smomanaz Posted September 2, 2004

We are a small company that runs a Win2K3/Exchange 2K3 server that I believe IS NOT allowing open relay. Many of my clients' emails are rejecting us because of an association to an FTP server, at a different address than our mail server. Can someone at SpamCop please identify our addresses as not having an open relay, and remove us from the list??

208.14.80.199 is our mail server... 208.142.80.201 was our FTP server that I have shut down.

Any questions... please contact me asap: itman[at]summitbuilders.com

DavidT Posted September 2, 2004

"208.14.80.199" = your server?? But according to ARIN, that IP belongs to Conell.edu, so I think you might have a typo in your number.

DT

Wazoo Posted September 2, 2004

Currently,

Query bl.spamcop.net - 208.14.80.199
208.14.80.199 not listed in bl.spamcop.net

Volume Statistics for this IP
                Magnitude    Vol Change vs. Average
Last day        0.0          -100%
Last 30 days    0.0          -100%
Average         0.0

Query bl.spamcop.net - 208.142.80.199
208.142.80.199 not listed in bl.spamcop.net

Volume Statistics for this IP
                Magnitude    Vol Change vs. Average
Last day        0.0          -100%
Last 30 days    0.0          -100%
Average         2.0

Query bl.spamcop.net - 208.142.80.201
208.142.80.201 listed in bl.spamcop.net (127.0.0.2)

Causes of listing
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 208.142.80.201 has no reverse dns

Listing History
It has been listed for less than 24 hours.

Volume Statistics for this IP
                Magnitude    Vol Change vs. Average
Last day        3.8          3338%
Last 30 days    2.8          270%
Average         2.3

I'm wondering if you have your IPs mixed up. You obviously haven't looked at the FAQ or read any of the recent Topics that also deal with hooking an Exchange server directly to the 'net' .... The second IP above belongs to a machine that has been compromised. Please look at the FAQ item labelled "Read before Posting" and try again.

DavidT Posted September 2, 2004

Ah...you DID have a typo in your mail server IP....it should have been: 208.142.80.199

(and I see that you're using MX Logic's email defense system for your incoming messages....I've just started experimenting with that, but my hosting provider is using the TUCOWS reseller version and it's got problems)

DT

smomanaz Posted September 2, 2004

Sorry guys... What I am being told is spam from me is... 208.142.80.201

It is from Savvis, which was Cable and Wireless.

smomanaz Posted September 2, 2004

My Exchange is the 199.... the 201 was the FTP.. I don't know how SpamCop would have cut off our Exchange server for an activity not on the same address....

Wazoo Posted September 2, 2004

> My Exchange is the 199.... the 201 was the FTP.. I don't know how SpamCop would have cut off our Exchange server for an activity not on the same address....

And again, the FAQ would have explained that SpamCop has no such power to begin with. SpamCop also does not deal with FTP. I am no longer wondering about the confusion of IPs ... your roadmap is wrong. 201 is kicking out e-mail, so if it's not the Exchange server, you've got a seriously screwed machine sitting there.

DavidT Posted September 2, 2004

> My Exchange is the 199.... the 201 was the FTP.. I don't know how SpamCop would have cut off our Exchange server for an activity not on the same address....

Well...seeing that SpamCop users have reported the FTP IP as a source of spam, I'd say that there's something goofy with your server configs, and that perhaps whatever services exist on that IP include some that are capable of being used by spammers.

Or, here's another scenario....if you've got a particular machine that's dedicated as an FTP server that was assigned to that IP address, and that machine was compromised, perhaps by a trojan, making it a "spam zombie," then it's conceivable that the machine could have been cranking out spam without your knowledge and that's how it got reported. I'm a choir director in AZ....not a server admin, but maybe I've presented a logical scenario?

BTW, SpamCop doesn't block ANYTHING at all. SpamCop has a DNS BL that ISPs can query and some of them use it as a blocking tool....just to make that clear.

DT

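Added example, not part of the original thread: how a receiving mail server consults a DNS blocklist such as bl.spamcop.net and then makes its own accept/reject decision, which is the distinction drawn in the post above. The function names, the `thread_snapshot` stand-in resolver (constructed from the listing results quoted in this thread) and the reply strings are assumptions of this example, not SpamCop's or any mail server's code.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_lookup(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Return the 127.x answer if the IP is listed, None if the name does not resolve."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None  # no such name: the IP is not on the list
    return answer if answer.startswith("127.") else None

def receiver_decision(ip, resolve=socket.gethostbyname):
    """The receiving server's policy (illustrative): the list only answers the query."""
    code = dnsbl_lookup(ip, resolve=resolve)
    if code is None:
        return "250 accept"
    return f"554 rejected: {ip} listed in bl.spamcop.net ({code})"

def thread_snapshot(name):
    """Offline stand-in for DNS, constructed from the results quoted in this thread."""
    listed = {dnsbl_name("208.142.80.201"): "127.0.0.2"}
    if name not in listed:
        raise socket.gaierror("name does not exist")
    return listed[name]

if __name__ == "__main__":
    for ip in ("208.142.80.199", "208.142.80.201"):
        print(dnsbl_name(ip), "->", receiver_decision(ip, resolve=thread_snapshot))
```
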
DavidT Posted September 2, 2004

More on your "FTP IP":

The Senderbase report is pretty scary:

http://www.senderbase.org/?searchBy=ipaddr...=208.142.80.201

That machine is cranking out email....I'd reformat the HD and start from scratch, and then change the way you've got things configured so that it doesn't happen again.

Furthermore, someone has been surfing the web this summer from that IP address...it shows up in the web stats on 06 Jul 2004 - 14:48 for:

http://www.cycletrailerrental.com/

which rents and sells motorcycle trailers in Tampa Bay, Florida. Have you got a "travelling biker" in the office there at Summit? :-)

DT

Merlyn Posted September 2, 2004

The configuration on these machines is really messed up. Were you listed on 199 and couldn't figure out your problem so you switched servers and now 201 is listed???? Or are they the same machine? (Notice on both the internal IP is 192.168.1.20.)

Let's see:

208.142.80.201 listed in bl.spamcop.net (127.0.0.2)

Let's check the machine: 208.142.80.201

SMTP - 25
220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 2 Sep 2004 15:12:13 -0700

HTTP - 80
HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://192.168.1.20/iisstart.htm
Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT
Accept-Ranges: bytes
ETag: "06be97f14dac21:7fd1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 02 Sep 2004 22:12:13 GMT
Connection: close

You probably have been hacked by the SMTP auth hack:

Your Exchange server may be relaying spam for spammers. Please see this FAQ for information about the exploit and how to fix the problem:

http://news.spamcop.net/cgi-bin/fom?file=372

And the following:

http://www.winnetmag.com/article/articleid/40507/40507.html
http://www.winnetmag.com/article/articleid/42406/42406.html

208.142.80.199 is not listed.

Let's check the machine anyhow: 208.142.80.199

SMTP - 25
220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 2 Sep 2004 15:18:36 -0700

HTTP - 80
HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://192.168.1.20/iisstart.htm
Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT
Accept-Ranges: bytes
ETag: "06be97f14dac21:7fd1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 02 Sep 2004 22:18:36 GMT
Connection: close

You have the Exchange server running on both of them!!!!!!!!!!!!!!! They are probably both hacked. You should disconnect them from the web (it's the little wire in back) until you can either fix them or hire someone who can.

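Added example, not part of the original thread: the comparison made in the post above, written as a script an administrator can run over banners collected from their own public addresses. It reduces each capture to the fields that identify the host, groups public IPs that present the same fingerprint, and reports a private address leaked in `Content-Location`. The capture text is the probe output quoted in the post, trimmed to the compared fields; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Probe output quoted in the post above; only the timestamp differs between the two IPs.
CAPTURE = '''220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 2 Sep 2004 {t} -0700
Content-Location: http://192.168.1.20/iisstart.htm
Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT
ETag: "06be97f14dac21:7fd1"
Server: Microsoft-IIS/6.0'''
CAPTURES = {
    "208.142.80.201": CAPTURE.format(t="15:12:13"),
    "208.142.80.199": CAPTURE.format(t="15:18:36"),
}
STABLE_HEADERS = ("content-location", "last-modified", "etag", "server")

def fingerprint(capture):
    """Keep the SMTP greeting hostname and the headers that do not change per request."""
    fp = {}
    for line in capture.splitlines():
        greeting = re.match(r"220[ -](\S+)", line)
        if greeting:
            fp["smtp_host"] = greeting.group(1).lower()
            continue
        name, sep, value = line.partition(":")
        if sep and name.lower() in STABLE_HEADERS:
            fp[name.lower()] = value.strip()
    return fp

def leaked_private_ip(fp):
    """Return the private (RFC 1918) address exposed in Content-Location, if any."""
    m = re.match(r"https?://(\d+\.\d+\.\d+\.\d+)", fp.get("content-location", ""))
    if m and ipaddress.ip_address(m.group(1)).is_private:
        return m.group(1)
    return None

def group_by_host(captures):
    """Return lists of public IPs whose fingerprints are identical."""
    groups = defaultdict(list)
    for ip, capture in captures.items():
        groups[tuple(sorted(fingerprint(capture).items()))].append(ip)
    return [sorted(ips) for ips in groups.values()]

if __name__ == "__main__":
    for ips in group_by_host(CAPTURES):
        fp = fingerprint(CAPTURES[ips[0]])
        print(ips, "same host:", fp["smtp_host"], "internal IP:", leaked_private_ip(fp))
```
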
Ellen Posted September 2, 2004

> Sorry guys... What I am being told is spam from me is... 208.142.80.201
> It is from Savvis, which was Cable and Wireless.

IP 208.142.80.199 is not listed and has had no reports or listings for the last 30 days.

IP 208.142.80.201 -- you apparently have/had Exchange running on that server and it is being exploited by spammers using the SMTP/AUTH exploit; see these FAQs:

http://news.spamcop.net/cgi-bin/fom?file=372
http://www.winnetmag.com/article/articleid/40507/40507.html
http://www.winnetmag.com/article/articleid/42406/42406.html
http://support.microsoft.com/default.aspx?...;EN-US;324958#4

You need to secure this server. IP 208.142.80.201 is listed.

Archived
This topic is now archived and is closed to further replies.