Jump to content

Can anyone help me figure out why We were blocked


TimD
 Share

Recommended Posts

We were blacklisted this morning. I have been trying to track this down all day, and I'm getting nowhere. I have been able to track down the following:

This is the message we get when sending mail - 451 Blocked - see http://www.spamcop.net/bl.shtml?66.43.182.194

On the blacklist page the timer was 5 hours before we were removed, since 2PM EST, the following is listed on the spamcop page. 66.43.182.194 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

I have called my ISP, USLEC and they confiremed that they use SPAMCOP and some other spam list to control spam.

USLEC is the controller of my Mail server.

I am trying to see if a user of our mailboxes were effected by a virus, or sent out the spam. I can track down that mailbox and stop that from happening. Or if it was a configuration error on the mailserver, that I do not control, is what got us blacklisted.

Any help in finding out either what mailbox is causing this, so I can address the issue, and not loose 8 hours of sending mail at our company.

Thanks in advance,

Tim

Link to comment
Share on other sites

I am trying to see if a user of our mailboxes were effected by a virus, or sent out the spam.  I can track down that mailbox and stop that from happening.  Or if it was a configuration error on the mailserver, that I do not control, is what got us blacklisted.

Any help in finding out either what mailbox is causing this, so I can address the issue, and not loose 8 hours of sending mail at our company.

40909[/snapback]

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

As a paid reporter, I can see a summary of user reports but the system is showing none. This means you will need to contact the deputies[at]spamcop.net via email or using the contact information available on this site (sorry, not home so don't have my standard templates available).

Is host 66.43.182.194 = uslec-66-43-182-194.cust.uslec.net your mail servers IP address on the internet, the IP address of a user machine (or machines NAT behind this address), or both? Very few viruses send out email through the official mail servers, most running their own service they can control. I am not getting an SMTP connection trying to reach it. It it is an end user machine, you should be using your mail server (or ISP's mail server) to send mail as many ISP's block addresses that look like they are in dial-up space.

Link to comment
Share on other sites

Is host 66.43.182.194 = uslec-66-43-182-194.cust.uslec.net your mail servers IP address on the internet, the IP address of a user machine (or machines NAT behind this address), or both?  Very few viruses send out email through the official mail servers, most running their own service they can control.  I am not getting an SMTP connection trying to reach it.  It it is an end user machine, you should be using your mail server (or ISP's mail server) to send mail as many ISP's block addresses that look like they are in dial-up space.

40914[/snapback]

Thanks for the info about sending them the e-mail. I have just sent it.

The host 66.43.182.194, machines are NATed behind this address. I'm guessing that a host on that network may have been spamming mail? How do I track that down? or would that info be provided by the deputies?

Thanks,

Tim

Link to comment
Share on other sites

While you wait for the SpamCop Deputies to respond, you could look at your logs from your NAT and firewall for connections from the inside to Port 25 somewhere outside.

Edited by Jeff G.
Link to comment
Share on other sites

Thanks for the info about sending them the e-mail.  I have just sent it.

The host 66.43.182.194, machines are NATed behind this address.  I'm guessing that a host on that network may have been spamming mail?  How do I track that down?  or would that info be provided by the deputies?

40915[/snapback]

This is such a new kid on the block that the senderbase statistics are not helpful. First message seen from this IP only two weeks ago so I'm guessing this is a new set-up? Spamtrap-only hits suggest non-deivery, out-of-office or other post-SMTP 'bounces'. Tell us more about your set up, number of machines behind the server, server software etc. and we may be able to offer some suggestions.

If Steven can't telnet into it it doesn't look like a regular compromised server.

EDIT: re-reading all that I guess what I'm really asking is: is that machine meant to be sending email to the world or not? Could there be something in the way it is configured that leads to the SpamCop algoithm identifying the wrong culprit? As (I think) Steven said, it looks mightily like dynamic space: OTOH there are nearly 500 IP addresses owned by that outfit that have sent mail at one time or another.

Edited by Derek T
Link to comment
Share on other sites

Got a call from the ISP on Sayurday, stating that everthing is fine.

But when I get into the office, we are blacklisted again!!

To answer some of the questions eariler, there are about 200 hosts behind that IP being NATed to the internet. NO mailservers in our network.

I;m leaning toward a host sending out messages, but no response from the deputies yet, and I've got 50MB of logs each day to go through.

Your suggestions have been helpful so far, anyone got any more to point me in the right direction?

Thanks,

Tim

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...