jjjjace Posted September 29, 2004

HELP ME PLEASE

OUR DOMAIN is in serious need of help... Spamcop is still blocking our 4.21.179.70 which is our firewall.. Our email is not reaching our clients.... Is there an administrator or someone that might help.... It has been over 72 hours since any spam has come from our domain.... We have not been removed yet

HELP US PLEASE

<Wazoo moved data originally posted as a Poll event into this first posting>

Why won't spam cop remove us?

I have done everything needed as our administrator... No Loopbacks, I have killed the XP pc that was infected and spamming on our lan.... I have checked traffic out of our firewall and nothing since friday... That is more than 48 hours... Please remove my domain........ 4.21.179.70 Our company is suffering because we can not send clients email..... Please help

My work email is jswenson <at> mayinstitute.org If that doesn't work and probably won't because I am being blocked try jjjjace <at> comcast.net

HELP US SOMEONE>>>>>>>

Wazoo Posted September 29, 2004

More work needed?

(and out of curiosity, how much exaggeration is in your query? That the IP in question is allegedly your firewall ... why would it be showing up in an e-mail thus provided a reaction of a SpamCopDNSbl listing? Your "cannot reach customers" seems a bit harsh, as in reality, any blockage would only occur if the receiving ISP is using the SpamCopDNSbl, and that's certainly not a 100% world-wide standard) Maybe you need to change the firewall and e-mail server address assignments?

4.21.179.70 listed in bl.spamcop.net (127.0.0.2)

Causes of listing
- System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
- SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in spamcop listing)
- DNS error: 4.21.179.70 is mi.mayinstitute.org but mi.mayinstitute.org has no DNS information

Report on IP address: 4.21.179.70
Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      2.9         -20%
Last 30 days  3.6         329%
Average       3.0

OK, Senderbase shows traffic going down (or it's still early in the day and the "today" rate hasn't yet seen enough traffic?)

and by the way, I'm not exactly happy at your mis-use of a Poll setup ...
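
The two checks behind the report quoted above, the DNSBL lookup and the reverse/forward DNS comparison, written out as an added example (not code from SpamCop or from any poster in this thread). The sample resolver tables are constructed from the values quoted in the thread; the forward record for mail.mayinstitute.org is an assumption.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNSBL lookup name for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def _system_a(name):
    """A-record lookup through the system resolver; [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def _system_ptr(ip):
    """PTR lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dnsbl_status(ip, zone="bl.spamcop.net", lookup_a=_system_a):
    """Answer codes returned by the list; an empty list means 'not listed'."""
    answers = lookup_a(dnsbl_query_name(ip, zone))
    return [a for a in answers if a.startswith("127.")]

def fcrdns(ip, lookup_ptr=_system_ptr, lookup_a=_system_a):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = lookup_ptr(ip)
    if name is None:
        return ("no-ptr", None)
    addrs = lookup_a(name)
    if not addrs:
        return ("ptr-without-forward", name)  # the "DNS error" in the report
    return ("ok", name) if ip in addrs else ("mismatch", name)

# Constructed resolver data modelling the state described in the thread.
SAMPLE_A = {"70.179.21.4.bl.spamcop.net": ["127.0.0.2"],
            "mail.mayinstitute.org": ["4.21.179.68"]}  # assumed forward record
SAMPLE_PTR = {"4.21.179.70": "mi.mayinstitute.org",
              "4.21.179.68": "mail.mayinstitute.org"}

def sample_a(name):
    return SAMPLE_A.get(name, [])

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for ip in ("4.21.179.70", "4.21.179.68"):
        print(ip, dnsbl_status(ip, lookup_a=sample_a),
              fcrdns(ip, sample_ptr, sample_a))
```

Called without the sample lookups, the same functions query live DNS through the system resolver.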

jjjjace (Author) Posted September 29, 2004

This is an add on to my first post... We are a Non Profit Educational/Healthcare company www.mayinstitute.org We have 1000 email users behind our firewall and we are having serious trouble emailing mostly universities that we do business with. If there is an administrator for Spamcop that someone could help me get in contact with it would be more than helpful...

Thanks
Jace Swenson
The May Institute Net Admin
jswenson <at> mayinstitute.org
alt email jjjjace <at> comcst.net

jjjjace (Author) Posted September 29, 2004

Our email server is behind our firewall. Our actual email server is 4.21.179.68 mail.mayinstitute.org.... our email traffic passes through the firewall resulting in the last IP shown on delivery .70 also the offending pc on our lan was using outlook through port 110 and 25 directly out the firewall and not our email server.. We have a few users using outlook and that has been a problem with viruses... We have been lucky thus far since only one machine became a spammer and low volume at that... Please help us since it is seriously affecting our company..

Please feel free to call me. I am at the May Institute. Our number is 1-781-440-0400 My extension is 207 or call me direct Jace swenson 1-508-783-7863

This is the only way I have been able to even get a response. I am sorry if you think this is abuse of your system.. I just need help and the spam cop web site has no contact info....

StevenUnderwood Posted September 29, 2004

You have some kind of problem, perhaps your firewall has a virus... Here are the subjects of some of the recently reported spams:

Submitted: Tuesday, September 28, 2004 5:32:05 AM -0400: Enlar ge your manhood today! 14gn
Submitted: Tuesday, September 21, 2004 5:57:05 PM -0400: Re:

So to answer your original question, spam still seems to be coming from your firewall (or a machine being NATted behind the firewall), hitting the spamtraps and real people, causing the firewall to be listed.

I have all of my workstations NATted behind a single IP address different from the firewall's and my servers (that need to be accessed via the internet) all have individual IP's NATted through the firewall. That way, if something like this happens, I can limit the damage and trace where the problem is coming from. I also have plenty of public IP's (Class C) with which I can switch things around if needed (after fixing the problem, of course).
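
One way to trace which machine behind a NATting firewall is sending mail directly on port 25 instead of through the mail server, the situation described in the posts above. This is an added example, not code from any poster: the log format, the internal addresses and the sample lines are all constructed.

```python
import re
from collections import defaultdict

# Assumption: internal address of the only host permitted to send SMTP outbound.
MAIL_SERVERS = {"10.0.0.68"}

# Hypothetical firewall log format, one connection per line.
LINE = re.compile(r"action=(?P<action>\w+) proto=tcp "
                  r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def direct_smtp_senders(log_lines, mail_servers=MAIL_SERVERS):
    """Map each non-mail-server source to (connections, distinct destinations)
    for outbound TCP/25 sessions the firewall allowed."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LINE.search(line)
        if (m and m["action"] == "allow" and m["dport"] == "25"
                and m["src"] not in mail_servers):
            seen[m["src"]].append(m["dst"])
    return {src: (len(dsts), len(set(dsts))) for src, dsts in seen.items()}

def egress_decision(src, dport, mail_servers=MAIL_SERVERS):
    """Corrected policy: only the mail server may open outbound port 25."""
    if dport == 25 and src not in mail_servers:
        return "deny"
    return "allow"

# Constructed sample: the mail server, one workstation sending SMTP directly
# to several hosts, and one workstation doing ordinary POP3 and web traffic.
SAMPLE_LOG = [
    "2004-09-27T02:14:07 action=allow proto=tcp src=10.0.0.68:40112 dst=192.0.2.10:25",
    "2004-09-27T02:14:09 action=allow proto=tcp src=10.0.3.41:1187 dst=198.51.100.7:25",
    "2004-09-27T02:14:09 action=allow proto=tcp src=10.0.3.41:1188 dst=203.0.113.25:25",
    "2004-09-27T02:14:10 action=allow proto=tcp src=10.0.3.41:1189 dst=198.51.100.99:25",
    "2004-09-27T02:15:30 action=allow proto=tcp src=10.0.2.17:3021 dst=192.0.2.44:110",
    "2004-09-27T02:16:02 action=allow proto=tcp src=10.0.2.17:3022 dst=192.0.2.80:80",
]

if __name__ == "__main__":
    for src, (conns, dests) in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{src}: {conns} direct SMTP connections to {dests} hosts")
```

With an egress rule equivalent to `egress_decision` in place, a workstation that starts sending mail on its own is blocked at the firewall and shows up in the deny log rather than on a blocklist.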

Wazoo Posted September 29, 2004

http://www.senderbase.org/search?searchString=4.21.179.68

Report on IP address: 4.21.179.68
Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      0.0         -100%
Last 30 days  1.8         -81%
Average       2.5

Odd that this IP (you say your e-mail server) shows less e-mail traffic than your alleged firewall;

Report on IP address: 4.21.179.70
Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      2.9         -20%
Last 30 days  3.6         329%
Average       3.0

And also noting that the firewall IP was "seen" sending e-mail before the e-mail server was identified. Most firewalls I've run across simply route/block/allow traffic through them ... adding their IP to an outgoing e-mail isn't a normal function. How sure are you of how things are actually configured? Have you gone through the FAQ here yet?

You say Outlook is used by systems behind the firewall .. might this also suggest you are using an Exchange server? If so, have you gone through the FAQ here yet?

StevenUnderwood Posted September 29, 2004

The firewall could be configured to NAT everything behind it to one IP address so the only IP address of a connecting server would be of the firewall. Depending on how those stats are collected (connection IP or Received headers) could explain the numbers you are seeing in senderbase. I would think it would be based on connection IP.

Not a good configuration, perhaps, but I can see how it could be done. (I can't see WHY it would be done that way, however.)

Wazoo Posted September 29, 2004

Surely not to argue with you but .... NAT from 4.21.179.70 to 4.21.179.68 ????? The usual practice in using NAT is ... from http://computer.howstuffworks.com/nat.htm ;

> This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers.

Although other examples are offered for varying uses of network routable addresses/systems ... I'm still stuck with a firewall that would stamp its IP into an e-mail header if the e-mail server is setting somewhere else ... I'd easily grok this situation if the firewall turns out to be *NIX system as a front end to the Exchange server, but ... this hasn't even been conjectured thus far.

turetzsr Posted September 29, 2004

> <snip>
> This is the only way I have been able to even get a response. I am sorry if you think this is abuse of your system.. I just need help and the spam cop web site has no contact info....

...The problem isn't your use of the SpamCop forum to ask for help (although you should have posted this to the SpamCop Help forum rather than to the SpamCop Email forum, since this is not a problem relating to the SpamCop e-mail System). The problem is that you are including a lot of "stuff (Poll and quoting without adding additional information)" that uses a lot of space but does not add to the information we need to help you.

...Wazoo and StevenUnderwood have given you some good direction -- please read it and post back here if you still have questions about what they wrote.

...Good luck!

StevenUnderwood Posted September 29, 2004

Wazoo: We had a configuration here where the firewall also had virus scanner (inbound and outbound) that modified the headers. Ours appended the internal (non-routable) IP in a received line until we re-configured and just have the FW do the FW part of the process.

I agree, we do not have anywhere near enough details to be speculating about this particular configuration. I was simply offering up a possible (not plausible) explanation.

Wazoo Posted September 29, 2004

As said, arguing with you isn't in the plan <g>

And as usual, I get so wrapped in the details, I didn't notice "where" this thing was .... consider it moved over to Help ... thanks for the jog ... Poll removed, contents added into OP's first posting, now going through and hitting all the other exposed e-mail addresses .... thinking I really ought to mung out the phone numbers, but that's more of a choice for that poster I'd say. Perhaps this poster had had nothing but great fortune thus far in his/her life and knows not the possibilities that come along with exposing this much detail to the world? Also deleted the posts that were nothing but quotes of previous posts.

turetzsr Posted September 29, 2004

> <snip>
> And as usual, I get so wrapped in the details, I didn't notice "where" this thing was .... consider it moved over to Help ... thanks for the jog ... Poll removed, contents added into OP's first posting, now going through and hitting all the other exposed e-mail addresses .... thinking I really ought to mung out the phone numbers, but that's more of a choice for that poster I'd say. Perhaps this poster had had nothing but great fortune thus far in his/her life and knows not the possibilities that come along with exposing this much detail to the world? Also deleted the posts that were nothing but quotes of previous posts.

...Nicely done, Wazoo, thanks!

...Any time now, we will surely see posts like:

Wazoo and Steve T: why are you complaining about quoting without adding anything useful -- I don't see any such posts by the OP!

<big g>

Ellen Posted October 1, 2004

> Our email server is behind our firewall. Our actual email server is 4.21.179.68 mail.mayinstitute.org.... our email traffic passes through the firewall resulting in the last IP shown on delivery .70 also the offending pc on our lan was using outlook through port 110 and 25 directly out the firewall and not our email server.. We have a few users using outlook and that has been a problem with viruses... We have been lucky thus far since only one machine became a spammer and low volume at that... Please help us since it is seriously affecting our company..
>
> Please feel free to call me. I am at the May Institute. Our number is 1-781-440-0400 My extension is 207 or call me direct Jace swenson 1-508-783-7863
>
> This is the only way I have been able to even get a response. I am sorry if you think this is abuse of your system.. I just need help and the spam cop web site has no contact info....

Your IP has delisted. There have been no new spams since 9/27. I assume that you located the problem which was allowing spammers to send thru your system.

Wazoo Posted November 9, 2004

Situational update .. someone using the original poster's ID, posting IP, e-mail address, etc. has been posting spam into one of the SpamCop support newsgroups. One could go with that this person is woefully confused and apparently thinks that posting the spam into the newsgroup traffic will accomplish something. If this person is being spoofed, what a spoof it is. Third case is that this user somehow believes that some kind of retribution is being accomplished?

Hard to say, as it also appears that the posting to the newsgroup is being done as though the newsgroups were a write-only medium, either this user is not reading or simply ignoring all the traffic generated thus far about the silly spam posts. It's not "reporting" as only the body as rendered on screen is being supplied. But, the possibility of an alleged screw-up of having the mailing-list mode invoked isn't demonstrated in the headers of these posts, the user is physically posting an NNTP connected post.

Anyway, as this user apparently is only posting and not "reading" anything in the newsgroups, a PM has been sent from here to possibly wake this person up.

Follow-up: someone had set up a nice "automated" way to handle spam. User would simply drop the spam onto a box and it would be taken care of. Unfortunately, this box turned out to be a link to the SpamCop newsgroup.