stranGer Posted February 5, 2007

I am not an open relay, can you provide me with info why I am blocked?

80.53.104.91 - poczta.stalko-polska.com.pl

Sincerely
stranGer

StevenUnderwood Posted February 5, 2007

> I am not an open relay, can you provide me with info why I am blocked?
> 80.53.104.91 - poczta.stalko-polska.com.pl

Per: http://www.spamcop.net/w3m?action=blcheck&...ip=80.53.104.91, that IP address has:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Miss Betsy Posted February 5, 2007

If you have been blocked because email has gone to spam traps, then it is most likely some sort of autoresponder - misdirected bounces, out of office replies.

Miss Betsy

stranGer (Author) Posted February 5, 2007

Thank you,

Certainly, I had 1 user with a vacation message - it's removed now. Also, I have changed the greylisting script from qgreylist to qgreylistrbl (http://www.datenklause.de/en/software/qgreylistrbl.html)

Should I wait all 21 hours or is it possible to remove my server from the list immediately?

regards
stranGer

Derek T Posted February 5, 2007

> Thank you, Certainly, I had 1 user with a vacation message - it's removed now. Also, I have changed the greylisting script from qgreylist to qgreylistrbl (http://www.datenklause.de/en/software/qgreylistrbl.html)
> Should I wait all 21 hours or is it possible to remove my server from the list immediately?

If you are absolutely sure the problem is resolved you have a once-in-a-lifetime express delisting on the link Steven posted. If you've already used your 'get out of jail free' card then you'll just have to wait.

Telarin Posted February 5, 2007

Just to be on the safe side, I would recommend emailing the deputies to make sure that the problem was an autoresponder and not something else. They are the only ones that have access to the messages received by the spamtraps, and while they won't give you the headers or anything, as that would potentially compromise the identity of the spamtraps, they will generally be willing to tell you what kind of traffic they are seeing.

DavidT Posted February 5, 2007

...and the address would be: deputies [at] admin.spamcop.net

DT

SpamCopAdmin Posted February 5, 2007

> Should I wait all 21 hours or is it possible to remove my server from list immediately?

The problem isn't over. The IP is sending ordinary spam to our system. As recently as two hours ago.

    Received: from poczta.stalko-polska.com.pl ([80.53.104.91]) by [our trap server] with SMTP; 05 Feb 2007 06:xx:xx -0800
    Received: (qmail invoked from network); Mon, 5 Feb 2007 15:xx:xx +0100
    Received: from unknown (HELO domb17wkabon) (xpplasma[at]vincistar.com[at]83.252.24.253) by 5b683550vincistar.com with SMTP; Mon, 5 Feb 2007 15:xx:xx +0100
    Message-ID: <[at]domb17wkabon>
    From: license <x[at]vincistar.com>
    To: x
    Subject: jrsteld
    Date: Mon, 5 Feb 2007

- Don D'Minion - SpamCop Admin -
service[at]admin.spamcop.net
http://www.spamcop.net/

Telarin Posted February 5, 2007

Well, I guess that answers that question. Seems you have everyday spam coming from your IP address. Is that IP dedicated to your mail server, or is the NAT address of your firewall being shared by multiple machines? If it is shared by multiple machines, any one of them could be generating the spam in question. I would recommend monitoring your firewall for any traffic outbound on port 25 from any source other than your mail server. Of course, that assumes you have already taken appropriate steps to ensure that your mail server is not the problem.

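The check suggested in the post above, as an added example that is not part of the thread: it scans firewall logs for new outbound TCP/25 connections from any internal host other than the mail server. The log lines are constructed samples in the Linux netfilter LOG format, and the mail server address `192.168.1.10` and WAN interface `eth0` are assumptions.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"  # assumption: internal address of the legitimate mail server
WAN_IF = "eth0"               # assumption: the firewall's internet-facing interface

# Constructed sample in the netfilter LOG format (not taken from the thread).
SAMPLE_LOG = """\
Feb  5 15:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25 SYN URGP=0
Feb  5 15:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 SYN URGP=0
Feb  5 15:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1046 DPT=25 SYN URGP=0
Feb  5 15:01:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 ACK PSH URGP=0
Feb  5 15:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.80 PROTO=TCP SPT=2211 DPT=443 SYN URGP=0
Feb  5 15:01:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP SPT=1047 DPT=25 SYN URGP=0
Feb  5 15:01:13 fw kernel: IN=eth1 OUT=eth2 SRC=192.168.1.40 DST=192.168.1.10 PROTO=TCP SPT=3050 DPT=25 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER, wan_if=WAN_IF):
    """Map each non-mail-server source to the set of hosts it tried to reach on TCP/25."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        flags = line.split()
        # Only internet-bound SMTP; clients submitting mail to the local server are fine.
        if f.get("OUT") != wan_if or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        # Count connection attempts (SYN without ACK), not packets of existing sessions.
        if "SYN" not in flags or "ACK" in flags:
            continue
        if f.get("SRC") and f["SRC"] != mail_server:
            found[f["SRC"]].add(f.get("DST"))
    return dict(found)

if __name__ == "__main__":
    for src, dests in rogue_smtp_sources(SAMPLE_LOG).items():
        print(f"{src} opened SMTP connections to {len(dests)} distinct hosts")
```

A desktop that contacts many distinct remote hosts on port 25 is the pattern to look for; once the offender is found, an egress rule that permits port 25 only from the mail server keeps other machines from sending mail directly.
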
Merlyn Posted February 5, 2007

That IP among others in the /24 have spamming problems

SPAMCOP
SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2
Blocked - see http://www.spamcop.net/bl.shtml?80.53.104.91

PSBL
Passive spam Block List: psbl.surriel.com -> 127.0.0.2
Listed in PSBL, see http://psbl.surriel.com/listing?ip=80.53.104.91

SPAMCANNIBAL
the SpamCannibal project: bl.spamcannibal.org -> 127.0.0.2
blocked, See: http://www.spamcannibal.org/cannibal.cgi?p...p;lookup=$

80.53.104.91
Last day 3.7 34060%
Last 30 days 1.8 370%
Average 1.1

Looks like the spammers have control of this IP

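How a `zone -> 127.0.0.2` result like those in the listing above is obtained, as an added example that is not part of the thread: the IP's octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed". The `resolve` parameter is a hypothetical hook added so the check can be exercised without network access.

```python
import ipaddress
import socket

ZONES = ("bl.spamcop.net", "psbl.surriel.com")  # two of the zones in the listing above

def dnsbl_name(ip, zone):
    """80.53.104.91 + bl.spamcop.net -> 91.104.53.80.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone

def check_dnsbl(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: 'listed <code>' | 'not listed' | 'unexpected <answer>'}."""
    status = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            # No A record. The same error is raised when the resolver itself fails,
            # so a monitoring job should retry before treating this as a clean result.
            status[zone] = "not listed"
            continue
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            status[zone] = "listed " + answer
        else:
            # An answer outside 127.0.0.0/8 is not a listing code, for example a
            # resolver that rewrites failed lookups to a search page.
            status[zone] = "unexpected " + answer
    return status

if __name__ == "__main__":
    # Live DNS lookup for the address discussed in the thread.
    for zone, state in check_dnsbl("80.53.104.91").items():
        print(zone, "->", state)
```
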
Derek T Posted February 5, 2007

> 80.53.104.91
> Last day 3.7 34060%
> Last 30 days 1.8 370%
> Average 1.1
> Looks like the spammers have control of this IP

Stats to be taken with a pinch of salt as first mail from that IP seen on 2nd Feb 07: it's a new address.

Merlyn Posted February 5, 2007

> Stats to be taken with a pinch of salt as first mail from that IP seen on 2nd Feb 07: it's a new address.

This is the most impressive stat and the most meaningful:

Last day 3.7 34060%

stranGer (Author) Posted February 8, 2007

I am only a remote administrator and I informed the proper persons to do some investigations on users' desktops. It seems to me that the problem has been solved (hopefully). Now SpamCop tells me that it takes 1 hour to be delisted...

Thank you very much for all suggestions!

stranGer

Telarin Posted February 8, 2007

Looks like it's about to age off the SCBL. Senderbase volume is still showing a magnitude 4.0, which is up from the last check. That equates to about 10,000 emails per day flowing from that IP. Of course, those Senderbase numbers seem to lag as much as 24 hours behind, so it is quite possible that if it was fixed in the last 24 hours, they might not reflect it yet. Hopefully you got everything sorted out, and won't have any more issues.

This topic is now archived and is closed to further replies.