Help.....still being blocked!

[cpproducts]

Please help

My company has been blocked for almost two weeks. We cannot send email out to customers at all.

I have scanned the systems with Spybot, AdAware, and a couple of Anti-virus program and found nothing on any PC.

However, we are still blocked from sending mail out from this domain.

There are two email sever domain we use on same PC and outlook, one has never been blocked.

http://www.spamcop.net/bl.shtml?204.16.178.124

please guide me. I contact them and they said cannot be delisted manually.

[turetzsr]

Hi, cpproducts

...Please read the sections of the "SpamCop FAQ" (see link near top left of all SpamCop Forum pages) that relate to being blocked. Also please read:

• Information about the reasons for listing (blocking) your mail server (204.16.178.124), which appears in a link to the "http://www.spamcop.net/bl.shtml?204.16.178.124" page to which you referred. Note: the SpamCop Glossary has an entry for "Spamtrap."
  
• Q&A about blocklists.
  
• Pinned: Why Am I Blocked? FAQ, which appears under "Important Topics" on the "SpamCop Blocklist Help" main page.
  

If you still have questions after reading these, please post them as replies here. Thanks!

[Miss Betsy]

Since there are only spam traps listed, it may be that you have auto replies like out-of-office replies or you are accepting all email and then deciding that it is not deliverable and sending NDRs to the 'forged' return path of spam. Did the deputies tell you what sort of emails were hitting the spam traps?

Also, it doesn't affect the spamcop blocklist, but there are a lot of server admins who won't accept email from 'no reverse DNS' - I can't tell you how to fix that, but perhaps someone will.

I don't know much about email servers, but I wouldn't think that you could have two IP addresses on the same server. You may mean that you have two domains and that one domain is not being blocked.

I also don't quite understand about not being able to send outgoing email. That sounds as though you are using a web hosting server to send email and that email server is not allowing you to send email through it. That might not be what you mean, however.

Miss Betsy

[Farelf]

...please guide me. I contact them and they said cannot be delisted manually.

SpamCop is the least of your worries, you are on other blocklists may be harder to negotiate (SC has automatic delisting after the spam stops).

See, for the list: http://www.robtex.com/rbl/204.16.178.124.html

The positive side of that is that while SC can give you no details (to keep the spamtraps secure) others may - you should check them. Already I see from the very first one: http://cbl.abuseat.org/lookup.cgi?ip=204.1...;.submit=Lookup

IP Address 204.16.178.124 is currently listed in the CBL.

It was detected at 2008-08-25 16:00 GMT (+/- 30 minutes), approximately 9 hours ago.

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.

This is the Srizbi BOT

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

So, straight away, you know what to look for on your system. Don't panic, work logically and thoroughly and be aware there might be more than one problem.

[cpproducts]

SpamCop is the least of your worries, you are on other blocklists may be harder to negotiate (SC has automatic delisting after the spam stops).

See, for the list: http://www.robtex.com/rbl/204.16.178.124.html

The positive side of that is that while SC can give you no details (to keep the spamtraps secure) others may - you should check them. Already I see from the very first one: http://cbl.abuseat.org/lookup.cgi?ip=204.1...;.submit=Lookup So, straight away, you know what to look for on your system. Don't panic, work logically and thoroughly and be aware there might be more than one problem.

I have scanned all the system using that particular email domain that is being blocked. I have used several software to scan them and found nothing.

There are two email domain in my company using different hosting service. One has been blocked, but the other one has been fine. I have scanned all the systems using the one that has been blocked several times

please advise...

[StevenUnderwood]

I have scanned all the system using that particular email domain that is being blocked.

Block lists do not care about email domains, only IP addresses. Any machine(s) behind the IP address (204.16.178.124) could be infected and sending spam to the internet.

One human report: Submitted: Tuesday, August 26, 2008 12:48:49 PM -0400:

You've received a greeting ecard

3421599172 ( 204.16.178.124 ) To: postmaster[at]icore.com

Also, sender base is showing an increase from that IP address of 1250% (~10000 messages sent in the last day) http://www.senderbase.org/senderbase_queri...=204.16.178.124 Can you explain those numbers?

It sounds like you may need to hire a professional to find and eliminate the malware on your systems.

[Wazoo]

My company has been blocked for almost two weeks.

Interesting in that SenderBase data states: Date of first message seen from this address 2008-08-22 ... hardly two weeks.

We cannot send email out to customers at all.

