ryenchek Posted March 4, 2004

Can anyone help, I've been blacklisted.. here are the details..

A sample sent sometime during the 24 hours beginning Sunday, February 29, 2004 4:00:00 PM -0800:
Received: by -.-.net (-.-.net [63.93.63.194]) with - - - Mon, - Mar 2004 - -
Subject: take online surveys - get paid - hour
From: nz.. at ..t.net

Can I get a report that would tell me what workstation client is actually sending the spam in my network? Can it be e-mailed to abuse[at]haclv.org? Thx for the help in advance..

turetzsr Posted March 4, 2004

Hi, ryenchek!

...Please try SpamCop.net FAQ entries "Help for abuse-desks and administrators", especially "How can I get SpamCop reports about my network?". If you still have questions, please do return here to follow up.

...Good luck.

StevenUnderwood Posted March 5, 2004

It does appear you are now a third party interested for reports about that IP address. Please be forewarned that many people have the third party reports disabled, so you will not get all of them. You may be able to email deputies at admin.spamcop.net to get more details on the current reports.

Good luck

ryenchek Posted March 5, 2004

Steven, I have registered to receive reports but have not gotten any responses and now I have gotten more spam samples. See below..

A sample sent sometime during the 24 hours beginning 02/29/2004 16:00:00 -0800:
Received: by -.-.net (-.-.net [63.93.63.194]) with - - - Mon, - Mar 2004 - -
Subject: take online surveys - get paid - hour
From: nz.. at ..t.net

A sample sent sometime during the 24 hours beginning 03/03/2004 16:00:00 -0800:
Received: by -.-.com (-.-.com [63.93.63.194]) with - - - - Thu, - Mar 2004 - -
Subject: amazingly realistic baby doll
From: 34.. at ..r.com

As far as I know every Windows machine on my network has Symantec Anti-virus on it with the latest updates.. And I have a Linux based e-mail server here that is also virus protected, so I really need a report to isolate my problem.. Can I request these spam reports from deputies at admin.spamcop.net.. Would I send a request to admin[at]spamcop.net? Thanx..

Wazoo Posted March 5, 2004

You can ask, but this isn't the way it normally works. First of all, there are samples provided, these used to be much more complete, but it was seen that certain spammers were using this data to help keep the spew flowing, thus all the obfuscation of details. Normally, the suggestion would be (just as Steve had pointed out) that you contact the ISP that is receiving the complaints. You'd already been advised that even doing the third-party thing might not result in you receiving reports, again, you can thank the spammers for that.

However, the real issue is found in the line: "Been detected sending mail to spam traps" (Though can't ignore the: "this system has been reported about 230 times by about 20 users")

These spamtraps are addresses placed on web pages somewhere, just made for scraping ... never used, never signed up for anything .. and they do not generate complaints. So you might send a note to Deputies at spamcop.net with the issue, and (usually) Ellen will take a look at the database, and make her call on just what info to release. In the past, she's pointed to a compromised machine behind the firewall, sometimes cleaned up a bit of the data to make it easier for the complainant to check their logs, but the actual complete spam, pretty doubtful.

You made a big pitch on the anti-virus tools in place, but they don't handle many Trojans, exploits, etc. One common item is the IP address .. is this your e-mail server? If so, a search of the logs should come across something that would match the partial data seen in the samples, but one would assume you'd have done this already and just forgot to mention it???

Spambo Posted March 5, 2004

It looks to me like abuse[at]haclv.org is getting the reports as requested, and has been all along.

> Steven, I have registered to receive reports but have not gotten any responses and now I have gotten more spam samples. See below..
>
> A sample sent sometime during the 24 hours beginning 02/29/2004 16:00:00 -0800:
> Received: by -.-.net (-.-.net [63.93.63.194]) with - - - Mon, - Mar 2004 - -
> Subject: take online surveys - get paid - hour
> From: nz.. at ..t.net

A page that is available to paying members (presumably by design) has a little more information and it indicates that abuse[at]haclv.org was sent a copy of the above spam report on Tuesday, March 02, 2004 14:16:22 -0600 sent by 745502xxx[at]reports.spamcop.net [1].

> A sample sent sometime during the 24 hours beginning 03/03/2004 16:00:00 -0800:
> Received: by -.-.com (-.-.com [63.93.63.194]) with - - - - Thu, - Mar 2004 - -
> Subject: amazingly realistic baby doll
> From: 34.. at ..r.com

The same page shows abuse[at]haclv.org received a spam report on this issue on Thursday, March 04, 2004 19:10:56 -0600, sent by 752041xxx[at]reports.spamcop.net [1]. However the Subject line of the report that I see is slightly different from the SCBL Output Page.

[1] I've munged the last three digits in the "username" portion of the return address - just in case, however the first 6 digits should be enough for you to locate the reports if the postmaster at haclv.org keeps adequate logs, and/or emails addressed to you don't go straight to the bit bucket.

> As far as I know every Windows machine on my network has Symantec Anti-virus on it with the latest updates.. And I have a Linux based e-mail server here that is also virus protected, so I really need a report to isolate my problem.. Can I request these spam reports from deputies at admin.spamcop.net.. Would I send a request to admin[at]spamcop.net? Thanx..

Unless things have changed recently copies of the reports may not be available. Based on previous statements by an admin and at least two Deputies the SpamCop database deletes message bodies within a very short time after the report is sent. This is because the size of message bodies results in a tremendously huge database since SC processes hundreds of thousands of spam reports every day. Headers are kept for longer though, 30 days IIRC.

Anyway, it appears that abuse[at]haclv.org was a recipient of two of the three reports that you're requesting. There was one "mole" report filed in mid-February that you did not receive since this type of report is used for SC internal purposes and isn't sent to abuse departments.

Ellen Posted March 5, 2004

> Steven, I have registered to receive reports but have not gotten any responses and now I have gotten more spam samples. See below..
>
> A sample sent sometime during the 24 hours beginning 02/29/2004 16:00:00 -0800:
> Received: by -.-.net (-.-.net [63.93.63.194]) with - - - Mon, - Mar 2004 - -
> Subject: take online surveys - get paid - hour
> From: nz.. at ..t.net
>
> A sample sent sometime during the 24 hours beginning 03/03/2004 16:00:00 -0800:
> Received: by -.-.com (-.-.com [63.93.63.194]) with - - - - Thu, - Mar 2004 - -
> Subject: amazingly realistic baby doll
> From: 34.. at ..r.com

The spam is hitting spamtraps *however* I see reports sent to abuse[at]haclv.org on 3/4 and 3/2 and no indication that they are bouncing. In any case here are some partial headers for the latest report on IP 63.93.63.194

Received: from 63-93-63-194.lvgs.mdsg-pacwest.com (HELO srvrdapiaqmqqs06u.dedicatedemailservers.com) (63.93.63.194) by mailgate.cesmail.net with SMTP; 4 Mar 2004 18:00:04 -0000
MIME-Version: 1.0
Received: by srvrdapiaqmqqs06u.dedicatedemailservers.com (srvrdapiaqmqqs06u.dedicatedemailservers.com [63.93.63.194]) with Assemblage Mail Server Pro Thu, 4 Mar 2004 17:53:58 -0500

The HELO is totally bogus and I would guess that either the server or a machine nat'd behind it has a worm/trojan infection.

ryenchek Posted March 5, 2004

Thx for writing back guys, by the way my abuse[at]haclv.org account does not work for reasons unknown and my mailer-daemon does not even bounce back when I send to it.. it's a very strange anomaly, anyway I have registered a new abuse acct: abuse1[at]haclv.org and tested it.. This should work for any future reports.. I will be contacting my ISP for help as well, thx again..

Wazoo Posted March 5, 2004

man, if it ain't one thing, it's another <g> ... good luck!

Noting that you didn't say whether Ellen's input helped at all ...???

ryenchek Posted March 5, 2004

Wazoo,

The IP address is actually our firewall and we have various servers nat'd behind it including our mail server..

Wazoo Posted March 5, 2004

Ouch, I remember asking that a while back ..

> You made a big pitch on the anti-virus tools in place, but they don't handle many Trojans, exploits, etc. One common item is the IP address .. is this your e-mail server? If so, a search of the logs should come across something that would match the partial data seen in the samples, but one would assume you'd have done this already and just forgot to mention it???

and if it's the firewall, the whole dang network is suspect .... I feel for you ... The implications are certainly that one of your users has got a sick machine at this point, probably bypassing your e-mail server, which would explain nothing on the logs ...

Chris Parker Posted March 5, 2004

> Wazoo,
>
> The IP address is actually our firewall and we have various servers nat'd behind it including our mail server..

You might want to download some network sniffing trialware software that would point out any unusual activity, but only if it's currently active... I would agree that you've got a trojan'd machine on your network. I wasn't able to connect up to any mail servers through the firewall.

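An added example, not part of the thread: one way to follow up on the two posts above (a machine bypassing the mail server, and watching the network for unusual activity) is to search the firewall's connection log for inside hosts other than the mail server that try to reach outside hosts on TCP port 25. The log format, the addresses and the INSIDE_NET and MAIL_SERVER values are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this sketch: the inside network and the one host allowed to send mail out.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = "192.168.1.10"

# Constructed log lines ("date time ACTION tcp src:port -> dst:port"); adapt LINE_RE to your firewall.
SAMPLE_LOG = """\
2004-03-04 17:53:41 ALLOW tcp 192.168.1.10:40112 -> 198.51.100.7:25
2004-03-04 17:53:58 ALLOW tcp 192.168.1.57:1043 -> 203.0.113.20:25
2004-03-04 17:53:59 ALLOW tcp 192.168.1.57:1044 -> 203.0.113.21:25
2004-03-04 17:54:02 ALLOW tcp 192.168.1.23:3381 -> 198.51.100.7:80
2004-03-04 17:54:05 ALLOW tcp 192.168.1.23:3390 -> 192.168.1.10:25
2004-03-04 17:54:07 DENY tcp 192.168.1.31:2210 -> 203.0.113.20:25
2004-03-04 17:54:09 ALLOW tcp 192.168.1.57:1045 -> 198.51.100.99:25
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def direct_smtp_senders(log_text, mail_server=MAIL_SERVER, inside=INSIDE_NET):
    """Inside hosts, other than the mail server, that tried to reach outside hosts on TCP/25.

    Blocked attempts count too: a workstation knocking on port 25 is the signal."""
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "25":
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # digits and dots that are not a valid address
        if src not in inside or dst in inside or str(src) == mail_server:
            continue  # not outbound from inside, or the legitimate relay
        attempts[str(src)] += 1
        destinations.setdefault(str(src), set()).add(str(dst))
    return {ip: {"attempts": n, "destinations": len(destinations[ip])}
            for ip, n in attempts.most_common()}

if __name__ == "__main__":
    for ip, stats in direct_smtp_senders(SAMPLE_LOG).items():
        print(ip, stats)
```
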
Wazoo Posted March 5, 2004

been thinking .. the data you may get from your ISP probably won't be much help anyway ... yes, maybe they'll let you see the whole complaint, but this is only going to get you back to the data that Ellen's already provided ... stuff coming from what you said was your firewall ... but then again, the SpamCop parsing engine would have dropped (at this point) assumed non-routable address of the machine spitting out the spew ... but then again, this is something that Ellen would normally have picked up on .. though she did point out the horrible HELO and suggested a behind the scenes machine, so I'm having to guess that the sample spam she looked at doesn't include the "real" source IP ... dang, in the same spot you're in now .. sure would be nice to see the actual spam <g>

Ellen Posted March 6, 2004

The thread is too long and the method for quoting too weird to pick out the one or two lines I wanted to quote but anyway ... If you have changed the address for reports kindly write to us at deputies[at]spamcop.net and tell us what the old address was and the new address is and I'll make the change.

Jeff G. Posted March 6, 2004

> The thread is too long and the method for quoting too weird to pick out the one or two lines I wanted to quote

Have you tried using the "Preview Post" Button to the right of the "Add Reply" Button? It allows you to do inline quoting, but it takes some getting used to.

Ellen Posted March 6, 2004

> > The thread is too long and the method for quoting too weird to pick out the one or two lines I wanted to quote
>
> Have you tried using the "Preview Post" Button to the right of the "Add Reply" Button? It allows you to do inline quoting, but it takes some getting used to.

um no I haven't -- so I will go push it now and see what fabulous thing shows up ...

Wazoo Posted March 7, 2004

oh geeze, she pushed it and .... never came back! Ellen .. Elllen .. can you hear me now? .... <g>

Jeff G. Posted March 7, 2004

Ellen Pushes Button, Ending World As We Know It. Film at 11.

Ellen Posted March 7, 2004

> Ellen Pushes Button, Ending World As We Know It. Film at 11.

Bah nothing as simple as that -- I have what can't be the flu cause the CDC said the flu season is officially over ... so when I can't stand daytime TV any longer I stumble over to the computer and stare at the screen trying to make all those cute letters line up into words and then sensible sentences :-)

<rant> and the weather has been beautiful and I haven't been outside enjoying it ... of course allergy season should arrive 24 hours after I recover from this plague. My mutant camellias however are blooming </rant>

eeek Jeff'll probably move this to social or something so I'd better say something geeky .... um uh hrmmm ok SMTP

Jeff G. Posted March 8, 2004

> > Ellen Pushes Button, Ending World As We Know It. Film at 11.
>
> Bah nothing as simple as that -- I have what can't be the flu cause the CDC said the flu season is officially over ... so when I can't stand daytime TV any longer I stumble over to the computer and stare at the screen trying to make all those cute letters line up into words and then sensible sentences :-)
>
> <rant> and the weather has been beautiful and I haven't been outside enjoying it ... of course allergy season should arrive 24 hours after I recover from this plague. My mutant camellias however are blooming </rant>
>
> eeek Jeff'll probably move this to social or something so I'd better say something geeky .... um uh hrmmm ok SMTP

Ellen, I hope that you recover fully and quickly. The good work that you do in supporting SpamCop Users, Members, Customers, Staff, Reporters, and Reportees is very much appreciated.

<FoodTP>Here's some Chicken Soup.</FoodTP>
