My emails are bounced back from non-SpamCop users


hpaulh


These are friends of mine, and members of my mailing list that have asked to be on my list. Yet my domain has been put on a DNS blacklist. Why? Here's the example:

The original message was received at Fri, 27 Feb 2004 07:42:22 -0800 (PST)

from [10.253.4.121]

----- The following addresses had permanent fatal errors -----

<dougk[at]thegathering.org>

(reason: 554 The IP Address of the sender (208.54.142.1) was found in a DNS blacklist database and was therefore refused.)

<doug774[at]intergate.com>

(reason: 550 5.7.1 <doug774[at]intergate.com>... Email rejected due to sending server misconfiguration - see http://spamcop.net/w3m?action=checkblock&ip=208.54.142.1)

----- Transcript of session follows -----

... while talking to mail.thegathering.org.:

>>> RCPT To:<dougk[at]thegathering.org>

<<< 554 The IP Address of the sender (208.54.142.1) was found in a DNS blacklist database and was therefore refused.

554 5.0.0 Service unavailable

... while talking to mailgate2.trip.net.:

>>> RCPT To:<doug774[at]intergate.com>

<<< 550 5.7.1 <doug774[at]intergate.com>... Email rejected due to sending server misconfiguration - see http://spamcop.net/w3m?action=checkblock&ip=208.54.142.1

550 5.1.1 <doug774[at]intergate.com>... User unknown
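The two rejections above are DNSBL-based, not "user unknown" bounces: both receiving servers looked up the connecting IP (208.54.142.1) in a blocklist zone and refused the session. The following added example (not code from the original post or from SpamCop) shows what an operator would do with such a bounce: pull the recipient/reason pairs out of the sendmail-style report, separate blocklist rejections from mailbox errors, extract the IP that was actually listed, and build the reversed-octet query name that every DNSBL uses. The sample bounce text is constructed from the post above, with the forum's "[at]" obfuscation undone; the zone names are real public DNSBLs given only as typical ones to consult, and `dnsbl_lookup` needs network access.

```python
import re
import socket

# Constructed sample: the bounce from the post above, trimmed to the part
# the parser needs. "[at]" is the forum's obfuscation of "@".
SAMPLE_BOUNCE = """\
----- The following addresses had permanent fatal errors -----
<dougk[at]thegathering.org>
(reason: 554 The IP Address of the sender (208.54.142.1) was found in a DNS blacklist database and was therefore refused.)
<doug774[at]intergate.com>
(reason: 550 5.7.1 <doug774[at]intergate.com>... Email rejected due to sending server misconfiguration - see http://spamcop.net/w3m?action=checkblock&ip=208.54.142.1)
"""

# Substrings that mark a blocklist-based refusal rather than a bad mailbox.
BLOCKLIST_HINTS = ("dns blacklist", "spamcop.net/w3m?action=checkblock", "blocklist", "rbl")

# Public DNSBL zones an operator would typically check (assumed choice, not from the post).
DNSBL_ZONES = ("bl.spamcop.net", "zen.spamhaus.org")

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_rejections(bounce_text):
    """Return (recipient, reason) pairs from a sendmail-style bounce report."""
    pairs = []
    rcpt = None
    for raw in bounce_text.splitlines():
        line = raw.strip()
        m = re.match(r"^<([^>]+)>$", line)
        if m:
            rcpt = m.group(1).replace("[at]", "@")
            continue
        m = re.match(r"^\(reason: (.*)\)$", line)
        if m and rcpt:
            pairs.append((rcpt, m.group(1)))
            rcpt = None
    return pairs


def is_blocklist_rejection(reason):
    """True when the SMTP reason text points at a DNSBL/blocklist refusal."""
    r = reason.lower()
    return any(hint in r for hint in BLOCKLIST_HINTS)


def blocked_sender_ips(bounce_text):
    """IPs named in blocklist rejections: these are the addresses to look up."""
    ips = set()
    for _, reason in extract_rejections(bounce_text):
        if is_blocklist_rejection(reason):
            ips.update(IPV4_RE.findall(reason))
    return sorted(ips)


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried as <reversed octets>.<zone>, e.g. 1.142.54.208.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone):
    """Live lookup (needs network): the A record if listed, None if not listed."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for ip in blocked_sender_ips(SAMPLE_BOUNCE):
        for zone in DNSBL_ZONES:
            print(ip, zone, dnsbl_query_name(ip, zone), dnsbl_lookup(ip, zone))
```

The point of separating the IP from the recipient is visible in this thread: the listed address is the shared outbound relay the poster sends through, so the listing reflects every sender behind that IP, not the poster's own domain, and the fix lies with the relay's operator rather than with the mailing list.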


There is spam being sent thru that server and the headers do not allow the parser to determine the exact user(s) sending the spam. Reports are being sent to tech[at]tmodns.net There have been nearly 70 instances in less than a week.


It is starting to appear on other DNSbls since the first complaint here of it being blocked, so others are noticing the spam.

http://www.moensted.dk/spam/?addr=208.54.142.1&Submit=Submit

But so far no open relays or open proxy lists.

It was submitted to the MAPS-OPS for proxy testing back in Jul 2003.

The samples on spamcop.net show it definitely is sending spam.

So far my best guess without looking at the headers would be an SMTP AUTH exploit.

A look at the headers would show if it were multi-hop.

If not one of those, then the next guess would be another vulnerability like a web server weakness or a form mail exploit.

-John

Personal Opinion Only



No sign in the headers that it is SMTP/AUTH vs a trojan actually.

There are some with a forged bottom header and some without ... could easily be more than one compromised user behind that IP with more than one type of problem :-(

Sigh
