wantedz Posted April 6, 2006

Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it? Help appreciated.

on 05/04/2006 05:59 PM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228
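The rejection above is the receiving MX consulting a DNS blocklist for the client IP. Checking a listing yourself is a DNS query: reverse the octets, append the zone, and read the 127.0.0.x answer (no answer means not listed). The following is an added example, not code from the original post or from SpamCop; `bl.example.invalid` and the answer table are constructed so the logic runs offline, and the resolver is injected so the same functions work against a real zone with `socket.gethostbyname`. It also performs the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not), which catches a dead or wildcarded zone that would otherwise look like "everything is listed".

```python
"""Check an IPv4 address against a DNSBL such as bl.spamcop.net.

Added example, not from the original post. Query-name construction and the
127.0.0.x answer convention follow RFC 5782; the resolver is a parameter so
the logic can be exercised offline with a constructed answer table.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# A resolver maps a hostname to its A record, or raises socket.gaierror
# when the name does not exist (the DNSBL "not listed" case).
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 228.16.211.196.bl.spamcop.net."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def lookup(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the DNSBL answer (127.0.0.x) if the IP is listed, else None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # A sane DNSBL answers only inside 127.0.0.0/8; anything else means a
    # wildcarded, hijacked or lapsed zone, so refuse to interpret it.
    if not ipaddress.ip_address(answer).is_loopback:
        raise RuntimeError(f"unexpected DNSBL answer {answer} from {zone}")
    return answer


def zone_is_sane(zone: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    return (lookup("127.0.0.2", zone, resolve) is not None
            and lookup("127.0.0.1", zone, resolve) is None)


def check(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> str:
    """Return 'listed', 'not-listed', or 'zone-unusable' for ip in zone."""
    if not zone_is_sane(zone, resolve):
        return "zone-unusable"
    return "listed" if lookup(ip, zone, resolve) else "not-listed"


# Constructed answers standing in for real DNS. 196.211.16.228 is the IP from
# the thread; bl.example.invalid is a hypothetical zone, not a real DNSBL.
FAKE_ZONE: Dict[str, str] = {
    "2.0.0.127.bl.example.invalid": "127.0.0.2",
    "228.16.211.196.bl.example.invalid": "127.0.0.2",
}


def fake_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}")


def wildcard_resolver(name: str) -> str:
    """Models a zone that answers every query, which the sanity test must reject."""
    return "127.0.0.2"


if __name__ == "__main__":
    print(check("196.211.16.228", "bl.example.invalid", fake_resolver))
```

Against the real zone, call `check("196.211.16.228", "bl.spamcop.net")` with the default resolver. The zone sanity test matters in practice: a blocklist that has shut down and wildcarded its zone will answer for every query, and a mail server still consulting it rejects all inbound mail.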
Derek T Posted April 6, 2006

> Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?
> <octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228

There are no human reports for that server which suggests spamtrap hits. Listing now aged-off. HOWEVER, can you explain a 67-fold increase in traffic from that server? Looks like a trojan or SMTP/AUTH hack to me.

Report on IP address: 196.211.16.228
Volume Statistics for this IP

              Magnitude  Vol Change vs. Average
Last day      3.2        6777%
Last 30 days  1.8        218%
Average       1.3
wantedz Posted April 6, 2006 (Author)

> HOWEVER, can you explain a 67-fold increase in traffic from that server? Looks like a trojan or SMTP/AUTH hack to me.

We only started to use the IP three days ago.
Derek T Posted April 6, 2006

> We only started to use the IP three days ago.

OK, thanks! My next-best guess is post-facto NDRs, OOOs etc. If you must reject, do it with a 5xx code at the time of the SMTP transaction.
Wazoo Posted April 6, 2006

Problems, confusion, weird stuff ....

http://www.senderbase.org/?searchBy=ipaddr...=196.211.16.228 shows:

Date of first message seen from this address: 2006-04-03
Volume Statistics for this IP

              Magnitude  Vol Change vs. Average
Last day      3.2        6983%
Last 30 days  1.8        219%
Average       1.3

However, the assignment data is showing only as AfriNIC - www.afrinic.net and Domain unknown.

Started with a trace route ...

04/06/06 06:22:03 Slow traceroute 196.211.16.228
Trace 196.211.16.228 ...
196.26.96.197    RTT: 615ms  TTL: 48  (cdsl1-rba-gi0-2.isdsl.net ok)
196.36.80.213    RTT: 613ms  TTL: 48  (clns2-rba.isdsl.net ok)
196.211.137.242  RTT: 956ms  TTL: 48  (No rDNS)
* * * failed
* * * failed

OK, tried a Telnet connection - no connection made.

So I looked up the user's registration details to perhaps come up with a Domain involved, to try to sort out what MX was actually involved:

http://co.za/cgi-bin/whois.sh?Domain=3gi&Enter=Enter

2005-04-01| R | 50.00|deon[at]bdse.co.za |2005-05-06| 2 | 436853|B&D System Engineers =
2006-04-03| R | 50.00|deon[at]bdse.co.za | NOT PAID | 1 | 567543|B&D System Engineers =

Noting that this history dates back to 2000-03-28 ....???

asterix.bdse.co.za reports the following MX records:

Preference  Host Name            IP Address      TTL
10          mxscan02.bdse.net    196.34.229.60   3600
20          mxscan01.bdse.net    196.36.136.221  3600
50          dogmatix.bdse.co.za  196.34.229.60   3600

None of these are the IP in question .... maybe I just need more coffee?
Telarin Posted April 6, 2006

If it is indeed spamtrap hits as Derek has indicated, you would need to contact deputies[at]admin.spamcop.net to get any more information on what is hitting them.

As far as volume goes, SenderBase is showing a current estimated volume of around 1500 email messages per day. If that sounds like about what you expect, then you probably don't have a trojanned machine, as they will generally send that many every hour or so.

My guess would be a misconfigured server that is sending NDRs to the envelope "FROM:" address after it has already accepted the message for delivery to a non-existent user. Automated replies such as Challenge/Response systems and Out of Office replies can cause this problem as well. The deputies should be able to tell you exactly what types of messages are finding their way to the spamtraps.
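The failure mode Derek and Telarin describe (accept the message, discover the recipient does not exist, then mail an NDR to a forged envelope sender) is easiest to see with both sides of the transaction written out. The following is an added example, not code from the original thread or from any mail server product: a small in-memory SMTP state machine with no sockets, run under the two policies, so you can count how many bounces would leave the site for the same forged-sender message. `example.invalid`, `spamtrap.example.invalid` and the user list are constructed.

```python
"""Accept-then-bounce versus reject-at-RCPT, simulated.

Added example, not from the original post. Models a minimal SMTP server
receiving a message for a non-existent user under two policies and counts
the NDRs that would be sent to the (forged) envelope sender. Everything
here is in-memory; domains and users are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed list of deliverable local mailboxes on the simulated MX.
KNOWN_USERS = {"alice@example.invalid", "bob@example.invalid"}


@dataclass
class Session:
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    body: List[str] = field(default_factory=list)
    in_data: bool = False


@dataclass
class Server:
    reject_unknown_at_rcpt: bool                       # the policy under test
    queue: List[dict] = field(default_factory=list)    # messages delivered locally
    bounces: List[dict] = field(default_factory=list)  # NDRs that would leave the site

    def handle(self, s: Session, line: str) -> str:
        """Process one client line and return the server reply ('' while in DATA)."""
        if s.in_data:
            if line == ".":
                s.in_data = False
                return self._end_of_data(s)
            s.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.invalid"
        if verb == "MAIL":
            s.mail_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            if self.reject_unknown_at_rcpt and rcpt not in KNOWN_USERS:
                # 5xx inside the transaction: the sending MTA owns the failure
                # and nothing is ever accepted, so nothing can be bounced later.
                return f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"
            s.rcpt_to.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not s.rcpt_to:
                return "503 5.5.1 Error: need RCPT command"
            s.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _end_of_data(self, s: Session) -> str:
        for rcpt in s.rcpt_to:
            if rcpt in KNOWN_USERS:
                self.queue.append({"to": rcpt, "from": s.mail_from})
            elif s.mail_from:
                # Accept-then-bounce: the NDR goes to whatever MAIL FROM claimed.
                # For spam that is a forged or spamtrap address: backscatter.
                self.bounces.append({"to": s.mail_from, "about": rcpt})
            # A null reverse path (MAIL FROM:<>) is never bounced, avoiding loops.
        return "250 2.0.0 Ok: queued"


def deliver(server: Server, mail_from: str, rcpt: str,
            body: List[str]) -> List[Tuple[str, str]]:
    """Drive a well-behaved client through one transaction; return (sent, reply) pairs."""
    s = Session()
    log: List[Tuple[str, str]] = []

    def send(line: str) -> str:
        reply = server.handle(s, line)
        log.append((line, reply))
        return reply

    send("EHLO sender.example.invalid")
    send(f"MAIL FROM:<{mail_from}>")
    if send(f"RCPT TO:<{rcpt}>").startswith("5"):
        send("QUIT")  # permanent failure reported to the sender, no message accepted
        return log
    send("DATA")
    for line in body:
        send(line)
    send(".")
    send("QUIT")
    return log


def backscatter_count(reject_at_rcpt: bool) -> int:
    """Send one forged-sender message to a non-existent user; count NDRs generated."""
    server = Server(reject_unknown_at_rcpt=reject_at_rcpt)
    deliver(server, "trap@spamtrap.example.invalid", "nobody@example.invalid",
            ["Subject: constructed spam sample", "", "buy now"])
    return len(server.bounces)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"reject_at_rcpt={policy}: bounces={backscatter_count(policy)}")
```

The difference is entirely in where the "user unknown" decision is made. With `reject_unknown_at_rcpt=True` the sending MTA sees the 550 and either reports it to its own user or, if it was a spambot, ignores it; the receiving site never emits a message. With it set to `False` the site itself becomes the sender of one unsolicited NDR per forged message, which is exactly what a spamtrap records against the site's outbound IP.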
Jeff G. Posted April 6, 2006

> Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?

No, sorry. Spammers ruined that feature.
Jeff G. Posted April 6, 2006

04/06/06 14:21:51 whois 196.211.16.228[at]whois.afrinic.net
whois -h whois.afrinic.net 196.211.16.228 ...

% This is the AfriNIC Whois server.
% Information related to '196.208.0.0 - 196.211.255.255'

inetnum:      196.208.0.0 - 196.211.255.255
netname:      TIS-20050812
descr:        Internet Solutions
descr:        The Campus, 57 Sloane Street
descr:        Bryanston
descr:        Johannesburg
descr:        Gauteng
descr:        2021
country:      ZA
org:          ORG-TIS1-AFRINIC
admin-c:      ZT12-AFRINIC
tech-c:       ZT12-AFRINIC
status:       ALLOCATED PA
remarks:      +-------------------------------------+
remarks:      | Further assignment information is   |
remarks:      | available in the Internet Solutions |
remarks:      | whois database:                     |
remarks:      |                                     |
remarks:      | http://whois.is.co.za               |
remarks:      +-------------------------------------+
mnt-by:       AFRINIC-HM-MNT
mnt-lower:    TF-LALISHA-MNT
changed:      hostmaster[at]afrinic.net 20050812
changed:      hostmaster[at]afrinic.net 20050812
source:       AFRINIC
parent:       196.0.0.0 - 196.255.255.255

organisation: ORG-TIS1-AFRINIC
org-name:     Internet Solutions
org-type:     LIR
address:      The Internet Solution
address:      The Campus, 57 Sloane Street
address:      Bryanston
address:      Johannesburg
address:      Gauteng
address:      2021
country:      ZA
e-mail:       netadmin[at]is.co.za
admin-c:      LS1-AFRINIC
tech-c:       LS1-AFRINIC
tech-c:       ZT12-AFRINIC
remarks:      abuse e-mail: <abuse[at]is.co.za>, phone: +27 11 575 0055
mnt-ref:      TF-LALISHA-MNT
mnt-by:       AFRINIC-HM-MNT
changed:      hostmaster[at]arin.net 19940613
changed:      hostmaster[at]arin.org 20030714
changed:      hostmaster[at]afrinic.net 20050221
changed:      hostmaster[at]afrinic.net 20050818
source:       AFRINIC

person:       IS Hostmaster
address:      The Campus, 57 Sloane Street
address:      Bryanston
address:      Johannesburg
address:      Gauteng
address:      2021
phone:        +27(11) 5750550
fax-no:       +27(11) 5760550
e-mail:       hostmaster[at]is.co.za
notify:       hostmaster[at]is.co.za
org:          ORG-TIS1-AFRINIC
nic-hdl:      ZT12-AFRINIC
notify:       hostmaster[at]is.co.za
changed:      hostmaster[at]is.co.za 20050712
source:       AFRINIC

04/06/06 14:22:56 whois 196.211.16.228[at]whois.is.co.za
whois -h whois.is.co.za 196.211.16.228 ...

Your WHOIS search for '196.211.16.228' yielded the following results:

inetnum:      196.211.16.224/29 (196.211.16.224 - 196.211.16.231)
netname:      ISDSL (Reserved)
descr:        c/o Internet Solutions
descr:        The Campus, 57 Sloane Street
descr:        Bryanston
descr:        Johannesburg
descr:        Gauteng
descr:        2021
country:      ZA
admin-c:      ZT12-AFRINIC
tech-c:       ZT12-AFRINIC
status:       ALLOCATED PA
remarks:      ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
mnt-by:       LS1-AFRINIC
mnt-lower:    n/a
changed:      netadmin[at]is.co.za (Wed Oct 26 16:02:08 2005)
source:       Internet Solutions IPDB

organisation:
org-name:     Internet Solutions
org-type:     LIR
address:      Internet Solutions
address:      The Campus, 57 Sloane Street
address:      Bryanston
address:      Johannesburg
address:      Gauteng
address:      2021
country:      ZA
e-mail:       netadmin[at]is.co.za
admin-c:      ZT12-AFRINIC
tech-c:       ZT12-AFRINIC
remarks:      abuse e-mail: abuse[at]is.co.za, phone: +27 11 575 0055
mnt-ref:      n/a
mnt-by:       LS1-AFRINIC
source:       Internet Solutions IPDB

person:       Internet Solutions
address:      The Campus, 57 Sloane Street
address:      Bryanston
address:      Johannesburg
address:      Gauteng
address:      2021
address:      ZA
phone:        +27 11 575 1000
e-mail:       netadmin[at]is.co.za
nic-hdl:      ZT12-AFRINIC
source:       Internet Solutions IPDB