If only the SpamCopDNSBL was involved, this wouldn't be very likely, except for one specific circumstance / configuration.

I have scanned the systems with Spybot, AdAware, and a couple of Anti-virus program and found nothing on any PC.

Although it sounds like you've attempted some searching, note that not all tools look for or find everything. One of the most obvious issues would include the versions of the applications you're using and whether they are up to date.

However, we are still blocked from sending mail out from this domain.

This tends to lean towards that 'special' configuration mentioned above.

There are two email sever domain we use on same PC and outlook, one has never been blocked.

This appears to have been interpreted by most as you actually running an actual e-mail server at this IP Address. Howevcer, it doesn't actually appear that you are.

telnet 204.16.178.124 25

Connecting To 204.16.178.124...Could not open connection to the host, on port 25 : Connect failed

The alternative seems to be that you are simply trying to send e-mail out from this system/network to two different ISPs/Hosts, based on the unnamed Domains in question. This would fit into the 'special' configuration.

You are posting here from the same IP Address. That IP Address is seen via SenderBase as generating a lot of traffic. You were queried about this previously, but you have made no reply. As of a few hours ago:

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.2 .. 1390%

Last month .. 3.0

At the time of this post;

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.1 .. 1068%

Last month .. 3.1

If you weren't actually running an e-mail server at this IP Address, the traffic would typically be zero. However, something at this IP Address is spewing enough 'bad' traffic that it has become listed in several BLs.

So here's my guess, again, based on previous issues, complaints, and circumstances seen here and elsewhere. The Domain you're having problems with actually connects to an ISP/Host that uses the SpamCopDNSBL to filter its incoming connections. Your system is trying to make a connection to send your e-mail (for that Domain) and it is being rejected/denied due to the various BL listings. It would have been helpful had you actually defined these folks as the ones doing the blocking against you. Typically, in this circumstance, most folks find that if the ISP/Host offers a web-mail interface, they find that their outgoing e-mail will be handled with no issues using that connection mode.

http://www.spamcop.net/bl.shtml?204.16.178.124

please guide me. I contact them and they said cannot be delisted manually.

It wouldn't even help if they did. Based on the traffic data and other multiple BL listings, you'd find it listed yet again in no time.

Bottom line, you need to identify just which system is in fact spewing stuff via the IP Address in question. As you want to imply that all )of your) systems have been scanned with nothing found, then the next obvious direction would be a hijacked wireless connection point being in the mix. Yet again, a fact not brought up in your starting post.

Bottom line, very hard to troubleshoot from this side of the screen with so much data not provided.

[cpproducts]

thanks for all reply

I don't know there were those spams sent out at all.

We have received spams and the email spam showing above on Sendbase is exactly the same that we got.

I will perform scan on all system once again.

We use Kaspersky Internet secuirty 7.0

Spybot

Adware

I am not expert on this issue and really puzzled what to do now.

[DavidT]

I am not expert on this issue and really puzzled what to do now.

You should probably obtain the services of someone who has more expertise and have them disinfect your computers. If you have a server, make sure that you don't have port 25 (SMTP) open, allowing infected machines to directly spew spam. I'm not a Microsoft server admin, so perhaps others can lend you some free expertise in that area.

DT

[Wazoo]

Beginning to wonder if there's a language issue going on here. IP Addresses involved seem to track back to U.S. sources, but ...????

I don't know there were those spams sent out at all.

Have you done any research on the data provided thus far? As noted previously, http://cbl.abuseat.org/lookup.cgi?ip=204.1...;.submit=Lookup states:

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.

This is the Srizbi BOT

We have received spams and the email spam showing above on Sendbase is exactly the same that we got.

I don't understand. SenderBase does not 'show' you any spam.

I will perform scan on all system once again.

We use Kaspersky Internet secuirty 7.0

Spybot

Adware

I am not familiar with 'Adware' ... The tool usually suggested is Ad-Aware. In addition, there are several on-line scanners that can be used from other anti-virus application providers. Symantec, Trend-Micro, etc. etc.

I am not expert on this issue and really puzzled what to do now.

You're certainly not helping anyone here attempting to help you by continuing to not provide any additional data about your set-up. For example, you made absolutely no comment about a wireless router/access-point being involved. You have made no mention of any firewalls in use. You have yet to confirm that you are or are not running an actual e-mail server on your own.

