
Sender refused by the DNSBL bl.spamcop.net


mvanwyk

Hi Guys.

We host a merak pop3 mail server for a small town.

This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.

<example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

The mail server has a local IP address of 172.17.0.6 with a public Address 41.208.36.76.

I checked the public address and noticed that it was not listed.

Could someone please assist or point me in the right direction.

I hope I have given enough information.

Thanks in advance.


We host a merak pop3 mail server for a small town.

This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.

<example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

1. AIUI mail is sent from an SMTP server and received from a POP3, so I am, to say the least, puzzled.

2. That IP seems to have a good reputation and I can find no reports against it. If there were they would have been sent to abuse[at]mtnns.za, is that you? Who checks that mailbox?

3. You get the error message when trying to send to anyone? Are you using the SCBL and if so is it configured correctly? Could you post the full text of a rejection please?

It just doesn't add up as you have presented it.


It just doesn't add up as you have presented it.

My Bad!

Point 1

We also have the Merak SMTP as well.

Point 2

mtnns.za is our ISP; I'm sure their admin checks the mailbox.

Point 3 (This is one of the domains / users trying to email)

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 Connected

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 220 mail.igrade.co.za ESMTP Merak 8.2.0; Thu, 7 May 2009 10:00:38 +0200

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 <<< EHLO JAKESPC

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 250-mail.igrade.co.za Hello JAKESPC [196.11.146.71], pleased to meet you.

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 <<< MAIL FROM: <jakes[at]tekalarms.co.za>

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net

SYSTEM [000017D4] Thu, 7 May 2009 10:00:39 +0200 Disconnected


196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71

196.11.146.71 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

System has been listed for less than 24 hours.

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 196.11.146.71 has no reverse dns

http://www.senderbase.org/senderbase_queri...g=196.11.146.71

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      4.4         301%
Last month    3.8

DNS-based blocklists

bl.spamcop.net

cbl.abuseat.org

Spamtrap hits, user reports, and an increase in traffic .... as noted in the Why am I Blocked? FAQ, Pinned, and Wiki entries, point to an infected/compromised computer/network being involved.
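The rejection in the Merak log is keyed on the address of the connecting client (196.11.146.71), not on the mail server's own public address (41.208.36.76), which is why the two lookups in this thread disagree. The following Python sketch is an added example, not part of the original posts and not Merak's code: it pulls the client address and DNSBL zone out of the logged 501 line and builds the DNS name a DNSBL check queries. The function names and the `thread_resolver` stub, which replays the answer quoted above instead of querying DNS, are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Rejection line copied from the Merak SMTP log posted in this thread.
LOG = ("196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 "
       "<jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net\n")

REJECT = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \[[0-9A-F]+\] .*? >>> "
    r"5\d\d .*refused by the DNSBL (?P<zone>[\w.-]+)\s*$"
)


def find_rejections(log_text):
    """Return (client_ip, dnsbl_zone) for each DNSBL rejection in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            hits.append((m.group("client"), m.group("zone")))
    return hits


def dnsbl_qname(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_status(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.x.x.x answer if the IP is listed, otherwise None."""
    try:
        answer = resolve(dnsbl_qname(ip, zone))
    except socket.gaierror:
        return None  # name does not resolve: treated as not listed
    return answer if answer.startswith("127.") else None


def thread_resolver(name):
    """Constructed stand-in for DNS that replays the answer quoted in the thread."""
    if name == "71.146.11.196.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror("no such name")


if __name__ == "__main__":
    for client, zone in find_rejections(LOG):
        print("rejected client:", client, dnsbl_status(client, zone, thread_resolver))
    # The server's own public address, which the first post reports as not listed.
    print("41.208.36.76:", dnsbl_status("41.208.36.76", "bl.spamcop.net", thread_resolver))
```

Leaving out the `resolve` argument makes `dnsbl_status` perform a live DNS lookup through the system resolver.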


http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71

196.11.146.71 listed in bl.spamcop.net (127.0.0.2)

Oh dear!

Submitted: 07 May 2009 09:21:39 +0100:
Renew your virility for yourself,for her and for your love.

	* 4116004757 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 19:47:11 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

	* 4106883551 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 13:58:23 +0100:
[ipc] LATEST IPC CONNECT

	* 4106132192 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 07:00:03 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4104789442 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 05:39:19 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4104537549 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 03 May 2009 19:01:40 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4103343570 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 03 May 2009 19:01:28 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

	* 4103342733 ( http://www.payprofit.net/payprofit/unsubscribe.... ) To: abuse[at]navigata.net
	* 4103342617 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

and

Parsing input: 196.11.146.71
[report history]
Routing details for 196.11.146.71
[refresh/show] Cached whois for 196.11.146.71 : risk[at]vodacom.co.za
spampolice[at]vodamail.co.za bounces (241 sent : 121 bounces)
Using best contacts
No reporting addresses found for 196.11.146.71, using devnull for tracking.
Statistics:
196.11.146.71 listed in bl.spamcop.net (127.0.0.2)
More Information..
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.8 )
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.9 )
196.11.146.71 not listed in cbl.abuseat.org
196.11.146.71 not listed in dnsbl.sorbs.net
No valid email addresses found, sorry!

	* There are several possible reasons for this: The site involved may not want reports from SpamCop.
	* SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
	* SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
	* There may be no working email address to receive reports. 

Houston, we have a problem :unsure:

Edited by Derek T

Houston, we have a problem :unsure:

Thanks Guys.

One thing I forgot to mention is that most of the people are using Vodacom as their ISP to connect to the net using their 3G network; it seems like the public address which is assigned is blacklisted.


Assuming that the problem is not a compromised mail server, which seems to rarely be the case, there are a couple of good solutions to this problem:

1) If you have, or can get, multiple public IP addresses, use one IP address for the mail server, and a separate IP address for your NAT.

2) Configure your router to deny all Outbound traffic, with a destination port of 25, and a source IP address OTHER than the mail server.

An even better solution would be to do BOTH of these items if possible.

Of course, this is just a stop-gap measure. The real solution is going to be finding the infected machine or machines on the network and getting it cleaned, but 1 and 2 above should get your IP to quit sending spam so that you can get delisted quickly while tracking down the bad machine.

Edited by Telarin
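The same rule that suggestion 2 blocks on (destination port 25, source other than the mail server) also identifies which internal machine to clean. The following Python sketch is an added example, not part of the original post: it ranks internal hosts that open outbound SMTP connections directly, using the mail server's local address from the first post. The log lines are constructed and assume a gateway that logs in Linux netfilter LOG style, since the thread does not say what router is in use; the function name is hypothetical.

```python
import re
from collections import Counter

MAIL_SERVER = "172.17.0.6"  # the mail server's local address, from the first post

# Constructed gateway log lines in Linux netfilter LOG style (assumed format;
# the thread does not say what router or firewall is in use).
SAMPLE_LOG = """\
May  7 09:58:01 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.6 DST=198.51.100.10 PROTO=TCP SPT=41022 DPT=25 SYN
May  7 09:58:03 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=203.0.113.5 PROTO=TCP SPT=50311 DPT=25 SYN
May  7 09:58:03 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=203.0.113.77 PROTO=TCP SPT=50312 DPT=25 SYN
May  7 09:58:04 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=192.0.2.14 PROTO=TCP SPT=50313 DPT=25 SYN
May  7 09:58:09 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.41 DST=198.51.100.10 PROTO=TCP SPT=49877 DPT=25 SYN
May  7 09:58:11 gw kernel: IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=192.0.2.80 PROTO=TCP SPT=50320 DPT=443 SYN
"""


def direct_smtp_senders(log_text, allowed=(MAIL_SERVER,)):
    """Rank internal hosts, other than the mail server, that open TCP/25 outbound.

    Returns [(src_ip, connections, distinct_destinations)], busiest first.
    """
    conns = Counter()
    dests = {}
    for line in log_text.splitlines():
        # Netfilter LOG lines carry KEY=value fields; collect them per line.
        f = dict(re.findall(r"\b([A-Z]+)=(\S+)", line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # not outbound SMTP
        src = f.get("SRC")
        if src is None or src in allowed:
            continue  # the mail server itself is expected to use port 25
        conns[src] += 1
        dests.setdefault(src, set()).add(f.get("DST"))
    return [(src, n, len(dests[src])) for src, n in conns.most_common()]


if __name__ == "__main__":
    for src, n, distinct in direct_smtp_senders(SAMPLE_LOG):
        print(f"{src}: {n} port-25 connections to {distinct} destinations")
```

A workstation that contacts many different destinations on port 25 in a short time is the first one to inspect.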