No reason given for cause of listing


Don_Hart

I am the network engineer for my company and I have just received the following copy of a bounce email.

From: System Administrator

Sent: Tuesday, June 01, 2004 1:15 PM

To: longsr[at]madisonct.org

Subject: Undeliverable:FW: Qualifications-Based Selection of architects, etc.

Your message did not reach some or all of the intended recipients.

Subject: FW: Qualifications-Based Selection of architects, etc.

Sent: 6/1/2004 1:14 PM

The following recipient(s) could not be reached:

longsr[at]madisonct.org on 6/1/2004 1:15 PM

The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

<mailgate.blr.com #5.0.0 smtp;554 Service unavailable; Client host [65.115.9.92] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?65.115.9.92>

when I go and look up the IP here:

http://www.spamcop.net/w3m?action=checkblock&ip=65.115.9.92

I get the following:

65.115.9.92 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for less than 24 hours.

As you can see, no reason is given for the listing, so I have no idea whether I have a real problem or not, and if so, what the problem is. Any help with this would be appreciated.

Thanks

Don


Email deputies <at> spamcop <dot> net and ask them to look at the evidence. Senderbase shows a 1300% increase in traffic in the last day; is that legit, or do you have a compromised server? See Eric23's thread for bad news about Qwest.


Let's see:

220 mailgate.blr.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 1 Jun 2004 14:19:35 -0400

From the looks of it, I would guess an SMTP AUTH hack on your MS mail server. You had better check it out.

Refer to: http://news.spamcop.net/cgi-bin/fom?file=372

Better close up that guest account, change all user passwords, tighten up security, and close the holes on that server.

BTW: You are already in a few other blocklists.


I already had the guest account disabled, but I went ahead and renamed it, changed its password to something long and complicated, and changed all of the passwords on that machine. I verified that "allow relaying for authorized users" was disabled.

What other lists did you find it listed in? I have checked all of the other major ones and cannot find any other listings, and the list on Senderbase shows the IP as being listed only here.

I have emailed deputies <at> spamcop <dot> net and am waiting for a reply.


Any good burglar, on entering through the front door, immediately opens the back door. IF you are the victim of the SMTP AUTH hack, it is a racing certainty that the spammers will have 'opened the back door' by leaving malware etc. for future exploitation. IMNSHO the best way of dealing with this on an M$ server is to put your favourite Linux distro in the CD-ROM and say 'yes' to removing all M$ partitions!


Now this is interesting. I have yet to hear back from deputies <at> spamcop <dot> net. So I went to the listing page to check and see if there were any updates on the reason that we are listed, and lo and behold, the listing is no longer there.

I will be interested in hearing from the deputies on the reason we were listed. As I mentioned earlier, I checked all of the normal exploits, even changed the passwords on this machine (all 3 accounts), and verified that no malware was on the machine. The machine was already loaded with all of the Microsoft security updates, including the SMTP security rollup needed to stop the SMTP AUTH hack.

Well I guess I will wait and see what they have to say.

Derek T, thanks for the link, but I had already checked there and the quick check shows all green. I will go and do an advanced check.

Thanks for all of your suggestions.


The really GOOD thing about SpamCop is that it is real-time and VERY forgiving. The moment the spam spew stops you are scheduled for de-listing; this takes a MAXIMUM of 48 hrs. If you have a previous clean record then the de-listing will be much quicker. SpamCop is only interested in stopping current spews. It seems that whatever the problem was, it is now resolved. :rolleyes:


I just got email from one of the deputies. It seems that the spam-response NDRs that we send have been hitting some of their spamtraps. I guess I will need to shut this off.

It is kind of too bad, because there will be some legitimate people whose server is listed here or on DSBL or Spamhaus who will get blocked by our anti-spam software, never know it, and cannot correct it.


I just got email from one of the deputies. It seems that the spam-response NDRs that we send have been hitting some of their spamtraps. I guess I will need to shut this off.

It is kind of too bad, because there will be some legitimate people whose server is listed here or on DSBL or Spamhaus who will get blocked by our anti-spam software, never know it, and cannot correct it.

You may want to look into an integrated AV / mail solution that will REJECT messages during the SMTP session rather than generate a bounce message after the fact.

If mail is rejected during the SMTP session, legitimate users will be informed by their own mail server.

The problem is that with your current setup innocent people who did not send you mail are getting messages from your server.

...spammers and virus writers ruin it for everyone...

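The mechanics behind the two previous posts, as an added example that is not code from the thread or from SpamCop: how a DNS-based blocklist such as bl.spamcop.net is queried (octets of the client IP reversed and prefixed to the zone, with a 127.0.0.x A record meaning "listed", as in the 127.0.0.2 answer Don saw), and how a receiving MTA uses that answer to refuse the message at SMTP time with a 554 reply, so the sending server, not a forged From address, gets the notice. The resolver here is a constructed stand-in that only knows the IP from the thread; the function names and the 192.0.2.x / 198.51.100.x test addresses are assumptions for illustration.

```python
"""
Added example (not from the original thread): DNSBL lookup plus SMTP-time
rejection versus accept-then-bounce.

The DNS resolver is a constructed stand-in; a real MTA would ask the
system resolver. Only the listed IP and its 127.0.0.2 answer come from
the thread; everything else is assumed.
"""
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for DNS: query name -> A record, or None for NXDOMAIN
# (meaning "not listed"). Real zones return 127.0.0.x codes on a hit.
FAKE_DNS = {
    "92.9.115.65.bl.spamcop.net": "127.0.0.2",   # the IP from the thread
}


def fake_resolve_a(name: str) -> Optional[str]:
    """Stand-in resolver: return the A record for name, or None."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)        # rejects garbage before it hits DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip: str, zone: str,
                 resolve: Callable[[str], Optional[str]] = fake_resolve_a) -> Optional[str]:
    """Return the 127.0.0.x listing code if ip is on the zone, else None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # Only 127.0.0.0/8 answers are listing codes. Anything else means the
    # zone is broken or the lookup was hijacked (wildcarded domains do this),
    # and must not be treated as a listing or you block all mail.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def smtp_connect_reply(client_ip: str, zone: str = "bl.spamcop.net") -> str:
    """Decide the reply to the connecting client before any DATA is accepted.

    A 554 here closes the session; the sending MTA generates its own
    non-delivery report to its own user, so no backscatter leaves this host.
    """
    if dnsbl_listed(client_ip, zone) is not None:
        return (f"554 Service unavailable; Client host [{client_ip}] blocked using "
                f"{zone}; Blocked - see http://www.spamcop.net/bl.shtml?{client_ip}")
    return "250 OK"


def post_acceptance_disposition(client_ip: str, envelope_from: str,
                                zone: str = "bl.spamcop.net") -> str:
    """What happens once a message has already been accepted (the setup
    described in the thread): the only place a notice can go is the
    envelope sender, which spam and worms forge. Returning 'discard' instead
    of 'bounce' is what stops the spamtrap hits."""
    if dnsbl_listed(client_ip, zone) is None:
        return "deliver"
    if not envelope_from:                      # null sender: never bounce a bounce
        return "discard"
    return "discard"                           # not "bounce to " + envelope_from


if __name__ == "__main__":
    for ip in ("65.115.9.92", "192.0.2.1"):
        print(dnsbl_query_name(ip, "bl.spamcop.net"), "->",
              dnsbl_listed(ip, "bl.spamcop.net"), "|", smtp_connect_reply(ip))
```

The distinction the block makes is the one the replies above are drawing: `smtp_connect_reply` answers the sending server while it is still on the wire, so a legitimate sender learns of the block from its own MTA; `post_acceptance_disposition` shows that once the message is queued, the only address left to notify is the envelope sender, and sending anything there is backscatter.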

I just got email from one of the deputies. It seems that the spam-response NDRs that we send have been hitting some of their spamtraps. I guess I will need to shut this off.

It is kind of too bad, because there will be some legitimate people whose server is listed here or on DSBL or Spamhaus who will get blocked by our anti-spam software, never know it, and cannot correct it.

Why are you sending/bouncing non delivery messages back to the "From" address?

"Everyone" knows that every virus and every piece of spam has a forged "From" address, so all you are doing is annoying/spamming innocent victims.

Please get a handle on your email practices.


It is kind of too bad, because there will be some legitimate people whose server is listed here or on DSBL or Spamhaus who will get blocked by our anti-spam software, never know it, and cannot correct it.

I don't know why anyone whose email is rejected by the SpamCop BL or DSBL or Spamhaus should not get a rejection notice at the server. That's the way blocklists work best.

If you have to accept the email to sort it out before delivering, I don't know why you can't run it through a content filter (since the BLs you mentioned, I believe, are based on IP addresses). If it makes it through the content filter, then you could look at it to see if it looks like a legitimate email that needs a reply.

And besides that, all those people who use content filters never give any reject email, so people are used to their emails disappearing every now and then. If you are tagging the email, then if someone complains that they didn't get an email, you can maybe find it for them. There is no way to correct content-filter mistakes except by whitelisting.

But I bet that you have annoyed many more people with your spam response NDRs than you ever notified that their email was rejected.

Miss Betsy
