Jump to content

Help requested


horsepro

Recommended Posts

Hi There,

I have n Educational Website that is quite popular and helps a lot of people. My mail is often blocked and I am on spam lists apparently. I cannot work out how to put a dispute form in. It asked for my ip number, I put it in and then no help as to what to do next.

www.horseproblems.com.au

Thanks for any advice.

Link to comment
Share on other sites

Assuming your email server is at 66.116.206.62, you do not seem to be in any of the major blocklists. You will probably need to post one of the rejection notices.

-- Just a happy user,

JosephK

Link to comment
Share on other sites

Assuming your email server is at 66.116.206.62

But it's probably not. In most shared hosting situations, the IP address from which mail emanates is rarely the same as the IP address of the "www" version of the domain, which is what you've supplied here. Did you look it up in SenderBase? Take a look here:

http://www.senderbase.org/?searchBy=ipaddr...g=66.116.206.62

It doesn't seem that any mail is emanating from that IP. However, if you look up the DNS for "horseproblems.com.au" at:

http://dnsreport.com/tools/dnsreport.ch?do...problems.com.au

you'll see that their MX is "mail6.hostexcellence.com" (which is an alias for "mail6.opentransfer.com") and the IP is:

69.6.255.177

Let's look that up in SenderBase:

http://www.senderbase.org/?searchBy=ipaddr...ng=69.6.255.177

Oh my...in the last 30 days, the traffic has risen by 1159%!!! That's a very BAD indicator. The good news is that in the last day, it's dropped by 75%, so perhaps someone is dealing with whatever problem might exist (spammer, hijacked mail scripts, ?) on that server.

The IP isn't currently listed on any blocklists, however, and there's no SpamCop "history" of reports (on either of the IPs), so I'm not sure if that's the sending IP for the server in question, either. We need to see the error message from one of the bounces.

Regarding the hosting provider....some strange stuff...the address given is in Kentucky, but the IPs and servers all appear to be under the control of a person named "Fathi Said" in Austria. If you Google him, you'll find some odd stuff relating to some big flap over "FeaturePrice.com" and Mr. Said. You'll also find this reference to him not caring about spamvertising in Usenet groups:

http://www.talkaboutspam.com/group/alt.kil...sages/9766.html

Hmmm...a little more Googling, and I find this:

http://www.featureprice-scam.com/fathi.html

I checked out some of the "web hosting review sites" mentioned on that page, and there does appear to be a pattern of Mr. Said putting up self-serving review sites, putting his hosting companies as the top-rated hosts. Or maybe he's a fine, upstanding businessman whose reputation was sullied by previously being in partnership with someone who wasn't quite so upstanding? It's hard to tell from a limited bit of research. OK, I guess it's time to get back on topic... ;-)

DT

Link to comment
Share on other sites

Thanks very much David. Now I am starting to understand it. Thankyou for your kind efforts on my behalf.

27783[/snapback]

Now senderbase -51% and de-listed. Seems like another case of SpamCop doing what it says on the tin! - alerting server admins of a problem which they seem to have put right.

Link to comment
Share on other sites

Sorry to bother you again, but when you see the funny writing on your preview in mail washer, like down the bottom of this, does that mean it is a virus?

(Personal data removed by Wazoo)

Date: Mon, 09 May 2005 17:18:18 UTC

Subject: Your email was blocked

Importance: Normal

X-Priority: 3 (Normal)

Message-ID: <bfb3.efb1c996adf[at]vw.ph-heidelberg.de>

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="======b974a638df438e1b31ef"

Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--======b974a638df438e1b31ef

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

--======b974a638df438e1b31ef

Content-Type: application/octet-stream; name=error-mail_info.zip

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="error-mail_info.zip"

UEsDBAoAAAAAAAGAojKuS6g1MtEAADLRAAAmAAAAV2luemlwcGVkLVRleHRfRGF0YS50eHQgICAg

ICAgICAgIC5waWZNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAA

Link to comment
Share on other sites

Although it may have been / probably was a virus, to the question you ask about the data you provided, the specific technical answer would be "no" ... it doesn't "mean" that it's a virus, only that the data had been "packaged" .. the details describing how it was packaged ....

Content-Transfer-Encoding: base64 - says that the included data was encoded to Base-64 ... so you wouldn't see 'plain text'

Example: This is a test ends up looking like VGhpcyBpcyBhIHRlc3Q=

Content-Type: application/octet-stream; name=error-mail_info.zip - then suggests that the included data had been archived/compressed into a .ZIP file, yet another level of data manipulation that would further distance that data from any resemblance to 'plain text' ....

Link to comment
Share on other sites

42 in one stretch would suggest that it really was a virus infected machine working hard to get your attention ... <g> .. dang Iwent back to look up the source, guess maybe I removed too much? (though don't recall seeing a lot of hand-off data .. just keyed on your address sitting there in plain sight ..)

Link to comment
Share on other sites

does that mean it is a virus?

Let me state first...."Google is your friend...use it!"

Now for the answer....YES! It's the new variant of the "Sober" worm. I put the zip file name into Google and came up with plenty of hits. Here's the description from Syamtec:

mm.html]http://sarc.com/avcenter/venc/data/w32.sober.o[at]mm.html

Most incoming messages with ".zip" file attachments are worms, as are those with ".pif" and other file types. You can use the headers on this to report it to the source ISP and get them to cut that user's Internet access off until they call in, and are then told to disinfect their computer.

DT

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...