
Blacklisted :(



Looks like you may have a spammy neighbourhood or possibly an infected machine (sending to spam traps):

216.37.42.46 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 10 times by less than 10 users. It has been sending mail consistently for at least 91.1 days. In the past 258.5 days, it has been listed 2 times for a total of 3.2 days

In the past week, this system has:

Been detected sending mail to spam traps

Been witnessed sending mail about 170 times

Other hosts in this "neighborhood" with spam reports:

216.37.41.74

216.37.41.94

I've gotten a lot of these mortgage spams lately:

A sample sent sometime during the 24 hours beginning Monday, May 10, 2004 8:00:00 PM -0400:

Received: from -41-74.-.net (216.37.41.74)-

by -.-.net with - - May 2004 - -

Subject: mortgage quotes on the -

From: ma.. at ..i.com

You may want to contact your ISP to identify the problem.


Half an hour is said to be the minimum time of a listing; 48 hours is the longest. The algorithm is supposedly biased by how long the spam was allowed to be sent, how many reports there were, and how many times in the past the server has been listed. The exact algorithm is not published.

http://www3.mail-abuse.org/cgi-bin/nph-ops...ew?216.37.42.46 shows a possible open relay in Sept 2003

If the system was compromised through weak passwords, or by another exploit, I hope a complete security audit was done to make sure that everything was found.

The spamcop.net reports show multiple I.P. addresses in that range having spam problems.

* Other hosts in this "neighborhood" with spam reports:

* 216.37.41.3

* 216.37.41.26

* 216.37.41.33

* 216.37.41.38

* 216.37.41.94

* 216.37.42.46

* 216.37.41.74

Spammers will use any vulnerability in your network to send spam.

Media reports have stated that if a spammer needed to purchase the bandwidth stolen through a compromised computer, it would cost them over US$1,200 a week.

-John

Personal Opinion Only


what is a spammy neighborhood?

A group of I.P. addresses that are under the control of one Internet Service Provider (ISP), or similar network owner, that are being used to send spam.

Having spam coming from an I.P. indicates a small problem. Having it come from a lot of I.P. addresses indicates that there is a problem with network management.

and how can I get my ip address removed from the blacklist?

Listings on the spamcop.net DNSbl expire no more than 48 hours from the last reported spam. The date is based on the timestamp of the mail server that received the spam, not the time that the report was made.

Fixing the security hole(s) that are allowing the spam to be sent is the best way to stay off DNSbls. Make sure that the machines that are not secured are blocked behind a router or firewall.

-John

Personal Opinion Only


Since IP addresses run consecutively and are assigned that way, that's a neighborhood where the same ISP probably sets the policy. If there are several IP addresses numerically close to each other that are listed, it means that the ISP controlling those IP addresses is either allowing spammers to operate or is negligent or incompetent about controlling spam.

If your IP is listed because it has been sending to spam traps, then even if it is delisted, if you have not fixed the problem, it is likely to be re-listed the next time you get hit by viruses or the spammer uses the vulnerability or whatever the problem is. After a while, other blocklists are going to notice that spam comes consistently from that IP address and you will start to be blocked by others.

The only way to get delisted is to stop the spam - or to prove to the deputies that it was a mistaken listing.

Miss Betsy

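The lookup behind the listing quoted at the top of the thread (bl.spamcop.net answering 127.0.0.2) and the "spammy neighbourhood" check discussed above, as an added example that is not part of the original posts: reverse the IPv4 octets, append the zone, and treat NXDOMAIN as "not listed". The resolver is passed in as a function so the code runs offline against a constructed answer table built from the addresses named in this thread; socket.gethostbyname is the drop-in live resolver. The prefix sizes, the constructed table and the helper names are assumptions for the example.

```python
"""DNSBL lookup and "spammy neighbourhood" scan (added example, not from the thread)."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

ZONE = "bl.spamcop.net"


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """216.37.42.46 -> 46.42.37.216.bl.spamcop.net (raises on a malformed address)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_ip(ip: str, resolve: Callable[[str], str], zone: str = ZONE) -> Optional[str]:
    """Return the DNSBL answer (e.g. '127.0.0.2') or None when the IP is not listed.

    `resolve(name)` must return an A record as a string or raise socket.gaierror
    for NXDOMAIN, which is exactly what socket.gethostbyname does.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # Real DNSBLs answer inside 127.0.0.0/8.  Anything else usually means a
    # wildcarded or decommissioned zone that "lists" everything: fail loudly
    # instead of silently rejecting all mail.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer!r} for {ip}")
    return answer


def scan_neighbourhood(ip: str, resolve: Callable[[str], str],
                       prefix: int = 24, zone: str = ZONE) -> Dict[str, str]:
    """Check every host in the enclosing prefix; return {ip: answer} for listed hosts."""
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    listed: Dict[str, str] = {}
    for host in net.hosts():
        answer = check_ip(str(host), resolve, zone)
        if answer is not None:
            listed[str(host)] = answer
    return listed


# Constructed answer table (assumption for the example) mirroring the
# addresses named in this thread.  A live zone is consulted by passing
# resolve=socket.gethostbyname instead.
CONSTRUCTED_LISTINGS = {
    dnsbl_query_name(ip): "127.0.0.2"
    for ip in ("216.37.42.46", "216.37.41.3", "216.37.41.26", "216.37.41.33",
               "216.37.41.38", "216.37.41.74", "216.37.41.94")
}


def constructed_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname: an unknown name becomes NXDOMAIN."""
    try:
        return CONSTRUCTED_LISTINGS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}") from None


if __name__ == "__main__":
    print("216.37.42.46:", check_ip("216.37.42.46", constructed_resolve))
    # /22 spans 216.37.40.0-216.37.43.255, i.e. both /24s mentioned in the thread.
    hits = scan_neighbourhood("216.37.42.46", constructed_resolve, prefix=22)
    for host in sorted(hits, key=ipaddress.IPv4Address):
        print(host, hits[host])
```

Scanning a whole prefix against a public DNSBL is hundreds of queries, so rate-limit it or cache the results if you run it live; the SpamCop report already gives you the neighbourhood summary for free.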

OK, by looking at my IP info, how long do I have to wait until the 48-hour period is up?

http://www.spamcop.net/w3m?action=checkblock&ip=216.37.42.46

But the actual question / answer is based on when the spamtrap hits stopped. Again, 48 hours is the maximum, although it may be that due to the low levels of "seen sending e-mail" .. this IP may tend to reach for the longer time-frame.

In another light, can you state what was done to stop the bad outgoing traffic?


yep....

A user was compromised, so I deleted that account, I deleted all the bad mail that was in the bad mail folder, I turned off automatic NDR, and changed all admin passwords.

My server is not an open relay, this is the second time this has happened to me from the same user......

I also implemented strong password policies on my domain.

I read your reply and it doesn't make any sense to me. Can anyone give me an exact time of when the IP will be de-listed?


No, exact time can't be offered from the evidence that "we" can see .... However, if you'd kick a note off to Deputies at admin.spamcop.net with the data you just provided, there is a possibility that one of them might step in and upon agreement with what you say and what they see, this IP could possibly be 'touched' a bit in the database.


oops..sorry

216.37.42.46

If that is your IP, your exchange server is relaying spam -- the spammers are using the SMTP/AUTH hack; see:

http://news.spamcop.net/cgi-bin/fom?file=372

I see further down the thread that you have taken care of this problem.

Your IP is scheduled to delist in an hour.

BTW having other IPs in the same /24 listed does not in any way affect your server being listed or delisted.

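The "SMTP/AUTH hack" named above is a server that is not an open relay but still relays spam because a spammer holds one user's SMTP AUTH password. The tell in the server's own logs is a single account authenticating from many client addresses and addressing far more recipients than a person would. Below is an added example of that detection, not code from the original thread or from SpamCop: the log format, the sample lines, the sliding-window thresholds and the function names are all constructed for the example, so adapt LINE_RE to the real server's log (Exchange SMTP log, Postfix, etc.) before using it.

```python
"""Spotting SMTP AUTH abuse in mail-server logs (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator

# Constructed log shape: "<timestamp> <client IP> AUTH|MAIL user=<name> [rcpts=<n>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<event>AUTH|MAIL) user=(?P<user>\S+)(?: rcpts=(?P<rcpts>\d+))?$"
)

# Constructed sample: alice behaves normally; bob's password is being abused
# from four different client addresses within a few minutes.
SAMPLE_LOG = """\
2004-05-10 20:00:02 192.0.2.10 AUTH user=alice
2004-05-10 20:00:05 192.0.2.10 MAIL user=alice rcpts=2
2004-05-10 20:01:13 198.51.100.7 AUTH user=bob
2004-05-10 20:01:14 198.51.100.7 MAIL user=bob rcpts=45
2004-05-10 20:01:20 203.0.113.40 AUTH user=bob
2004-05-10 20:01:21 203.0.113.40 MAIL user=bob rcpts=50
2004-05-10 20:02:02 203.0.113.41 AUTH user=bob
2004-05-10 20:02:03 203.0.113.41 MAIL user=bob rcpts=50
2004-05-10 20:03:30 198.51.100.9 AUTH user=bob
2004-05-10 20:03:31 198.51.100.9 MAIL user=bob rcpts=48
2004-05-10 21:15:00 192.0.2.10 MAIL user=alice rcpts=1
"""


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one event dict per matching log line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "user": m["user"],
            "rcpts": int(m["rcpts"] or 0),   # AUTH lines carry no recipients
        }


def find_abused_accounts(lines: Iterable[str], window: timedelta = timedelta(hours=1),
                         max_ips: int = 2, max_rcpts: int = 100) -> Dict[str, dict]:
    """Flag accounts that, inside any `window`, authenticate from more than
    `max_ips` distinct client addresses or address more than `max_rcpts`
    recipients.  Thresholds are assumptions; tune them to the site's traffic."""
    by_user = defaultdict(list)
    for ev in parse(lines):
        by_user[ev["user"]].append(ev)

    findings: Dict[str, dict] = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0                      # left edge of the sliding window
        in_window = defaultdict(int)   # client IP -> events currently inside it
        rcpts = 0
        peak_ips = peak_rcpts = 0
        for ev in events:
            in_window[ev["ip"]] += 1
            rcpts += ev["rcpts"]
            # Evict events older than `window` relative to the current one.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                in_window[old["ip"]] -= 1
                if in_window[old["ip"]] == 0:
                    del in_window[old["ip"]]
                rcpts -= old["rcpts"]
                start += 1
            peak_ips = max(peak_ips, len(in_window))
            peak_rcpts = max(peak_rcpts, rcpts)
        if peak_ips > max_ips or peak_rcpts > max_rcpts:
            findings[user] = {
                "peak_distinct_ips": peak_ips,
                "peak_rcpts": peak_rcpts,
                "ips": sorted({e["ip"] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_abused_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {info['peak_distinct_ips']} client IPs, "
              f"{info['peak_rcpts']} recipients in one hour, from {info['ips']}")
```

Once an account trips this, the cleanup in the thread is the right shape: disable or re-credential the account, purge the queue, and keep a per-account outbound rate limit so the next stolen password cannot push thousands of messages before anyone looks at a log.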

If that is your IP, your exchange server is relaying spam -- the spammers are using the SMTP/AUTH hack; see:

http://news.spamcop.net/cgi-bin/fom?file=372

I see further down the thread that you have taken care of this problem.

When a privileged account on a server has been compromised, a full security audit is required to make sure that the problem is found. At least one security agency recommends rebuilding a compromised machine from known uncompromised media.

BTW having other IPs in the same /24 listed does not in any way affect your server being listed or delisted.

True. However it does indicate that the ISP may be slow to react to abuse reports which is not a good thing.

If the machines are on the same network, then they may share a security vulnerability.

-John

Personal Opinion Only

