happycatmeows
Posted March 18, 2009

Hello all,

I am new here and not an expert on email servers or computers. Since yesterday, at work, I was not able to send emails using our work mail accounts to a few ISPs, such as look.ca, and 2 other independent companies. My computer does not have any viruses or spyware, and I do not send spam.

I can not contact our mail host because we don't know who they are. Long story short, our IT guy quit suddenly about half a year ago and left us with no info/password/whatsoever. I called up the company that should be hosting our mail server but they said they can't pull up our accounts. So, long story short, I am unable to contact our ISP/mail host for help.

Below is one of the three "Mail delivery failed: returning message to sender" messages that I received. How can I get my email working properly again??? (I've "xxxxx" the names of the people.)

By the way, all those emails have different .jpg and .wmv attachments. (I was able to send those emails to my personal account, Rogers.com accounts.)

Thanks in advance.

************************

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  xxxxxxxx[at]mchsi.com
    SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:
    host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net
    550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 670993 characters long; only the first
------ 106496 or so are included here.

Return-path: <xxxxxx[at]millennium3000.com>
Received: from [69.159.202.44] (port=60966 helo=Reception)
    by newlondon.sibername.com with esmtpa (Exim 4.69)
    (envelope-from <xxxxxx[at]millennium3000.com>)
    id 1Lk00g-0001hg-FT
    for <elided>[at]mchsi.com; Wed, 18 Mar 2009 13:57:07 -0400
From: "XXXX XXXX <xxxxxx[at]millennium3000.com>
To: <xxxxxxxx[at]mchsi.com>
Subject: XXXXXX
Date: Wed, 18 Mar 2009 13:56:50 -0400
Organization: Millennium 3000 Ltd.
Message-ID: <1E64274EBFB64814BC0F260243A4574E[at]Reception>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0003_01C9A7D1.64E7B500"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acmn8unxSoYNp7iJSNKBUFCqv5guQg==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

dra007
Posted March 18, 2009

Looks to me like you are sending out phishers:

Submitted: Monday, March 16, 2009 4:23:29 AM -0400:
Representative In UK Urgently Needed !!!
3946145240 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net
3946145238 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net
--------------------------------------------------
Submitted: Sunday, March 15, 2009 7:05:14 PM -0400:
Abbey Important Security Message
3945225221 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net
3945225218 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net
-------------------------------------------------
Submitted: Saturday, March 14, 2009 4:29:09 AM -0400:
Ugent Representative Needed At Textile And Fabric Material Company
3940303528 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net
3940303526 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net
---------------------------------------------
Submitted: Thursday, February 26, 2009 11:53:59 AM -0500:
Update your bank account information.
3899585519 ( 67.212.91.2 ) To: abuse[at]netelligent.ca
3899585518 ( 67.212.91.2 ) To: postmaster[at]netelligent.ca
---------------------------------------------
Submitted: Thursday, February 26, 2009 11:53:30 AM -0500:
Update your bank account information.
3899584517 ( 67.212.91.2 ) To: abuse[at]netelligent.ca
3899584512 ( 67.212.91.2 ) To: postmaster[at]netelligent.ca

Oddly I couldn't find more recent reports, the ones in February were the last.

Derek T
Posted March 18, 2009

> My computer does not have any viruses or spyware, and I do not send spam.

> A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
>   xxxxxxxx[at]mchsi.com
>     SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:
>     host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net
>     550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

The important factoid in the message is that your mail is sent out from a server at IP 67.212.91.2. You may be sharing that with loads of other clients of your ISP. That server was spewing spam Saturday through Monday. It seems that the problem has been solved by your ISP, the volume of mail is down and the IP is no longer listed.

It seems you have a responsible ISP who pulled the plug on an infected customer. I wish they were all so clued up.

The IP is not on any of the common blacklists AFAICT. All should now (or soon, when caches are refreshed) be back to normal. I don't think there's anything you need to do apart from the usual malware precautions (assuming that you are using Windows).

By the way, why did you think that SpamCop was involved? It's not mentioned in your rejection message!

Lking
Posted March 18, 2009

Well, you do have a problem. I would suggest you attack your problem on both a short term and a long term basis.

> SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:
> host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net
> 550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

Your current problem is not with your ISP; it is with the "remote mail server". They are the ones that "Blocked (you) for abuse." Now when I do a whois on mchsi.com I come up with an IP address of 12.215.20.94. That is listed on the SORBS block list (actually the whole block 12.215.0.0 - 12.215.255.255). The only way to solve that problem is to get mchsi.com to change their way (or the ways of those that they provide mail service to).

> I can not contact our mail host because we don't know who they are. Long story short, our IT guy quit suddenly about half a year ago and left us with no info/password/whatsoever. I called up the company that should be hosting our mail server but they said they can't pull up our accounts.

That is your long term problem and may underlie your current problem. When I do Whois on millennium3000.com I get:

Current Registrar: SIBERNAME.COM, INC.
IP Address: 67.55.76.165 (ARIN & RIPE IP search)
IP Location: US(UNITED STATES)-NEW YORK-JERICHO
Record Type: Domain Name
Server Type: Apache 1
Lock Status: ok
Web Site Status: Active
DMOZ no listings
Y! Directory: see listings
Secure: Yes
E-commerce: Yes
Traffic Ranking: 4
Data as of: 22-Apr-2008

When I look up the IP address for your domain I get:

67.55.76.165
Record Type: IP Address
OrgName: Webair Internet Development Inc
OrgID: WAIR
Address: 333 Jericho Tpke
Address: Suite 200
City: Jericho
StateProv: NY
PostalCode: 11753
Country: US
ReferralServer: rwhois://rwhois.webair.com:4321
NetRange: 67.55.64.0 - 67.55.127.255
CIDR: 67.55.64.0/18
NetName: WEBAIRINTERNET6
NetHandle: NET-67-55-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS.WEBAIR.NET
NameServer: NS2.WEBAIR.NET
Comment: All rwhois info can be found at rwhois.webair.com:4321
RegDate: 2006-07-28
Updated: 2007-04-18
RNOCHandle: ZW64-ARIN
RNOCName: IPAdmin-Webair
RNOCPhone: +1-516-938-4100
RNOCEmail: IPAdmin[at]webair.com
OrgNOCHandle: ZW64-ARIN
OrgNOCName: IPAdmin-Webair
OrgNOCPhone: +1-516-938-4100
OrgNOCEmail: IPAdmin[at]webair.com
OrgTechHandle: ZW64-ARIN
OrgTechName: IPAdmin-Webair
OrgTechPhone: +1-516-938-4100
OrgTechEmail: IPAdmin[at]webair.com

We are only guessing, but your email SMTP is most likely the same as the host of your web pages. Someone in your company is sending checks to SIBERNAME.COM, INC. to keep your web page on line. Those that get the check should be able to help resolve the problem.

Miss Betsy
Posted March 18, 2009

It is possible if you stick around here and read and ask questions to learn something about how email works. It might be more economically feasible for you to hire another IT guy if you can afford to do so. If you can't, you really should hire an IT person to, at least, find out where your ISP is and how to access your account, and maybe make a basic list of typical problems and what to do if you encounter them - including to call in an expert when something is not on the list or the simple troubleshooting doesn't work.

If you are a business, IT should be an important part of your budget. If you had a company car and the mechanic quit, you couldn't just keep driving it without ever paying attention to maintenance. At least, you could, but sooner or later it would quit on you without oil changes, etc. If you didn't know anything about cars, then you could run into all sorts of problems like being stalled at the side of the road because of a flat tire.

Miss Betsy

Farelf
Posted March 19, 2009

> ...
> Return-path: <xxxxxx[at]millennium3000.com>
> Received: from [69.159.202.44] (port=60966 helo=Reception)
>     by newlondon.sibername.com with esmtpa (Exim 4.69)
>     (envelope-from <xxxxxx[at]millennium3000.com>)
>     id 1Lk00g-0001hg-FT
>     for grantcwsd[at]mchsi.com; Wed, 18 Mar 2009 13:57:07 -0400
> ...

OK, that's you (69.159.202.44), trying to send through your mail exchange mail.millennium3000.com which presently has an IP address (your MX 'internet address') of 67.212.64.130 (shared, and for which IP SenderBase sees no activity) and a reverse DNS name of newlondon.sibername.com (same as the blocked 67.212.91.2) and that's about as far as it gets.

The IP address of mail.millennium3000.com has changed 'recently' - I briefly saw a cached address on robtex (on-line lookup), over a year old (384 days), which was quite different - a completely different range though I didn't make a note of it. There seems to be some sort of variability in the records anyway and it would certainly be worth persevering in trying to send. The blocked 67.212.91.2 (shared) is not necessarily a 'permanent' part of your routing. Certainly contacting sibername.com should be of assistance, as Lou says.

"My computer does not have any viruses or spyware, and I do not send spam." is a brave claim since different AV and AS products might give different answers, but the internet wouldn't usually be seeing your computer, just the IP address(es) through which you network, and you will be sharing those with hundreds of others and the odds are that some of those are infected; that's the liability of the internet these days.

This does not appear to be a SC blocklist issue as such (nothing specific in the NDR message) - though dra007 did find evidence of earlier reports on 67.212.91.2 (which may or may not have led to short-term listing on the SCBL which, in turn, may or may not be associated with the cryptic '=rblmx' in the notice).

[Oh yeah, as Miss Betsy says, you need an IT person. An independent contractor if you don't have enough full-time work for a permanent post. You are way too vulnerable, in numerous ways, without one.]

happycatmeows
Posted March 19, 2009

Thank you to all of you for your responses. I think I will need more than 2 hours in order to understand entirely what each one of you is saying.

We do have an independent IT contractor but he couldn't figure out who our mail host is either. In the past, I tried calling all the companies that LKing found (Sibername, Webair, and also Netelligent). No luck, but anyway.

I knew SpamCop was involved because in one of those "returned mail" messages, it reads "SMTP error from remote mail server after RCPT TO:<xxxxxx[at]look.ca>: host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net (Blocked - see 550 http://www.spamcop.net/bl.shtml?67.212.91.2)". So that's why I knew SpamCop was involved.

I think for now, I will just sit and wait for another 2 days to see if the problem will be resolved by our ISP because, as mentioned in one reply, it seems that we are sharing the same mail server with other clients of our ISP, so the problem MIGHT not be on our end... In the meantime, I will try to fully understand all the replies.

This morning, I tried sending an email to one of the people who I had problem sending emails to, and it was working. However, I was still unable to send emails to the other 2 people.

Thanks~~~

agsteele
Posted March 19, 2009

> I think for now, I will just sit and wait for another 2 days to see if the problem will be resolved by our ISP, while I try to fully understand all the replies. This morning, I tried sending an email to one of the people who I had problem sending emails to, and it was working. However, I was still unable to send emails to the other 2 people.

I may be being dense and not fully understanding.... But it isn't all that difficult to make a new arrangement with an ISP that is able to help you. If you have a domain name which the unknown ISP currently controls then you'd need to speak with the registrar for your domain to get it back into your own control.

But I'd want to know who was looking after my interests and at the moment you've no idea who that is. Time to take action.

Andrew

turetzsr
Posted March 19, 2009

> <snip>
> I knew SpamCop was involved because in one of those "returned mail" messages, it reads "SMTP error from remote mail server after RCPT TO:<xxxxxx[at]look.ca>: host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net (Blocked - see 550 http://www.spamcop.net/bl.shtml?67.212.91.2) So that's why I knew SpamCop was involved.
> <snip>

...Well, not really. I see how you might have come to that conclusion (and, indeed, it may be correct that at some time SpamCop did have that address on its blacklist) but that message must not be treated as authoritative. It's as if I came to your house, knocked on your door and got no answer and a neighbor told me you'd been taken to jail. I could not then assume that the local police had been involved -- your neighbor could either be unintentionally mistaken, telling me something that was true in the past but is no longer true or deliberately lying, I have no way of knowing. <g>

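The check the replies above keep returning to (which IP a rejection actually names, whether it names a DNSBL at all, and whether that IP is the sender's own machine), as an added example that is not part of any post in this thread. The rejection lines and Received header are the ones quoted in the thread; the function names are this example's own, and `is_listed` needs DNS access and is not called here.

```python
import ipaddress
import re
import socket

# Rejection lines and Received header as quoted in the thread (redacted there).
NDR_MCHSI = ("SMTP error from remote mail server after "
             "MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510: "
             "host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by "
             "ldap:ou=rblmx,dc=mso,dc=att,dc=net 550 Blocked for abuse.")
NDR_LOOK = ("SMTP error from remote mail server after RCPT TO:<xxxxxx[at]look.ca>: "
            "host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net "
            "(Blocked - see 550 http://www.spamcop.net/bl.shtml?67.212.91.2)")
RECEIVED = ("Received: from [69.159.202.44] (port=60966 helo=Reception) "
            "by newlondon.sibername.com with esmtpa (Exim 4.69)")

IPV4 = r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)"
HOST_RE = re.compile(r"host (\S+) \[(" + IPV4 + r")\]")
ZONE_RE = re.compile(r"\bRBL\s+((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
CLIENT_RE = re.compile(r"Received: from (?:\S+ )?\[(" + IPV4 + r")\]")

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def analyze(ndr, received):
    """Separate the rejecting host, the IP it objects to, and the sender's own IP."""
    host = HOST_RE.search(ndr)
    rejecting = host.groups() if host else (None, None)
    ips = [m.group(0) for m in re.finditer(IPV4, ndr) if _is_ipv4(m.group(0))]
    blocked = next((ip for ip in ips if ip != rejecting[1]), None)
    zone = ZONE_RE.search(ndr)
    client = CLIENT_RE.search(received)
    return {
        "rejecting_host": rejecting,
        "blocked_ip": blocked,
        "named_zone": zone.group(1) if zone else None,
        "query_name": dnsbl_query_name(blocked, zone.group(1)) if zone and blocked else None,
        "submitting_client": client.group(1) if client else None,
        "block_is_on_client": bool(client) and client.group(1) == blocked,
    }

def is_listed(query_name):
    """Live check (needs DNS; not called here): an answer in 127.0.0.0/8 means listed."""
    try:
        return socket.gethostbyname(query_name).startswith("127.")
    except socket.gaierror:
        return False

if __name__ == "__main__":
    for ndr in (NDR_MCHSI, NDR_LOOK):
        print(analyze(ndr, RECEIVED))
```

Resolving the returned `query_name` against the list itself gives the current status, which is what the wording of a bounce cannot.
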
Wazoo
Posted March 19, 2009

> We do have an independent IT contractor but he couldn't figure out who our mail host is either. In the past, I tried calling all the companies that LKing found (Sibername, Webair, and also Netelligent). No luck, but anyway.

From the top .. what affiliation/position do you have with the millennium3000.com web-site?

Trace millennium3000.com (67.55.76.165) ...
80.91.249.109 RTT: 194ms TTL:170 (nyk-bb1-link.telia.net probable bogus rDNS: No DNS)
80.91.250.97 RTT: 48ms TTL:170 (nyk-b4-link.telia.net probable bogus rDNS: No DNS)
213.248.82.150 RTT: 41ms TTL:170 (webair-126294-nyk-b1.c.telia.net ok)
209.200.52.5 RTT: 51ms TTL:170 (csa010.nyc.webair.net fraudulent rDNS)
67.55.76.165 RTT: 42ms TTL: 54 (No rDNS)

Apparently a "shared" web-server involved .. DNS and hosting apparently provided by webair.net

Dig millennium3000.com[at]ns2.webair.net (174.137.152.1) ...
Authoritative Answer
Query for millennium3000.com type=255 class=1
millennium3000.com SOA (Zone of Authority)
    Primary NS: ns.webair.net
    Responsible person: webmaster[at]millennium3000.com
    serial:2006041902
    refresh:10800s (3 hours)
    retry:3600s (60 minutes)
    expire:604800s (7 days)
    minimum-ttl:43200s (12 hours)
millennium3000.com NS (Nameserver) ns.webair.net
millennium3000.com NS (Nameserver) ns2.webair.net
millennium3000.com MX (Mail Exchanger) Priority: 10 mail.millennium3000.com
millennium3000.com A (Address) 67.55.76.165
mail.millennium3000.com A (Address) 67.212.64.130

This web-site has an incoming e-mail server running at the IP Address of 67.212.64.130 .... however, the data is a bit 'off' .....

Trace mail.millennium3000.com (67.212.64.130) ...
4.69.140.250 RTT: 84ms TTL:170 (ae-11-11.car2.Toronto2.Level3.net ok)
4.69.140.254 RTT: 83ms TTL:170 (ae-2-2.car2.Montreal2.Level3.net ok)
4.59.178.6 RTT: 90ms TTL:170 (NHS.car2.Montreal2.Level3.net probable bogus rDNS: No DNS)
64.15.64.43 RTT: 95ms TTL:170 (No rDNS)
67.212.64.130 RTT: 83ms TTL: 50 (newlondon.sibername.com fraudulent rDNS)

Not sure I'd be all that comfortable dealing with them, looking at their Registration details ....

whois -h whois.tucows.com sibername.com ...
Registrant:
    Sibername Internet and Software Technologies Inc.
    Suite: 900 - 275 Slater Street
    Ottawa, ON K1P 5H9
    CA
Domain name: SIBERNAME.COM
Administrative Contact:
    TURKOGLU, Bulent mesutbulent[at]yahoo.com
    Suite: 900 - 275 Slater Street
    Ottawa, ON K1P 5H9
    CA
    800 613 8915
Technical Contact:
    TURKOGLU, Bulent mesutbulent[at]yahoo.com
    Suite: 900 - 275 Slater Street
    Ottawa, ON K1P 5H9
    CA
    800 613 8915

Their web-site offers support[at]sibername.com which makes a lot more sense .....

Anyway, the millennium3000.com web-site is hosted by one outfit, but the e-mail is hosted somewhere else. Who is actually running the server that identifies itself as helo=Reception I haven't quite sorted out yet.

Your supplied rejection notice shows that you (or your network .. still undefined) sent the original e-mail from your system (or network) to the newlondon.sibername.com e-mail server which then tried to pass that e-mail on to a Mediacom (mchsi.com) e-mail server. This "should" imply that 'you' (or your network) are an authorized user of the sibername.com (e-mail) system. Why they can't identify "you" as a user is a bit strange, but noting that their Support page does do a bit of bad-mouthing their own (1st level) support folks .. perhaps an e-mail to their 'support' address might actually come up with better results ...???

As previously suggested, it does seem pretty doubtful that e-mail would continue to be passed without payment for those services being received .... yet, perhaps it's just that the subscription due date hasn't come up yet. The fear at this point would be just when that date happens, apparently with no one knowing just who'd be receiving any notifications of the next invoice/bill ...???

Not sure if this will actually help, as the situation does seem to be very confusing with no one "in the know" ... I'm wondering about the qualifications of your current "independent IT contractor" ... yet realizing that there may be passwords and ID codes not known by anyone but the previous IT person .. might explain other folks not wanting to disclose account/connection data ???

Miss Betsy
Posted March 20, 2009

If I were you, I would start all over with a new ISP. Some people like me can find out all those things, but I think it is a gift and not something that you can teach someone. If I were you, I would start over. An independent IT person should be able to find out where your domain is registered. Even if it is someone else, that's not a good recommendation to be listed more than once in a year.

Miss Betsy

This topic is now archived and is closed to further replies.