Try reading some of the previously existing Discussions on the same subject. Start turning off systems (again, making an assumption that an actual network is invovled) and see if the SenderBase traffic numbers make a significant downturn. Ask the various users (network assumption again) if they have noticed that their computer has gotten way slow within the last week or so. If there's a wireless router in the mix, get it secured .. again, perhaps turn it off for a while and check the SenderBase numbers.

[Merlyn]

This machine is still spewing it's junk to the internet. I believe it's time for NetOps over at icore to be notified about this machine/ip.

[DavidT]

Another OP who doesn't bother coming back for answers....sheer stupidity.

DT

[Farelf]

Continues unabated (another recent SC hit, volume seen by SenderBase still 'up there'). As Wazoo said, 204.16.178.124 not open to relay in the normal course of events, something within the (presumed) network appears to be sending through it and what it is sending appears to be trojan downloaders or similar. Which is particularly BAD for the rest of us.

Just for the record in this (so far) unsatisfactory saga. These people - http://www.mxtoolbox.com/blacklists.aspx offer assistance. No idea who they are or what they're like but they're certainly set up to snag the attention of anyone with BL problems and insufficient technical resources to sort it out. It would be good to know how useful they are in a real-life case or two. After detailing the blocking list results they have a "Click here for some suggestions." which leads to:

"Live Email Blacklist Help

If you are on a blacklist, and you are not a spammer, we can help you. We are always happy to look at your particular situation and make recommendations at no charge. For more complex problems, we have affordable managed solutions which will make your email as reliable as it was when spam was just a canned meat. In any case, we can solve your problem." and "Please note that at this time we are only able to respond to requests from the United States or Canada."

They are a business, their solutions are going to involve commercial transactions. But they also have free tools that perform MX lookups, service tests, relay tests, BL searches and the like all of which are often deep mysteries to those landing 'here' and desperate. And who aren't necessarily able to engage in the dialog necessary to get themselves sorted out.

Just a thought - no recommendation or specific representation.

[cpproducts]

thanks all.

I am trying to contact them and see what can be done...

we have wireless router too.... but there is no virtual firewall

[Wazoo]

I am trying to contact them and see what can be done...

we have wireless router too.... but there is no virtual firewall

I personally find it amazing that this is all that gets said. Nothing about troubleshooting, nothing about the previous suggestions, nothing about actual analysis, nothing provided for additional data about the (network) configuration. For example, how many wireless connections are showing on the router as compared to how many wireless computers/devices are actually in use by authorized computers/devices?

[cpproducts]

I personally find it amazing that this is all that gets said. Nothing about troubleshooting, nothing about the previous suggestions, nothing about actual analysis, nothing provided for additional data about the (network) configuration. For example, how many wireless connections are showing on the router as compared to how many wireless computers/devices are actually in use by authorized computers/devices?

sorry, here is some more information. Please forgive me since I am not expert in this area at all. My company has no IT professional so I was asked to check if I can do anything.

We have around 17 PCs in our company. Our company has one server to store our database that is provided by an information system company (non network/security related, only database for our work, inventory, sales).

We use T1 line with one router and switch, no virtual firewall or device firewall connected. We also use VOIP phone.

All the PCs have antivirus software with full update. I have scanned all PCs a couple of times with ad-aware, Spy Bot, and cleaned all suspicious files.

There are 2 domain email that we use from two different provider. First one used by 17 people and the other one that has been blocked by spamcop is used by 3 people. It's the email server that we use. First one from yahoo business, the second one that has been blocked is from IX webhosting.

We also have one wireless router and only one PC was using network through wireless. The wireless is enscrypted and requires password to connect.

We use the same IP address among all of us.

I have to admit I really don't know what to do much. If there is any kind of service, or professional you guys can recommend us to help with this?

[Telarin]

Ahah, now we are getting somewhere... There are a couple possibilities here:

1) Your network IP address is listed on the SCBL. IX Webhosting is using the SCBL to filter outgoing email. This is definitely not a recommended configuration, but some hosts do it anyway. In this case, there are two approaches you can take. You should figure out why you are listed, and get the listing fixes, and also try to convince IX Webhosting to fix their configuration.

2) IX Webhostings mail server is listed on the SCBL. If this is the case, the problem may have nothing to do with you, as I am guessing you are using a shared mail server. In this case, IX Webhosting would need to determine which of their clients is sending spam, and put a stop to it as quickly as possible.

At this point, it is impossible to tell whether the IP address you provided in your earlier post belongs to you or to IX Webhosting.

