TTILLCTC Posted August 17, 2006

One of the Exchange servers I tend is on the list at spamcop, cbl, xbl, you get the idea. Anyway, I am looking for the details of why I am blocked. I would really like a "From:" and/or a "To:". Some kind of clue as to where to start looking. The IP address is 68.153.96.34.

I have scanned the Exchange server with all the recommended software. Checked all the reports for each site I am listed on, etc. Read the forums. You name it, I have read it, checked it or chunked it.

Thanks in advance.
Telarin Posted August 17, 2006

It looks like all the reports on that IP address were user submitted reports. Copies would have gone to abuse[at]bellsouth.net. You should try contacting them and find out why they have not forwarded these reports on to you. You can also try contacting deputies[at]admin.spamcop.net, but you will have to have some proof that you are responsible for that IP address (using a role address helps) to get much detail.

I'm sure one of the paid spamcop members will be happy to post the traffic that has been reported; however, that will only contain the subject lines and dates/times sent, although this should be enough to track them down in the Exchange logs.

What version of Exchange are you running? I know some versions are susceptible to SMTP/AUTH attacks. You'll also want to make absolutely certain it is not an open relay. If you are using a single public IP address shared between your server and PCs, you will also need to check the PCs and make sure they have not been compromised.
TTILLCTC Posted August 17, 2006

Thanks for your reply Will. I appreciate it.

I have contacted Bellsouth. I can't get a human on the phone, and the email I sent requesting data got the following reply: "we will not respond to your message except, possibly, in cases where the abuse poses a serious threat to person or property". Gotta love that!

Here's my problem. My server has been convicted and sentenced without its attorney, that would be me, seeing the evidence or even getting to review the charges. Sorry, had to rant and rave for a second. Kinda frustrated.

I would be willing to pay to get the report but all I see is a signup for ISPs. Maybe I missed it. One site did have some times that I was reported but I couldn't correlate it to my logs.

I have a firewall and have configured it so that only the Exchange server can use port 25 outgoing. I am running 2000. Double-checked open relay. ordb.org says "Nope".

Thanks again for your help!
dra007 Posted August 18, 2006

Some reports look like potential phishers:
Merlyn Posted August 18, 2006

Looks like you have a small problem. I hope this info helps.......... Your server is sending way too much junk. Looks pretty spammy to me! In the last day you are up more than 1000 percent!

Last day 4.5 1351%
Last 30 days 3.5 26%

Reports:
TTILLCTC Posted August 18, 2006

Please excuse my ignorance but what is this report saying? Does this show who reported this and who sent it somewhere?
StevenUnderwood Posted August 18, 2006

> Please excuse my ignorance but what is this report saying? Does this show who reported this and who sent it somewhere?

These are messages received by spamcop users. These users are saying "I did not request this message, it is spam." They submit it to spamcop, a tool used to determine the source of the message, and that is showing your IP address. It does not show who the report went to or from, but those entries are easily forged. What cannot be forged is the IP address the messages are coming from.

Does your server generally send out emails with the subject "You have added a new email address to your account."?
TTILLCTC Posted August 18, 2006

So that's the subject line. Thank you. No we wouldn't be doing that. Thank you for pointing that out. Much appreciated.
dra007 Posted August 18, 2006

As I stated before, that subject line and the reference to paypal suggest that these reported e-mails may in fact be phishers attempting to scam the recipients of information and money. With those subject lines and reporting dates you can certainly check your logs. Reporting is done within hours of receipt in most cases, and less than 48h in the more extreme submissions.
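Added example, not part of any post in this thread: one way to turn report submission times into a log search, using the "within 48h of receipt" window described above to count which internal clients handed mail to the server before each report. The log sample is constructed, and its W3C field selection, UTC timestamps and 192.168.1.x client addresses are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Two SpamCop submission times, in the format the report listing uses.
REPORT_TIMES = [
    "Thursday, August 17, 2006 11:53:57 AM -0400",
    "Wednesday, August 16, 2006 4:32:31 PM -0400",
]

# Constructed sample of an SMTP service log in W3C extended format.
# Assumptions: this field selection, UTC timestamps, internal client IPs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-08-14 09:12:03 192.168.1.20 MAIL +FROM:<staff@example.org> 250
2006-08-16 19:58:40 192.168.1.37 MAIL +FROM:<service@example.com> 250
2006-08-16 19:58:41 192.168.1.37 RCPT +TO:<a@example.net> 250
2006-08-16 19:58:42 192.168.1.37 MAIL +FROM:<service@example.com> 250
2006-08-17 15:20:11 192.168.1.37 MAIL +FROM:<service@example.com> 250
2006-08-17 15:41:09 192.168.1.20 MAIL +FROM:<staff@example.org> 250
2006-08-17 16:30:00 192.168.1.37 MAIL +FROM:<service@example.com> 250
"""


def parse_report_time(text):
    """Parse a report submission time into a timezone-aware datetime."""
    return datetime.strptime(text, "%A, %B %d, %Y %I:%M:%S %p %z")


def parse_w3c(log_text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def senders_in_windows(log_text, report_times, lookback=timedelta(hours=48)):
    """Count MAIL commands per client IP in the lookback window of any report."""
    windows = [(t - lookback, t) for t in map(parse_report_time, report_times)]
    hits = Counter()
    for rec in parse_w3c(log_text):
        if rec.get("cs-method") != "MAIL":
            continue  # one MAIL command per message; ignore RCPT, DATA, ...
        stamp = f'{rec["date"]} {rec["time"]} +0000'
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
        if any(start <= when <= end for start, end in windows):
            hits[rec["c-ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, count in senders_in_windows(SAMPLE_LOG, REPORT_TIMES).most_common():
        print(f"{ip}\t{count} message(s) inside a report window")
```

A client that dominates the count and is not a known mail-sending host is the machine to inspect first.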
TTILLCTC Posted August 18, 2006

Thanks everyone for your help. I got some information from one of the deputies this morning that cleared everything up for me. It is a phishing expedition originating from inside my house. Saturday will be spent cleaning and delousing all the PCs.

Thanks again for all the help provided.
Telarin Posted August 18, 2006

Thanks for coming here with a good attitude and wanting to take care of the problem! You'd be surprised how many people just want to rant and not actually fix anything; it's nice to see people that do want to fix things occasionally. Let us know how your delousing goes.
This topic is now archived and is closed to further replies.