
[Resolved] 208.49.196.41 Blocklisted


wng


Hi,

I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening? This is the second time that I have been notified that my company e-mails have been labeled as spam.

William

wng[at]horngroup.com


What is happening is that emails from the same IP address that your company uses to send email have been reported as spam or 'misdirected bounces'.

You may share an IP address with others. You may have an infected machine on your network that is sending spam without your knowledge. You may be accepting email and then sending a 'bounce' message to forged email addresses. You may have Out of Office replies replying to spam.

Those are some of the reasons you may get a spamcop report or your company IP address may be on the spamcop blocklist.

If you provide the IP address of the mail server that your company uses, people may be able to give better guesses on why you have a problem.

Miss Betsy


I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening? This is the second time that I have been notified that my company e-mails have been labeled as spam.

Sorry, all our psychics are out of the office at the moment. Read the FAQs on how to avoid a rude/silly answer, supply an IP and we might be able to help you.


Sorry, all our psychics are out of the office at the moment. Read the FAQs on how to avoid a rude/silly answer, supply an IP and we might be able to help you.

208.49.196.41 I supplied the IP in the header of the topic.


*quietly points out that the IP address was listed in the subject*

208.49.196.41 resolves to exchange2.horngroup.com

I'm guessing from that PTR record that this is most likely a dedicated mail server belonging to your company, so I'm going to ignore the "sharing an IP address" scenarios here.

Does the rejection message you are getting back from bounced email indicate that it was blocked due to a spamcop listing?

Currently your IP address is not listed, but I don't have the ability to see past reports, so perhaps a paying reporter will happen by soon and be able to post any reports that they can see. If there were any user reports, they would have been sent to abuse[at]gblx.net. I'm guessing that is probably your ISP, and not your organization directly. You may want to check with those folks and find out why reports have not been forwarded to you for handling.

What version of Exchange are you running? I know with some older versions (5.5 and earlier I believe), the default behavior was to accept all mail, and then generate an email later to the (almost always forged) envelope FROM address stating that the message could not be delivered. This is no longer acceptable behavior for a mail server, as those thousands of misdirected bounces go to uninvolved third parties, and are themselves no better than spam. I believe there is a hotfix for Exchange 5.5 on Microsoft's website that allows you to disable these misdirected bounces. More recent versions of Exchange do not have this problem unless they are intentionally misconfigured.

Is that IP address dedicated to JUST your mail server, or is it sitting on the same IP as the rest of your network using some kind of NAT device? If this is the case, and your router supports it, I would suggest blocking outbound connections to port 25 from anything except the mail server. There is generally no reason for PCs to try to send email direct to MX. This should also create entries in your firewall log when connections are attempted and rejected, which should help you track down an infected machine if that is causing the problem.

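The post above suggests blocking outbound port 25 from everything but the mail server and then reading the firewall log to find the infected PC. The script below is an added example, not code from the thread, that does the second half: it parses constructed Netfilter LOG-target lines for rejected outbound SMTP connections and tallies the offending internal hosts. The OUT25-DROP log prefix, the 192.168.1.x addresses and the mail server address are all assumptions.

```python
"""Tally internal hosts caught trying to send mail direct-to-MX.
Added example, not part of the forum thread: parses Netfilter LOG lines for
rejected outbound TCP/25 connections and reports each source other than the
permitted mail server, with the number of distinct destinations it hit."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape the kernel LOG target writes
# (fields trimmed); OUT25-DROP is an assumed --log-prefix.
SAMPLE_LOG = """\
Oct  2 09:14:01 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=3344 DPT=25 SYN
Oct  2 09:14:02 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=3345 DPT=25 SYN
Oct  2 09:14:05 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=2500 DPT=25 SYN
Oct  2 09:14:07 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=3346 DPT=25 SYN
Oct  2 09:14:09 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.7 PROTO=TCP SPT=1025 DPT=80 SYN
Oct  2 09:14:12 gw kernel: OUT25-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.20 PROTO=TCP SPT=1100 DPT=25 SYN
"""

# Assumed address of the one host allowed to speak SMTP outbound.
MAIL_SERVER = "192.168.1.10"
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (src, dst, proto, dport) for a LOG line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])

def suspect_senders(log_text, allowed=frozenset({MAIL_SERVER}), port=25):
    """Map each non-permitted source to (attempts, distinct destinations)."""
    attempts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport != port or src in allowed:
            continue
        attempts[src] += 1
        dests[src].add(dst)
    # A PC fanning out to many different MXs is the classic infected-host pattern.
    return {src: (n, len(dests[src])) for src, n in attempts.items()}

if __name__ == "__main__":
    for src, (n, fanout) in sorted(suspect_senders(SAMPLE_LOG).items(), key=lambda kv: kv[1], reverse=True):
        print(f"{src}: {n} blocked SMTP attempts to {fanout} destination(s)")
```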

http://www.spamcop.net/w3m?action=checkblo...p=208.49.196.41

208.49.196.41 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...g=208.49.196.41

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 2.0 .. -48%

Last month .. 2.3

Appearance is that someone fixed something ...???

There is no "Report History" available at the moment (no known issues with that database)

so that would imply (as per the Why am I Blocked? FAQ and Pinned entry) that the listing was due to spamtrap hits alone. And again, as per that referenced document and other FAQ entries, no one here can give you any detailed data. You must contact one of the few that have access to the database to see if they might give you some insight as to what hit the spamtraps.


I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening? This is the second time that I have been notified that my company e-mails have been labeled as spam.

Hi,

I need help understanding why you think you are on the Spamcop blocklist.


Further on the IP in question...it's not listed on any other RBLs at the moment, near as I can tell, nor are there any reports in the SpamCop system, as Wazoo mentioned, so it makes one wonder if the IP was actually on the SCBL at all, or if the OP received some false indication thereof.

DT


I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening? This is the second time that I have been notified that my company e-mails have been labeled as spam.

You have AUTH LOGIN enabled to allow users not on your network to send mail through your server after supplying a valid username/password combination. You also have an account on the system which has a very weak password. I'll send you a PM with the username and password after I post this.

If you don't require remote users from arbitrary IPs to be able to use your server to relay mail, then you should disable that functionality. You should also check all of the passwords on your system to ensure that they are sufficiently complex to avoid brute forcing.

The fact that you're not constantly listed on the SCBL and are not listed on other blocklists makes it probable that this is not your main problem. However, your machine is currently not secure and you should fix it immediately.

You can grab the perl I used to test your box here.


Oops, hit reply instead of edit. :blush:

Edit to add:

On further investigation, you also have PCAnywhere available on the box. This, together with the weak password means that you should treat the box as having been totally compromised and remove it from the internet until such a time as you can format all of its drives and rebuild it from scratch.

Dependent on your network/firewall configurations, you should probably also carry out a full audit of all of the machines on your internal network as the machine could have been used as a staging point for attacks against your internal networks.


Graeme, will that script run on a Linux box? (I just tried and it died with "Can't locate Authen/SASL.pm in [at]INC")

Yup, I'm running it from a Linux box myself. SASL isn't a dependency for the script, but it may be a dependency for NET::SMTP which is needed by the script. Try installing NET::SMTP via cpan and it should tell you the requirements.


Try installing NET::SMTP via cpan and it should tell you the requirements.

Any risk involved in doing that on a shared web server? I've got a VPS account, where virtualization is used to wall off the various accounts sharing the same server, so we all have root access to our own sheltered zones.

Thanks,

DT


Any risk involved in doing that on a shared web server? I've got a VPS account, where virtualization is used to wall off the various accounts sharing the same server, so we all have root access to our own sheltered zones.

Can't think of any. Since you're running in a virtual server, you effectively have your own box to play with without the risk of being able to mess up anybody else on the same physical machine.

Run cpan and do "i NET::SMTP" and "i NET::SMTP_auth". I don't think the _auth extension is part of the default package. No idea why I put that requirement in a comment rather than in the documentation. When you do the installs, cpan will tell you all of the dependencies that you don't have installed yet and should offer to take care of them for you.


Run cpan and do "i NET::SMTP" and "i NET::SMTP_auth"

The first worked, but the second resulted in:

cpan> i NET::SMTP_auth
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
  Database was generated on Tue, 02 Oct 2007 05:36:43 GMT
Strange distribution name [NET::SMTP_auth]
No objects found of any type for argument NET::SMTP_auth

CPAN also recommended that I do a "install Bundle::CPAN" but that failed with:

Strange distribution name [Bundle::CPAN]
Fetching with LWP:
  ftp://ftp.perl.org/pub/CPAN/authors/id/A/AN/ANDK/Bundle-CPAN-1.856.tar.gz
Out of memory!
Terminal does not support GetHistory.

?

DT


The first worked, but the second resulted in:

cpan> i NET::SMTP_auth
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
  Database was generated on Tue, 02 Oct 2007 05:36:43 GMT
Strange distribution name [NET::SMTP_auth]
No objects found of any type for argument NET::SMTP_auth

Hm, no idea. You can grab it from here as a tar bundle and do a manual install.

CPAN also recommended that I do a "install Bundle::CPAN" but that failed with:

Strange distribution name [Bundle::CPAN]
Fetching with LWP:
  ftp://ftp.perl.org/pub/CPAN/authors/id/A/AN/ANDK/Bundle-CPAN-1.856.tar.gz
Out of memory!
Terminal does not support GetHistory.

Looks like you're too limited in memory with your virtual server. The GetHistory thing shouldn't be a problem, I get it myself. I wouldn't worry about upgrading it, though you might be able to get it to work with a manual install like I suggested for the _auth package above.

This is really off-topic for here. Follow up with a post to the software forum if you need any more help.


You have AUTH LOGIN enabled to allow users not on your network to send mail through your server after supplying a valid username/password combination. You also have an account on the system which has a very weak password. I'll send you a PM with the username and password after I post this.

If you don't require remote users from arbitrary IPs to be able to use your server to relay mail, then you should disable that functionality. You should also check all of the passwords on your system to ensure that they are sufficiently complex to avoid brute forcing.

Hey,

Thanks for the help. Apparently my company got the problem resolved, so that is why it was not showing up on the list at first. We do seem to have some kind of problem with a "service[at]poste.it" mail. I think this might be the culprit that is triggering spam block. We are working on securing the server. Thanks a lot for your help all.

