BlockList help: 88.119.128.53

[Edas]

Hi. Our mail server ip is blacklisted. The only one reason may be because of postfix bounce messages.

We are using postfix+amavis+spamassassin+clamav.

Postfix is configured to:

smtpd_recipient_restrictions =

permit_mynetworks,

permit_sasl_authenticated,

reject_non_fqdn_sender,

reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,

reject_unauth_destination,

reject_rbl_client dnsbl.sorbs.net

reject_rbl_client bl.spamcop.net,

reject_rbl_client opm.blitzed.org,

reject_rbl_client cbl.abuseat.org,

reject_rbl_client dnsbl.njabl.org,

reject_rbl_client zen.spamhaus.org,

reject_rbl_client list.dsbl.org

In amavis configuration:

$final_virus_destiny = D_DISCARD;

$final_banned_destiny = D_REJECT; # was D_BOUNCED

$final_spam_destiny = D_REJECT; # was D_BOUNCED

$final_bad_header_destiny = D_PASS;

What else should I check to prevent being listed?

[Farelf]

...What else should I check to prevent being listed?

Eliminate the source of spam on or behind your server:

http://www.spamcop.net/w3m?action=checkblo...p=88.119.128.53

88.119.128.53 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

* System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

System has been listed for less than 24 hours.

Other hosts in this "neighborhood" with spam reports

88.119.128.7 88.119.128.52 88.119.128.64 88.119.128.71 88.119.128.80 88.119.128.143

Apologies if 88.119.128.53 is not the IP address you are talking about. You actually have to tell us or we have to guess and most who might help you cannot be bothered trying to guess or they do not have even the limited information to work with that I and a few others have.

Yes, if you bounce messages after the SMTP session is closed you will certainly be doing wrong and that might cause listing. In that circumstance you can only use the 'reply to' address (or 'from' address) and both are forged in almost all spam. If bouncing is the problem you are definitely bouncing to forged addresses because you are hitting spam traps.

Please continue the discussion if you have more to add, need further help, whatever.

[edit - oops, sorry, see you have included the IPA in the title., so the above analysis IS looking at the correct server.]

[Miss Betsy]

I am not a server admin - someone who knows more may answer as soon as people wake up here.

Your rDNS (I think it is called) doesn't seem to be configured properly according to senderbase which doesn't affect your spamcop bl listing, but is a problem.

Also, your volume has increased 275% That may have a reason. Perhaps you have an increase in spam that you were 'bouncing' to spam traps? If your volume % continues to climb, then you should look for an infected computer. I am assuming that you have discontinued accepting spam and then bouncing it.

Miss Betsy

[Farelf]

Further to all the above, you do not appear to be listed on any other RBLs - http://www.mxtoolbox.com/blacklists.aspx?IP=88.119.128.53 - however that may change (the SCBL is often just an 'early warning when it comes to listing on other BLs). SenderBase is showing increasing numbers:

Report on IP address: 88.119.128.53

Hostname: mail.lku.lt

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 3.0 344%

Last month 2.3

And your listing has renewed (another hit) since my first post.

Incidentally, I am not seeing any problems with your rDNS

> mail.lku.lt

...

Non-authoritative answer:

Name: lku.lt

Address: 88.119.128.53

Aliases: mail.lku.lt

> set type=ptr

>53.128.119.88.in-addr.arpa

...

Non-authoritative answer:

53.128.119.88.in-addr.arpa name = mail.lku.lt

>

[Edas]

Reverse DNS entry was made by our provider. I'll contact them to fix this.

I've changed route of outgoing smtp traffic to our mailserver, and found infected notebook of employee with some spam sending engine. Thank You for response. Problem seems to be solved. Now I have to wait to be delisted.

[Miss Betsy]

Thanks for letting us know what the problem was. I am glad you found the source! The column in senderbase that says No is forward reverse DNS match - that might be something different than rDNS.

Miss Betsy

[Wazoo]

Magnitude Vol Change vs. Last Month

Last day 3.0 344%

Last month 2.3

Things don't look good, unless you can provided another explanation. At the time of this post, some three hours after farelf's look-up, I'm seeing; http://www.senderbase.org/senderbase_queri...g=88.119.128.53

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 3.1 .. 423%

Last month .. 2.3

[Miss Betsy]

Looks like there may be more than one computer that is compromised - it's gone up to 425% now.

Miss Betsy

[Wazoo]

Data point: http://www.senderbase.org/senderbase_queri...g=88.119.128.53

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 2.3