Can you provide a copy of one or more of the rejection messages you are receiving?

Is 100% of the email sent through IX Webhosting being blocked, or just a portion of it?

What kind of security is setup on your Wireless Access point? It is possible that if you have no security set on this, someone outside your company could be hijacking internet service from you with an infected machine.

You need to have some kind of firewall setup, even if it is simply some kind of NAT configuration to hide your internal IPs from the internet. I suspect that your router is configured for NAT, but cannot be sure without more information. Do each of your internal computers have a public IP address, or do they all share a single public IP address through the router?

[Wazoo]

Ahah, now we are getting somewhere... There are a couple possibilities here:

1) Your network IP address is listed on the SCBL. IX Webhosting is using the SCBL to filter outgoing email. This is definitely not a recommended configuration, but some hosts do it anyway. In this case, there are two approaches you can take. You should figure out why you are listed, and get the listing fixes, and also try to convince IX Webhosting to fix their configuration.

2) IX Webhostings mail server is listed on the SCBL. If this is the case, the problem may have nothing to do with you, as I am guessing you are using a shared mail server. In this case, IX Webhosting would need to determine which of their clients is sending spam, and put a stop to it as quickly as possible.

3. IX WebHosting mail server is using the SpamCopDNSBL against incoming connections in a blocking fashion, which is also not recommended, even by SpamCop.net. (Noting yet again, SpamCop.net does not have the capability to block anything between the user's computer (network) and the ISP/Host in question. Any blocking action is configured by the ISP/Host.)

At this point, it is impossible to tell whether the IP address you provided in your earlier post belongs to you or to IX Webhosting.

I'd noted previously that the user was posting here from the same IP Address in question. Assumption has to be that this is the IP Address associated with the T1 connected router.

Can you provide a copy of one or more of the rejection messages you are receiving?

That would certainly help to clear up a few things.

Is 100% of the email sent through IX Webhosting being blocked, or just a portion of it?

I read that it's all, which suggests my item #3 add above.

nd of security is setup on your Wireless Access point? It is possible that if you have no security set on this, someone outside your company could be hijacking internet service from you with an infected machine.

This certainly goes back to what I have suggested before (and certainly documented in numerous previous entries within this Forum) .... Evn the cheap (wireless) routers these days have an Administrative screen to document the connections made (though this is primarily targeted towards the DHCP assignments ... unfortunately, whch router is handing out DHCP data has not been defined (thought it certainly could be both)

So the question on this goes to just who might have access to the router configuration screens? Does either router maintain/provide any logging of activity? Brand name/Model numbers would probably help if you don't know how to access the Admin controls of these routers.

You need to have some kind of firewall setup, even if it is simply some kind of NAT configuration to hide your internal IPs from the internet. I suspect that your router is configured for NAT, but cannot be sure without more information. Do each of your internal computers have a public IP address, or do they all share a single public IP address through the router?

Assumptions: Windows, general default configuration .... double click on the 'network traffic' icon at the bottom right of the desktop ... click on the "Support" Tab .. look at "IP Address" ... an Address of 192.168.x.x would be the answer for the "shared IP Address" scenario listed above.

The wireless is enscrypted and requires password to connect.

Not stated: what encryption? WEP was basically broken years ago, for example.

[cpproducts]

here is the message I got when trying to send out message

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'xxxxx[at]hotmail.com'. Subject 'test', Account: 'mail.cpthaithai.com', Server: 'mail.cpthaithai.com', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?204.16.178.124', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

we are thinking about changing email server to another provider. I contacted IX Webhosting several times but they insisted they is nothing they can do.

We are working on installing Virtual Firewall with our ISP. I am not sure if will help

Moderator Edit: Yet again, deleting the entire quoted previous post .. the reply provided is actually in response to a single sentence found in several previous posts, so the quoting of Farelf's last post in its entirety is totally unnecessary.)

[Farelf]

Google with the phrase secure wireless router and see if there is anything in the first few hits that makes sense and that you can use to change your settings for that connection.

[Wazoo]

Account: 'mail.cpthaithai.com', Server: 'mail.cpthaithai.com', Protocol: SMTP, Server Response: '451 Blocked - see http://www.spamcop.net/bl.shtml?204.16.178.124', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC79

Not stated anywhere thus far .. is this ISP/Host known to you? Does it have anything to do with the 'blocked' Domain? The real question boils down to ... is this the ISP/Host for the outgoing e-mails with the 'blocked' problem?

we are thinking about changing email server to another provider. I contacted IX Webhosting several times but they insisted they is nothing they can do.

