mmarklew Posted August 30, 2006

IP: 203.33.254.150

After first being listed last week I started examining my mail logs in detail trying to find the customer responsible. I managed to stop a couple of customers sending non-deliverable reports but we are only talking like 5 messages a day out of some 10,000 we send.

After continual re-listing over the weekend, many late nights examining logs, writing filters and attempts to contact Spamcop for more information I gave up and changed the IP of my mail server yesterday morning some 30 hours + ago. I really didn't want to do this as if there is a problem I would like to fix it.

The new IP hasn't been listed yet. But the old IP has been relisted since I stopped it sending any e-mail? How is this possible, am I missing something?

The spamcop site doesn't really give any details of the reason for listing, other than the obvious.

Wazoo Posted August 30, 2006

> The spamcop site doesn't really give any details of the reason for listing, other than the obvious.

Besides the obvious?

http://www.spamcop.net/w3m?action=checkblo...=203.33.254.150

203.33.254.150 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.

Causes of listing
SpamCop users have reported system as a source of spam about 60 times in the past week
(this is the first listing showing something besides "less than 10 times" I've seen in a long time ..)

Additional potential problems
DNS error: 203.33.254.150 is mail.idl.com.au but mail.idl.com.au has no DNS information
System administrator has already delisted this system once

http://www.senderbase.org/?searchBy=ipaddr...=203.33.254.150

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        3.6         -73%
Last 30 days    3.3         -86%
Average         4.1

It is still sending e-mail, per those numbers .... something like 10,000 a day, based on data at SenderBase's "Magnitude" Explained

It appears that you're checking in the wrong place ..... or you've offered up the wrong IP address.

whois -h whois.apnic.net 203.33.254.150 ...

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:  203.33.254.0 - 203.33.254.255
netname:  MAGNETICANDOPTI-AU
descr:    Magnetic and Optic Labs
descr:    5 Garlick Close
descr:    Kariong
descr:    NSW 2250
country:  AU
admin-c:  DM252-AP
tech-c:   DM252-AP
remarks:  ** Conversion note - reference 'DM252-AU' changed to 'DM252-AP'
remarks:  Record imported from AUNIC as part of AUNIC->APNIC migration
remarks:  Please see http://www.apnic.net/db/aunic/
mnt-by:   APNIC-HM
status:   ALLOCATED PORTABLE
changed:  nobody[at]aunic.net 19961025
changed:  aunic-transfer[at]apnic.net 20010525
changed:  hm-changed[at]apnic.net 20041214
source:   APNIC

You may also want to take a look at Spammers love Forum name = e-mail address
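
The two checks in the checkblock output quoted above, the bl.spamcop.net lookup and the "has no DNS information" error, are ones a mail admin can run against their own sending IP. The following is an added example, not part of the original thread and not SpamCop's code; the resolver classes and the two DNS snapshots are constructed for illustration, and the "after" snapshot is an assumed end state.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class SystemResolver:
    """Uses the OS resolver; needs network access."""

    def a_records(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:  # NXDOMAIN or no data: treat as "no addresses"
            return []

    def ptr_name(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
        except OSError:
            return None


class StaticResolver:
    """Offline resolver over two dicts, used for the constructed snapshots."""

    def __init__(self, a, ptr):
        self.a, self.ptr = a, ptr

    def a_records(self, name):
        return self.a.get(name.rstrip(".").lower(), [])

    def ptr_name(self, ip):
        return self.ptr.get(ip)


def check_sender(ip, resolver, zone="bl.spamcop.net"):
    """Return the DNSBL status and the forward-confirmed reverse DNS verdict."""
    answers = resolver.a_records(dnsbl_query_name(ip, zone))
    # A listing is signalled by an answer inside 127.0.0.0/8 (127.0.0.2 above).
    listed = any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

    ptr = resolver.ptr_name(ip)
    forward = resolver.a_records(ptr) if ptr else []
    if ptr is None:
        fcrdns = "no PTR record"
    elif not forward:
        fcrdns = "PTR name has no A record"  # the "DNS error" quoted above
    elif ip not in forward:
        fcrdns = "PTR name resolves to a different address"
    else:
        fcrdns = "ok"
    return {"ip": ip, "listed": listed, "ptr": ptr, "fcrdns": fcrdns}


# Constructed snapshot mirroring the checkblock output quoted above.
AS_QUOTED = StaticResolver(
    a={"150.254.33.203.bl.spamcop.net": ["127.0.0.2"]},
    ptr={"203.33.254.150": "mail.idl.com.au"},
)
# Assumed state once an A record exists and the listing has expired.
AFTER_DNS_FIX = StaticResolver(
    a={"mail.idl.com.au": ["203.33.254.150"]},
    ptr={"203.33.254.150": "mail.idl.com.au"},
)

if __name__ == "__main__":
    for label, res in (("as quoted", AS_QUOTED), ("after fix", AFTER_DNS_FIX)):
        print(label, check_sender("203.33.254.150", res))
```

Passing `SystemResolver()` instead of a snapshot runs the same checks against live DNS.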

mmarklew (Author) Posted August 30, 2006

That's me, been staring at those pages for many hours now.

I added a smart host yesterday to relay all the messages via a different machine. Logs show the messages all going to the remote machine and received on the other end too.

It doesn't track messages via a relay does it? Or how updated is it?

dra007 Posted August 30, 2006

All kind of spam, including pills, porn and gambling:

spamtraps are but a small fraction of reports.

Wazoo Posted August 30, 2006

> It doesn't track messages via a relay does it? Or how updated is it?

http://forum.spamcop.net/scwik/SenderBase for the general background. Bottom line, those "data collection points" are seeing traffic from that IP address .... it is basically "live" ....

mmarklew (Author) Posted August 30, 2006

That is my personal old uni e-mail address that forwards to my ISP account. My mail server 203.33.254.150 does not send that e-mail out, it receives it from the Newcastle uni.

Is there something wrong with spam cop?

PS: I can't believe I put my e-mail as the login and I can't figure out where to change it. Anyone know?

dra007 Posted August 30, 2006

I could go on, but this is one of the most productive source of spam I have seen yet, possibility of a hijacked PC is very likely:

mmarklew (Author) Posted August 30, 2006

Missed my post.

Yes, my spam assassin works like mad filtering all the crap generated from that account. Again it's sent to my mail server not the other way around..

c9514955[at]newcastle.edu.au forwards to 203.33.254.150.

Wazoo Posted August 30, 2006

> IP: 203.33.254.150
>
> After continual re-listing over the weekend, many late nights examining logs, writing filters and attempts to contact Spamcop for more information I gave up and changed the IP of my mail server yesterday morning some 30 hours + ago. I really didn't want to do this as if there is a problem I would like to fix it.
>
> The new IP hasn't been listed yet. But the old IP has been relisted since I stopped it sending any e-mail? How is this possible, am I missing something?

Any explanation for the response I get ....???

C:\>telnet 203.33.254.150 25
220 mail.idl.net.au ESMTP

There's still an e-mail server sitting at that IP address .....

mmarklew (Author) Posted August 30, 2006

Yes.. But it doesn't send any e-mail directly. It relays via another host.

I do not send e-mail to c9514955[at]newcastle.edu.au, it's my personal old UNI account. They forward my e-mail to my ISP that I happen to own.. They forward to 203.33.254.150 not the other way around.

I just logged into their webmail admin and turned off the forwarding. BUT there must be an issue somewhere, what if one of my customers did this.

I know you get a lot of noobs posting crap, and at the risk of sounding like I don't know what I am doing let me say that I do know what I am doing and I am an ISP admin of some 10 years.

Wazoo Posted August 30, 2006

> Is there something wrong with spam cop?

Reports routes for 203.33.254.150:
routeid:21471794 203.33.254.0 - 203.33.254.255 to:c9514955[at]alinga.newcastle.edu.au
Administrator found from whois records

Parsing input: 203.33.254.150
host 203.33.254.150 = mail.idl.com.au (cached)
host 203.33.254.150 = mail.idl.com.au (cached)
Routing details for 203.33.254.150
[refresh/show] Cached whois for 203.33.254.150 : c9514955[at]alinga.newcastle.edu.au
Using last resort contacts c9514955[at]alinga.newcastle.edu.au

Removing old cache entries.
Tracking details
"whois 203.33.254.150[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
dm252-ap = c9514955[at]alinga.newcastle.edu.au
whois.apnic.net 203.33.254.150 = c9514955[at]alinga.newcastle.edu.au
whois: 203.33.254.0 - 203.33.254.255 = c9514955[at]alinga.newcastle.edu.au
Routing details for 203.33.254.150
Using last resort contacts c9514955[at]alinga.newcastle.edu.au

> PS: I can't believe I put my e-mail as the login and I can't figure out where to change it. Anyone know?

???? The link to the Announcement was provided in a previous post .. that Announcement has a link to an entry in the Forum FAQ (which is also available at the top of this screen)

mmarklew (Author) Posted August 30, 2006

Ahh.. Should I feel stupid now?

So you are saying the reports were sent to c9514955[at]alinga.newcastle.edu.au, not that the spam was reported by this address?

I can't change the whois lookup as I registered that subnet some 12 years ago and unless I start paying APNIC they won't update records. Any way to get notifications to go to a different address?

Do you have any details of the actual message headers so I can track it within my network? I really want to know how I can miss so many in my logs.

Still doesn't answer the question as to why I am getting re-listed when that server does not send e-mail directly.

Any more help please?

Wazoo Posted August 30, 2006

> Yes.. But it doesn't send any e-mail directly. It relays via another host.

Firewall in use? Can you send e-mail 'to' this server and 'prove' that it is relaying for you properly? If so, then there's a lot more to the story .....

> I do not send e-mail to c9514955[at]newcastle.edu.au, it's my personal old UNI account. They forward my e-mail to my ISP that I happen to own.. They forward to 203.33.254.150 not the other way around.
>
> I just logged into their webmail admin and turned off the forwarding. BUT there must be an issue somewhere, what if one of my customers did this.

As shown, that address is found in the WHOIS data/records ..... thus you should have been receiving all those reports. Not sure what you 'solved' by turning off the forwarding, other than having to check that account directly now ....

> I know you get a lot of noobs posting crap, and at the risk of sounding like I don't know what I am doing let me say that I do know what I am doing and I am an ISP admin of some 10 years.

I just fessed up to making a huge error in only applying half a modification to some other code in another application here .... I had it running just fine on the original installation .. was involved with Alpha and Beta testing with the next release, then installed the 'final' of that last release .. eventually copying over the 'final' into the 'original' location .... a couple of weeks ago .. problem only noticed a few hours back ... how I missed inserting the second bit of code is beyond me, but ..... and I've been around for a lot longer than 10 years <g>

mmarklew (Author) Posted August 30, 2006

> Firewall in use? Can you send e-mail 'to' this server and 'prove' that it is relaying for you properly?

Yes, the mail definitely goes via the smart host and then is sent to the Internet.

> As shown, that address is found in the WHOIS data/records ..... thus you should have been receiving all those reports. Not sure what you 'solved' by turning off the forwarding, other than having to check that account directly now ....

My bad, thought that was the address reporting the spam (please see my last post, we really need a chat line instead of a discussion board.. and thanks for your quick help)

> I just fessed up to making a huge error in only applying half a modification to some other code in another application here .... I had it running just fine on the original installation .. was involved with Alpha and Beta testing with the next release, then installed the 'final' of that last release .. eventually copying over the 'final' into the 'original' location .... a couple of weeks ago .. problem only noticed a few hours back ... how I missed inserting the second bit of code is beyond me, but ..... and I've been around for a lot longer than 10 years <g>

My comment was a little tongue in cheek. I get self-proclaimed network admins calling for support every day that don't even know how to forward a port.

Wazoo Posted August 30, 2006

PM sent, asking for a test e-mail so I can see the headers .. Tracking URL will be forthcoming ....

mmarklew (Author) Posted August 30, 2006

Are you able to give me the full headers for one or some of these messages by any chance? I honestly have spent many hours (like 4 days up until midnight) trying to figure out where it is coming from.

I like nothing more than to disconnect a user who is sending spam, kind of like disconnecting an ISP that sends spam I suppose

Wazoo Posted August 30, 2006

> Are you able to give me the full headers for one or some of these messages by any chance? I honestly have spent many hours (like 4 days up until midnight) trying to figure out where it is coming from.

Section 8 - SpamCop's System & Active Staff User Guide

You've gotten all the data that other 'users' can provide. You're saying that the Subject: lines don't do you any good, thus I asked for an e-mail to see what is actually in those headers.

Wazoo Posted August 30, 2006

Tracking URL: http://www.spamcop.net/sc?id=z1047543055za...2b5fdbb20a16afz

Bottom line, this "legitimate" e-mail would result in reports being sent to you about the 'other' IP address ....

Report spam to:
Re: 203.33.254.129 (Administrator of network where email originates)
To: c9514955[at]alinga.newcastle.edu.au

So that the spam being reported shown by dra007 was either prior to your switching to the smarthost ... or there is definitely someone managing to bypass the alleged e-mail server itself, yet using the same IP address to get out on (so back to the firewall logs ..????)

On the other hand, the parser shows lots of problems (well even the e-mail header itself complains about a misconfigured server ....) I really hate to post the whole mess here, but I'm guessing that as you don't have even a free reporting account, I don't know if you will be able to see the "full, technical details" ..????

Received: from smtp2.idl.com.au (smtp3.idl.com.au[203.33.254.147](misconfigured sender)) by sccqmxc94.asp.att.net (sccqmxc94) with ESMTP id <20060830074230q9400ob5gde>; Wed, 30 Aug 2006 07:42:30 +0000
203.33.254.147 is not an MX for smtp3.idl.com.au
Host smtp3.idl.com.au (checking ip) = 203.33.254.147
203.33.254.147 not listed in dnsbl.njabl.org
203.33.254.147 not listed in cbl.abuseat.org
203.33.254.147 not listed in dnsbl.sorbs.net
203.33.254.147 is not an MX for sccqmxc94.asp.att.net
203.33.254.147 is not an MX for smtp3.idl.com.au.
203.33.254.147 is not an MX for smtp2.idl.com.au
203.33.254.147 is not an MX for sccqmxc94.asp.att.net
203.33.254.147 not listed in dnsbl.njabl.org
203.33.254.150 is not an MX for mail.idl.com.au
Host mail.idl.com.au (checking ip) = 203.33.254.150
Host smtp2.idl.com.au (checking ip) = 203.32.82.5
203.32.82.5 not listed in dnsbl.njabl.org
203.32.82.5 not listed in cbl.abuseat.org
203.32.82.5 not listed in dnsbl.sorbs.net
Chain test:smtp2.idl.com.au =? smtp3.idl.com.au.
Host smtp3.idl.com.au. (checking ip) = 203.33.254.147
203.33.254.147 is not an MX for smtp2.idl.com.au
Host smtp2.idl.com.au (checking ip) = 203.32.82.5
203.33.254.147 is not an MX for smtp2.idl.com.au
smtp2.idl.com.au and smtp3.idl.com.au. have same domain - chain verified
Possible relay: 203.33.254.147
203.33.254.147 not listed in relays.ordb.org.
203.33.254.147 has already been sent to relay testers

Received: from localhost (localhost.localdomain [127.0.0.1]) by bishop.idl.com.au (Postfix) with ESMTP id B5B6451C775 for <xxxxx>; Wed, 30 Aug 2006 17:39:33 +1000 (EST)
Received: from bishop.idl.com.au ([127.0.0.1]) by localhost (bishop [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29416-07 for <xxxxx>; Wed, 30 Aug 2006 17:39:33 +1000 (EST)
Cannot accept line without valid 'by'.
Skipping chain test - would fail.
203.33.254.129 is not an MX for gemini.idl.com.au
Host gemini.idl.com.au (checking ip) = 203.33.254.129
Host bishop.idl.com.au (checking ip) = 203.33.254.150
203.33.254.150 not listed in dnsbl.njabl.org
203.33.254.150 not listed in cbl.abuseat.org
203.33.254.150 not listed in dnsbl.sorbs.net
Chain test:bishop.idl.com.au =? mail.idl.com.au
Host mail.idl.com.au (checking ip) = 203.33.254.150
203.33.254.150 is not an MX for bishop.idl.com.au
Host bishop.idl.com.au (checking ip) = 203.33.254.150
ips are identical
bishop.idl.com.au and mail.idl.com.au have close IP addresses - chain verified
Possible relay: 203.33.254.150
203.33.254.150 not listed in relays.ordb.org.
203.33.254.150 has already been sent to relay testers

Lots of configuration "issues" .....

mmarklew (Author) Posted August 30, 2006

> Report spam to:
> Re: 203.33.254.129 (Administrator of network where email originates)
> To: c9514955[at]alinga.newcastle.edu.au

I'll put my mail server on another subnet that I have access to the whois e-mail address or is there another way to change the reporting address? (I can't access the whois due to an APNIC policy with old registered class C's)

> So that the spam being reported shown by dra007 was either prior to your switching to the smarthost

It would have been before, I only switched it 40 hours or so ago.

> On the other hand, the parser shows lots of problems (well even the e-mail header itself complains about a misconfigured server ....)

I fixed the DNS, but am I correct the only error is to do with the virus scanning on outgoing e-mail? I will remove this service.

> Lots of configuration "issues" .....

Lots? Other than the anti virus and the dns for 203.33.254.150, am I reading this wrong?

Telarin Posted August 30, 2006

Here's a possible scenario. If your mailserver had some kind of virus running on it, that virus would most likely not use your MTA to send mail, it would simply go direct to MX, which means that traffic would still be from your original mail server IP, not your relay. Your legitimate email would bounce from your MTA, to the relay/smart host and out on the new IP.

As Wazoo suggested, I would watch port 25 traffic on your firewall logs and see if you are still showing traffic from your mailserver going out on port 25 to places other than your designated relay.
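
The firewall-log check suggested above can be scripted. This is an added example, not part of the original thread: it assumes iptables-style LOG lines recorded before any NAT, and the addresses (RFC 5737 documentation ranges), the `SMTP_POLICY` table and the sample log are constructed. It flags new outbound tcp/25 connections from the mail server to anything other than its smart host, and from any host that is not a permitted sender at all.

```python
import re
from collections import Counter

MAIL_SERVER = "192.0.2.150"  # constructed address for the MTA
SMART_HOST = "192.0.2.147"   # constructed address for the designated relay
# Who may open outbound tcp/25, and to where (None = any destination).
SMTP_POLICY = {MAIL_SERVER: {SMART_HOST}, SMART_HOST: None}

BYPASS = "permitted sender bypassing its relay"
ROGUE = "host not authorised for outbound SMTP"

# Constructed sample log, iptables LOG format.
SAMPLE_LOG = """\
Aug 30 17:39:33 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.0.2.150 DST=192.0.2.147 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 SYN URGP=0
Aug 30 17:39:34 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.147 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=51020 DPT=25 WINDOW=5840 SYN URGP=0
Aug 30 17:40:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.150 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=40120 DPT=25 WINDOW=5840 SYN URGP=0
Aug 30 17:40:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.150 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=40121 DPT=25 WINDOW=5840 SYN URGP=0
Aug 30 17:40:09 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.99 LEN=60 TTL=127 PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 SYN URGP=0
Aug 30 17:40:15 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.150 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=40130 DPT=443 WINDOW=5840 SYN URGP=0
Aug 30 17:40:16 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.150 DST=203.0.113.9 LEN=52 TTL=63 PROTO=TCP SPT=40131 DPT=25 WINDOW=5840 ACK PSH URGP=0
Aug 30 17:45:00 gw sshd[311]: Accepted publickey for admin
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_new_smtp(line):
    """Return (src, dst) if the line logs a new tcp/25 connection, else None."""
    fields = dict(FIELD.findall(line))
    flags = TCP_FLAGS.intersection(line.split())
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
        return None
    if "SYN" not in flags or "ACK" in flags:  # count only the opening SYN
        return None
    src, dst = fields.get("SRC"), fields.get("DST")
    return (src, dst) if src and dst else None


def find_smtp_bypass(lines, policy=SMTP_POLICY):
    """Return [(src, dst, count, reason)] for SMTP flows the policy forbids."""
    counts = Counter()
    for line in lines:
        flow = parse_new_smtp(line)
        if flow is None:
            continue
        src, dst = flow
        if src in policy:
            allowed = policy[src]
            if allowed is None or dst in allowed:
                continue  # legitimate path: MTA -> smart host -> Internet
            reason = BYPASS
        else:
            reason = ROGUE
        counts[(src, dst, reason)] += 1
    findings = [(s, d, n, r) for (s, d, r), n in counts.items()]
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


if __name__ == "__main__":
    for src, dst, n, reason in find_smtp_bypass(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}:25  x{n}  {reason}")
```

An empty result over the listing period supports the "nothing going direct" conclusion; any row names the internal host to investigate.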

mmarklew (Author) Posted August 30, 2006

> Here's a possible scenario. If your mailserver had some kind of virus running on it, that .......

That is a good point and worth checking. It's a Linux server with postfix, I guess it's possible it has been compromised.

Just checked my netflow records and nothing going external from that IP. You had me worried for a second there.

Sorry to harp and thank you for your help, but I still do not know why I am blocked. Everyone has been helpful to give me records of spam my server sent but nothing in these posts allows me to track it back to my server and the originating user. I check the time stamps and there was nothing at the time I could see to be the message in question (my time is in sync).

Can I gain access to more of the header? I need the bit that shows the sent from/to or the message ID from my server so I can search my logs.

mmarklew (Author) Posted August 30, 2006

> but I'm guessing that as you don't have even a free reporting account, I don't know if you will be able to see the "full, technical details" ..????

I have a paid spamcop e-mail account. I am happy to even pay for a reporting account if I can get the info I need. Believe me I see the need for the Spamcop service I am as committed as you at stopping spam.

I have read loads of FAQ's and stuff but can find this out. There is a lot of info though. Can you point me to the right docs please?

Telarin Posted August 30, 2006

You should be able to get more detailed information from the deputies (deputies[at]admin.spamcop.net). The users here don't have access to any more information than what has already been posted unfortunately.

StevenUnderwood Posted August 30, 2006

> I have a paid spamcop e-mail account. I am happy to even pay for a reporting account if I can get the info I need. Believe me I see the need for the Spamcop service I am as committed as you at stopping spam.
>
> I have read loads of FAQ's and stuff but can find this out. There is a lot of info though. Can you point me to the right docs please?

You get a paid reporting account with your paid email account, but you will not get any more information that way. The email address just above can provide the information, but you will need to prove to the deputies you are the administrator of that server.

mmarklew (Author) Posted August 30, 2006

Wazoo's previous comment about us getting listed for forwarded e-mail was correct but I didn't quite understand what he meant.

Turns out one of my customers was forwarding e-mail to a spamcop account (I even do this) and the parser was making a mistake with the forwarding via my anti-virus system. Means it was listing my ISP for the e-mail by mistake.

The deputy fixed it but I need to clean up the message routing to prevent this type of thing happening again. I have been using the amavis anti virus for almost a year, but there must be something I have done wrong in its configuration.

Anyone seen this type of problem before and know how to fix the headers for amavis + postfix?

Thanks for everyone's help.
This topic is now archived and is closed to further replies.