Jump to content

Email blocked while using ISP relay


Recommended Posts

One of my clients using a Dynamic IP from CableVision (Optimum Online) is getting email blocked, and the message points to their Dynamic IP. I have the exchange server configured to relay via CableVision, which was preventing blacklists from picking them up until last week.

Here is the relevant info:

Client IP Address: 24.186.106.144

Optimum Online Relay: mail.optonline.net (Configured via SMTP Connector)

------------------Header (from the forwarded rejection notice)-----------------

Received: from mta2.srv.hcvlny.cv.net (167.206.4.197) by

remote.teamsharptech.com (10.1.0.15) with Microsoft SMTP Server id 8.1.358.0;

Fri, 29 May 2009 15:16:12 -0400

Received: from irinabrokerage.com (ool-18ba6a90.dyn.optonline.net

[24.186.106.144]) by mta2.srv.hcvlny.cv.net (Sun Java System Messaging Server

6.2-8.04 (built Feb 28 2007)) with ESMTP id

<0KKF00B7L6UVI570[at]mta2.srv.hcvlny.cv.net> for support[at]teamsharptech.com; Fri,

29 May 2009 15:16:08 -0400 (EDT)

Date: Fri, 29 May 2009 15:16:04 -0400

From: Elvina Habibutdinova <Elvina[at]irinabrokerage.com>

Subject: FW: Nexus WC0469562

To: <support[at]teamsharptech.com>

Message-ID: <FEABB04918C9F24CA901E967674C2965075528[at]IRI-SVR-01.iri.local>

MIME-Version: 1.0

X-MIMEOLE: Produced By Microsoft Exchange V6.5

Content-Type: multipart/alternative;

boundary="Boundary_(ID_RpVO6CvcNdq7avpwOhPxNg)"

Content-Class: urn:content-classes:message

Thread-topic: Nexus WC0469562

Thread-index: AcnfuaQ8dJGf6qg/QSSu9JTHMBbqyAAABalcADYJGDA=

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

Return-Path: Elvina[at]irinabrokerage.com

X-MS-Exchange-Organization-PRD: irinabrokerage.com

X-MS-Exchange-Organization-SenderIdResult: None

Received-SPF: None (TEAMSTS-DC-01.teamsts.local: Elvina[at]irinabrokerage.com

does not designate permitted sender hosts)

X-MS-Exchange-Organization-SCL: 0

X-MS-Exchange-Organization-PCL: 2

X-MS-Exchange-Organization-Antispam-Report: DV:3.3.7719.600;SV:3.3.7727.262;SID:SenderIDStatus None;OrigIP:167.206.4.197

X-TM-AS-Product-Ver: SMEX-8.2.0.1103-5.600.1016-16672.001

X-TM-AS-Result: No--8.627900-5.000000-31

X-TM-AS-User-Approved-Sender: No

X-TM-AS-User-Blocked-Sender: No

----------------------------------Email Header---------------------

--------------------Email Body--------------------------------

From: System Administrator

Sent: Thursday, May 28, 2009 1:29 PM

To: Elvina Habibutdinova

Subject: Undeliverable: Nexus WC0469562

Your message did not reach some or all of the intended recipients.

Subject: Nexus WC0469562

Sent: 5/28/2009 1:28 PM

The following recipient(s) cannot be reached:

%username%[at]appund.com on 5/28/2009 1:28 PM

The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

<mta4.srv.hcvlny.cv.net (tcp-daemon) #5.0.0 smtp;554 Service unavailable; Client host [mta4.srv.hcvlny.cv.net] blocked by bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?24.186.106.144>

---------------------Email Body-----------------

I realize that any email sent from the dymanic IP should get rejected, but shouldn't the relay take care of that? Am I missing something?

Thank you!

James King

Link to comment
Share on other sites

One of my clients using a Dynamic IP from CableVision (Optimum Online) is getting email blocked, and the message points to their Dynamic IP.

