brodel Posted September 11, 2006

We have recently (past week or two) had users reporting their e-mails are being rejected by various companies that they send to. Here is an example:

    The following recipient(s) could not be reached:
    on 9/8/2006 12:45 PM
    There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
    <nat.vafb.com #5.5.0 smtp;554 Service unavailable; Client host [65.213.205.175] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?65.213.205.175>

This has been happening on and off. I have searched around the site for the first part of today trying to find similar issues from others, but have mainly found out how to get your server off the blacklist.

My server isn't currently on the blacklist, but I am afraid it might just pop up tomorrow or the next day. Is there a way we can make sure we do not appear on the blacklist, or at least find out what is causing us to be there? At first we figured it was just a mistake and the next day all was ok.. then a little while later we were back on the list.

Any help on this matter would be greatly appreciated, our users are much confused about this.

Thanks!
-Brodel

agsteele Posted September 11, 2006

> We have recently (past week or two) had users reporting their e-mails are being rejected by various companies that they send to.

This IP is not currently listed in the SCBL but has been reported with what definitely appears to be spam.

    Submitted: 08 September 2006 15:38:44 +0100:
    Good bussines opportunity for the investors
    * 1912962750 ( 65.213.205.175 ) To: mole[at]devnull.spamcop.net

    Submitted: 29 August 2006 14:26:47 +0100:
    Stock promotion up to 300% in price
    * 1897248295 ( 65.213.205.175 ) To: abuse[at]uu.net

    Submitted: 28 August 2006 19:23:33 +0100:
    Stock promotion up to 300% in price
    * 1896041836 ( 65.213.205.175 ) To: spamcop[at]imaphost.com
    * 1896041826 ( 65.213.205.175 ) To: abuse[at]uu.net

    Submitted: 28 August 2006 17:31:51 +0100:
    Stock promotion group is in search of new partners
    * 1895890495 ( 65.213.205.175 ) To: spamcop[at]imaphost.com
    * 1895890479 ( 65.213.205.175 ) To: abuse[at]uu.net

    Submitted: 06 August 2006 05:14:59 +0100:
    Delivery Status Notification (Failure)
    * 1865749931 ( 65.213.205.175 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Looks like abuse[at]uu.net and spamcop[at]imaphost.com have been receiving notices advising of the issue. Are you linked with either of these addresses? If not, raise it with your ISP.

Andrew

brodel Posted September 13, 2006

I set up e-mail notifications of when our address gets reported.. but all it says is:

    IPs reported in past hour:
    65.213.205.175

I need to know who sent it so I can track this down to verify it. Telling me that someone reported me doesn't help me any.

Wazoo Posted September 13, 2006

> This has been happening on and off. I have searched around the site for the first part of today trying to find similar issues from others, but have mainly found out how to get your server off the blacklist.

I'm not sure I understand your comment / thought ... Not having an IP address on the SpamCopDNSBL is pretty much what this Forum section is all about, so of course "how to get your server off the list" is a recurring theme. Yet, did you actually read any of these "other folks'" stories and see the different causes, different troubleshooting techniques .. did you look at the various data samples provided in showing the "spew" problems ... did you do any of this research on your own system?????

> My server isn't currently on the blacklist, but I am afraid it might just pop up tomorrow or the next day. Is there a way we can make sure we do not appear on the blacklist, or at least find out what is causing us to be there? At first we figured it was just a mistake and the next day all was ok.. then a little while later we were back on the list.

See the above .... there is a SpamCop FAQ here .. have you even looked at it?

> I set up e-mail notifications of when our address gets reported.. but all it says is:
> IPs reported in past hour:
> 65.213.205.175
> I need to know who sent it so I can track this down to verify it. Telling me that someone reported me doesn't help me any.

And once again, the SpamCop FAQ here, the also Pinned "Why am I Blocked" FAQ entry, and numerous "other folks posting" discussions offer the only way you're going to get more data than what has already been offered in this primarily user-to-user support venue.

brodel Posted September 13, 2006

I don't care to argue. I'm here looking for help. You can save all that "Look at the FAQ" stuff. I tried finding my answer on these forums for hours before even registering for an account to post. Your response (well ones like it), is the reason why. I knew someone was going to do the holier than thou bit.

Anyway, to Andrew (agsteele), Thanks so much for your help. I just need to find a way to get info other than that it was reported. If there's a way to find the e-mail address(es) that have been reported, that would help me figure out what is going on. Even the time that the suspected spam was sent would be helpful. I signed up for the e-mail notifications (as described on this site) hoping I would get a bit more info.

Thanks again.

StevenUnderwood Posted September 13, 2006

> If there's a way to find the e-mail address(es) that have been reported, that would help me figure out what is going on.

E-mail addresses are NOT reported because they can and usually are, forged. Only the IP address is reported.

> Even the time that the suspected spam was sent would be helpful.

Generally, the time would be within 48 hours of the report being received at the recipient's server. Other than that, the message is too old to report.

> I signed up for the e-mail notifications (as described on this site) hoping I would get a bit more info. Thanks again.

What you signed up for is summaries of the reports for a specific IP. Unless it is your IP block, you will not get the reports directly.

Looks like abuse[at]uu.net will receive the reports for 65.213.205.175. You should contact them if that is your assigned IP address (rather than sharing a server with other people) and ask them to contact you when there are reports against that IP.

    Reports routes for 65.213.205.175:
    routeid:13521949 65.205.158.0 - 65.217.53.255 to:abuse[at]mci.com
    Administrator interested in all reports
    Thursday, March 17, 2005 10:26:51 AM -0500 [Note added by 216.127.43.94 (sam.julianhaight.com)]
    routeid:11679670 65.192.0.0 - 65.217.53.255 to:abuse[at]mci.com
    remove mci from 65.205.157.0 /24 -- listwashing
    routeid:18006572 65.192.0.0 - 65.223.255.255 to:abuse[at]uu.net
    Administrator interested in all reports
    Thursday, February 09, 2006 1:49:45 PM -0500 [Note added by 67.33.168.115 (adsl-33-168-115.asm.bellsouth.net)]
    request uu.net

Miss Betsy Posted September 13, 2006

Why doesn't someone give him the report history info so that he can see the subject lines?

agsteele did say that it definitely looked like spam. That probably means a user with a compromised computer which is usually found by looking at the firewall logs because the spammer's engine uses other ports.

Can you check Sendermail for increased volume?

Miss Betsy

turetzsr Posted September 13, 2006

> Why doesn't someone give him the report history info so that he can see the subject lines?
> <snip>

...Yeah, that would have been nice, wouldn't it? What a bunch of dummies we are!

...Oh, wait, here it is! Of course, the subject lines are cleverly hidden on separate lines that aren't labeled "subject." <g>

agsteele Posted September 14, 2006

> If there's a way to find the e-mail address(es) that have been reported, that would help me figure out what is going on. Even the time that the suspected spam was sent would be helpful.

I posted, in my original response, the only information available to fellow reporters. That gives dates, times and subjects of the messages I identified at that moment. It also identifies who the reports are sent to. As I noted, abuse[at]uu.net and spamcop[at]imaphost.com receive the reports and since you didn't respond positively I'm now assuming you aren't linked with these addresses.

If you can obtain the original reports from these guys then that will provide a small amount of additional information. Remember that SpamCop doesn't record or report senders' Email addresses, it records the originating mail server IP address.

deputies[at]spamcop.net have more information but you will need to provide some convincing reason why they would release information to you if you are not a registered abuse desk.

That said, I'd be looking for a compromised PC spewing spam rather than an individual. Unless, of course, you have someone running a pump-and-dump stocks and shares scam...

Andrew

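Added example, not part of any post in this thread: one way to act on the suggestions above from Miss Betsy and agsteele to look in the firewall logs for a compromised PC. It summarises internal hosts, other than the mail server, that open their own outbound SMTP connections. The log format, the internal addresses and the function name `find_direct_smtp_senders` are assumptions, and it presumes workstations leave the network through the same public IP as the mail server.

```python
import re
from collections import defaultdict

# Constructed sample firewall log; the line format and all addresses are assumptions.
SAMPLE_LOG = """\
2006-09-08 12:40:02 ALLOW TCP 192.168.1.10:41022 -> 198.51.100.25:25
2006-09-08 12:40:05 ALLOW TCP 192.168.1.57:3120 -> 203.0.113.14:25
2006-09-08 12:40:05 ALLOW TCP 192.168.1.57:3121 -> 203.0.113.80:25
2006-09-08 12:40:06 ALLOW TCP 192.168.1.57:3122 -> 198.51.100.77:25
2006-09-08 12:40:09 ALLOW TCP 192.168.1.33:2044 -> 203.0.113.5:80
2006-09-08 12:41:12 DENY TCP 192.168.1.61:1999 -> 203.0.113.14:25
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_direct_smtp_senders(log_text, mail_servers, smtp_port=25):
    """Summarise hosts, other than the known mail servers, that open outbound SMTP."""
    stats = defaultdict(lambda: {"attempts": 0, "allowed": 0,
                                 "destinations": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or int(m["dport"]) != smtp_port or m["src"] in mail_servers:
            continue  # malformed line, non-SMTP traffic, or the legitimate mail server
        s = stats[m["src"]]
        s["attempts"] += 1
        s["allowed"] += m["action"] == "ALLOW"  # DENY lines still show a host trying
        s["destinations"].add(m["dst"])
        # Timestamps in this format sort correctly as plain strings.
        s["first"] = min(s["first"] or m["ts"], m["ts"])
        s["last"] = max(s["last"] or m["ts"], m["ts"])
    # Busiest hosts first; many distinct destinations in a short window is the bot pattern.
    return sorted(({"host": h, **s} for h, s in stats.items()),
                  key=lambda r: (-r["attempts"], r["host"]))

if __name__ == "__main__":
    for row in find_direct_smtp_senders(SAMPLE_LOG, mail_servers={"192.168.1.10"}):
        print(row["host"], row["attempts"], "attempts,", row["allowed"], "allowed,",
              len(row["destinations"]), "destinations,", row["first"], "to", row["last"])
```

The time window of each flagged host can then be compared with the "Submitted" times in the report history, keeping in mind that a report may arrive up to 48 hours after the message was received.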
brodel Posted September 14, 2006

> E-mail addresses are NOT reported because they can and usually are, forged. Only the IP address is reported.

I can understand not reporting the e-mail address since anyone can easily change the address, but including that info in the report would greatly help me track down whose machine is doing this. I tend to agree with agsteele that I might have a bot or something on a user's PC. My other concern is that, with the type of business we do in certain departments, the e-mails would look completely legit. Some departments here do a lot with stocks and lobbying.

> Generally, the time would be within 48 hours of the report being received at the recipient's server. Other than that, the message is too old to report.

Awesome, didn't know that. I'll keep that in mind.

> Looks like abuse[at]uu.net will receive the reports for 65.213.205.175. You should contact them if that is your assigned IP address (rather than sharing a server with other people) and ask them to contact you when there are reports against that IP.

Ok. Cool. Another worry of mine was that I wasn't sure if there was some central place that all of the reports were sent to. I'll see if I can get connected with that address. Is that how you found all of those e-mails reported on my IP? I want to see if we have been reported again recently so I can check through more recent logs.

Thanks again!

Telarin Posted September 14, 2006

> I'll see if I can get connected with that address. Is that how you found all of those e-mails reported on my IP? I want to see if we have been reported again recently so I can check through more recent logs.

No, paid spamcop reporters have access to the limited report details that were posted. The actual original reports that are sent to the registered abuse addresses are much more detailed, contain the original headers, and the message itself.

I don't know precisely what your situation and relation with uu.net is. If you get your connectivity directly from them, and have a large enough block of IPs, they might be willing to add your address as an alternative abuse address in the WHOIS data, that way you would get the reports directly. On the other hand, they really should be forwarding these reports to you anyway right now, rather than simply ignoring them.

If you are getting connectivity from someone else that is reselling uu.net bandwidth and IP space, then you probably need to contact that provider and find out how the abuse reports are routed. It may be that they are receiving the reports from uu.net and then failing to forward them on to you.

In either case, if you can get your email address associated with your IP block in the WHOIS data, you would be able to get full reports directly.

DavidT Posted September 14, 2006

For the IP range 65.213.205.160 - 65.213.205.191, here's a link to the information on file with ARIN:

http://ws.arin.net/cgi-bin/whois.pl?queryi...5-213-205-160-1

That page indicates that abuse reports should be sent to "abuse-mail(at)mci.com" and yet the SpamCop system's "explanation" of where it sends reports doesn't mention that address:

    Report routing for 65.213.205.160: abuse(at)mci.com, abuse(at)uu.net
    abuse(at)mci.com redirects to abuse(at)uu.net

I thought that SpamCop used to get its reporting addresses from "abuse.net" but their web-based lookups only accept domain names, and not IP addresses.

DT

Telarin Posted September 14, 2006

Also, I believe if you can sufficiently convince the deputies that you are responsible for a portion of those IPs, they can manually add your abuse address as a 3rd party recipient for that range. You would have to confirm this with deputies[at]admin.spamcop.net however.

Archived
This topic is now archived and is closed to further replies.