mark Posted January 30, 2004

It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ. Consider removing SPAMCOP as a method of blocking spam, as it appears the system may prevent legitimate mail. Below is a response from the ISP, stating that they are not the reporting source.

http://www.spamcop.net/sc?track=66.241.135.153

~~~~~~~

We are not sure why our email address is listed although we are certain that we did not report this to Spamcop. If we were to receive spam from you we would contact you first. If there is anything else we can help you with please feel free to give us a call or email.

Regards,
Dennis
Network Operations Centre
Toronto Hydro Telecom Inc.
185 The West Mall, Suite 500
Toronto, Ontario, M9C 5L5
Tel: (416) 542-2525
Backup Tel: (416) 626-0450
Fax: (416) 626-5419
Email: noc[at]thtelecom.ca

-----Original Message-----
From: Mark Munro [mailto:Mark.Munro[at]AllianceAtlantis.com]
Sent: Friday, January 30, 2004 3:01 PM
To: NOC [at] thtelecom; Mark Munro
Subject: RE: spamcop

Thanks, Dennis,

Can you explain why your email address is listed at SPAMCOP as the address that reported us as a source of spam?

-----Original Message-----
From: NOC [at] thtelecom [mailto:noc[at]thtelecom.ca]
Sent: Friday, January 30, 2004 2:59 PM
To: 'Mark Munro'
Subject: RE: spamcop

Hi Mark,

There is nothing we can do on our side to resolve this issue with Spamcop. I do suggest that you contact Spamcop directly and resolve this issue with them. It seems that you have been put on their blocking list and you must convince them to take you off. If you have any questions you can contact our NOC.
Bumpkin Posted January 30, 2004

Please post the original message you received stating that you are on the Spamcop blocklist, with the IP address in question, and someone will be able to provide you with more assistance. Thanks!
turetzsr Posted January 30, 2004

Hello! ...Please take a look at the post under "Important Topics" called "Pinned: FAQ Entry: Why is my email blocked?" at Help Forum Index. If after reading that you still have more questions, please return here and ask, and those of us who can will try to help. ...Good luck!
jefft Posted January 30, 2004

> It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ.

That's simply not correct. The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.

SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels. Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.

We can settle this pretty easily. What is the IP address that is on the blacklist?

JT
mark (Author) Posted January 30, 2004

> It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ.
>
> That's simply not correct. The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.
>
> SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels. Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.
>
> We can settle this pretty easily. What is the IP address that is on the blacklist?
>
> JT

I have no idea why this is listed, I see no evidence indicating I am relaying, and I am receiving numerous reports that the spamcop database is the cause. Can you please get this IP removed immediately!

-----Original Message-----
From: System Administrator
Sent: Friday, January 30, 2004 12:54 PM
To: lmenary[at]roots.com
Subject: Undeliverable: RE: Delivery Status Notification (Failure)

Your message did not reach some or all of the intended recipients.

Subject: RE:
Sent: 1/30/2004 12:53 PM

The following recipient(s) could not be reached:

lmenary[at]roots.com on 1/30/2004 12:53 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<webmail1.allianceatlantis.com #5.7.1 smtp;550 5.7.1 Rejected: 66.241.135.153 listed at bl.spamcop.net>
Jeff G. Posted January 30, 2004

According to http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153 :

Query bl.spamcop.net - 66.241.135.153
66.241.135.153 is webmail1.allianceatlantis.com
66.241.135.153 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 92.9 days. It has been listed for 26 hours.

In the past week, this system has:
Been reported as a source of spam less than 10 times
Been witnessed sending mail about 270 times

A sample sent sometime during the 24 hours beginning :
Received: from -.-.com (-.-.com [66.241.135.153])- by -.-.-.- (-.-.-.-.-) with - id - for <-[at]-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr
Merlyn Posted January 30, 2004

I am not an admin and I cannot see the email, but the sample looks like the spam that has been going around with the subject "Web Business Programming Specialists" through hijacked machines. The link in it is to their email address at laposte.net. The faked From was probably developers03 at tiscali.fr. I am sure a deputy will confirm if it was spam or not. Are you sure your machine is locked down?
mark (Author) Posted January 30, 2004

Thanks Jeff, I did see this page. If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address? Can you offer any suggestions on how this is possible? I have tested for open relays on a number of test sites. I have also submitted our IP to the ordb.org site, and I don't see how the .fr domain hijacked our address. Please help.
Jeff G. Posted January 30, 2004

Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to http://west-pub.mail-abuse.org/tsi/ar-fix.html#exchange :

Microsoft Exchange Server
Status: Commercial (Microsoft Corp.)
Systems: Win/NT
Info: http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.) In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine http://www.exchangeadmin.com/Articles/Inde...?ArticleID=7696 . If you're running an older version, it's time to upgrade.

Microsoft has an article http://www.microsoft.com/technet/treeview/...il/excrelay.asp or http://tinyurl.com/ywb5n on their TechNet site that discusses securing Exchange 2000 and 5.5.
mark (Author) Posted January 30, 2004

Mail server is running Exchange 2000 sp3. Can you tell me why the address,

Reporting addresses: postmaster[at]thtel.ca <mailto:postmaster[at]thtel.ca>

-----Original Message-----
From: Mark Munro
Sent: Thursday, January 29, 2004 6:21 PM
To: 'noc[at]thtelecom.ca'
Subject: spamcop

http://www.spamcop.net/sc?track=66.241.135.153
Merlyn Posted January 30, 2004

> Mail server is running Exchange 2000 sp3. Can you tell me why the address,
>
> Reporting addresses: postmaster[at]thtel.ca <mailto:postmaster[at]thtel.ca>
>
> -----Original Message-----
> From: Mark Munro
> Sent: Thursday, January 29, 2004 6:21 PM
> To: 'noc[at]thtelecom.ca'
> Subject: spamcop
>
> http://www.spamcop.net/sc?track=66.241.135.153

Because that is who the IP is registered to in ARIN.
mark (Author) Posted January 30, 2004

Can I confirm that no new reports are being added? If not, can I expect the IP to be removed after the 48 hour period?
Jeff G. Posted January 30, 2004

More specifically, per http://ws.arin.net/cgi-bin/whois.pl?queryi...=66.241.135.153 :

OrgName: Toronto Hydro Telecom
OrgID: THTI
Address: 185 THe West Mall
City: Toronto
StateProv: ON
PostalCode: M9C-5L5
Country: CA

NetRange: 66.241.128.0 - 66.241.143.255
CIDR: 66.241.128.0/20
NetName: THTI
NetHandle: NET-66-241-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.THTEL.CA
NameServer: DNS2.THTEL.CA
Comment:
RegDate: 2002-03-06
Updated: 2003-09-05

TechHandle: TECH15-ARIN
TechName: tech
TechPhone: +1-416-542-2525
TechEmail: tech[at]thtel.ca

OrgTechHandle: TECH15-ARIN
OrgTechName: tech
OrgTechPhone: +1-416-542-2525
OrgTechEmail: tech[at]thtel.ca

# ARIN WHOIS database, last updated 2004-01-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now, since thtel.ca doesn't have an abuse.net contact, SpamCop sent the report to postmaster[at]thtel.ca per recommendations in Internet Standards 10 and 11. You should create an abuse.net listing for each of the domains you manage per http://www.abuse.net/addnew.html.
michaell Posted January 30, 2004

> If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address? Can you offer any suggestions on how this is possible?

It's not necessarily anything to do with .fr - the connections to your server are coming via exploited proxy servers in various places around the world. If it helps, the spam headers look something like this:

Received: from webmail1.allianceatlantis.com [66.241.135.153] by <spam_recipient_server>
Received: from mail.salter.com ([172.16.180.23]) by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 12:40:39 -0500
Received: from <open_proxy> by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 13:40:15 -0400

172.16.180.23 is a LAN address. That server is accepting email and relaying it to webmail1.allianceatlantis.com, which in turn relays it to the recipients of the spam. The latest spam reported was sent just 5 hours ago, so I imagine the problem is ongoing.
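The two mechanisms this thread turns on, worked as an added example (not code from SpamCop or from anyone posting here): jefft's point that only the connecting IP recorded in each Received: header is trusted, michaell's walk down the header chain to the LAN hop that reveals the internal relay, and the reversed-octet bl.spamcop.net lookup behind Jeff G.'s query output. The header sample is constructed to mirror the redacted chain above; mx.example.net, the message id, developers03@example.invalid and 203.0.113.77 (a documentation address standing in for the open proxy) are placeholders, and a fake resolver can be injected so the DNSBL check runs without touching DNS.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the redacted chain michaell quoted above.
# The outermost hop is the listed server, the middle hop is the LAN relay,
# and 203.0.113.77 (a documentation address) stands in for the open proxy
# that injected the message; mx.example.net is the reporting recipient.
SAMPLE_HEADERS = """\
Received: from webmail1.allianceatlantis.com [66.241.135.153]
    by mx.example.net with ESMTP id ABC123; Wed, 28 Jan 2004 12:41:02 -0500
Received: from mail.salter.com ([172.16.180.23])
    by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713);
    Wed, 28 Jan 2004 12:40:39 -0500
Received: from [203.0.113.77] by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713);
    Wed, 28 Jan 2004 13:40:15 -0400
From: developers03@example.invalid
Subject: business - specialists
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw: str) -> List[str]:
    """Connecting IP of every Received: header, outermost (newest) first.

    Only the 'from' clause is read: the receiving MTA records that address
    from the TCP connection itself, so the sender cannot choose it. From:,
    Sender: and host names are deliberately ignored, as jefft describes.
    """
    hops: List[str] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        from_clause = line.split(" by ", 1)[0]
        match = IPV4.search(from_clause)
        if match:
            hops.append(match.group(1))
    return hops


def is_lan(ip: str) -> bool:
    """RFC 1918 check; ipaddress.is_private is wider (it also covers documentation ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def path_analysis(raw: str) -> Dict[str, object]:
    """Where a blocklist entry attaches, and where the relay problem actually sits."""
    hops = received_hops(raw)
    return {
        # the recipient's MTA saw this address, so this is what gets listed
        "listed_candidate": hops[0] if hops else None,
        # private addresses between the listed host and the origin mean the
        # spam crossed the LAN: an internal machine is relaying it outward
        "internal_hops": [h for h in hops if is_lan(h)],
        # the innermost hop is where the message entered from outside
        "injection_point": hops[-1] if hops else None,
    }


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Reversed-octet query name used for a DNS-based blocklist lookup."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(ip: str, zone: str = "bl.spamcop.net",
                resolve: Optional[Callable[[str], Optional[str]]] = None) -> Optional[str]:
    """Return the A record the list answers with, or None when unlisted.

    bl.spamcop.net answers 127.0.0.2 for a listed address (as in the thread);
    NXDOMAIN means not listed. `resolve` can be injected to run offline.
    """
    if resolve is None:
        def resolve(name: str) -> Optional[str]:
            try:
                return socket.gethostbyname(name)
            except socket.gaierror:
                return None
    return resolve(dnsbl_query_name(ip, zone))


if __name__ == "__main__":
    print(path_analysis(SAMPLE_HEADERS))
    print(dnsbl_query_name("66.241.135.153"))
```

Run against a real bounce, the `internal_hops` entry is the quickest tell that a listing is not a spoofing problem but a relay path through the network: the listed address is simply the last hop the complaining server could see.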
Jeff G. Posted January 30, 2004

The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51

According to http://www.spamcop.net/w3m?action=checkblo...=142.176.128.51 :

Query bl.spamcop.net - 142.176.128.51
DNS error: 142.176.128.51 has no reverse dns
142.176.128.51 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported about 40 times by about 10 users. In the past 53.7 days, it has been listed 3 times for a total of 4.7 days

A sample sent sometime during the 24 hours beginning Tuesday 2003/12/09 19:00:00 -0500:
Received: from -.-.com ([142.176.128.51]) by -.net-.- (-.-.-.-.-) with - id - for <-[at]-.com>- Wed, - Dec 2003 - -
Subject: james want - please the ladies
From: pa.. at ..l.net

A sample sent sometime during the 24 hours beginning Thursday 2004/01/15 19:00:00 -0500:
Received:
Subject: lowest price for - cartridges - administrator
From: ma.. at ..s.com

According to http://moensted.dk/spam/?addr=142.176.128.51 :
142.176.128.51 was found in 5 lists (of 259 tested)

According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.

Testing reveals that 142.176.128.51 is running Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 but is not accepting mail for postmaster[at]mail.salter.com
michaell Posted January 30, 2004

> The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51 ... According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.

No, that's not an open proxy - it is, as that RSL message says, the input point of an open relay. An open proxy is something quite different - in this case, open proxies are being used to transmit the spam to 142.176.128.51.
Jeff G. Posted January 30, 2004

Well, it's not a wide open relay. It could be an SMTP/AUTH issue with an open guest account or a weak password somewhere.
mark (Author) Posted January 31, 2004

Jeff,

The information you provided was correct. That external address, 142.176.128.51, was accepting inbound mail and relaying over our internal network. The header information was key in finding this problem. Can you also confirm the open relay is now closed?
Jeff G. Posted January 31, 2004

Sorry, I couldn't get it to relay in the first place. Please try to get it delisted by RSL, and tell Al I said "Hi."
mark (Author) Posted February 1, 2004

How can I check to see if reports of UCE are still occurring?
Jeff G. Posted February 1, 2004

66.241.135.153 is still listed, both web and dns. postmaster[at]thtel.ca should be getting any reports.
mark (Author) Posted February 1, 2004

Can you tell me if I am scheduled to be removed from this database, and when? Are you still receiving new reports of spam from this address?
Jeff G. Posted February 1, 2004

> Can you tell me if I am scheduled to be removed from this database, and when? Are you still receiving new reports of spam from this address?

Sorry, I don't have access to that info. Only Deputies and Admins have access to that info.
mark (Author) Posted February 1, 2004

Is there anything I can do to expedite the removal from this list? How can I report on when I will be delisted?
Jeff G. Posted February 1, 2004

> Is there anything I can do to expedite the removal from this list? How can I report on when I will be delisted?

Having closed the relay, you can ask the Deputies (deputies at spamcop.net) to expedite removal. If they don't remove your IP Address, they should at least be able to tell you when you are scheduled to be delisted (assuming no more reports).