Everything posted by Chris Parker

  1. Visit www.versiontracker.com and search for spamcop. There are several options available. I've been using the spamcop 1.3.2 plugin from Subsume for some time and it's worked great.
  2. What's the IP address or addresses of the servers in question? Are they properly processing messages without butchering the headers?
  3. Your server appears to have been sending to spam traps either directly or by bouncing, autoresponding, etc. See: CBL. Based on the Senderbase report of mailing increasing by 5600% in the last 24 hours, I'd guess that your server has been compromised. Maybe an SMTP AUTH hack. Check your logs. SpamCop's stats are not real-time because spammers abused the listing details. You may want to send an email to deputies <at> spamcop <dot> net.
  4. You need to fix the problem, not just put a band-aid on it. They could just inject from a different IP....
  5. Since it appears that the machine itself has been compromised it may not actually be an account within your mail server software package. You'll want to look at your firewall logs. You do have a firewall, right?
  6. I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. The block will be removed no more than 48 hours after your machine stops sending spam. Research indicated that the machine has been compromised with "Backdoor.Xibo". See also: SORBS and PSBL. Sample header from messages (evidence) -- looks like your machine is sending eBay phishing scams...

     From anonymous[at]alicia.netpivotal.com Mon Oct 11 17:35:28 2004
     Delivery-date: Mon, 11 Oct 2004 17:35:28 -0400
     Received: from [] (helo=alicia.netpivotal.com) by mail.victim.example with esmtp (Exim 4.41) id 1CH7pI-0006fa-0x for psbltrap[at]kernelnewbies.nl; Mon, 11 Oct 2004 17:35:28 -0400
     Received: (qmail 15002 invoked by uid 48); 11 Oct 2004 21:29:22 -0000
     Date: 11 Oct 2004 21:29:22 -0000
     To: psbltrap[at]kernelnewbies.nl
     Subject: Important Notice From eBay inc.
     From: eBay Billing <aw-confirm[at]eBay.com>
     Reply-To: aw-confirm[at]eBay.com
     MIME-Version: 1.0
  7. It looks like it's been compromised... Sample: Google is your friend
  8. Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?). You'll want to look at your mail server logs... If properly configured, they will show all the mail that it's been sending. In the meantime you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc. accounts. Here's some evidence that I was able to dig up...

     Subject: PENI||S EN1lIARGEMENT
     Received: from screens ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700

     Subject: |NCREASE YOUR PEN1lS SIZE!
     Received: from screens ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

     Subject: MAX|MUM EXP0OSURE
     Received: from micro ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700
  9. Please secure your server. Looks like an SMTP AUTH hack issue on your Exchange server. You'll need to kill all the unused accounts (guest, test, etc.) and then make sure that all existing accounts have non-trivial passwords.
  10. Sometimes the details run behind reality. Check out: http://www.senderbase.org/?searchBy=ipaddr...g= 10000% increase in mail from that IP address in the last day. Looks like you are running Exchange. Chances are you're the victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html
  11. You'll be removed within 48 hours of the last reported incident of spamming from that IP address. If the problem is solved the block will go away automatically. If the problem is not fixed and that IP address continues to send out spam that people report, it will remain listed here and likely get listed in some not so friendly block lists.
  12. Interesting domain name info on the host name your mail server is claiming to be... Based on the 1400% increase in mail from that server, I'd guess that it's been compromised. Check your logs!
  13. It appears that your machine has been compromised either by a virus/trojan or that the mail server itself has been compromised (SMTP AUTH HACK?). Disabling the guest account is a good start; however, you really should disable any accounts that are not currently being used. For all accounts that are being used you should change *ALL* the passwords to something that is non-trivial. Unless someone who uses that mail server needs to access it from outside of your LAN, I'd suggest that you disable all remote sending capabilities. A full virus/trojan scan of the machine should also be in order. If the machine has been compromised by a virus/trojan it would be in your best interest to format the drive and rebuild the machine, taking all the proper security measures. Thanks for your desire to resolve the core problem leading to the listing of your server. You may also want to send an email to deputies <at> spamcop <dot> net, who may provide you some additional information as to what is happening.
  14. Ugh, it's being used to send 419 scams... Sample 1 Sample 2
  15. Interesting discussion of this going on at spam-L. Most people seem to be taking the we'll believe it when we see it approach. Steve Linford (SpamHaus) seems optimistic about it.
  16. Does it bounce or does AOL just not auto-ack or ack at all to messages sent to it?
  17. Are you implying that you have a *dedicated* server? If so, it looks as if it may have been compromised in some form. There has been a significant increase in the amount of mail that server has been sending. See SenderBase Lookup. Just because it may not be an open relay does not mean that the machine may not have been compromised.
     1) If you have AV software that generates virus notifications, turn the notification feature off.
     2) If you have a mail server that generates delivery notification messages on inbound mail, turn the feature off.
     3) Send a polite email to deputies <at> spamcop.net asking for any additional information that may be available concerning the listing of your IP address.
  18. We are unable to provide any answer other than generalities since you have not provided any error messages. Please post an error message so that we may be able to assist you. If you are not careful, yes, you could be the one that is getting your ISP listed. You *always* want to make sure you review every report before you send it.
  19. Please see the pinned item: Why am I blocked? FAQ See: Lookup for Looks like your server has been sending to spam traps. The listing will be removed no longer than 48 hours after the most recent incident. You may also choose to send an email to deputies <at> spamcop.net and explain the situation with the action that you have taken to prevent it from happening in the future and they *may* choose to manually remove your server from the DNSbl.
  20. Looks like an SMTP AUTH hack to your Exchange server. You'll need to change the password for *every* account to something that is non-trivial. Disable any unused (i.e. guest) accounts. Disable SMTP AUTH if you do not have any employees that access their mail from outside your network. See the section under "For people who are operating servers" in the posted FAQ: Why Am I Blocked? FAQ, Please read before posting.
  21. Then you have another spamming client because your server has been sending to other spamtraps several times in the last week. PSBL Lookup
  22. It appears that you are running MS Exchange. You have probably fallen victim to an attack vector known as an SMTP AUTH hack. It would be in your best interest to go through all accounts on your Exchange server and close any unused accounts (guest, etc.) and then change the password for each and every account to something that is non-trivial. If you do not have employees that need to check/send mail from outside your network then you should disable SMTP AUTH access to your mail server. You may also want to read the pinned FAQ: Why am I blocked?, which has additional links concerning the SMTP AUTH hack.
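The advice repeated in posts 8, 13, 20 and 22 above ("check your mail server logs", disable dormant accounts such as guest and test, watch for submissions from outside the LAN) can be turned into a small log review that surfaces the indicators of an SMTP AUTH hack. The following is an added example, not code from this thread, from SpamCop or from Microsoft; the log line format, the account names, the IP addresses and the thresholds are all constructed assumptions, so adapt the regular expression to whatever your own server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a simplified authenticated-submission log. The format is an
# assumption for this example, not Exchange's or Exim's real log format. Each line
# records one authenticated message submission: timestamp, account, client IP,
# number of recipients.
SAMPLE_LOG = """\
2004-10-11T21:00:05 auth=jsmith ip=192.168.1.20 rcpts=1
2004-10-11T21:02:17 auth=jsmith ip=192.168.1.20 rcpts=2
2004-10-11T21:03:40 auth=guest ip=203.0.113.77 rcpts=50
2004-10-11T21:03:41 auth=guest ip=203.0.113.77 rcpts=50
2004-10-11T21:03:42 auth=guest ip=198.51.100.9 rcpts=50
2004-10-11T21:04:01 auth=guest ip=198.51.100.9 rcpts=50
2004-10-11T21:05:30 auth=test ip=203.0.113.78 rcpts=40
2004-10-11T21:06:12 auth=mjones ip=192.168.1.31 rcpts=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<account>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Accounts the posts above say to disable; any authentication by them is suspect.
DORMANT_ACCOUNTS = {"guest", "test", "admin"}

# Address space treated as "inside the LAN" for this constructed example.
INTERNAL_PREFIXES = ("192.168.", "10.")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),  # kept for reporting/sorting
            "account": m["account"],
            "ip": m["ip"],
            "rcpts": int(m["rcpts"]),
        })
    return events


def summarize(events):
    """Per-account totals: messages, recipients, and distinct external client IPs."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "external_ips": set()})
    for e in events:
        s = stats[e["account"]]
        s["messages"] += 1
        s["recipients"] += e["rcpts"]
        if not e["ip"].startswith(INTERNAL_PREFIXES):
            s["external_ips"].add(e["ip"])
    return dict(stats)


def flag_accounts(stats, max_recipients=100, max_external_ips=1):
    """Return {account: [reasons]} for accounts showing SMTP AUTH abuse indicators."""
    findings = {}
    for account, s in stats.items():
        reasons = []
        if account in DORMANT_ACCOUNTS:
            reasons.append("dormant account authenticated")
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients exceeds {max_recipients}")
        if len(s["external_ips"]) > max_external_ips:
            reasons.append(f"authenticated from {len(s['external_ips'])} external IPs")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in flag_accounts(summarize(parse_log(SAMPLE_LOG))).items():
        print(account, "->", "; ".join(reasons))
```

On the constructed sample this flags "guest" on all three counts (a dormant account, 200 recipients, two outside IPs) and "test" for authenticating at all, while the two staff accounts sending a handful of messages from the LAN stay quiet. The thresholds are deliberately crude; the point is that a dormant account authenticating from outside the network, or one account's recipient count jumping by orders of magnitude, is the signal the posts above tell the server operator to go looking for.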