jmann Posted February 3, 2004

Hi folks. I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net. We are an ISP, and the server in question is an outgoing mail relay for the use of our business customers. It is restricted to relaying for the IP ranges that we assign to those customers only. We DO have a no-spam policy.

Unfortunately, from time to time, we get a customer who is either deliberately sending spam through the relay in defiance of our policy, or unknowingly has an insecure mail server themselves, and has it set to use our relay as a smart host. In such cases, our standard course of action is to immediately block the offending customer from using the relay and then contact them to inform them of what is happening. Only after they have told us that they have secured their mail server do we lift the block on the relay server.

I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay. However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out.

I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent. Can anyone suggest what I should do?

Thanks.

Jason Mann
StevenUnderwood Posted February 3, 2004

Since most of us here are spamcop users and not administrators, we are not allowed to see any more evidence than you are. Your best resource will be to email deputies<at>spamcop.net and try to get more information. Be forewarned, however, that your listing includes a reference to mail received at spamtraps, addresses set up to catch unauthorized email. The deputies are very protective of any information sent to the spamtraps in order to protect them.

http://www.spamcop.net/w3m?action=checkblo...=194.117.129.35

Good luck.
michaelanglo Posted February 3, 2004

What is in your SMTP logs? I see a typical spam subject (contains Norton) there; can you search for that?
Ellen Posted February 3, 2004

Hi folks. I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net. <snip> I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay. However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out. I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent. Can anyone suggest what I should do? Thanks. Jason Mann

HELO STJOHNS.NEILSONS.CO.UK

The latest trap hit is less than an hour ago.
jmann Posted February 3, 2004

Thank you all for your replies. I'm using qmail, and subject lines are not included in the logs. STJOHNS.NEILSONS.CO.UK doesn't resolve to anything. Still stuck.
jmann Posted February 3, 2004

I've just searched through the queue for more mails with the string "NEILSONS" in it, and found quite a few. I have now blocked the sending IP address and will delete any already-queued mails. Hopefully the spam will stop and we can be unlisted in 48 hours.

Thanks for your help.

Jason
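The two steps the admin describes above, finding the IP that handed a message to the relay from its Received: headers (first post) and then searching the queue for other messages from the same source (this post), as an added example that is not part of the original thread or the poster's own tooling. The relay IP 194.117.129.35 and the HELO name STJOHNS.NEILSONS.CO.UK are from the thread; the hostname relay.example.net, the addresses in 192.0.2.0/24 and 198.51.100.0/24, and the sample messages are constructed for illustration. The header parser handles the qmail-smtpd trace format ("from rdns (HELO name) (ip) by us") and the common sendmail/Postfix/Exchange shape ("from name (rdns [ip]) by us"):

```python
"""Identify which customer host injected mail into our relay.

Added example for this thread, not the poster's own code. Given raw messages
(from the relay's queue, or a full copy of a reported message), it finds the
Received: header that our relay wrote and reads the upstream IP and HELO
name from it, then groups the queue by that IP. The relay IP and the HELO
name STJOHNS.NEILSONS.CO.UK come from the thread; everything else is assumed.
"""
import email
import re
from collections import Counter

# Our relay's IP (from the thread) and hostname (assumed); lower-case.
RELAY_IDS = {"194.117.129.35", "relay.example.net"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# qmail-smtpd style:  from <rdns> (HELO <helo>) (<ip>) by <us> with SMTP; <date>
QMAIL = re.compile(r"^from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\((" + IPV4 + r")\)\s+by\s+(\S+)", re.I)
# sendmail/postfix/exchange style:  from <helo> (<rdns> [<ip>]) by <us> ...
GENERIC = re.compile(r"^from\s+(\S+)\s+\([^\[]*\[(" + IPV4 + r")\]\)\s+by\s+(\S+)", re.I)


def parse_received(value):
    """Return (helo, ip, by_host) from one Received: value, or None if unparseable."""
    flat = " ".join(value.split())  # undo RFC 2822 header folding
    for rx in (QMAIL, GENERIC):
        m = rx.match(flat)
        if m:
            return m.group(1), m.group(2), m.group(3).rstrip(";").lower()
    return None


def upstream_hop(raw, relay_ids=RELAY_IDS):
    """Return (ip, helo) of the host that handed this message to our relay.

    Received: headers are prepended by each hop, so the one whose 'by' names
    our relay is the one we wrote ourselves. Its 'from' IP is the only hop we
    can trust; anything below it was written by other hosts and may be forged.
    """
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed and parsed[2] in relay_ids:
            return parsed[1], parsed[0]
    return None


def find_abusers(messages, needle=None, relay_ids=RELAY_IDS):
    """Count queued messages per upstream IP, optionally only those containing
    `needle` (case-insensitive), as the thread did with the string "NEILSONS".
    Returns {ip: (count, [helo names seen])}, busiest source first."""
    counts, helos = Counter(), {}
    for raw in messages:
        if needle and needle.lower() not in raw.lower():
            continue
        hop = upstream_hop(raw, relay_ids)
        if hop:
            ip, helo = hop
            counts[ip] += 1
            helos.setdefault(ip, set()).add(helo)
    return {ip: (n, sorted(helos[ip])) for ip, n in counts.most_common()}


# Constructed sample: a full copy of one message as a spamtrap would see it.
# 192.0.2.10 is the (assumed) customer relay, 198.51.100.7 the (assumed) origin.
TRAP_COPY = """Received: from relay.example.net (HELO relay.example.net) (194.117.129.35)
  by trap.example.org with SMTP; 3 Feb 2004 10:05:12 -0000
Received: from unknown (HELO STJOHNS.NEILSONS.CO.UK) (192.0.2.10)
  by 194.117.129.35 with SMTP; 3 Feb 2004 10:05:10 -0000
Received: from user (unknown [198.51.100.7])
  by stjohns.neilsons.co.uk with SMTP; 3 Feb 2004 10:05:01 -0000
From: nobody@example.com
Subject: Norton offer

body
"""

# Constructed sample of the relay's own queue: the top Received: is ours.
QUEUE = [
    "Received: from unknown (HELO STJOHNS.NEILSONS.CO.UK) (192.0.2.10)\n"
    "  by 194.117.129.35 with SMTP; 3 Feb 2004 10:05:10 -0000\n"
    "Subject: Norton offer\n\nbody\n",
    "Received: from unknown (HELO STJOHNS.NEILSONS.CO.UK) (192.0.2.10)\n"
    "  by 194.117.129.35 with SMTP; 3 Feb 2004 10:06:30 -0000\n"
    "Subject: Norton offer again\n\nbody\n",
    "Received: from mail.legit.example (HELO mail.legit.example) (192.0.2.44)\n"
    "  by 194.117.129.35 with SMTP; 3 Feb 2004 10:07:00 -0000\n"
    "Subject: Invoice\n\nbody\n",
]

if __name__ == "__main__":
    print("reported message came to us from:", upstream_hop(TRAP_COPY))
    print("queue, filtered on NEILSONS:", find_abusers(QUEUE, "NEILSONS"))
    print("queue, all sources:", find_abusers(QUEUE))
```

On a real qmail host the `QUEUE` list would be read from the message files under the queue's mess/ directory; the point of the filter is that once one distinguishing string is known, the upstream IP and HELO reported by `find_abusers` are what to block and to quote back to the customer.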
Merlyn Posted February 3, 2004

Was it somewhere between 213.48.59.192 - 213.48.59.207?
jmann Posted February 3, 2004

Unfortunately, I can't say. I'd probably get in serious trouble with my employer.
Merlyn Posted February 3, 2004

No problem, I just wanted to know so I could add it to my personal BL. But sooner or later all the spammers get into it :-)
jmann Posted February 3, 2004

I'll say this much: The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a third party outside their network. The customer was notified and they have corrected the configuration of their mail server. I have just now carried out an open-relay check on their server, and it seems to be OK, so we have already unblocked them from using our relay. I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.
Chris Parker Posted February 3, 2004

The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a third party outside their network. The customer was notified and they have corrected the configuration of their mail server. I have just now carried out an open-relay check on their server, and it seems to be OK, so we have already unblocked them from using our relay. I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.

If they were running Exchange you might also want to check role accounts (admin, guest, webmaster, postmaster, etc.) for weak passwords.
This topic is now archived and is closed to further replies.