Jump to content

68.160.79.3


VRod74
 Share

Recommended Posts

Hi,

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and and Out Of Office replies to the internet from going out.

Heck, I have even ran a full fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

Link to comment
Share on other sites

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and and Out Of Office replies to the internet from going out.

Heck, I have even ran a full fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

You are correct that it is not listed and the only publically available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

Link to comment
Share on other sites

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and and Out Of Office replies to the internet from going out.

Heck, I have even ran a full fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

What's missing 'here' is an example of one or more of the rejection notices you say you are receiving.

http://spamcop.net/w3m?action=checkblock&ip=68.160.79.3

68.160.79.3 not listed in bl.spamcop.net

http://www.senderbase.org/search?searchBy=...ing=68.160.79.3

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.5 .. 650%

Last 30 days .. 3.2 .. 277%

Average ........ 2.6

Can you justify that increase in traffic as something other than spam/misdirected bouces/etc. ??

Report History:

Submitted: Friday, November 03, 2006 4:24:58 AM -0600:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

The only item showing as a reported spam ....

So, from 'just another user' viewpoint, it is not currently listed, no sign available that it was ...

so if it was, it's not now ..

The other possibility is that the receiving ISP has a screwed up configuration, whereas your e-mail may be rejected, but the wrong 'justification/error' message is being generated ....

Link to comment
Share on other sites

You do not get any 'bouncebacks' from spamcop. You get rejection messages by server admins who are using the spamcop blocklist.

Some admins are lazy and use the spamcop message format to reject email for reasons other than that the IP address is on the spamcop bl. Your IP address is not listed on any other blocklists, however. Are all the 'bouncebacks' coming from one place? If so, it would probably be a good idea to contact that server admin and ask hir.

It might be a good idea to provide the rejection message. The only alarming thing is that your senderbase stats show an increase.

A real server admin may be by shortly to ask you more technical questions. Meanwhile, I would continue looking for a way that something could be compromised.

Miss Betsy

Link to comment
Share on other sites

You are correct that it is not listed and the only publically available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

Sorry I call them bounced emails... Here is are two examples:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3

Unable to deliver message to <2046[at]prtc.net>.

************************ End of message **********************

and the other is this:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 "your access to this mail system has been rejected due to the sending mta's poor reputation. please reference the following url for more information: http://www.senderbase.org/search?searchstring=68.160.79.3 if you believe that this failure is in error, please contact the intended recipient via alternate means."

Unable to deliver message to <mleone[at]oxfordshirtmakers.com>.

************************ End of message **********************

I have already contacted Verizon.net regarding this. I haven't heard from them since.

By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.

Link to comment
Share on other sites

OK, what I am seeing is that the SpamCopDNSBL is not involved here. Those rejection notices are dealing with something using SenderBase Reputation scores to make the call. And the only thing I can suggest on that is to point back to my previous question ....

OK, you edited your last while I was typing in the above ... editing this one to add a reply;

By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.

No, your "incoming" is not what is 'scored' on that SenderBase page. However, the 'connection' may be that your server is sending out those mis-directed bounces in reply to that flood of spam .... which then may also be feeding into the 'bad reputation' point scoring' ...???

Link to comment
Share on other sites

Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase?

The senderbase reputation, while handled by IronPort, the same company that owns Spamcop, is not in any way related to the SCBL.

I would try to contact the receiving ISP to find out what the problem is, since I don't believe there is any way to access the "Senderbase reputation" without paying for that service. It doesn't appear that that IP is listed in ANY blocklists, so I would write this off as a clueless admin on the receiving end.

Link to comment
Share on other sites

... Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase? ...
The concept is addressed in the IronPort whitepaper http://www.ironport.com/pdf/ironport_c60_rep_based_paper.pdf - part of the "solution" package.
Link to comment
Share on other sites

Ok I got listed this time. Although traffic from senderbase.org has lowered.

68.160.79.3 listed in bl.spamcop.net (127.0.0.2)

Listing History

In the past 8.5 days, it has been listed 4 times for a total of 3.5 days.

It's definitely misdirected spam from side, i'll get working on this. :P

Link to comment
Share on other sites

It's definitely misdirected spam from side, i'll get working on this. :P

There is still only the one 'reported' spam ... the SpamCopDNSBL page only mentions spamtrap hits.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.3 200%

Last 30 days 3.2 285%

Average 2.6

It may have been that the spammer took a bit of a break from your server, allowing it to fall off the 'listed' status .... then came back ....

Good luck and thanks for keeping at it!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...