My IP is listed but Spamcop doesn't say why


AdamWHughes

Query bl.spamcop.net - 209.58.200.92

(Help) (Trace IP) (Senderbase lookup)

209.58.200.92 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for less than 24 hours.

Other hosts in this "neighborhood" with spam reports

209.58.201.60


Hi, AdamWHughes!

...Some standard answers I have seen to inquiries like yours:

  • The SpamCop "check block" page you viewed no longer provides real-time information, as it was being used by spammers.
  • Sometimes ISPs and e-mail providers use several block lists and send out a generic message saying an IP address was blocked due to SpamCop when in fact it was blocked due to some other block list.
  • The SpamCop blocklist is so dynamic that it is possible the IP address was listed at some point but has fallen off the list because there have been no recent (which could mean in as little as about 90 minutes) reports.

...IIUC, SpamCop reports for this IP address go to abuse[at]primushost.com (I found this by clicking the "Trace IP" list on the check block page), so that abuse address should have information on any SpamCop reports.

...Your final resort is to contact the SpamCop deputies (deputies <at> spamcop <dot> net), as they are the only ones who have access to the live database.

...Good luck!

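Added example, not part of the thread: a result such as "209.58.200.92 listed in bl.spamcop.net (127.0.0.2)" comes from an ordinary DNS query (reversed octets plus the zone name), so the current listing state can be checked directly instead of relying on the check-block page. The `resolve` parameter, `SAMPLE_ZONE` and `sample_resolve` are assumptions of this example, constructed so it runs offline; 192.0.2.10 is a documentation address.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Name-not-found codes; EAI_NODATA is not defined on every platform.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the blocklist zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbl(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Return (listed, code). `resolve` is injectable (assumption of this example)."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.IPv4Address(resolve(name))
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return (False, None)  # NXDOMAIN: not listed right now
        raise  # timeout or server failure: state unknown, never report "clean"
    if answer not in LOOPBACK:
        # A wildcarding or hijacking resolver, not a blocklist answer.
        raise ValueError(f"unexpected answer {answer} for {name}")
    return (True, str(answer))

# Constructed sample data mirroring the listing quoted in the thread.
SAMPLE_ZONE = {"92.200.58.209.bl.spamcop.net": "127.0.0.2"}

def sample_resolve(name):
    """Offline stand-in for a DNS resolver (hypothetical helper)."""
    try:
        return SAMPLE_ZONE[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    for ip in ("209.58.200.92", "192.0.2.10"):
        print(ip, check_dnsbl(ip, resolve=sample_resolve))
```

Calling `check_dnsbl(ip)` without `resolve` uses the system resolver; a lookup failure is raised rather than reported as "not listed", so a broken resolver cannot hide a listing.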

> Query bl.spamcop.net - 209.58.200.92
>
> (Help) (Trace IP) (Senderbase lookup)
>
> 209.58.200.92 listed in bl.spamcop.net (127.0.0.2)
>
> Causes of listing
>
> Additional potential problems
>
> (these factors do not directly result in spamcop listing)
>
> Listing History
>
> It has been listed for less than 24 hours.
>
> Other hosts in this "neighborhood" with spam reports
>
> 209.58.201.60

Sometimes the details run behind reality.

Check out: http://www.senderbase.org/?searchBy=ipaddr...g=209.58.200.92

10000% increase in mail from that IP address in the last day.

Looks like you are running Exchange. Chances are you're a victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html


I thought you must have made a typo .. Wow! and in reference to Steve's question on the Senderbase update period .. here's a reference .. at the time of this posting, Senderbase was showing 10442% for the "today" data .... talk about getting hammered ...


canonical name mail.egancapital.com.

addresses 209.58.200.92

220 eganex.local.egancapital.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 2 Oct 2004 00:47:03 -0400

Definitely an SMTP AUTH hack....

They should pull the plug until it gets fixed.

The funny thing is their front page says

"Leveraging our collective experience in computer technologies."

Now that's scary.........


I had suspected an auth attack when I originally posted. So I took action against it. I found that there were several unknown accounts which are now disabled. I changed the passwords for the accounts that were necessary and disabled the guest account which was at one point disabled (pitfalls of multiple people with admin access I guess).

Very sketchy. Anyway the number of NDRs that are coming back to me has subsided. For a time they were coming every min or so, at this point they have stopped. I blew away my SMTP server with a bunch of retry crap in it and created a new one to see if I finally have this thing stopped.


Did any of the NDR's have the original spam attached?

Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe.

Your legal beagles could also use that info.


At the time of this posting, Senderbase is still showing 10467% ... so at least it hasn't increased since midnight, and it's only been about an hour since the OP posted that things had been changed at the server ....


> Did any of the NDR's have the original spam attached?
>
> Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe.
>
> Your legal beagles could also use that info.

No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?


> No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

That's 1.5 - 48hrs after the last report. If you've not been listed before it ought to tend to the lower figure. It's a complicated formula! The deputies on deputies <at> spamcop <dot> net have access to the time of last report and the time due to de-list.


> No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.


> It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.

AIUI half of spamcop is one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?


> AIUI half of spamcop is one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?

Well I am in -0400 and never get the conversions right so either you have to accept "noon" as my "noon" or trust that I haven't come up with some totally random (converted) time :-)


Archived

This topic is now archived and is closed to further replies.
