vampyre Posted October 12, 2006

Like many others, my IP 208.35.254.162 (burnersystems.com) is listed in bl.spamcop.net

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week

I have checked for open relays, and found none. You are welcome to confirm this. Our firewall is only allowing SMTP traffic outbound on port 25 from our mail server. I have scanned our Exchange server with Symantec, and we have mail filtering for Exchange. Nothing was found.

Can somebody help me please? This has just started this Monday.

turetzsr Posted October 12, 2006

Hi, vampyre,

...Have you looked through the SpamCop FAQ (see link near top left hand side of web page) or navigated to http://www.spamcop.net/ and clicked the "Learn More" link under the heading "REPORTED FOR SPAMMING?" If so, are there specific questions about what's there that we can answer for you? If not, please try that first, then return here with any follow-up questions you have. Thanks! <g>

Telarin Posted October 12, 2006

What version of Exchange are you running? By default Exchange 2000 generates a post-delivery bounce for all mail addressed to non-existent addresses. You must install a patch from Microsoft to prevent this. In Exchange 2003 there is an option in the system manager to prevent sending post-delivery bounces.

DavidT Posted October 12, 2006

I didn't see post-delivery bounces (known as "UUBE" here at SC), but here are some items in the recent "History" for that IP:

Report History:

Submitted: Wednesday, October 11, 2006 8:19:06 PM -0700:
Subject: Hey man, stop throwing away your money
* 1962127340 ( 208.35.254.162 ) To: spamcop[at]imaphost.com
* 1962127327 ( 208.35.254.162 ) To: abuse-quiet[at]sprint.net

Submitted: Wednesday, October 11, 2006 1:58:40 AM -0700:
Subject: Be healthy, be wealthy!
* 1961123169 ( 208.35.254.162 ) To: abuse-quiet[at]sprint.net

Kinda looks like garden-variety spam to me. The reports were sent to Sprint. If you want details, you'll need to get in touch with them. I think you might also be able to contact the SC admins and get your address added as an "interested party" to receive reports about that IP.

On a more-or-less related note, I did a Google Groups search on the IP and found a hit to an old thread about a zombie DOS attack on the SpamCop servers, and the IP you've supplied was one of the attacking machines! Here's a link:

http://groups.google.com/group/news.admin....67b08c5866b62d1

DT

Derek T Posted October 12, 2006

> Like many others, my IP 208.35.254.162 (burnersystems.com) is listed in bl.spamcop.net

Can you explain this seven-fold increase in traffic?

Report on IP address: 208.35.254.162

Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      4.3         728%
Last 30 days  3.4         -1%
Average       3.4

Looks like a routine trojanned machine / SMTP AUTH hack to me.

DavidT Posted October 12, 2006

...and it looks as if the 24-hour automatic delisting timer was reset a few hours ago, because I just checked the IP (which is again listed) and the details page says:

"If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours"

DT

Wazoo Posted October 12, 2006

> ...and it looks as if the 24-hour automatic delisting timer was reset a few hours ago, because I just checked the IP (which is again listed) and the details page says:

Assumedly based on a new 'report';

Submitted: Thursday, October 12, 2006 5:18:39 PM -0500:
[scanned by Cloudmark] High-quality drugs for you.
1963587790 ( 208.35.254.162 ) To: spamcop[at]imaphost.com
1963587772 ( 208.35.254.162 ) To: abuse-quiet[at]sprint.net

Derek T Posted October 13, 2006

Senderbase now showing 1431%. Has the OP been back, Wazoo?

Telarin Posted October 13, 2006

In case the OP hasn't had a look at the senderbase site, and doesn't know what those stats mean, that Magnitude 4.3 equates to somewhere in the neighborhood of 20,000 messages per day coming from that IP. Is that the amount of traffic you expect to be sending?

Do you have Exchange configured to send direct to MX using DNS, or are you forwarding through an ISP's smarthost? If you're smarthosting, then you may be at the mercy of other customers of that ISP using the same smarthost.

Merlyn Posted October 13, 2006

More spam examples from this IP at:

http://psbl.surriel.com/evidence?ip=208.35...=Check+evidence

and

http://antispam.imp.ch/spamikaze/spamlisti...=208.35.254.162

Looks like this machine is compromised.

petzl Posted October 13, 2006

> Like many others, my IP 208.35.254.162 (burnersystems.com) is listed in bl.spamcop.net
> Can somebody help me please? This has just started this Monday.

208.35.254.162 appears to be an email server.

SpamCop tries to list an IP address of the computer sending spam. The fact that it is not means your email server is misconfigured and is not stamping the source IP, leaving/naming 208.35.254.162 as the direct source instead of the computer sending the spam through it.

Note how SpamCop tracks my computer through Hotmail's correctly configured email server:

http://www.spamcop.net/sc?id=z1087964718z8...c974068e18a468z

You are probably also bouncing email.

Learn about backscatter

Bouncing email is worse than spamming as reply addresses are mainly a Joe Job. If they are hitting SpamCop spamtrap they are hitting addresses with around 16 or better alphanumeric[at] addresses which are better than bank security to guess but are obtained by web spiders, software used to mindlessly gather addresses for spammers.

Please read how to stop doing this:

http://www.spamcop.net/fom-serve/cache/329.html

SpamCop will release a blocked IP quickly just as it will list quickly (SpamCop Blocklist stops spam as it is being sent, not after it is sent). Other blocklists are slow and you will find that they will not release an IP as quickly as SpamCop does.

FIX YOUR PROBLEM NOW!

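The Received-header tracing that petzl's post refers to can be sketched as follows. This is an added example, not part of the thread and not SpamCop's parser; the hostnames, the documentation-range IP addresses and the `trusted` set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the thread); IPs are documentation ranges.
STAMPED = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.receiver.example with ESMTP id A1; Thu, 12 Oct 2006 10:00:02 -0500
Received: from pc7 (unknown [198.51.100.77])
\tby mail.example.org with ESMTP id B2; Thu, 12 Oct 2006 10:00:01 -0500
Subject: constructed sample

body
"""
UNSTAMPED = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx.receiver.example with ESMTP id C3; Thu, 12 Oct 2006 10:05:02 -0500
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the bracketed IP is what the
# stamping host saw on the connection; the HELO name is sender-supplied.
HOP = re.compile(
    r"from\s+\S+\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\).*?\bby\s+(\S+)", re.S)

def hops(raw):
    """Return [(connecting_ip, stamping_host), ...], newest hop first."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            found.append(m.groups())
    return found

def apparent_source(raw, trusted_hosts):
    """Follow the chain from the receiving side while each stamp was written
    by a trusted host; the IP in the last trusted stamp is the apparent source."""
    source = None
    for ip, by_host in hops(raw):
        if by_host not in trusted_hosts:
            break  # stamp from an untrusted host may be forged; stop here
        source = ip
    return source

if __name__ == "__main__":
    trusted = {"mx.receiver.example", "mail.example.org"}  # hypothetical list
    print(apparent_source(STAMPED, trusted))    # client behind the mail server
    print(apparent_source(UNSTAMPED, trusted))  # the mail server itself
```

When the relay adds its own Received line, the trail ends at the client that handed it the message; when it does not, the relay's own address is the last one a receiver can see.
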
Wazoo Posted October 13, 2006

> Senderbase now showing 1431%. Has the OP been back, Wazoo?

In just these few hours ......

http://www.senderbase.org/?searchBy=ipaddr...=208.35.254.162

Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      4.8         2286%
Last 30 days  3.5         29%
Average       3.4

vampyre hasn't been here since a little bit after making the Topic starting post.

Archived
This topic is now archived and is closed to further replies.