Jump to content

Spasm Alert ! & Trace the source!


Recommended Posts

Hi all ..

We have our own server (dedicating one) and last two days, we receive two complain .. from SpasmCop that our server send spasm… we hate spasm and we are total understand that.

We tried our best to trace the source of the spasm and from which account under our server ! but unfortunately until now we are not sure about it !

Could some one help us please … how to trace the source !


The massage from SpasmCop

>Subject:  [spamCop ( id:1088911515]

>Date:  Thu, 1 Jul 2004 01:45:26 -0700

>From:  Egyptian <1088911515[at]reports.spamcop.net>

>To:  abuse[at]managed.com




>[ SpamCop V1.351  ]

>This message is brief for your comfort.  Please use links below for details.


>Email from / Thu, 1 Jul 2004 01:45:26 -0700




>[ Offending message ]

>X-Message-Info: 6sSXyD95QpUOoMV+MBLu428SihUMpolx

>Received: from mc2-f2.hotmail.com ([]) by mc2-s5.hotmail.com

>with Microsoft SMTPSVC(5.0.2195.6824);

>  Thu, 1 Jul 2004 03:47:39 -0700

>Received: from ns1.murabba.com ([]) by mc2-f2.hotmail.com

>with Microsoft SMTPSVC(5.0.2195.6713);

>  Thu, 1 Jul 2004 01:45:26 -0700

>Received: from nobody by ns1.murabba.com with local (Exim 4.34)

> id 1BfxCA-00054J-JC

> for x; Thu, 01 Jul 2004 11:45:26 +0300

>To: x


>From: ""<waseet[at]ns1.murabba.com>

>Reply-To: waseet[at]ns1.murabba.com

>Message-Id: <E1Bf_________J-JC[at]ns1.murabba.com>

>Date: Thu, 01 Jul 2004 11:45:26 +0300

>X-AntiAbuse: This header was added to track abuse, please include it

>with any abuse report

>X-AntiAbuse: Primary Hostname - ns1.murabba.com

>X-AntiAbuse: Original Domain - hotmail.com

>X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

>X-AntiAbuse: Sender Address Domain - ns1.murabba.com




>Return-Path: nobody[at]ns1.murabba.com

>X-OriginalArrivalTime: 01 Jul 2004 08:45:26.0887 (UTC)










Link to comment
Share on other sites

I'm confused. If one makes the leap of logic and assumption that you are somehow related to the ip of and then one looks at the referenced link in the report of http://www.spamcop.net/w3m?i=z1088911515z7...7654a928254b25z ... one sees three entries, but all three entries say they come from another set of IPs ....

host (getting name) = dsl62-80-1184.saudi.net.sa

host (getting name) = cache7-4.ruh.isu.net.sa

but the original IP / complaint was about;

host = www.murabba.com and the complaint would have gone to abuse[at]managed.com ...

How about explaining who you are and the connections between these differing IPs. Then possibly add in why it would be so difficult for someone "running" their own servers to figure out what is going on ..(perhaps the answer to the first part might explain the confusion of the second part of my question)

Link to comment
Share on other sites

Thanks for your reply …

Will … I will try to clarify the confusion

This IP is the main IP address of our server we get this server from managed.com as dedicating server, and we are from Saudi Arabia so when ever we tried to add a reply to the report, IP address come from Saudi Arabia.

Hope it's clear now :)

Link to comment
Share on other sites

OK, then what I make of this is that abuse[at]managed.com has forwarded the spam complaints to you. You "may" be able to register yourself as an "interested third-party" such that complaints will come directly to you (though also noting that due to some abuse in the past, a lot of reporters will elect not to send these third-party reports out) .. Please see http://www.spamcop.net/fom-serve/cache/94.html

http://www.senderbase.org/?searchBy=ipaddr...g= shows some strange numbers ... 853% increase in e-mail traffic over the last 30 days, but -6% over the last day ... this may be because it is early in the morning at SenderBase ..??

http://www.spamcop.net/w3m?action=checkblo...p= only mentions reports for the cause of the listing, the mathematical formula of traffic "seen", spam reports, and time appear to suggest that most of your e-mail raffic is not hitting those servers involved in "momitoring" traffic, so the few amounts of complaints/reports has been enough to get you over the 2% threshold of the ratio of spam to total (seen) traffic.

At this point, I can only suggest that someone there needs to do what would be considered "normal" analysis. In the complaint, there are date/time stamps in the headers that should give a clue as to where to start looking in your server log files. This does presume that this e-mail did leave via that route.

Not knowing what your system looks like, you might also be looking for an exploit of very well known issues of an Exchange server, you may have an abuseable relay or proxy, there may be an infected/compromised machine on your network, but at this point, it does appear that you should be able to find the traffic in your log files.

Do you have a "waseet" user on your system? Why would the address be showing as "ns1.murabba.com" which would normally suggest a "name-server"? How long has this server been in use?

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...