C2 Webmaster Posted June 30, 2005 Posted June 30, 2005 My company was added to the blacklist, somewhere between yesterday en today. This has been the 3rd time this year :angry: . This also compromisses our business as we are heavily dependent on e-mail. Can i get an overview of the persons \ companies who reported the following ip: 62.58.67.2 I manually removed the registration today, but i don't wanna be registered again. I read the Spamcop policy and terms and understand your point, but i do object if we are reported unfairly.
agsteele Posted June 30, 2005 Posted June 30, 2005 Can i get an overview of the persons \ companies who reported the following ip: 62.58.67.2 29779[/snapback] A quick check in the lookup on the SpamCop site shows the following for this IP: Causes of listing * System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) Since spam traps are unpublished Email addresses which have never been used to send or receive legitimate Email, they are considered a reliable indication that the originator is sending unsolicited messages. This means that either you have purchased a list of addresses or, quite commonly, that a PC has become infected with a trojan which is sending unsolicted Email without your knowledge. A look up at SenderBase indicates a 152% increase in mail volumes in the last day which suggests something untoward may be happening. Andrew
turetzsr Posted June 30, 2005 Posted June 30, 2005 My company was added to the blacklist, somewhere between yesterday en today. This has been the 3rd time this year :angry: . 29779[/snapback] ...Sorry to hear that. I share your anger -- spammers have spoiled the internet for everyone! <frown>Can i get an overview of the persons \ companies who reported the following ip: 62.58.67.229779[/snapback] ...The best place to start to get information about the spam reports, I think, would be to contact the folks responsible for Versatel in Amsterdam, The Netherlands, as SpamCop abuse reports for that IP address go to abuse[at]versatel.nl.This also compromisses our business as we are heavily dependent on e-mail. <snip> 29779[/snapback] ...Unsolicited advice: you may wish to rethink your business strategy in this regard. Internet e-mail is not a guaranteed delivery mechanism. Although it is (amazingly, in my view) reliable, it is not 100% so. Backhoes cut lines, servers fail or get backlogged, e-mail gets accidentally deleted or otherwise mishandled. Important communications should be done by other means in addition to e-mail.
StevenUnderwood Posted June 30, 2005 Posted June 30, 2005 My company was added to the blacklist, somewhere between yesterday en today. This has been the 3rd time this year :angry: . This also compromisses our business as we are heavily dependent on e-mail. Can i get an overview of the persons \ companies who reported the following ip: 62.58.67.2 I manually removed the registration today, but i don't wanna be registered again. I read the Spamcop policy and terms and understand your point, but i do object if we are reported unfairly. 29779[/snapback] As you may be aware, you are listed again and will fal off that listing in 16 hours unless another report comes in. Have you read and understood: http://www.spamcop.net/bl.shtml?62.58.67.2 Specifically, the section in the middle: The most common causes of blocking systems not intending to spam One of the recent problems, not yet listed in this forum, is the first one on that list, misdirected auto-replies. Do you use a virus scanner or anti-spam system that returns messages to the forged From or reply-to addresses? Do you have Out of office messages enabled? Any automated reply, if sent to an address provided in the email message, could be the cause of spam trap hits if someone has figured out one of the addresses and is using it as the sender.
C2 Webmaster Posted June 30, 2005 Author Posted June 30, 2005 Thank you all for your quick responses. I performed a full network scan and couldn't detect any virussen at all. Exchange and the firewall also didn't report any unusual activities. But we do have lots off people on vacation right now, and some disabled users. I'll take the advice for disabling the Exchange 2003 system messages, for i suspect that those are the cause of this situation. Unfortunately we are dependent on mail, as we are a helpdesk company with lots of customers. We have used Versatel as our ISP for their extremely high service-levels, Antivirus protection and high availability of the mailservice. Guess i'll have to wait for 16 hours now .... I'll keep you informed.
StevenUnderwood Posted June 30, 2005 Posted June 30, 2005 Guess i'll have to wait for 16 hours now .... I'll keep you informed. 29783[/snapback] If you contact deputies<at>spamcop.net and ask them nicely, they should be able to confirm for you what type of messages hit one of the spamtraps from your server. Then, if you explain what you have done to eliminate the problem, they COULD agree to remove you early.
Jeff G. Posted June 30, 2005 Posted June 30, 2005 At this point there appears to be no Report History for 62.58.67.2 - that is, all of the information the SCBL has about that IP Address is from at least one spamtrap and any number of moles. You should definitely ask the Deputies to at least characterize the information they have, while explaining that you have disabled the Exchange 2003 system messages and bounces (or your timetable for doing so).
Jeff G. Posted June 30, 2005 Posted June 30, 2005 You might also contact the nice folks at Stichting Spamvrij.nl (the site is in the Dutch Language; you can try to view it in English via http://www.systranbox.com/systran/box?syst...an_f=1120163454) to see if they have any reports.
Merlyn Posted June 30, 2005 Posted June 30, 2005 Looks like in the last day traffic is up by 152% according to senderbase.
