212.187.57.51 Blocked

[Krijn Tanis]

Since a few day I can't send mail anymore using my chello account (mail.chello.nl). The error was the following:

551 Mail from your IP is currently blocked based on RBL listing

The http://www.spamcop.net/w3m?action=checkblo...p=212.187.57.51 page says there are only spam traps listed, but I want more details about it. I'm realy against spam (I get more the 200 messages a day on my mail adresses). So I want to find out what the reason of my IP's blacklisting is.

Some information

- I am not running a mail server

- I have a home network with several systems and users

- I have a Linux server on the netwerk, accessible from the internet (also on ssh, but good secured)

- No port 25 is linked to a local IP in the NAT table of my router

My question:

- Is a system in the network sending spam mails using a locally installed mail server?

- Is a system in the network sending spam mails using my IP on a external mail server on the internet?

- Are the other reasons?

- How can I monitor my network for all mails that are outgoing

I can't control all systems on the network because some users are not in my home. So I want to find out if they are sending spam on my network, but how do I figure this out?

Thank you in advance for all your help!

[Farelf]

Since a few day I can't send mail anymore using my chello account (mail.chello.nl). The error was the following:

The http://www.spamcop.net/w3m?action=checkblo...p=212.187.57.51 page says there are only spam traps listed, but I want more details about it. I'm realy against spam (I get more the 200 messages a day on my mail adresses). So I want to find out what the reason of my IP's blacklisting is.

Hi Krijn Tanis, as you can see via the checkblock link you have given, SpamCop would regard chello.nl as the responsible handler for c57051.upc-c.chello.nl [212.187.57.51] with any reports going to abuse[at]chello.nl (except there are no reports for spamtrap hits). Accordingly chello.nl could use the approach described in How do I get information about spam trap hits? to find out more. You talk about "my network". Then do you have administrative control of that IP address? Even so, it might be more productive to have chello.nl to do the inquiry. As another approach, you might find some detail from other blocklists - see DNSStuff spam database lookup¹ for an extensive list with links. There are quite a few (marked in red).

As for monitoring the throughput of your network, perhaps another member "here" may be able to assist. I don't see enough detail of the architecture to even know if that is possible and have no idea of the specific tools that might be used if it is. Sorry.

[¹Nah, I had a look - no evidence in any BLs there (just listed for dynamic IP block or absence of SPF record). The only Google Groups evidence is 6-7 years old. Apart from some innocent postings to Quotenet nothing seen at all "in the open".]

[Miss Betsy]

I am not a server admin. I can't answer your questions about how to monitor.

However, when there are only spam trap hits, it usually means that the network is using auto responders. Auto responders can be out of office replies. They can also be misdirected bounces. The From is almost always forged by the spammer. If the receiving server accepts all email and then decides to send a non-delivery email, the email goes to the forged From, not to the spammer. The forged From can be a spam trap address.

The only tip I know about how to monitor is to look at the firewall logs. Computers infected by the spammers to send spam sometimes use other ports than the normal port 25 to send spam.

If you share an IP address with other users, then chello.nl are the people who can do something to stop the spam. People here can help you to explain it to them.

You can still send email. Only those ISPs who use spamcop will block your email. You can sign up for a hotmail account and still email those people whose ISPs are using spamcop.

Good Luck!

Miss Betsy

[Krijn Tanis]

Hi Krijn Tanis, as you can see via the checkblock link you have given, SpamCop would regard chello.nl as the responsible handler for c57051.upc-c.chello.nl [212.187.57.51] with any reports going to abuse[at]chello.nl (except there are no reports for spamtrap hits). Accordingly chello.nl could use the approach described in How do I get information about spam trap hits? to find out more. You talk about "my network". Then do you have administrative control of that IP address? Even so, it might be more productive to have chello.nl to do the inquiry. As another approach, you might find some detail from other blocklists - see DNSStuff spam database lookup¹ for an extensive list with links. There are quite a few (marked in red).

As for monitoring the throughput of your network, perhaps another member "here" may be able to assist. I don't see enough detail of the architecture to even know if that is possible and have no idea of the specific tools that might be used if it is. Sorry.

