DavidT Posted May 5, 2008

I just sent the following alert to JT:

I just had a message that I sent using "smtp.cesmail.net" blocked by a provider using the Barracuda Networks technology. Here's the error:

5.1.0 - Unknown address error 554-'Service unavailable; Client host [c60.cesmail.net] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=216.154.195.49'

According to the Barracuda URL:

The IP address 216.154.195.49 is listed in the Barracuda Reputation System as "poor" as of 05/05/08 10:43:42 PST.

So I did a lookup on the OpenRBL, where there was a listing at the "LashBacks Unsubscribe Blacklist." So I tried delisting there and it said:

"This IP was delisted before. To delist this IP again, please email delist[at]lashback.com with the IP address that you wish to remove from the blacklist."

Also, according to the CompleteWhois RBL lookup, the IP was recently listed at TQMCube, but I think that listing expired.

I did a lookup in the SpamCop reporting history and found a lot of potential backscatter hits, like this:

Submitted: Friday, May 02, 2008 7:39:11 PM -0700: Delivery Status Notification (Failure)
* 3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

So, it seems that someone whose computer is permitted to use the outbound SMTP is spewing out junk that's affecting the reputation of the IP (the senderbase stats show an alarming 248% increase in the last day), and we're starting to have our messages blocked.

DT
Wazoo Posted May 5, 2008

It does seem a bit curious about the difference between items like:

3085066446 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

and

3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

but of course, all I can see is the Subject Lines of the reported item. This does seem to also tie into some of the recent Discussion traffic in the Topic Phishing For Webmail, Jeff's system was sending spam.
petzl Posted May 6, 2008

I just sent the following alert to JT:

Getting added to more and more blacklists. SpamCop has sent three reports just today (last 24hrs) to "mailsys#admin.spamcop.net[at]devnull.spamcop.net" over 90 days. Mail server (which the SCBL will be reluctant to list) IP 216.154.195.49 seems to have persistent spew of spam. Seems either we have a spammer signed up to SpamCop email or their computer is compromised.
DavidT Posted May 6, 2008 (Author)

I've received further details from Barracuda Networks about the stuff being sent from the SpamCop Email System server. Here are three actual spam messages supplied as samples of the spew, and they've given SpamCop 7 days to stop these or the IP will go back on their blocklist. I'll send these to JT, and perhaps Don D'Minion has already taken a close look at the stuff coming from the IP that's been reported.

Received: from c60.cesmail.net (localhost [127.0.0.1]) by barracuda.1.uofdn.org (spam Firewall) with ESMTP id 418F6A8A91 for <=redacted=[at]uofdn.org>; Mon, 5 May 2008 14:22:55 -0700 (PDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by barracuda.1.uofdn.org with ESMTP id 3IN09np9B42ZtFtI for <=redacted=[at]uofdn.org>; Mon, 05 May 2008 14:22:55 -0700 (PDT)
Received: from unknown (HELO delta2) ([192.168.1.50]) by c60.cesmail.net with ESMTP; 05 May 2008 13:59:18 -0400
Received: from 62.32.32.77 ([62.32.32.77]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 05 May 2008 12:59:11 -0500
Message-ID: <20080505125911.q66nbabr40ssg8cs-jrergrqql[at]fcnzpbc.arg[at]webmail.spamcop.net>
Date: Mon, 05 May 2008 12:59:11 -0500
From: Joseph Poon <=redacted=[at]yahoo.cn>
Reply-To: =redacted=[at]hotmail.com
To: undisclosed-recipients:;
Subject: [bULK] BUSINESS PROPOSAL
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

MR.JOSEPH POON
HANG SENG BANK LTD.
83, Des Voeux Road, Central HK, Hong Kong.

Dear Friend,

My name is Joseph Poon, I work with HANG SENG BANK, HONG KONG. I have a Business Proposal of ($22,400,000.00) for you to handle with me from my bank. I will need you to assist me in executing this Business Project from Hong Kong to your country. I need to know if you will be able to handle this with me before I explain to you in details?

Should you be interested please send me your full names, private phone/fax and current residential address and finally after that I shall provide you with more details of this operation. You can contact me via this email: =redacted=[at]hotmail.com

Kind Regards
Joseph Poon
=redacted=[at]hotmail.com

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by barracuda.assistguide.net (spam Firewall) with ESMTP id 7307F33A4B for <=redacted=[at]actsinc.net>; Mon, 5 May 2008 09:08:14 -0500 (CDT)
Received: from unknown (HELO epsilon2) ([192.168.1.60]) by c60.cesmail.net with ESMTP; 05 May 2008 10:08:15 -0400
Received: from 81.199.149.98.ipplanet.com (81.199.149.98.ipplanet.com [81.199.149.98]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 05 May 2008 09:08:10 -0500
Message-ID: <20080505090810.yaxz6dicgg84okks-jrergrqql[at]fcnzpbc.arg[at]webmail.spamcop.net>
Date: Mon, 05 May 2008 09:08:10 -0500
From: ECOWAS/SHELL DONATIONS 2008 <=redacted=[at]walla.com>
Reply-To: =redacted=[at]hotmail.com
To: undisclosed-recipients:;
Subject: Congratulations Your Email Won($1,000,000.00)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

This is to inform you that you have won a prize money of One Million United States Dollars, ($1,000,000.00) for this year 2008 Lottery promotion which is organized by ECOWAS DONATIONS 2008. These are your identification numbers:

Batch number..ECW 09102XN
Reff number..ECW35447XN
Winning number..ECW09788

These numbers fall within your Location file, you are requested to contact the events manager/Claims Department, send your winning identification numbers to her, to enable her verify your claims.

(CONTACT FINANCE DEPARTMENT)
Name: Mrs. Jane Okeke
Tel: +2348060056926
E-mail: =redacted=[at]hotmail.com, =redacted=[at]yahoo.no

To claim your prize, please contact: with the following information..
1. Name, Address, Occupation, Age, Phone number, Occupation, Country

Thank you and Accept my hearty congratulations once again!

Yours faithfully,
Mrs. Mary Jones

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by cuda.lamar.com (spam Firewall) with ESMTP id A81C680D541 for <=redacted=[at]lamar.com>; Mon, 21 Apr 2008 06:00:46 -0500 (CDT)
Received: from unknown (HELO epsilon2) ([192.168.1.60]) by c60.cesmail.net with ESMTP; 21 Apr 2008 07:00:25 -0400
Received: from 70-3.vgccl.net (70-3.vgccl.net [41.220.70.3]) by webmail.spamcop.net (Horde MIME library) with HTTP; Mon, 21 Apr 2008 07:00:17 -0400
Message-ID: <20080421070017.zf0wtsr8o4s80800[at]webmail.spamcop.net>
Date: Mon, 21 Apr 2008 07:00:17 -0400
From: Free Lottery Game <=redacted=[at]lotterygame.com>
Reply-To: =redacted=[at]jmail.co.za
To: undisclosed-recipients:;
Subject: Our Esteemed Winner
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

WINNING DETAILS:
Ref. No: KPC/9080118308/02/TCA
Batch No: 12/25/0034
Ticket Number: ZZ 3502 /8707-01

Dear Winner

We are pleased to inform you of the final announcement that you are one of our year winner of the Microsoft Award Team, held on the 1st of March, 2008. You have therefore been approved to claim a total sum of =A3500,000.00 Pounds. Please contact Claims Officer for the claim of your winning prize.

Mrs. Eva pedro
Email: =redacted=[at]jmail.co.za

Congratulation once more and have a nice day.

Your's Sincerely,
Jimmy Phillips
Online Co-ordinator.

If these are valid messages, then there's a BIG problem with the SpamCop webmail system, and therefore also with those of us who use the SMTP services.

DT
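All three samples share one shape: the real origin is the client IP on the "by webmail.spamcop.net ... with HTTP" hop, the message goes to "undisclosed-recipients:;", and the Reply-To domain differs from the From domain. The check below is an added example (not code from this thread or from SpamCop) that pulls the webmail-hop IP out of a header set and flags those traits; it runs on a constructed sample modelled on the quoted headers, with placeholder addresses and a placeholder receiving host.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted headers; addresses are placeholders.
SAMPLE = (
    "Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])\n"
    "\tby mx.example.invalid with ESMTP id ABC123 for <victim@example.invalid>;\n"
    "\tMon, 05 May 2008 14:22:55 -0700 (PDT)\n"
    "Received: from unknown (HELO delta2) ([192.168.1.50])\n"
    "\tby c60.cesmail.net with ESMTP; 05 May 2008 13:59:18 -0400\n"
    "Received: from 62.32.32.77 ([62.32.32.77])\n"
    "\tby webmail.spamcop.net (Horde MIME library) with HTTP;\n"
    "\tMon, 05 May 2008 12:59:11 -0500\n"
    "From: Joseph Poon <sender@yahoo.example>\n"
    "Reply-To: other@hotmail.example\n"
    "To: undisclosed-recipients:;\n"
    "Subject: BUSINESS PROPOSAL\n\nbody\n"
)

WEBMAIL_HOST = "webmail.spamcop.net"  # the hop whose client IP is the true origin
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)(.*)")

def webmail_origin(msg):
    """Client IP of the hop that reached WEBMAIL_HOST over HTTP, or None."""
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold the header before matching
        m = RECEIVED_RE.match(flat)
        if m and m.group(2) == WEBMAIL_HOST and "with HTTP" in m.group(3):
            return m.group(1)
    return None

def indicators(msg):
    """Traits the three quoted samples share; each is a review signal, not proof."""
    out = []
    if webmail_origin(msg):
        out.append("webmail-http-submission")
    if "undisclosed-recipients" in (msg.get("To") or ""):
        out.append("undisclosed-recipients")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        out.append("reply-to-domain-mismatch")
    return out

def assess(raw):
    msg = message_from_string(raw)
    return {"origin_ip": webmail_origin(msg), "indicators": indicators(msg)}
```

Run over a webmail server's outbound queue, the origin IP is what to rate-limit or challenge per account, while the header traits only rank which sessions to look at first.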
Wazoo Posted May 6, 2008

> I'll send these to JT, and perhaps Don D'Minion has already taken a close look at the stuff coming from the IP that's been reported. If these are valid messages, then there's a BIG problem with the SpamCop webmail system, and therefore also with those of us who use the SMTP services.

Per Don's post at http://forum.spamcop.net/forums/index.php?...ost&p=64243 ... yet another bit of an idiotic action taken in reference to the phishing spam, resulting in yet another compromised SpamCop e-mail account being used by a spammer.
StevenUnderwood Posted May 6, 2008

> Per Don's post at http://forum.spamcop.net/forums/index.php?...ost&p=64243 ... yet another bit of an idiotic action taken in reference to the phishing spam, resulting in yet another compromised SpamCop e-mail account being used by a spammer.

1. This entire thing was stated as to why JT hesitated going into the SMTP business in the first place: spammers would LOVE to gain access to the spamcop system and start getting it listed throughout the internet. I hope this episode does not end the "Beta" that has been going on.

2. I find it interesting that this spammer is using the HTTP interface for this round (enough said).
DavidT Posted May 6, 2008 (Author)

> This entire thing was stated as to why JT hesitated going into the SMTP business in the first place, spammers would LOVE to gain access to the spamcop system and start getting it listed throughout the internet. I hope this episode does not end the "Beta" that has been going on.

It shouldn't, because it had nothing to do with the SMTP service -- it was apparently due to silly people (perhaps a harsher term would be appropriate) who gave up their webmail login information. Webmail systems have to send mail, so short of increasing the IQs of the users (oops...I went negative), there isn't a foolproof solution.

As I posted in the other thread: I just received a phone call from one of the admins at Barracuda Networks, clarifying their recent blocking of the SpamCop Email System IP. Seems there's a bit of sensitivity WRT blocking a competitor (Ironport) so they wanted to make sure I was fully informed.

DT
SpamCopAdmin Posted May 7, 2008

> It does seem a bit curious about the difference between items like:
>
> 3085066446 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net
>
> and
>
> 3078160525 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

mailsys[at]admin.spamcop.net is me. The bottom report is a bounce coming from Jeff's system. The top one is a "relay" report telling me that a reported email was handled by Jeff's system, but it wasn't identified as the source.

Mailsys[at]admin.spamcop.net was (until just now) set to refuse relay reports, hence the "devnull" business. I don't remember why I set the account that way, but I'll bet I remember pretty quickly now that I've enabled relay reports again.

- Don D'Minion - SpamCop Admin -