<snip>

I realize that any email sent from the dymanic IP should get rejected, but shouldn't the relay take care of that? Am I missing something?

Thank you!

James King

Hi, James,

...My suspicion would be that your client is the victim of malware that is using her/his PC as a zombie or spambot and thus is not sending the spam through the relay.

Link to comment
Share on other sites

I am not a server admin and I don't understand about relays. However, some blocklists may not determined on the IP address of the mail server, but on the IP address of the person sending to that mail server. (I remember there was a big discussion because gmail didn't reveal the IP addresses of the clients who were using their servers to spam so the gmail servers got listed)

If that is true, then your friend's dynamic IP could be listed even if it went through a relay to a mail server. And that would explain why zombies might be implicated.

I may be all wrong.

Miss Betsy

Link to comment
Share on other sites

One of my clients using a Dynamic IP from CableVision (Optimum Online) is getting email blocked, and the message points to their Dynamic IP. I have the exchange server configured to relay via CableVision, which was preventing blacklists from picking them up until last week.

I realize that any email sent from the dymanic IP should get rejected, but shouldn't the relay take care of that? Am I missing something?

Just to put a point on the scenario .... your words seem to state that you knowingly have things configured to try to 'hide' the source of the e-mail. That's a poor idea for a large number of reasons.

http://www.spamcop.net/sc?id=z2964149267z1...ca83d2cc689938z shows that the SpamCop Reporting Parser isn't fooled by the configuration and flow. Note, in particular, the 'special' line;

24.186.106.144 is an open proxy

This foes right along with the data found at http://www.spamcop.net/w3m?action=blcheck&...=24.186.106.144

24.186.106.144 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

See the Why am I Blocked? entry for more explanation of that particular situation.

http://www.senderbase.org/senderbase_queri...=24.186.106.144

Date of first message seen from this address 2009-05-14

DNS-based blocklists

dnsbl.sorbs.net

bl.spamcop.net

cbl.abuseat.org

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ........ 4.4 .. 64%

Last month .... 4.2

Why is someone that's putting out numbers heading towards 100,000 e-mails a day not using a dedicated host somewhere?

From this side of the screen, if you actually gave a damn about things, you'd be slam-dunking your client and put a stop to the spew from his/her system/network .. or is it that you're already charging that client some excessive amounts of money to pay for the bandwidth consumption?

Link to comment
Share on other sites

Just to put a point on the scenario .... your words seem to state that you knowingly have things configured to try to 'hide' the source of the e-mail. That's a poor idea for a large number of reasons.

http://www.spamcop.net/sc?id=z2964149267z1...ca83d2cc689938z shows that the SpamCop Reporting Parser isn't fooled by the configuration and flow. Note, in particular, the 'special' line;

24.186.106.144 is an open proxy

Why is someone that's putting out numbers heading towards 100,000 e-mails a day not using a dedicated host somewhere?

From this side of the screen, if you actually gave a damn about things, you'd be slam-dunking your client and put a stop to the spew from his/her system/network .. or is it that you're already charging that client some excessive amounts of money to pay for the bandwidth consumption?

Comcast claimed that they were not spamming, that they monitor all traffic on Port 25, so I decided to post here, but WOW. I ask for genuine help and get blasted by the admin. Consider for a second that this is a tiny client, 4 employees, who as I am sure you have dealt with do not want to spend money to do things right.

Believe me, she will get, as you say,"Slam-Dunked". Her initial coorespondence to us was in fact blaming us for being on blacklists when she already paid to have them removed before, hence the relay. Her antvirus did not pick up any Zombies. Thanks for you help, I have something to bring back to her door now.

James King

Link to comment
Share on other sites

<snip>

but WOW. I ask for genuine help and get blasted by the admin. Consider for a second that this is a tiny client, 4 employees, who as I am sure you have dealt with do not want to spend money to do things right.

