
68.160.79.3


VRod74


Hi,

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.

Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?


> 68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.
>
> Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.
>
> I'm going nuts here, what else am I missing?

You are correct that it is not listed and the only publicly available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.


> 68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.
>
> Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.
>
> I'm going nuts here, what else am I missing?

What's missing 'here' is an example of one or more of the rejection notices you say you are receiving.

http://spamcop.net/w3m?action=checkblock&ip=68.160.79.3

68.160.79.3 not listed in bl.spamcop.net

http://www.senderbase.org/search?searchBy=...ing=68.160.79.3

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.5 .. 650%

Last 30 days .. 3.2 .. 277%

Average ........ 2.6

Can you justify that increase in traffic as something other than spam/misdirected bounces/etc. ??

Report History:

Submitted: Friday, November 03, 2006 4:24:58 AM -0600:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

The only item showing as a reported spam ....

So, from 'just another user' viewpoint, it is not currently listed, no sign available that it was ...

so if it was, it's not now ..

The other possibility is that the receiving ISP has a screwed up configuration, whereas your e-mail may be rejected, but the wrong 'justification/error' message is being generated ....


You do not get any 'bouncebacks' from spamcop. You get rejection messages by server admins who are using the spamcop blocklist.

Some admins are lazy and use the spamcop message format to reject email for reasons other than that the IP address is on the spamcop bl. Your IP address is not listed on any other blocklists, however. Are all the 'bouncebacks' coming from one place? If so, it would probably be a good idea to contact that server admin and ask hir.

It might be a good idea to provide the rejection message. The only alarming thing is that your senderbase stats show an increase.

A real server admin may be by shortly to ask you more technical questions. Meanwhile, I would continue looking for a way that something could be compromised.

Miss Betsy


> You are correct that it is not listed and the only publicly available report in the last 30 days is:
>
> Submitted: Friday, November 03, 2006 5:24:58 AM -0500:
>
> Undeliverable: spam: Eleanor wrote:
>
> 1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net
>
> Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

Sorry, I call them bounced emails... Here are two examples:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3

Unable to deliver message to <2046[at]prtc.net>.

************************ End of message **********************

and the other is this:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 "your access to this mail system has been rejected due to the sending mta's poor reputation. please reference the following url for more information: http://www.senderbase.org/search?searchstring=68.160.79.3 if you believe that this failure is in error, please contact the intended recipient via alternate means."

Unable to deliver message to <mleone[at]oxfordshirtmakers.com>.

************************ End of message **********************

I have already contacted Verizon.net regarding this. I haven't heard from them since.

By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.


OK, what I am seeing is that the SpamCopDNSBL is not involved here. Those rejection notices are dealing with something using SenderBase Reputation scores to make the call. And the only thing I can suggest on that is to point back to my previous question ....

OK, you edited your last while I was typing in the above ... editing this one to add a reply;

> By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.

No, your "incoming" is not what is 'scored' on that SenderBase page. However, the 'connection' may be that your server is sending out those mis-directed bounces in reply to that flood of spam .... which then may also be feeding into the 'bad reputation' point scoring ...???


Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase?

The senderbase reputation, while handled by IronPort, the same company that owns Spamcop, is not in any way related to the SCBL.

I would try to contact the receiving ISP to find out what the problem is, since I don't believe there is any way to access the "Senderbase reputation" without paying for that service. It doesn't appear that that IP is listed in ANY blocklists, so I would write this off as a clueless admin on the receiving end.


> ... Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase? ...

The concept is addressed in the IronPort whitepaper http://www.ironport.com/pdf/ironport_c60_rep_based_paper.pdf - part of the "solution" package.

Ok I got listed this time. Although traffic from senderbase.org has lowered.

68.160.79.3 listed in bl.spamcop.net (127.0.0.2)

Listing History

In the past 8.5 days, it has been listed 4 times for a total of 3.5 days.

It's definitely misdirected spam from side, I'll get working on this. :P


> It's definitely misdirected spam from side, I'll get working on this. :P

There is still only the one 'reported' spam ... the SpamCopDNSBL page only mentions spamtrap hits.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.3 200%

Last 30 days 3.2 285%

Average 2.6

It may have been that the spammer took a bit of a break from your server, allowing it to fall off the 'listed' status .... then came back ....

Good luck and thanks for keeping at it!

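The triage this thread works through, as an added example that is not part of any post: read which reputation source a relayed 554 rejection actually cites, then check the sending IP against bl.spamcop.net directly, since a notice's wording alone does not prove a listing. The function names, the hostname-to-source map and the injectable `resolve` parameter are assumptions made for illustration; the notice text and the `127.x` listing answer are taken from the thread.

```python
import ipaddress
import re
import socket

# Second rejection notice quoted in the thread (wrapped here for readability).
SENDERBASE_NOTICE = (
    'Received >>> 554 "your access to this mail system has been rejected due '
    "to the sending mta's poor reputation. please reference the following url "
    'for more information: '
    'http://www.senderbase.org/search?searchstring=68.160.79.3"'
)

# Hostname suffix cited in a rejection -> reputation source (illustrative map).
SOURCES = {"senderbase.org": "senderbase", "spamcop.net": "spamcop"}

def classify_rejection(text):
    """Return (smtp_code, source) for a relayed rejection line."""
    code = re.search(r">>>\s*(\d{3})\b", text)
    source = "unknown"
    for host in re.findall(r"https?://([^/\s\"]+)", text, re.I):
        for suffix, name in SOURCES.items():
            if host.lower() == suffix or host.lower().endswith("." + suffix):
                source = name
    return (int(code.group(1)) if code else None, source)

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """True if the zone answers with a 127.x.x.x record for this IP."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except socket.gaierror:
        # No A record (or resolver failure): treat as not listed.
        return False

def diagnose(notice, ip, resolve=socket.gethostbyname):
    """Combine what the notice cites with what the DNSBL actually says."""
    code, source = classify_rejection(notice)
    listed = dnsbl_listed(ip, resolve=resolve)
    if source == "senderbase":
        verdict = "reputation-score reject, independent of the SpamCop DNSBL"
    elif source == "spamcop" and not listed:
        verdict = "notice cites SpamCop but IP is not listed: ask receiving admin"
    elif listed:
        verdict = "listed in bl.spamcop.net: find the outbound source"
    else:
        verdict = "no reputation source identified: request full rejection text"
    return {"code": code, "source": source, "listed": listed, "verdict": verdict}
```

Calling `diagnose(SENDERBASE_NOTICE, "68.160.79.3")` with the default resolver performs a live DNS query; pass a stub `resolve` to run it offline.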

Archived

This topic is now archived and is closed to further replies.
