virused hosts again!

[derrick.hansen]

Hello, looks like a new wave of spaming viruses is going around. We have had our mail server; 208.98.210.10 blacklisted again. While we can shut down the hosts that are using thier own mail server to spam with, trying to find out who is spamming with our mail server is a little more dificult.

Any of the spam warriors want to help us slay the virused host or hosts? We were hitting the spam traps so little info is given back.

[StevenUnderwood]

Hello, looks like a new wave of spaming viruses is going around. We have had our mail server; 208.98.210.10 blacklisted again. While we can shut down the hosts that are using thier own mail server to spam with, trying to find out who is spamming with our mail server is a little more dificult.

Any of the spam warriors want to help us slay the virused host or hosts? We were hitting the spam traps so little info is given back.

Well, it looks as if someone cleared the list. You say it was spamtraps. Was that all it was? Did it mention anything about misdirected bounces? Have you tried to email deputies[at]spamcop.net to get more info (if you are an administrator of that IP address)?

Viruses are not the only way for a host to get listed. In August, at least one spam message was reported.

Submitted: Tuesday, August 22, 2006 5:51:39 PM -0400:

Bachelors, Masters, MBA, PhD can be yours in 4 weeks if you qualify.

[turetzsr]

...Paying members may be able to dredge up a bit more information. However, information about stuff hitting SpamTraps is only visible to the SpamCop Deputies (deputies[at]admin.spamcop.net). Please be sure to provide all relevant information and include evidence that you are an admin for the machine being blocked (208.98.210.10).

...Good luck!

[StevenUnderwood]

...Paying members may be able to dredge up a bit more information.

I should have mentioned there is no new information available to paying reporters.

[derrick.hansen]

I am in the support dept at sun country cable which owns the blocked IP. The system administrator did find some old auto reply's that were getting hit with spam and bouncing. We killed those. Hopefully that was all.

Yes the report for 208.98.210.10 was saying that there were 2 spamtrap hits since last night.

I figured it was a virused host because I have had to shut down about 6 so far this week. most of the time they set up thier own mail server, but the odd time we get it going thru the mail server. The last time that happened the spamcop forums helped us conferm the source. I thought it may have been similar.

So yeah, hopefully it was just the old auto-reply's.

[Telarin]

Hi Derrick

I'm wondering if perhaps your mail server software could be configured to filter some of the more common virus distribution subject lines, as most of them only have a handful of subjects that they use. If you could then log those filtering actions, it should make tracking down the infected hosts relatively easy.

Unfortunately, until there are some manual reports on the IP, there is not much we users will be able to find for you. Your best bet is to send an email to deputies[at]admin.spamcop.net.

Do your mail servers add a received: from line to the headers for the IP address of the originating client computer? If so, you might be able to get the deputies to give you that IP and an approximate time, then you should be able to determine who it is based off your DHCP logs.

[turetzsr]

...An off-topic "reply" was split off from this thread and moved to the Lounge with title "Off-topic Post from Thread "virused hosts again!" PM sent to relevant individuals to advise of split and new location of those replies (Off-topic Post from Thread "virused hosts again!").