[¹Nah, I had a look - no evidence in any BLs there (just listed for dynamic IP block or absence of SPF record). The only Google Groups evidence is 6-7 years old. Apart from some innocent postings to Quotenet nothing seen at all "in the open".]

All the other red entries are because my IP is a dynamic IP address, so I can't run a mail server on my own. Only the entry at Spamcop is about a spamtrap. I think there is nothing to worry about at this moment I guess, I just wait for new problems...

Thank you all for your information!

[Derek T]

All the other red entries are because my IP is a dynamic IP address, so I can't run a mail server on my own. Only the entry at Spamcop is about a spamtrap. I think there is nothing to worry about at this moment I guess, I just wait for new problems...

I'd say you had a problem, unless you can explain the 20-fold increase in traffic from that IP in an innocent way?

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.5 2018%

Last 30 days 2.6 146%

Average 2.2

[Wazoo]

Since a few day I can't send mail anymore using my chello account (mail.chello.nl). The error was the following:

The http://www.spamcop.net/w3m?action=checkblo...p=212.187.57.51 page says there are only spam traps listed, but I want more details about it.

Technically, this message does not say that you cannot send mail .... it actually says that another ISP refuses to accept 'your' e-mail.

551 Mail from your IP is currently blocked based on RBL listing

This message does not directly point to SpamCop.net either ... RBL is a term registered to/by another company, once known as MAPS. On the other hand, the configuration of this un-named receiving ISP's servers are up to them, to include the error messages sent .....

- I am not running a mail server

- I have a home network with several systems and users

- I have a Linux server on the netwerk, accessible from the internet (also on ssh, but good secured)

- No port 25 is linked to a local IP in the NAT table of my router

Linux server that does 'serve' what?

Port 25 assignment on the router would normally be associated with 'incoming' traffic, usually pointing that incoming Port 25 traffic 'to' the computer that would be running the e-mail server (if you had one)

- Is a system in the network sending spam mails using a locally installed mail server?

This is the way most compromised systems send their spew these days. the virus/trojan/etc. containing it's own SMTP engine.

- Is a system in the network sending spam mails using my IP on a external mail server on the internet?

Not generally applicable, as if true, one would also 'assume' that the traffic would then point back to that 'other' server for being the source ..... but, with no samples to look at ...????

- Are the other reasons?

- How can I monitor my network for all mails that are outgoing

Firewall, firewall, firewall ..... actually 'monitoring' is a technical nightmare, especially based on your indicated proficiency on how things work .... much easier to 'block' all outgoing non-authorized traffic ... but again, no one here can guess at your network configuration. For example, if the Linux box is actually 'controlling' all traffic in/out, take a look at iptables .... if it's sitting 'off to the side' .. no need to waste your time.

I can't control all systems on the network because some users are not in my home. So I want to find out if they are sending spam on my network, but how do I figure this out?

This sounds absolutely scary ..... bottom line, if it's "your" betwork, one would think that "you" are the responsible person for any and all traffic out of that network ..... if you can't control it ..... ouch!

http://www.senderbase.org/search?searchBy=...g=212.187.57.51

Addresses in chello.nl used to send email

Showing 1 - 50 out of 3093

I'm not up to looking through 3000+ addresses to see if this IP address is a chello e-mail server or not .... that you are posting from the same IP address seems to suggest that it's not ...???

Date of first message seen from this address 2006-11-16

does this date have any relationship to "your network" ..?????

.... like the day you hooked up the wireless access point?

[Farelf]

...http://www.senderbase.org/search?searchBy=...g=212.187.57.51

Addresses in chello.nl used to send email

Showing 1 - 50 out of 3093

I'm not up to looking through 3000+ addresses to see if this IP address is a chello e-mail server or not .... that you are posting from the same IP address seems to suggest that it's not ...???

Trying to work out why it would *not* be in there if the SenderBase searchBy=ipaddress points to chello.nl? It *is* there of course, record 1750 out of 3093 at the moment - 212.187.57.51 c57051.upc-c.chello.nl, as said. (Just use the export to a text file facility provided by SenderBase and search).

I'd say you had a problem, unless you can explain the 20-fold increase in traffic from that IP in an innocent way?

Note, SenderBase magnitude 3.5 (currently) means approximately 10^3.5 messages per day (seen by SenderBase) = 3160.