Jeff G. Posted June 30, 2005 Posted June 30, 2005 Looks like in the last day traffic is up by 152% according to senderbase.29809[/snapback] Already referenced by Andrew in Linear Post #2.
C2 Webmaster Posted July 4, 2005 Author Posted July 4, 2005 Looks like in the last day traffic is up by 152% according to senderbase. 29809[/snapback] Weirdly enough, we can't see any abnormal messages going out from our server, nor an abnormal amount of mail. We do have mailings sometimes, but those are normal. Today we are listed again (4-7-2005). :angry: I've sent a nice mail, as suggested, to the deputies. But i can't figure out what's wrong. We have no virussen, no trojans, and i've disabled the system messages. But still, we're on the list. Now i've got an very angry boss, and all i can say is "sorry". As long as the companies we mail to, use SpamCop we're dependent on SpamCop for our mailservices. Seems a bit odd. In my opinion SpamCop is for filtering mailtraffic, not shutting companies down. So once again, i'll wait for the answer.
swingspacers Posted July 4, 2005 Posted July 4, 2005 Your server has sent mail to spam traps. Those are secret email addresses to which no legitimate mailer would send anything. If you stop sending mail to spam traps, the IP address of your server will automatically be removed from the SpamCop DNSBL within just a couple of hours.
Jeff G. Posted July 4, 2005 Posted July 4, 2005 Please see FAQ Entry: Am I Running Mailing Lists Responsibly?.
agsteele Posted July 5, 2005 Posted July 5, 2005 When or if you get more information from the deputies it would be really helpful if you could share any insights. In the meantime I'd say there is a real possibility that one of your customers lists has spam trap addresses in it and/or your mail server is responding to junk mail by bouncing back to the from address. Either of these could get you listed. Andrew
dbiel Posted July 5, 2005 Posted July 5, 2005 Do you have SMTP enabled for remote users. If you do, this could also be the source of your problems. Most companies have found that they can live without that feature as their remote users are connecting through another ISP that provides the necessary SMTP services, or have provided a login to the mail server using some type of webmail browser interface that eliminates the need for remote SMTP. I would also suggest that you require your users to change their passwords and delete unnecesary accounts. Have you renamed your Admin account, or are you still using the default name. Why make it easier for hackers by giving them the first half of the "user name / password" log in for a admin login? But still, we're on the list. Now i've got an very angry boss, and all i can say is "sorry". As long as the companies we mail to, use SpamCop we're dependent on SpamCop for our mailservices. Seems a bit odd. In my opinion SpamCop is for filtering mailtraffic, not shutting companies down.SpamCop's official policy is to recommend filtering, not blocking. The problem is that some ISPs have chosen to use the SpamCop list as a blocking list rather than as a filtering list. I personal would refuse to use an ISP that blocks rather than filters. Hopefully you will be able to expain to your boss why your out bound traffic levels have varried. It was previously noted that sender base indicated a 152% increase while now indicating a 43% decrease for the day but a 45% average increase for the past month does not quite match with your statement Weirdly enough, we can't see any abnormal messages going out from our server, nor an abnormal amount of mail. We do have mailings sometimes, but those are normal.
C2 Webmaster Posted July 5, 2005 Author Posted July 5, 2005 Do you have SMTP enabled for remote users. -> No I would also suggest that you require your users to change their passwords -> They have to every 30 days, no exceptions ....and delete unnecesary accounts. -> We always sustain a disabled account for 1 month and then delete it Have you renamed your Admin account -> Yes SpamCop's official policy is to recommend filtering, not blocking. -> I know, but most companies use blocking mode. BTW we don't have a problem with our ISP, but with our customers who sometimes use SpamCop. Hopefully you will be able to expain to your boss why your out bound traffic levels have varried. -> Well, thats our business, sometimes we need to send lots of mail. Especially last month, we contacted customers and prospects for the holidays It was previously noted that sender base indicated a 152% increase while now indicating a 43% decrease for the day but a 45% average increase for the past month does not quite match with your statement -> As said before, thats our business. Sometimes we send mail to lists of clients and prospects Today we are off the list again. Maybe disabling the systemmessages helped.....
dbiel Posted July 5, 2005 Posted July 5, 2005 Sounds like you have things well under control. I hope your problem has been solved by deleting the auto replies.
GraemeL Posted July 5, 2005 Posted July 5, 2005 Do you have SMTP enabled for remote users. -> No 29927[/snapback] In fact, you do have AUTH LOGIN enabled which will allow remote users to authenticate and relay mail through your server. I ran a check on 100 or so common weak username/password combinations, but was unable to get authenticated. Though the spammers may be using a different set of common passwords than I am. If you don't require your remote users to be able to send mail through your server, you should disable AUTH LOGIN. I'm pretty sure the FAQ has a link that tells you how to do it. It might not be the cause this time, but disabling it removes an attack vector that could be abused in the future.
Jeff G. Posted July 6, 2005 Posted July 6, 2005 62.58.67.2 appears to relay according to abuse.net's "Relay test 8".
Recommended Posts
Archived
This topic is now archived and is closed to further replies.