AlexWebster Posted October 25, 2006

Hi all,

Our Exchange server (213.31.181.19) has been blocked. However, the SpamCop page is reporting conflicting information.

The Query page says the address is listed (even though it was reported more than 24 hours ago and I requested a delisting): Click Here

However, the Dispute page says the address is not listed: Click Here

And yet, I got this SpamCop Alert email just now: "IPs reported in past hour: 213.31.181.19"

So which one of these is correct and why is there a conflict?

And, since I can't find it, can someone point me to where I can see who reported the server?

Many thanks,
Alex Webster
DavidT Posted October 25, 2006

Alex, I'm hoping you took a good look at the various FAQ and pinned items here? You might have missed this one: http://forum.spamcop.net/forums/index.php?showtopic=4133

I got to it by first clicking on "Start Here - before you make your first Post", then on "Blocking List Service (SCBL)" and finally on "NEW! SCBL 'will be delisted in 0 hours' (now shown as 'in a short time') explained".

Also, what have you done to stop the flow of spam from your IP address? The stats at Senderbase.org indicate that your server had a bit of a jump in email output over its average... 130% higher in fact.

Your IP is also listed on the "Passive Spam Block List" at: http://psbl.surriel.com for hitting one of their spamtrap addresses with an obvious spam. Here's the "evidence" page: http://psbl.surriel.com/evidence?ip=213.31...=Check+evidence

Have you traced down what or who was hijacking/using your server to attack the rest of the world?

DT
StevenUnderwood Posted October 25, 2006

> Our Exchange server (213.31.181.19) has been blocked. However, the SpamCop page is reporting conflicting information. The Query page says the address is listed (even though it was reported more than 24 hours ago and I requested a delisting): Click Here However, the Dispute page says the address is not listed: Click Here And yet, I got this SpamCop Alert email just now: "IPs reported in past hour: 213.31.181.19" So which one of these is correct and why is there a conflict? And, since I can't find it, can someone point me to where I can see who reported the server?

Conflicts can occur because of stale information between the mirrors, but I would hope that SpamCop would always access the master list. That does not appear to be the case. It is probably working through the mirrors. My manual testing of that IP address shows it still listed:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>nslookup
    Default Server:  kopdc01.kopin.com
    Address:  10.1.75.11

    > 19.181.31.213.bl.spamcop.net
    Server:  kopdc01.kopin.com
    Address:  10.1.75.11

    Name:    19.181.31.213.bl.spamcop.net
    Address:  127.0.0.2

There are two reports visible to paid reporters:

    Report History:
    ------------------------------------------------------
    Submitted: Tuesday, October 24, 2006 7:53:01 AM -0400:
    Tehachapi Temecula
    1982538337 ( 213.31.181.19 ) To: spamcop[at]imaphost.com
    1982538263 ( 213.31.181.19 ) To: mircea_pisica[at]infonet.com
    ------------------------------------------------------
    Submitted: Tuesday, October 24, 2006 7:52:53 AM -0400:
    Tehachapi Temecula
    1982537972 ( 213.31.181.19 ) To: spamcop[at]imaphost.com
    1982537942 ( 213.31.181.19 ) To: mircea_pisica[at]infonet.com
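The nslookup session above is a manual DNSBL query: the octets of the address are reversed, the zone name is appended, and an A record inside 127.0.0.0/8 means "listed". The following is an added example (not code from the thread or from SpamCop) that performs the same check programmatically; the zone name bl.spamcop.net and the 127.0.0.2 answer come from the post, while the injectable resolver is an assumption so the logic can be exercised offline.

```python
"""DNSBL lookup for an IPv4 address, mirroring the nslookup check above.

Added example, not the thread's or SpamCop's own code. The zone name
bl.spamcop.net and the 127.0.0.2 "listed" answer are taken from the post;
the injectable `resolve` hook is an assumption so the logic runs offline.
"""
import ipaddress
import socket
from typing import Callable, Optional

# RFC 5782 blocklists answer inside 127.0.0.0/8; SpamCop answers 127.0.0.2.
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the query name: octets reversed, then the blocklist zone appended.

    213.31.181.19 -> 19.181.31.213.bl.spamcop.net
    """
    addr = ipaddress.IPv4Address(ip)  # rejects hostnames, IPv6 and junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zone: str = "bl.spamcop.net",
                resolve: Callable[[str], Optional[str]] = system_resolver) -> dict:
    """Return a verdict dict: the query used, the A-record answer and a listed flag."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"query": name, "listed": False, "answer": None}
    # An answer outside 127.0.0.0/8 usually means a dead or wildcarded zone,
    # or a resolver that rewrites NXDOMAIN; never treat that as a listing.
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        return {"query": name, "listed": False, "answer": answer,
                "warning": "non-loopback answer; zone may be dead or DNS is being rewritten"}
    return {"query": name, "listed": True, "answer": answer}


if __name__ == "__main__":
    # Live check against the real zone; needs network access.
    print(check_dnsbl("213.31.181.19"))
```

Because DNSBL answers are ordinary DNS records, a caching resolver will keep serving a "listed" (or "not listed") answer until the record's TTL expires; that alone can make a DNS lookup disagree with the web query page for a while, which is the kind of conflict Alex saw.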
Telarin Posted October 25, 2006

No, you can not directly see who reported the server. What you can see is:

    213.31.181.19 listed in bl.spamcop.net (127.0.0.2)
    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

    Causes of listing
    - System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
    - SpamCop users have reported system as a source of spam less than 10 times in the past week

    Additional potential problems (these factors do not directly result in spamcop listing)
    - System administrator has already delisted this system once

You have already delisted the server once without correcting the problem, so you will not be able to delist it again. The fact that you have a combination of both user reports and spamtrap hits indicates that you probably have a pretty serious problem.

Are you running Exchange 2000 or 2003? If you are running 2000, it bounces messages to non-existent addresses by default. You will need to download a hotfix from Microsoft to correct that behaviour.

I'm certain one of the paid reporters will be kind enough to post a history of the user reports so we can see the types of messages being reported.

It looks like the abuse reports are sent to mircea_pisica[at]infonet.com. You could try contacting that address to find out why the reports are not being forwarded to you. You might also request that they list a proper abuse[at] role account in their RIPE listing. The role account is required by RFC 2142; however, some providers fail to implement them, or forget to add them to their RIPE contact information.
agsteele Posted October 25, 2006

The most recent reports from an individual were on the 24th. Both had the subject below.

    Submitted: 24 October 2006 12:53:01 +0100: Tehachapi Temecula

Other reports look like they relate to spamtraps.

Andrew
AlexWebster (Author) Posted October 25, 2006

Thanks all for the very quick response. I wasn't convinced that the problem was resolved but was under pressure from users - so I took a chance, delisted us, and unfortunately got burned.

We got hit with an MSN Messenger virus a few days ago, and it's entirely possible that this has left a nasty mailer somewhere. I have been de-lousing our desktop PCs but have not yet got to all of them. Unfortunately I haven't been able to identify exactly what payload was carried by the MSN message.

Alex
GraemeL Posted October 25, 2006

> Thanks all for the very quick response. I wasn't convinced that the problem was resolved but was under pressure from users - so I took a chance, delisted us, and unfortunately got burned. We got hit with an MSN Messenger virus a few days ago, and it's entirely possible that this has left a nasty mailer somewhere. I have been de-lousing our desktop PCs but have not yet got to all of them. Unfortunately I haven't been able to identify exactly what payload was carried by the MSN message.

On a side note, you have SMTP AUTH enabled, though I couldn't find any weak username/password combinations on your system. If you don't need remote users to be able to send mail through your server from random locations, you should disable remote authentication to reduce your attack surface.
Telarin Posted October 25, 2006

If you use a single public IP shared between your mail server and your users using a NAT appliance, you should also consider configuring your firewall to block all outbound traffic on port 25 unless it originates at the mail server.
AlexWebster (Author) Posted October 25, 2006

Surprisingly, our firewall was set up to allow outgoing SMTP from anyone. Our network manager has now changed this. Hopefully that will stem the tide, and we will then sniff the network for SMTP packets going outwards in an attempt to find the offending computer/s.

Re SMTP AUTH, I should be able to disable this - although I would have thought that this would increase rather than decrease the risk...?

I have contacted Infonet and hopefully will be a bit better informed in future.

Many thanks again for all your help.

Alex
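The two posts above describe one control and its verification: an egress policy that lets only the mail server reach port 25 outside the network, and a packet capture to find internal hosts that still try. The following added example (not the thread's own code) does that triage over tcpdump-style capture lines. The LAN range 192.168.10.0/24, the mail server address 192.168.10.5, the documentation-range destination addresses and the capture lines themselves are all constructed for the example; the thread gives no internal addressing.

```python
"""Find LAN hosts other than the mail server that open outbound SMTP connections.

Added example, not the thread's own code. The egress policy (only the mail
server may talk to port 25 outside the LAN) is the one the posts describe.
LAN, MAIL_SERVER, the external addresses and the capture lines are constructed.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.IPv4Network("192.168.10.0/24")        # assumed internal range
MAIL_SERVER = ipaddress.IPv4Address("192.168.10.5")  # assumed Exchange server

# Constructed capture in tcpdump -n style. Only bare SYNs ("Flags [S]") are
# counted, so each matching line is one outbound connection attempt; the
# SYN-ACK reply ("Flags [S.]") on the sixth line is deliberately ignored.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 192.168.10.5.49152 > 198.51.100.25.25: Flags [S], seq 1
10:01:02.350 IP 192.168.10.77.1034 > 203.0.113.27.25: Flags [S], seq 2
10:01:02.351 IP 192.168.10.77.1035 > 198.51.100.8.25: Flags [S], seq 3
10:01:03.010 IP 192.168.10.77.1036 > 203.0.113.161.25: Flags [S], seq 4
10:01:03.500 IP 192.168.10.23.2001 > 192.168.10.5.25: Flags [S], seq 5
10:01:04.000 IP 192.168.10.5.25 > 192.168.10.23.2001: Flags [S.], seq 6
10:01:04.200 IP 192.168.10.90.3000 > 203.0.113.32.25: Flags [S], seq 7
"""

SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)


def egress_permitted(src: str, dport: int, mail_server=MAIL_SERVER) -> bool:
    """The firewall policy from the thread: outbound port 25 only from the mail server."""
    if dport != 25:
        return True
    return ipaddress.IPv4Address(src) == mail_server


def rogue_smtp_senders(capture: str, lan=LAN, mail_server=MAIL_SERVER) -> Counter:
    """Count outbound SMTP connection attempts per LAN host that the policy forbids.

    Internal submission to our own server (dst inside the LAN) is legitimate
    and is not counted; so is anything the mail server itself sends.
    """
    hits = Counter()
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        src = ipaddress.IPv4Address(m.group("src"))
        dst = ipaddress.IPv4Address(m.group("dst"))
        dport = int(m.group("dport"))
        if src not in lan or dst in lan:
            continue  # not LAN-originated, or internal traffic to our own server
        if egress_permitted(str(src), dport, mail_server):
            continue
        hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for host, count in rogue_smtp_senders(SAMPLE_CAPTURE).most_common():
        print(f"{host}: {count} outbound SMTP attempt(s) blocked by policy")
```

Once the firewall rule is in place the same capture, taken at the firewall's inside interface, shows the blocked SYN attempts as repeated retransmissions from the same hosts; in this constructed sample 192.168.10.77 is the obvious first machine to pull off the network and clean.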
GraemeL Posted October 25, 2006

> Re SMTP AUTH, I should be able to disable this - although I would have thought that this would increase rather than decrease the risk...?

Having it enabled allows anybody with a valid username/password combination to relay mail through your server from any IP address on the internet. You didn't detect me scanning around 250 combinations and a spammer might try tens of thousands to get access to your server.
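GraemeL's point is that a few hundred authentication attempts went completely unnoticed. The defender's answer, besides turning remote SMTP AUTH off where it is not needed, is to count failures per source over a sliding window and alert on the burst. The following added example (not the thread's code, and not Exchange's actual log format) does that over constructed one-line-per-attempt log entries; the line shape, the documentation-range source addresses and the thresholds are all assumptions.

```python
"""Flag source addresses hammering SMTP AUTH, the exposure described above.

Added example, not the thread's own code. The log line shape is assumed (a
simple one-line-per-attempt format, not Exchange's real log), the source
addresses are documentation ranges, and the thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

AUTH_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH LOGIN (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one source cycling through usernames in a few seconds,
# and one legitimate user who mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
2006-10-25 09:12:01 AUTH LOGIN failed user=alice src=203.0.113.9
2006-10-25 09:12:03 AUTH LOGIN failed user=bob src=203.0.113.9
2006-10-25 09:12:05 AUTH LOGIN failed user=carol src=203.0.113.9
2006-10-25 09:12:06 AUTH LOGIN failed user=dave src=203.0.113.9
2006-10-25 09:12:08 AUTH LOGIN failed user=admin src=203.0.113.9
2006-10-25 09:12:09 AUTH LOGIN failed user=postmaster src=203.0.113.9
2006-10-25 09:15:40 AUTH LOGIN failed user=alice src=198.51.100.4
2006-10-25 09:15:55 AUTH LOGIN ok user=alice src=198.51.100.4
"""


def detect_auth_bruteforce(log_text: str, threshold: int = 5,
                           window_seconds: int = 60) -> dict:
    """Return {src: {"failures": peak_in_window, "users": distinct_usernames}}
    for every source whose failed logins reach `threshold` inside any
    `window_seconds` span. Successful logins are not counted."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m or m.group("result") != "failed":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        failures[m.group("src")].append((ts, m.group("user")))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        window = deque()  # timestamps inside the current sliding window
        peak = 0
        for ts, _ in attempts:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            # Many distinct usernames from one source is the spraying pattern
            # GraemeL describes, as opposed to one user fumbling a password.
            flagged[src] = {"failures": peak,
                            "users": len({user for _, user in attempts})}
    return flagged


if __name__ == "__main__":
    for src, info in detect_auth_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures, {info['users']} usernames tried")
```

The sliding window matters: a per-day total hides a burst of 250 attempts in a couple of minutes, while a short window catches it and still lets a real user make an honest mistake or two.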
dra007 Posted October 25, 2006

What intrigues me is why would an abuse desk use a name which literally translates as "the cat" and is not a real name.
AlexWebster (Author) Posted October 26, 2006

> What intrigues me is why would an abuse desk use a name which literally translates as "the cat" and is not a real name.

Whimsy? "The Cat"? Are you sure about that?
Farelf Posted October 26, 2006

> What intrigues me is why would an abuse desk use a name which literally translates as "the cat" and is not a real name.

Mircea Pisica, Principal Systems Engineer, Infonet Services Corporation? http://cnscenter.future.co.kr/rsc-center/p...PLScon2004.html and many other references?
This topic is now archived and is closed to further replies.