hpaulh Posted February 27, 2004
These are friends of mine, and members of my mailing list that have asked to be on my list. Yet my domain has been put on a DNS blacklist. Why? Here's the example:

The original message was received at Fri, 27 Feb 2004 07:42:22 -0800 (PST) from [10.253.4.121]

----- The following addresses had permanent fatal errors -----
<dougk[at]thegathering.org>
(reason: 554 The IP Address of the sender (208.54.142.1) was found in a DNS blacklist database and was therefore refused.)
<doug774[at]intergate.com>
(reason: 550 5.7.1 <doug774[at]intergate.com>... Email rejected due to sending server misconfiguration - see http://spamcop.net/w3m?action=checkblock&ip=208.54.142.1)

----- Transcript of session follows -----
... while talking to mail.thegathering.org.:
>>> RCPT To:<dougk[at]thegathering.org>
<<< 554 The IP Address of the sender (208.54.142.1) was found in a DNS blacklist database and was therefore refused.
554 5.0.0 Service unavailable
... while talking to mailgate2.trip.net.:
>>> RCPT To:<doug774[at]intergate.com>
<<< 550 5.7.1 <doug774[at]intergate.com>... Email rejected due to sending server misconfiguration - see http://spamcop.net/w3m?action=checkblock&ip=208.54.142.1
550 5.1.1 <doug774[at]intergate.com>... User unknown
Jeff G. Posted February 27, 2004
Please see http://forum.spamcop.net/forums/index.php?...findpost&p=2724
Ellen Posted February 28, 2004
There is spam being sent thru that server and the headers do not allow the parser to determine the exact user(s) sending the spam. Reports are being sent to tech[at]tmodns.net. There have been nearly 70 instances in less than a week.
WB8TYW Posted February 28, 2004
It is starting to appear on other DNSbls since the first complaint here of it being blocked, so others are noticing the spam. http://www.moensted.dk/spam/?addr=208.54.142.1&Submit=Submit

But so far no open relays or open proxy lists. It was submitted to the MAPS-OPS for proxy testing back in Jul 2003.

The samples on spamcop.net show it definitely is sending spam. So far my best guess without looking at the headers would be an SMTP AUTH exploit. A look at the headers would show if it were multi-hop. If not one of those, then the next guess would be another vulnerability like a web server weakness or a form mail exploit.

-John
Personal Opinion Only
Ellen Posted February 28, 2004
Quoting WB8TYW: "The samples on spamcop.net show it definitely is sending spam. So far my best guess without looking at the headers would be an SMTP AUTH exploit. A look at the headers would show if it were multi-hop. If not one of those, then the next guess would be another vulnerability like a web server weakness or a form mail exploit. -John Personal Opinion Only"

No sign in the headers that it is SMTP/AUTH vs a trojan actually. There are some with a forged bottom header and some without ... could easily be more than one compromised user behind that IP with more than one type of problem :-( Sigh
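The two checks the thread keeps coming back to are (a) is the sending IP on a DNSBL, and (b) what do the Received headers say about the hop behind the listed relay (multi-hop or not, and whether the bottom header names a plausible internal client). The script below is an added example for readers of this thread; it is not code from the thread, from SpamCop or from any of the posters. The sample message is constructed (hostnames under example-sender.test and example-receiver.test are made up), and it reuses the two addresses quoted in the bounce above, 208.54.142.1 for the relay and 10.253.4.121 for the internal client. It assumes bl.spamcop.net as the SpamCop DNSBL zone; the actual DNS lookup is only done when the script is run directly.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample (not from the thread): the receiving MX got the message
# from the relay 208.54.142.1, which in turn claims it got it from a private
# client address 10.253.4.121.
SAMPLE_MESSAGE = """\
Received: from mail.example-sender.test (mail.example-sender.test [208.54.142.1])
\tby mx.example-receiver.test (Postfix) with ESMTP id ABC123
\tfor <user@example-receiver.test>; Fri, 27 Feb 2004 07:42:22 -0800 (PST)
Received: from [10.253.4.121] (unknown [10.253.4.121])
\tby mail.example-sender.test with SMTP; Fri, 27 Feb 2004 07:42:20 -0800 (PST)
From: sender@example-sender.test
To: user@example-receiver.test
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the Received hops top-down (newest first), each as a dict with
    the claimed 'from' host, the bracketed IP the receiving host recorded,
    and the 'by' host that wrote the header."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_ip = IP_RE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def is_multi_hop(hops):
    """More than one Received header means the message was relayed."""
    return len(hops) > 1


def hop_behind(hops, relay_ip):
    """Return the hop immediately below the one where relay_ip delivered the
    message, i.e. the relay's own claim of where it got the message from.
    None if relay_ip is not present or is already the bottom header."""
    for i, hop in enumerate(hops):
        if hop["ip"] == relay_ip:
            return hops[i + 1] if i + 1 < len(hops) else None
    return None


def is_private_ip(ip):
    """RFC 1918 / loopback style addresses: a bottom header naming one of these
    points at a client inside the relay's network rather than an outside host."""
    return ipaddress.ip_address(ip).is_private


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup queries,
    e.g. 208.54.142.1 in zone Z becomes 1.142.54.208.Z."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone):
    """Resolve the DNSBL name: an A record means listed, NXDOMAIN means not.
    Returns the answer address or None. Network call, so kept out of the tests."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    relay = "208.54.142.1"
    hops = received_hops(SAMPLE_MESSAGE)
    print("hops:", hops)
    print("multi-hop:", is_multi_hop(hops))
    behind = hop_behind(hops, relay)
    if behind and behind["ip"]:
        print("relay received from:", behind["ip"],
              "(private)" if is_private_ip(behind["ip"]) else "(public)")
    # Assumed zone: bl.spamcop.net is SpamCop's DNSBL zone.
    print("DNSBL answer:", dnsbl_listed(relay, "bl.spamcop.net"))
```

A private address in the hop behind the relay narrows the search to the relay's own clients, which is the situation the bounce in the first post describes (the original message was received from [10.253.4.121]). If instead the hop behind the relay is missing or names a public host, the message is more likely coming in over SMTP AUTH or through an application on the relay itself.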