<snip>

Hi, James,

...From my naive perspective, it seems to me that Wazoo (yes, he is the Forum admin but his post was not, IMHO, raised as the admin) raised a valid point (and his "seem to state" does not suggest to me a "blast" but, rather, an implicit question) that your reply ("tiny client, ...") does not address. If you are not "try[ing] to 'hide' the source of the e-mail [behind a relay]," you might say so and relieve Wazoo's concern; if you believe that Wazoo's point isn't relevant, you might explain why you believe it isn't.

Link to comment
Share on other sites

...From my naive perspective, it seems to me that Wazoo (yes, he is the Forum admin but his post was not, IMHO, raised as the admin) raised a valid point (and his "seem to state" does not suggest to me a "blast" but, rather, an implicit question) that your reply ("tiny client, ...") does not address. If you are not "try[ing] to 'hide' the source of the e-mail [behind a relay]," you might say so and relieve Wazoo's concern; if you believe that Wazoo's point isn't relevant, you might explain why you believe it isn't.

Point well taken, it just seems to me that when an admin accuses you of both not giving a damn and milking your client, it seems to dwarf any valid point he may have made.

Again, I do appreciate the help provided here. Thank you.

James King

Link to comment
Share on other sites

A machine at that IP is infected with Cutwail/Pandex (same malware, it just goes by different names).
How could I have determined this externally for myself?
One way (to do it) - IP is/was listed in a number of BLs (robtex, whatever, for listings at any given time), including CBL. Check CBL - http://cbl.abuseat.org/lookup.cgi which currently says (my emphasis)
IP Address 24.186.106.144 is currently listed in the CBL.

It was detected at 2009-06-04 14:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: If you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL eventually stop letting you delist it and you will have to contact us directly.

This is the cutwail2 spamBOT

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers. Please see our recommendations on NAT firewalls

The Microsoft MSRT (Malicious Software Removal Tool) stands a good chance of being able to find/remove the malicious software. If you can find which machine the malware is on.

Request delisting of 24.186.106.144.

[Edit] Oh yeah, then searching on Symantec for aliases, using cutwail:
Trojan.Pandex | Symantec

Also Known As: Win32/Cutwail.B [Computer Associates], Win32/Cutwail.C [Computer Associates], Win32/Cutwail.M [Computer Associates], W32/Agent.BOY [F-Secure], Troj/Pushdo-B [sophos]

Link to comment
Share on other sites

... WOW. I ask for genuine help and get blasted by the admin. Consider for a second that this is a tiny client, 4 employees, who as I am sure you have dealt with do not want to spend money to do things right.

Believe me, she will get, as you say,"Slam-Dunked". Her initial coorespondence to us was in fact blaming us for being on blacklists when she already paid to have them removed before, hence the relay.

Wazoo put it a little bit bluntly, but from an end-user's point of view, all that's between me and some ignorant, reckless computer user who is spewing spam in my direction are their server admins. Only the server admins are in a position to know which computer is either deliberately, or inadvertently because of infection, spewing spam. The only way to control spam is from the /sending/ end.

Too often (and Comcast was one of the worst) server admins look at the bottom line rather than whether the computers under their control are clean. If you had looked 'from this side of the screen' enough times at the irresponsible ways that server admins use to avoid being blacklisted and allow spam to spew so that they don't lose a customer, you might also be a little 'blunt' in your statements. He didn't actually accuse you of doing those things, but only said that it looked like it. I suspect that if he had believed you actually were doing that, he wouldn't have given you any help whatsoever. The fact that you came here asking for help probably means that you are not and I can't think of a good comparison at the moment, but sometimes telling people that what they are doing doesn't 'look good' is a helpful thing to do. Other competent server admins might not even be willing to answer your questions at all if you looked as though you were using spammer tricks from 'their side of the screen.'