[Wazoo]

Trying to work out why it would *not* be in there if the SenderBase searchBy=ipaddress points to chello.nl?

Not what I was thinking about .. I was looking at the 'names' trying to guess as to how to figure oit what they might really mean. Example;

amsfep19-int.chello.nl

h137188.upc-h.chello.nl

upc-c.chello.nl

Just looked like way to much work to try to work out just what the connection might be between user, ISP, server, and traffic for any single IP address. Back to "my e-mail is blocked" but "I don't run an e-mail server" ... which would imply a shared IP address/server .... yet, the 'blocked' IP address matches the posting IP address, which either ties back to user running an e-mail server or the ISP is shoving a lot of different traffic through a single computer / proxy, which goes back to the shared server scenario, possibly making this issue not "this user's" specific problem ....

Noting: Looking for potential administrative email addresses for 212.187.57.51:

Cannot find an MX for c57051.upc-c.chello.nl

Cannot find an MX for upc-c.chello.nl

[Adriaan]

Krijn,

I have an OpenBSD firewall between my Speedtouch ADSL modem/router and my home network switch. All outgoing network traffic has to go through this box (an old Pentium 200Mhz with 2 network cards)

To monitor my network I use a pf firewall rule to log all port 25 connections initiated from my network. This info ends up in a log file which I check regulary.

A snippet from this log

Jan 31 11:29:43.901527 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4411 > 62.251.0.47.25: tcp 0 (DF)
Feb 01 11:43:03.606101 rule 1..23/0(match): pass out on xl0: 192.168.222.210.11181 > 66.249.93.114.25: tcp 0 (DF)
Feb 01 12:23:38.763041 rule 1..23/0(match): pass out on xl0: 192.168.222.44.14495 > 202.83.166.115.25: tcp 0 (DF) [tos 0x10]
Feb 02 02:34:47.472237 rule 1..23/0(match): pass out on xl0: 192.168.222.210.45094 > 66.249.93.27.25: tcp 0 (DF)
Feb 02 08:29:56.186860 rule 1..23/0(match): pass out on xl0: 10.0.0.200.46741 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 09:36:54.896581 rule 1..23/0(match): pass out on xl0: 10.0.0.200.19573 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 09:53:09.693025 rule 1..23/0(match): pass out on xl0: 10.0.0.200.23579 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 15:44:01.883023 rule 1..23/0(match): pass out on xl0: 10.0.0.200.44940 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 15:55:56.850053 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4480 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 19:53:38.569941 rule 1..23/0(match): pass out on xl0: 10.0.0.200.14084 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 20:05:02.780961 rule 1..23/0(match): pass out on xl0: 10.0.0.200.31082 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 21:27:19.596962 rule 1..23/0(match): pass out on xl0: 192.168.222.210.46381 > 66.249.93.27.25: tcp 0 (DF)
Feb 03 01:22:05.911073 rule 1..23/0(match): pass out on xl0: 10.0.0.200.42254 > 62.251.0.29.25: tcp 0 (DF)

As you can see it doesn't look like I have spambot infected boxes

To be able to monitor your network, you need an appliance through which all network traffic has to pass through.

If all your network traffic goes through your Linux server, then you can monitor your network on your server.

If it doesn't, you could start with checking whether the Linux server is the culprit. Frequently cracked insecure PHP mailing scripts are a source of spam problems.

Check the mail logs of the mail server progam, to see if the mail server program is being abused to send mail.

In case the server mail log files give no indication of abuse, you could use tcpdump to log port 25 traffic

. The following is rather crude and has the disadvantage that it will log all port 25 packets sent by the server. So you better make sure you have enough space in "/var/log"

tcpdump -ttt -n -i ne3 -w /var/log/port25 "tcp dst port 25"

Explanation

-ttt					: print the timestamp
-n					  : don't resolve IP addresses to names
-i ne3				  : use network card "ne3". 
						  For Linux you will have to use "-i eth0" instead
-w /var/log/port25	  : write the data to the file "/var/log/port25"
"tcp dst port 25"	   : select TCP protocol data with destination port 25

To read the file with the paging program "less"

tcpdump -ttt -n -r /var/log/port25 | less

BTW your IP is still being blocked

$ ./zen.spamhaus 212.187.57.51 

; <<>> DiG 9.3.2-P1 <<>> -t a 51.57.187.212.zen.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47175
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;51.57.187.212.zen.spamhaus.org.		IN	  A

;; ANSWER SECTION:
51.57.187.212.zen.spamhaus.org. 1800 IN A	   127.0.0.11

;; Query time: 168 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sat Feb 24 06:48:27 2007
;; MSG SIZE  rcvd: 64

This is the output of a simple scri_pt that uses the same method used by mailservers to check if the IP address they are about to receive mail from is on a RBL list.

