zweers Posted February 2, 2004

In the past we have gotten very useful reports from spamcop when a user spams. We have tried to react to the customers very quickly. However, recently something appears to have changed (if I'm wrong about this, I'm sure I'll be corrected).

http://www.spamcop.net/sc?id=z280296275z84...7f5a52b72f0de9z

This is the "logic" behind this report being generated. Specifically...

Received: from mshweihat (ppp120.f1.56k.execulink.com [209.239.31.120]) by gouda.execulink.net (8.11.6/8.11.6) with SMTP id i11MKbw15574; Sun, 1 Feb 2004 17:20:37 -0500
host 209.239.31.120 = ppp120.f1.56k.execulink.com (cached)
host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120
199.166.6.56 not listed in dnsbl.njabl.org
199.166.6.56 not listed in cbl.abuseat.org
199.166.6.56 not listed in dnsbl.sorbs.net
199.166.6.56 is not an MX for nas.net
199.166.6.56 is not an MX for gouda.execulink.net
199.166.6.56 is not an MX for gouda.execulink.net
199.166.6.56 is not an MX for nas.net
199.166.6.56 not listed in dnsbl.njabl.org
Possible spammer: 209.239.31.120
209.239.31.120 is not an MX for ppp120.f1.56k.execulink.com
host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120
host gouda.execulink.net (checking ip) = 199.166.6.56
199.166.6.56 not listed in dnsbl.njabl.org
199.166.6.56 not listed in cbl.abuseat.org
199.166.6.56 not listed in dnsbl.sorbs.net
199.166.6.56 is not an MX for nas.net
199.166.6.56 is not an MX for gouda.execulink.net
199.166.6.56 is not an MX for gouda.execulink.net
199.166.6.56 is not an MX for nas.net
199.166.6.56 not listed in dnsbl.njabl.org
Possible spammer: 209.239.31.120
209.239.31.120 is not an MX for ppp120.f1.56k.execulink.com
host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120
host gouda.execulink.net (checking ip) = 199.166.6.56
199.166.6.56 not listed in dnsbl.njabl.org
199.166.6.56 not listed in cbl.abuseat.org
199.166.6.56 not listed in dnsbl.sorbs.net
Chain test:gouda.execulink.net =? gouda.execulink.net
gouda.execulink.net and gouda.execulink.net have same hostname - chain verified
Possible relay: 199.166.6.56
199.166.6.56 not listed in relays.ordb.org.
199.166.6.56 has already been sent to relay testers
Received line accepted
209.239.31.120 discarded as a forgery, using 199.166.6.56

In fact, this message did originate from this IP, relayed through our mail server as is the norm (I assume it is still preferred that users relay mail through their local ISP rather than direct.) I'm not sure how this decision was made, but it has resulted in our server being listed (quite annoying). Is there something that I'm missing here or has something changed that caused this IP address to be discarded as a forgery?
zweers Posted February 2, 2004

Now our second mail server has been listed. Same issue. This is very bad for us as I hope you can imagine.
Chris Parker Posted February 2, 2004

Received: by nas.net (CommuniGate Pro PIPE 4.1.8) with PIPE id 18659775; Sun, 01 Feb 2004 17:35:13 -0500
Received: from [199.166.6.56] (HELO gouda.execulink.net) by nas.net (CommuniGate Pro SMTP 4.1.8) with ESMTP id 18659780; Sun, 01 Feb 2004 17:35:08 -0500
Received: from mshweihat (ppp120.f1.56k.execulink.com [209.239.31.120]) by gouda.execulink.net (8.11.6/8.11.6) with SMTP id i11MKbw15574; Sun, 1 Feb 2004 17:20:37 -0500

Looks like the chain is being broken... If you can fix that it would help. You might want to send an email to deputies at spamcop dot net. (It *could* be a problem with nas.net not properly adding headers)
Merlyn Posted February 2, 2004

I believe a deputy should check it as there does seem to be a parsing problem. There is also a user problem as people should be checking what they report before they press the submit button. It also looks like this person is reporting virus email which is not allowed.

A sample sent sometime during the 24 hours beginning Saturday, January 31, 2004 7:00:00 PM -0500:
Received: from [199.166.6.56] (- -.-.net)- by -.net (- - SMTP -.-.-)- with - id -6- Sun, - Feb 2004 - -
Subject: hello
From: in.. at ..er.ca

"hello" in the subject looks like MyDoom. Yes, the deputy should check to see why the chain breaks, as this is a possible misconfiguration, and also to see if someone is reporting virus email.
zweers Posted February 2, 2004

I'm not sure how the chain is being broken. Our customer on 209.239.31.120 is sending to 199.166.6.56 (our server, gouda), and it is sending it on to a mcmaster.ca mail server. I'm confused by the nas.net name in the next hop, but since it's not my server (left at gouda) I'm not sure what I could do with that.
zweers Posted February 2, 2004

I've sent a message to deputies. Oh the joys of email.
zweers Posted February 2, 2004

What's the timeframe in which I should or could expect some type of response, and is anyone else noticing this problem? I've heard from a couple of other local companies that they have found themselves blacklisted as well. Since I don't see the spam reports on their systems I can't see if this is in fact the same thing though.
Chris Parker Posted February 2, 2004

Looks like the listing has been removed. Either it fell off itself, or someone intervened.

http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.56
zweers Posted February 2, 2004

Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)

http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57

I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.

http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz
jefft Posted February 2, 2004

> Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)
> http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57
> I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.
> http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz

The deputies will be able to help you with this when they respond. It's not always instant, but it should be within 24 hours. For now, I have delisted that second server.

JT
Chris Parker Posted February 2, 2004

> Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)
> http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57
> I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.
> http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz

Looks like you've got a compromised machine on your networks... I would assume that your company would not be sending mail entitled "untold beast sex". Unfortunately I think it's going to take a deputy to provide any additional details.

Oh, does your server(s) send out virus notifications?
jefft Posted February 2, 2004

> The deputies will be able to help you with this when they respond. It's not always instant, but it should be within 24 hours. For now, I have delisted that second server.
> JT

The rules for mail relays are pretty tight right now. Those hosts were getting flagged because they're not really MX's for themselves or the execulink.net domain. They've been marked as trusted relays now, though. If spam actually originates on them, they'll still get listed. However, they won't get kicked out as forgeries any more. You can test the original parsing URLs posted above and verify that.

JT
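The thread above shows two things about how a Received-header walk goes wrong and is repaired: the first post's parse output ("chain verified", then "209.239.31.120 discarded as a forgery, using 199.166.6.56"), and jefft's note that flagging gouda as a trusted relay stops the forgery verdict. The following is an added illustration written for this thread, not SpamCop's own parser, and it deliberately leaves out the MX and DNSBL lookups the real parse performs. It walks the three Received headers Chris Parker quoted earlier, newest first, and stops at the first line written by a host that is not in a trusted-relay set; the trusted sets ({"nas.net"} before, with "gouda.execulink.net" added after) are assumptions chosen to reproduce the two outcomes discussed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The three Received headers quoted by Chris Parker earlier in this thread, newest first.
RECEIVED_HEADERS = [
    "Received: by nas.net (CommuniGate Pro PIPE 4.1.8) with PIPE id 18659775; "
    "Sun, 01 Feb 2004 17:35:13 -0500",
    "Received: from [199.166.6.56] (HELO gouda.execulink.net) by nas.net "
    "(CommuniGate Pro SMTP 4.1.8) with ESMTP id 18659780; Sun, 01 Feb 2004 17:35:08 -0500",
    "Received: from mshweihat (ppp120.f1.56k.execulink.com [209.239.31.120]) "
    "by gouda.execulink.net (8.11.6/8.11.6) with SMTP id i11MKbw15574; "
    "Sun, 1 Feb 2004 17:20:37 -0500",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    from_name: Optional[str]   # name the sending host announced (HELO) or was logged as
    from_ip: Optional[str]     # IP the receiving host actually saw the connection from
    by_host: Optional[str]     # host that wrote this Received line


def parse_received(line: str) -> Hop:
    """Pull the 'from' name/IP and the 'by' host out of one Received header."""
    body = line.split(":", 1)[1].strip()
    from_name = from_ip = by_host = None
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+", body, re.I)
    if m:
        seg = m.group(1)
        helo = re.search(r"\bHELO\s+([\w.\-]+)", seg, re.I)
        from_name = helo.group(1) if helo else seg.split()[0].strip("[]")
        ip = IP_RE.search(seg)
        from_ip = ip.group(1) if ip else None
    m = re.search(r"\bby\s+([\w.\-]+)", body, re.I)
    if m:
        by_host = m.group(1)
    return Hop(from_name, from_ip, by_host)


def find_source(hops: List[Hop], trusted: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Walk the headers newest-first and stop at the first line whose writer is not a
    trusted relay.  Returns (source IP to report, IPs claimed by discarded lines)."""
    trusted = {h.lower() for h in trusted}
    source: Optional[str] = None
    discarded: List[str] = []
    for i, hop in enumerate(hops):
        if hop.by_host is None or hop.by_host.lower() not in trusted:
            # Written by a host we do not trust: its claim about where the mail came
            # from cannot be verified, so it is set aside and the previous hop stands.
            if hop.from_ip:
                discarded.append(hop.from_ip)
            break
        if hop.from_ip:
            source = hop.from_ip
        if i + 1 >= len(hops):
            break
        nxt = hops[i + 1]
        # Chain test: the next line must claim to have been written by the host this
        # line says it received from; otherwise the chain is broken and we stop here.
        if hop.from_name and nxt.by_host and nxt.by_host.lower() != hop.from_name.lower():
            break
    return source, discarded


def demo() -> dict:
    hops = [parse_received(h) for h in RECEIVED_HEADERS]
    # Assumed trust configuration: the reporter's receiving server (nas.net) is always
    # trusted; gouda is trusted only in the second run, as jefft described.
    relay_untrusted = find_source(hops, {"nas.net"})
    relay_trusted = find_source(hops, {"nas.net", "gouda.execulink.net"})
    return {"relay_untrusted": relay_untrusted, "relay_trusted": relay_trusted}


if __name__ == "__main__":
    for label, (src, dropped) in demo().items():
        print(f"{label}: source={src} discarded={dropped}")
```

The first run reproduces the outcome in the opening post: gouda's own Received line is set aside and 199.166.6.56 becomes the reported address, which is exactly how the relay ends up listed. The second run continues one hop further and arrives at the dialup address, which is what marking the relay as trusted achieves. The chain test only compares the announced name with the next writer, so a relay that writes no Received line at all, or one that records a different name than it announces upstream, will break the walk at that point; that is the situation Chris Parker raised about nas.net.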
zweers Posted February 2, 2004

OK, great, thanks. I'm a bit confused about the MX issue. I know that I can add MX's to all our dialup IP addresses. We haven't done it in the past since we don't really want these hosts to receive mail. (I realize servers will simply attempt direct delivery then). We have several thousand IP's used for dialup, DSL, cable etc etc. I'm not sure what I need to do to prevent any activities done on these from generating a hit against the server they communicate through. Not having an MX doesn't seem to me to be a reason for it to be considered a forgery, but I can add them. The biggest problem would be setting up our mail servers to accept mail for them. I'm wondering if/when having an MX pointing to a server that rejects all mail would be effective? We run a system that requires a match in LDAP before it will accept mail. I just want to make sure that I know what is expected here before I do it.
jefft Posted February 3, 2004

> I just want to make sure that I know what is expected here before I do it.

Sorry, I'm not sure I understand the rules, either. You'll need to ask the deputies what the best configuration is.

JT
Ellen Posted February 3, 2004

I believe I took care of these yesterday by flagging them as valid/relaying mailservers -- write to me at deputies <at> spamcop.net if you are still having problems or have additional questions ...