andreguerreiro Posted June 6, 2008

Hi. My IP (194.79.71.78) was (rightly) blacklisted because of a spam attack. After finding the culprit and dealing with that issue, I need my IP off your blacklist ASAP; don't know if anyone can help me. Can't really afford to wait up to 24 hours (I need it up yesterday). Is this a possibility?
Merlyn Posted June 6, 2008

You do not have to wait 24 hours. If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 18 hours. Time passes fast.
Telarin Posted June 6, 2008

Yep, you can do an express delisting by going here: http://www.spamcop.net/w3m?action=checkblo...ip=194.79.71.78 and using the delist option at the bottom. However, be aware that you can only ever do this once, so if the spam problem is not resolved and you get listed again, you will have to wait for this listing to expire normally.
andreguerreiro (Author) Posted June 6, 2008

> You do not have to wait 24 hours. If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 18 hours. Time passes fast.

Tyvm for the fast reply, but what I was really asking was if there was an unautomated way to remove me from that list... I guess not, right?
Merlyn Posted June 6, 2008

> Tyvm for the fast reply, but what I was really asking was if there was an unautomated way to remove me from that list... I guess not, right?

Yes, there is a way; see Will's answer above.
andreguerreiro (Author) Posted June 6, 2008

> Yep, you can do an express delisting by going here: http://www.spamcop.net/w3m?action=checkblo...ip=194.79.71.78 and using the delist option at the bottom. However, be aware that you can only ever do this once, so if the spam problem is not resolved and you get listed again, you will have to wait for this listing to expire normally.

Yes, I tried that, but unfortunately the e-mails presented in that form do not belong to me; they all belong to my ISP (novis.pt).
StevenUnderwood Posted June 6, 2008

> Hi. My IP (194.79.71.78) was (rightly) blacklisted because of a spam attack. After finding the culprit and dealing with that issue, I need my IP off your blacklist ASAP; don't know if anyone can help me. Can't really afford to wait up to 24 hours (I need it up yesterday). Is this a possibility?

Have you followed: http://www.spamcop.net/bl.shtml?194.79.71.78
Then followed the link on that page: "Information about the reasons for listing (blocking) your mail server (194.79.71.78)"
However, following that will not allow you to ever do it again. If you follow the SenderBase link on that page, you will currently see:

Last day     3.4   2040%
Last month   2.1

Which is not a good sign.
Merlyn Posted June 6, 2008

More info on that IP:

Listed by:
UCEPROTECTL3 UCEPROTECT®-Network Project - Level 3: dnsbl-3.uceprotect.net -> 127.0.0.2
  Your ISP NOVIS Novis Telecom, S.A./AS2860 is UCEPROTECT-Level3 listed because he is responsible for a total of 1111 abusers on the net. See: http://www.uceprotect.net/rblcheck.php?ipr=194.79.71.78
DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2
  Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=194.79.71.78

Even though you are no longer on the CBL, because "It was previously listed, but was removed at 2008-06-06 16:09 GMT", if you haven't fixed your problem it will be re-listed. You are in a couple more, but they should not cause you a problem.
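The "zone -> 127.0.0.2" lines Merlyn pasted are the raw form of a DNSBL lookup: the address octets are reversed, the list's zone name is appended, and an A record inside 127.0.0.0/8 means "listed" (the last octet is a list-specific return code). The script below is an added example written for this thread, not code from SpamCop, UCEPROTECT or the CBL. It uses the zones and the 194.79.71.78 address quoted above, replaces live DNS with a constructed answer table so it runs offline, and keeps a real resolver function for use outside the example; treating `cbl.abuseat.org` as the CBL query zone is an assumption taken from the lookup URL in the post.

```python
"""Offline walk-through of how the DNSBL answers quoted above are produced.

Added example for this thread, not code from SpamCop, UCEPROTECT or the CBL.
Zone names and the 127.0.0.2 answers come from the post above; the resolver
is replaced by a constructed answer table so the script runs without network.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed stand-in for live DNS: query name -> A record; missing = NXDOMAIN.
# Mirrors the thread's state after the CBL removal at 2008-06-06 16:09 GMT.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "78.71.79.194.dnsbl-3.uceprotect.net": "127.0.0.2",
    "78.71.79.194.t1.dnsbl.net.au": "127.0.0.2",
}

# Listing zones answer inside this range; anything else is not a listing.
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL query form: octets reversed, then the list's zone appended.

    194.79.71.78 checked against dnsbl-3.uceprotect.net becomes
    78.71.79.194.dnsbl-3.uceprotect.net.
    """
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Map the A record (or its absence) to a verdict.

    An answer outside 127.0.0.0/8 is not a listing; it usually means a
    wildcarded or defunct zone, so a mail filter must not block on it.
    """
    if answer is None:
        return "not listed"
    code = ipaddress.IPv4Address(answer)
    if code not in LISTED_RANGE:
        return f"ignored: answer {answer} outside 127.0.0.0/8"
    return f"listed (return code {answer})"


def constructed_resolve(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table."""
    return CONSTRUCTED_ANSWERS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup for use outside this example; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones,
             resolve: Callable[[str], Optional[str]] = constructed_resolve) -> Dict[str, str]:
    """Query each zone for one IP and return zone -> verdict."""
    return {zone: interpret_answer(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    # cbl.abuseat.org as the CBL query zone is an assumption from the lookup URL.
    zones = ["dnsbl-3.uceprotect.net", "t1.dnsbl.net.au", "cbl.abuseat.org"]
    for zone, verdict in check_ip("194.79.71.78", zones).items():
        print(f"{zone:28s} {verdict}")
```

Passing `resolve=live_resolve` to `check_ip` turns this into a real check; the "ignored" branch matters in production because a retired list that starts answering with a public address would otherwise block all mail.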
andreguerreiro (Author) Posted June 6, 2008

> Have you followed: http://www.spamcop.net/bl.shtml?194.79.71.78
> Then followed the link on that page: "Information about the reasons for listing (blocking) your mail server (194.79.71.78)"

Yes, I have followed those links and verified that there was indeed a spam problem in my organization. However, as I stated, the spam problem was solved since then. Hence the removal request.
StevenUnderwood Posted June 6, 2008

> Yes, I have followed those links and verified that there was indeed a spam problem in my organization. However, as I stated, the spam problem was solved since then. Hence the removal request.

Have the SenderBase numbers been dropping? If not, you may not be done fixing things. You can always follow the links on that page to delist yourself and hope you fixed the problem. As stated here, there is no second chance with that option. After that, you will need to contact the deputies and prove what you did fixed the issue before they will remove you. If none of the email addresses listed there are yours, you will need to have your ISP do the delisting.
andreguerreiro (Author) Posted June 6, 2008

> Even though you are no longer on the CBL, because "It was previously listed, but was removed at 2008-06-06 16:09 GMT", if you haven't fixed your problem it will be re-listed. You are in a couple more, but they should not cause you a problem.

I had already checked, and yes, I was listed at CBL, but after asking for removal (after the problem had been solved), I can now send to addresses that were using that blacklist. Apparently, though, SpamCop is somewhat popular, and while I was able to solve the problem for a few e-mail servers, most are still giving me problems.
StevenUnderwood Posted June 6, 2008

> I had already checked, and yes, I was listed at CBL, but after asking for removal (after the problem had been solved), I can now send to addresses that were using that blacklist. Apparently, though, SpamCop is somewhat popular, and while I was able to solve the problem for a few e-mail servers, most are still giving me problems.

Have you followed the advice you have received here? If you feel so strongly your problem is resolved, follow the delisting procedure. It will take a little while for the changes to propagate, but much less than 18 hours. Are you also responsible for 194.79.71.178? According to SenderBase, that is pushing out as many messages as 194.79.71.78. 10^3.4 = 2500 messages in the last day to addresses monitored by SenderBase.
andreguerreiro (Author) Posted June 6, 2008

> Have you followed the advice you have received here? If you feel so strongly your problem is resolved, follow the delisting procedure. It will take a little while for the changes to propagate, but much less than 18 hours. Are you also responsible for 194.79.71.178? According to SenderBase, that is pushing out as many messages as 194.79.71.78. 10^3.4 = 2500 messages in the last day to addresses monitored by SenderBase.

Yes, I have followed the very valuable and much appreciated advice given here. I have, however, to contact my ISP in order to get delisted, and I am not confident in the results (it's 8 PM here). As for 194.79.71.178: I'm happy to say I'm not responsible for that IP.
turetzsr Posted June 6, 2008

> Yes, I have followed those links and verified that there was indeed a spam problem in my organization. <snip>

...Please don't use all capital letters to refer to spam unless you are referring to the lunch meat product manufactured by Hormel. Please see the first part of my post in Forum thread "Seeking suggestions for handling bounces/misdirects". Thank you!
Wazoo Posted June 7, 2008

> Last day 3.4 2040% Last month 2.1

> Yes, I have followed those links and verified that there was indeed a spam problem in my organization. However, as I stated, the spam problem was solved since then. Hence the removal request.

Personally, I don't think the problem has been resolved, but only you would theoretically know for sure. About seven hours ago, http://www.senderbase.org/senderbase_queri...ng=194.79.71.78 showed:

Date of first message seen from this address: 2008-06-05

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
Last day      3.4         1935%
Last month    2.1

Currently reading:

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
Last day      3.4         1961%
Last month    2.1

Maybe you can justify those numbers .... something on the order of 9-10,000 e-mails a day ...??? From this side of the screen, if there 'was' a problem that is now 'fixed', it would seem that the traffic flow would be going down. In the past, when others have stated "problem resolved", those numbers went down very quickly. On the other hand, I am very curious as to the 'immediacy' involved, the 'spam attack' .. actually the whole situation, when the SenderBase data states that e-mail was only seen starting 'today' from that IP Address.

194.79.71.78 RTT: 164ms TTL: 50 (194-79-71-78.net.novis.pt ok)

doesn't really jump right out and say "e-mail server" to me. At the time of this posting, http://www.spamcop.net/w3m?action=blcheck&...ip=194.79.71.78 still only talks about spamtrap hits. Based on the math found at "What is the SpamCop Blocking List (SCBL)?" you will note that spamtrap hits carry a heavy penalty. Even if there are to be no more spamtrap hits, the extra weight involved will pretty much ensure that the majority of the 24 hour maximum will run its course. Assumedly, in your favour, the counter is down to 11 hours at present, suggesting that there have been no 'new' spamtrap hits that would have reset the timer.
Merlyn Posted June 7, 2008

10 hours after Wazoo checked, it is still spewing spam:

Last day     3.4   1966%
Last month   2.1

I do not think it is fixed.
andreguerreiro (Author) Posted June 7, 2008

> 10 hours after Wazoo checked, it is still spewing spam: Last day 3.4 1966% Last month 2.1. I do not think it is fixed.

:\ I'm going to re-check it, then. Sorry for all your troubles, and thanks for all your help.
andreguerreiro (Author) Posted June 7, 2008

> :\ I'm going to re-check it, then. Sorry for all your troubles, and thanks for all your help.

Report on IP address: 194.79.71.78

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
Last day      0.0         N/A
Last month    2.1

Looks solved now, right? Meanwhile, I'm off the BL and sending nicely to every recipient.

BTW, after checking the mail server and confirming HE wasn't sending an abnormal quantity of mails, I put a packet sniffer in the network to try to find who was sending mails, and... no one was. Guess it was just a freak occurrence with the stats update in SenderBase, or something. Since the opening of this thread, I did, in fact, do nothing to solve the problem, as it WAS fixed. Basically, someone got infected by a trojan that sent the aforementioned spam. Meanwhile, I edited the firewall policy to only accept outgoing connections to port 25 from our server; that should avoid this ever happening again... Thank you all for your help.
Wazoo Posted June 7, 2008

> Since the opening of this thread, I did, in fact, do nothing to solve the problem, as it WAS fixed. Basically, someone got infected by a trojan that sent the aforementioned spam. Meanwhile, I edited the firewall policy to only accept outgoing connections to port 25 from our server; that should avoid this ever happening again... Thank you all for your help.

Thank you for your success in closing off a source of spam. Much appreciated, even by folks that don't have a clue how much effort you spent on getting things resolved.
Miss Betsy Posted June 7, 2008

It's been a long day and I am already one of those who wouldn't know how to find a computer spewing spam on a network in the first place - though I do understand that it is not an easy, quick task. But I don't understand /who/ had the trojan? The OP says that he couldn't find one; he says the mail server wasn't infected. Merlyn says that there really was spam. The OP says that the problem fixed itself, but that he fixed the firewall to only allow Port 25 outgoing mail. Somewhere in all that 'sniffing' and SenderBase stats, my non-technically fluent mind missed where the spam was coming from and how it was stopped.

Miss Betsy
andreguerreiro (Author) Posted June 8, 2008

> It's been a long day and I am already one of those who wouldn't know how to find a computer spewing spam on a network in the first place - though I do understand that it is not an easy, quick task. But I don't understand /who/ had the trojan? The OP says that he couldn't find one; he says the mail server wasn't infected. Merlyn says that there really was spam. The OP says that the problem fixed itself, but that he fixed the firewall to only allow Port 25 outgoing mail. Somewhere in all that 'sniffing' and SenderBase stats, my non-technically fluent mind missed where the spam was coming from and how it was stopped.

I did find the trojan running on a PC on the network, but I found it before opening this thread. The problem didn't "fix itself"; I found the PC running the trojan and removed it from the network immediately after finding it. That's what fixed it. After that, it apparently took a while longer than usual for SenderBase to update its stats, which originated some concerns as to whether or not it was really fixed. I was also concerned it wasn't somehow REALLY fixed, so I double-checked: I checked the e-mail (Exchange) server and confirmed it wasn't sending mails, nor was it an open relay leaving the door open to spammers; I then put a packet sniffer on my network to see if any other PC was sending e-mails and saw that no PC was sending any whatsoever. I was then confident the problem was really fixed and, after a few hours, the SenderBase stats confirmed it, and I was off the blacklist. I then added the firewall rule to prevent this situation from ever happening again: the only computer with permission to make outgoing connections on port 25 is our mail server, so, if another computer on the network were to be infected, this wouldn't happen again.

I hope I made it clear. Cheers, and, once again, thank you all!
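The two checks the OP describes, sniffing for any host other than the mail server that talks to port 25 and then writing an egress rule that allows only the mail server to do so, are the same test applied once after the fact and once in advance. The script below is an added example for this thread, not code from any poster. It reads a constructed, simplified connection log (one flow per line), reports internal hosts that open outbound SMTP without being the mail server, and converts a daily message count into the SenderBase-style magnitude that the thread argues about (10^3.4 is roughly 2,500 messages). The network addresses are RFC 5737 documentation ranges chosen for the example, not the thread's real ones.

```python
"""Find which internal host is really sending mail, from a flow/sniffer log.

Added example for this thread (the packet-sniffer check and the "only the
mail server may open outbound port 25" rule); not code from any poster.
The flow log is constructed and simplified: one connection per line,
'timestamp src_ip src_port dst_ip dst_port proto'.
"""
import ipaddress
import math
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Assumptions for the example network (RFC 5737 documentation addresses).
INTERNAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
MAIL_SERVER = ipaddress.IPv4Address("192.0.2.10")

# Constructed sample: the mail server sends normally, one workstation
# (192.0.2.57) also opens SMTP connections, plus noise that must be ignored.
CONSTRUCTED_FLOWS = """\
2008-06-05T14:01:02Z 192.0.2.10 51234 203.0.113.25 25 tcp
2008-06-05T14:01:05Z 192.0.2.57 49210 203.0.113.77 25 tcp
2008-06-05T14:01:06Z 192.0.2.57 49211 198.51.100.12 25 tcp
2008-06-05T14:01:09Z 192.0.2.23 52000 198.51.100.80 443 tcp
2008-06-05T14:01:10Z 192.0.2.57 49212 198.51.100.13 25 tcp
2008-06-05T14:01:11Z 192.0.2.57 49213 198.51.100.14 25 udp
2008-06-05T14:01:12Z 192.0.2.10 51235 203.0.113.26 25 tcp
2008-06-05T14:01:15Z 203.0.113.9 40000 192.0.2.10 25 tcp
"""


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the log; skip blank or malformed lines instead of aborting the scan."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            flows.append(Flow(ts, ipaddress.IPv4Address(src), int(sport),
                              ipaddress.IPv4Address(dst), int(dport), proto.lower()))
        except ValueError:
            continue  # bad address or port field
    return flows


def is_outbound_smtp(flow: Flow) -> bool:
    """TCP to port 25 leaving the internal network (inbound delivery is not egress)."""
    return (flow.proto == "tcp" and flow.dport == 25
            and flow.src in INTERNAL_NET and flow.dst not in INTERNAL_NET)


def violates_egress_policy(flow: Flow) -> bool:
    """The rule the thread ends with: only MAIL_SERVER may open outbound port 25."""
    return is_outbound_smtp(flow) and flow.src != MAIL_SERVER


def rogue_smtp_senders(flows: Iterable[Flow]) -> Dict[str, int]:
    """Internal hosts other than the mail server opening outbound SMTP, with counts."""
    counts = Counter(str(f.src) for f in flows if violates_egress_policy(f))
    return dict(counts.most_common())


def senderbase_magnitude(message_count: int) -> float:
    """SenderBase-style magnitude: log10 of daily volume, one decimal.

    The thread's 3.4 corresponds to roughly 2,500 messages; zero maps to 0.0,
    matching the "0.0 N/A" reading once the traffic stopped.
    """
    return round(math.log10(message_count), 1) if message_count > 0 else 0.0


if __name__ == "__main__":
    flows = parse_flows(CONSTRUCTED_FLOWS)
    for host, n in rogue_smtp_senders(flows).items():
        print(f"{host} opened {n} outbound SMTP connections but is not the mail server")
    total = sum(1 for f in flows if is_outbound_smtp(f))
    print(f"outbound SMTP connections seen: {total}, magnitude {senderbase_magnitude(total)}")
```

`violates_egress_policy` is the detection twin of the firewall rule: the same predicate that flags a host in a capture is what the firewall denies, so the capture can be used to confirm the rule is complete before it is deployed, and a hit after deployment means the rule is not being enforced.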
Wazoo Posted June 8, 2008

> But I don't understand /who/ had the trojan? The OP says that he couldn't find one; he says the mail server wasn't infected. Merlyn says that there really was spam. The OP says that the problem fixed itself, but that he fixed the firewall to only allow Port 25 outgoing mail. Somewhere in all that 'sniffing' and SenderBase stats, my non-technically fluent mind missed where the spam was coming from and how it was stopped.

What I read is that he believes that the actual problem had been fixed prior to starting this Topic. What I believe: the real problem has not been fixed, but the change to the firewall configuration stopped the spew output. End result = good! The time lag seen in the SenderBase traffic assumedly follows the firewall configuration change, noting just how fast the traffic did go to "0".

If it helps, liken it to all the recent versions of the similar situation that included a wireless router in the mix. Once entry to that router was blocked off to unauthorized traffic, the spam stopped. Nothing was 'accomplished' as far as stopping the computer that was actually causing the problem; it was simply no longer allowed the path to the net. The (probable) analogy here is that the firewall was allowing bad traffic to leave via the impacted IP Address. If one goes with a compromised computer as being the source, the indication is that this specific computer is still spewing, but the output traffic is being blocked by the new firewall settings.

Things not talked to include:
.. SpamCopDNSBL (and other BLs) listing occurred on the day that SenderBase 'saw' e-mail from that IP Address
.. rDNS doesn't suggest an e-mail server at all
.. SenderBase traffic of 0.0 hints at either no e-mail server or very little traffic at all
.. one could go with passwords, configurations, various settings of a brand new e-mail server set-up to handle "internal" e-mail that wasn't secured from the start ...????

(total guess at network configuration)

telnet 194.79.71.78 25
220 easyworld.pt Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Sun, 8 Jun 2008 01:12:25 +0100

(although this doesn't necessarily jive with the firewall configuration as described being the solution ... just noting that a Windows-based e-mail server was put in-place/on-line and there were spam problems almost immediately)

Edit: me and my long answers .. I see that andreguerreiro replied while I was typing this up ...
Miss Betsy Posted June 8, 2008

Well, I am really glad to hear that the trojanned computer was 'cleaned' and not just blocked! I was concerned that it had just stopped for a while - something that lulls people into thinking the problem is fixed because the SenderBase stats go down and the IP ages off the SCBL. Then it starts up again and the IP address is back on the SCBL. As Wazoo said, thanks for taking the time to track it down and for continuing to investigate to make sure all was taken care of when the indicators were not responding properly!

Miss Betsy
andreguerreiro (Author) Posted June 8, 2008

> What I read is that he believes that the actual problem had been fixed prior to starting this Topic. What I believe: the real problem has not been fixed, but the change to the firewall configuration stopped the spew output. End result = good! The time lag seen in the SenderBase traffic assumedly follows the firewall configuration change, noting just how fast the traffic did go to "0".

I really believe it was SenderBase taking too long to update their stats... As I said, no computer was spewing spam today, as I confirmed during the afternoon (my afternoon, GMT).

> If it helps, liken it to all the recent versions of the similar situation that included a wireless router in the mix. Once entry to that router was blocked off to unauthorized traffic, the spam stopped. Nothing was 'accomplished' as far as stopping the computer that was actually causing the problem; it was simply no longer allowed the path to the net. The (probable) analogy here is that the firewall was allowing bad traffic to leave via the impacted IP Address. If one goes with a compromised computer as being the source, the indication is that this specific computer is still spewing, but the output traffic is being blocked by the new firewall settings.
> Things not talked to include:
> .. SpamCopDNSBL (and other BLs) listing occurred on the day that SenderBase 'saw' e-mail from that IP Address

True, as indeed there was spam going out from this IP. Your analogy is correct. Although the computer may still be sending spam (it is not, as it is offline now), it now isn't allowed to pass through the firewall.

> .. rDNS doesn't suggest an e-mail server at all

DNS is externally managed, and I wasn't aware of that (I became aware during today).

> .. SenderBase traffic of 0.0 hints at either no e-mail server or very little traffic at all

Well, the server is there; traffic is so low because it's the weekend, and we're a small company, so the "very little traffic" part should be true. We receive a whole lot more mail than we send.

> .. one could go with passwords, configurations, various settings of a brand new e-mail server set-up to handle "internal" e-mail that wasn't secured from the start ...????
> (total guess at network configuration)
> telnet 194.79.71.78 25
> 220 easyworld.pt Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Sun, 8 Jun 2008 01:12:25 +0100
> (although this doesn't necessarily jive with the firewall configuration as described being the solution ... just noting that a Windows-based e-mail server was put in-place/on-line and there were spam problems almost immediately)

This server has been online for more than a year, so "almost immediately" seems untrue.

> Well, I am really glad to hear that the trojanned computer was 'cleaned' and not just blocked! I was concerned that it had just stopped for a while - something that lulls people into thinking the problem is fixed because the SenderBase stats go down and the IP ages off the SCBL. Then it starts up again and the IP address is back on the SCBL. As Wazoo said, thanks for taking the time to track it down and for continuing to investigate to make sure all was taken care of when the indicators were not responding properly!

Cleaned isn't the exact word... It was taken offline to be reinstalled first thing Monday, so the end result will be the same. And you are welcome as to me taking the time, though I would always take it, as the one responsible for all this mess was me (for not having the firewall rule in the first place, not for the infected computer: that was a naive user).