
taphilo.com domain listed


taphilo


It's early in the morning which may be why I am confused.

Did you actually send any emails that were blocked/rejected?

Or are you just receiving 'bounce emails' to the forged return path (forged with your email address)? 'bounce emails' are not rejections at the server level. They are emails sent to the return path. Rejections at the server level return to the sending server with a code that your ISP translates into a bounce message to you.

So, if the server that you send emails from is on a blocklist, *your* emails will return to you saying that your email is blocked due to spam activity.

However, getting bounce emails to your forged email address for emails that you never sent has nothing to do with the spamcop blocklist unless the sending ISP is using the spamcop blocklist to tag suspected email (by the IP address, not the email address) and then sending the notification to the return path (not the IP address that was tagged) - which they should not be doing. The IP address that is suspected of spam is 64.224.219.86, but that doesn't seem to be an IP address for the server you are using to send email. Did you send an email to scott at TNT?

And you might want to edit your post and take out all the email addresses so that the spammers don't pick them up. Email addresses are not used for understanding where an email came from - only IP addresses. You can substitute MYEmail [at] MyDomain if you think that your email address is pertinent to the discussion.

Miss Betsy


You're not alone Miss Betsy .. lots of stuff here to get confused about. Let's start with that there is a continued mix of "my problem" and "my problem at work" that's not really helpful to either one specifically.

Now we have signs that Lotus Notes is involved, so there's more to the issue.

Then we have an instance where the current check of the SpamCop DNSbl shows that the "my IP" was blocked for 3 days, but the only sample is dated back around December of 03 ..... then offered up is some long story bounce message that suggests that the "my IP" was seen as a spam source but not identifying where/why that determination was made. However, going over to http://www.moensted.dk/spam/?addr=64.224.2...6&Submit=Submit shows lots of reasons for someone rejecting incoming from that IP.

So I would say the "my IP" issue isn't one that has impact caused by SpamCop, again, SpamCop being the least drastic of the BL's. Getting off of some of these other BL's is going to be a major bit of work.

The "my problem at work IP" seems to be a bit of a lost cause here ... as previously mentioned, the IP's offered show up as "no record of this IP" in the SpamCop DNSbl (which at best goes back to somewhere around 5 March for the last known database issue) So we're still lost on the accusation of a "no record of this IP" being described as a "SpamCop identified the associated Domain as a spam Domain" ...????

Requesting outside help is out of the question = I am not allowed to, and only people in our security office can request things like that be done against our systems. But then we have all sorts of outside Federal people always coming in since we are Federal, so being checked for all types of vulnerabilities goes on all the time.

I'm even lost here .... can't ask for outside help ... is this in response to my suggestion of talking to other 3-letter Agency folks for assistance? That's an odd response, especially in these days and times, as there are even 4-letter and 5-letter organizations that are supposed to be on top of these "security" issues. But then this is turned around by stating that "outside people" are always coming in ...

Nope, the story isn't getting told straight. Best thing to suggest is to have taphilo pick one subject and focus on it. The government side of the conversation either needs to be in its own Topic or just simply dropped. The smattering of the oh-by-the-way tidbits of data aren't doing anything but confusing the "my IP" problem ... which again, appears to really be an issue in BL's other than SpamCop's ....


Here is a header from a recent reject that ended up in my mail box. Of course all the e-mail addresses shown in the rejects are totally random and false. Same type of thing that I saw as coming from my taphilo.com domain.

Received: from valvur.sm.ee ([172.20.1.1])
    by domino.sm.ee (Lotus Domino Release 5.0.11)
    with ESMTP id 2004042820381712:13134 ;
    Wed, 28 Apr 2004 20:38:17 +0300
Received: Message by Barricade valvur.sm.ee with SMTP id i3SHcGvc007398
    for <anne.poll[at]sm.ee>; Wed, 28 Apr 2004 20:38:16 +0300
Received: from wizard.online.ee/194.106.96.27 by Barricade SMTP gate; Wed Apr 28 20:37:26 2004
Received: (qmail 15717 invoked by uid 79); 28 Apr 2004 20:37:08 +0300
Received: from TYBBZMNEF[at]nobug.org by wizard by uid 78 with qmail-scanner-1.20rc3
    (clamuko: 0.60 Clear:RC:0:.
    Processed in 0.927191 secs); 28 Apr 2004 20:37:08 +0300
Received: from unknown (HELO 194.106.96.27) (218.56.34.74)
    by wizard.online.ee with SMTP; 28 Apr 2004 20:37:07 +0300

218.56.34.74 is listed as compromised in the xbl.spamhaus.org and other DNSbls.

Received: from 120.96.192.51 by 218.56.34.74; Thu, 29 Apr 2004 14:27:41 +0400

This line is apparently fake, especially since 120.96.192.51 is not allocated according to the lookup I just did.

So it looks like a spammer picked up one of your e-mail addresses, and sent spam through a compromised computer at 218.56.34.74.

Above was the header in the HTML encoded e-mail that was bounced back to me and the headers of the bounce message:

Received: from valvur.sm.ee (valvur.sm.ee [62.65.34.146])
    (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
    (No client certificate requested)
    by mx.easystreet.com (Postfix) with ESMTP id 0F9F02F0185
    for <TYBBZMNEF[at]nobug.org>; Wed, 28 Apr 2004 10:36:27 -0700 (PDT)

Instead of using an SMTP reject code because the destination user did not exist, the remote mail system generated a bounce.

This is why using bounces instead of SMTP rejects is bad.

This was probably a real bounce message, but some end-user spam filters have "fake" bounce functions that their users can use to abuse other spam victims with.

Your options with these bounce messages are:

1. Delete them.

2. Complain to the abuse and postmaster addresses for the I.P. address of where your mail server received the bounce from that they are abusively bouncing spam instead of using SMTP reject codes.

3. If you can control your mail server, and it allows configuring a MILTER, the MILTER can be programmed to reject these useless bounce messages with 550 codes and a text message of "misdirected bounces to forged addresses not accepted here."

From your previous postings, it does not look like you have option 3.

But those bounces and forgeries will not cause your I.P. addresses to be listed by spamcop.net. The spamcop.net parser does not pay any attention to the domain names that spam claims to come from.

So this side issue can be closed.

-John

Personal Opinion Only


As Wazoo has stated,

The first two are just something abusively bouncing spam that has forged your domain names. That just means that your e-mail is being used by a spammer, and has absolutely nothing to do with the mail servers that your domain uses being listed by the spamcop.net and other DNSbls.

TNT Software subscribes to SPAMCOP and the original reject was via SPAMCOP message stating that it was rejected by it.

A more recent reject by TNT was via RBL6

Reporting-MTA: dns; mail12.atl.registeredsite.com

Received-From-MTA: DNS; imta01a2.registeredsite.com

Arrival-Date: Tue, 13 Apr 2004 03:04:21 GMT

Final-Recipient: RFC822; scott[at]TNTSoftware.com

Action: failed

Status: 5.7.1

Remote-MTA: DNS; mail.tntsoftware.com

Diagnostic-Code: SMTP; 550 5.7.1 Your message from 64.224.219.86 has been identified by RBL6 as potential spam or other unwanted email and blocked by our scanning gateway.  If you believe this was an error, please forward this message to abuse[at]tntsoftware.com.  We apologize for this inconvenience.

Last-Attempt-Date: Tue, 13 Apr 2004 03:05:00 GMT

The mail server i.p. has been also submitted to MAPS-OPS for proxy testing.

http://www3.mail-abuse.org/cgi-bin/nph-ops...w?64.224.219.86

The evidence there is interesting.

On January 30th, 2004, a virus scanner detected a virus and bounced it to the forged address that the virus came from with the virus intact.

That is very bad. Bounces instead of SMTP reject codes are bad because the SMTP reject code is the only way to notify the sending system without sending a message to some innocent victim as a forged message.

Sending virus detected notices to the forged addresses is also very bad.

Sending a known live virus out again is also very bad.

MAPS-OPS is recording spam samples for almost every month since MAY 2003 up to the virus incident in Jan 2004.

This is the most samples that I have ever seen listed in a MAPS-OPS evidence file.

It looks like up until December you were sharing a mail server with a spammer either as another customer, or through a security hole.

The January reports are from the mail server bouncing spam/viruses to innocent victims instead of using SMTP reject codes. The RFCs permit the bounces for mail, but the practice is very bad. And there is no excuse for bouncing a detected virus.

On the page that displays for the link that Wazoo gave you, there is a link to a canned Google search for "64.224.219.86" group:*abuse*. 14 items come up.

It looks like your shared mail servers have a history of spam problems, and it is not just from spamcop.net reporters.

-John

Personal Opinion Only
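Both of John's posts come down to the same point: refuse at SMTP time rather than accept-and-bounce, and in particular refuse the bounces that arrive for mail you never sent (his option 3 in the earlier post). One way a gateway can tell a legitimate bounce from a misdirected one is to tag its own outgoing envelope senders and accept null-sender (MAIL FROM:<>) traffic only for recipients that carry a valid tag, in the spirit of BATV. The following is an added example, not code from the original thread, SpamCop or any MILTER; the tag layout, the key, the seven-day lifetime and the addresses are assumptions constructed for illustration, and the policy function stands in for whatever milter or policy hook the real MTA offers.

```python
"""Added example (not from the thread): tag outgoing envelope senders so
that later bounces can be verified, and answer RCPT TO on null-sender mail
with a 550 when the tag is missing, expired or forged.
Assumptions: simplified prvs-style tag (not the exact BATV layout), a
constructed secret, and a seven-day tag lifetime."""
import hashlib
import hmac
import time

SECRET = b"constructed-example-key-rotate-me"   # assumption: per-site secret, not from the page
TAG_LIFETIME_DAYS = 7
MAC_LEN = 12                                   # hex chars of HMAC-SHA256 kept in the tag


def _day(now):
    return int((time.time() if now is None else now) // 86400)


def _mac(local, domain, day, secret):
    msg = f"{local}@{domain}:{day}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:MAC_LEN]


def sign_sender(local, domain, secret=SECRET, now=None):
    """Return the tagged envelope sender to use on outgoing mail:
    prvs=<day>-<mac>=<local>@<domain>. Only the envelope sender is changed;
    the From: header the user sees is untouched."""
    day = _day(now)
    return f"prvs={day}-{_mac(local, domain, day, secret)}={local}@{domain}"


def verify_rcpt(rcpt, secret=SECRET, now=None):
    """Validate the recipient of a null-sender message. Returns (ok, info)
    where info is the untagged address on success or the refusal reason."""
    if not rcpt.startswith("prvs="):
        return False, "untagged address"
    try:
        _, tag, core = rcpt.split("=", 2)
        day_s, mac = tag.split("-", 1)
        day = int(day_s)
        local, domain = core.rsplit("@", 1)
    except ValueError:
        return False, "malformed tag"
    age = _day(now) - day
    if not 0 <= age <= TAG_LIFETIME_DAYS:      # future-dated or stale tags are refused
        return False, "tag expired"
    if not hmac.compare_digest(mac, _mac(local, domain, day, secret)):
        return False, "bad signature"
    return True, core


def rcpt_policy(mail_from, rcpt_to, now=None):
    """Decision at RCPT TO time. Ordinary mail (non-empty sender) is not
    affected; only bounces/DSNs are checked against the tag."""
    if mail_from not in ("", "<>"):
        return "250 2.1.5 OK"
    ok, info = verify_rcpt(rcpt_to, now=now)
    if ok:
        return f"250 2.1.5 OK, bounce accepted for {info}"
    return f"550 5.7.1 Misdirected bounce to a forged address not accepted here ({info})"


if __name__ == "__main__":
    tagged = sign_sender("scott", "example.com")          # constructed address
    print(tagged)
    print(rcpt_policy("<>", tagged))                        # real bounce: 250
    print(rcpt_policy("<>", "scott@example.com"))           # bounce for mail we never sent: 550
    print(rcpt_policy("alice@example.net", "scott@example.com"))  # normal mail: 250
```

The cost of this design is that every outbound path must tag, and bounces for anything sent before the cut-over (or by a host that does not tag) are refused too; the benefit is exactly the one argued in the thread, that the refusal happens with a 550 on the connection from the bouncing server, so nothing is accepted and nothing has to be re-bounced to anyone.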

