Cale Posted March 2, 2006

About 5 days ago I started getting emails from my clients saying that their email is blocked because of Spamcop. I have been running the same configuration on my email server for at least 2 years without a problem; however, now I'm getting endless problems. This is what the report says:

> 196.15.203.170 listed in bl.spamcop.net (127.0.0.2)
> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.
> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
> Additional potential problems (these factors do not directly result in spamcop listing)
> DNS error: 196.15.203.170 has no reverse dns
> Because of the above problems, express-delisting is not available
> Listing History
> In the past 5.9 days, it has been listed 2 times for a total of 4.8 days

I have TrendMicro enterprise running and it seems to be clear for my server and whole network. There aren't any viruses on at all. We got delisted today, but after a few hours got listed again. Here is a response from Ellen at Spamcop:

> If this is your IP/server then you have a virus/worm infection somewhere in your network or an insecure server being used by spammers and you need to find the compromised machine and disinfect it or you may have a server exploit such as an insecure cgi or php script; an open proxy or an smtp/auth issue where the spammer has cracked a name/password.

If I have an insecure cgi or an smtp/auth issue, how do I fix it? Also, is it possible that I have a DNS problem as stated in the original report? Thanks in advance...
Wazoo Posted March 2, 2006

Telnet response shows:

220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:04:39 +0200

.. which reflects some out of date software ... current version is shown at http://www.merakmailserver.com/ as being 8.3.8 .... Reading the "spiffy" stuff, one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?

How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothing about a firewall ...???

http://www.senderbase.org/?searchBy=ipaddr...=196.15.203.170
Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day ........... 4.5 ... 8539%
Last 30 days ....... 3.1 .... 236%
Average ............ 2.6

I don't quite understand how this kind of traffic increase would be that hard to not see somewhere ...

Hmm, looks like someone has already been working in other areas ...

http://psbl.surriel.com/listing?ip=196.15....PSBL+list+query
Currently listed in PSBL? No.
spam and removal history for 196.15.203.170 (times in UTC):
2006-02-25 21:23:17.458613 received spamtrap mail
2006-02-25 22:18:53.136368 received spamtrap mail
2006-03-02 07:12:47.886267 removed through website

Just as with SpamCop, playing the "get me off the list" without finding/fixing the problem is pretty much a waste of time. Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

03/02/06 07:24:38 Slow traceroute 196.15.203.170
Trace 196.15.203.170 ...
196.43.9.145   RTT: 293ms  TTL:240 (rrba-ip-lir-1-pos-6-1.telkom-ipnet.co.za ok)
196.43.10.66   RTT: 298ms  TTL:240 (ndn-ip-esr-1-fe-1-0-0.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])
196.25.220.54  RTT:1416ms  TTL:240 (select-online-gw.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])
196.15.203.170 RTT: 889ms  TTL:116 (No rDNS)

ns2.zadns.net reports the following MX records:
Preference  Host Name              IP Address
5           mail.selectonline.net  196.15.203.170

http://www.mxtoolbox.com/blacklists.aspx?IP=196.15.203.170
PSBL LISTED - Return codes were: 127.0.0.2 300 656
SPAMCOP LISTED - Blocked - see Detail - Return codes were: 127.0.0.2 2100 609
UCEPROTECTL1 LISTED - Sorry, IP 196.15.203.170 is blacklisted at Level 1 by UCEPROTECT-Network see Detail - Return codes were: 127.0.0.2
Reverse DNS FAILED! This is a problem

http://www.dnsreport.com/tools/dnsreport.c...electonline.net
ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries. The problem MX records are: 170.203.15.196.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)]

http://www.dnsstuff.com/tools/ptr.ch?ip=196.15.203.170
No PTR records exist for 196.15.203.170
Cale (Author) Posted March 2, 2006

EDIT: Ok, I'm totally freaked out at the moment. Panda Online Scan has detected over 20 viruses which Trend (updated up to today) never did. How can this happen? Surely this is the source of my problem???

Thank you for your response. There are a lot of things to be done, judging by your post. I will download the newest version of Merak to get things started, and just as a measure use an online antivirus check to verify that we don't have any viruses on our server. Now onto your post.

> one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?

What is challenge/response? Where can I identify this setting under Merak?

> How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothing about a firewall ...???

I didn't think it pertinent. We have a firewall in place as well and it is functional. Here is some suspicious log file evidence:

209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 <<< HELO thedirtybear.com
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 >>> 250 mail.selectonline.net Hello thedirtybear.com [209.221.40.204], pleased to meet you.
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< MAIL FROM:<halldofortier[at]thedirtybear.com>
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.0 <halldofortier[at]thedirtybear.com>... Sender ok
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< RCPT TO:<kathy[at]selectonline.net>
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.5 <kathy[at]selectonline.net>... User unknown
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 <<< DATA
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 >>> 354 Enter mail, end with "." on a line by itself
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 *** <halldofortier[at]thedirtybear.com> <kathy[at]selectonline.net> 1 3878 00:00:02 OK
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 >>> 250 2.6.0 3878 bytes received in 00:00:02; Message accepted for delivery
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 <<< QUIT
209.221.40.204 [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 Disconnected

and

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 Connected
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:29:07 +0200
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 <<< HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx [209.198.149.186], pleased to meet you.
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 <<< HELO mxtoolbox.com
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com [209.198.149.186], pleased to meet you.
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 <<< MAIL FROM: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 >>> 250 2.1.0 <test[at]mxtoolbox.com>... Sender ok
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< RCPT TO: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 550 5.7.1 <test[at]mxtoolbox.com>... we do not relay <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< QUIT
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 Disconnected

66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 Connected
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:30:54 +0200
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< HELO test.DNSreport.com
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 mail.selectonline.net Hello test.DNSreport.com [66.36.241.109], pleased to meet you.
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< MAIL FROM:<>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 2.1.0 <>... Sender ok
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at]selectonline.net>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <postmaster[at]selectonline.net>... Recipient ok
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<abuse[at]selectonline.net>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <abuse[at]selectonline.net>... User unknown
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at][196.15.203.170]>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 550 5.7.1 <postmaster[at][196.15.203.170]>... we do not relay <>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 <<< RCPT TO:<Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 >>> 550 5.7.1 <Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>... we do not relay <>
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 <<< QUIT
66.36.241.109 [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 Disconnected

> 2006-02-25 21:23:17.458613 received spamtrap mail
> 2006-02-25 22:18:53.136368 received spamtrap mail
> 2006-03-02 07:12:47.886267 removed through website
>
> Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

If you could point me in the right direction in how to do this it would be appreciated. It also seems I have to put in a reverse PTR entry for my IP?? Correct?

PS: It seems you are a bit upset. It might not have occurred to you that I really don't know how to go about fixing my problem. Hence my detailed answers to your post. I really would like to fix it but need some assistance in doing so. Thank you very much.
Telarin Posted March 2, 2006

Don't take Wazoo's short answers as him being upset; it's not unusual in a forum like this to get answers of that nature. It's not intended to be rude, just direct and to the point.

You can read more about Challenge/Response and other Auto-Responder problems here: http://www.spamcop.net/fom-serve/cache/329.html#CR

That would be one place to start. However, from what Ellen told you, I don't think that is your problem, as she would have immediately noticed C/R or NDR messages as a problem.

An insecure script can be any script on a webpage that allows users of your website to send mail to anywhere else. Many of these scripts will have the TO address in a hidden field on the form, which means that a malicious user can change it and submit to any to address they like. You need to make sure that any form-to-mail scripts you are using have a hard-coded to address.

The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (your connectivity provider, usually) and have them put in the correct PTR record for your server.
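The form-to-mail weakness Telarin describes, shown as an added example (not code from this thread or from any real product): a handler that trusts a hidden "to" field beside one that hard-codes the recipient. The form dictionary, addresses at example.com/example.org and the function names are all constructed for illustration; the CR/LF check in the hardened version is an extra guard against smuggling additional headers through user-supplied fields.

```python
from email.message import EmailMessage

# Constructed form submission, as the web server would hand it to the script.
# The HTML form carried "to" in a hidden field; a user has rewritten it.
FORM_FROM_ATTACKER = {
    "to": "anyone@example.net",        # was "sales@example.com" in the HTML
    "name": "Someone",
    "email": "someone@example.org",
    "message": "Buy now!",
}

SITE_RECIPIENT = "sales@example.com"   # the only address the form should reach


def build_message_vulnerable(form: dict) -> EmailMessage:
    """Trusts the hidden 'to' field: the script becomes a relay for anyone."""
    msg = EmailMessage()
    msg["To"] = form["to"]
    msg["From"] = form["email"]
    msg["Subject"] = "Website contact from " + form["name"]
    msg.set_content(form["message"])
    return msg


def _clean_header_value(value: str) -> str:
    """Reject CR/LF so user input cannot append extra headers (Bcc, To, ...)."""
    if "\r" in value or "\n" in value:
        raise ValueError("header injection attempt")
    return value.strip()


def build_message_hardened(form: dict) -> EmailMessage:
    """Ignores any submitted recipient and validates the header fields it uses."""
    msg = EmailMessage()
    msg["To"] = SITE_RECIPIENT                        # never taken from the form
    msg["From"] = "webform@example.com"               # fixed sender identity
    msg["Reply-To"] = _clean_header_value(form.get("email", ""))
    msg["Subject"] = "Website contact from " + _clean_header_value(form.get("name", ""))
    msg.set_content(form.get("message", ""))
    return msg
```

Both functions return the message instead of sending it, so the difference in the To header can be inspected directly.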
Merlyn Posted March 2, 2006

> I really would like to fix it but need some assistance in doing so. Thank you very much.

As you are already aware that this is a bad problem and you do not know what to do, it would probably be very productive to hire someone that is competent in this area; otherwise your server(s) will keep bombarding the web with needless and unwanted junk. Good luck.
Jeff G. Posted March 2, 2006

> The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (Your connectivity provider usually) and have them put in the correct PTR record for your server.

Cale: The reverse address for your mailserver "196.15.203.170" is "170.203.15.196.in-addr.arpa". There is no PTR Record for "170.203.15.196.in-addr.arpa". "170.203.15.196.in-addr.arpa" is in a zone "203.15.196.in-addr.arpa" run by Telkom SA's dnsadmin[at]saix.net which has not been updated since December 27th, 2005, as follows:

C:\>dig @igubu.saix.net 170.203.15.196.in-addr.arpa ptr

; <<>> DiG 9.2.3 <<>> @igubu.saix.net 170.203.15.196.in-addr.arpa ptr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;170.203.15.196.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
203.15.196.in-addr.arpa. 3600 IN SOA localhost.203.15.196.in-addr.arpa. dnsadmin.saix.net. 2005122701 10800 3600 604800 3600

;; Query time: 701 msec
;; SERVER: 196.25.1.1#53(igubu.saix.net)
;; WHEN: Thu Mar 02 09:57:59 2006
;; MSG SIZE  rcvd: 108

When discussing this issue with Telkom SA, please ask them to see http://forum.spamcop.net/forums/index.php?...027entry36027 and to put a proper nameserver name in their SOA Record. Thanks!
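The checks Jeff G. walks through above, as an added example that is not part of this thread: derive the in-addr.arpa name for an address and read the same facts off a dig PTR answer (rcode, answer count, the SOA MNAME placeholder and the date encoded in the serial). The first sample is the dig output from the post; the second is a constructed answer showing what a fixed record would look like, and the function names are hypothetical.

```python
import ipaddress
import re

# Sample dig output as shown in Jeff G.'s post (no PTR, NXDOMAIN).
DIG_NO_PTR = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;170.203.15.196.in-addr.arpa.   IN      PTR
;; AUTHORITY SECTION:
203.15.196.in-addr.arpa. 3600 IN SOA localhost.203.15.196.in-addr.arpa. dnsadmin.saix.net. 2005122701 10800 3600 604800 3600
"""

# Constructed sample of a healthy answer once a PTR record exists.
DIG_WITH_PTR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
170.203.15.196.in-addr.arpa. 3600 IN PTR mail.selectonline.net.
"""


def reverse_name(ip: str) -> str:
    """196.15.203.170 -> 170.203.15.196.in-addr.arpa (octets reversed)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def ptr_status(dig_text: str) -> dict:
    """Summarise a dig PTR query: rcode, PTR target and SOA details."""
    rcode = re.search(r"status: (\w+)", dig_text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    # the question line has nothing after PTR, so require a real target
    ptr = re.search(r"\s+IN\s+PTR\s+([^;\s]\S*)", dig_text)
    soa = re.search(r"\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)", dig_text)
    serial = soa.group(3) if soa else ""
    return {
        "has_ptr": rcode == "NOERROR" and answers > 0,
        "rcode": rcode,
        "ptr_target": ptr.group(1) if ptr and answers > 0 else None,
        "soa_mname": soa.group(1) if soa else None,
        # an MNAME of localhost.<zone> is the placeholder Jeff G. asks Telkom to replace
        "mname_bogus": soa.group(1).startswith("localhost.") if soa else False,
        # YYYYMMDDnn serials encode the date of the last zone edit
        "serial_date": f"{serial[:4]}-{serial[4:6]}-{serial[6:8]}" if len(serial) == 10 else None,
    }
```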
Jeff G. Posted March 2, 2006

All of the about 11-20 incidents regarding 196.15.203.170 appear to be Spamtrap hits.