An answer in the loopback range 127.x.x.x means it is on such a list.

PS I am from Holland too, I live in the neighourhood of -'s-Hertogenbosch

[Merlyn]

Have you been sending lots of email in the last day?

Last day 3.1 680%

Last 30 days 2.5 132%

[Farelf]

...Last day 3.1 680%

Last 30 days 2.5 132%

That's a considerable reduction from previous rates, now

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 2.9 291%

Last 30 days 2.5 132%

Average 2.2

... and *off the SCBL*. Wireless access turned off, maybe?

Adriaan - looks like some very relevant and specific advice, thanks for "stepping in" with that!

[Adriaan]

[snip]

That's a considerable reduction from previous rates, now ... and *off the SCBL*. Wireless access turned off, maybe?

[snip]

That IP address is still on several blacklists

51.57.187.212.bl.spamcop.net				  : 127.0.0.2
51.57.187.212.zen.spamhaus.org				: 127.0.0.11
51.57.187.212.combined.njabl.org			  : 127.0.0.3

Just being curious I entered the address http://212.187.57.51/ in my browser and things started to become clear.

That (Dutch language) web page shows that the OP runs a "hotspot" where people having a subscription can log in through their wireless NIC.

It is also possible to buy a card which gives you access for a limited time. http://212.187.57.51/index.php?id=3 shows the prices of these access cards.

So that is the reason, why Krijn, the OP, doesn't know everybody who connects to his network

The solution to the problem, would be to block all port SMTP traffic originated from his network.

The subscribing customers, authenticated through a password, can be allowed to submit mail , via SSL on port 587/tcp of his (mail)server. This mail having an audit trail, can be safely relayed to it's destination.

In case one this category of customers gets "botnetted" he can call the customer and tell him to clean or reinstall his box.

Those who just buy a card with an access code for a single day should not be allowed to submit and relay mail through his server. Because these people are not traceable, they will have to use a similar authenticated procedure with their own "home" ISP.

Another example, how a lack of information, can result in well meant, but not completely applicable advice

[Derek T]

That (Dutch language) web page shows that the OP runs a "hotspot" where people having a subscription can log in through their wireless NIC.

It is also possible to buy a card which gives you access for a limited time. http://212.187.57.51/index.php?id=3 shows the prices of these access cards.

So that is the reason, why Krijn, the OP, doesn't know everybody who connects to his network

I wonder if chello.nl know that he is reselling their services and if that comes within their acceptable use policy? If so, it's no wonder I get so much spam from chello.nl, I had always assumed it was trojanned machines.

[Farelf]

That IP address is still on several blacklists

51.57.187.212.bl.spamcop.net				  : 127.0.0.2
51.57.187.212.zen.spamhaus.org				: 127.0.0.11
51.57.187.212.combined.njabl.org			  : 127.0.0.3

Indeed - back on the SCBL, just about timed off at the moment. The other BLs are a little harder to get out of.

...Just being curious I entered the address http://212.187.57.51/ in my browser and things started to become clear.

That (Dutch language) web page shows that the OP runs a "hotspot" where people having a subscription can log in through their wireless NIC.

Ah ha ... yes, it does become clearer now

...So that is the reason, why Krijn, the OP, doesn't know everybody who connects to his network

Unfortunately Krijn hasn't been back since shortly after his last post, hasn't fixed the problem having so far missed your advice.

...Another example, how a lack of information, can result in well meant, but not completely applicable advice

Indeed, but the missing pieces in place now, thanks to your detective work. Hm - I used to like that Thames/Euston detective show "Van Der Valk" - probably before you were born though.

I wonder if chello.nl know that he is reselling their services and if that comes within their acceptable use policy?...

Good question.