Non mailserver IP blocked


fireguy


I have 2 IP addresses. One is my mail server (and has been since we got them) and the other is the 2nd DNS. I received an email the other day that someone was relaying from our 2nd IP address. How can that be? I am using IMail (latest version) and it is set not to relay mail. Since there is no web mail application on the machine with the 2nd IP how do I make sure no one can relay? Please help.

Thanks

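The question above is whether a mail server will accept a message from an outside sender for an outside recipient, which is what "relaying" means in this context. What follows is an added example, not code from the original thread and not part of IMail: it performs the classic open-relay probe against an SMTP port (HELO, MAIL FROM with a foreign sender, RCPT TO with a foreign recipient, then QUIT without ever sending DATA, so no message is injected) and reports whether the RCPT was accepted. The in-process fake SMTP responder, the hostnames, the sender and recipient addresses, and the choice of ccoel.org as the domain the fake server treats as "local" are all constructed for the demonstration.

```python
import socket
import threading

LOCAL_DOMAIN = "ccoel.org"  # assumption: the one domain the fake server delivers for


def _read_reply(rf):
    """Read one SMTP reply (single- or multi-line); return (code, text)."""
    texts = []
    while True:
        raw = rf.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
            return int(line[:3]), "\n".join(texts)


def _send(wf, cmd):
    wf.write((cmd + "\r\n").encode("ascii"))
    wf.flush()


def check_open_relay(host, port, outside_sender, outside_rcpt,
                     helo="relaytest.example"):
    """Probe an MTA for open relaying.

    outside_rcpt must be in a domain the server does not host: a 250 to that
    RCPT means the server agreed to relay.  DATA is never sent, so nothing is
    actually delivered.  Returns a dict of per-step reply codes plus 'open'.
    """
    result = {"open": False}
    with socket.create_connection((host, port), timeout=10) as sock:
        rf, wf = sock.makefile("rb"), sock.makefile("wb")
        result["banner"] = _read_reply(rf)[0]
        steps = [("helo", f"HELO {helo}"),
                 ("mail", f"MAIL FROM:<{outside_sender}>"),
                 ("rcpt", f"RCPT TO:<{outside_rcpt}>")]
        for name, cmd in steps:
            _send(wf, cmd)
            code, _ = _read_reply(rf)
            result[name] = code
            if name == "rcpt":
                result["open"] = (code == 250)
            elif code != 250:      # HELO or MAIL refused: no verdict possible
                break
        _send(wf, "QUIT")
        try:
            _read_reply(rf)
        except (ConnectionError, ValueError):
            pass
    return result


def fake_smtp_server(relay):
    """Constructed single-connection SMTP responder used to exercise the probe.

    relay=True mimics a misconfigured MTA that accepts any RCPT; relay=False
    accepts RCPT only for LOCAL_DOMAIN and answers 550 for everything else.
    Returns (host, port) of the listening socket.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            rf, wf = conn.makefile("rb"), conn.makefile("wb")
            _send(wf, "220 fake.example ESMTP (constructed test server)")
            while True:
                raw = rf.readline()
                if not raw:
                    break
                line = raw.decode("ascii", "replace").strip()
                if not line:
                    _send(wf, "500 empty command")
                    continue
                if line.upper().startswith("QUIT"):
                    _send(wf, "221 bye")
                    break
                verb = line.split(":")[0].split()[0].upper()
                if verb == "RCPT":
                    rcpt = line.split(":", 1)[1].strip().strip("<>")
                    local = rcpt.lower().endswith("@" + LOCAL_DOMAIN)
                    _send(wf, "250 ok" if (relay or local) else "550 relaying denied")
                else:
                    _send(wf, "250 ok")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    for mode in (True, False):
        h, p = fake_smtp_server(relay=mode)
        print("relay=%s ->" % mode,
              check_open_relay(h, p, "spammer@example.net", "victim@example.org"))
```

Two caveats when running this against a real host: point it only at port 25 on a machine you are responsible for, and remember that some MTAs accept at RCPT and only reject or bounce after DATA, so a 250 here is strong evidence, not proof; the definitive test is to relay to a mailbox you control and see whether it arrives. Conversely, a 550 on the relay probe does not rule out what the rest of this thread turns up, namely spam leaving the host through something other than the configured mail server.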

I have 2 IP addresses.  One is my mail server (and has been since we got them) and the other is the 2nd DNS.  I received an email the other day that someone was relaying from our 2nd IP address.  How can that be?

<snip>


Hi, fireguy!

...Please see my reply in thread "Spammers using real headers" -- part that begins "Please explain to me what a "zombied machine" is? <snip>"


vineland.ccoel.org reports the following MX records:

Preference   Host Name   IP Address
10           ccoel.org   209.3.204.207

Your NS records at the parent servers are:

VINELAND2.CCOEL.ORG. [209.3.204.254] [TTL=172800] [uS]

VINELAND.CCOEL.ORG. [209.3.204.207] [TTL=172800] [uS]

[These were obtained from tld6.ultradns.co.uk]

So it appears that the IP in question is 209.3.204.254

Quick check - not answering Port 80, port 25

Then again,

ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are:

209.3.204.254

Perhaps it's actually off-line at present?


vineland.ccoel.org reports the following MX records:

Preference   Host Name   IP Address
10           ccoel.org   209.3.204.207

Your NS records at the parent servers are:

VINELAND2.CCOEL.ORG. [209.3.204.254] [TTL=172800] [uS]

VINELAND.CCOEL.ORG. [209.3.204.207] [TTL=172800] [uS]

[These were obtained from tld6.ultradns.co.uk]

So it appears that the IP in question is 209.3.204.254


Wazoo, if your findings are correct, they have a third IP as well: the posting IP address, 209.3.204.211. No reports.

host 209.3.204.211 = client-209-3-204-211.ccoel.org (cached)

No recent reports, no history available

host 209.3.204.207 (getting name) = client-209-3-204-207.ccoel.org.

No recent reports, no history available

host 209.3.204.254 = client-209-3-204-254.ccoel.org (cached)

[report history]

Report History:

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 12:52:09 PM -0400:

RE: Elegance, beauty, class!

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 6:26:47 AM -0400:

Genuine Offer: 3.2%.

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 3:50:12 AM -0400:

Healthy Spermatazoa

--------------------------------------------------------------------------------

Submitted: Tuesday, August 23, 2005 1:06:56 PM -0400:

New Emerging Growth St0ck

--------------------------------------------------------------------------------

Submitted: Tuesday, August 23, 2005 12:26:11 AM -0400:

Rolex & LV Bag Replica Sale

--------------------------------------------------------------------------------

209.3.204.254 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 209.3.204.254 is client-209-3-204-254.ccoel.org but client-209-3-204-254.ccoel.org has no DNS information

This machine (.254) looks like it is being used by every spammer out there and is already listed on 3 of the bl's that senderbase monitors.

http://www.senderbase.org/?searchBy=ipaddr...g=209.3.204.254

Pay special attention to the Volume Statistics:

               Magnitude   Vol Change vs. Average
Last day       5.1         11253%
Last 30 days   3.9         575%
Average        3.0

That machine probably has gotten infected with one of the recent viruses and is now open to the public. I noticed port 8080 is open, which is one of the indicators.

Is there a reason you have an FTP server on that IP or is that part of the infection?

C:\>ftp 209.3.204.254

Connected to 209.3.204.254.

220 SSH-1.99-OpenSSH_3.4

User (209.3.204.254:(none)):

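The listing check quoted in the post above ("209.3.204.254 listed in bl.spamcop.net (127.0.0.2)") is a DNS lookup: the address octets are reversed, the zone name is appended, and an A record in 127.0.0.0/8 means "listed". The following is an added example, not code from the thread or from SpamCop, showing how that query name is built, how the answer is interpreted, and the sanity check a practitioner runs before trusting any DNSBL (RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be, which catches dead zones and wildcarding resolvers that answer every query). The two stand-in resolvers are constructed for the demonstration, seeded only with what the thread shows (the .254 address listed, the others not); nothing here contacts real DNS unless the default resolver is used.

```python
import ipaddress
import socket

DEFAULT_ZONE = "bl.spamcop.net"
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DEFAULT_ZONE):
    """Build the DNSBL query name: octets reversed, zone appended.

    209.3.204.254 -> 254.204.3.209.bl.spamcop.net
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def _system_resolver(name):
    """Return the A records for name via the OS resolver; socket.gaierror on NXDOMAIN."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


def dnsbl_lookup(ip, zone=DEFAULT_ZONE, resolve=_system_resolver):
    """Return the sorted 127.0.0.x answer codes for ip in zone, or [] if not listed.

    Only answers inside 127.0.0.0/8 count: anything else is a wildcarding
    resolver, a captive portal or a dead zone, not a listing.
    """
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:          # NXDOMAIN: not listed
        return []
    return sorted(a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK)


def zone_is_sane(zone=DEFAULT_ZONE, resolve=_system_resolver):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    A zone failing either check is answering garbage (or listing the world) and
    its results must not be used to block mail.
    """
    return bool(dnsbl_lookup("127.0.0.2", zone, resolve)) and \
        not dnsbl_lookup("127.0.0.1", zone, resolve)


def constructed_resolver(name):
    """Constructed stand-in for DNS, seeded with what the thread shows."""
    table = {
        "254.204.3.209.bl.spamcop.net": ["127.0.0.2"],   # the listed .254 host
        "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],       # RFC 5782 positive test point
    }
    if name in table:
        return table[name]
    raise socket.gaierror(-2, "Name or service not known")


def wildcard_resolver(name):
    """Constructed resolver that answers every query, as a dead or hijacked zone does."""
    return ["203.0.113.9"]


if __name__ == "__main__":
    for ip in ("209.3.204.207", "209.3.204.211", "209.3.204.254"):
        print(ip, "->", dnsbl_query_name(ip), dnsbl_lookup(ip, resolve=constructed_resolver))
    print("constructed zone sane:", zone_is_sane(resolve=constructed_resolver))
    print("wildcard zone sane:", zone_is_sane(resolve=wildcard_resolver))
```

The thread's own numbers reproduce: only the .254 address returns 127.0.0.2, while .207 and .211 come back empty. The wildcard resolver shows why the 127/8 filter and the test-point check matter: it answers every name, yet the lookup correctly reports nothing listed and the zone as unusable.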
