vidarh Posted January 17, 2013

Yesterday I discovered one of our hosts was in the SCBL. I looked things over, and thought we'd eliminated the source, and requested delisting. But this morning it was listed again, and with some more work I uncovered a compromised user account that was being used to send spam. Killed the processes, and I'm in the process of wiping everything clean, and I've amped up our logging of mail activity on our firewall. (The IP address is 195.224.183.208.)

However, I'm wondering what I can do to ensure I receive reports in the future?

In the past our ISP has forwarded reports as they've received them, with suitably ominous language about "taking it very seriously", but recently they seem to have gotten quite useless at this. We've heard nothing about this most recent block, for example, despite the summary report listing 1695 spamtrap hits. I'm not happy about that, and we're requesting an explanation for why they've not passed anything on. And as much as I'd love to change colo (not *just* because of this, but it's part of a pattern), that's not a quick process...

Our /29 is registered to them, and so I assume that's why we've not seen any reports even though the IP in question in this case reverse maps to our domain name.

Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.

If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.

Thanks in advance.
petzl Posted January 17, 2013

> Yesterday I discovered one of our hosts was in the SCBL. I looked things over, and thought we'd eliminated the source, and requested delisting. But this morning it was listed again, and with some more work I uncovered a compromised user account that was being used to send spam. Killed the processes, and I'm in the process of wiping everything clean, and I've amped up our logging of mail activity on our firewall. (The IP address is 195.224.183.208.)
>
> However, I'm wondering what I can do to ensure I receive reports in the future?
>
> Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.
>
> If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.
>
> Thanks in advance.

The email server appears to be infected (botnet):
http://cbl.abuseat.org/lookup.cgi?ip=195.224.183.208
This link advises how to eliminate the infection.

How can I get SpamCop reports about my network?
http://www.spamcop.net/fom-serve/cache/94.html
Derek T Posted January 17, 2013

> In the past our ISP has forwarded reports as they've received them, with suitably ominous language about "taking it very seriously", but recently they seem to have gotten quite useless at this. We've heard nothing about this most recent block, for example, despite the summary report listing 1695 spamtrap hits. I'm not happy about that, and we're requesting an explanation for why they've not passed anything on.
>
> Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.
>
> If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.
>
> Thanks in advance.

First, thank you very much for your efforts to clean up your server and reduce the amount of spam in the world. It really is very much appreciated.

As regards spamtrap hits, don't blame your ISP - NO REPORTS ARE SENT! This is to protect the security of the spamtraps.

Lastly, this from the FAQ, but I don't know if it helps as it refers only to summary reports:

> How can I get SpamCop reports about my network?
>
> Report routing
>
> Anyone may receive summary reports about any netspace they specify. To receive reports, first create an ISP account. Once you have logged in with your new account, use the "Request Reports" menu item to specify which networks you would like to receive reports about. At any time, you may use the "show routes" menu item to view which networks you are configured to receive reports about. In addition, your ISP account allows you to spot-check any IP address for recent reports.
vidarh Posted January 17, 2013 (Author)

> The email server appears to be infected (botnet):
> http://cbl.abuseat.org/lookup.cgi?ip=195.224.183.208
> This link advises how to eliminate the infection.

Thank you for the reply, but please see the first paragraph I wrote. I am fully aware of this. I did find the "infection" (actually it was a stupid user with an insecure password that had been guessed) after it was blocked again this morning.

> How can I get SpamCop reports about my network?
> http://www.spamcop.net/fom-serve/cache/94.html

As I said in my original message, I have already signed up for the summary reports. My question is about the full reports, to make it easier for me to respond and identify the source quickly. I've read that link, and it only covers the summary reports.

Thanks anyway.
vidarh Posted January 17, 2013 (Author)

> As regards spamtrap hits, don't blame your ISP - NO REPORTS ARE SENT! This is to protect the security of the spamtraps.

I knew they wouldn't send out much detail, but no reports at all? Oh well.

In any case, according to the summary report there were user reports as well, and we haven't seen those either, and I know my ISP has forwarded those in the past. Hopefully there is a way... I've raised this with both our account manager and our ISP's support/abuse team, but I'm not holding my breath about getting them to react.

Thanks anyway.
petzl Posted January 17, 2013

> As I said in my original message, I have already signed up for the summary reports. My question is about the full reports, to make it easier for me to respond and identify the source quickly.

Looks to me like the IP is still hitting spamtraps?
https://www.senderscore.org/lookup.php?look...mp;ipLookup.y=2

The reports sent are going to abuse[at]gxn.net?

The SpamCop block list is the least of your problems! Hit Hotmail's and they block your server IP permanently. The same has happened to SpamCop email; you are not alone.

Is there a way for you to limit your customers to, say, a maximum 10-recipient list?

Naive users are a problem in giving passwords away or using insecure ones. Suggest a format that all user passwords start with:
- first letter of name: Joe
- number of home post box: 007
- an equals sign: =
- then their alphanumeric password containing a capital letter, no less than 8 alphanumerals: paSSword10
Result: J007=paSSword10
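The thread's root cause was a guessed password on a user account that then pumped spam through the server, and petzl's suggestion above is a per-message recipient cap. The following is an added example, not code from the thread or from SpamCop: it joins Postfix-style SASL authentication lines to queue-manager lines by queue id and flags accounts whose outbound pattern looks hijacked (oversized recipient lists, high total volume, or authentication from a client with no reverse DNS). The log lines, hostnames and addresses are constructed; the thresholds are assumptions a site would tune.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log lines (not from the thread's server): "joe" behaves like a hijacked account, "ann" like a normal user.
SAMPLE_LOG = """\
Jan 17 03:01:02 mx postfix/smtpd[123]: A1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=joe
Jan 17 03:01:03 mx postfix/qmgr[99]: A1: from=<joe@example.net>, size=1200, nrcpt=45 (queue active)
Jan 17 03:01:10 mx postfix/smtpd[123]: A2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=joe
Jan 17 03:01:11 mx postfix/qmgr[99]: A2: from=<joe@example.net>, size=1200, nrcpt=50 (queue active)
Jan 17 09:12:00 mx postfix/smtpd[124]: B1: client=office.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=ann
Jan 17 09:12:01 mx postfix/qmgr[99]: B1: from=<ann@example.net>, size=3400, nrcpt=2 (queue active)
"""

AUTH_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")

def summarize_senders(log_text):
    """Join each authenticated smtpd line to its qmgr line by queue id and
    total messages, recipients and client hosts per SASL user."""
    qid_owner = {}  # queue id -> (user, client)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "max_nrcpt": 0, "clients": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            qid_owner[m["qid"]] = (m["user"], m["client"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in qid_owner:
            user, client = qid_owner[m["qid"]]
            n = int(m["n"])
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += n
            s["max_nrcpt"] = max(s["max_nrcpt"], n)
            s["clients"].add(client)
    return dict(stats)

def flag_suspicious(stats, max_nrcpt=10, max_recipients=100):
    """Return {user: [reasons]} for accounts whose outbound pattern looks hijacked.
    Postfix logs a client with no reverse DNS as unknown[ip]; assumed thresholds."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["max_nrcpt"] > max_nrcpt:
            reasons.append(f"{s['max_nrcpt']} recipients in one message (limit {max_nrcpt})")
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients total (limit {max_recipients})")
        if any(c.startswith("unknown[") for c in s["clients"]):
            reasons.append("authenticated from a client without reverse DNS")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Run it against the real mail log instead of SAMPLE_LOG and the flagged user is the account to lock and reset before requesting delisting again.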
Farelf Posted January 17, 2013

Doesn't appear to be an abuse.net entry for aardvarkmedia.co.uk - if you are able to set one up that may go some way to you being able to access reports (from some sources at least).

Also, there appear to have been changes to the abuse handling of your network IP address allocation, according to RIPE lookup. SpamCop, as has been said, would forward reports (concerning reporter submissions only, not spamtrap hits) to abuse[at]gxn.net. But RIPE says:

    % Information related to '195.224.183.0/24AS5413'
    route:          195.224.183.0/24
    descr:          Vialtus Solutions
    origin:         AS5413
    member-of:      AS5413:RS-CUSTOMER
    remarks:
    remarks:        ------------------------------------------------------
    remarks:
    remarks:        Please direct Abuse complaints to mailto:abuse[at]vialtus.com
    remarks:        Complaints directed elsewhere will not be actioned.
    remarks:
    remarks:        ------------------------------------------------------
    remarks:
    mnt-by:         AS5413-MNT
    source:         RIPE # Filtered

So maybe that is part of the problem?

Actually, although the SCBL listing may have been due to spamtrap hits, there has been a number of reporter submissions (generating reports) in recent days which could have helped you with their detail - only the earliest of those was "on the books" when you first registered with this forum. They are, in summary:

Submitted: Thursday, 17 January 2013 12:28:45 AM +0800: Attention please
  5902339514 ( 195.224.183.208 ) To: [concealed user-defined recipient]
  5902339513 ( 195.224.183.208 ) To: abuse[at]gxn.net

Submitted: Wednesday, 16 January 2013 8:50:17 AM +0800: I liked your photos
  5902126777 ( http://rallyrollef.okis.ru/index.html ) To: postmaster[at]mnogobyte.ru
  5902126776 ( 195.224.183.208 ) To: abuse[at]gxn.net

Submitted: Tuesday, 15 January 2013 8:25:04 AM +0800: I am looking for a serious relationship with a man
  5901628967 ( http://vk.cc/1bL43z ) To: cfo[at]vkontakte.ru
  5901628966 ( 195.224.183.208 ) To: abuse[at]gxn.net

Submitted: Tuesday, 15 January 2013 8:25:02 AM +0800: Lady looking a man for serious relationship
  5901628910 ( http://7chmqv0.pisem.su/ ) To: abuse[at]relax.ru
  5901628909 ( http://7chmqv0.pisem.su/ ) To: abuse[at]mtu.ru
  5901628908 ( 195.224.183.208 ) To: abuse[at]gxn.net

Submitted: Monday, 14 January 2013 10:27:35 PM +0800: Pending Invoice
  5901512529 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]aussiehq.com.au
  5901512528 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]aussiehq.com.au
  5901512527 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]aussiehq.com.au
  5901512526 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]aussiehq.com.au
  5901512525 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]uber.com.au
  5901512524 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]uber.com.au
  5901512523 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]uber.com.au
  5901512522 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]uber.com.au
  5901512521 ( 195.224.183.208 ) To: abuse[at]gxn.net

Perhaps you should write to the SpamCop Administrator (Don D'Minion) about the report routing - looks like it has been unchanged since 2004 - his address is: service[at]admin.spamcop.net

Thanks for your anti-spam efforts and I hope this helps you to further progress them.
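Farelf's point is that the registry's route object names a different abuse contact (in a free-text remarks: line) from the address SpamCop reports are routed to. This added example, not code from the thread or from RIPE, parses an RPSL-style object into its attributes, pulls abuse addresses out of abuse-mailbox: or mailto: remarks, and reports any that differ from the configured routing address. The network, AS number, maintainer and addresses in the sample object are placeholders, not the thread's real data.

```python
import re

# Constructed RIPE-style route object with placeholder values (not the thread's real object).
RIPE_OBJECT = """\
% Information related to '192.0.2.0/24AS64496'

route:          192.0.2.0/24
descr:          Example Upstream
origin:         AS64496
remarks:        ------------------------------------------------------
remarks:        Please direct Abuse complaints to mailto:abuse@upstream.example
remarks:        Complaints directed elsewhere will not be actioned.
remarks:        ------------------------------------------------------
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered
"""

MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_rpsl(text):
    """Parse 'attribute: value' lines into {attribute: [values]}. RPSL objects
    repeat attributes such as remarks:, so every value is kept; lines starting
    with % (server comments) and blank lines are skipped."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            obj.setdefault(key.strip(), []).append(value.strip())
    return obj

def abuse_contacts(obj):
    """Collect abuse addresses: a formal abuse-mailbox: attribute first, then
    any mailto: address buried in free-text remarks, as in the thread's object."""
    found = []
    for value in obj.get("abuse-mailbox", []):
        found += MAIL_RE.findall(value)
    for value in obj.get("remarks", []):
        if "mailto:" in value.lower():
            found += MAIL_RE.findall(value)
    return list(dict.fromkeys(a.lower() for a in found))  # dedupe, keep order

def routing_mismatch(obj, configured_report_address):
    """Return the registry's abuse contacts that differ from where reports are
    currently routed; a non-empty list means the routing needs updating."""
    configured = configured_report_address.lower()
    return [a for a in abuse_contacts(obj) if a != configured]
```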
turetzsr Posted January 18, 2013

...Another approach that might work for you: review my reply in SpamCop Forum article "Summary Reports Received."

...Good luck!
petzl Posted January 18, 2013

> ...Another approach that might work for you: review my reply in SpamCop Forum article "Summary Reports Received."
>
> ...Good luck!

The reality is that this provider sucks at email and needs to consider turning over accounts to people who can provide reliable email service.
http://multirbl.valli.org/dnsbl-lookup/195.224.183.208.html
Presently seems near a world record at being listed by 26 blacklists?

Gmail will handle this problem cheaply and effectively.
Farelf Posted January 18, 2013

> ...presently seems near a world record at being listed by 26 blacklists?

...I think practically all of those were listed in the past several days; it was effectively only listed on CBL and (IIRC) Technovision ST when the O/P started looking for answers - we all know what damage a spammer/hacker can do and how quickly, when they get a chance. The network/domain (aardvarkmedia.co.uk) appears to have been remarkably "clean" for years before that AFAICT and should be given credit for that, I reckon.
petzl Posted January 18, 2013

> I think practically all of those were listed in the past several days; it was effectively only listed on CBL and (IIRC) Technovision ST when the O/P started looking for answers - we all know what damage a spammer/hacker can do and how quickly, when they get a chance. The network/domain (aardvarkmedia.co.uk) appears to have been remarkably "clean" for years before that AFAICT and should be given credit for that, I reckon.

Senderscore is now turning up 5, from 2, so fewer spamtraps are being hit. SpamCop's SMTP is 99.