
Spam Alert! & Trace the source!


Murabba


Hi all ..

We have our own server (a dedicated one) and in the last two days we received two complaints from SpamCop that our server sends spam… we hate spam and we totally understand that.

We tried our best to trace the source of the spam and from which account under our server, but unfortunately until now we are not sure about it!

Could someone help us please… how to trace the source!

Thanks

The message from SpamCop:

>Subject:  [spamCop (65.75.154.110) id:1088911515]

>Date:  Thu, 1 Jul 2004 01:45:26 -0700

>From:  Egyptian <1088911515[at]reports.spamcop.net>

>To:  abuse[at]managed.com

>

>

>

>[ SpamCop V1.351  ]

>This message is brief for your comfort.  Please use links below for details.

>

>Email from 65.75.154.110 / Thu, 1 Jul 2004 01:45:26 -0700

>http://www.spamcop.net/w3m?i=z1088911515z715e25d0706cbaa1cb7654a928254b

>25z

>

>[ Offending message ]

>X-Message-Info: 6sSXyD95QpUOoMV+MBLu428SihUMpolx

>Received: from mc2-f2.hotmail.com ([65.54.190.9]) by mc2-s5.hotmail.com

>with Microsoft SMTPSVC(5.0.2195.6824);

>  Thu, 1 Jul 2004 03:47:39 -0700

>Received: from ns1.murabba.com ([65.75.154.110]) by mc2-f2.hotmail.com

>with Microsoft SMTPSVC(5.0.2195.6713);

>  Thu, 1 Jul 2004 01:45:26 -0700

>Received: from nobody by ns1.murabba.com with local (Exim 4.34)

> id 1BfxCA-00054J-JC

> for x; Thu, 01 Jul 2004 11:45:26 +0300

>To: x

>Subject:

>From: ""<waseet[at]ns1.murabba.com>

>Reply-To: waseet[at]ns1.murabba.com

>Message-Id: <E1Bf_________J-JC[at]ns1.murabba.com>

>Date: Thu, 01 Jul 2004 11:45:26 +0300

>X-AntiAbuse: This header was added to track abuse, please include it

>with any abuse report

>X-AntiAbuse: Primary Hostname - ns1.murabba.com

>X-AntiAbuse: Original Domain - hotmail.com

>X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]

>X-AntiAbuse: Sender Address Domain - ns1.murabba.com

>X-Source:

>X-Source-Args:

>X-Source-Dir:

>Return-Path: nobody[at]ns1.murabba.com

>X-OriginalArrivalTime: 01 Jul 2004 08:45:26.0887 (UTC)

>FILETIME=[C19DAF70:01C45F47]

>

><html>

><body>

>http://www.w444.com/vb/showthread.php?s=&postid=45918#post45918

></html>

></body>

>

>


I'm confused. If one makes the leap of logic and assumption that you are somehow related to the ip of 65.75.154.110 and then one looks at the referenced link in the report of http://www.spamcop.net/w3m?i=z1088911515z7...7654a928254b25z ... one sees three entries, but all three entries say they come from another set of IPs ....

host 62.149.80.162 (getting name) = dsl62-80-1184.saudi.net.sa

host 212.138.47.17 (getting name) = cache7-4.ruh.isu.net.sa

but the original IP / complaint was about;

host 65.75.154.110 = www.murabba.com and the complaint would have gone to abuse[at]managed.com ...

How about explaining who you are and the connections between these differing IPs. Then possibly add in why it would be so difficult for someone "running" their own servers to figure out what is going on.. (perhaps the answer to the first part might explain the confusion of the second part of my question)


Thanks for your reply …

Well… I will try to clarify the confusion.

This IP, 65.75.154.110, is the main IP address of our server. We get this server from managed.com as a dedicated server, and we are from Saudi Arabia, so whenever we try to add a reply to the report, the IP address comes from Saudi Arabia.

Hope it's clear now :)


OK, then what I make of this is that abuse[at]managed.com has forwarded the spam complaints to you. You "may" be able to register yourself as an "interested third-party" such that complaints will come directly to you (though also noting that due to some abuse in the past, a lot of reporters will elect not to send these third-party reports out) .. Please see http://www.spamcop.net/fom-serve/cache/94.html

http://www.senderbase.org/?searchBy=ipaddr...g=65.75.154.110 shows some strange numbers ... 853% increase in e-mail traffic over the last 30 days, but -6% over the last day ... this may be because it is early in the morning at SenderBase ..??

http://www.spamcop.net/w3m?action=checkblo...p=65.75.154.110 only mentions reports for the cause of the listing; the mathematical formula of traffic "seen", spam reports, and time appears to suggest that most of your e-mail traffic is not hitting those servers involved in "monitoring" traffic, so the few complaints/reports have been enough to get you over the 2% threshold of the ratio of spam to total (seen) traffic.

At this point, I can only suggest that someone there needs to do what would be considered "normal" analysis. In the complaint, there are date/time stamps in the headers that should give a clue as to where to start looking in your server log files. This does presume that this e-mail did leave via that route.

Not knowing what your system looks like, you might also be looking for an exploit of very well known issues of an Exchange server, you may have an abuseable relay or proxy, there may be an infected/compromised machine on your network, but at this point, it does appear that you should be able to find the traffic in your log files.

Do you have a "waseet" user on your system? Why would the address be showing as "ns1.murabba.com" which would normally suggest a "name-server"? How long has this server been in use?

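As an added illustration of the "normal analysis" suggested in the reply above (example code written for this thread, not from any poster, from SpamCop, or from Exim): the script pulls the log-search pivots out of the headers quoted in the report (the Exim message id, the local submitting user, the submission time converted to UTC, and the two UID/GID pairs from the X-AntiAbuse header) and then matches the message id against Exim mainlog lines. The mainlog lines are constructed for the example and are not from the server in question; the forum's "[at]" obfuscation in the quoted headers has been restored to "@" so the addresses parse.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Headers from the SpamCop "Offending message" quoted above ("[at]" -> "@").
REPORT_HEADERS = """\
Received: from nobody by ns1.murabba.com with local (Exim 4.34)
 id 1BfxCA-00054J-JC
 for x; Thu, 01 Jul 2004 11:45:26 +0300
To: x
From: ""<waseet@ns1.murabba.com>
Reply-To: waseet@ns1.murabba.com
X-AntiAbuse: Primary Hostname - ns1.murabba.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
Return-Path: nobody@ns1.murabba.com
"""

# Constructed Exim mainlog lines (hypothetical, not from the thread), in the
# mainlog layout: date time message-id, "<=" arrival with U=user P=protocol,
# "=>" delivery, "Completed".
SAMPLE_MAINLOG = """\
2004-07-01 11:40:02 1BfxGd-00051Q-Ab <= owner@example.com U=owner P=local S=812
2004-07-01 11:45:26 1BfxCA-00054J-JC <= nobody@ns1.murabba.com U=nobody P=local S=433 id=E1BfxCA-00054J-JC@ns1.murabba.com
2004-07-01 11:45:26 1BfxCA-00054J-JC => x@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.244.8]
2004-07-01 11:45:26 1BfxCA-00054J-JC Completed
"""

RECEIVED_LOCAL_RE = re.compile(r"from (\S+) by (\S+) with local \(Exim ([\d.]+)\)")
EXIM_ID_RE = re.compile(r"\bid (\S+)")
UIDGID_RE = re.compile(r"\[(\d+) (\d+)\] / \[(\d+) (\d+)\]")


def unfold_headers(raw):
    """Join RFC 2822 continuation lines; return a list of (name, value)."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def extract_pivots(raw):
    """Collect the header values worth searching the server logs for."""
    pivots = {}
    for name, value in unfold_headers(raw):
        lname = name.lower()
        if lname == "received" and "with local" in value:
            # Locally injected message: the hop that names the submitting user.
            m = RECEIVED_LOCAL_RE.match(value)
            if m:
                pivots["local_user"], pivots["host"], pivots["exim_version"] = m.groups()
            m = EXIM_ID_RE.search(value)
            if m:
                pivots["exim_id"] = m.group(1)
            m = re.search(r";\s*(.+)$", value)  # date follows the last ';'
            if m:
                ts = parsedate_to_datetime(m.group(1).strip())
                pivots["submitted_local"] = ts
                pivots["submitted_utc"] = ts.astimezone(timezone.utc)
        elif lname == "x-antiabuse":
            m = UIDGID_RE.search(value)
            if m:  # "Originator/Caller UID/GID - [o_uid o_gid] / [c_uid c_gid]"
                o_uid, o_gid, c_uid, c_gid = map(int, m.groups())
                pivots["originator_uid_gid"] = (o_uid, o_gid)
                pivots["caller_uid_gid"] = (c_uid, c_gid)
        elif lname == "from":
            m = re.search(r"<([^>]+)>", value)
            pivots["from_addr"] = m.group(1) if m else value
    return pivots


def find_log_entries(mainlog, exim_id):
    """Every mainlog line for one Exim message id (third token of a line)."""
    return [ln for ln in mainlog.splitlines()
            if len(ln.split()) >= 3 and ln.split()[2] == exim_id]


def attribute_submission(entries):
    """From the '<=' arrival line, recover who handed the message to Exim."""
    for line in entries:
        parts = line.split()
        if len(parts) > 4 and parts[3] == "<=":
            info = {"envelope_from": parts[4]}
            for tok in parts[5:]:
                if "=" in tok:
                    key, val = tok.split("=", 1)
                    info[key] = val
            return info
    return None


def investigate(raw_headers, mainlog):
    pivots = extract_pivots(raw_headers)
    entries = find_log_entries(mainlog, pivots["exim_id"])
    return pivots, entries, attribute_submission(entries)


if __name__ == "__main__":
    pivots, entries, who = investigate(REPORT_HEADERS, SAMPLE_MAINLOG)
    print("search mainlog for", pivots["exim_id"], "near", pivots["submitted_utc"])
    print("originator uid/gid", pivots["originator_uid_gid"],
          "caller uid/gid", pivots["caller_uid_gid"])
    print("\n".join(entries))
    print("submitted by:", who)
```

On a real server the same id is searched in the Exim mainlog (its path varies by distribution and control panel), and the "U=" field of the "<=" line confirms the submitting Unix user; in the quoted headers that user is "nobody", which on many web hosts is the account a web server's scripts run as. Resolving the Caller UID/GID pair against /etc/passwd and /etc/group is the usual next step to see which account's process invoked the mailer, which is exactly the "waseet" question the reply raises.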
