
Blocked because of a fictional email


moworld


Posted

I have been blocked from emailing because a spammer out there has found my domain, and is forging email to look like it is coming from my domain. How can I protect my domain and website from this occurring in the future?

Posted

Hi, moworld!

...Who is blocking you? And by what vehicle are you being told that you are being blocked?

...Basically, anyone who knows anything about the internet is not likely to be blocking your domain because of a forgery, because they should be aware that domain names are easily forged. SpamCop, for example, adds IP addresses that have either been reported multiple times as a spam source (the formula is a complex one, so that one report will not cause an IP address to be added to the blocklist) or because it has been identified as the source of spam being received by so-called "spam traps," which are e-mail addresses that have never been used to send e-mail.

Posted

I first discovered that there was something up yesterday when I received an email copy from "xgmeekh[at]moworldmedia.net". My hosting company suggested that a spammer out there has found my domain, and is forging email to look like it is coming from my domain. They said that there is nothing that I can do but I should report this to SpamCop. But before this occurred, my outgoing email became blocked. The error message said to see a spamcop.net link. I found that 2 instances of spam were reported and this has gotten me blacklisted (if that was the right word). The SpamCop information says something about getting cleared if no further reports come in within 24 hours.

This all comes as a surprise to me. I do not know what I can do to my website to avoid this.

Posted

...Sorry to hear of your problem. Spammers have spoiled things for everyone!

...Your hosting company is apparently not very knowledgeable about how SpamCop works. There is nothing SpamCop can do about such forgeries that you, as the injured party, can initiate.

...There are many possible reasons for an IP address to be added to the SpamCop blocklist (note that it is not SpamCop that is blocking your e-mail, but ISPs or e-mail providers of the people to whom you are sending e-mail).

...To help you, the folks who frequent this forum and have the knowledge to help generally need to know the IP address that is being blocked. The exact blocking message may be helpful (especially if it contains the IP address of the blocked machine).

...You are wise to not just wait for the "if no further reports" expiration (which is in a range of something like 3 to 48, not 24, hours, unless something has changed recently -- the exact time is based on another complex formula). There are lots of possible causes of the spam reports, including hijacked machines that have been compromised with malware and are sending out spam.

...You may also gain some useful knowledge by perusing the "Pinned" items that appear at the top of the SpamCop Help forum main page.

Posted

The actual message that I get when I try to send an email:

The SMTP server returned an error. Account: 'contact[at]moworldmedia.net', Server: 'mail.moworldmedia.net', Protocol: SMTP, Server Response: 'rblsmtpd: 209.30.245.202 pid 484: 451 Blocked - see http://www.spamcop.net/bl.shtml?209.30.245.202', Port: 25, Secure(SSL): No, Error Number: 0x800CCC60

A question which comes to mind is whether there is any kind of script to add to my web pages to help prevent this? Is there any immunizing element?

Posted

You have more problems than spamcop....

Real-time blacklists [ Click to view all ]

dnsbl.njabl.org Open proxy - http://www.njabl.org/cgi-bin/lookup.cgi?query=209.30.245.202

list.dsbl.org Boycotted - http://dsbl.org/listing?209.30.245.202

dnsbl.sorbs.net HTTP - http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=209.30.245.202

dnsbl.sorbs.net SOCKS proxy - http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=209.30.245.202

bl.spamcop.net http://spamcop.net/w3m?action=checkblock&ip=209.30.245.202

dynablock.njabl.org Dynamic IP - http://www.njabl.org/cgi-bin/lookup.cgi?query=209.30.245.202

Spamcop is not currently showing a reason, which is unusual, but the web page is no longer real-time because of spammers using that information to their advantage.

Posted
> The actual message that I get when I try to send an email:
>
> The SMTP server returned an error. Account: 'contact[at]moworldmedia.net', Server: 'mail.moworldmedia.net', Protocol: SMTP, Server Response: 'rblsmtpd: 209.30.245.202 pid 484: 451 Blocked - see http://www.spamcop.net/bl.shtml?209.30.245.202', Port: 25, Secure(SSL): No, Error Number: 0x800CCC60

...Thank you -- this should help us greatly! :) <g>

...When I follow that link, I get a page labeled "SpamCop Blocking List" that has a section labeled "Was your email blocked?" that has another link: Specific information about the reasons for blocking your mail server ( 209.30.245.202 ). Following that link shows:

Query bl.spamcop.net - 209.30.245.202

209.30.245.202 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

<none were shown>

Additional potential problems

(these factors do not directly result in spamcop listing)

<none were shown>

Listing History

In the past 209.4 days, it has been listed 2 times for a total of 2.1 days

<note: this doesn't mean that two instances of spam were reported against this IP address, but rather that there have been two different periods of time in the past 209.4 days during which the IP met the criteria for inclusion on the SpamCop blocklist -- that is, it went on the list, then off the list, then back on the list>

Other hosts in this "neighborhood" with spam reports

209.30.244.237 209.30.245.83 209.30.245.168 209.30.246.199

...Clicking the link labeled "Trace IP," the following is displayed:

Parsing input: 209.30.245.202

host 209.30.245.202 = adsl-209-30-245-202.dsl.hstntx.swbell.net. (cached)

Reporting addresses:

sbc-abuse[at]sbc.com

So it appears that this IP address belongs to swbell. It also looks to me (see the "adsl" in the domain name) that this is a machine that does an ADSL dial-up. If it is a mail server, it should not be a dial-up. If it is not a mail server, then my (relatively uninformed) guess would be that it either has been assigned to someone else who used it to send spam or it has been hijacked by malware.

> A question which comes to mind is whether there is any kind of script to add to my web pages to help prevent this? Is there any immunizing element?

...Not of which I am aware. It is unlikely that your web site itself is a problem, unless it is set up to send e-mail.

...Is 209.30.245.202 the IP address of your machine? If so, what operating system (and version) is it running? Should it be sending e-mail?

...At this point, please check out the Pinned: Why Am I Blocked? FAQ for more information. If you still have questions after reading it, please return here to post follow-ups. And do keep us informed of your progress (or lack thereof) towards resolving the problem.
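
The lookups walked through in the reply above can be reproduced by hand. The following is an added example, not code from the thread or from SpamCop: it parses the `rblsmtpd` response quoted earlier, builds the reversed-octet DNSBL query name, and applies the "adsl in the hostname" heuristic. Function names and the constructed resolver are assumptions made for the illustration.

```python
import ipaddress
import re
import socket

# Server response quoted in the thread.
BOUNCE = ("Server Response: 'rblsmtpd: 209.30.245.202 pid 484: 451 Blocked - see "
          "http://www.spamcop.net/bl.shtml?209.30.245.202', Port: 25")
RBLSMTPD_RE = re.compile(
    r"rblsmtpd: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) pid \d+: (?P<code>[45]\d\d) (?P<text>[^']*)")
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")


def parse_rblsmtpd(message):
    """Extract the rejected client IP, SMTP code and text, or None if absent."""
    m = RBLSMTPD_RE.search(message)
    if not m:
        return None
    ip = str(ipaddress.IPv4Address(m.group("ip")))  # raises on e.g. 999.1.1.1
    code = int(m.group("code"))
    # 4xx is a temporary failure: the sending side is expected to retry later.
    return {"ip": ip, "code": code, "temporary": 400 <= code < 500,
            "text": m.group("text").strip()}


def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if listed, else None."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:
        return None  # no such name: not listed (or the list is unreachable)
    # Only answers inside 127.0.0.0/8 are listing codes; a resolver that
    # rewrites NXDOMAIN to a real address must not be read as "listed".
    return answer if ipaddress.IPv4Address(answer) in LISTING_NET else None


def looks_dynamic(rdns_name):
    """Heuristic from the thread: access-pool labels in the reverse-DNS name."""
    return bool(re.search(r"(^|[-.])(adsl|dsl|dialup|dyn|ppp|pool)([-.]|\d)",
                          rdns_name.lower()))


def constructed_resolver(name):
    """Offline stand-in for DNS, built from the listing shown in the thread."""
    if name == "202.245.30.209.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror("constructed NXDOMAIN")
```

Passing `constructed_resolver` as `resolve` keeps the check offline; leaving the default performs a live DNS query against the named zone.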

Posted

209.30.245.202 appears to be associated with my DSL account with SBC. It is not my computer.

The email that I received which indicated someone was doing something unauthorized:

email:

From: xgmeekh[at]moworldmedia.net

To: cunjail11[at]aol.com

Subject: auzQapG qyy6 kri mdpjwg la nnqaf eiij

Nz5kThh cldvkig rEbi IhqqrfihYkvhxHsC 7hsl M1ZdebkyK Cbbyvzfjk

.

recipient: 80uje2[at]moworldmedia.net

subject: 80uje2[at]moworldmedia.net

redirect: 80uje2[at]moworldmedia.net

required: 80uje2[at]moworldmedia.net

sort: 80uje2[at]moworldmedia.net

your_name: 80uje2[at]moworldmedia.net

phone: 80uje2[at]moworldmedia.net

yesbook: 80uje2[at]moworldmedia.net

comments: 80uje2[at]moworldmedia.net

Then, hours later, I am prevented from sending emails. If it helps, the SMTP is via my domain. Does the SMTP have anything to do with the blockage?

Posted
> 209.30.245.202 appears to be associated with my DSL account with SBC. It is not my computer.

...To be quite honest, I haven't a clue what that means in terms of what machine that is or how it got involved in sending e-mail. If it's something outside your control, then it seems to me that it's SBC (your ISP?) that must identify and fix the problem. Their "abuse" e-mail address should be receiving the spam reports from SpamCop.

> The email that I received which indicated someone was doing something unauthorized:
>
> email:
>
> From: xgmeekh[at]moworldmedia.net
>
> To: cunjail11[at]aol.com
>
> Subject: auzQapG qyy6 kri mdpjwg la nnqaf eiij
>
> Nz5kThh cldvkig rEbi IhqqrfihYkvhxHsC 7hsl M1ZdebkyK Cbbyvzfjk
>
> .
>
> recipient: 80uje2[at]moworldmedia.net
>
> subject: 80uje2[at]moworldmedia.net
>
> redirect: 80uje2[at]moworldmedia.net
>
> required: 80uje2[at]moworldmedia.net
>
> sort: 80uje2[at]moworldmedia.net
>
> your_name: 80uje2[at]moworldmedia.net
>
> phone: 80uje2[at]moworldmedia.net
>
> yesbook: 80uje2[at]moworldmedia.net
>
> comments: 80uje2[at]moworldmedia.net
>
> Then, hours later, I am prevented from sending emails.

...And how do you interpret this information (and from where does it come)? What is "moworldmedia.net" -- is that your "domain?" If so, what instrumentality (software, etc) is creating these apparent e-mail addresses (xgmeekh[at]moworldmedia.net and 80uje2[at]moworldmedia.net)?

> If it helps, the SMTP is via my domain. Does the SMTP have anything to do with the blockage?

...Presumably, some SMTP service is sending e-mails through IP address 209.30.245.202 that are being reported as spam. If it is you who have set up the SMTP service and e-mails that you feel are "unauthorized" are being sent through that service, then shut it down and find out why (you may need SBC's help for that), plug the hole, then bring back the SMTP service. Better yet, contract with an e-mail provider that is familiar with techniques to secure an e-mail service to prevent its use in such an "unauthorized" manner.

...It still may be helpful (to other participants in this forum, if not to me) to know what operating system software (and version) you are using and, if you have an SMTP service running, what software (and version) it is.

Posted

My OS is Windows XP.

I use Outlook Express for Email.

My SMTP is supplied by the host of my website.

moworldmedia.net is the domain of my website.

My primary emails are through the domain. Somehow, fictitious emails have been created and used via my domain.

Xtreme-host.com is my host provider.

SBC Yahoo is my ISP. I am not sure what 209.30.245.202 is but it seems to be associated with my DSL.

Posted

...Remember that "blocked" message back in your second reply to me, above? It mentioned 209.30.245.202 as the IP address that was on the blocklist. From the trace information I found, this appears to be the IP address given to you when you dial into SBC (aka swbell as well as others). As I mentioned earlier, SBC's abuse e-mail box should be receiving spam reports from SpamCop. From what you've written, it seems to me that SBC should be able to determine where the hole is and plug it. It is possible that your machine has been attacked by malware (have you installed Windows XP SP 2?) because your operating system is a favorite target.

...FYI, I'm leaving now (it's after midnight). If you return for follow-ups, hopefully there will be others (likely more knowledgeable than am I) to help you.

Posted

Let's start with this ... SORBS added this IP back in March due to Proxy and HTTP issues ... did you "have" this IP back then?

CustName: PPPoX Pool - bras1.hstntx

Address: 2701 W 15th PMB 236

City: Plano

StateProv: TX

PostalCode: 75075

Country: US

RegDate: 2004-01-05

Updated: 2004-01-05

NetRange: 209.30.244.0 - 209.30.245.255

CIDR: 209.30.244.0/23

NetName: SBC209030244000040105

NetHandle: NET-209-30-244-0-1

Parent: NET-209-30-0-0-1

NetType: Reassigned

Comment: For Policy Abuse issues, contact: abuse[at]swbell.net

Comment: For Technical issues, contact: noc[at]swbell.net

PPPoX Pool is a new one on me ....

Google offers lots of strange listings, but all seeming to be in a different IP block ..

Your sample e-mail of "someone doing something" doesn't do a thing for me .. not sure what you are trying to depict or what the message is supposed to mean .. sorry.

Trace moworldmedia.net (216.187.107.164) - so the IP does not directly correlate with your web page ... but noting that the contact address in the WHOIS contains a NetZero address doesn't give me a good feeling right now ... running smack into a frameset .... OK, I'll stop saying bad things .. if that's the way you want to advertise your web-building expertise, ok ...

216.187.68.46 RTT: 37ms TTL:160 (GIG6-0.tor-gsr-a.peer1.net bogus rDNS: host not found [authoritative])

216.187.68.250 RTT: 39ms TTL:160 (tor-fe3-4b.ne.peer1.net bogus rDNS: host not found [authoritative])

216.187.68.246 RTT: 39ms TTL:160 (tor-fe3-4a.ne.peer1.net bogus rDNS: host not found [authoritative])

216.187.107.164 RTT: 38ms TTL: 51 (moworldmedia.net ok)

So at this point, the IP in question must have to do with the way you're handling your e-mail ... it doesn't appear at first glance that you are sending from your web-host ....

So, as already pointed out, the IP in question is identified as a DSL line .. is this a static IP for you? (back to the above, how long have you had it?)

Going to stop for now, as there's surely enough here to get you started on researching your end a bit more.

Posted

This is a dynamic IP. And I am sure you are not running a mail server.

The machine on this IP address has an insecure proxy, or could possibly be infected with a virus or trojan.

Posted
> Wazoo - I think you have the power to look up the IP address from which the OP is connecting...that might be enlightening. :-)

Did the look-up while trying to figure out what else to look up that would "clearly" show what was happening, despite what details were posted ... let's just say, the posting address is covered in the questions " So, as already pointed out, the IP in question is identified as a DSL line .. is this a static IP for you? (back to the above, how long have you had it?)"

Archived

This topic is now archived and is closed to further replies.
