
Why is it listed


wantedz


Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?

Help appreciated

on 05/04/2006 05:59 PM

There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

<octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228


> Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?
>
> <octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228

There are no human reports for that server which suggests spamtrap hits. Listing now aged-off.

HOWEVER can you explain a 67-fold increase in traffic from that server? Looks like a trojan or SMTP/AUTH hack to me.

Report on IP address: 196.211.16.228

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.2         6777%
Last 30 days    1.8         218%
Average         1.3


> We only started to use the IP three days ago

OK, thanks!

My next-best guess is post-facto NDRs, OOOs etc. If you must reject, do it with a 5xx code at the time of the SMTP transaction.


Problems, confusion, weird stuff ....

http://www.senderbase.org/?searchBy=ipaddr...=196.211.16.228 shows:

Date of first message seen from this address: 2006-04-03

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.2         6983%
Last 30 days    1.8         219%
Average         1.3

However, the assignment data is showing only as AfriNIC - www.afrinic.net and Domain unknown

started with a trace route ...

04/06/06 06:22:03 Slow traceroute 196.211.16.228

Trace 196.211.16.228 ...

196.26.96.197 RTT: 615ms TTL: 48 (cdsl1-rba-gi0-2.isdsl.net ok)

196.36.80.213 RTT: 613ms TTL: 48 (clns2-rba.isdsl.net ok)

196.211.137.242 RTT: 956ms TTL: 48 (No rDNS)

* * * failed

* * * failed

OK, tried a Telnet connection - no connection made

So looked up the user's registration details to perhaps come up with a Domain involved to try to sort out what MX was actually involved:

http://co.za/cgi-bin/whois.sh?Domain=3gi&Enter=Enter

2005-04-01| R | 50.00|deon[at]bdse.co.za |2005-05-06| 2 | 436853|B&D System Engineers =

2006-04-03| R | 50.00|deon[at]bdse.co.za | NOT PAID | 1 | 567543|B&D System Engineers =

Noting that this history dates back to 2000-03-28 ....???

asterix.bdse.co.za reports the following MX records:

Preference  Host Name            IP Address      TTL
10          mxscan02.bdse.net    196.34.229.60   3600
20          mxscan01.bdse.net    196.36.136.221  3600
50          dogmatix.bdse.co.za  196.34.229.60   3600

none of these are the IP in question ....

maybe I just need more coffee?


If it is indeed spamtrap hits as Derek has indicated, you would need to contact deputies[at]admin.spamcop.net to get any more information on what is hitting them.

As far as volume goes, senderbase is showing a current estimated volume of around 1500 email messages per day. If that sounds like about what you expect, then you probably don't have a trojanned machine, as they will generally send that many every hour or so.

My guess would be a misconfigured server that is sending NDRs to the envelope "FROM:" address after it has already accepted the message for delivery to a non-existent user.

Automated replies such as Challenge/Response systems and Out of Office replies can cause this problem as well.

The deputies should be able to tell you exactly what types of messages are finding their way to the spamtraps.
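As an added example (not code from any poster in this thread), the Python below parses the 554 reject quoted in the first post, builds the reversed-octet DNSBL query name that the receiving server would have looked up under bl.spamcop.net, and converts the SenderBase magnitudes into the estimated daily volume and fold-change discussed in the replies. SAMPLE_REJECT is the quoted reject line reused as constructed sample input; the function names are my own.

```python
import re
from ipaddress import IPv4Address

# Constructed sample input: the 554 reject quoted in the first post.
SAMPLE_REJECT = (
    "<octagon.za.com #5.5.0 smtp;554 Service unavailable; "
    "Client host [196.211.16.228] blocked using bl.spamcop.net; "
    "Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228"
)

REJECT_RE = re.compile(
    r"smtp;(?P<code>\d{3}) .*?"            # SMTP reply code (5xx = permanent reject)
    r"Client host \[(?P<ip>[\d.]+)\] "     # the IP the receiver saw the connection from
    r"blocked using (?P<zone>[\w.-]+);"    # the DNSBL zone that produced the hit
)


def parse_dnsbl_reject(text):
    """Extract SMTP code, rejected client IP and DNSBL zone from a reject line.
    Returns None when the line is not a DNSBL-style reject."""
    m = REJECT_RE.search(text)
    if not m:
        return None
    return {"code": int(m.group("code")), "ip": m.group("ip"), "zone": m.group("zone")}


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the list zone:
    196.211.16.228 on bl.spamcop.net -> 228.16.211.196.bl.spamcop.net (A record)."""
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address() rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def magnitude_to_daily_volume(magnitude):
    """SenderBase magnitude is log10 of the estimated messages per day, so a
    magnitude of 3.2 is about 10**3.2 ~ 1585 messages/day (the ~1500/day the
    reply above quotes)."""
    return round(10 ** magnitude)


def fold_change(current, average):
    """Multiple of the average volume implied by two magnitudes. The displayed
    magnitudes are rounded to one decimal, so 3.2 vs 1.3 gives ~79x while
    SenderBase's own 6777% (~68x) came from unrounded values."""
    return 10 ** (current - average)
```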


> Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?

No, sorry. Spammers ruined that feature.

04/06/06 14:21:51 whois 196.211.16.228[at]whois.afrinic.net

whois -h whois.afrinic.net 196.211.16.228 ...

% This is the AfriNIC Whois server.

% Information related to '196.208.0.0 - 196.211.255.255'

inetnum: 196.208.0.0 - 196.211.255.255

netname: TIS-20050812

descr: Internet Solutions

descr: The Campus, 57 Sloane Street

descr: Bryanston

descr: Johannesburg

descr: Gauteng

descr: 2021

country: ZA

org: ORG-TIS1-AFRINIC

admin-c: ZT12-AFRINIC

tech-c: ZT12-AFRINIC

status: ALLOCATED PA

remarks: +-------------------------------------+

remarks: | Further assignment information is |

remarks: | available in the Internet Solutions |

remarks: | whois database: |

remarks: | |

remarks: | http://whois.is.co.za |

remarks: +-------------------------------------+

mnt-by: AFRINIC-HM-MNT

mnt-lower: TF-LALISHA-MNT

changed: hostmaster[at]afrinic.net 20050812

changed: hostmaster[at]afrinic.net 20050812

source: AFRINIC

parent: 196.0.0.0 - 196.255.255.255

organisation: ORG-TIS1-AFRINIC

org-name: Internet Solutions

org-type: LIR

address: The Internet Solution

address: The Campus, 57 Sloane Street

address: Bryanston

address: Johannesburg

address: Gauteng

address: 2021

country: ZA

e-mail: netadmin[at]is.co.za

admin-c: LS1-AFRINIC

tech-c: LS1-AFRINIC

tech-c: ZT12-AFRINIC

remarks: abuse e-mail: <abuse[at]is.co.za>, phone: +27 11 575 0055

mnt-ref: TF-LALISHA-MNT

mnt-by: AFRINIC-HM-MNT

changed: hostmaster[at]arin.net 19940613

changed: hostmaster[at]arin.org 20030714

changed: hostmaster[at]afrinic.net 20050221

changed: hostmaster[at]afrinic.net 20050818

source: AFRINIC

person: IS Hostmaster

address: The Campus, 57 Sloane Street

address: Bryanston

address: Johannesburg

address: Gauteng

address: 2021

phone: +27(11) 5750550

fax-no: +27(11) 5760550

e-mail: hostmaster[at]is.co.za

notify: hostmaster[at]is.co.za

org: ORG-TIS1-AFRINIC

nic-hdl: ZT12-AFRINIC

notify: hostmaster[at]is.co.za

changed: hostmaster[at]is.co.za 20050712

source: AFRINIC

04/06/06 14:22:56 whois 196.211.16.228[at]whois.is.co.za

whois -h whois.is.co.za 196.211.16.228 ...

Your WHOIS search for '196.211.16.228' yielded the following results:

inetnum: 196.211.16.224/29 (196.211.16.224 - 196.211.16.231)

netname: ISDSL (Reserved)

descr: c/o Internet Solutions

descr: The Campus, 57 Sloane Street

descr: Bryanston

descr: Johannesburg

descr: Gauteng

descr: 2021

country: ZA

admin-c: ZT12-AFRINIC

tech-c: ZT12-AFRINIC

status: ALLOCATED PA

remarks: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

mnt-by: LS1-AFRINIC

mnt-lower: n/a

changed: netadmin[at]is.co.za (Wed Oct 26 16:02:08 2005)

source: Internet Solutions IPDB

organisation:

org-name: Internet Solutions

org-type: LIR

address: Internet Solutions

address: The Campus, 57 Sloane Street

address: Bryanston

address: Johannesburg

address: Gauteng

address: 2021

country: ZA

e-mail: netadmin[at]is.co.za

admin-c: ZT12-AFRINIC

tech-c: ZT12-AFRINIC

remarks: abuse e-mail: abuse[at]is.co.za, phone: +27 11 575 0055

mnt-ref: n/a

mnt-by: LS1-AFRINIC

source: Internet Solutions IPDB

person: Internet Solutions

address: The Campus, 57 Sloane Street

address: Bryanston

address: Johannesburg

address: Gauteng

address: 2021

address: ZA

phone: +27 11 575 1000

e-mail: netadmin[at]is.co.za

nic-hdl: ZT12-AFRINIC

source: Internet Solutions IPDB
