michaelmanzini Posted July 28, 2006 Share Posted July 28, 2006 Hi all, First of all, some information about the host. ####################################### srv.sensordobrasil.com.br. [201.28.110.218] [TTL=86400] [bR] srv1.sensordobrasil.com.br. [201.28.110.219] [TTL=86400] [bR] rDNS host 201.28.110.218 218.110.28.201.in-addr.arpa domain name pointer mail.sensordobrasil.com.br. host mail.sensordobrasil.com.br mail.sensordobrasil.com.br has address 201.28.110.218 SPF Record "v=spf1 ip4:201.28.110.218/24 a mx ptr a:mail a:srv a:srv1 a:srv2 mx:mail.sensordobrasil.com.br include:sensor24horas.com.br ~all" [TTL=86400] Lookup by SpamCOP 201.28.110.218 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours. Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week ##################################### Whats the problem with this server ? I configured the SPF record after the SpamCOP list the IP. Only the configuration of the SPF record resolve the problem ? Thanks, Link to comment Share on other sites More sharing options...
Telarin Posted July 28, 2006 Share Posted July 28, 2006 The SPF is not something spamcop looks at. The most important part of the information you provided is: Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week This indicates that spam has hit both spamtraps (which are kept secret as a matter of course), and has been reported from users inboxes. A quick trace on the ip address (201.28.110.218) you gave, shows that abuse reports would have gone to postmaster[at]telefonica.com.br; postmaster[at]cert.br; mail-abuse[at]nic.br; antispambr[at]abuse.net and mail-abuse[at]cert.br. You should contact one of these people to determine why those reports were not forwarded to you. You may also be able to contact deputies[at]admin.spamcop.net to see if they can give you copies of those reports, or at least give you some indication of what spam is being seen from your IP. One of the paying members here may also be willing to post the report history for that IP. Link to comment Share on other sites More sharing options...
agsteele Posted July 28, 2006 Share Posted July 28, 2006 This ip is not currently listed in the SCBL. The last, and only report, I can find was as follows: Submitted: 24 July 2006 17:11:50 +0100: re: Big choice news1etter * 1849896462 ( 201.28.110.218 ) To: spamcop[at]imaphost.com * 1849896450 ( 201.28.110.218 ) To: postmaster[at]telefonica.com.br * 1849896436 ( 201.28.110.218 ) To: postmaster[at]cert.br * 1849896416 ( 201.28.110.218 ) To: mail-abuse[at]cert.br Andrew Link to comment Share on other sites More sharing options...
StevenUnderwood Posted July 28, 2006 Share Posted July 28, 2006 This ip is not currently listed in the SCBL. The last, and only report, I can find was as follows: Submitted: 24 July 2006 17:11:50 +0100: re: Big choice news1etter * 1849896462 ( 201.28.110.218 ) To: spamcop[at]imaphost.com * 1849896450 ( 201.28.110.218 ) To: postmaster[at]telefonica.com.br * 1849896436 ( 201.28.110.218 ) To: postmaster[at]cert.br * 1849896416 ( 201.28.110.218 ) To: mail-abuse[at]cert.br Andrew Well, it looks like you cleared the block. That is not a good thing to do unless you know you have solved the problem which, by your questions, you have not. The next report wil list you again, and you will not have the chance to remove yourself. Did you read all the information on this page: http://mailsc.spamcop.net/bl.shtml?201.28.110.218 Link to comment Share on other sites More sharing options...
Merlyn Posted July 28, 2006 Share Posted July 28, 2006 Still a big surge in email from that IP: Last day 3.5 601% Last 30 days 2.8 51% Link to comment Share on other sites More sharing options...
michaelmanzini Posted July 28, 2006 Author Share Posted July 28, 2006 http://mailsc.spamcop.net/bl.shtml?201.28.110.218 Whats account need to access this page ? I tried my user and password that i register here but I can't login in this page. Link to comment Share on other sites More sharing options...