I'm more than a bit tired, so not into getting excited and trying to search the answer ... I'm going to ask you. What is the seemingly suggested connection between IX Webhosting and cpthaithai.com (who actually is an opentransfer.com asset)

We are working on installing Virtual Firewall with our ISP. I am not sure if will help

Much too vague in its description. What seems to be needed is an actual firewall at your connection to the router with the T1 connection. It's pretty rare that an ISP would offer to do this without generating quite a bill for services and hardware provided. What's even worse .... a (virtual ??) firewall that works great between you and your ISP would probably also result in NO e-mail connection allowed to your OTHER e-mail (Domain) server.

You have answered none of the questions I've posed (some repeatedly) about just who is accessing your wireless router.

If it hasn't been noted yet, the IP Address in question has made it into several other BLs.

[Wazoo]

Had my fingers crossed, but .... No idea what your business hours might be, but was looking at it being late Friday evening. There was the thought that perhaps a simple bit of troublewshooting might come into play and computers would be shut down/taken off-line. Of probable more import, the wireless modem being shut-down/disconnected for the week-end. However, http://www.senderbase.org/senderbase_queri...=204.16.178.124 shows no sign of a slowdown in e-mail traffic seen from this IP Address.

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.3 .. 127%

Last month .. 3.9

[Merlyn]

Still getting phishing scams as of yesterday the 5th - 2008-09-05 15:35:26

Subject: Sun Trust Banks Regulation Update Alert

[Wazoo]

However, http://www.senderbase.org/senderbase_queri...=204.16.178.124 shows no sign of a slowdown in e-mail traffic seen from this IP Address.

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 4.3 .. 127%

Last month .. 3.9

OK, either someone has done something or we have another SenderBase query issue;

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 3.9

[Merlyn]

If he pulled the plug Friday night wouldn't it show 0 for yesterday?

Mail has also come from 204.16.178.122 but it is not in any BL's.

If he is running a mail server them he should also fix his dns. Most mail admins would not accept email from these servers.

Last spam received still from the 5th

Here is the last week in review for 204.16.178.124

2008-09-01 15:38:15.52524 received spamtrap mail

2008-09-01 18:15:54.186226 received spamtrap mail

2008-09-01 20:48:16.248339 received spamtrap mail

2008-09-01 21:04:01.742892 received spamtrap mail

2008-09-01 21:04:07.572854 received spamtrap mail

2008-09-01 21:05:37.699292 received spamtrap mail

2008-09-02 11:35:17.362489 received spamtrap mail

2008-09-02 14:48:08.375806 received spamtrap mail

2008-09-03 11:24:56.563608 received spamtrap mail

2008-09-03 11:27:12.000281 received spamtrap mail

2008-09-03 11:27:21.907506 received spamtrap mail

2008-09-03 11:41:58.931235 received spamtrap mail

2008-09-03 12:08:12.200371 received spamtrap mail

2008-09-03 12:15:34.07963 received spamtrap mail

2008-09-03 12:22:29.255998 received spamtrap mail

2008-09-03 12:23:59.723826 received spamtrap mail

2008-09-03 12:34:19.93141 received spamtrap mail

2008-09-03 12:35:52.693068 received spamtrap mail

2008-09-03 13:21:57.253962 received spamtrap mail

2008-09-04 11:09:28.495876 received spamtrap mail

2008-09-04 11:10:15.998042 received spamtrap mail

2008-09-04 12:02:12.929902 received spamtrap mail

2008-09-04 12:59:31.365288 received spamtrap mail

2008-09-04 13:48:57.055168 received spamtrap mail

2008-09-04 14:57:34.360341 received spamtrap mail

2008-09-04 14:57:34.360941 received spamtrap mail

2008-09-04 14:57:39.029985 received spamtrap mail

2008-09-04 16:11:52.351746 received spamtrap mail

2008-09-04 16:30:18.198819 received spamtrap mail

2008-09-04 16:37:31.134993 received spamtrap mail

2008-09-04 16:55:58.026908 received spamtrap mail

2008-09-04 16:56:00.20581 received spamtrap mail

2008-09-05 09:59:53.59665 received spamtrap mail

2008-09-05 14:50:27.019203 received spamtrap mail

2008-09-05 15:35:26.432107 received spamtrap mail