CES outbound server is getting listed on some RBLs


I just sent the following alert to JT:

I just had a message that I sent using "smtp.cesmail.net" blocked by a provider using the Barracuda Networks technology. Here's the error:

5.1.0 - Unknown address error 554-'Service unavailable; Client host [c60.cesmail.net] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=216.154.195.49'

According to the Barracuda URL:

The IP address 216.154.195.49 is listed in the Barracuda Reputation System as "poor" as of 05/05/08 10:43:42 PST.

So I did a lookup on the OpenRBL, where there was a listing at the "LashBacks Unsubscribe Blacklist." So I tried delisting there and it said:

"This IP was delisted before. To delist this IP again, please email delist[at]lashback.com with the IP address that you wish to remove from the blacklist."

Also, according to the CompleteWhois RBL lookup, the IP was recently listed at TQMCube, but I think that listing expired.

I did a lookup in the SpamCop reporting history and found a lot of potential backscatter hits, like this:

Submitted: Friday, May 02, 2008 7:39:11 PM -0700:

Delivery Status Notification (Failure)

* 3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

So, it seems that someone whose computer is permitted to use the outbound SMTP is spewing out junk that's affecting the reputation of the IP (the senderbase stats show an alarming 248% increase in the last day), and we're starting to have our messages blocked.

DT

It does seem a bit curious about the difference between items like:

3085066446 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

and

3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

but of course, all I can see is the Subject Lines of the reported item.

This does seem to also tie into some of the recent Discussion traffic in the Topic Phishing For Webmail, Jeff's system was sending spam

I just sent the following alert to JT:

Getting added to more and more blacklists

SpamCop has sent three reports just today (last 24 hrs) to "mailsys#admin.spamcop.net[at]devnull.spamcop.net"; over 90 days, mail server (which the SCBL will be reluctant to list) IP 216.154.195.49 seems to have a persistent spew of spam.

Seems either we have a spammer signed up to SpamCop email or their computer is compromised.

I've received further details from Barracuda Networks about the stuff being sent from the SpamCop Email System server. Here are three actual spam messages supplied as samples of the spew, and they've given SpamCop 7 days to stop these or the IP will go back on their blocklist. I'll send these to JT, and perhaps Don D'Minion has already taken a close look at the stuff coming from the IP that's been reported.

Received: from c60.cesmail.net (localhost [127.0.0.1]) by barracuda.1.uofdn.org (spam Firewall) with ESMTP id 418F6A8A91 for <=redacted=[at]uofdn.org>; Mon, 5 May 2008 14:22:55 -0700 (PDT)

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by barracuda.1.uofdn.org with ESMTP id 3IN09np9B42ZtFtI for <=redacted=[at]uofdn.org>; Mon, 05 May 2008 14:22:55 -0700 (PDT)

Received: from unknown (HELO delta2) ([192.168.1.50]) by c60.cesmail.net with ESMTP; 05 May 2008 13:59:18 -0400

Received: from 62.32.32.77 ([62.32.32.77]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 05 May 2008 12:59:11 -0500

Message-ID: <20080505125911.q66nbabr40ssg8cs-jrergrqql[at]fcnzpbc.arg[at]webmail.spamcop.net>

Date: Mon, 05 May 2008 12:59:11 -0500

From: Joseph Poon <=redacted=[at]yahoo.cn>

Reply-To: =redacted=[at]hotmail.com

To: undisclosed-recipients:;

Subject: [bULK] BUSINESS PROPOSAL

MIME-Version: 1.0

Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"

Content-Disposition: inline

Content-Transfer-Encoding: 7bit

User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

MR.JOSEPH POON

HANG SENG BANK LTD.

83, Des Voeux Road,

Central HK,

Hong Kong.

Dear Friend,

My name is Joseph Poon, I work with HANG SENG BANK, HONG KONG.I have a Business Proposal of ($22,400,000.00) for you to handle with me from my bank.I will need you to assist me in executing this Business Project from Hong Kong to your country. I need to know if you will be able to handle this with me before I explain to you in details ? Should you be interested please send me your full names,private phone/fax and current residential address and finally after that I shall provide you with more details of this operation.You can contact me via this email: =redacted=[at]hotmail.com

Kind Regards

Joseph Poon

=redacted=[at]hotmail.com

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by barracuda.assistguide.net (spam Firewall) with ESMTP id 7307F33A4B for <=redacted=[at]actsinc.net>; Mon, 5 May 2008 09:08:14 -0500 (CDT)

Received: from unknown (HELO epsilon2) ([192.168.1.60]) by c60.cesmail.net with ESMTP; 05 May 2008 10:08:15 -0400

Received: from 81.199.149.98.ipplanet.com (81.199.149.98.ipplanet.com [81.199.149.98]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 05 May 2008 09:08:10 -0500

Message-ID: <20080505090810.yaxz6dicgg84okks-jrergrqql[at]fcnzpbc.arg[at]webmail.spamcop.net>

Date: Mon, 05 May 2008 09:08:10 -0500

From: ECOWAS/SHELL DONATIONS 2008 <=redacted=[at]walla.com>

Reply-To: =redacted=[at]hotmail.com

To: undisclosed-recipients:;

Subject: Congratulations Your Email Won($1,000,000.00)

MIME-Version: 1.0

Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"

Content-Disposition: inline

Content-Transfer-Encoding: 7bit

User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

This is to inform you that you have won a prize money of One Million United States Dollars, ($1,000,000.00) for this year 2008 Lottery promotion which is organized by ECOWAS DONATIONS 2008.These are your identificationnumbers: Batch number..ECW 09102XNReffnumber..ECW35447XNWinningnumber..ECW09788 These numbers fall within yourLocationfile, you are requested to contact the events manager/ClaimsDepartment, send your winningidentification numbers to her,to enable herverify your claims.(CONTACT FINANCE DEPARTMENT)Name:Mrs.Jane Okeke Tel:+2348060056926E-mail:,=redacted=[at]hotmail.com,=redacted=[at]yahoo.no, To claim your prize, please contact:with the following information..1.Name,Address, Occupation, Age, Phone number, Occupation, Country Thank you and Accept my hearty congratulationsonce again! Yours faithfully,Mrs.Mary Jones

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by cuda.lamar.com (spam Firewall) with ESMTP id A81C680D541 for <=redacted=[at]lamar.com>; Mon, 21 Apr 2008 06:00:46 -0500 (CDT)

Received: from unknown (HELO epsilon2) ([192.168.1.60]) by c60.cesmail.net with ESMTP; 21 Apr 2008 07:00:25 -0400

Received: from 70-3.vgccl.net (70-3.vgccl.net [41.220.70.3]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 21 Apr 2008 07:00:17 -0400

Message-ID: <20080421070017.zf0wtsr8o4s80800[at]webmail.spamcop.net>

Date: Mon, 21 Apr 2008 07:00:17 -0400

From: Free Lottery Game <=redacted=[at]lotterygame.com>

Reply-To: =redacted=[at]jmail.co.za

To: undisclosed-recipients:;

Subject: Our Esteemed Winner

MIME-Version: 1.0

Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"

Content-Disposition: inline

Content-Transfer-Encoding: quoted-printable

User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

WINNING DETAILS:

Ref. No: KPC/9080118308/02/TCA

Batch No: 12/25/0034

Ticket Number: ZZ 3502 /8707-01

Dear Winner

We are pleased to inform you of the final announcement that you are one of our year winner of the Microsoft Award Team, held on the 1st of March, 2008.You have therefore been approved to claim a total sum of =A3500,000.00 Pounds.

Please contact Claims Officer for the claim of your winning prize.

Mrs.Eva pedro

Email:=redacted=[at]jmail.co.za

Congratulation once more and have a nice day.

Your's Sincerely,

Jimmy Phillips

Online Co-ordinator.

If these are valid messages, then there's a BIG problem with the SpamCop webmail system, and therefore also with those of us who use the SMTP services.

DT
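All three samples above have the same shape: a browser at some external IP submits the message to webmail.spamcop.net over HTTP, an internal host (delta2 or epsilon2) relays it, and c60.cesmail.net sends it out, so the outbound IP takes the reputation hit. As an added example (not code from the post or from SpamCop), this Python snippet parses such a Received chain top-down and pulls out the webmail-submission client IP and the internal relay, which is what an abuse desk needs to tie the spew to a specific account's login source. The sample header text is constructed from the first sample; the recipient address is a placeholder.

```python
import re

# Constructed sample (not from the original post): the Received chain of the
# first Barracuda sample above, re-folded with RFC 5322 continuation lines.
# The recipient address is a placeholder; hosts and IPs are those quoted on the page.
SAMPLE_HEADERS = """\
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
\tby barracuda.1.uofdn.org with ESMTP id 3IN09np9B42ZtFtI
\tfor <recipient@example.org>; Mon, 05 May 2008 14:22:55 -0700 (PDT)
Received: from unknown (HELO delta2) ([192.168.1.50])
\tby c60.cesmail.net with ESMTP; 05 May 2008 13:59:18 -0400
Received: from 62.32.32.77 ([62.32.32.77]) by webmail.spamcop.net (Horde
\tMIME library) with HTTP; Mon, 05 May 2008 12:59:11 -0500
"""
HOP_RE = re.compile(r"^Received:\s*from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+"
                    r"(?P<by>\S+).*?\bwith\s+(?P<with>\w+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw):
    """Return the Received hops as dicts, top-down (most recent hop first)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ip, helo = IP_RE.search(m.group("rest")), HELO_RE.search(m.group("rest"))
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None,
                     "by": m.group("by"), "with": m.group("with").upper()})
    return hops

def webmail_origin(hops):
    """Hop where a browser handed the message to webmail ('with HTTP'), plus the internal relay."""
    for i, hop in enumerate(hops):
        if hop["with"] == "HTTP":
            relay = hops[i - 1] if i > 0 else None
            return {"client_ip": hop["ip"] or hop["from"], "webmail_host": hop["by"],
                    "internal_relay": relay["helo"] if relay else None}
    return None
```

Running it over a batch of reported messages and grouping by client_ip and by the account that was logged in is a quicker way to find the compromised login than reading each report by hand.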

I'll send these to JT, and perhaps Don D'Minion has already taken a close look at the stuff coming from the IP that's been reported.

If these are valid messages, then there's a BIG problem with the SpamCop webmail system, and therefore also with those of us who use the SMTP services.

Per Don's post at http://forum.spamcop.net/forums/index.php?...ost&p=64243 ... yet another bit of an idiotic action taken in reference to the phishing spam, resulting in yet another compromised SpamCop e-mail account being used by a spammer.

Per Don's post at http://forum.spamcop.net/forums/index.php?...ost&p=64243 ... yet another bit of an idiotic action taken in reference to the phishing spam, resulting in yet another compromised SpamCop e-mail account being used by a spammer.

1. This entire thing was stated as to why JT hesitated going into the SMTP business in the first place; spammers would LOVE to gain access to the spamcop system and start getting it listed throughout the internet. I hope this episode does not end the "Beta" that has been going on.

2. I find it interesting that this spammer is using the HTTP interface for this round (enough said).

This entire thing was stated as to why JT hesitated going into the SMTP business in the first place; spammers would LOVE to gain access to the spamcop system and start getting it listed throughout the internet. I hope this episode does not end the "Beta" that has been going on.

It shouldn't, because it had nothing to do with the SMTP service -- it was apparently due to silly people (perhaps a harsher term would be appropriate) who gave up their webmail login information. Webmail systems have to send mail, so short of increasing the IQs of the users (oops...I went negative), there isn't a foolproof solution.

As I posted in the other thread:

I just received a phone call from one of the admins at Barracuda Networks, clarifying their recent blocking of the SpamCop Email System IP. Seems there's a bit of sensitivity WRT blocking a competitor (Ironport) so they wanted to make sure I was fully informed.

DT

It does seem a bit curious about the difference between items like:

3085066446 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

and

3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

mailsys[at]admin.spamcop.net is me.

The bottom report is a bounce coming from Jeff's system.

The top one is a "relay" report telling me that a reported email was handled by Jeff's system, but it wasn't identified as the source. Mailsys[at]admin.spamcop.net was (until just now) set to refuse relay reports, hence the "devnull" business. I don't remember why I set the account that way, but I'll bet I remember pretty quickly now that I've enabled relay reports again.

- Don D'Minion - SpamCop Admin -