Telarin Posted July 28, 2006 Share Posted July 28, 2006 This link should work for you, it doesn't require being logged in: http://www.spamcop.net/w3m?action=checkblo...=201.28.110.218 However, either the listing has aged off the list, or you have marked it as resolved, so all it shows now is 201.28.110.218 not listed in bl.spamcop.net If you manually removed the listing, you should be aware that you can only do that one time, so if it gets listed again, you will have to wait out the listing once you have resolved the problem. Link to comment Share on other sites More sharing options...
michaelmanzini Posted July 28, 2006 Author Share Posted July 28, 2006 Well, it looks like you cleared the block. That is not a good thing to do unless you know you have solved the problem which, by your questions, you have not. The next report wil list you again, and you will not have the chance to remove yourself. Did you read all the information on this page: http://mailsc.spamcop.net/bl.shtml?201.28.110.218 Ok I work in a company and we provide service how smtp servers. A two weeks ago some costumers report us about problem with e-mail and when a researched i found the spamcop blocked. Is There a spamcop block that is more often ? About CBL, almost 100% of incidents are infected workstation. I send a e-mail for them and they return me a name of infected workstation. And I fix the problem. But in SpamCop I don't know why The IP has been listed. Please help me. This link should work for you, it doesn't require being logged in: http://www.spamcop.net/w3m?action=checkblo...=201.28.110.218 However, either the listing has aged off the list, or you have marked it as resolved, so all it shows now is If you manually removed the listing, you should be aware that you can only do that one time, so if it gets listed again, you will have to wait out the listing once you have resolved the problem. The admin of the sensorsdobrasil.com.br deslisting it. I work in the company that provide services for them. And i'm responsable for this server. I known that is isn't a good pratic, but I don't do it ! I have knowlegment about blacklists, I 'm communic with CBL, SORBS but I never found a block by SpamCop blacklist. Its the first contact with this backlist. thanks for attention. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted July 28, 2006 Share Posted July 28, 2006 http://mailsc.spamcop.net/bl.shtml?201.28.110.218 Whats account need to access this page ? I tried my user and password that i register here but I can't login in this page. Yes, Sorry about that. I should have replaced the mailsc with www as: http://www.spamcop.net/bl.shtml?201.28.110.218 The other link provided is one step under this page, but this was the info I wanted you to see. To see parts what was sent to a spamtrap address, you will need to email deputies[at]spamcop.net and ask nicely. They are extremely busy, dealing with ~1800 messages per day so if they can not answer your question without more data, it is likely to be put on the back of the todo list, which may be quite a while. Keep trying and let us know what you found. Link to comment Share on other sites More sharing options...
Derek T Posted July 28, 2006 Share Posted July 28, 2006 Ok I work in a company and we provide service how smtp servers. A two weeks ago some costumers report us about problem with e-mail and when a researched i found the spamcop blocked. Is There a spamcop block that is more often ? About CBL, almost 100% of incidents are infected workstation. I send a e-mail for them and they return me a name of infected workstation. And I fix the problem. But in SpamCop I don't know why The IP has been listed. thanks for attention. SpamCop is entirely automatic and very proactive. SpamCop does NOT recommend using it to block mail outright, it should be used only for quarantining mail. SOME admins choose to use to block - their call. The good news is that de-listing is also entirely automatic - once the spew stops an IP de-lists in 24hrs or even less. Check your logs to find the trojanned machine. Link to comment Share on other sites More sharing options...
turetzsr Posted July 28, 2006 Share Posted July 28, 2006 <snip> About CBL, almost 100% of incidents are infected workstation. I send a e-mail for them and they return me a name of infected workstation. And I fix the problem. But in SpamCop I don't know why The IP has been listed. Bom dia! ...If infected workstations are sending spam, then there is a very good chance that is what is causing the listings in the SpamCop blacklist. ...If infected workstations are being addressed only after incidents, and if the infected workstations sending spam are causing your server to be listed on the SpamCop blacklist, then your problem is going to continue. I would suggest you (and your customers) work to avoid any workstations becoming infected at all. Workstation firewalls and anti-virus software should be running on all workstations and servers at all times! Please help me....Help appears in many of the replies from other members here. The two most likely ways to get answers are: As Telarin suggested, contact the owners of postmaster[at]telefonica.com.br; postmaster[at]cert.br; mail-abuse[at]nic.br; antispambr[at]abuse.net and/or mail-abuse[at]cert.br and ask that reports regarding your servers be sent to you. As StevenUnderwood suggested, contact the SpamCop deputies at deputies[at]spamcop.net to ask for any available evidence of spam Trap hits. To repeat and extend what Steven mentioned, you will have to provide enough information for the Deputies to be able to handle your request without coming back to you for more information and to convince them that you are an authorized administrator of the server 201.28.110.218. Otherwise, it may take them quite a long time to reply to you. ...Good luck! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.