helpline Posted October 15, 2004
Hello Sir, My IP is 66.216.122.76. It appears that you have blocked this IP. Our clients cannot send out mail. Please immediately unblock this IP. We are ready to follow all your instructions and suggestions. But please immediately unblock the above given IP. Looking forward to a positive reply.
dra007 Posted October 15, 2004
66.216.122.76 listed in bl.spamcop.net (127.0.0.2)
Causes of listing:
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
Additional potential problems (these factors do not directly result in spamcop listing):
DNS error: 66.216.122.76 is alicia.netpivotal.com but alicia.netpivotal.com is 65.61.185.241 instead of 66.216.122.76
Listing History: It has been listed for 24 hours.
Spamtrap hits are a bad sign! You also have a large increase in the volume of traffic:
Report on IP address: 66.216.122.76
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.6         1178%
Last 30 days    3.8         83%
Average         3.5
That too is a bad sign. You may be using a hijacked/compromised machine. Have you read the FAQs?
helpline (Author) Posted October 15, 2004
Hello sir, Please unblock our IP and let us know the particular account that is responsible for spamming. We will take care of it. But please first unblock the IP.
Wazoo Posted October 15, 2004
It really doesn't work like that. The posting IP of this user is far, far removed from the IP in question, so I can't even come up with a relationship between the requestor and the system in question. As already suggested, the identified IP has all the markings of a compromised system. Either solve the problem if it is under your control or ask the hosting provider to step in. The SpamCopDNSBL does not prevent you from sending e-mail. It is a list of spam-spew source IP addresses used by other ISPs to try to control the amount of spam entering their systems. Removal from this list will occur somewhere from one-half hour to 48 hours ... after the spew stops. You must do your work first.
Chris Parker Posted October 15, 2004
> Hello Sir, My IP is 66.216.122.76. It appears that you have blocked this IP. Our clients cannot send out mail. Please immediately unblock this IP. We are ready to follow all your instructions and suggestions. But please immediately unblock the above given IP. Looking forward to a positive reply.
I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. The block will be removed no more than 48 hours after your machine stops sending spam. Research indicated that the machine has been compromised with "Backdoor.Xibo". See also: SORBS and PSBL
Sample Header from messages (Evidence) -- Looks like your machine is sending eBay Phishing scams...
From anonymous[at]alicia.netpivotal.com Mon Oct 11 17:35:28 2004
Delivery-date: Mon, 11 Oct 2004 17:35:28 -0400
Received: from [66.216.122.76] (helo=alicia.netpivotal.com) by mail.victim.example with esmtp (Exim 4.41) id 1CH7pI-0006fa-0x for psbltrap[at]kernelnewbies.nl; Mon, 11 Oct 2004 17:35:28 -0400
Received: (qmail 15002 invoked by uid 48); 11 Oct 2004 21:29:22 -0000
Date: 11 Oct 2004 21:29:22 -0000
To: psbltrap[at]kernelnewbies.nl
Subject: Important Notice From eBay inc.
From: eBay Billing <aw-confirm[at]eBay.com>
Reply-To: aw-confirm[at]eBay.com
MIME-Version: 1.0
Chris Parker Posted October 15, 2004
> Please unblock our IP and let us know the particular account that is responsible for spamming. We will take care of it. But please first unblock the IP.
Since it appears that the machine itself has been compromised, it may not actually be an account within your mail server software package. You'll want to look at your firewall logs. You do have a firewall, right?
dra007 Posted October 15, 2004
That IP is listed in 4 places already: CLICK HERE!
Merlyn Posted October 16, 2004
> It really doesn't work like that. The posting IP of this user is far, far removed from the IP in question, so I can't even come up with a relationship between the requestor and the system in question.
How far away is it? The IP in question 66.216.122.76 is alicia.netpivotal.com and if you go to alicia.netpivotal.com you end up at www.onlywebhosting.com which is 65.61.185.240. Is that far enough away?
Wazoo Posted October 17, 2004
Rackspace in Texas is what I recall from yesterday .... and the other place is the current U.S. tech "favorite" outsourcing spot. I know Rackspace has crap all over the place, but .....
DavidT Posted October 17, 2004
> Rackspace in Texas is what I recall from yesterday .... and the other place is the current U.S. tech "favorite" outsourcing spot.
While their server is indeed hosted by Rackspace, their postal address is in London, but from the mangled English, I'm guessing that the OP is from India. One of the companies hosting sites I'm involved with outsourced their support to India a while back, and it's caused a LOT of problems (bad answers, incompetence, etc.). Symantec has done the same, and that's causing them to lose a lot of business, because the support from India is so bad. My bank gets their "portal" services from a company with most of its workers in India, and I've received infected email messages at the address I created only for use by the bank, and the infected messages came from India. I know of the case of a Silicon Valley tech worker who committed suicide after having to train his replacement (who was in India). I will NOT do business with any more companies who outsource their support to India...period. DT
helpline (Author) Posted October 17, 2004
Hello sir, It was told to me that my machine is compromised with "Backdoor.Xibo". However, after more investigation on the same, I found that Backdoor.Xibo does not affect Linux boxes. The IP 66.216.122.76 is on a Linux box.
Merlyn Posted October 17, 2004
66.216.122.76 has too much spam coming from it! It is already in many blocklists. You will stay listed as long as spam keeps coming from this machine. I think you would agree with me that everyone is tired of receiving mortgage quotes, penis enlargement, breast enhancement, weight loss, nude 40 year old teenage sluts, Viagra, vacation, lottery, prescription drug, business opportunities, genealogical, university degrees, gambling, get rich quick, MLM, pyramid schemes, Web Cams, Russian brides, work from home, stock scams, pirated software and everything else that is force fed into our inboxes. Please secure your machine. Mail output from this machine is up 1,205% today. Learn how to check your logs. Spammers are currently using your machine.
StevenUnderwood Posted October 17, 2004
The most recent spams coming from your IP address are EBAY phishing expeditions with subjects like:
Submitted: Sunday, October 17, 2004 2:53:47 PM -0400: Important Notice From eBay inc.
Merlyn Posted October 18, 2004
It's a shared server on Ratspace with 185 websites. You would think he would get a clue and move because Ratspace is not going to do anything about spammers.
helpline (Author) Posted October 18, 2004
> The most recent spams coming from your IP address are EBAY phishing expeditions with subjects like:
Hello Sir, I have blocked the IP that showed frequent occurrence in maillog. I hope this helps in decreasing the amount of spam.
Miss Betsy Posted October 18, 2004
I also hope it helps. I hope you also told the owner to check out his machine. Miss Betsy
dra007 Posted October 18, 2004
I have to wonder if this OP has read any of the replies.. His rhetorical statements strike me as the sound of a broken record... Those were the times...(and they had no outsourcing then)...
Merlyn Posted October 18, 2004
I am not sure he can block them if they are not originating from his site/email server. There are 154 others sharing that server that he has no control over.
DavidT Posted October 18, 2004
> I am not sure he can block them if they are not originating from his site/email server. There are 154 others sharing that server that he has no control over.
Wait...he might be an outsourced Tech Support admin for the Rackspace box, assuming that whoever leases the box has contracted one of the horrible companies in India who do that. That would put his answer in a logical context. They might allow POP before SMTP authentication, so his comment about blocking the IP refers to the particular user who was using SMTP on the box to spam. However, if this scenario is correct, then the admin should also be able to determine which hosting client is responsible and do more than just block a single source of spam. But I'll be darned if I spend one more minute doing anything that remotely helps someone in India who is doing a job that should be located right here in the U.S.A. DT
Wazoo Posted October 18, 2004
> I have blocked the IP that showed frequent occurrence in maillog. I hope this helps in decreasing the amount of spam.
I'm thinking that blocking a single IP address seems like an awfully small "fix" for what appears to be such a large problem. Has the DNS issue been resolved yet?
DNS error: 66.216.122.76 is alicia.netpivotal.com but alicia.netpivotal.com is 65.61.185.241 instead of 66.216.122.76
http://www.senderbase.org/?sb=1&searchBy=d...=netpivotal.com includes a little factoid of:
Addresses in netpivotal.com used to send email
address         hostname                DNS Verified   Daily Mag   Monthly Mag
66.216.122.76   alicia.netpivotal.com   N              4.6         3.8
So as has been hinted at a number of times in this Topic, are you the sole user of the machine at this IP address? Are you employed by netpivotal or are you just one of the users of this hardware? Do you have direct access to this machine?
Merlyn Posted October 18, 2004
According to that information they also have a DNS problem:
DNS error: 66.216.122.76 is alicia.netpivotal.com but alicia.netpivotal.com is 65.61.185.241 instead of 66.216.122.76
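Added example, not part of any post in this thread: the "DNS error" SpamCop keeps reporting is a failed forward-confirmed reverse DNS (FCrDNS) check, which the script below reproduces. The lookup tables are constructed from the records quoted in the thread (the PTR for 65.61.185.241 is an assumption; the thread only gives the A record), so it runs offline; the live_* helpers show how the same check is run against real DNS with the standard socket module.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

An IP passes only when its PTR name resolves back to that same IP.
A mismatch is what blocklists and receiving MTAs flag as "DNS error".
"""
import ipaddress
import socket

# Constructed resolver data mirroring the records quoted in the thread.
PTR_RECORDS = {
    "66.216.122.76": "alicia.netpivotal.com",
    "65.61.185.241": "alicia.netpivotal.com",  # assumed: reverse of the A record
}
A_RECORDS = {
    "alicia.netpivotal.com": ["65.61.185.241"],
}


def lookup_ptr(ip, table=PTR_RECORDS):
    """Offline PTR lookup against the constructed table (None if absent)."""
    return table.get(ip)


def lookup_a(name, table=A_RECORDS):
    """Offline A lookup against the constructed table ([] if absent)."""
    return table.get(name, [])


def live_ptr(ip):
    """Real PTR lookup via the resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name):
    """Real A lookup via the resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_fcrdns(ip, ptr=lookup_ptr, a=lookup_a):
    """Return (ok, message). ok is True only when the PTR name's A records include ip.

    Pass ptr=live_ptr, a=live_a to run the same logic against real DNS.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    name = ptr(ip)
    if name is None:
        return False, f"{ip} has no PTR record"
    name = name.rstrip(".").lower()
    addrs = a(name)
    if ip in addrs:
        return True, f"{ip} is {name} and {name} resolves back to {ip}"
    if not addrs:
        return False, f"{ip} is {name} but {name} has no A record"
    return False, (f"{ip} is {name} but {name} is {', '.join(addrs)} "
                   f"instead of {ip}")


if __name__ == "__main__":
    for addr in ("66.216.122.76", "65.61.185.241", "192.0.2.1"):
        ok, msg = check_fcrdns(addr)
        print("OK  " if ok else "FAIL", msg)
```

The failing case prints exactly the sentence SpamCop shows for 66.216.122.76. Fixing it means either pointing the PTR at a name whose A record is 66.216.122.76 (e.g. a dedicated hostname for the mail host) or adding that IP to the A records of alicia.netpivotal.com; the check is cheap enough to run from a cron job on every outbound mail host.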
Wazoo Posted October 18, 2004
OK, let's add some more to the mix of unknowns here. From an unknown "new" user, that makes no attempt at identifying his/her status or association with the "problem" IP / system, I receive the following PM:
> Hi Wazoo, RE: http://forum.spamcop.net/forums/index.php?showtopic=2864 We have now narrowed down the account that was causing the spam and have disabled his account. The account was sending email using PHP which made it hard to narrow down. Could you please now remove this thread from your forum.
To which, I will answer "here" ..... nope ... it doesn't work like that ... and besides; IP is still listed in the SpamCopDNSBL. SenderBase http://www.senderbase.org/?searchBy=ipaddr...g=66.216.122.76 currently shows:
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.8         1941%
Last 30 days    3.9         141%
Average         3.5
Which is up from yesterday's "Vol Change" of 1025%. So, to both helpline and AdamF .... from this side of the screen, there is still more than just a single account (or is it two accounts now?) that needs to be taken care of .... this box needs some serious attention. Questions asked here are still left wide open, so it's hard to come up with suggestions on just who you folks might need to contact. If this box is under "your" control, I'd say it's time to take it down, reformat, reinstall, and add user accounts only after verifying that these are real accounts (if this is the only issue you seem to be able to track down).
For completeness, my actual PM reply is also provided:
> Sorry, it doesn't work like that. Responded (and included this in that Topic) in that Topic. As said there, I don't have a clue as to who you (or helpline) may be, and the issue appears to be more than just one (or is it two now) accounts. Can you provide answers to questions already posed and not answered within that Topic? Please provide them within that Topic.
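Added example, not from any post in this thread: the PM above finally names the real source ("sending email using PHP"), and the clue was already in the evidence header Chris Parker posted, the qmail line "invoked by uid 48". The script below triages a batch of such Received headers and counts messages per injecting local user, so a script running as the web server stands out from mailbox users. The sample headers and the passwd excerpt are constructed; uid 48 being the apache user is a Red Hat-style convention assumed here for the box in question.

```python
"""Find which local uid is injecting mail, from qmail-style Received headers.

qmail records the injecting uid for locally submitted mail
("invoked by uid N") and "invoked from network" for SMTP submissions.
Counting per origin shows whether spam comes from a mailbox account
or from code running under the web server's uid (e.g. a PHP mail() loop).
"""
import re
from collections import Counter

# Constructed sample: one Received line per message, in the style of the
# header quoted in the thread. Four from uid 48, one from a shell user,
# one submitted over SMTP.
SAMPLE_RECEIVED = [
    "Received: (qmail 15002 invoked by uid 48); 11 Oct 2004 21:29:22 -0000",
    "Received: (qmail 15110 invoked by uid 48); 11 Oct 2004 21:29:40 -0000",
    "Received: (qmail 15233 invoked by uid 48); 11 Oct 2004 21:30:01 -0000",
    "Received: (qmail 15301 invoked by uid 1002); 11 Oct 2004 21:31:15 -0000",
    "Received: (qmail 15398 invoked from network); 11 Oct 2004 21:32:02 -0000",
    "Received: (qmail 15402 invoked by uid 48); 11 Oct 2004 21:32:10 -0000",
]

# Constructed /etc/passwd excerpt (uid 48 = apache is assumed, Red Hat style).
# On the real box, replace with pwd.getpwuid(uid).pw_name.
PASSWD = {0: "root", 48: "apache", 1002: "alice"}

# Accounts under which web applications run: mail from these is injected by
# a script, not by a person's mail client.
WEB_USERS = {"apache", "www-data", "nobody"}

QMAIL_RE = re.compile(r"\(qmail \d+ invoked (?:by uid (\d+)|from network)\)")


def injection_origin(received_line, passwd=PASSWD):
    """Map one qmail Received line to a username, 'network', or None if not qmail."""
    m = QMAIL_RE.search(received_line)
    if not m:
        return None
    if m.group(1) is None:
        return "network"
    uid = int(m.group(1))
    return passwd.get(uid, f"uid{uid}")


def summarize(lines, passwd=PASSWD):
    """Count messages per injecting origin (username or 'network')."""
    counts = Counter()
    for line in lines:
        origin = injection_origin(line, passwd)
        if origin is not None:
            counts[origin] += 1
    return counts


def script_injected(counts, web_users=WEB_USERS):
    """Origins that point at web-server-run code rather than a mailbox user."""
    return {user: n for user, n in counts.items() if user in web_users}


if __name__ == "__main__":
    totals = summarize(SAMPLE_RECEIVED)
    for origin, n in totals.most_common():
        print(f"{n:4d}  {origin}")
    flagged = script_injected(totals)
    if flagged:
        print("Injected by web-server uid(s):", flagged)
```

On a live server the same counts come from grepping the queue or the mail log for the "invoked by uid" lines. When the top origin is the web server's uid, disabling a mailbox account does nothing; the next step is the web server's access log around the same timestamps to find the script, and a sendmail wrapper or PHP's mail logging so that future injections record the calling script.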
Chris Parker Posted October 18, 2004
> Hello Sir, I have blocked the IP that showed frequent occurrence in maillog. I hope this helps in decreasing the amount of spam.
You need to fix the problem, not just put a band-aid on it. They could just inject from a different IP....
DavidT Posted October 18, 2004
One probable reason for the OP to request that this topic be deleted is that hosting companies don't like to have it publicized that they're using outsourced tech support from India. The OP doesn't want to admit that my suspicions were correct. DT
Merlyn Posted October 18, 2004
I would not like to see this topic deleted as it is a perfect example of clueless operators. Companies should see what they are or are not paying for.