rocky Posted February 27, 2004 Posted February 27, 2004 I am responsible for mailout.nec.com 143.101.113.2. I got a user complaint: [at]airmail.net uses SPAMCOP service and rejected messages coming from 143.101.113.2 (NSG's outgoing SMTP server) http://www.spamcop.net/w3m?action=blcheck&ip=143.101.113.2 Yet when I follow the link it says that I am not listed. If we are sending spam I want it fixed, but I have not seen any evidence of this. In short - am I listed or not? FYI - your registration confirmation message is very spammy - spamassassin (with minor modifications) scored it 11.9. Thanks for the help. Rocky
Jeff G. Posted February 27, 2004 Posted February 27, 2004 That webpage and the database both show it as not listed: 143.101.113.2 not listed in bl.spamcop.net Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 53.7 days. It has been listed for less than 24 hours. unknown host 2.113.101.143.bl.spamcop.net
rocky Posted February 27, 2004 Author Posted February 27, 2004 That is exactly what I saw, so why would sites be bouncing our email (I've had ~140 complaints this AM). It's been multiple sites so I ruled out local misconfiguration. Any other ideas? BTW - I love the service - thanks for helping to rid the net of trash. Rocky
Jeff G. Posted February 27, 2004 Posted February 27, 2004 The SpamCop Block List Administrators may be able to diagnose the problem by checking the individual nameservers - please email "bl at admin.spamcop.net" to reach them. Thanks!
Ellen Posted February 28, 2004 Posted February 28, 2004 I just did a dig at each of the bl nameservers and do not see the IP listed at any of them.
StevenUnderwood Posted February 28, 2004 Posted February 28, 2004 I just did a dig at each of the bl nameservers and do not see the IP listed at any of them. Well, something is amiss because even senderbase is showing it as being on the spamcop bl. http://www.senderbase.org/?searchBy=ipaddr...g=143.101.113.2 The check block page is also showing spamtrap sightings as well. http://www.spamcop.net/w3m?action=checkblo...p=143.101.113.2
WB8TYW Posted February 28, 2004 Posted February 28, 2004 It was not on the spamcop.net blocking list earlier, it aged off. But now it is back for a second listing. The spam sample is the same as earlier and the title is ambigous as if it could be spam. The prior check did not show spamtrap hits. My first guess would be: Is there an auto-responder on this mail server that is replying to or bouncing viruses? If the original poster will follow the links from the pinned topic "Why is my mail server blocked, it will give you a list of things to check. So lets do some checks: In this case, it does not appear to be on any open relay list, or open proxy list, but it has been reported to MAPS-OPS for a proxy test at least twice. They have two samples for May 2003, and JAN 2004. In both cases a non-delivery message was submitted to the MAPS-OPS for proxy testing. But this indicates that the exploit is probably one or more of: 1. SMTP Authentication exploit. Weak passwords, or a guest account. 2. Multihop exploit. That is a compromised computer somewhere on your internal network is relaying spam, and the spamcop.net parser does not recognize your server as a valid relay. 3. The mail server is abusively generating bounce messages instead of SMTP rejects. This will result in spamtrap hits on many DNSbls when a virus harvests a spamtrap address. Spamcop members are not allowed to report bounces and broken virus scanners through spamcop.net. The rules for a spamtrap may be different. 4. Some other exploit like an insecure web server or form mail. If it were not for the spamtrap hits, I would also suspect that a user is mistakenly reporting their own mail server. -John Personal Opinion Only
Ellen Posted February 28, 2004 Posted February 28, 2004 I just did a dig at each of the bl nameservers and do not see the IP listed at any of them. Well, something is amiss because even senderbase is showing it as being on the spamcop bl. http://www.senderbase.org/?searchBy=ipaddr...g=143.101.113.2 The check block page is also showing spamtrap sightings as well. http://www.spamcop.net/w3m?action=checkblo...p=143.101.113.2 yes it is listed again -- sigh It's some kind of subscription probe it appears -- it's scheduled to delist in the next couple of hours.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.