EVV532 Posted February 5, 2008

67.38.176.142 is listed. Can someone help us determine why? We had one computer with NTRootkit-J last week. I think we have it eradicated. Any ideas would be appreciated.

Thanks, EVV532

Lking Posted February 5, 2008

> 67.38.176.142 is listed. Can someone help us determine why?

The best source for the information you are asking for is to go to the spamcop web page and click on the Blocking List Tab. There you will find a window to enter your numeric IP address. When you click on the button you will see that at this time:

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

There is also some additional information about your IP and mail.threeieng.com that you should address. Hope this helps.

EVV532 Posted February 5, 2008

> The best source for the information you are asking for is to go to the spamcop web page and click on the Blocking List Tab.

Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.

Lking Posted February 5, 2008

> Still trying to find the original cause for getting listed in the first place.

The original cause for being listed seems to be that mail from your IP was received by some of SpamCop's spam traps. Apparently three times during the last five days. Spamtraps are: "Non-existent email addresses set up by SpamCop to definitively identify spam. As SpamCop never used these email addresses to signup for a mailing list or purchase an item, for example, SpamCop knows spammers harvested the emails for their mailing lists."

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

The fact that your volume of email has increased 1050% over last month would indicate that something has changed. Do you know what has changed? There are lots of tools available to help you identify malware on your machines if you can't account for the increase in volume in other ways.

Farelf Posted February 5, 2008

> Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.

Lou (preceding post) has mentioned the SenderBase stats, which you can access via the lookup you know about. You only seem to be listed on the SCbl, looking at http://www.robtex.com/rbl/67.38.176.142.html (so no evidence is available from other sources) but the hits on SC spamtraps seem to continue going by SenderBase and the currency of your listing in the SCbl. And spamtrap evidence is secret. The deputies (deputies[at]admin.spamcop.net) might be able to tell you the TYPE of traffic they are seeing in the spamtraps (NDNs, etc) which could maybe help you home in on the continuing problem.

Miss Betsy Posted February 6, 2008

If your SenderBase stats are not going down, then perhaps there is something else or you didn't get what you had completely eradicated.

Miss Betsy

Telarin Posted February 6, 2008

My first suggestion is to get a quick fix in until you can more definitively track down the problem machine. The first thing I would suggest doing is configure your firewall to only allow outgoing port 25 traffic from your mailserver. This will block any infected computers on your network from sending out mail. If your router/firewall supports it, configuring it to log those failed attempts can be very useful in tracking down the infected computer.

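The egress rule and logging Telarin describes, as an added example that is not part of the original thread. It assumes a Linux gateway using iptables, a hypothetical mail server at 192.168.1.10, a log prefix chosen here, and constructed log lines.

```shell
#!/bin/sh
# Added example. Assumptions: Linux gateway with iptables; the mail server
# address, log prefix and log lines below are constructed for illustration.
MAIL_SERVER="192.168.1.10"   # hypothetical internal mail server

# Allow SMTP out only from the mail server; log and drop everyone else.
# Defined but not invoked here, since it needs root on the gateway.
apply_smtp_egress_rules() {
    iptables -A FORWARD -p tcp --dport 25 -s "$MAIL_SERVER" -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-BLOCK: "
    iptables -A FORWARD -p tcp --dport 25 -j DROP
}

# Read kernel log lines on stdin and print "count source-ip" for every
# host whose port 25 connection attempts were blocked, busiest first.
smtp_offenders() {
    awk -v prefix="SMTP-BLOCK:" '
        index($0, prefix) {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == "25") count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of what the LOG rule writes to the kernel log,
# plus one unrelated line (different prefix and port) that must be ignored.
sample_log() {
    cat <<'EOF'
Feb  6 10:15:01 gw kernel: SMTP-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 PROTO=TCP SPT=49211 DPT=25 SYN
Feb  6 10:15:02 gw kernel: SMTP-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=49212 DPT=25 SYN
Feb  6 10:15:04 gw kernel: SMTP-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=203.0.113.25 PROTO=TCP SPT=50011 DPT=25 SYN
Feb  6 10:15:05 gw kernel: SMTP-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.40 PROTO=TCP SPT=49213 DPT=25 SYN
Feb  6 10:15:09 gw kernel: WEB-AUDIT: IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=198.51.100.7 PROTO=TCP SPT=50100 DPT=80 SYN
EOF
}

sample_log | smtp_offenders
```

On a real gateway the kernel log would be piped into `smtp_offenders` in place of `sample_log`; the host at the top of the output is the first one to inspect.
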
Lking Posted February 6, 2008

Telarin, you're right, it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also have been some additional hits at the spam traps because the time remaining on the list has increased also. Keep digging EVV532, the problem is there somewhere.

EVV532 Posted February 6, 2008

> Telarin, you're right, it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also have been some additional hits at the spam traps because the time remaining on the list has increased also.

I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging. Trying the port 25 blocking suggestion. Thanks to all. Any other additional ideas are appreciated.

petzl Posted February 6, 2008

> I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging. Trying the port 25 blocking suggestion. Thanks to all. Any other additional ideas are appreciated.

http://forum.spamcop.net/scwik/Bounce

You're not mindlessly bouncing email?

Lking Posted February 6, 2008

> You're not mindlessly bouncing email?

In this case wouldn't that require SpamCop spam traps to send email or someone to know the address of a spam trap and include it in an email to EVV532? I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.

Farelf Posted February 7, 2008

Now promoting itself to a few more lists - http://www.robtex.com/rbl/67.38.176.142.html

Listingrisk No longer a risk, your IP got listed :-(

Derek T Posted February 7, 2008

> In this case wouldn't that require SpamCop spam traps to send email or someone to know the address of a spam trap and include it in an email to EVV532? I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.

Au contraire, very likely and very common. Spamtrap addresses are 'out there' to attract the scrapers: that's the whole point. No human needs to know them.

Human report now received

Submitted: Thu, 07 Feb 2008 08:29:45 GMT:
Crazy Britney does it again!
* 2820599222 ( 67.38.176.142 ) To: abuse[at]prodigy.net

Archived
This topic is now archived and is closed to further replies.