jaybeckham (Author) Posted December 16, 2007

Here is what Spamcop says:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

I also get the hour count down from 24... it will go down to 11 or so and then start over.

70.109.95.137 is a Verizon server .hag.east.verizon.net . My ISP is SkyWeb and is a WiMax type service. I have a wireless device that communicates with their (SkyWeb) device on a local radio tower. They apparently buy their feed from Verizon on a T-1 cable I imagine. They do not provide email service and also refuse to help me.

My various email accounts are related to several domains I own which are hosted at IXWebHosting. They also refuse to help me.

I also found out one of the offending domains and contacted GoDaddy that sold/registered the domain and no answer from them so far.

Also each of my domains have static IP addresses but not 70.109.95.137. I assume that is a mail server.

Any help would be appreciated.

Jay Beckham
Berkeley Springs, WV
jay[at]thebeckhams.us

PS All of my domains can't send email except with Web Mail (Horde).
StevenUnderwood Posted December 16, 2007

> Any help would be appreciated.

Are you saying all of your email is being sent through that IP address and being bounced? Is your Web Mail (Horde) account through spamcop?

Can you email to your webmail account (which does not block any emails) or send me an email using the address in my sig (put "SpamCop forum request" in the subject)? I would like to see where your email is getting to that verizon address? Are you specifically using that server for outgoing, or is it being forwarded there by a provider?
Derek T Posted December 16, 2007

> Here is what Spamcop says:
>
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
>
> I also get the hour count down from 24... it will go down to 11 or so and then start over.
>
> 70.109.95.137 is a Verizon server .hag.east.verizon.net . My ISP is SkyWeb and is a WiMax type service. I have a wireless device that communicates with their (SkyWeb) device on a local radio tower. They apparently buy their feed from Verizon on a T-1 cable I imagine. They do not provide email service and also refuse to help me.
>
> My various email accounts are related to several domains I own which are hosted at IXWebHosting. They also refuse to help me.
>
> I also found out one of the offending domains and contacted GoDaddy that sold/registered the domain and no answer from them so far.
>
> Also each of my domains have static IP addresses but not 70.109.95.137. I assume that is a mail server.
>
> Any help would be appreciated.
>
> Jay Beckham
> Berkeley Springs, WV
> jay[at]thebeckhams.us
>
> PS All of my domains can't send email except with Web Mail (Horde).

Senderbase shows a recent 800% increase in traffic from that server which might suggest that someone is using that server to send spam. From what you say, that's probably a shared server so you may be an innocent bystander.

Two questions:

1. Who do you actually pay to provide you with a mail-server? This is who you should take this matter up with.
2. Could you please post (in full) the rejection message you receive as it will help us to help you.

It is unlikely that anything is stopping you sending mail (see FAQs) - some people are choosing not to receive it.
jaybeckham (Author) Posted December 16, 2007

> Senderbase shows a recent 800% increase in traffic from that server which might suggest that someone is using that server to send spam. From what you say, that's probably a shared server so you may be an innocent bystander.
>
> Two questions:
>
> 1. Who do you actually pay to provide you with a mail-server? This is who you should take this matter up with.
> 2. Could you please post (in full) the rejection message you receive as it will help us to help you.
>
> It is unlikely that anything is stopping you sending mail (see FAQs) - some people are choosing not to receive it.

Derek & Steven

I pay SkyWeb for a connection to the internet only. I pay IXWebHosting.com to host my domains. So basically I believe the 70.109.95.137 must be a DNS server or at least that what Skyweb has told me. My router shows a Gateway IP Address of 172.16.16.1 and a DNS server of 172.16.16.1 also. IXWebHosting furnishes me Static IPs for each of my domains.

Here is the messages I am getting:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'yakinhix[at]yahoo.com'. Subject 'Re: Cruise Request', Account: 'mail.cruisesonthesea.com(1)', Server: 'mail.cruisesonthesea.com', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?70.109.95.137', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'deputies[at]admin.spamcop.net'. Subject 'Re: BL dispute: IP:70.109.95.137', Account: 'mail.thebeckhams.us', Server: 'mail.thebeckhams.us', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?70.109.95.137', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

Thanks
Jay Beckham
jaybeckham (Author) Posted December 16, 2007

> Are you saying all of your email is being sent through that IP address and being bounced? Is your Web Mail (Horde) account through spamcop?
>
> Can you email to your webmail account (which does not block any emails) or send me an email using the address in my sig (put "SpamCop forum request" in the subject)? I would like to see where your email is getting to that verizon address? Are you specifically using that server for outgoing, or is it being forwarded there by a provider?

Steven

I keep getting no user messages for your email. Tried underwoodforum, underwood.forum and underwood+forum, all at spamcop.net. None worked... email me at jay[at]thebeckhams.us and I can reply from Horde. I can also post the message source on here as it shows the IPs etc.

Jay
Miss Betsy Posted December 16, 2007

I don't know whether this has any bearing on this topic, but a little bit ago, IXWebhosting was apparently using spamcop to filter /outgoing/ email.

Also, there have been several people with wireless connections that were not secure and a neighbor's infected computer was sending email through them. one of the topics

I don't know very much about how this all works, but if those two things are the problem here, the IP address which is blocked is your computer (from your connection with Skyweb) and something is sending email through it so that when you send legitimate email from it to IXWebhosting's email servers, they block it because it is on the spamcop bl. (I think, but it was only a quick read, that a spammer could set up a smtp server to send spam on your computer).

The senderbase statistics and the up and down of the number of hours on the bl seems to me to point to an infected computer.

Miss Betsy
Wazoo Posted December 16, 2007

> Here is what Spamcop says:
>
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

But did you then look up the definition of 'spamtrap' and apply that knowledge against the Why am I Blocked? Pinned and FAQ entry/item? That http://www.spamcop.net/w3m?action=checkblo...p=70.109.95.137 (currently) only shows spamtrap hits has some specific meaning, and how to ask for more data is within that FAQ/Pinned item.

> 70.109.95.137 is a Verizon server .hag.east.verizon.net . My ISP is SkyWeb and is a WiMax type service. I have a wireless device that communicates with their (SkyWeb) device on a local radio tower. They apparently buy their feed from Verizon on a T-1 cable I imagine. They do not provide email service and also refuse to help me.
>
> My various email accounts are related to several domains I own which are hosted at IXWebHosting. They also refuse to help me.
>
> I also found out one of the offending domains and contacted GoDaddy that sold/registered the domain and no answer from them so far.
>
> Also each of my domains have static IP addresses but not 70.109.95.137. I assume that is a mail server.

some details not provided, others a missing detail ....

70.109.95.137 ==> static-70-109-95-137.hag.east.verizon.net

(the 'static' part usually carries some extra baggage and significance. One would normally be paying 'extra' for a 'static' IP Address, but the killer part of this designation is that it would tend to rule out that you simply got handed a bad DHCP-assigned IP Address at your last connection ... the 'static' would normally suggest that this is 'your' IP address, period.
You posted from this IP address, your e-mail handling issues are pointed to this IP address, so it seems to be agreed that this address could be specifically associated with 'your computer'

In that case, that it's only spamtrap hits being shown on the SpamCopDNSBL rears its head again, as this would tend to rule out the typical infected computer, as those tend to send spam 'everywhere' .. so, what are the anti-virus, anti-malware, anti-spyware tools installed, and what are the results of any of those self-tests?

On the other hand, one could suppose that this IP address is actually assigned to the un-named device that connects to the tower. In my mind, there are at least three definitions of Wi-Max floating around out there, so not sure if you're talking about some marketing-hype term or if you're talking about one of the proprietary (usually bragging about connection distance) connection protocol by a certain manufacturer of the devices in use, or if you're talking about an attempted mesh-network environment by some major corporations (recalling that the most recent press releases on that stuff was that it wasn't really flying, two parties dropped out, on and on ...)

However, with all that said, the question then would be what kind of security is invoked on this un-named device? What capabilities does this device offer? The point being .. who else has access to/through this un-named device?

> PS All of my domains can't send email except with Web Mail (Horde).

The difference ..... e-mail sent via your e-mail client basically says it's coming from your computer/your un-named device (based on the IP address involved) which has made it onto the SpamCopDNSBL ... which is being used by the receiving ISP in a blocking fashion, thusly refusing your e-mail. Using the web-mail Horde application actually then shows your e-mail as coming from that ISP/Host's e-mail servers .. which are not listed in the SpamCopDNSBL.

> I pay SkyWeb for a connection to the internet only.
> I pay IXWebHosting.com to host my domains. So basically I believe the 70.109.95.137 must be a DNS server or at least that what Skyweb has told me. My router shows a Gateway IP Address of 172.16.16.1 and a DNS server of 172.16.16.1 also. IXWebHosting furnishes me Static IPs for each of my domains.

Now we have a computer, an un-named device, and a router. More confusion or more detail, it's hard to say from this side of the screen.

172.15.0.0/12 - RFC1918 private network ... question would be whether this is 'your' network or SkyWeb's network designation.

70.109.95.137 still not determined as to whether this is your computer or your un-named connection device .. but this would not normally be identified as your DNS source (unless you did some configuration manipulations to cause a DNS service to exist and be running on whatever device this IP address actually is .....

To flush this out a bit more, winipcfg from the Start | Run line (if 98SE or prior) or Start | Run | cmd and then winipcfg if Win-ME or later .. select your actual network card from that list ... what IP address has your computer actually been assigned? This would rule out either your computer or your un-named device as being "the" item with the most direct link to the issue (intentionally ignoring your last added router in this .. as it's confusing enough with just two items in the mix)

> Here is the messages I am getting:
>
> The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'deputies[at]admin.spamcop.net'. Subject 'Re: BL dispute: IP:70.109.95.137', Account: 'mail.thebeckhams.us', Server: 'mail.thebeckhams.us', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?70.109.95.137', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

Problem: you don't say just where this error message came from.
As Miss Betsy mentioned, IXWebHosting is getting a bit famous here over the last couple of weeks, based on a storyline like this, so I/we can assume that it's a rejection from IXWebHosting that you've (partially) quoted. You are attempting to send e-mail from an IP address that is listed in the SpamCopDNSBL, and they are applying a temporary (4xx error message) block against traffic from that IP address. Use of the SpamCopDNSBL in a blocking fashion is not recommended by SpamCop.net, but this is up to the ISP/Host that's using the database. The general thought process being here that if they accepted 'your' e-mail, they'd also have to deal with the thousands of (not your) spam e-mails coming from that same IP address.

Best guess at this point .. your wireless connection/access point is not secure.

Best next guess ... your hardware collection/network/whatever hasn't been fully defined/described and there's even more un-named hardware in the mix that's been compromised.

What's needed .. a real description of just what device actually has this IP address assigned to it. Is it actually anything 'you' have control of?

http://www.senderbase.org/senderbase_queri...g=70.109.95.137

in addition to the increase in the last day's traffic, there are some other questionable items ....

How long has this IP address been "yours" ???

Date of first message seen from this address 2007-01-12

That there's a "monthly" average existing that SenderBase's "Magnitude" Explained suggests is around 2,000 e-mails a day ... (last 24 hours looking like 15,000 e-mails a day) .... does this "look like you" ..????
StevenUnderwood Posted December 17, 2007

> 70.109.95.137 ==> static-70-109-95-137.hag.east.verizon.net
>
> (the 'static' part usually carries some extra baggage and significance. One would normally be paying 'extra' for a 'static' IP Address, but the killer part of this designation is that it would tend to rule out that you simply got handed a bad DHCP-assigned IP Address at your last connection ... the 'static' would normally suggest that this is 'your' IP address, period.
>
> You posted from this IP address, your e-mail handling issues are pointed to this IP address, so it seems to be agreed that this address could be specifically associated with 'your computer'
>
> In that case, that it's only spamtrap hits being shown on the SpamCopDNSBL rears its head again, as this would tend to rule out the typical infected computer, as those tend to send spam 'everywhere' .. so, what are the anti-virus, anti-malware, anti-spyware tools installed, and what are the results of any of those self-tests?

Parse of a message Jay sent me... 70.109.95.137 is as far back as the email headers go, but HTTP was used to send this message via a Horde webmail system, so the fact it matches the posting IP here is not surprising. This could still be a proxy IP with everything behind it being hidden.

http://www.spamcop.net/sc?id=z1569291528ze...29f08f5edede65z

I would also like to see a set of SMTP headers, but if every email is being bounced, then it is because your SMTP provider (still not disclosed who you are paying for that service, the web host perhaps) is using Spamcop on outgoing messages as described earlier and you won't be able to provide that. The company providing your SMTP is the one to complain to unless you run your own mail server.
jaybeckham (Author) Posted December 17, 2007

Steven

I would assume that IXWebHosting is whom I am paying for hosting is providing the mail-server as SkyWeb does not provide me any email services, just internet access.

I do not know how email works but apparently my POP3 out going messages are going to 70.109.95.137 as is all of my internet traffic.

The POP3 and SMTP all go to mail.thebeckhams.us

The outgoing is using port 110 and the incoming mail is using port 25. Those server names are setup in the IXWebHosting control panel. The domain's IP is 76.162.76.114. The primary DNS is 71.18.255.99

In the meantime I am running spyware detection (Ad-Aware) and will be setting my router to WPA

Thanks
Jay Beckham
StevenUnderwood Posted December 17, 2007

> I would assume that IXWebHosting is whom I am paying for hosting is providing the mail-server as SkyWeb does not provide me any email services, just internet access.
>
> I do not know how email works but apparently my POP3 out going messages are going to 70.109.95.137 as is all of my internet traffic.
>
> The POP3 and SMTP all go to mail.thebeckhams.us
>
> The outgoing is using port 110 and the incoming mail is using port 25. Those server names are setup in the IXWebHosting control panel. The domain's IP is 76.162.76.114. The primary DNS is 71.18.255.99
>
> In the meantime I am running spyware detection (Ad-Aware) and will be setting my router to WPA

For your information:

mail.thebeckhams.us = mail48.ixwebhosting.com = 76.162.254.48

POP3 (port 110) would be incoming. Your machine connects on port 110 to collect messages from your POP server.

SMTP (port 25) would be outgoing. Virtually all mail travels the internet from server to server via SMTP.

I am guessing the verizon IP is based on your internet provider, which you may be sharing with others. It is also possible this is your specific IP in which case you have some serious issues as described earlier (15000 emails in the last 24 hours, some hitting spamtraps.)

I would inquire with ixwebhosting whether they are using SpamCop to block your outgoing SMTP messages. I would provide them the bounces you provided to us and tell them you are not getting the service you are paying for.

I would also contact your ISP about the following blocklist listings, perhaps inquiring exactly why all your internet traffic is seen as coming from that IP address:

bl.spamcop.net http://spamcop.net/w3m?action=checkblock&a...p=70.109.95.137
cbl.abuseat.org http://cbl.abuseat.org/lookup.cgi?ip=70.109.95.137

You can confirm this with several sites that will show you what IP the request is coming from. One I use is: http://www.dslreports.com/whois
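The 451 response quoted earlier and the two blocklists named in the post above fit together as follows. This is an added Python example, not code from any participant in the thread: it reads the reply code and listed address out of the client error, then builds the DNS names a receiving server queries for that address; the function names are assumptions, and `lookup` needs live DNS and is not called by default.

```python
import ipaddress
import re
import socket

# Tail of the client error quoted earlier in the thread (copied, not live output).
CLIENT_ERROR = (
    "Account: 'mail.thebeckhams.us', Server: 'mail.thebeckhams.us', "
    "Protocol: SMTP, Server Response: '451 Blocked - see "
    "http://www.spamcop.net/bl.shtml?70.109.95.137', Port: 25, "
    "Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79"
)

ZONES = ("bl.spamcop.net", "cbl.abuseat.org")  # the two lists named in the post


def parse_rejection(text):
    """Pull the refusing server, SMTP reply code and listed IP out of the error."""
    server = re.search(r"Server: '([^']+)'", text)
    reply = re.search(r"Server Response: '(\d{3}) ([^']*)'", text)
    if not reply:
        raise ValueError("no SMTP reply found")
    code = int(reply.group(1))
    ip = re.search(r"\?((?:\d{1,3}\.){3}\d{1,3})\b", reply.group(2))
    return {
        "server": server.group(1) if server else None,
        "code": code,
        # 4xx = temporary failure (the sender may retry), 5xx = permanent
        "kind": {4: "temporary", 5: "permanent"}.get(code // 100, "other"),
        "listed_ip": ip.group(1) if ip else None,
    }


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: the name a mail server looks up."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not addr.is_global:
        # Private (RFC 1918) addresses sit behind NAT; remote servers never see them.
        raise ValueError(f"{ip} is not a public IPv4 address")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answers):
    """DNSBL convention: an A record in 127.0.0.0/8 means listed, no answer means not."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def lookup(ip, zone):
    """Live check against one zone (needs DNS; not called by default)."""
    try:
        return is_listed(socket.gethostbyname_ex(dnsbl_query_name(ip, zone))[2])
    except socket.gaierror:  # NXDOMAIN: not listed
        return False


def triage(addresses):
    """Map each address to its DNSBL query names, or None if it is not public."""
    plan = {}
    for ip in addresses:
        try:
            plan[ip] = [dnsbl_query_name(ip, z) for z in ZONES]
        except ValueError:
            plan[ip] = None
    return plan


if __name__ == "__main__":
    print(parse_rejection(CLIENT_ERROR))
    # Gateway, shared public address and mail server, as given in the thread.
    for ip, names in triage(["172.16.16.1", "70.109.95.137", "76.162.254.48"]).items():
        print(ip, "->", names or "private, only visible behind the NAT")
```
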
Wazoo Posted December 17, 2007

It does appear that my lengthy detailed post has pretty much been ignored. Thanks.

For those not quite keeping up, the appearances are that IXWebHosting isn't actually blocking e-mail 'outgoing' from IXWebHosting .. it is refusing to accept e-mail that is attempted to be sent from whatever device is sitting at 70.109.95.137 .. though at this point, no one can tell just what this device is or where it sits in jaybeckham's network/path/configuration/whatever. Historically, this scenario has resulted from a wireless router/connection point being used by someone other than the owner .. at least in the last half-dozen or so situations addressed within this Forum.

Asked and not answered ....

What is the assigned IP address of the computer used to try to send these e-mails?

Does the 'router' have an assigned IP address?

Does the "connection device" have an assigned IP address?

Does either unit have any kind of logging service, who/what is connected service, etc.?

Is there a firewall anywhere in this morass?

Actually identifying the equipment involved may (or may not) actually help (us to help you) ...????

http://www.senderbase.org/senderbase_queri...g=70.109.95.137

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
Last day      4.1         615%
Last month    3.3

OK, traffic reduced from 800%+ to 600%+ .... did you actually get around to changing the security bits or is that the 'problem' has moved on or shut down his/her computer?

NOTE: ad-aware is but one tool in the arsenal that should be in place and used.
Wazoo Posted December 17, 2007

data point

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
Last day      4.0         421%
Last month    3.3
jaybeckham (Author) Posted December 17, 2007

Sorry but I had to go to work this morning at 6 am and have finally gotten back home. I will answer as much as I can within the body of the latest reply......

> It does appear that my lengthy detailed post has pretty much been ignored. Thanks.
>
> For those not quite keeping up, the appearances are that IXWebHosting isn't actually blocking e-mail 'outgoing' from IXWebHosting .. it is refusing to accept e-mail that is attempted to be sent from whatever device is sitting at 70.109.95.137 .. though at this point, no one can tell just what this device is or where it sits in jaybeckham's network/path/configuration/whatever. Historically, this scenario has resulted from a wireless router/connection point being used by someone other than the owner .. at least in the last half-dozen or so situations addressed within this Forum.

70.109.95.137 is apparently a Verizon server that Skyweb is sending me and others through. I have a Netgear Wireless router and the Internet side is attached by Cat5 to an antenna. The antenna is mounted on the side of the house and looks a bit like Mickey Mouse Ears... Several miles from me is a large radio station antenna and on top of the mast is a device of some kind that can send and receive wireless signals in the 900 MHz range I believe. From there I am told that hook to a T1 line owned by Verizon.

> Asked and not answered ....
>
> What is the assigned IP address of the computer used to try to send these e-mails?
>
> Does the 'router' have an assigned IP address?
>
> Does the "connection device" have an assigned IP address?

I have three computers attached to the router via Cat5. I rarely use the wireless except with my laptop. This afternoon I installed WPA security to that router with a password. Each of my computers are set to automatically assign an IP.
At this moment the computer I am typing on is 192.168.1.2 and the computer in my basement is 192.168.1.5

My static IP Address is 172.16.19.179
The Gateway IP Address is 172.16.16.1
The DNS server is 172.16.16.1 Primary
The Secondary DNS Server is 4.2.2.4
The LAN TCP/IP IP is 192.168.1.1

That is all the setting that are shown in the router.

> Does either unit have any kind of logging service, who/what is connected service, etc.?

Yes the router has a log. Below is the most recent log.

[ALLOW:www.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:53:47
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:54:03
[ALLOW:toolbarqueries.google.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:54:04
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:54:05
[ALLOW:alpha.cesmail.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:54:05
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:54:06
[ALLOW:update.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:02
[ALLOW:cruisesonthesea.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:03
[ALLOW:cruisesonthesea.jurni.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:03
[ALLOW:toolbarqueries.google.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:06
[ALLOW:cruisesonthesea.jurni.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:06
[ALLOW:data.vacationport.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:07
[ALLOW:images.vacationport.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:07
[ALLOW:toolbarqueries.google.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:17
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:48
[ALLOW:toolbarqueries.google.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:49
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:49
[ALLOW:alpha.cesmail.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:49
[ALLOW:forum.spamcop.net] Source: 192.168.1.2 Monday, 17 Dec 2007 14:55:49
[ALLOW:www.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 14:58:47
[ALLOW:update.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 15:05:03
[ALLOW:www.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 15:08:47
[ALLOW:update.directmessagelab1.com] Source: 192.168.1.2 Monday, 17 Dec 2007 15:15:03

You will note some www.directmessagelab1.com and update.directmessagelab1.com items. I have no idea of what that is. The one that says 15:15:03 is the moment I tried to send some emails....hmmmm that is unusual... I will receive some emails and see what happens.... Nothing was added to the log.... just when I try to receive. Apparently Direct Messages is from a company called Passport to Profit which is a travel agent related product that I use. Apparently when I send email it first off also???? I will uninstall the program and see what happens as I rarely use it anyway.... Perhaps SpamCop sees it as spam??? There isn't any way to uninstall it. It is on my Startup menu so I took it off.

> Is there a firewall anywhere in this morass?

Yes....The Windows XP SP2 firewall is the only one. Should I shut it down?

> Actually identifying the equipment involved may (or may not) actually help (us to help you) ...????
>
> http://www.senderbase.org/senderbase_queri...g=70.109.95.137
>
> Volume Statistics for this IP
>               Magnitude   Vol Change vs. Last Month
> Last day      4.1         615%
> Last month    3.3
>
> OK, traffic reduced from 800%+ to 600%+ .... did you actually get around to changing the security bits or is that the 'problem' has moved on or shut down his/her computer?

Yes I added the WPA to my router.

> NOTE: ad-aware is but one tool in the arsenal that should be in place and used.

I installed and ran Ad-Aware and Spybot Search and Destroy (free versions) and am running the free version of Avast. Previously I was using BitDefender paid version.
I still have it available...but one of the tech guys at Skyweb has suggested Avast when I first started getting blocked last month.

Moderator Edit: fixed the quoting so as to separate the replies to each bit of query.
Wazoo Posted December 18, 2007

Thanks for the follow-up.

> 70.109.95.137 is apparently a Verizon server that Skyweb is sending me and others through. I have a Netgear Wireless router

I/we are still looking at getting 'you' connected to this IP address. The SenderBase numbers are still coming down, but a check at this time still shows a magnitude equating to approximately 2,000 e-mails a day.

A NetGear wireless router just looked at 'here' .. under the 'Admin' web-page seen by connecting to it directly via a web-browser ... under the section (which may or may not match your experience);

Maintenance . Router Status .. Internet Port

My DHCP (client) assigned IP address is shown .. in this case, if the 70.109.95.137 is "you/yours" .. this is where that IP address will show up. If so, this would indicate that you and only you is supposed to be the only user of that IP Address. If it shows up as a 172.16.x.x. number, ick!!! I would hate to try to sort out the problems involved with that. However, I'm still wondering about the 2,000 e-mails-a-day factor.

> and the Internet side is attached by Cat5 to an antenna. The antenna is mounted on the side of the house and looks a bit like Mickey Mouse Ears...

That would be so illegal in almost all of the civilized world. There has to be yet another box that your CAT5 cable connects to, and that box actually connects to the antenna. You didn't mention whether you're in your own house or if it's possibly some kind of multi-family type dwelling ... point being that this additional box could also be a router to separate traffic between different families or even houses ....????? Basically again at the issue of whether this is 'your' IP Address or if you are sharing this specific connection. Some of this would also tie into the likelihood of just who might be 'close enough' to connect via your wireless connection ..
the catch is that with the high-gain antennas in use, this other party might not have to be within the few hundred feet/metres/etc. of your wireless router to actually get into the stream ....????

> Several miles from me is a large radio station antenna and on top of the mast is a device of some kind that can send and receive wireless signals in the 900 MHz range I believe. From there I am told that hook to a T1 line owned by Verizon.

The thoughts of a high-gain directional antenna system would make sense in that 'several miles' description.

> I have three computers attached to the router via Cat5. I rarely use the wireless except with my laptop. This afternoon I installed WPA security to that router with a password.

Possible semantics, but .. 'password' really should be 'passphrase' for that yet another level of protection. That the network has much expanded in this more complete network description does offer multiple points of issue that definitely weren't brought up in the original query. A few thousand e-mails a day probably wouldn't be enough traffic to make a bandwidth issue known if there's already this shared-mode going on.

> My static IP Address is 172.16.19.179
> The Gateway IP Address is 172.16.16.1
> The DNS server is 172.16.16.1 Primary
> The Secondary DNS Server is 4.2.2.4
> The LAN TCP/IP IP is 192.168.1.1
>
> That is all the setting that are shown in the router.

If this actually the case, (the 70.109.85.137 IP address does not exist at all on that router) then you are still at the mercy of whoever else is actually sharing that IP address with you. This specific question may have to be asked at your SkyWeb connection ... again, pointing out the 2,000 e-mails a day as seen by SenderBase if you aren't sending out that much e-mail (and noting that the SenderBase Magnitude numbers are only those e-mails 'seen' by the world-wide monitoring connections, the real traffic is probably even higher.)
The question might be something to pin down whether this is 'your IP address or if it's 'the IP address' for a housing area, say several buildings ...????

> Yes the router has a log. Below is the most recent log.
>
> You will note some www.directmessagelab1.com and update.directmessagelab1.com items. I have no idea of what that is. The one that says 15:15:03 is the moment I tried to send some emails....hmmmm that is unusual... I will receive some emails and see what happens.... Nothing was added to the log.... just when I try to receive. Apparently Direct Messages is from a company called Passport to Profit which is a travel agent related product that I use. Apparently when I send email it first off also???? I will uninstall the program and see what happens as I rarely use it anyway.... Perhaps SpamCop sees it as spam??? There isn't any way to uninstall it. It is on my Startup menu so I took it off.

Nothing in that log that appears to deal with e-mail. Attempting to research directmessagelab stuff .... a web-page that basically does not work on my (secured) systems ... no links (again, nothing that works from here) to any actual data. Via Google listings to various press releases, oRbitz postings in yet another Forum touting their 'new' tools that in fact use DirectMessageLab crap, and numerous web-pages with their 'links' .. I would never install this garbage on my systems. The fact that you can't find a way to 'remove' it is more than likely because this isn't an application .... it's a web-browser hack, something that SpyBot should allow you to see under something like Browser Helper Objects and/or ActiveX crap (seen from the complaints that a Mac version does not exist) Your repeated and various log listings are due to this thing making constant checks for updated material for whatever "Brand Channel(s)" you have subscribed to.

> Yes....The Windows XP SP2 firewall is the only one. Should I shut it down?
Only if you are going to actually install/use one that offers something a bit closer to 'total' protection. At present, you have a NetGear router (again, un-named) that would typically offer some NAT type of firewall protection, the XP firewall doing some additional inbound protection .... but also noting that your reply was in the singular, are all of the computers XP-SP2?

Yes I added the WPA to my router.

That should remove your wireless router from the list of possible connection points by others. (noting the above mention of "passphrase" ...

I installed and ran Ad-Aware and Spybot Search and Destroy (free versions) and am running the free version of Avast. Previously I was using BitDefender paid version. I still have it available...but one of the tech guys at Skyweb has suggested Avast when I first started getting blocked last month.

Thanks for that clarification. Each tool has specific things that it does and does well, but none of them are all-encompassing. Noting that those tools advertised as 'doing everything' generally don't work worth a dang on anything.
jaybeckham Posted December 18, 2007 Author Posted December 18, 2007

REPLIES INTERLACED WITH QUESTIONS

Thanks for the follow-up. I/we are still looking at getting 'you' connected to this IP address. The SenderBase numbers are still coming down, but a check at this time still shows a magnitude equating to approximately 2,000 e-mails a day. A NetGear wireless router just looked at 'here' .. under the 'Admin' web-page seen by connecting to it directly via a web-browser ... under the section (which may or may not match your experience); Maintenance . Router Status .. Internet Port My DHCP (client) assigned IP address is shown .. in this case, if the 70.109.95.137 is "you/yours" .. this is where that IP address will show up. If so, this would indicate that you and only you is supposed to be the only user of that IP Address. If it shows up as a 172.16.x.x. number, ick!!! I would hate to try to sort out the problems involved with that. However, I'm still wondering about the 2,000 e-mails-a-day factor.

ROUTER IS NETGEAR WGT624 V3
MAINTENANCE DATA
Internet Port
MAC Address 00:14:6C:42:A6:31
IP Address 172.16.19.179
DHCP FixedIP
IP Subnet Mask 255.255.240.0
Domain Name Server 172.16.16.1 4.2.2.4

That would be so illegal in almost all of the civilized world. There has to be yet another box that your CAT5 cable connects to, and that box actually connects to the antenna. You didn't mention whether you're in your own house or if it's possibly some kind of multi-family type dwelling ... point being that this additional box could also be a router to separate traffic between different families or even houses ....????? Basically again at the issue of whether this is 'your' IP Address or if you are sharing this specific connection. Some of this would also tie into the likelihood of just who might be 'close enough' to connect via your wireless connection .. the catch is that with the high-gain antennas in use, this other party might not have to be within the few hundred feet/metres/etc.
of your wireless router to actually get into the stream ....????

REPLY The cable from the router goes to a small black box about 3 X 4. The box is attached to 110 v ac and another wire goes up to the "device" on the roof. This is a single family house. just my computer (3), the router, the black box, and the antenna. Regards the antenna being used by others, they would have to have their own and carefully aim it to the tower. Skyweb can look backwards to my router and would see more than one router...

The thoughts of a high-gain directional antenna system would make sense in that 'several miles' description. Possible semantics, but .. 'password' really should be 'passphrase' for that yet another level of protection.

YES Passphrase is correct

That the network has much expanded in this more complete network description does offer multiple points of issue that definitely weren't brought up in the original query. A few thousand e-mails a day probably wouldn't be enough traffic to make a bandwidth issue known if there's already this shared-mode going on. If this is actually the case, (the 70.109.85.137 IP address does not exist at all on that router) then you are still at the mercy of whoever else is actually sharing that IP address with you. This specific question may have to be asked at your SkyWeb connection ... again, pointing out the 2,000 e-mails a day as seen by SenderBase if you aren't sending out that much e-mail (and noting that the SenderBase Magnitude numbers are only those e-mails 'seen' by the world-wide monitoring connections, the real traffic is probably even higher.) The question might be something to pin down whether this is 'your' IP address or if it's 'the IP address' for a housing area, say several buildings ...????

REPLY: Skyweb "claims" I am the only person being blocked. But my contact there is by no means an expert...mainly the receptionist

Nothing in that log that appears to deal with e-mail. Attempting to research directmessagelab stuff ....
a web-page that basically does not work on my (secured) systems ... no links (again, nothing that works from here) to any actual data. Via Google listings to various press releases, oRbitz postings in yet another Forum touting their 'new' tools that in fact use DirectMessageLab crap, and numerous web-pages with their 'links' .. I would never install this garbage on my systems. The fact that you can't find a way to 'remove' it is more than likely because this isn't an application .... it's a web-browser hack, something that SpyBot should allow you to see under something like Browser Helper Objects and/or ActiveX crap (seen from the complaints that a Mac version does not exist) Your repeated and various log listings are due to this thing making constant checks for updated material for whatever "Brand Channel(s)" you have subscribed to.

REPLY I took it out of the Startup and it hasn't come back.

Only if you are going to actually install/use one that offers something a bit closer to 'total' protection. At present, you have a NetGear router (again, un-named) that would typically offer some NAT type of firewall protection, the XP firewall doing some additional inbound protection .... but also noting that your reply was in the singular, are all of the computers XP-SP2?

REPLY All of the wired computers are running XP-SP2. The laptop, rarely used, is running Vista Home Edition

That should remove your wireless router from the list of possible connection points by others. (noting the above mention of "passphrase" ... Thanks for that clarification. Each tool has specific things that it does and does well, but none of them are all-encompassing. Noting that those tools advertised as 'doing everything' generally don't work worth a dang on anything.

REPLY I am also running PC Tools, Spyware Doctor

Thanks
Jay Beckham
jaybeckham Posted December 19, 2007 Author Posted December 19, 2007 Another idea I have a static IP. And running Windows. Could I setup a mail server under windows on my computer? Would it still send to 70.109.95.137 and be blocked or would it go directed to the addressee? Thanks Jay REPLIES INTERLACED WITH QUESTIONS REPLY I am also running PC Tools, Spyware Doctor Thanks Jay Beckham
StevenUnderwood Posted December 19, 2007 Posted December 19, 2007

Another idea I have a static IP. And running Windows. Could I setup a mail server under windows on my computer? Would it still send to 70.109.95.137 and be blocked or would it go directed to the addressee? Thanks Jay

The "Static IP" you are showing outside your router (172.16.19.179) is not routable on the internet, so it is likely you will still be coming through the same IP address (which is the same IP you are seen coming from here). The advantage is it would go directly to the addressee's email server, the problem is that the IP being seen is listed in several places and any server using those blocklists will reject your messages. Some people would get your messages, but likely not all. Also, your ISP may be blocking port 25 unless you go through their servers. You could try.
Miss Betsy Posted December 19, 2007 Posted December 19, 2007 The senderbase statistics are still going down, but still show an increase from last month. I am not technically fluent, but it sounds to me, from the previous discussion, that you are probably sharing that IP address with others. I would interpret the senderbase statistics that putting security on your router has affected the senderbase statistics, but that there may be someone else on that IP address who also has an infected computer or insecure router. Your complaint is with Skyweb, IMHO. Others may not realize that they are being blocked or send email to servers that don't use the blocklists in question. If Skyweb is unwilling to provide technical support, then you are completely stuck. Another problem is that there is no MX for this IP. Some servers reject mail where there is no MX, I believe. Skyweb may not be getting any reports of problems since all the reports go to verizon. Again, since I don't know much about how webhosting works, this might not be a workable suggestion, but perhaps you could work with IXwebhosting to accept your emails so that you could use their mail server - particularly if you set up a mail server yourself (I don't know if it is possible, but since you have a static IP, they might be able to identify it and so allow it even though it is coming from the dirty IP). Miss Betsy
Wazoo Posted December 19, 2007 Posted December 19, 2007

REPLIES INTERLACED WITH QUESTIONS

Believe me, this makes it very hard to use this Forum application to Reply using quoted material. Just back from the hospital, neighbor had a heart attack yesterday .. my vision sucks right now, else I'd 'fix' your last post like I did your previous ...

IP Address 172.16.19.179
DHCP FixedIP
IP Subnet Mask 255.255.240.0
Domain Name Server 172.16.16.1 4.2.2.4

Lots of stuff to wonder about in that. As I stated previously, trying to determine the actual source of the problem if you came back with the router having a WAN address of 172.16.x.x would be problematic. first things first; 4.2.2.4 ==> vnsc-pri-dsl.genuity.net ... seems like a pretty strange listing to be using for a DNS ... not SkyWeb, not Verizon, rDNS 'name' sure doesn't suggest that it's a 'real' Domain Name Server ... any idea where that actually came from? Subnet Mask of 255.255.240.0 generally states that IP addresses from 172.16.0.0 through 172.16.255.255 are included/allowed as part of the subnet you're connected to. What is still missing is how many of those 4,000+ IP addresses end up being routed through the routable IP address in question of 70.109.95.137. If one is to go with the story they tell you that this IP address "is" you, then the only thing that could make that transition would be that small box just prior to the antenna, but I really doubt that .. guessing that this box is simply an ethernet-to-RF convertor/amplifier. If one goes with the Internet Protocol definition, then one is still stuck with just how 'you' would be able to clear up the apparent bad-traffic issue on the routable IP Address. On one hand, the SenderBase numbers are still down, but not yet anywhere close to zero ... noting that you still have yet to address the possibility that you are in fact sending out 2,000+ e-mails a day all by your lonesome. The SpamCopDNSBL page shows that spamtrap hits are still rolling in ....
when I started to reply to this yesterday, this IP address was scheduled for delisting in about 5 hours ... a check just now shows 9 hours .. see What is the SpamCop Blocking List (SCBL)? for some of the math involved ...

REPLY: Skyweb "claims" I am the only person being blocked. But my contact there is by no means an expert...mainly the receptionist

You may be the only person complaining. What makes you 'special' is that you are trying to send e-mail to an ISP that is using the SpamCopDNSBL in a blocking fashion. This is not a 100% universal situation. Other SkyWeb users (that may in fact be associated with this same IP Address) may be using web-mail only, other ISPs that don't do incoming blocking, on and on ... In my opinion, SkyWeb owes you an explanation as to just how you actually connect to 70.109.95.137 .... I note that you repeatedly suggest that you/they seem to want to use the word 'server' for some reason .... if I must lean in that direction, then I would think that the actual term might be 'proxy' ... probably followed by the word server. If that's the case, then you appear to be basically hosed. On one hand, the appearances are that locking down your wireless router has reduced some traffic flow, which also implies that your network was in fact part of the problem. However, as the spamtrap hits are still arriving from the IP address in question, the question still remains as to whether you are the 'only' user associated with that IP Address. If they can tell you just where and how you actually get locked into that IP address all by your lonesome, then you still have a problem with one of your computers. If they can't tell you anything more than the 'server' story, then they are the ones that are going to have to do some work on tracking down where the bad traffic is coming from.
I do not believe that asking the Deputies for some specific data will be accepted, and in all likelihood, any of the munged data they could/would provide (if it's a proxy server involved) probably wouldn't help 'you' .... if data exists in those headers, it probably would lead to one of those other 4,000+ 172.16.x.x addresses, which wouldn't do 'you' much good. NOTE: my last couple of attempts at trying to talk to an ISP about a user's issue didn't really work out too well, things like not knowing the user's real name, address, account data, etc. Looking at http://www.skywebinc.net/contact.htm which seems to be in the right ballpark, I don't see an 800 number, so also not into spending time trying to beat around the bushes on the dime I really don't have.
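The address arithmetic behind the subnet-mask and shared-IP question in the posts above, as an added example that is not part of any post in this thread: it takes the WAN address, mask and listed address quoted in the thread, works out the subnet the mask covers, and builds the reversed-octet name a DNSBL lookup uses. The zone name `bl.spamcop.net` and all function names are assumptions not given on the page.

```python
import ipaddress
import socket

# Values quoted in the thread: the router's WAN settings and the listed address.
WAN_IP = "172.16.19.179"
WAN_MASK = "255.255.240.0"
PUBLIC_IP = "70.109.95.137"

# Assumption: the zone name of the SpamCop blocking list (not given on the page).
DNSBL_ZONE = "bl.spamcop.net"


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBLs are queried by reversing the IPv4 octets and appending the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone=DNSBL_ZONE, resolver=socket.gethostbyname):
    """True if the DNSBL answers with an address in 127.0.0.0/8.

    A lookup failure (NXDOMAIN, or any resolver error) is treated as
    'not listed' here. `resolver` is injectable so the check can be
    exercised without network access.
    """
    try:
        answer = resolver(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def egress_report(wan_ip, wan_mask, public_ip, zone=DNSBL_ZONE):
    """Relate a router's WAN settings to the public address mail is seen from."""
    net = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}").network
    wan_private = ipaddress.ip_address(wan_ip).is_private
    return {
        "subnet": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "wan_is_private": wan_private,
        # A private WAN address cannot appear on the internet, so a different
        # public source address means some upstream device translates or
        # proxies the traffic, and that device may serve the whole subnet.
        "upstream_nat": wan_private and wan_ip != public_ip,
        "dnsbl_query": dnsbl_query_name(public_ip, zone),
    }


if __name__ == "__main__":
    for key, value in egress_report(WAN_IP, WAN_MASK, PUBLIC_IP).items():
        print(f"{key:15} {value}")
```

Calling `is_listed(PUBLIC_IP)` with the default resolver performs a live DNS query; the result depends on the list's current contents.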
Wazoo Posted December 19, 2007 Posted December 19, 2007

From: "Wazoo"
To: "SpamCop Deputies"
Subject: data from spamtrap hits
Date: Wed, 19 Dec 2007 12:25:07 -0600

http://forum.spamcop.net/forums/index.php?showtopic=9022

User has a SkyWeb wireless connection. Attempting to use IXWebHosting for e-mail, but as noted on other Forum Topics/Discussion, IXWebHosting uses the SpamCopDNSBL in a blocking fashion. Due to spamtrap hits, the IP Address that this user's e-mail leaves from SkyWeb is listed, thus IXWebHosting rejects the e-mail attempts.

Problem in trying to work out the issue ... the only IP Addresses provided by the user thus far show him on a non-routable (static) 172.16.19.179 address. This is the one found on the WAN side of his router .. the next box in the chain is the ethernet-to-RF adapter box that connects to the antenna. The next step seems to be imagining that his wireless connection is then connected to yet another router at the SkyWeb's receiving station ... what has yet to be sorted out is whether he alone has the use of the IP Address in question of 70.109.95.137 or if this is a shared IP address.

SenderBase data shows a magnitude of 3+ .... noting that user's application of a WAP passphrase on his (home) wireless router in fact has reduced traffic, so the assumption is that his wireless network was in fact part of the original problem. However, spamtrap hits still appear to be on-going, SenderBase is still showing a lot of traffic.

My question is .... do any of the spamtrap hits for/from 70.109.95.137 actually include the non-routable 172.16.x.x IP addresses? Worst case, if they do, is that address 172.16.19.179 .. meaning this user or pointing to another user assigned into the same SkyWeb sub-net?
Wazoo Posted December 19, 2007 Posted December 19, 2007

I have a static IP. And running Windows. Could I setup a mail server under windows on my computer? Would it still send to 70.109.95.137 and be blocked or would it go directed to the addressee?

You have thus far identified a static non-routable IP address. Attempting to send e-mail from an e-mail server from that address will result in many, many rejections. Setting up an e-mail server to use your ISP's e-mail server would leave you right where you set at the moment .. as the mystical connection to the IP address of 70.109.95.137 would still exist, and at last check, it's still listed in the SpamCopDNSBL. In my opinion, SkyWeb owes you a better, more specific detailed explanation of just how your traffic is actually routed .. and if it is a shared connection, then they need to find the source of the problem and get it corrected.
jaybeckham Posted December 19, 2007 Author Posted December 19, 2007

At this moment in time Skyweb has agreed to assign me to their mail server...I didn't know they had one. Still haven't gotten their promised email explaining how to make this change. So to a degree they are beginning to accept some responsibility to fix the problem. Will let you all know what happens when it does.

Thanks
Jay Beckham
Wazoo Posted December 20, 2007 Posted December 20, 2007

Reply from 'one not of the three' states that there is nothing in the headers beyond the 70.109.95.137 address. That still leaves (me at least) the wonderment of just where and at what device 'you' end up being connected to this IP Address. I'm more than willing to go with that they are using a Proxy server and funneling all kinds of (user) traffic through it. Trying to analyze (make that guess) at just what services are available, what bad traffic is passing through it in what fashion, I'm going to say that this would be pretty much a lost cause from this side of the screen.

Using a SkyWeb e-mail server will probably allow your e-mail to go out (hard to say specifically at this point due to not knowing the specifics there either) However, the first thing that comes to mind is that you will lose your 'web-site/Domain' identities, i.e., you'll be needing/using a new e-mail address. (Use of the IXWebHost webmail application will allow the continued 'outgoing' from those addresses, if needed.) The bad part about all of this is that it appears that SkyWeb may not be digging into the real problem.
jaybeckham Posted December 23, 2007 Author Posted December 23, 2007

PROBLEM SOLVED

First let me say the spamming stopped yesterday. But I see tonight it is back again. In the meantime Skyweb gave me the IP of their Mail Server and the user name and password. I changed my send SMTP to their IP and all is well with sending email. Apparently the 70.109.95.137 verizon server was a DNS server. So now I am bypassing it by going directly to Skyweb server and then the mail goes to my domains at IXWebhosting.

Thought some of you would like to know and I also wish to thank everyone that has tried so hard to help me. I really do appreciate it and would like to wish each of you a Happy Holiday and a Happy New Year...

Again Thanks
Jay Beckham in Wild and Wonderful West Virginia...
Wazoo Posted December 23, 2007 Posted December 23, 2007

Thanks for the follow-up. Will tag this as Resolved, even though there are still a lot of questions in my mind.

Apparently the 70.109.95.137 verizon server was a DNS server. So now I am bypassing it by going directly to Skyweb server and then the mail goes to my domains at IXWebhosting.

The major problem with that explanation is that a system configured to deliver DNS data is not an e-mail server. For one attempted explanation, see DNS - Domain Name Server / Service ... but again, if this specific computer is actually a Proxy Server, it's hard telling just how many other unintended (or even intended) services are actually available. The major issue for you was the abusable e-mail server being taken advantage of by someone, apparently still unknown .....

http://www.senderbase.org/senderbase_queri...g=70.109.95.137

Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ..... 4.1 .. 303%
Last month .. 3.5

This is not a sign of 'just' a DNS server ...
This topic is now archived and is closed to further replies.