hoover11

[Resolved] 98.17.92.125


In the past 3.9 days, we have been listed 2 times for a total of 43 hours. 98.17.92.125

We ran Spybot and Adaware on all 4 machines and took care of any issues (finished Friday).

We use IXwebhosting for web hosting and email. We have a dynamic IP from Windstream. We use a protected wifi (WEP) router connected directly to the Windstream modem. Each machine runs AVG and regularly scans. We use the Windows XP firewall, updates, and virus protection on each PC.

We do have a newsletter; we generated the contacts from our customers (didn't purchase a list or anything), and have sent it out successfully 10 times over the past year without issue.

I'm concerned this could have been taken over but I don't see anything indicating that...

How can I track down the infected PC more directly? Is there any way of finding its name? Also, can I identify what was being sent that caused the issue?

Any ideas in what I should look into next? I tried to fix each machine on Friday but we were put back on the list today so something is still messed up.

Thanks

Edited by hoover11

How can I track down the infected PC more directly? Is there any way of finding its name? Also, can I identify what was being sent that caused the issue?

Any ideas in what I should look into next? I tried to fix each machine on Friday but we were put back on the list today so something is still messed up.

Have you yet even looked at the Why am I Blocked? FAQ and/or Pinned entry? Most of your questions have already been answered there.

http://www.spamcop.net/sc?track=98.17.92.125

98.17.92.125 listed in bl.spamcop.net (127.0.0.2)

98.17.92.125 listed in cbl.abuseat.org ( 127.0.0.2 )

http://www.spamcop.net/w3m?action=checkblo...ip=98.17.92.125

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

(Report History has no content for the last 90 days)

http://www.senderbase.org/senderbase_queri...ng=98.17.92.125

Hostname: h125.92.17.98.dynamic.ip.windstream.net

Date of first message seen from this address 2008-12-11

..... Doesn't quite match up with that "10 times in the last year" description ....

Real-time blacklists

dnsbl.sorbs.net

cbl.abuseat.org

pbl.spamhaus.org

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 2.7 .. 233%

Last month .. 2.2

Headed for 1,000 e-mails a day ....

I'm done. Will wait for you to do some of your own research and provide some more detail. Just noting that sending e-mail from a 'dynamic' IP Address has you already looking at 'blocking' issues by many ISPs/Hosts.

In the past 3.9 days, we have been listed 2 times for a total of 43 hours. 98.17.92.125

I'm sorry to report that the server is sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you.

Received: from h125.92.17.98.dynamic.ip.windstream.net (HELO biss-2) ([98.17.92.125])

by [our trap server] with SMTP; 15 Dec 2008 06:xx:xx -0800

Received: (qmail 3201 by uid ); Mon, 15 Dec 2008 09:xx:xx -0500

Message-Id: <2008_________________mail[at]biss-2>

To: <x>

Subject: RE: Discount ID532246

These days, the most common problem is backdoor spam sending spyware that has been installed by a Trojan or Worm. The server may be suffering from an open proxy port exploit, or has been compromised by some other means.

- Don D'Minion - SpamCop Admin -

.


"Have you yet even looked at the Why am I Blocked?"

Yes I have

"System has sent mail to SpamCop spam traps"

OK, I'm looking to solve that... It wasn't a trojan found on any machine (that I could find).

I can't detect any issue with our mailing program, but if you know somewhere to look for issues I will.

"..... Doesn't quite match up with that "10 times in the last year" description ...."

Actually it does, read the first sentence in the last 4 days... (12-11 is less than 4 days from 12-15)

"Real-time blacklists"

Yea, I found these too; they also pointed me to a trojan or malware. I ran MSRT as the CBL list recommended, nothing found on any of the machines.

"Will wait for you to do some of your own research "

I did all this. You've told me nothing new, and none of this helped me resolve the issue.

I did all this. You've told me nothing new, and none of this helped me resolve the issue.

Are all of your machines hidden behind the IP address 98.17.92.125 or is it only your mail server? Do you share that IP address with any other people (shared server)?

Is there a firewall in place that you could limit (better)/monitor (at least) traffic leaving your network on port 25?

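The two leads given in this thread are the HELO name the sending machine announced in the trap-server Received: header, and outbound port-25 traffic seen at the firewall. The script below is an added example (not from any poster or from SpamCop) that pulls the connecting IP and HELO name out of that header and tallies outbound SMTP connections per internal host from constructed router log lines; the iptables-style log format, the 192.168.1.x addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# The Received: line quoted in this thread (trap server's timestamp redacted there as well).
RECEIVED = ("Received: from h125.92.17.98.dynamic.ip.windstream.net (HELO biss-2) "
            "([98.17.92.125]) by [our trap server] with SMTP; 15 Dec 2008 06:xx:xx -0800")

# Constructed router/firewall egress log (hypothetical iptables-style fields, not a real device).
FIREWALL_LOG = """\
Dec 15 08:58:01 router kernel: OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.5 PROTO=TCP DPT=25
Dec 15 08:58:02 router kernel: OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.9 PROTO=TCP DPT=25
Dec 15 08:58:03 router kernel: OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
Dec 15 08:58:04 router kernel: OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.44 PROTO=TCP DPT=25
Dec 15 08:58:05 router kernel: OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.1 PROTO=TCP DPT=25
Dec 15 08:58:06 router kernel: OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.80 PROTO=TCP DPT=25
"""

HELO_RE = re.compile(r"\(HELO ([^)\s]+)\)")
SRC_IP_RE = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def parse_received(header):
    """Return (connecting IP, HELO name) from a Received: header, or None if absent."""
    ip = SRC_IP_RE.search(header)
    helo = HELO_RE.search(header)
    if not ip or not helo:
        return None
    return ip.group(1), helo.group(1)

def outbound_smtp_by_host(log_text):
    """Number of distinct TCP/25 destinations contacted by each internal source host."""
    dests = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "25":
            dests.setdefault(m.group(1), set()).add(m.group(2))
    return Counter({src: len(d) for src, d in dests.items()})

def suspect_hosts(log_text, threshold=3):
    """Internal hosts talking SMTP to at least `threshold` distinct servers, busiest first.
    A normal workstation only ever talks to its own provider's mail relay."""
    counts = outbound_smtp_by_host(log_text)
    return [src for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    print(parse_received(RECEIVED))      # ('98.17.92.125', 'biss-2')
    print(suspect_hosts(FIREWALL_LOG))   # ['192.168.1.12']
```

Matching the HELO name against each PC's Windows computer name, and the flagged LAN address against the router's DHCP table, narrows the search to one machine without scanning every box again.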

First of all, you shouldn't be running a mail server on a dynamic IP; no self-respecting admin will accept it.

From another blocklist you are on:

IP Address 98.17.92.125 is currently listed in the CBL.

It was detected at 2008-12-15 14:00 GMT (+/- 30 minutes), approximately 8 hours, 30 minutes ago.

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL eventually stop letting you delist it and you will have to contact us directly.

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

"Have you yet even looked at the Why am I Blocked?"

Yes I have

"Will wait for you to do some of your own research "

I did all this. You've told me nothing new, and none of this helped me resolve the issue.

You sure leave me confused. As I stated, most of the questions you asked in your starting post were answered within that FAQ/Pinned entry. Perhaps your definition of 'looking' is a bit different from what I asked?

"System has sent mail to SpamCop spam traps"

OK, I'm looking to solve that... It wasn't a trojan found on any machine (that I could find).

I can't detect any issue with our mailing program, but if you know somewhere to look for issues I will.

If the Why am I Blocked? entry really didn't answer the questions, then that should have been taken as a nudge that more information was needed.

Actual network not described.

Firewall use not mentioned.

That WEP is totally hackable in seconds these days doesn't seem to be acknowledged, nor is any evaluation of the actual connections made to that device.

on and on ...

"..... Doesn't quite match up with that "10 times in the last year" description ...."

Actually it does, read the first sentence in the last 4 days... (12-11 is less than 4 days from 12-15)

Actually, no it doesn't. The "real" answer would appear to be the use of a dynamic IP Address, in that the alleged previous traffic would have been seen coming from yet another (dynamic?) IP Address ... a situation noted a couple of times already as being a really bad idea for outgoing e-mail.

"Real-time blacklists"

Yea, I found these too; they also pointed me to a trojan or malware. I ran MSRT as the CBL list recommended, nothing found on any of the machines.

As above, there's yet a lot of other stuff that apparently has yet to be checked or documented. You didn't even take the bait on the 1,000 e-mails a day and state whether this was anywhere near matching your expected traffic/newsletter flow.

As you state that you haven't found anything on "your" systems, who actually gets disconnected when you turn off that wireless router?


While the techies want more information (which they really need in order to do any troubleshooting), my take on what has been posted is that if you are using a wireless router, it is insecure and someone is sending lots of spam through it. Either that or you do have a trojan which you haven't found yet.

Though if you do have a wireless router, there was someone else a few months back that did have some knowledge, and they swore up and down there was nothing infected, but it turned out to be that someone was using their wireless router.

There IS spam coming from that IP address.

Miss Betsy

...my take on what has been posted is that if you are using a wireless router, it is insecure and someone is sending lots of spam through it. ...
Have to concur this is the most likely scenario - or at least the most hopeful, and potentially least painful to address.

Searching the internet for "wifi security" or similar would be the way to go IMO. On the principle of "set a thief to catch a thief", the good folk at wardrive.net might have some useful advice and resources.

<snip>

"..... Doesn't quite match up with that "10 times in the last year" description ...."

Actually it does, read the first sentence in the last 4 days... (12-11 is less than 4 days from 12-15)

<snip>

...Well, okay, literally speaking 11 December through 15 December is all "in the last year" but I think it is not unreasonable for Wazoo to infer from the "in the last year" clause that you are suggesting that your server has been sending e-mail for at least a year or so. This does not jibe with Wazoo's discovery [emphasis mine]:
<snip>

http://www.senderbase.org/senderbase_queri...ng=98.17.92.125

Hostname: h125.92.17.98.dynamic.ip.windstream.net

Date of first message seen from this address 2008-12-11

<snip>

(HELO biss-2): what is that referring to?

That was probably part of the SMTP "helo" command, in which the spewing machine identified itself. If that doesn't sound familiar to you, then perhaps the explanation of an inadequately-secured WiFi setup is indeed the cause. WEP is nowhere near enough any more. Also, I agree with Wazoo that no legitimate mail server should be using a dynamic IP. Your messages will be blocked by many systems for that reason alone.

DT


Apparently Resolved .. tagging it as so with a note or two ...

http://www.spamcop.net/w3m?action=checkblo...ip=98.17.92.125

98.17.92.125 not listed in bl.spamcop.net

factoid apparently showing that SenderBase data also ages off ...????

http://www.senderbase.org/senderbase_queri...ng=98.17.92.125

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 0.0

Date of first message seen from this address unknown

factoid apparently showing that SenderBase data also ages off ...????

Interesting...but might explain the rather recent dates we often see when we look at those "date of first message" values.

DT
