[Resolved] Trying to resolve persistent block from SpamCop!?

[therocket954]

OK.... for starters, my eyes burn from reading and learning about SpamCop which I've never heard of before today.

When I'm at home and sending email, there's no problem.

When I'm at work, I have Outlook configured to handle my personal email account which is eric[at]venomvisuals.com Here's the error message Outlook provides:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'eric[at]venomvisuals.com'. Subject 'test', Account: 'Home Email', Server: 'mail.venomvisuals.com', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?67.38.62.43', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

What I'm so confused about..... if I'm using my own mailserver (mail.venomvisuals.com) for incoming and outgoing email, how is SpamCop allowed to block my email. I've read that SpamCop cannot touch my email, but recipients have the option of blocking my email..... however, if I'm sending an email to anyone, (including myself), I still get blocked which is extremely frustrating and contradicting.

Since sending from home is fine, I'm assuming it has something to do with my dayjob's IP address. We have MANY machines here, however, they are all behind a single IP Address (67.38.62.43). Is SpamCop ignoring the mailserver information and watching the sender's (my) IP Address?

Given the above information, I'm further assuming that my dayjob's IP Address has been blacklisted, causing the block.... which could mean that ANYONE's machine could be infected and sending spam.... And Since SpamCop will not give out specific reasons why we're blacklisted, how does one go about finding the culprit / resolution to this problem!?

Any help (or corrections to my above assumptions) is greatly appreciated!! (And sorry for the novel I just typed).

[Miss Betsy]

If you go to the link provided in the error message, this is what it says:

67.38.62.43 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

Looking for potential administrative email addresses for 67.38.62.43:

Cannot find an MX for smtp.jrbpersonnel.com

67.38.62.45 is an MX ( 10 ) for jrbpersonnel.com

Listing History

In the past 4.0 days, it has been listed 2 times for a total of 2.3 days

Since both spam traps and users have reported spam, it probably means that there is an infected computer using this IP address.

I would report the problem to your work IT department since this is your work's IP address and inform them that there is an infected machine on their network. According to the Senderbase information, this IP address is also listed at cbl.abuseat.org http://cbl.abuseat.org/lookup.cgi?ip=67.38.62.43

The volume change of emails sent in the past month was 351% which is also indicative of an infected machine. The IT department had better act quickly before this IP address gets on any more lists. They should be able to look at the logs to see which machine is sending more than the usual number of messages. If they have problems finding the computer that is infected, there are server admins here who will try to help them troubleshoot.

I don't use Outlook so don't know if I am correct, but I think that the email you were sending was going to more than one recipient and that one of the recipients is using the spamcop blocklist to block spam (from your reading you understand that it blocks all email from a particular IP address whether or not the email is spam. IOW, your email is not being blocked because it has been detected as a spam email, but because it is coming from an IP address that has been reported as sending spam. Your email address and the domain name have nothing to do with blocklists which are only IP addresses.)

Since I am not technically fluent, I am not sure exactly what your problem is with "using my own mailserver (mail.venomvisuals.com) for incoming and outgoing email" I think that if you are using your work computer for sending email that you are not using your own mail server, but theirs. Or maybe it is because incoming servers scan for the 'source' (i.e. the computer that uses hotmail servers or your venomvisuals mailserver, for instance). Whatever, your email is being rejected because of your work IP address which is where you are when you send the email and get the rejection message.

Hope this helps you understand the problem you are having. If you have further questions, please ask.

Miss Betsy

[Telarin]

Can you please clarify what you mean when you say mail.venomvisuals.com is your server? Is it physically your server that you loaded a Server OS on and loaded and configured mail software, or is it a server that belongs to a hosting company that you are paying to use?

It is possible that if the server belongs to a hosting company, they have configured it to filter SMTP submissions based off the originating IP address. This is definitely NOT how spamcop was intented to be used, and is in fact probably not a good idea, but there are several ISPs that do it anyway.

The listing on your office's IP address is definitely a problem as well, so there are really two approaches you can take to correct this problem. Get your office's IT staff to fix their listing, or get your hosting company to correct the misconfiguration of their filtering of SMTP submissions. Fixing either one of those problems should make your email work.

Now, I suspect your hosting company (if indeed that is who the SMTP server belongs to) will not change their configuration just because one user complains. On the other hand, fixing an office spewing spam onto the internet is something your IT department needs to handle anyway, as this means they most likely have an infected machine somewhere inside their network. All things considered, I would try to tackle the office side of the problem first, and only resort to getting your host to change their mail policy as a last resort.

[Wazoo]

MX lookup for venomvisuals.com

ns1.ixwebhosting.com reports the following MX records:

Preference Host Name IP Address TTL

10 mail6.ixwebhosting.com 76.162.254.6 86400

DNS Host: Unknown

Email Host: Unknown

This doesn't say anything specifically about 'outgoing' e-mail, but does suggest that it's in a different IP Block than what you are pointing out in your Rejection notice.

whois -h whois.godaddy.com venomvisuals.com ...

