Why are we blocked?

[ddi]

Our mail relay 130.227.153.100 is blocked by SpamCop.

It has never been an open relay (at least not for the last couple of years).

There's no information of interest to be found at http://www.spamcop.net/w3m?action=checkblo...130.227.153.100.

Full Quote:

=================

130.227.153.100 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 400 times by less than 10 users. It has been listed for 40 hours.

In the past week, this system has:

Been detected sending mail to spam traps

=================

We have a very tight mail server setup, and I can't imagine anyone here ever having sent anything remotely like spam. I could imagine that the problem may stem from a non-delivery report or so unintentionally bouncing back and forth between a spamtrap and our system - but with the little information above, it's hard to tell.

Is there any way to get more information on what SpamCop sees?

Is it possible that someone is faking us as a sender address and that SpamCop wrongly accepts this information?

Update: We have disabled all NDR's etc. (all system messages), and the honeypot counter on spamcop.net is still happily counting upwards.

[turetzsr]

Our mail relay 130.227.153.100 is blocked by SpamCop.

It has never been an open relay (at least not for the last couple of years).

There's no information of interest to be found at http://www.spamcop.net/w3m?action=checkblo...130.227.153.100.

Full Quote:

=================

130.227.153.100 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 400 times by less than 10 users. It has been listed for 40 hours.

In the past week, this system has:

Been detected sending mail to spam traps

=================

We have a very tight mail server setup, and I can't imagine anyone here ever having sent anything remotely like spam. I could imagine that the problem may stem from a non-delivery report or so unintentionally bouncing back and forth between a spamtrap and our system - but with the little information above, it's hard to tell.

Is there any way to get more information on what SpamCop sees?

Is it possible that someone is faking us as a sender address and that SpamCop wrongly accepts this information?

Update: We have disabled all NDR's etc. (all system messages), and the honeypot counter on spamcop.net is still happily counting upwards.

Hi,

...Please check out the Pinned: FAQ Entry: Why is my email blocked? or the SpamCop FAQ. If you still have questions after looking there, please don't hesitate to come on back here and ask them.

...Good luck!

[jefft]

Our mail relay 130.227.153.100 is blocked by SpamCop.

It has never been an open relay (at least not for the last couple of years).

There's no information of interest to be found at http://www.spamcop.net/w3m?action=checkblo...130.227.153.100.

Full Quote:

=================

130.227.153.100 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 400 times by less than 10 users. It has been listed for 40 hours.

In the past week, this system has:

Been detected sending mail to spam traps

=================

We have a very tight mail server setup, and I can't imagine anyone here ever having sent anything remotely like spam. I could imagine that the problem may stem from a non-delivery report or so unintentionally bouncing back and forth between a spamtrap and our system - but with the little information above, it's hard to tell.

Is there any way to get more information on what SpamCop sees?

Is it possible that someone is faking us as a sender address and that SpamCop wrongly accepts this information?

Update: We have disabled all NDR's etc. (all system messages), and the honeypot counter on spamcop.net is still happily counting upwards.

Actually, you've got a real problem. There's been close to 500 spams come out of that machine recently that we've trapped. I can see the headers and it isn't bounces or NDR's. It's "these chicks get down, fast", "Find out anything about anyone", and "u gotta see what these hoes do" among others.

The spam is originating on that machine and going out through notes.dubex.dk.

I'd suggest you maybe run some packet traces between those machines or something. It appears that the machine that is listed is actively being exploited by spammers. I don't know if it's an open proxy, if they've guessed an SMTP AUTH password, or if there's a zombie on your network that's spamming, but there's something going on.

Good luck and, if you can, please let us know what you find out.

JT

[ddi]

A long forgotten test machine in a long forgotten test segment (which unfortunately was specifically allowed to send mail on the outgoing relay)..

It has been disabled, which seems to have stopped the honeypot counter.

If you come across any more from .100 or .101, don't hesitate to contact me.

Thank you very much for the information, it's been a big time-saver in finding the culprit :-).

[jefft]

A long forgotten test machine in a long forgotten test segment (which unfortunately was specifically allowed to send mail on the outgoing relay)..

It has been disabled, which seems to have stopped the honeypot counter.

If you come across any more from .100 or .101, don't hesitate to contact me.

Thank you very much for the information, it's been a big time-saver in finding the culprit :-).

Indeed, the spam seems to have stopped completely 27 hours ago.

Thanks for coming back and telling us what the problem was. Since you've got it fixed, I went ahead and scheduled your machine to be delisted early.

JT