80.53.104.91 - blocked again

[stranGer]

I am not an openrelay, can you provide me with info why am I blocked ?

80.53.104.91 - poczta.stalko-polska.com.pl

Sincerelly

stranGer

[StevenUnderwood]

I am not an openrelay, can you provide me with info why am I blocked ?

80.53.104.91 - poczta.stalko-polska.com.pl

Per: http://www.spamcop.net/w3m?action=blcheck&...ip=80.53.104.91, that IP address has:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

[Miss Betsy]

If you have been blocked because email has gone to spam traps, then it is most likely some sort of autoresponder - misdirected bounces, out of office replies.

Miss Betsy

[stranGer]

Thank you,

Certainly,

I had 1 user with vacation message - it's removed now,

also I have changed greylisting scri_pt from qgreylist to qgreylistrbl (http://www.datenklause.de/en/software/qgreylistrbl.html)

Should I wait all 21 hours or is it possible to remove my server from list immediately ?

regards

stranGer

[Derek T]

Thank you,

Certainly,

I had 1 user with vacation message - it's removed now,

also I have changed greylisting scri_pt from qgreylist to qgreylistrbl (http://www.datenklause.de/en/software/qgreylistrbl.html)

Should I wait all 21 hours or is it possible to remove my server from list immediately ?

If you are absolutely sure the problem is resolved you have a once-in-a-lifetime express delisting on the link Steven posted. If you've already used your 'get out of jail free' card then you'll just have to wait.

[Telarin]

Just to be on the safe side, I would recommend emailing the deputies to make sure that the problem was an autoresponder and not something else. They are the only ones that have access to the messages received by the spamtraps, and while they won't give you the headers or anything, as that would potentially compromise the identity of the spamtraps, they will generally be willing to tell you what kind of traffic they are seeing.

[DavidT]

...and the address would be: deputies [at] admin.spamcop.net

DT

[SpamCopAdmin]

Should I wait all 21 hours or is it possible to remove my server from list immediately ?

The problem isn't over. The IP is sending ordinary spam to our system. As recently as two hours ago.

Received: from poczta.stalko-polska.com.pl ([80.53.104.91])

by [our trap server] with SMTP; 05 Feb 2007 06:xx:xx -0800

Received: (qmail invoked from network); Mon, 5 Feb 2007 15:xx:xx +0100

Received: from unknown (HELO domb17wkabon) (xpplasma[at]vincistar.com[at]83.252.24.253)

by 5b683550vincistar.com with SMTP; Mon, 5 Feb 2007 15:xx:xx +0100

Message-ID: <[at]domb17wkabon>

From: license <x[at]vincistar.com>

To: x

Subject: jrsteld

Date: Mon, 5 Feb 2007

- Don D'Minion - SpamCop Admin -

service[at]admin.spamcop.net

http://www.spamcop.net/

[Telarin]

Well, I guess that answers that question. Seems you have everyday spam coming from your IP address. Is that IP dedicated to your mail server, or is the NAT address of your firewall being shared by multiple machines?

If it is shared by multiple machines, any one of them could be generating the spam in question. I would recommend monitoring your firewall for any traffic outbound on port 25 from any source other than your mail server.

Of course, that assumes you have already taken appropriate steps to insure that your mail server is not the problem.

[Merlyn]

That IP among others in the /24 have spamming problems

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2

Blocked - see http://www.spamcop.net/bl.shtml?80.53.104.91

--------------------------------------------------------------------------------

PSBL Passive spam Block List: psbl.surriel.com -> 127.0.0.2

Listed in PSBL, see http://psbl.surriel.com/listing?ip=80.53.104.91

--------------------------------------------------------------------------------

SPAMCANNIBAL the SpamCannibal project: bl.spamcannibal.org -> 127.0.0.2

blocked, See: http://www.spamcannibal.org/cannibal.cgi?p...p;lookup=$

--------------------------------------------------------------------------------

80.53.104.91

Last day 3.7 34060%

Last 30 days 1.8 370%

Average 1.1

-------------------------------------------------------------------------------------

Looks like the spammers have control of this IP

[Derek T]

80.53.104.91

Last day 3.7 34060%

Last 30 days 1.8 370%

Average 1.1

-----------------------------

Looks like the spammers have control of this IP

Stats to be taken with a pinch of salt as first mail from that IP seen on 2nd Feb 07: it's a new address.

[Merlyn]

Stats to be taken with a pinch of salt as first mail from that IP seen on 2nd Feb 07: it's a new address.

This is the most impressive stat and the most meaningful:

Last day 3.7 34060%

[stranGer]

I am only remote administrator and I informed proper persons to do some investigations on users desktops. It seems to me that problem has been solved (hopefully).

Now Spamcop tells me that it takes 1 hour to be delisted...

thank you very much for all suggestions!

stranGer

[Telarin]

Looks like its about to age off the SCBL. Senderbase volume is still showing a magnitude 4.0 which is up from the last check. That equates to about 10,000 emails per day flowing from that IP. Of course, those senderbase numbers seem to lag as much as 24 hours behind, so it is quite possible that if it was fixed in the last 24 hours, they might not reflect it yet. Hopefully you got everything sorted out, and won't have any more issues.