Registrant:

Domains by Proxy, Inc.

DomainsByProxy.com

Crap used/abused by spammers world-wide ....

Domain servers in listed order:

NS1.IXWEBHOSTING.COM

NS2.IXWEBHOSTING.COM

So appearances are that you do not run your own e-mail server (from home)

http://www.senderbase.org/senderbase_queri...ing=67.38.62.43

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.5 .. 1083%

Last month .. 3.4

Vastly increased from Miss Betsy's 351% number ....

67.38.62.43 = smtp.jrbpersonnel.com

Trace 67.38.62.43 ...

12.122.79.86 RTT: 17ms TTL:170 (No rDNS)

151.164.240.204 RTT: 38ms TTL:170 (No rDNS)

151.164.93.35 RTT: 28ms TTL:170 (ded2-g7-3-0.sgnwmi.sbcglobal.net ok)

67.38.61.22 RTT: 46ms TTL:170 (Duro-Last-Roofing-1083806.cust-rtr.ameritech.net ok)

* * * failed

* * * failed

* * * failed

assumedly firewalled off ????

MX lookup on jrbpersonnel.com

ns06.domaincontrol.com reports the following MX records:

Preference Host Name IP Address TTL

10 mail.jrbpersonnel.com 67.38.62.45 3600

Both Admin and Technical Contact points are listed as fsitter[at]duro-last.com .. this is where I'd suggest starting at to get the problem resolved on the jrbpersonnel.com network.

[Farelf]

SenderBase figure climbing by the minute: http://www.senderbase.org/senderbase_queri...ing=67.38.62.43

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.6 1278%

Last month 3.4

Now showing on the following BLs

http://cbl.abuseat.org cbl.abuseat.org BLACKLISTED

http://www.uceprotect.net/en/ dnsbl-1.uceprotect.net BLACKLISTED

http://sbl-xbl.spamhaus.org sbl-xbl.spamhaus.org BLACKLISTED

http://www.spamcop.net/bl.shtml bl.spamcop.net BLACKLISTED

http://www.spamhaus.org/xbl/ xbl.spamhaus.org BLACKLISTED

[therocket954]

Wow!

Thanks for the help guys. I have a lot of information to take to our I.T. department. Thank you!

Yes, Wazoo is correct. I apologize for not clarifying. I use IXWebhosting for my website, which this webhost also handles my email. So I point my Outlook POP and SMTP servers toward mail.venomvisuals.com (which is hosted at IXWebhosting).

I have Outlook setup at work, and at home. When I'm at home, there's no troubles using the same exact POP / SMTP settings.

However when I'm at work (behind 67.38.62.43) this seems to be the only time I have trouble.

This problem has become kind of "personal" so I want to resolve it. I'll keep posting as I find solutions so this may be used to help others in the future.

[Wazoo]

Yes, Wazoo is correct. I apologize for not clarifying. I use IXWebhosting for my website, which this webhost also handles my email. So I point my Outlook POP and SMTP servers toward mail.venomvisuals.com (which is hosted at IXWebhosting).

I have Outlook setup at work, and at home. When I'm at home, there's no troubles using the same exact POP / SMTP settings.

However when I'm at work (behind 67.38.62.43) this seems to be the only time I have trouble.

If I understand you correctly, what you are actually describing is that IXWebhosting is using the SpamCopDSNBL against incoming e-mail connections ... thus blocking your 'at work' output server/connection. Most employers would probably ask why you are using your 'personal/home' e-mail server to send your outgoing e-mail .. the suggestion being that you aren't doing 'company' business <g>

[therocket954]

I'm not sure if SpamCop is used by IXWebhosting.... I've been using IXWebhosting for about 4 years now and never heard of SpamCop until now.

The reason I use my personal email address at work, is because we use Lotus Notes for our work email accounts. I'm the web developer, and frequently receive multiple attachments (files / photos, etc), and Lotus is very clunky at handling attachments, and I'm un-impressed with it overall. (Speaking of which.... Lotus is down at the moment).... Also, when I'm testing our website applciations that deliver to email, I don't like to wait for Lotus Notes to replicate (happens only every 10 minutes). This is a setting our Network gurus hasn't changed yet.

Lastly, most of us here always like to have an alternative for when Lotus goes down, so it's not uncommon at my workplace for one to use both work / personal email accounts.

I'm going to see if our Network admin can scan email volume to see if they can find a particular culprit who may be sending a ton of email (voluntarily or involuntarily). Again, I will keep you guys posted.

