aarnold

[Resolved] my client is blacklisted though spamcops

It says I have to be an admin of Covad to delist. I do not have access to that. What should I do?

Their IP is: 67.103.70.198

It says I have to be an admin of Covad to delist. I do not have access to that. What should I do?

Their IP is: 67.103.70.198

There are no public reports in the last 90 days against this IP address.

67.103.70.198 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Have you fixed the source of the spamtrap hits? Otherwise, your delisting is likely to get undone quickly and there is only one chance for that. Then you could:

1. Good: wait the current 7 hours for it to delist.

2. Better: contact Covad to immediately delist you.

3. Best: contact deputies[at]admin.spamcop.net. They will be able to tell you what kind of spamtrap traffic was being seen (Out of Office or some other automatic reply, misdirected bounces, or typical spam because of a corrupted machine) and if it has been continuing. If there are no recent spamtrap hits and you convince them you have fixed the problem, they can delist you immediately.

Good luck

P.S. You may want to hold off on that delisting... if you follow the links to SenderBase information, you will see:

Volume Statistics for this IP

             Magnitude   Vol Change vs. Last Month
Last day     3.5         1948%
Last month   2.2

Is there a reason more than 3000 messages have been seen by the SenderBase network servers in the last day? You will need to explain that number before anyone believes you have fixed the issue.
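The "listed in bl.spamcop.net (127.0.0.2)" line above is the answer to a DNS query: reverse the octets of the IP, append the list's zone, and ask for an A record. The script below is an added example (not from any poster in this thread) that automates that lookup for the two zones named in the thread; the dnsbl-check.sh file name is assumed, and it needs dig and working DNS to do a live check.

```shell
#!/bin/sh
# Added example: check an IPv4 address against DNS-based blocklists the way
# SpamCop's lookup page does. A DNSBL is queried by reversing the address's
# octets and appending the list's zone name; an A record in the answer
# (SpamCop uses 127.0.0.2) means "listed", an empty answer means "not listed".

# Zones quoted in the thread; add others as needed.
DNSBLS="bl.spamcop.net ix.dnsbl.manitu.net"

# Reject anything that is not a dotted quad with octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# 67.103.70.198 + bl.spamcop.net -> 198.70.103.67.bl.spamcop.net
dnsbl_name() {
    _ifs=$IFS; IFS=.; set -- $1 "$2"; IFS=$_ifs
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$5"
}

# Query one zone. Prints the return code(s) and exits 0 if listed, exits 1 if
# not listed, exits 2 if the lookup itself failed (no dig, no resolver), so
# "could not check" is never mistaken for "clean".
check_dnsbl() {
    _answer=$(dig +short +time=3 +tries=1 "$(dnsbl_name "$1" "$2")" A 2>/dev/null) || return 2
    [ -n "$_answer" ] || return 1
    printf '%s\n' "$_answer"
}

# Usage: ./dnsbl-check.sh 67.103.70.198   (nothing runs when sourced for tests)
if [ $# -gt 0 ]; then
    is_ipv4 "$1" || { echo "usage: $0 <ipv4-address>" >&2; exit 2; }
    for _zone in $DNSBLS; do
        _codes=$(check_dnsbl "$1" "$_zone"); _rc=$?
        case $_rc in
            0) echo "$1 LISTED in $_zone -> $_codes" ;;
            1) echo "$1 not listed in $_zone" ;;
            *) echo "$1 lookup FAILED for $_zone" >&2 ;;
        esac
    done
fi
```

Querying the test address 127.0.0.2 against a zone should come back listed; that is the standard way to confirm the resolver is actually reaching the list before trusting a "not listed" result.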


There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.

There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.

It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.

http://www.senderbase.org/senderbase_queri...g=67.103.70.198

Volume Statistics for this IP

             Magnitude   Vol Change vs. Last Month
Last day     3.5         1949%
Last month   2.2

You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.

h-67-103-70-198.lsanca54.covad.net ... is this really an e-mail server?

It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.

http://www.senderbase.org/senderbase_queri...g=67.103.70.198

Volume Statistics for this IP

             Magnitude   Vol Change vs. Last Month
Last day     3.5         1949%
Last month   2.2

You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.

h-67-103-70-198.lsanca54.covad.net ... is this really an e-mail server?

It's showing 1945% on mine. We have no mail servers by that name. Covad is our ISP for our T1 line.

It's showing 1945% on mine. We have no mail servers by that name. Covad is our ISP for our T1 line.

Mine too at the moment... 1945%

If you do not have a mail server, then you should be using your ISP's mail server as many systems will block your mail just because of that name.

Mine too at the moment... 1945%

If you do not have a mail server, then you should be using your ISP's mail server as many systems will block your mail just because of that name.

We have an Exchange server inside our LAN. We don't use Covad mail services.

BTW, I love your quote at the bottom... hehe

So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Should I ask them to delist me now?


It is still rising:

67.103.70.198

             Magnitude   Vol Change vs. Last Month
Last day     3.5         1947%
Last month   2.2

A lot of junk spewing from that IP. Nothing has been fixed yet.

You were also in the CBL, but you requested removal:

IP Address 67.103.70.198 is not currently listed in the CBL.

It was previously listed, but was removed at 2008-07-16 18:56 GMT

You also just made it on:

NIXSPAM automatically generated entries: ix.dnsbl.manitu.net -> 127.0.0.2

Latest spam received via pk.netcologne.de at Wed, 16 Jul 2008 03:40:35 +0200, see http://www.dnsbl.manitu.net/lookup.php?value=67.103.70.198

Microsoft Exchange Server

SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Should I ask them to delist me now?

If you have been in contact with them, you should be asking them that question... as stated earlier, they are the only ones who can see what was going out.

It is very strange ONLY to hit spamcop traps and not see any spamcop reports.

We have an Exchange server inside our LAN. We don't use Covad mail services.

Somewhat confusing. Does this e-mail server handle both incoming and outgoing? Is there actually an MX record for this server? Yet again, you've really not touched the "expected" traffic flow from this server if there is any outgoing ...????

So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Without your definition of 'expected' e-mail traffic, it's hard to analyze the SenderBase numbers from this side of the screen. Historically, if there was an infected/compromised machine that was the single source of a massive outbreak of spew, the numbers would normally have dropped dramatically over (your 6 hour reference, making it almost) 10 hours now.

http://spamcop.net/w3m?action=checkblock;ip=67.103.70.198

67.103.70.198 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 1 hours.

Volume Statistics for this IP

             Magnitude   Vol Change vs. Last Month
Last day     3.4         1382%
Last month   2.2

Some drop-off, but not what would normally be expected.


The client has been whitelisted, and SenderBase shows -1%, which is good. This thread can be closed.

Thanks for the help, guys!


One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.
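As an added example of the port 25 egress rule described above (not from the thread or any poster in it), here is how that policy looks on a Linux NAT router with iptables. The mail server address 192.168.1.10 and interface names are assumptions; the LOG rule is the part that would have pointed straight at the infected workstation in this thread.

```shell
#!/bin/sh
# Added example: egress filtering on a Linux NAT router so that only the LAN
# mail server may open outbound SMTP (TCP/25) connections. Any other LAN host
# that tries is logged (the log line names the infected machine) and refused.
# Mail server IP and interface names are assumptions for illustration.
#
# Authenticated submission (TCP/587) from workstations to an outside provider
# is deliberately left alone; bots send direct-to-MX on port 25.

# Print the iptables commands for: <mail-server-ip> <lan-if> <wan-if>.
smtp_egress_rules() {
    [ $# -eq 3 ] || { echo "usage: smtp_egress_rules <mail-ip> <lan-if> <wan-if>" >&2; return 2; }
    cat <<EOF
# dedicated chain so the policy can be re-applied without duplicating rules
iptables -N SMTP_EGRESS 2>/dev/null || iptables -F SMTP_EGRESS
iptables -D FORWARD -i $2 -o $3 -p tcp --dport 25 -j SMTP_EGRESS 2>/dev/null || true
iptables -A FORWARD -i $2 -o $3 -p tcp --dport 25 -j SMTP_EGRESS
# the mail server is the only host allowed to speak SMTP to the outside
iptables -A SMTP_EGRESS -s $1 -j ACCEPT
# rate-limited log line carries SRC=<lan host> for the offending machine
iptables -A SMTP_EGRESS -m limit --limit 6/min --limit-burst 20 -j LOG --log-prefix "SMTP_EGRESS_BLOCK: " --log-level 4
# refuse cleanly so the infected host does not pile up half-open connections
iptables -A SMTP_EGRESS -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# --show prints the rules for review; --apply feeds them to a root shell.
case ${1-} in
    --show)  shift; smtp_egress_rules "$@" ;;
    --apply) shift; smtp_egress_rules "$@" | sh -e ;;
esac
```

After applying, grep the kernel log for SMTP_EGRESS_BLOCK: the SRC= address in each line is a LAN host that tried to send mail on its own and needs cleaning.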

One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.

It looks like he has his exchange server connected directly to the web:

SMTP - 25 220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700

POP3 - 110 +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.

IMAP - 143 * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.

He shut down the SMTP service yesterday and just turned it back on a while ago.

It looks like he has his exchange server connected directly to the web:

SMTP - 25 220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700

POP3 - 110 +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.

IMAP - 143 * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.

He shut down the SMTP service yesterday and just turned it back on a while ago.

There really wouldn't be a way to tell from outside if that exchange server is sitting behind a NAT appliance with port forwarding enabled.

There really wouldn't be a way to tell from outside if that exchange server is sitting behind a NAT appliance with port forwarding enabled.

True! Thanks
