studioarici

Help with IP blocklisted


Hi, my IP has been blocklisted for this reason:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

I can't understand this message and why my IP was blocklisted. The IP is linked to an architectural office and obviously this isn't a spammer. I would ask you another thing. I need to find the emails that caused this blocklisting because I have to investigate who sent them.

Thanks for the reply

---

There isn't much more that one can tell you unless you give your IP address. When mail is sent only to spam traps, it is usually (but not always) because of automatic replies, like out-of-office replies. When automatic replies are sent indiscriminately, they also respond to spam. Because spam usually has forged return addresses, the replies are sent to spam traps (as well as to the innocent persons whose email address has been forged). The way around that is to filter incoming email for spam and to whitelist those who would benefit from getting an out of office reply.

Another reason that your email has been blocked could be that you are using a shared IP address with other people who use your web host. One of them may have a compromised computer or is really sending spam. The person to check with is your email service provider in that case. If it is your dedicated IP address that is listed, then the first thing to do is to scan all the computers for trojans and make sure that they all have up to date virus protection and are properly firewalled. Very often, a wireless router that is not secure is the culprit (someone outside the office is able to use the router to spew spam).

You can write to the deputies, but be sure to include the IP address in your email. However, because spam traps are secret addresses that have never sent email, all they can tell you is the kind of email that is being received - such as out-of-office replies or real spam.

Until you post the IP address in the message, there isn't much more that anyone can tell you. However, there are other people here who can give you good advice once you do that. It wouldn't hurt either to give more information about how you are connected to the internet.

Miss Betsy

---
I can't understand this message and why my IP was blocklisted. The IP is linked to an architectural office and obviously this isn't a spammer. I would ask you another thing. I need to find the emails that caused this blocklisting because I have to investigate who sent them.

The IP address you posted from is currently listed with the same reason, so I ASSUME you are talking about http://www.spamcop.net/bl.shtml?79.38.194.217. This IP address is showing NO manual reports. Please read that page carefully as it describes the most likely problems.

What the message says is that some messages (not necessarily your standard spam type message) have reached email addresses that have never been used for anything from your IP address. The addresses are hidden on web sites around the internet where web bots collect them and add them to spammers lists. What usually has happened is that your mail server rejects non-deliverable emails by sending a message to the (always forged on spam) return address. This return address was (for at least some of those messages) spamcop's spamtrap addresses.

If you have ever received a whole bunch of bounces for messages you did not send, you were the victim of servers set up like yours currently is.

---

Yes, StevenUnderwood, my IP is 79.38.194.217.

I have to ask you what I have to do to solve my problem because I don't know how to resolve it.

I have just tested all PCs with Spybot Search & Destroy and they were clean. I also use Windows Firewall and NOD32 antivirus on all 5 PCs.

I wonder if you can help me to avoid blocking emails. Thanks a lot

---
I have to ask you what I have to do to solve my problem because I don't know how to resolve it.

Do any of your machines using that IP address use "automatic replies" or "out of office messages", etc.?

---
I have just tested all PCs with Spybot Search & Destroy and they were clean. I also use Windows Firewall and NOD32 antivirus on all 5 PCs.

http://www.senderbase.org/senderbase_queri...g=79.38.194.217

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day        3.8         176%
Last month      3.4

Date of first message seen from this address: 2008-07-22

Only 5 computers, but cranking out 10,000+ e-mails a day????? Other BLs have picked up / added this IP Address. More definition on just what is being used for an e-mail server ... inhouse, ISP/Host, etc. If one was to place that kind of traffic on someone's desktop PC, one would think that user would be asking for a heck of a system upgrade because this one was running so slow ...?????

How many other people are actually "sharing" this IP Address? As asked so many times in so many other Discussions, is there a(n insecure) wireless router in the mix?

---

79.38.194.217 = host217-194-static.38-79-b.business.telecomitalia.it is sending mail (possibly virus traffic) to our spam traps.

A spam trap is a non-existent address at a small vanity domain owned by us or one of our associates.

There doesn't seem to be any payload in the emails, so they are not ordinary profit oriented spam.

Received: from pfawf.telecomitalia.it (host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])
        by [our trap server] (Postfix) with SMTP id xx:xx
        for <xx:xx>; Fri, 5 Sep 2008 07:xx:xx -0500 (CDT)
Date: Fri, 05 Sep 2008 12:xx:xx +0000
From: "Bingulla Dorgamas" <calamare[at]jtrg.com>
Subject: Runningman makes it into record books

Received: from kvhdu.telecomitalia.it (host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])
        by [our trap server] (Postfix) with SMTP id xx:xx
        for <xx:xx>; Fri, 5 Sep 2008 01:xx:xx -0500 (CDT)
Date: Fri, 05 Sep 2008 06:xx:xx +0000
From: "Distive Bells" <elwiffo[at]we-engrave.com>
Subject: Memphis Woman Turns 116

- Don D'Minion - SpamCop Admin -

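An added example, not from the thread or from SpamCop: a small parser for first-hop "Received:" lines like the two quoted above. It flags the pattern visible in those headers, one IP announcing itself under different HELO names that do not match its reverse DNS, which is how a spam trojan behind the office router looks from the receiving side. The IP and host names come from the post; the contrasting "mail.example.net" hop, the regex and the threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the two "Received:" lines quoted in the post above,
# as a trap server would have recorded them (IP and host names from the post),
# plus one well-behaved MTA for contrast (assumed; HELO equals reverse DNS).
TRAP_RECEIVED = [
    "Received: from pfawf.telecomitalia.it "
    "(host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])",
    "Received: from kvhdu.telecomitalia.it "
    "(host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])",
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
]

# Postfix-style first hop: "from HELO (rDNS [ip])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
)

def parse_received(line):
    """Return {'helo', 'rdns', 'ip'} for a first-hop Received line, else None."""
    m = RECEIVED_RE.match(line)
    return m.groupdict() if m else None

def helo_mismatches(lines):
    """Map sending IP -> sorted HELO names that differ from its reverse DNS."""
    by_ip = defaultdict(set)
    for line in lines:
        hop = parse_received(line)
        if hop and hop["helo"].lower() != hop["rdns"].lower():
            by_ip[hop["ip"]].add(hop["helo"])
    return {ip: sorted(names) for ip, names in by_ip.items()}

def bot_like_senders(lines, min_names=2):
    """IPs seen under several different forged HELO names. A real mail server
    uses one stable name; a fresh random name per message suggests a trojan."""
    return sorted(ip for ip, names in helo_mismatches(lines).items()
                  if len(names) >= min_names)

if __name__ == "__main__":
    print(helo_mismatches(TRAP_RECEIVED))
    print("bot-like:", bot_like_senders(TRAP_RECEIVED))
```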

---
79.38.194.217 = host217-194-static.38-79-b.business.telecomitalia.it is sending mail (possibly virus traffic) to our spam traps.

Thanks for the input. Much appreciated.

---
Only 5 computers, but cranking out 10,000+ e-mails a day????? Other BLs have picked up / added this IP Address. More definition on just what is being used for an e-mail server ... inhouse, ISP/Host, etc. If one was to place that kind of traffic on someone's desktop PC, one would think that user would be asking for a heck of a system upgrade because this one was running so slow ...?????

How many other people are actually "sharing" this IP Address? As asked so many times in so many other Discussions, is there a(n insecure) wireless router in the mix?

This IP address is used only for our office and we're using an ethernet router provided by our provider (Telecom Italia) and set up by its technician. The router isn't wifi.

So what you are telling me is that someone is abusively using my IP address?

Is there something or some program that I can use to check my PCs and to solve this problem?

Thanks a lot for the help

---
So what you are telling me is that someone is abusively using my IP address?

No...they're not forging it, if that's what you mean. If a wireless router isn't involved, and only those few machines are connected to a "static" (unchanging) IP address, then one or more of those machines are still infected with something. It's generally a good idea to scan the machines with multiple tools, rather than just one. Other people will probably have better suggestions for those tools than I would.

Peace,

DT

---

Antivirus tools are not always effective when it comes to finding some malware. I always recommend using plain old "netstat -a" to see what's really happening on your network if you suspect an infection.
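
One way to act on that advice at scale, as an added example that is not from the thread: a script that reads saved "netstat -an" output from a Windows PC and flags outbound SMTP connections to hosts other than the office mail server. A workstation that only reads mail talks to one SMTP server at most; a spread of SYN_SENT and ESTABLISHED connections to port 25 on unrelated hosts is what a spam-sending trojan looks like from inside the office. The sample output and the mail-server address (198.51.100.10) are constructed.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.12:1030      192.168.1.2:445        ESTABLISHED
  TCP    192.168.1.12:1044      198.51.100.10:25       ESTABLISHED
  TCP    192.168.1.12:1045      203.0.113.4:25         SYN_SENT
  TCP    192.168.1.12:1046      203.0.113.77:25        SYN_SENT
  TCP    192.168.1.12:1047      192.0.2.200:25         ESTABLISHED
  TCP    192.168.1.12:1048      192.0.2.9:25           SYN_SENT
  UDP    192.168.1.12:137       *:*
"""

# Assumption: the office's real outgoing mail server; everything else on
# port 25 from a desktop is unexpected.
LEGIT_SMTP_SERVERS = {"198.51.100.10"}

# One TCP row: local addr:port, foreign addr:port, state
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smtp_destinations(netstat_text):
    """Return {foreign_ip: count} for live TCP connections to foreign port 25."""
    dests = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local_ip, _local_port, foreign_ip, foreign_port, state = m.groups()
        if foreign_port == "25" and state in ("ESTABLISHED", "SYN_SENT"):
            dests[foreign_ip] += 1
    return dict(dests)

def suspicious_smtp_hosts(netstat_text, legit=LEGIT_SMTP_SERVERS, threshold=2):
    """Return (flagged, unexpected_peers): flagged when the machine has at
    least `threshold` outbound port-25 peers that are not the known server."""
    unexpected = sorted(ip for ip in smtp_destinations(netstat_text) if ip not in legit)
    return len(unexpected) >= threshold, unexpected

if __name__ == "__main__":
    flagged, peers = suspicious_smtp_hosts(SAMPLE_NETSTAT)
    print("suspicious" if flagged else "clean", peers)
```

On the PC, save the listing with `netstat -an > netstat.txt` and feed the file's contents to `suspicious_smtp_hosts`; with `netstat -ano` the extra PID column still matches because the pattern anchors on the state token only when it is last, so strip that column first or adjust the regex.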

---
I always recommend using plain old "netstat -a" to see what's really happening on your network if you suspect an infection.

What a useful first post, kmolloy, and welcome! I had forgotten that command and will be making use of it regularly. Thanks!

DT

---

I'll try to check which PC is infected when I'm back at work.

Now, with the router turned off (since yesterday evening) I see that my IP will be delisted in a short time. Tomorrow I'll try turning on the PCs one by one and scanning each with anti-malware/spyware/virus tools etc.

I hope to solve my problem ;)

---

Well, it certainly timed off OK. Turning off the router stopped the spam. And SenderBase - http://www.senderbase.org/senderbase_queri...g=79.38.194.217 - is currently showing:

              Magnitude   Vol Change vs. Last Month
Last day        2.1         -95%
Last month      3.4         -
("Last day" should drop to 0 by the time you are back at work.)

I note you are listed on CBL also (link from the SenderBase display) - there is no automatic delisting there, I think - http://www.senderbase.org/senderbase_queri...g=79.38.194.217

IP Address 79.38.194.217 is currently listed in the CBL.

It was detected at 2008-09-05 16:00 GMT (+/- 30 minutes), approximately 1 days, 1 hours ago.

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.

This is the BOT

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

When you have fixed the problem you can delist from the CBL from the link on that page.

Good luck, you should have little trouble finding the computer(s) doing this by its/their behavior but completely disinfecting from trojan installation can be difficult, it is said.

---

Ok, thanks for the help. I'll scan all my PCs tomorrow. Can you please tell me a program or programs to use to find this trojan/malware/spyware on the infected PC?

Thanks a lot. Regards

---
Ok, thanks for the help. I'll scan all my PCs tomorrow. Can you please tell me a program or programs to use to find this trojan/malware/spyware on the infected PC?...
I use SuperAntiSpyware but have never had to disinfect a machine with it - that is a whole different world. If people who have actually been through the process might speak up now that would be of most value.

SenderBase is still seeing some volume from 'your' IP so it seems there are other users (it never will get to 0). But the virus sending has stopped.

---

I'm scanning the first PC and when I typed netstat -a I found a big number of active connections, here in a screenshot:

[screenshot of the netstat -a output; image not included]

I think that this is the infected PC....but I'm running Ad-Aware, Kaspersky Internet Security 2009 and Malwarebytes, and none of them has found anything....

My last chance is to format the primary partition...but it's the last option...

:(

---
My last chance is to format the primary partition...but it's the last option...

Sounds like that might be the best plan, even if a little "painful." And this might not be the only infected PC, sorry to say.

DT

---
I have formatted the infected PC....none of my anti-malware/anti-spyware tools found anything...

Thanks all for help :)

Thanks for keeping us informed. I hope that has fixed it - some "root-kit" infections are infamous for difficulty in detection once installed, but re-formatting usually works to remove them, it is said. I see you have delisted from the CBL also. Everything is clear so far.

---