[Telarin]

Keep in mind that most spam trojans will send email directly from the infected computer to the destination mailserver, completely bypassing your outgoing mail server. That means that they are unlikely to show up in the mail server logs.

The typical way to identify an infected computer is to block outgoing port 25 at the firewall, and then watch the logs for hits, however, since some of the users there are legitimately sending emails using outside mailservers, this approach might not be practical. I suppose they could still monitor port 25 outgoing on all computers to see if one is using it excessively, but that will require a bit more sophisticated firewall, and a lot more time digging through logs.

Another alternative is of course to go from computer to computer and make sure they all have updated antivirus on them, run a couple on-line scans, maybe ad-aware and spybot S&D to make sure they are clean. I don't know how many machines you run there, so if it is a large number this may not be terribly practical at the moment, but is something that really should be part of your network maintenance plan anyway.

A top-tier antivirus is a must-have on a corporate network. I would strongly suggest Symantec Antivirus corporate addition, which includes a mail server plug-in for Exchange, Lotus, and several other popular mail server products. That is what we use here, and I have had very good luck with it. I've also heard good things from other admins using McAfee's corporate products as well. It scares me to think that you might (and probably do) have an infected machine on your corporate network, as that means anything on any of the computers on the network (accounting information, payroll, customer information, etc) is most likely readily available to whoever is controlling the trojan.

[Snowbat]

I'm not sure if SpamCop is used by IXWebhosting.... I've been using IXWebhosting for about 4 years now and never heard of SpamCop until now.

The error message and other details you posted certianly points to IXWebhosting using the SCBL on your mail server to reject outgoing email.

User 'Chris' reports roaming employees not being able to send outbound mail through IX due to IX using the spamcop database:

http://www.vistainter.com/reviews/I/ixwebhosting.com/

IX mentions SpamCop in connection with fighting spam here, though it is not clear if they are talking about responding to abuse reports from SpamCop users, using SCBL to tag incoming email, or using SCBL to reject incoming or outgoing email:

http://www.ixwebhosting.com/index.php/v2/pages.manual9#q9

[therocket954]

I'm trying to pry our Network team away from their projects so they can take a look at this.

Us web guys are at the bottom of their totem pole. ha!

I travel occasionally and never have the problem (only at the day-job behind the affected IP)... if it happens elsewhere, I'll have to start questioning IX about their affiliation with SpamCop... but for the time being it's not a huge inconvenience given how little I use my IX mail account at work.

Thanks for the great info Telarin, I'll be sure to pass that along to our Network guys, maybe that information will get their attention a bit quicker.

Any updates, I'll be sure to post. Thanks again everyone.

[Telarin]

If not, it never hurts to mention to the CEO or Management that you believe the network has been compromised and that someone outside has access to potentially anything on the network. Its surprising how fast IT moves when something comes directly from the top of the totem pole

Oh, and always remember when speaking to management types. Actual content of your message is not nearly as important as good use of buzzwords. I suggest using the words "compromised" and "liability" in whatever you tell them...

[Merlyn]

If you have forms on your website that send mail through this address then that also might be your problem. The mail coming from this IP looks like it is from abused forms.

[therocket954]

How are you able to see the emails? Is there a way I can view them? Being on our web team, that is something I can correct and viewing the email would help me find the exploit (or which form) they are using.

However, on a side note, our site is not hosted in-house, so I doubt that's the trouble, nonetheless, I'd still like to see these emails, it would only help.

[Telarin]

Any reports generated would have gone to abuse[at]prodigy.net as the registered owners of the IP address. I am guessing there is little to no chance of getting those reports from them. You might be able to get the deputies to release at least reported emails to you by emailing deputies[at]admin.spamcop.net. However, emails that hit spamtraps do not generate reports, and you are unlikely to get those emails as that would compromise the spamtrap addresses.

[Miss Betsy]

Merlyn may have been looking at his own logs or he may have been looking at nanae sightings

The only problem is that I don't know how you find 'your' spam there.

If I were you, I would just find out what is a secure form and change any forms that you have on this website. Merlyn generally knows what he is talking about. If you are on the web team, then you should be able to do that without bothering the IT department.

Your hosting company might be able to help you to find a secure form.

Miss Betsy

[agsteele]

It is probably worth noting that the SCBL listing is over for the ip in question. The most recent user reports were for spam runs referring to various Pharmacy type spews.

Senderbase volumes down to -96% so hopefully the IT guys have blocked the hole.

Andrew

[therocket954]

Yeah... I finally got their attention (IT guys), and hopefully they fixed it for now.

Thanks again for all your help guys.

I've gained a lot of personal experience from this, which it never hurts to learn.

Thanks!

[Miss Betsy]

Glad that you got it fixed! For your sake as well as everyone who was getting the spam!

Thanks for letting us know the outcome.

Miss Betsy