Am I blacklisted or not?


rocky

I am responsible for mailout.nec.com 143.101.113.2. I got a user complaint:

[at]airmail.net uses SPAMCOP service and rejected messages coming from 143.101.113.2 (NSG's outgoing SMTP server)

http://www.spamcop.net/w3m?action=blcheck&ip=143.101.113.2

Yet when I follow the link it says that I am not listed.

If we are sending spam I want it fixed, but I have not seen any evidence of this.

In short - am I listed or not?

FYI - your registration confirmation message is very spammy - spamassassin (with minor modifications) scored it 11.9.

Thanks for the help.

Rocky


That webpage and the database both show it as not listed:

143.101.113.2 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 53.7 days. It has been listed for less than 24 hours.

unknown host 2.113.101.143.bl.spamcop.net

That is exactly what I saw, so why would sites be bouncing our email (I've had ~140 complaints this AM)?

It's been multiple sites so I ruled out local misconfiguration.

Any other ideas?

BTW - I love the service - thanks for helping to rid the net of trash.

Rocky


The SpamCop Block List Administrators may be able to diagnose the problem by checking the individual nameservers - please email "bl at admin.spamcop.net" to reach them. Thanks!


I just did a dig at each of the bl nameservers and do not see the IP listed at any of them.

Well, something is amiss because even senderbase is showing it as being on the spamcop bl.

http://www.senderbase.org/?searchBy=ipaddr...g=143.101.113.2

The check block page is also showing spamtrap sightings as well.

http://www.spamcop.net/w3m?action=checkblo...p=143.101.113.2

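The per-nameserver check described in the posts above, as an added example that is not part of the original thread or SpamCop's own tooling: it builds the reversed-octet name seen in the "unknown host" output, asks each nameserver directly, and flags disagreement between servers. The function names are this example's own, and the nameserver addresses in the usage section are documentation-range placeholders.

```python
import socket
import struct

ZONE = "bl.spamcop.net"

def dnsbl_qname(ip, zone=ZONE):
    """143.101.113.2 -> 2.113.101.143.bl.spamcop.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def build_query(qname, txid=0x1234):
    """Minimal DNS A/IN question; flags 0 = no recursion requested."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response, txid=0x1234):
    """Verdict from the 12-byte DNS header alone (RCODE and ANCOUNT)."""
    if len(response) < 12:
        return "error"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or not a response
        return "error"
    rcode = flags & 0x000F
    if rcode == 3 or (rcode == 0 and ancount == 0):
        return "not listed"                 # NXDOMAIN or empty answer
    return "listed" if rcode == 0 else "error"

def ask(server_ip, ip, timeout=3.0):
    """Query one nameserver directly over UDP, bypassing resolver caches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(dnsbl_qname(ip)), (server_ip, 53))
            return classify(s.recvfrom(512)[0])
        except OSError:                     # timeout or unreachable
            return "error"

def compare(results):
    """Collapse per-server verdicts; disagreement is the interesting case."""
    verdicts = {v for v in results.values() if v != "error"}
    if len(verdicts) > 1:
        return "inconsistent"
    return verdicts.pop() if verdicts else "unknown"

if __name__ == "__main__":
    servers = ["192.0.2.1", "192.0.2.2"]    # placeholders: use the zone's real NS addresses
    results = {ns: ask(ns, "143.101.113.2") for ns in servers}
    print(results, "->", compare(results))
```

An "inconsistent" result means some nameservers are serving a different copy of the list than others, which would explain a lookup page and a receiving mail server disagreeing about the same IP.
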

It was not on the spamcop.net blocking list earlier, it aged off.

But now it is back for a second listing. The spam sample is the same as earlier and the title is ambiguous as if it could be spam.

The prior check did not show spamtrap hits.

My first guess would be:

Is there an auto-responder on this mail server that is replying to or bouncing viruses?

If the original poster will follow the links from the pinned topic "Why is my mail server blocked", it will give you a list of things to check.

So let's do some checks:

In this case, it does not appear to be on any open relay list, or open proxy list, but it has been reported to MAPS-OPS for a proxy test at least twice.

They have two samples for May 2003, and JAN 2004.

In both cases a non-delivery message was submitted to the MAPS-OPS for proxy testing.

But this indicates that the exploit is probably one or more of:

1. SMTP Authentication exploit. Weak passwords, or a guest account.

2. Multihop exploit. That is a compromised computer somewhere on your internal network is relaying spam, and the spamcop.net parser does not recognize your server as a valid relay.

3. The mail server is abusively generating bounce messages instead of SMTP rejects. This will result in spamtrap hits on many DNSbls when a virus harvests a spamtrap address. Spamcop members are not allowed to report bounces and broken virus scanners through spamcop.net. The rules for a spamtrap may be different.

4. Some other exploit like an insecure web server or form mail.

If it were not for the spamtrap hits, I would also suspect that a user is mistakenly reporting their own mail server.

-John

Personal Opinion Only


I just did a dig at each of the bl nameservers and do not see the IP listed at any of them.

Well, something is amiss because even senderbase is showing it as being on the spamcop bl.

http://www.senderbase.org/?searchBy=ipaddr...g=143.101.113.2

The check block page is also showing spamtrap sightings as well.

http://www.spamcop.net/w3m?action=checkblo...p=143.101.113.2

yes it is listed again -- sigh

It's some kind of subscription probe it appears -- it's scheduled to delist in the next couple of hours.


Archived

This topic is now archived and is closed to further replies.
