rjcalderon Posted August 3, 2006

I've been blocked for a couple of days now. The description of the problem is:

<******* #5.5.0 smtp;591 ******* your host [72.18.235.98] is blacklisted by bl.spamcop.net. No mail will be accepted>

We host our own e-mail server (Exchange) and I've been through various steps to make our server more secure and I've disabled auto responders... I can't figure this one out. The site will say 24 hours until we are no longer blocked, but then after a few hours the timer starts over. Any help? We are a medium sized winery and I consider this a rather large issue.
Miss Betsy Posted August 3, 2006

These are the SenderBase statistics. I am not really technically fluent, but I think that increase is not a good sign. It usually indicates that your machine (or some machine on the same IP) has been compromised by spammers. Have you read all the possible exploits for Exchange servers (there are links in the Why Am I Blocked FAQ)? A lot of times, it seems from reading other admins' posts, the place to look is not port 25 but in your firewalls, since the trojans use other ports.

                 Vol   Change vs. Average
Last day         4.7   2403%
Last 30 days     3.6   125%
Average          3.3

Someone more knowledgeable will be along shortly (but that isn't bad advice, to look at the firewall logs).

Miss Betsy
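The firewall-log check suggested in the post above, written out as an added example (it is not code from anyone in this thread). The log lines are constructed for the example in the shape of PIX 6.x "%PIX-6-302013: Built ... TCP connection" messages; the internal addresses (10.0.0.5 as the Exchange server, 10.0.0.23 as a workstation) and the interface names "inside"/"outside" are assumptions. The idea is the one Miss Betsy describes: a spam-sending trojan on any machine behind the same NAT address shows up as outbound connections to port 25 from a host that is not the mail server.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of PIX 6.x %PIX-6-302013 connection
# messages. They are made up for this example, not taken from the poster's
# firewall. 10.0.0.5 plays the role of the Exchange server; 10.0.0.23 is a
# workstation behind the same NAT address (72.18.235.98). The last line is a
# different message type and is there to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Aug 03 2006 10:12:01: %PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/25 (192.0.2.10/25) to inside:10.0.0.5/3412 (72.18.235.98/3412)
Aug 03 2006 10:12:03: %PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/25 (198.51.100.7/25) to inside:10.0.0.23/1044 (72.18.235.98/1044)
Aug 03 2006 10:12:03: %PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.44/25 (203.0.113.44/25) to inside:10.0.0.23/1045 (72.18.235.98/1045)
Aug 03 2006 10:12:04: %PIX-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:10.0.0.23/1046 (72.18.235.98/1046)
Aug 03 2006 10:12:05: %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/4321 (203.0.113.9/4321) to inside:10.0.0.5/25 (72.18.235.98/25)
Aug 03 2006 10:12:06: %PIX-6-106023: Deny tcp src inside:10.0.0.23/1047 dst outside:192.0.2.99/25 by access-group "inside_out"
"""

# One endpoint of a connection message: interface:address/port (mapped_address/mapped_port)
ENDPOINT = r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\)"
CONN_RE = re.compile(
    r"Built (inbound|outbound) TCP connection \d+ for " + ENDPOINT + " to " + ENDPOINT
)


def outbound_smtp_sources(lines, inside_if="inside", smtp_port=25):
    """Count, per internal host, the outbound TCP connections it opened to port 25.

    Both endpoints are keyed by interface name rather than by position, so the
    result does not depend on which side the firewall prints first.
    """
    counts = Counter()
    for line in lines:
        m = CONN_RE.search(line)
        if not m or m.group(1) != "outbound":
            continue
        endpoints = {
            m.group(2): (m.group(3), int(m.group(4))),
            m.group(5): (m.group(6), int(m.group(7))),
        }
        inside = endpoints.get(inside_if)
        remote = next((v for k, v in endpoints.items() if k != inside_if), None)
        if inside and remote and remote[1] == smtp_port:
            counts[inside[0]] += 1
    return counts


def suspicious_hosts(counts, mail_server):
    """Internal hosts other than the real mail server that are talking SMTP outbound."""
    return sorted(ip for ip in counts if ip != mail_server)


if __name__ == "__main__":
    counts = outbound_smtp_sources(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:15} {n} outbound SMTP connection(s)")
    print("not the mail server:", suspicious_hosts(counts, "10.0.0.5"))
```

Run it against a real export of the PIX syslog (the message format is the same on the 6.x line) with the mail server's actual address in place of 10.0.0.5. Any other internal host in the output is the first place to look for the compromised machine; the Deny line at the end of the sample is what the log looks like once an outbound access list allows port 25 from the mail server only, which is the usual way to stop the spew while the host is cleaned.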
StevenUnderwood Posted August 3, 2006

Not good at all: http://www.spamcop.net/bl.shtml?72.18.235.98

72.18.235.98 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

You are getting lots of real reports that do not look like auto responders. The spammers seem to have taken control of your server or some machine behind that IP address. See below for some information on these reports.

To make it worse, the abuse desk for your provider is bouncing, so reports are not being sent:

Routing details for 72.18.235.98
Using abuse net on ipadmin[at]telepacific.com
abuse net telepacific.com = abuse[at]telepacific.net
Using best contacts abuse[at]telepacific.net
abuse[at]telepacific.net bounces (41 sent : 35 bounces)
Using abuse#telepacific.net[at]devnull.spamcop.net for statistical tracking.

Report History:
--------------------------------------------------------------------------------
Submitted: Wednesday, August 02, 2006 3:00:15 PM -0400: Current
1861647883 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Wednesday, August 02, 2006 8:54:23 AM -0400: Richmond
1861191614 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 9:17:13 PM -0400: Raymond
1860597342 ( 72.18.235.98 ) To: spamcop[at]imaphost.com
1860597341 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 9:07:39 PM -0400: installed
1860609431 ( 72.18.235.98 ) To: spamcop[at]imaphost.com
1860609415 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 9:07:34 PM -0400: installed
1860607919 ( 72.18.235.98 ) To: spamcop[at]imaphost.com
1860607913 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 9:07:30 PM -0400: installed
1860606886 ( 72.18.235.98 ) To: spamcop[at]imaphost.com
1860606867 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 3:29:48 PM -0400: rule
1860302043 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 01, 2006 2:53:33 AM -0400: Please
1860381650 ( 72.18.235.98 ) To: abuse#telepacific.net[at]devnull.spamcop.net
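The bl.shtml page quoted above is the human view of a DNS-based blocklist; the receiving mail server that produced the "591 ... blacklisted by bl.spamcop.net" bounce did the same check over DNS. Here is that lookup as an added example (not SpamCop's code, and not anything posted in this thread): the IP's octets are reversed and prefixed to the zone name, and an A record of 127.0.0.2 means "listed", which is the value shown in parentheses on the page above. The resolver is injectable so the logic can be exercised without network access; everything else uses only the standard library.

```python
import socket

SPAMCOP_ZONE = "bl.spamcop.net"


def dnsbl_query_name(ip, zone=SPAMCOP_ZONE):
    """Build the reversed-octet name a DNSBL is queried with, e.g. 98.235.18.72.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answer(addresses):
    """Translate the A-record answer into a verdict.

    bl.spamcop.net answers 127.0.0.2 for a listed address and returns no
    record (NXDOMAIN) otherwise. Anything else is worth a manual look: other
    zones use additional 127.0.0.x values to encode the reason for a listing
    or to signal that the querier itself has been cut off.
    """
    if not addresses:
        return "not listed"
    if "127.0.0.2" in addresses:
        return "listed"
    return "unexpected answer: " + ", ".join(sorted(addresses))


def resolve_a(name):
    """Real lookup through the system resolver; NXDOMAIN comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip, zone=SPAMCOP_ZONE, resolve=resolve_a):
    """Return (query_name, verdict). `resolve` is injectable for offline testing."""
    name = dnsbl_query_name(ip, zone)
    return name, interpret_answer(resolve(name))


if __name__ == "__main__":
    import sys

    for ip in sys.argv[1:] or ["72.18.235.98"]:
        name, verdict = check_listing(ip)
        print(f"{ip:15} {verdict:12} ({name})")
```

Running this from a cron job against your own outbound address is a cheap early warning: a listing shows up here hours before the first customer forwards you a bounce. It tells you only that you are listed, not why; the "Causes of listing" text on the bl.shtml page is still the place to learn whether spam traps or user reports are involved.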
Wazoo Posted August 3, 2006

we host our own e-mail server (exchange)

Technically, as there are so many versions of Exchange out there, that data could be important as far as what to be looking for, if there is a 'fix' available, etc.

and I've been through various steps to make our server more secure and I've disabled auto responders... I can't figure this one out. the site will say 24 hours until we are no longer blocked but then after a few hours the timer starts over.

The "timer" starts counting down (not necessarily totally devoted to the passing seconds) when the "spam spew stops" .... The 'starting over' scenario goes along with that the spew is continuing. That the results are showing both spamtrap hits and reports, direct involvement by a spammer is most likely.

telnet 72.18.235.98 25
**********************************************************0****0*2**********
********2*****200**20*0******0*00

not your typical response string ...????
claco Posted August 3, 2006

telnet 72.18.235.98 25
**********************************************************0****0*2**********
********2*****200**20*0******0*00
not your typical response string ...????

While completely unrelated, I've seen mail servers behind certain versions of Cisco PIX firewalls munge the mail HELO like that. I think the culprit was the smtp fixup + the IOS version.
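The telnet test Wazoo ran, and the explanation claco gives for the asterisks, as an added example (not code from either poster). It reads the SMTP greeting the way the manual telnet did and classifies it: mostly asterisks means an inspection device between you and the server is rewriting the banner, a "220" line is a normal greeting, anything else is worth looking at by hand. The masked banner below is the one pasted in the thread, joined into one string; the "normal" banner and the example hostname are constructed. The socket factory is injectable so the classification can be tested without connecting anywhere.

```python
import socket

# The banner Wazoo pasted above, joined into one string (taken from the post).
MASKED_BANNER = (
    "**********************************************************0****0*2**********"
    "********2*****200**20*0******0*00"
)
# A normal greeting for comparison (constructed; the hostname is made up).
NORMAL_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready"


def read_banner(host, port=25, timeout=5.0, connect=socket.create_connection):
    """Connect and return the first line the server sends (the SMTP greeting).

    `connect` is injectable so the classification below can be exercised
    without a network; by default it is socket.create_connection.
    """
    with connect((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
        return data.decode("ascii", "replace").strip()


def star_ratio(banner):
    """Fraction of non-whitespace characters that are asterisks."""
    visible = [c for c in banner if not c.isspace()]
    return sum(c == "*" for c in visible) / len(visible) if visible else 0.0


def classify_banner(banner, masked_threshold=0.7):
    """'masked' if the greeting is mostly asterisks, 'normal' for a 220 reply, else 'unexpected'."""
    if star_ratio(banner) >= masked_threshold:
        return "masked"
    if banner.startswith("220"):
        return "normal"
    return "unexpected"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        banner = read_banner(sys.argv[1])
        print(repr(banner))
        print(classify_banner(banner))
    else:
        for b in (MASKED_BANNER, NORMAL_BANNER):
            print(f"{classify_banner(b):10} {b[:40]}")
```

On PIX 6.x the feature behind this is the SMTP fixup (Cisco calls it Mailguard, enabled by "fixup protocol smtp 25" in the default configuration); Cisco's description of it is that the server's banner is rewritten to asterisks except for the characters 2, 0 and 0, which is consistent with the digits that leak through in the posted output. A masked banner therefore says only that inspection is on. It is not what got the address listed; the listing comes from the spam leaving the network, which is a separate problem from whatever the firewall does to the greeting.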
rjcalderon Posted August 3, 2006

While completely unrelated, I've seen mail servers behind certain versions of Cisco PIX firewalls munge the mail HELO like that. I think the culprit was the smtp fixup + the IOS version.

That is most likely the case, as we do use a PIX firewall. I really, really hope I do not need to change the configuration on the PIX, since I'm not all that fluent in PIX commands. I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.
Wazoo Posted August 3, 2006

That is most likely the case as we do use a pix firewall. I really really hope I do not need to change the configuration on the pix since I'm not all that fluent in pix commands.

My Telnet attempt was simply a quick snag at pulling up the version number in use ... that didn't work, and you still haven't said ....

I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.

Although it is true that the clock is running down, the same can't be said for the actual traffic, which you also haven't yet either agreed was valid or admitted to finding the cause of ....

http://www.senderbase.org/?searchBy=ipaddr...ng=72.18.235.98

Volume Statistics for this IP
Magnitude        Vol   Change vs. Average
Last day         4.6   2083%
Last 30 days     3.6   126%
Average          3.3
claco Posted August 3, 2006

That is most likely the case as we do use a pix firewall. I really really hope I do not need to change the configuration on the pix since I'm not all that fluent in pix commands. I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.

Search Google for "postfix cisco fixup".

http://archives.neohapsis.com/archives/pos...01-06/1198.html

This issue usually affects older versions of IOS, and email servers other than postfix as well.
rjcalderon Posted August 3, 2006

Our PIX version is 6.3(4), so it wouldn't be affected... right? Should I disable the fixup 25 anyway?
claco Posted August 3, 2006

Our pix version is 6.3(4) so it wouldn't be affected.. right? should I disable the fixup 25 anyway?

I'm not a Cisco or security guru, so I can't say. I can just give pointers as to why the telnet HELO output posted earlier might have been screwy. :-)