AdamWHughes Posted October 1, 2004

Query bl.spamcop.net - 209.58.200.92
(Help) (Trace IP) (Senderbase lookup)
209.58.200.92 listed in bl.spamcop.net (127.0.0.2)
Causes of listing
Additional potential problems (these factors do not directly result in spamcop listing)
Listing History
It has been listed for less than 24 hours.
Other hosts in this "neighborhood" with spam reports
209.58.201.60

turetzsr Posted October 1, 2004

Hi, AdamWHughes!

...Some standard answers I have seen to inquiries like yours:

The SpamCop "check block" page you viewed no longer provides real-time information, as it was being used by spammers.

Sometimes ISPs and e-mail providers use several block lists and send out a generic message saying an IP address was blocked due to SpamCop when in fact it was blocked due to some other block list.

The SpamCop blocklist is so dynamic that it is possible the IP address was listed at some point but has fallen off the list because there have been no recent (which could mean in as little as about 90 minutes) reports.

...IIUC, SpamCop reports for this IP address go to abuse[at]primushost.com (I found this by clicking the "Trace IP" list on the check block page), so that abuse address should have information on any SpamCop reports.

...Your final resort is to contact the SpamCop deputies (deputies <at> spamcop <dot> net), as they are the only ones who have access to the live database.

...Good luck!

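Added example, not part of any post in this thread: the "listed in bl.spamcop.net (127.0.0.2)" line in the first post corresponds to a DNS lookup that any mail administrator can repeat, sketched here in Python. The function names, the injectable `resolve` parameter and the stub resolver are assumptions made for this illustration; the stub is seeded with the listing quoted in the thread so the code runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the zone (the DNSBL query convention)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbl(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Return (listed, answer). `resolve` is injectable so the logic runs offline."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        # No A record. gethostbyname cannot tell NXDOMAIN from a resolver
        # failure, so read this as "no listing seen", not proof of a clean IP.
        return (False, None)
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        # Listings are answered from 127.0.0.0/8; anything else typically means
        # the resolver rewrites failed lookups, so the result is unusable.
        raise RuntimeError(f"{name} resolved to {answer}, not a DNSBL answer")
    return (True, answer)

def sample_resolver(name):
    """Constructed stand-in for DNS, seeded with the listing quoted in the thread."""
    table = {"92.200.58.209.bl.spamcop.net": "127.0.0.2"}
    if name not in table:
        raise socket.gaierror("constructed NXDOMAIN")
    return table[name]

if __name__ == "__main__":
    # The second address is a documentation IP, used as a constructed "not listed" case.
    for ip in ("209.58.200.92", "192.0.2.1"):
        print(ip, check_dnsbl(ip, resolve=sample_resolver))
```

Dropping the `resolve=` argument makes the same call against live DNS, which is the zone receiving mail servers consult when deciding whether to accept a message.
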
Chris Parker Posted October 1, 2004

> Query bl.spamcop.net - 209.58.200.92
> (Help) (Trace IP) (Senderbase lookup)
> 209.58.200.92 listed in bl.spamcop.net (127.0.0.2)
> Causes of listing
> Additional potential problems (these factors do not directly result in spamcop listing)
> Listing History
> It has been listed for less than 24 hours.
> Other hosts in this "neighborhood" with spam reports
> 209.58.201.60

Sometimes the details run behind reality. Check out: http://www.senderbase.org/?searchBy=ipaddr...g=209.58.200.92

10000% increase in mail from that IP address in the last day. Looks like you are running Exchange. Chances are you're the victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html

Wazoo Posted October 2, 2004

I thought you must have made a typo .. Wow! and in reference to Steve's question on the Senderbase update period .. here's a reference .. at the time of this posting, Senderbase was showing 10442% for the "today" data .... talk about getting hammered ...

StevenUnderwood Posted October 2, 2004

Well, that is DOWN from this morning where it was +13000%

Wazoo Posted October 2, 2004

How'd you know that? This poster didn't hit here until after 1700 this evening ... says it's his first post ... another poster addressing the same IP?

StevenUnderwood Posted October 2, 2004

Sorry, my question about the senderbase stats was made in the thread where senderbase was showing +13000%. I did not look back to see that my post was in the same thread I was posting in this time.

Merlyn Posted October 2, 2004

canonical name mail.egancapital.com.
addresses 209.58.200.92
220 eganex.local.egancapital.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 2 Oct 2004 00:47:03 -0400

Definitely an SMTP AUTH hack.... They should pull the plug until it gets fixed. The funny thing is their front page says "Leveraging our collective experience in computer technologies." Now that's scary.........

Wazoo Posted October 2, 2004

And again for Steven's Senderbase update points .. at the time of this posting, this IP showed 10467% for the daily data.

AdamWHughes Posted October 2, 2004 (Author)

I had suspected an auth attack when I originally posted. So I took action against it. I found that there were several unknown accounts which are now disabled. I changed the passwords for the accounts that were necessary and disabled the guest account which was at one point disabled (pitfalls of multiple people with admin access I guess). Very sketchy. Anyway the number of NDRs that are coming back to me has subsided. For a time they were coming every min or so, at this point they have stopped. I blew away my SMTP server with a bunch of retry crap in it and created a new one to see if I finally have this thing stopped.

Merlyn Posted October 2, 2004

Give it some time now. Good luck.

Merlyn Posted October 2, 2004

Did any of the NDRs have the original spam attached? Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe. Your legal beagles could also use that info.

Wazoo Posted October 2, 2004

At the time of this posting, Senderbase is still showing 10467% ... so at least it hasn't increased since midnight, and it's only been about an hour since the OP posted that things had been changed at the server ....

AdamWHughes Posted October 2, 2004 (Author)

> Did any of the NDRs have the original spam attached? Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe. Your legal beagles could also use that info.

No, none of the NDRs had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

Derek T Posted October 2, 2004

> No, none of the NDRs had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

That's 1.5 - 48hrs after the last report. If you've not been listed before it ought to tend to the lower figure. It's a complicated formula! The deputies on deputies <at> spamcop <dot> net have access to the time of last report and the time due to de-list.

Ellen Posted October 3, 2004

> No, none of the NDRs had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.

Derek T Posted October 3, 2004

> It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.

AIUI half of spamcop is on one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?

Wazoo Posted October 3, 2004

As of 0935 GMT -5; 209.58.200.92 not listed in bl.spamcop.net

And SenderBase is showing 0 magnitude ... -100% for last 24 hour rate

Ellen Posted October 3, 2004

> AIUI half of spamcop is on one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?

Well I am in -0400 and never get the conversions right so either you have to accept "noon" as my "noon" or trust that I haven't come up with some totally random (converted) time :-)