m57rm Posted October 5, 2004

We have done the test for open relay and we are not an open relay, and yet we are still blacklisted. We have changed IP address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently? We have scanned our users for viruses and worms and everybody is clean. We also have restricted the routing to only our internal IP address. Where is this spam coming from? Your help is appreciated.
dra007 Posted October 5, 2004

12.162.1.172 listed in bl.spamcop.net (127.0.0.2)

Causes of listing:
- System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
- SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in SpamCop listing)

Listing History: It has been listed for 4.3 days.

Other hosts in this "neighborhood" with spam reports: 12.162.1.171

Looks like you may have suffered an attack. Have you read the pinned FAQs? They will point you to the possible reasons you are blocked and ways to fix it; they were put there for people like you. If you still have questions after you read them, plenty of people here will give you further assistance. Spam trap hits are a bad sign, but they may be caused by misconfigured bounces as well.

PS. You are also showing a large increase in traffic; that is also a bad sign!!

Report on IP address: 12.162.1.172
Volume Statistics for this IP (Magnitude / Vol Change vs. Average):
Last day: 3.4 / 4007%
Last 30 days: 2.9 / 1178%
Average: 1.7
Merlyn Posted October 5, 2004

> We have done the test for open relay and we are not an open relay and yet we are still blacklisted. We have changed ip address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently? We have scanned our users for viruses and worms and everybody is clean. We also have restricted the routing to only our internal ip address.

Looks like you have changed your server again. SpamCop is not a list of open relays but a list of IPs that have been reported for being the source of spam.

> Where is this spam coming from? Your help is appreciated.

Maybe it's you. You cannot send stuff to people who have not requested it. It's all about conSent not conTent.
Wazoo Posted October 5, 2004

10/05/04 17:42:01 Slow traceroute 12.162.1.172
Trace 12.162.1.172 ...
12.123.213.17 RTT: 67ms TTL: 48 (ar2-p3110.rd2ca.ip.att.net bogus rDNS: host not found [authoritative])
12.119.240.158 RTT: 75ms TTL: 48 (No rDNS)
12.162.1.172 RTT: 76ms TTL: 52 (exchange.asmnc.com ok)

10/05/04 17:45:00 Browsing http://12.162.1.172/
Fetching http://12.162.1.172/ ...
GET / HTTP/1.1
Host: 12.162.1.172

Server: Microsoft-IIS/5.0
<HTML>
<!--Microsoft Outlook Web Access-->
<!--default.htm-->
<!--Copyright © Microsoft Corporation 1993-1997. All rights reserved.-->
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/exchange/logon.asp">

All together now, can we say SMTP/AUTH hack just one more time? Please, keep right on changing the IP address; that is certainly the most recommended "fix" for the use of an Exchange server put directly onto the Internet. Please try to read at least some of the FAQ here .. if you don't believe what you find there, I'll suggest Google.
dra007 Posted October 5, 2004

I tried a few ID/PW combinations; the most common were disabled!
Merlyn Posted October 5, 2004

> I tried a few ID/PW combinations, the most common were disabled!

I am thinking in another direction but I might be wrong. I am probably wrong; maybe it is an SMTP Auth hack.

220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

YUP! Someone has usercode/password access to it...

Sure are a lot of sites pointing to the same site:
ACSM.COM
ASMAGENCY.COM
ASMCO.COM
ASMDEN.COM
ASMNC2.COM
ASMNET.COM
ASMPHX.COM
ASMSC.COM
ASMSCB.COM
ASMSLC.COM
JNJSLC.COM
MARKETINGSLS.COM
PROMOPOINTMARKETING.COM
dra007 Posted October 6, 2004

> I am thinking in another direction but I might be wrong. I am probably wrong maybe it is an SMTP Auth hack
>
> 220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
>
> YUP! Someone has usercode/password access to it...

Funny, maybe I will send some V?A/G/R/A ....

PS. Looks like another PYRAMID scheme!
Chris Parker Posted October 6, 2004

> We also have restricted the routing to only our internal ip address. Where is this spam coming from?

Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?). You'll want to look at your mail server logs... If properly configured, they will show all the mail that it's been sending.

In the meantime you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc. accounts.

Here's some evidence that I was able to dig up...

Subject: PENI||S EN1lIARGEMENT
Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700

Subject: |NCREASE YOUR PEN1lS SIZE!
Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

Subject: MAX|MUM EXP0OSURE
Received: from micro (200.5.234.3 [200.5.234.3]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700
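The Received headers quoted above are exactly what a review of the mail server logs should turn up: a hop accepted "by exchange1.asmnc.com" from an address that is not on the organisation's own network, with a bare machine name ("screens", "micro") in the HELO. The following script is an added example for this thread, not code posted by any participant or shipped by SpamCop or Microsoft. It scans Received lines, keeps only hops that passed through the site's server, and flags those whose connecting IP is outside the assumed internal ranges (12.162.1.0/24 and 10.0.0.0/8 are assumptions for illustration; the one "internal" sample line is constructed, the other three are the lines quoted in the post).

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input. The first three lines are the Received headers
# quoted in the post above; the fourth is a made-up internal delivery so the
# filter has something legitimate to let through.
SAMPLE_HEADERS = [
    "Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700",
    "Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700",
    "Received: from micro (200.5.234.3 [200.5.234.3]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700",
    "Received: from ws17.asmnc.local (ws17.asmnc.local [10.1.2.17]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 09:12:00 -0700",
]

# Assumption: the networks from which this Exchange server should legitimately
# accept mail for onward delivery. Replace with the real internal ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("12.162.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# The server whose outbound relaying we are auditing (from the headers above).
OUR_SERVER = "exchange1.asmnc.com"

# Matches the Exchange-style hop "from HELO (rdns [ip]) by host"; the rDNS
# part is optional because some MTAs omit it when the lookup fails.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(line):
    """Extract HELO name, reverse name, connecting IP and receiving host.

    Returns None for lines that are not Received headers in this shape.
    """
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "by": m.group("by"),
    }


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Classify one hop through OUR_SERVER.

    Returns None if the line is not a hop received by our server; otherwise the
    parsed hop plus a list of reasons it looks like relay abuse (empty = clean).
    """
    rec = parse_received(line)
    if rec is None or rec["by"].lower() != OUR_SERVER:
        return None
    reasons = []
    if not is_internal(rec["ip"]):
        # Mail injected from outside the site and accepted for delivery: with
        # open relay ruled out, this is the SMTP AUTH abuse the thread suspects.
        reasons.append("external source")
    if "." not in rec["helo"]:
        # Properly configured MTAs HELO with a fully qualified name; a bare
        # workstation name is typical of an infected or hijacked PC.
        reasons.append("bare HELO name")
    rec["reasons"] = reasons
    return rec


def suspicious_sources(lines):
    """Count, per external IP, the messages it injected through our server."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec and "external source" in rec["reasons"]:
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        rec = classify(line)
        if rec:
            status = ", ".join(rec["reasons"]) or "ok"
            print(f"{rec['ip']:>16}  helo={rec['helo']:<18} {status}")
    print("external sources:", dict(suspicious_sources(SAMPLE_HEADERS)))
```

Run against a real Exchange SMTP log export rather than the constructed list, the IPs it reports are the ones to block at the firewall and the authenticated user behind each session (visible in the server's own log, not in the Received line) is the account whose password needs resetting.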