[Resolved] Erroneous blocking IP

[jamaro]

Greetings. Ours IP (213.186.195.179) have wrongly blocked.

We are not engaged spam in dispatch.

Please unblock ours IP.

Thanks!

[Miss Betsy]

You may not intend to send spam. There is spam coming from your IP address. You may have an infected computer that is sending spam without your knowledge. Please inspect your computers for trojans or viruses.

You may also be sending 'misdirected bounces' If you do not understand about 'misdirected bounces', please ask.

If you ask here, someone can tell you how to find the infected computer if you need help.

Miss Betsy

[Derek T]

Greetings. Ours IP (213.186.195.179) have wrongly blocked.

We are not engaged spam in dispatch.

Please unblock ours IP.

Thanks!

Yours IP have rightly blocked

213.186.195.179 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

please fix your server. De-listing is automatic when the spam stops.

[jamaro]

At us is not present infected with virus PC.

I have personally checked up it.

Besides on PC it is installed NOD32 and Trojan Remover

NOD32 And Trojan Remover are regularly updated

22 hours it long to wait, as it is possible to accelerate process

[Miss Betsy]

SpamCop is automatic. Your IP address will be de-listed when the spam stops.

You need to find the source of the spam or backscatter (also called 'misdirected bounces').

From the SenderBase Statistics

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 3.5 135%

Can you account for 135% increase in your volume of email today?

You are also listed at cbl.abuseat.org

They say: ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

If you are running a Barracuda anti-spam appliance, turn off the "bounce spam" feature before delisting. Barracuda appliances with the "bounce spam or virus" feature turned on are showering innocent third parties with bounces of email that they didn't send. This is called "backscatter", and can get you listed in quite a number of DNSBLs (including SpamCop).

The sooner you find the source of the spam, the sooner you will be delisted. If you don't find the source of the spam, you will be listed on many more blocklists. Some of those blocklists are difficult to be removed from.

Miss Betsy

[Derek T]

At us is not present infected with virus PC.

I have personally checked up it.

Besides on PC it is installed NOD32 and Trojan Remover

NOD32 And Trojan Remover are regularly updated

22 hours it long to wait, as it is possible to accelerate process

Despite your protestations, you are still spewing spam.

1330 GMT: Counter reset to 24 hours - spam still coming from that IP

FIX IT!

If you are running a Barracuda anti-spam appliance, turn off the "bounce spam" feature before delisting. Barracuda appliances with the "bounce spam or virus" feature turned on are showering innocent third parties with bounces of email that they didn't send. This is called "backscatter", and can get you listed in quite a number of DNSBLs (including SpamCop).

The sooner you find the source of the spam, the sooner you will be delisted. If you don't find the source of the spam, you will be listed on many more blocklists. Some of those blocklists are difficult to be removed from.

Looking at the reports, it does not appear to be back-scatter.

[DavidT]

Yes, you have a computer sending through that IP that seems to be infected and part of a botnet. Here are the spam reports that we can see, but the bigger problem is what we can't see, which are the hits to secret spamtrap addresses:

Submitted: Tuesday, February 03, 2009 4:51:32 PM -0700:

Lets Chat

* 3838856646 ( 213.186.195.179 ) To: mole[at]devnull.spamcop.net

Submitted: Tuesday, February 03, 2009 4:01:20 AM -0700:

Lets Chat

* 3836975172 ( 213.186.195.179 ) To: igorp[at]mas-el.kiev.ua

So, you're going to have to check whatever SMTP logs you might have to see how those spam messages are getting sent by your system. I compared all of the commercial antivirus/security products recently, and although NOD32 was high on my list, I think that the Kaspersky products currently might be better at detecting this kind of thing.

DT

[Farelf]

Now listed in dnsbl-1.uceprotect.net as well. Proceed to http://www.uceprotect.net/en/rblcheck.php and enter IP address for detail.

[Derek T]

1550 GMT Counter reset again (23hrs) and a further user report submitted yesterday.

Time to unplug that server from the internet until it's been cleaned up, I think.

[Wazoo]

http://www.spamcop.net/w3m?action=checkblo...213.186.195.179

213.186.195.179 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...213.186.195.179

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ........ 0.0 .. N/A

Last month ... 3.3