scottd Posted June 11, 2004

What do I do? I'm an ISP and I am pretty aggressive in my reporting of spam to SpamCop. But today, I got two different reports from SpamCop users reporting spam from my network. The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all. But... we all know that after 'x' reports, the block of IP addresses gets blacklisted. How do I keep this from happening? I'm desperately trying to be one of the good guys, but I fear if this gets any more out of hand, I'm going to wind up blacklisted. Any suggestions and/or advice would be greatly appreciated.

Scott
Wazoo Posted June 11, 2004

Need to see the Tracking URL that would show what was submitted, how it was parsed, etc. That said, I'm not 100% sure that an ISP complaint form actually shows this as an obvious entry. So you can offer up the details here and let some SpamCop users take a crack at it in the short term .. or you can submit what you've got to Deputies <at> admin.spamcop.net and wait until they dig down far enough in their e-mail to get to yours.

Currently, http://www.spamcop.net/w3m?action=checkblock&ip=67.131.122.3 shows this IP as being listed.

Causes of listing
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 67.131.122.3 has no reverse dns

Listing History
It has been listed for less than 24 hours.

There is a mathematical formula for listing / de-listing .. spam reported, traffic "seen", spamtrap hits, and time ... There is no mention of the heavily-weighted spamtrap hits, so one would be guessing that the minimal reports have tipped the scales based on the self-admitted "not-in-use" status, thus there'd be no traffic "seen" from that IP. So, yes, I'd agree that you have an issue, and I've no doubt that Julian would want to see the evidence quick to find out what went wrong .... He has been working code this last week and there was also a database issue earlier this evening. Whether there's a connection there, I don't know, but something like this isn't acceptable.
WB8TYW Posted June 11, 2004

Read the report carefully. Spamcop reports go to the ISP or its upstream for both the I.P. address that the spam originated from and to the ISP for any URLs being advertised. You could be receiving reports because a spammer has put a URL for one of your I.P. addresses in their spew. Sometimes this is done because they are operating a spam site on your network either by purchasing access through you, or by hosting it on one of your customer's boxes that they have taken over by some means. The spammers have also been putting their DNS servers on such compromised machines. Sometimes they just put such URLs in to cause spamcop.net to send you reports.

Spammers are also apparently registering I.P. addresses in others' names to avoid being prosecuted. You may find that you now are the owner of that I.P. block or the spamvertised domain. If you are, take immediate control of it and NULL route it. The last time I saw that happen, it took the spammer at least 72 hours to recover from that and it knocked out quite a few of their domains.

At the present time spamvertised URLs do not feed the spamcop.net blocking list in spite of rumors to the contrary. But if a spammer has registered a domain or an I.P. address with your contact information, other DNSbls and local lists may not realize this and block all of your domains.

-John
Personal Opinion Only
WB8TYW Posted June 11, 2004

"The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all. But... we all know that after 'x' reports, the block of IP addresses gets blacklisted."

As a followup, spamcop.net only lists the I.P. address that it has determined that spam is coming from, not the block. Other DNSbls may be more liberal in what they list.

If you own that I.P. address, make sure that there is nothing at it that has been compromised. I once called an ISP's toll free number to report an open relay on their network and they told me that it was not possible and tried to dismiss me until I started reading off the routing information in the headers. Then their tone changed and they referred me to their senior technician. A test machine in what should have been an isolated lab was operating as an open relay.

It also could be a parser error, as spammers are trying to find ways to defeat the spamcop.net parser and occasionally they succeed for brief periods of time. The spammer that I mentioned in the previous post was doing that until the parser got smarter. If something is fooling the spamcop.net parser, it could be fooling others too.

The other thing that could be happening is that if you own but are not routing that I.P. range, a spammer could have found a way to hijack the routing of it to their server that is not on your network. In this case it may be interesting to see where a traceroute to the I.P. addresses that you think are not reachable is going to. You would have to do that test from a netblock not registered to you. The http://www.samspade.org site should help.

-John
Personal Opinion Only
Wazoo Posted June 11, 2004

Further checking .. OUCH!!!! .. for a "no hosts in the network" ... you've got some severe issues going on ... for example: http://www.senderbase.org/?searchBy=ipaddr...ng=67.131.122.3

Volume Statistics for this IP
                Magnitude    Vol Change vs. Average
Last day        4.3          12254%
Last 30 days    3.3          1032%
Average         2.2
Date of first message seen from this address: 2004-06-09
Network Owner: Qwest Communications

http://moensted.dk/spam/?addr=67.131.122.3&Submit=Submit shows nothing major beyond the SpamCop listing. But looking at the traffic report at SenderBase, this is just a matter of time.
WB8TYW Posted June 11, 2004

13 kcm-edge-09.inet.qwest.net (205.171.29.82) 39 ms 39 ms 39 ms
14 65.123.132.138 (65.123.132.138) 49 ms 49 ms 50 ms
15 67.131.122.254 (67.131.122.254) 87 ms 87 ms 88 ms
16 * * *

The subnet has a router; nothing is visible by traceroute after the router. It would take a deputy to determine if there has been a parser error, as I can not find any spam samples anywhere. In the event that the parser is correct and nothing is supposed to be on that subnet, check the incoming stats on your router and set it to actually block that subnet.

Can you post the headers of the spam that is alleged to come from your subnet from the spamcop.net reports that you have?

-John
Personal Opinion Only
scottd Posted June 11, 2004 (Author)

Here are the two headers I got from Spamcop:

[ SpamCop V1.330 ]
This message is brief for your comfort. Please use links below for details.

Email from 67.131.122.3 / 10 Jun 2004 16:11:46 -0000
http://www.spamcop.net/w3m?i=z1064169684ze...7ef055dc099a80z

[ Offending message ]
"From yczmatqazefmns[at]yahoo.com Thu Jun 10 15:15:50 2004
Return-Path: <yczmatqazefmns[at]yahoo.com>
Delivered-To: x
Received: (qmail 796 invoked from network); 10 Jun 2004 16:11:46 -0000
Received: from unknown (HELO 69.0.205.41) (67.131.122.3) by worshipradio.com with SMTP; 10 Jun 2004 16:11:46 -0000
Return-Path: <yczmatqazefmns[at]yahoo.com>
Received: from smtp4.nix.paypal.com (smtp6.nix.paypal.com [67.131.122.3]) by yahoo.com (8.12.10/8.18.10) with ESMTP id i4M1AVjw010312 for <x>; %CURRENT_DATE_TIME
Received: from notify1.nix.paypal.com (notify8.nix.paypal.com [53.220.240.152]) by smtp6.nix.paypal.com (Postfix) with SMTP id E0B568EF09 for <x>; %CURRENT_DATE_TIME
Received: (qmail 18817 invoked by uid 087); Thu, 10 Jun 2004 23:11:32 +0600
Message-Id: <1081________8648[at]paypal.com>
X-country: US
X-language: en_US
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_00MK_05D5063TY_01R.551U00I0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
From: "Refinance" <yczmatqazefmns[at]yahoo.com>
To: Info<x>
Subject: Hundreds of lenders
X-spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on yahoo.com
X-spam-Level:
X-spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no version=2.60-spambr_20030926a
X-UIDL: fB[at]"!)+h"!#+""!Y$m!!

[ SpamCop V1.328 ]
This message is brief for your comfort. Please use links below for details.

Email from 67.131.122.3 / Wed, 9 Jun 2004 19:37:07 +0000
http://www.spamcop.net/w3m?i=z1063321451zb...a99277693bedefz

[ Offending message ]
Return-Path: <zbfwteph[at]hotmail.com>
Received: from [203.2.192.76] ([67.131.122.3]) by smta03.mail.ozemail.net with SMTP id <20040609193707.CESB11826.smta03.mail.ozemail.net[at][203.2.192.76]>; Wed, 9 Jun 2004 19:37:07 +0000
Return-Path: <zbfwteph[at]hotmail.com>
Received: from smtp1.nix.paypal.com (smtp4.nix.paypal.com [67.131.122.3]) by yahoo.com (8.19.10/8.15.10) with ESMTP id i4M1AVjw010633 for <x>; %CURRENT_DATE_TIME
Received: from notify3.nix.paypal.com (notify1.nix.paypal.com [40.84.219.171]) by smtp2.nix.paypal.com (Postfix) with SMTP id E0B863EF91 for <x>; %CURRENT_DATE_TIME
Received: (qmail 18850 invoked by uid 612); Wed, 09 Jun 2004 23:35:19 +0300
Message-Id: <1082________3115[at]paypal.com>
X-country: US
X-language: en_US
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_00XV_00I0212NC_07T.181U85J0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
From: "Lenders Compete" <zbfwteph[at]hotmail.com>
To: x
Subject: Refinance {CD237D06-25FA-4E68-B7D2-EB4DD6F8DF11}
X-spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on yahoo.com
X-spam-Level:
X-spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no version=2.60-spambr_20030926a
X-UIDL: fB[at]"!)+h"!#+""!Y$m!!
Date: Wed, 9 Jun 2004 19:37:26 +0000
X-Filter-Tag: {CD237D06-25FA-4E68-B7D2-EB4DD6F8DF11}
X-Filter-Result: Score: 99%, Threshold: 50%
StevenUnderwood Posted June 11, 2004

"The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all."

A quick port scan on that range gives the following, so there is something there. All of these hosts are responding to pings. The telnets seem to be a router or routers.

IP              Ports    Host name
67.131.122.1    Telnet   Unavailable
67.131.122.2             Unavailable
67.131.122.3             Unavailable
67.131.122.253  Telnet   Unavailable
67.131.122.254  Telnet   Unavailable
Spambo Posted June 11, 2004

"The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all."

There is something at 67.131.122.3

06/11/04 08:25:15 -0500 ping 67.131.122.3
Ping 67.131.122.3 ...
1 Addr:67.131.122.3, RTT: 105ms, TTL: 113
2 Addr:67.131.122.3, RTT: 102ms, TTL: 113
3 Addr:67.131.122.3, RTT: 103ms, TTL: 113
4 Addr:67.131.122.3, RTT: 103ms, TTL: 113

06/11/04 08:25:33 -0500 Fast traceroute 67.131.122.3
Trace 67.131.122.3 ...
[...]
16 205.171.29.82 39ms 39ms 52ms TTL: 0 (kcm-edge-09.inet.qwest.net fraudulent rDNS)
17 65.123.132.138 68ms 49ms 49ms TTL: 0 (No rDNS)
18 67.131.122.254 99ms 97ms 101ms TTL: 0 (No rDNS)
19 67.131.122.3 113ms 103ms 104ms TTL:113 (No rDNS)
Wazoo Posted June 11, 2004

OK, in the links provided for ISP info, did you follow all the way through to the page at http://www.spamcop.net/sc?id=z515748441z45...307f0295db546az ??? This shows the parsing engine at work, also including a link to see the entire original spam (as submitted) .. and might I say, what a spam it is ... Forged (incompletely) header lines, GPG signed, "important" graphic included ... wow ... But, I would suggest that there is something sitting at that IP that allowed the traffic. The question now might be simply .. is it something that you have control over?
WB8TYW Posted June 12, 2004

At the time that I posted this morning, the I.P. address used to send spam was not reachable. Later in the day, it was reachable. Now in the evening it is not. If the problem has not been fixed, this is an indication that it is a compromised computer that is only turned on during office hours.

When the I.P. address is responding to the outside, the original poster should be able to find it by tracing the pings. If they can not do that, then they need to see their upstream and ask them why one of their assigned I.P. addresses is being routed outside of their network.

-John
Personal Opinion Only
Ellen Posted June 12, 2004

"What do I do? I'm an ISP and I am pretty aggressive in my reporting of spam to SpamCop. But today, I got two different reports from SpamCop users reporting spam from my network. The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all. But... we all know that after 'x' reports, the block of IP addresses gets blacklisted. How do I keep this from happening? I'm desperately trying to be one of the good guys, but I fear if this gets any more out of hand, I'm going to wind up blacklisted. Any suggestions and/or advice would be greatly appreciated. Scott"

I have definite spam samples showing spam coming thru IP 67.131.122.3. Most of it also has forged received headers after the valid received header -- sometimes one forged header, sometimes two -- sometimes looking like this:

Received: from smtp1.nix.paypal.com (smtp4.nix.paypal.com [67.131.122.3]) by yahoo.com (8.19.10/8.15.10) with ESMTP id i4M1AVjw010633 for <x>; %CURRENT_DATE_TIME
Received: from notify3.nix.paypal.com (notify1.nix.paypal.com [40.84.219.171]) by smtp2.nix.paypal.com (Postfix) with SMTP id E0B863EF91 for <x>; %CURRENT_DATE_TIME

sometimes with an actual datestamp.

Right now the IP is unreachable -- don't know whether you took the server down or not. But this looks to me like worm/trojan infection either on the server or by a machine nat'd behind it. Some of the worm/trojans are pretty sophisticated and only turn on at certain times; others only respond to specific IPs. Whatever is infecting the server/firewall/machine behind the server/firewall may be difficult to find and it may be more than one trojan/worm ...
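The check Ellen describes above (trust only the Received header your own MTA wrote, then look for forged hops beneath it) can be automated. This is an added example, not code from the thread or SpamCop's parser; it assumes the sendmail/Postfix "from HELO (rDNS [ip]) by HOST" header form and uses the Received lines from the second report posted earlier as its sample.

```python
import re

# Received chain from the second SpamCop report quoted in this thread, one
# header per line (content as posted). The recipient's MTA wrote the first
# line; every line below it arrived inside the message from the sending host.
REPORTED_HEADERS = """\
Received: from [203.2.192.76] ([67.131.122.3]) by smta03.mail.ozemail.net with SMTP id <20040609193707.CESB11826.smta03.mail.ozemail.net[at][203.2.192.76]>; Wed, 9 Jun 2004 19:37:07 +0000
Received: from smtp1.nix.paypal.com (smtp4.nix.paypal.com [67.131.122.3]) by yahoo.com (8.19.10/8.15.10) with ESMTP id i4M1AVjw010633 for <x>; %CURRENT_DATE_TIME
Received: from notify3.nix.paypal.com (notify1.nix.paypal.com [40.84.219.171]) by smtp2.nix.paypal.com (Postfix) with SMTP id E0B863EF91 for <x>; %CURRENT_DATE_TIME
Received: (qmail 18850 invoked by uid 612); Wed, 09 Jun 2004 23:35:19 +0300
"""

# Matches "from HELO (rDNS [ip]) by HOST"; qmail's "(qmail ... invoked ...)" local-delivery lines do not match.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(headers):
    """Return one dict per 'Received: from ... by ...' line, newest first."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hop = m.groupdict()
            hop["date"] = line.rsplit(";", 1)[1].strip() if ";" in line else ""
            hops.append(hop)
    return hops

def analyze(headers):
    """Return (connecting_ip, {hop_index: [reasons]}). Hop 0 is trusted because the
    receiving MTA wrote it. An older hop is flagged when its 'by' host is not the
    sender the next-newer hop names (the chain does not link up), when it reuses the
    real connecting IP under another name, or when its date is an unexpanded template."""
    hops = parse_received(headers)
    connecting_ip = hops[0]["ip"] if hops else None
    flagged = {}
    for i in range(1, len(hops)):
        newer, hop, reasons = hops[i - 1], hops[i], []
        senders = {newer["helo"].lower(), (newer["rdns"] or "").lower()}
        if hop["by"].lower() not in senders:
            reasons.append("'by %s' does not match the sender the newer hop names" % hop["by"])
        if hop["ip"] == connecting_ip:
            reasons.append("claims connecting IP %s as %s" % (connecting_ip, hop["helo"]))
        if hop["date"].startswith("%"):
            reasons.append("unexpanded date template: " + hop["date"])
        if reasons:
            flagged[i] = reasons
    return connecting_ip, flagged
```

Run against the sample, hop 0 yields 67.131.122.3 as the only host that actually connected, and both "paypal.com" hops are flagged on every test.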