Keep getting blocked


rjcalderon

I've been blocked for a couple of days now. The description of the problem is: <******* #5.5.0 smtp;591 ******* your host [72.18.235.98] is blacklisted by bl.spamcop.net. No mail will be accepted>

We host our own e-mail server (Exchange) and I've been through various steps to make our server more secure and I've disabled auto responders... I can't figure this one out. The site will say 24 hours until we are no longer blocked, but then after a few hours the timer starts over.

Any help? We are a medium sized winery and I consider this a rather large issue.


These are the SenderBase statistics. I am not really technically fluent, but I think that increase is not a good sign. It usually indicates that your machine (or some machine on the same IP) has been compromised by spammers. Have you read all the possible exploits for Exchange servers? (There are links in the "Why Am I Blocked" FAQ.) A lot of times, it seems from reading other admins' posts, the place to look is not port 25 but your firewalls, since the trojans use other ports.

Period        Magnitude (Vol)   Change vs. Average
Last day      4.7               2403%
Last 30 days  3.6               125%
Average       3.3

Someone more knowledgeable will be along shortly (but that isn't bad advice, to look at the firewall logs).

Miss Betsy


Not good at all:

http://www.spamcop.net/bl.shtml?72.18.235.98

72.18.235.98 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

You are getting lots of real reports that do not look like auto responders. The spammers seem to have taken control of your server or some machine behind that IP address. See below for some information on these reports.

To make it worse, the abuse desk for your provider is bouncing so reports are not being sent:

Routing details for 72.18.235.98

Using abuse net on ipadmin[at]telepacific.com

abuse net telepacific.com = abuse[at]telepacific.net

Using best contacts abuse[at]telepacific.net

abuse[at]telepacific.net bounces (41 sent : 35 bounces)

Using abuse#telepacific.net[at]devnull.spamcop.net for statistical tracking.


we host our own e-mail server (Exchange)

Technically, as there are so many versions of Exchange out there, that data could be important as far as what to be looking for, if there is a 'fix' available, etc.

and I've been through various steps to make our server more secure and I've disabled auto responders... I can't figure this one out. The site will say 24 hours until we are no longer blocked, but then after a few hours the timer starts over.

The "timer" starts counting down (not necessarily totally devoted to the passing seconds) when the "spam spew stops" .... The 'starting over' scenario goes along with the spew continuing.

As the results are showing both spamtrap hits and reports, direct involvement by a spammer is most likely.

telnet 72.18.235.98 25

**********************************************************0****0*2**********

********2*****200**20*0******0*00

not your typical response string ...????


telnet 72.18.235.98 25

**********************************************************0****0*2**********

********2*****200**20*0******0*00

not your typical response string ...????

While completely unrelated, I've seen mail servers behind certain versions of Cisco PIX firewalls munge the mail HELO like that. I think the culprit was the smtp fixup + the IOS version.
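Two checks an admin in this situation would want to script, covering both the bl.spamcop.net listing shown earlier in the thread and the asterisk-masked banner quoted above. This is an added example, not code from anyone in this thread; the IP and zone are the ones from the thread, and the "mostly asterisks and digits" test for a firewall-masked greeting is an assumption based on the quoted telnet output.

```python
import re
import socket

# Values taken from the thread; used here only as sample input.
LISTED_IP = "72.18.235.98"
SPAMCOP_ZONE = "bl.spamcop.net"


def dnsbl_name(ip, zone=SPAMCOP_ZONE):
    """Build the reversed-octet query name a DNS blocklist expects,
    e.g. 72.18.235.98 -> 98.235.18.72.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def explain_spamcop_answer(answer):
    """Interpret the A record: SpamCop answers 127.0.0.2 for a listed host
    (as shown in the listing above); no record at all means not listed."""
    if answer is None:
        return "not listed"
    if answer == "127.0.0.2":
        return "listed"
    return "unexpected answer %s (zone may have changed its return codes)" % answer


def check_dnsbl(ip, zone=SPAMCOP_ZONE):
    """Live lookup (needs DNS): returns the A record, or None when the name
    does not exist, which is how a DNSBL reports 'not listed'."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None


# A greeting made only of '*', digits and spaces is not a real SMTP banner;
# a PIX 'fixup protocol smtp' masking the banner produces exactly that shape.
_MASKED = re.compile(r"^[*0-9 ]+$")


def banner_looks_masked(banner):
    """True when an SMTP greeting looks like firewall-masked output rather
    than a normal '220 host ESMTP ...' line."""
    line = banner.strip()
    return bool(line) and "*" in line and _MASKED.match(line) is not None
```

Run `explain_spamcop_answer(check_dnsbl(LISTED_IP))` on a host with DNS to see the current listing state; the banner check takes the first line returned after connecting to port 25.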


While completely unrelated, I've seen mail servers behind certain versions of Cisco PIX firewalls munge the mail HELO like that. I think the culprit was the smtp fixup + the IOS version.

That is most likely the case, as we do use a PIX firewall. I really, really hope I do not need to change the configuration on the PIX, since I'm not all that fluent in PIX commands. I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.


That is most likely the case, as we do use a PIX firewall. I really, really hope I do not need to change the configuration on the PIX, since I'm not all that fluent in PIX commands.

My Telnet attempt was to simply do a quick snag at pulling up the version number in use ... that didn't work, and you still haven't said ....

I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.

Although it is true that the clock is running down, the same can't be said for the actual traffic, which you also haven't yet either agreed was valid or admitted to finding the cause of ....

http://www.senderbase.org/?searchBy=ipaddr...ng=72.18.235.98

Volume Statistics for this IP

Period        Magnitude (Vol)   Change vs. Average
Last day      4.6               2083%
Last 30 days  3.6               126%
Average       3.3


That is most likely the case, as we do use a PIX firewall. I really, really hope I do not need to change the configuration on the PIX, since I'm not all that fluent in PIX commands. I've checked all of our computers and the countdown has not been reset for several hours... so fingers crossed we will soon be back in the honest world of e-mailing. Thanks for all the responses.

Search Google for "postfix cisco fixup".

http://archives.neohapsis.com/archives/pos...01-06/1198.html

This issue usually affects older versions of IOS, and email servers other than Postfix as well.


Our PIX version is 6.3(4), so it wouldn't be affected... right? Should I disable the fixup 25 anyway?

I'm not a Cisco or security guru, so I can't say. I can just give pointers as to why the telnet HELO output posted earlier might have been screwy. :-)
