
Exactly: why?



Here is my IP listed in BL:

---------------------------------------

Query bl.spamcop.net - 213.208.178.242

DNS error: 213.208.178.242 is logix-gw.naukanet.ru but logix-gw.naukanet.ru has no DNS information

(Help) (Trace IP) (Senderbase lookup)

213.208.178.242 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 100 times by less than 10 users. It has been sending mail consistently for at least 9.3 days. In the past 8.5 days, it has been listed 2 times for a total of 8.0 days

* In the past week, this system has: Been reported as a source of spam less than 10 times

* Been detected sending mail to spam traps

* Been witnessed sending mail about 130 times

A sample sent sometime during the 24 hours beginning Monday, March 15, 2004 03:00:00 +0300:

Received: from -.-.- (-.-.- [213.208.178.242])

by -.-.-.- (-.-.-.-) with SMTP id -

for <-[at]-.-.-.->- Tue, - Mar 2004 - -

Subject: notice

From: xd.. at ..r.com

---------------------------------------------------

So, I would like to get a clear understanding of what happened. What is the "spam" that caused my IP to be listed? My mail server is not an open relay - checked by ORDB.

Surely my users occasionally get infected, but there have not been any really massive spam sendings through my mail server recently. Who are those "10 users", and what has disturbed them? The "sample" you show says NOTHING.


Hi,

I'm just an ordinary non-technical user but, until someone more qualified comes along, have you looked at previous postings?

This one seems similar

Some questions from bewildered admin

It also has the links to the relevant FAQ etc. I hope it is helpful to you, if not repost with detail how your case is different. Apart from SpamCop staff, some other members are sysadmins themselves and will be able to talk at your level. It is just that those in North America are probably still asleep (or wishing they were)


OK, your first listing of the SpamCop BL lookup ... I see this as confusing also, unless your Domain has been cut off entirely or there are some severe problems in the registration / configuration of the Domain;

03/19/04 03:41:51 whois logix-gw.naukanet.ru[at]whois.ripe.net

No entries found for the selected source(s).

03/19/04 03:40:01 dig 213.208.178.242 [at] 199.5.157.128

Dig 242.178.208.213.in-addr.arpa[at]199.5.157.128 ...

Non-authoritative answer

Recursive queries supported by this server

Query for 242.178.208.213.in-addr.arpa type=255 class=1

242.178.208.213.in-addr.arpa PTR (Pointer) logix-gw.naukanet.ru

178.208.213.in-addr.arpa NS (Nameserver) ns.naukanet.ru

178.208.213.in-addr.arpa NS (Nameserver) ns2.nsv.ru

ns.naukanet.ru A (Address) 217.150.50.50

ns2.nsv.ru A (Address) 81.26.145.66

Then we go to the "been reported about 100 times by less than 10 users", which implies that there's a lot of traffic to a few people .. that's a bit unusual ...

However, the next bit "Been detected sending mail to spam traps" also suggests something not good, but noting that spamtrap hits don't send reports either.

The "sample" used to be a fairly complete listing of spams, but it was seen that spammers were using this data to keep their spew flowing, so these samples are now incomplete and not in real-time ... which also makes it hard for "us" to try to analyze what has happened.

That you checked the e-mail server logs and found nothing rules out several possibilities. The next item to check would be the firewall logs to see if you can discover traffic that has left your system by means other than the e-mail server. There's the possibility that you've an infected machine on the network that's sending stuff out on its own.

One thing to try next is to send a nice request to deputies at admin.spamcop.net and ask that they take a look at the spamtrap entries. In the past, Ellen (usually) has been able to point to the machine (by IP) internal to the network that has been doing the spew. That's making a bit of a presumption at what she/they may see in the spamtrap data, but I'm thinking it's a pretty good guess based on the report numbers offered. Here's hoping we can get the problem targeted, although I'm not sure what to tell you to do about the DNS issue ... hoping you've already got those things being looked at.

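The two lookups this post turns on, the bl.spamcop.net query and the reverse-DNS check on 213.208.178.242, both work by reversing the IP's octets under a zone name. The following is an added example, not code from the thread or from SpamCop, that builds those query names, runs a forward-confirmed reverse DNS (FCrDNS) check and a DNSBL check, and does so against stub resolver tables whose records mirror the dig output and the "listed in bl.spamcop.net (127.0.0.2)" line quoted above. The PTR for 217.150.50.50 is a constructed addition to give one confirming case; the missing A record for logix-gw.naukanet.ru reproduces the "has no DNS information" error. The `live_resolvers` helper is an assumed convenience for swapping in the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Stub resolver tables. The PTR and A answers for logix-gw.naukanet.ru,
# ns.naukanet.ru and ns2.nsv.ru mirror the dig output quoted in the thread;
# the PTR for 217.150.50.50 is constructed to give one confirming case.
# logix-gw.naukanet.ru is deliberately absent from STUB_A, reproducing the
# "has no DNS information" error SpamCop reported.
STUB_PTR: Dict[str, List[str]] = {
    "213.208.178.242": ["logix-gw.naukanet.ru"],
    "217.150.50.50": ["ns.naukanet.ru"],            # constructed
}
STUB_A: Dict[str, List[str]] = {
    "ns.naukanet.ru": ["217.150.50.50"],
    "ns2.nsv.ru": ["81.26.145.66"],
    # DNSBL answer mirroring "listed in bl.spamcop.net (127.0.0.2)"
    "242.178.208.213.bl.spamcop.net": ["127.0.0.2"],
}

Resolver = Callable[[str], List[str]]


def reverse_octets(ip: str) -> str:
    """'213.208.178.242' -> '242.178.208.213'; rejects malformed input."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def ptr_name(ip: str) -> str:
    """The in-addr.arpa owner name that dig queried in the thread."""
    return reverse_octets(ip) + ".in-addr.arpa"


def dnsbl_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """The name a mail server asks the DNSBL zone for."""
    return reverse_octets(ip) + "." + zone


def stub_lookup(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by one of the stub tables above (offline)."""
    return lambda key: list(table.get(key.lower(), []))


def live_resolvers():
    """System-resolver versions of the two lookups (needs network access)."""
    def ptr(ip: str) -> List[str]:
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
            return [name] + aliases
        except (socket.herror, socket.gaierror):
            return []

    def a(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []
    return ptr, a


def dnsbl_listed(ip: str, zone: str = "bl.spamcop.net",
                 resolve_a: Resolver = stub_lookup(STUB_A)) -> Optional[str]:
    """Return the 127.0.0.0/8 answer if the IP is listed in the zone, else None."""
    for answer in resolve_a(dnsbl_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None


def fcrdns(ip: str, resolve_ptr: Resolver = stub_lookup(STUB_PTR),
           resolve_a: Resolver = stub_lookup(STUB_A)) -> dict:
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip."""
    names = resolve_ptr(ip)
    result = {"ip": ip, "ptr": names, "confirmed": False, "problem": "no PTR record"}
    for name in names:
        addrs = resolve_a(name)
        if ip in addrs:
            result.update(confirmed=True, problem=None)
            break
        result["problem"] = (f"{name} has no A record" if not addrs
                             else f"{name} resolves to {addrs}, not {ip}")
    return result


if __name__ == "__main__":
    for addr in ("213.208.178.242", "217.150.50.50"):
        print(ptr_name(addr), fcrdns(addr))
        print(dnsbl_name(addr), "->", dnsbl_listed(addr))
```

Run against the stubs, the listed IP fails FCrDNS with "logix-gw.naukanet.ru has no A record", which is the DNS error SpamCop printed, while the DNSBL check returns 127.0.0.2 independently of it; the two problems are separate, as Wazoo says further down. Pass `*live_resolvers()` into `fcrdns` and `dnsbl_listed` to check a real address.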

Thank you Wazoo,

I know there is DNS resolving trouble for 213.208.178.242; now I am solving it with my uplink provider. Anyway, I don't think it's the origin of the blacklisting of my mail server.

BTW, does "been reported about 100 times by less than 10 users" mean that any 10 assholes sending 10 spam reports each mentioning my mail server can block it??

Thanks for the admins email, I'll try to use it.


umm, the address was deputies at admin.spamcop.net (replacing the word "at" with the symbol "[at]")

To get an IP listed on the SpamCop BL, there's a bit of a mathematical formula in use, starting with 2 reports from 2 different users, but then factor in time, amount of traffic "seen", and spamtraps have a multiplier involved .. so yes, it's possible that less than 10 recipients of something they consider spam could tip the scales.

This DNS issue wouldn't cause an entry to a blocking list, but it would sure hamper someone trying to e-mail you <g>


Thanks again,

How stupid of me not to guess the correct address. I wrote there.

What about all the pinned and other items on the SpamCop site? I've gone through it all, but I lack real info about what could have taken place, as I don't have the kludges of messages considered as suspicious. That's why I try to get in touch with somebody.


logix.ru,Mar 19 2004, 03:24 AM] Here is my IP listed in BL:

---------------------------------------

Query bl.spamcop.net - 213.208.178.242

DNS error: 213.208.178.242 is logix-gw.naukanet.ru but logix-gw.naukanet.ru has no DNS information

(Help) (Trace IP) (Senderbase lookup)

213.208.178.242 listed in bl.spamcop.net (127.0.0.2)

So, I would like to get a clear understanding of what happened. What is the "spam" that caused my IP to be listed? My mail server is not an open relay - checked by ORDB.

Surely my users occasionally get infected, but there have not been any really massive spam sendings through my mail server recently. Who are those "10 users", and what has disturbed them? The "sample" you show says NOTHING.

There is spam being sent to our spamtraps from your IP which is why it is listed in the SpamCop blocklist. You can write to deputies[at]spamcop.net to continue this discussion if you would like.


Well, what else do I have to do to get my query answered or (what a crazy hope) my server unlisted? Dance on the desktop?

Stopping the spam would be a good start ;) IPs are delisted automatically 48 hrs (or less) after the last spam.


For those who do not understand on the first attempt, I am happy to repeat in capital letters: to stop anything I need to know WHAT HAD BEEN INTERPRETED AS spam THERE. IT IS JUST WHY I ASK TO SEND ME SOME KIND OF KLUDGES, A SAMPLE OF THE BOTHERING LETTERS, THE ADDRESSES TO WHICH THEY WERE SENT OR ANYTHING ELSE, EXCEPT THIS:

---------------------------

A sample sent sometime during the 24 hours beginning Monday, March 15, 2004 03:00:00 +0300:

Received: from -.-.- (-.-.- [213.208.178.242])

by -.-.-.- (-.-.-.-) with SMTP id -

for <-[at]-.-.-.->- Tue, - Mar 2004 - -

Subject: notice

From: xd.. at ..r.com

----------------------------


The deputy, Ellen, told you that what was coming through your server is spam. If you do not think that anyone on your network is sending spam, then you should look for a vulnerability.

I am not an admin so I don't know all the technical terms. I do know that admins can look at logs and see if a user has sent lots of emails (which is what a spammer on your network would be doing). If no one has, then it should also be possible to see if a lot of activity has happened. That would indicate that you have an open proxy or that a virus/trojan has infected your computer or that a password has been guessed.

As I understand it, spammers can look at the samples that you are asking for and figure out how to avoid being caught. Since Ellen did not say that it looked like a vulnerability, I suspect that someone is really sending spam. That's just a guess.

The only way to get delisted is to find out where the spam is coming from and stop it. If you are not competent to do that, hire someone who can. Like drivers on the highway who do not know how to drive, server administrators who do not know how to find problems on their servers cause problems on the internet.

Miss Betsy

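The log check described in the post above, counting how much mail each user or host pushed through the server and looking for the one that stands out, can be done mechanically. The following is an added example, not code from the thread or from SpamCop; the log lines are constructed in a simplified Postfix shape (the format is assumed for this example) and the thresholds are assumptions. It pairs each message's connecting client with its recipient count by queue id and flags clients far above the median. A high-volume client with no authenticated user, as in the constructed sample, is the pattern that points at an infected workstation or an open proxy rather than a user's mailbox.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed sample log lines in a simplified Postfix shape (format assumed
# for this example; not taken from the thread). Each message appears twice:
# an smtpd line naming the connecting client (and its SASL user, if it
# authenticated) and a qmgr line with the envelope sender and recipient
# count, tied together by the queue id.
SAMPLE_LOG: List[str] = [
    "Mar 15 03:02:11 gw postfix/smtpd[1201]: A1B2C3: client=ws12.example.net[192.0.2.12], sasl_username=alice",
    "Mar 15 03:02:12 gw postfix/qmgr[1187]: A1B2C3: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)",
    "Mar 15 03:05:40 gw postfix/smtpd[1201]: B2C3D4: client=ws31.example.net[192.0.2.31], sasl_username=bob",
    "Mar 15 03:05:41 gw postfix/qmgr[1187]: B2C3D4: from=<bob@example.net>, size=900, nrcpt=2 (queue active)",
    "Mar 15 03:07:02 gw postfix/smtpd[1202]: C3D4E5: client=unknown[192.0.2.77]",
    "Mar 15 03:07:03 gw postfix/qmgr[1187]: C3D4E5: from=<notice@example.com>, size=1400, nrcpt=45 (queue active)",
    "Mar 15 03:07:30 gw postfix/smtpd[1202]: D4E5F6: client=unknown[192.0.2.77]",
    "Mar 15 03:07:31 gw postfix/qmgr[1187]: D4E5F6: from=<notice@example.com>, size=1400, nrcpt=60 (queue active)",
    "Mar 15 03:08:05 gw postfix/smtpd[1201]: E5F6A7: client=ws12.example.net[192.0.2.12], sasl_username=alice",
    "Mar 15 03:08:06 gw postfix/qmgr[1187]: E5F6A7: from=<alice@example.net>, size=3100, nrcpt=1 (queue active)",
    "Mar 15 03:09:12 gw postfix/smtpd[1203]: F6A7B8: client=ws05.example.net[192.0.2.5], sasl_username=carol",
    "Mar 15 03:09:13 gw postfix/qmgr[1187]: F6A7B8: from=<carol@example.net>, size=500, nrcpt=3 (queue active)",
    "Mar 15 03:10:44 gw postfix/smtpd[1202]: A7B8C9: client=unknown[192.0.2.77]",
    "Mar 15 03:10:45 gw postfix/qmgr[1187]: A7B8C9: from=<notice@example.com>, size=1400, nrcpt=30 (queue active)",
]

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-client totals: messages, recipients, SASL users and envelope senders."""
    clients = {}  # queue id -> (client ip, sasl user or None)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["ip"], m["user"])
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                  "users": set(), "senders": set()})
    for line in lines:
        m = FROM_RE.search(line)
        if not m or m["qid"] not in clients:
            continue  # local pickup, or a queue id we never saw a client line for
        ip, user = clients[m["qid"]]
        t = totals[ip]
        t["messages"] += 1
        t["recipients"] += int(m["nrcpt"])
        if user:
            t["users"].add(user)
        t["senders"].add(m["sender"])
    return dict(totals)


def flag_outliers(totals: Dict[str, dict], min_recipients: int = 20,
                  ratio: float = 5.0) -> List[str]:
    """Clients whose recipient total is both large in absolute terms and far
    above the median client (thresholds are assumed); highest volume first."""
    counts = [t["recipients"] for t in totals.values()]
    if not counts:
        return []
    baseline = median(counts)
    hits = [ip for ip, t in totals.items()
            if t["recipients"] >= min_recipients and t["recipients"] > ratio * baseline]
    return sorted(hits, key=lambda ip: totals[ip]["recipients"], reverse=True)


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for ip in flag_outliers(totals):
        t = totals[ip]
        print(f"{ip}: {t['messages']} msgs, {t['recipients']} rcpts, "
              f"users={sorted(t['users']) or 'none (unauthenticated)'}, "
              f"senders={sorted(t['senders'])}")
```

On the constructed sample the only hit is 192.0.2.77, which sent 135 recipients across three messages with no SASL login; the same summary over a real mail log, with the client and sender sets printed, is what the next step (pulling that host off the network and inspecting it) needs.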

Miss Betsy,

I know Mrs. SpamCop supposes some spam has been sent from my IP. I do not see any kind of abuse mailings in my logs. I do not see any security holes either; I have spent a whole day inspecting my system. That is why I need some more info about the mailings that have caused the blacklisting of my IP. I have said that several times in this topic and am repeating it especially for you once again. In the recent 10 hours I have sent 3 letters to the addresses given by Ellen and Wazoo and still have got NO answer. I am expecting the answer by e-mail, so it must be secure for SpamCop to explain to me what the matter is.

Please read carefully all the topic before posting comments, or hire somebody to do it for you.


Stopping the spam would be a good start. IPs are delisted automatically 48 hrs (or less) after the last spam

Yup, that would be my suggestion as well. I am sorry but I have little respect for admins who fail to control their network resources and users. Make the changes to fix the problem or get a new admin, period.

I work for a school district with nearly 10,000 networked workstations in addition to many servers, wireless APs, and other network devices and when we have an issue, it takes less than an hour to resolve it. If initial action fails, remove the offending system from the network until it can be resolved properly.

Find the spammer, remove their access and make them prove they were not sending the spam. If you do not know how to find the spammer or the offending system, you should not be an admin.


...Gee, you people are sure tough! I am beginning to understand why some users have given up trying to find help and advice in SpamCop.net fora and newsgroups. Sure, in an ideal world all admins would be omniscient but the fact that we're apparently dealing with one who isn't doesn't seem to me to justify the level of rudeness that is beginning to show. If you want to be rude, please consider doing it in a more private manner rather than in a public forum. Thanks!


logix.ru,Mar 19 2004, 02:11 PM]<snip>

Ellen suggested that I discuss the problem by e-mail, and I am just wondering how many days it would take to answer my letters.

...Hint: you are not going to get an answer to that question here because no one here can possibly know when a deputy will be in a position to communicate her/his findings back to you.

...If you enjoy the abuse you've been getting, please keep right on posting your question. If you do not enjoy it, just wait and Ellen or another deputy will certainly get back to you when there is something useful to tell you. :)


logix.ru,Mar 19 2004, 02:22 PM]To Steve: thank you for the hint.

:rolleyes:

Switching to patient waiting with hope in my soul...

...You're quite welcome.

...And don't be too patient! If there's no answer in about a week, send another e-mail to deputies <at> admin.spamcop.net.