I hope that one of the things you learned is to not try to avoid blocklists by hiding behind a relay - it is not the responsible way. Also, not to ignore valid points because you don't like the way they are delivered. And, that's not easy to do when one is already frustrated and upset because of a problem. It's also easy to not see the notice that says this is a 'peer to peer' forum - no one here is anything other than a user who is willing to help other users.

I hope now that you have solved your problem, that you will be able to see Wazoo's comments in a different light.

Miss Betsy

Link to comment
Share on other sites

Comcast claimed that they were not spamming, that they monitor all traffic on Port 25,

ComCast .. they that do not and never did spam (until they figured out just how 'famous' they had become) ... ComCast, they that did not and never did any type of client throttleing on folks using applications like BitTorrent (until the class-action suit was brought into the picture, the FCC got involved, etc.) .. yeah, you can trust them, especially if you are only talking to a tier-1 support droid.

so I decided to post here, but WOW. I ask for genuine help and get blasted by the admin. Consider for a second that this is a tiny client, 4 employees, who as I am sure you have dealt with do not want to spend money to do things right.

And 'getting blasted' means that there's no reason to look at the data, not make any attempt at researching and/or validating any of the data brought up? As stated/suggested/queried for instance .. only 4 people involved with sending out approximately 100,000 e-mails a day ????? (Noting that Farelf's last post in http://forum.spamcop.net/forums/index.php?showtopic=4556 suggests that the actual number might be closer to 200,000+ e-mails a day.) Just what business might they be in, besides "high-speed delivery of important advertising/informational text and graphic material" ?????

Still increasing apparently; http://www.senderbase.org/senderbase_queri...=24.186.106.144

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.2 .. 4%

Last month .. 4.2

Believe me, she will get, as you say,"Slam-Dunked". Her initial coorespondence to us was in fact blaming us for being on blacklists when she already paid to have them removed before, hence the relay.

Ouch!!!! So the thoughts and comment about 'extra money involved' wasn't that far off the mark after all. Shame.

Her antvirus did not pick up any Zombies.

A story often seen in these parts. One of the reasons that there are so many anti-virus/trojan/malware/root-kit/on and on and on tools out there are based on exactly that issue .... above and beyond that these tools are 'reactive' in general, meaning 'after the fact'

Thanks for you help, I have something to bring back to her door now.

No problem .. remember, it's 'my InBox' I'm trying to protect <g>

Link to comment
Share on other sites

it just seems to me that when an admin accuses you of both not giving a damn and milking your client, it seems to dwarf any valid point he may have made.
You hit the nail on the head!

Welcome to the user support forums. Wear your flame-proof underwear.

- Don D'Minion - SpamCop Admin -

Link to comment
Share on other sites

You hit the nail on the head!

Welcome to the user support forums. Wear your flame-proof underwear.

I ALWAYS wear flame proof underwear when posting in any internet forum... Its just seems like a good "best practice" to me...

Link to comment
Share on other sites

You hit the nail on the head!

Welcome to the user support forums. Wear your flame-proof underwear.

Thanks for the "official" response that would appear to condone the actions taken by Topic Starter .... asking for and taking an "extra fee" for the purpose of attempting to cloak the source of e-mail from an infected/compromised/spamming client .. and not once mentioning that the actual cause of the problem was even attempted to be resolved at the client's level. Much appreciated by all concerned. Thanks for your time, interest, and input. Sorry you seem to have totally missed the point.

http://www.senderbase.org/senderbase_queri...=24.186.106.144

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 3.9 .. -54%

Last month .. 4.2

Having to wonder if this is a sign that cleanup has begun or that the 'client' has changed to a 'new' IP Address ...????

Link to comment
Share on other sites

<snip>

Sorry you seem to have totally missed the point.

<snip>

And, yet again, you win the "Missed it by a Mile" award in the advanced conclusion jumping category.

<snip>

...This off-topic and pointless sniping drivel is really getting old. Take it to the Lounge forum or one of the less public forums so the rest of us don't have to see this nonsense and we can concentrate on actually addressing the issues and questions being raised by the OPs.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...