Help with IP blocklisted


studioarici

Hi, my IP has been blocklisted for this reason:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

I can't understand this message or why my IP was blocklisted. The IP belongs to an architectural office and obviously this isn't a spammer. I would like to ask you another thing: I need to find the emails that caused this blocklisting, because I have to investigate who sent them.

Thanks for reply


There isn't much more that one can tell you unless you give your IP address. When mail is sent only to spam traps, it is usually (but not always) because of automatic replies, like out-of-office replies. When automatic replies are sent indiscriminately, they also respond to spam. Because spam usually has forged return addresses, the replies are sent to spam traps (as well as to the innocent persons whose email address has been forged). The way around that is to filter incoming email for spam and to whitelist those who would benefit from getting an out of office reply.

Another reason that your email has been blocked could be that you are using a shared IP address with other people who use your web host. One of them may have a compromised computer or is really sending spam. The person to check with is your email service provider in that case. If it is your dedicated IP address that is listed, then the first thing to do is to scan all the computers for trojans and make sure that they all have up to date virus protection and are properly firewalled. Very often, a wireless router that is not secure is the culprit (someone outside the office is able to use the router to spew spam).

You can write to the deputies, but be sure to include the IP address in your email. However, because spam traps are secret addresses that have never sent email, all they can tell you is the kind of email that is being received - such as out-of-office replies or real spam.

Until you post the IP address in the message, there isn't much more that any one can tell you. However, there are other people here who can give you good advice once you do that. It wouldn't hurt either to give more information about how you are connected to the internet.

Miss Betsy


I can't understand this message or why my IP was blocklisted. The IP belongs to an architectural office and obviously this isn't a spammer. I would like to ask you another thing: I need to find the emails that caused this blocklisting, because I have to investigate who sent them.

The IP address you posted from is currently listed with the same reason, so I ASSUME you are talking about http://www.spamcop.net/bl.shtml?79.38.194.217. This IP address is showing NO manual reports. Please read that page carefully as it describes the most likely problems.

What the message says is that some messages (not necessarily your standard spam type message) have reached email addresses that have never been used for anything from your IP address. The addresses are hidden on web sites around the internet where web bots collect them and add them to spammers lists. What usually has happened is that your mail server rejects non-deliverable emails by sending a message to the (always forged on spam) return address. This return address was (for at least some of those messages) spamcop's spamtrap addresses.

If you have ever received a whole bunch of bounces for messages you did not send, you were the victim of servers set up like yours currently is.

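The accept-then-bounce behaviour described in the two replies above (auto-replies and bounces sent to a forged return address), as an added example that is not code from the thread or from SpamCop. It simulates the envelope stage of an inbound SMTP session under two server policies and shows which one originates a message to the forged sender. The domain, the mailbox list and every address in it are constructed for illustration, and the out-of-office rule is one reading of Miss Betsy's advice, not a quoted configuration.

```python
"""Backscatter: why accept-then-bounce hits spam traps and reject-at-RCPT does not.

Added example, not code from the forum thread or from SpamCop. It models only
the envelope stage of an inbound SMTP session for two server policies.
The domain, mailbox list and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example-office.invalid"   # assumed domain of the office mail server
LOCAL_USERS = {"alice", "bob"}            # assumed valid mailboxes on that server
NULL_SENDER = ""                          # MAIL FROM:<> as used by bounces themselves


@dataclass
class Session:
    """One inbound delivery attempt as seen by the office server."""
    mail_from: str                 # envelope sender; forged on spam
    rcpt_to: str                   # envelope recipient
    replies: list = field(default_factory=list)   # SMTP replies sent to the peer
    outbound: list = field(default_factory=list)  # messages OUR server originates


def is_deliverable(rcpt: str) -> bool:
    """Recipient check that the server can run during the SMTP session."""
    user, _, domain = rcpt.partition("@")
    return domain == LOCAL_DOMAIN and user in LOCAL_USERS


def accept_then_bounce(s: Session) -> Session:
    """Misconfigured relay: accept every recipient, find the error later, bounce."""
    s.replies += ["250 2.1.0 Ok", "250 2.1.5 Ok", "250 2.0.0 Ok: queued"]
    if not is_deliverable(s.rcpt_to) and s.mail_from != NULL_SENDER:
        # The peer has already disconnected, so the only way to report the failure
        # is a new message to the envelope sender. On spam that address is forged,
        # so this DSN lands on a third party, possibly a spam trap.
        s.outbound.append({"to": s.mail_from,
                           "subject": "Undelivered Mail Returned to Sender"})
    return s


def reject_at_rcpt(s: Session) -> Session:
    """Correct behaviour: refuse unknown recipients while the peer is still connected."""
    s.replies.append("250 2.1.0 Ok")
    if not is_deliverable(s.rcpt_to):
        # A 5xx here leaves any notification to the SENDING server, and a spam
        # bot simply ignores it. Our server originates nothing.
        s.replies.append("550 5.1.1 Recipient address rejected: User unknown")
        return s
    s.replies += ["250 2.1.5 Ok", "250 2.0.0 Ok: queued"]
    return s


def should_autoreply(mail_from: str, looks_like_spam: bool, allowlist: set) -> bool:
    """Out-of-office rule from the thread: reply only to known, non-spam senders.

    Never reply to the null sender (that is a bounce; replying to it loops)
    and never reply to mail the spam filter already flagged.
    """
    return (mail_from != NULL_SENDER and not looks_like_spam
            and mail_from.lower() in allowlist)


def backscatter(policy, sessions):
    """Return the addresses a policy would send unsolicited messages to."""
    hits = []
    for mail_from, rcpt_to in sessions:
        s = policy(Session(mail_from, rcpt_to))
        hits += [m["to"] for m in s.outbound]
    return hits


# Constructed traffic: one genuine message, then two spam messages with forged
# senders (one forging the null sender), both aimed at a mailbox that does not exist.
TRAFFIC = [
    ("friend@example.net",           "alice@example-office.invalid"),
    ("victim@vanity-domain.invalid", "zzz_nobody@example-office.invalid"),
    (NULL_SENDER,                    "zzz_nobody@example-office.invalid"),
]

if __name__ == "__main__":
    print("accept-then-bounce sends DSNs to:", backscatter(accept_then_bounce, TRAFFIC))
    print("reject-at-RCPT sends DSNs to:   ", backscatter(reject_at_rcpt, TRAFFIC))
```

With the constructed traffic the first policy mails "victim@vanity-domain.invalid", an address that never sent anything and in the real case is a trap; the second policy mails nobody while still delivering the genuine message to alice.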

Yes, StevenUnderwood, my IP is 79.38.194.217.

I have to ask you what I have to do to solve my problem, because I don't know how to resolve it.

I have just tested all PCs with Spybot Search & Destroy and they were clean. I also use Windows Firewall and NOD32 antivirus on all 5 PCs.

I wonder if you can help me to avoid blocking emails. Thanks a lot


I have just tested all PCs with Spybot Search & Destroy and they were clean. I also use Windows Firewall and NOD32 antivirus on all 5 PCs.

http://www.senderbase.org/senderbase_queri...g=79.38.194.217

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day        3.8          176%
Last month      3.4

Date of first message seen from this address: 2008-07-22

Only 5 computers, but cranking out 10,000+ e-mails a day????? Other BLs have picked up / added this IP Address. More definition on just what is being used for an e-mail server ... in-house, ISP/Host, etc. If one was to place that kind of traffic on someone's desktop PC, one would think that user would be asking for a heck of a system upgrade because this one was running so slow ...?????

How many other people are actually "sharing" this IP Address? As asked so many times in so many other Discussions, is there a(n insecure) wireless router in the mix?


79.38.194.217 = host217-194-static.38-79-b.business.telecomitalia.it is sending mail (possibly virus traffic) to our spam traps.

A spam trap is a non-existent address at a small vanity domain owned by us or one of our associates.

There doesn't seem to be any payload in the emails, so they are not ordinary profit oriented spam.

Received: from pfawf.telecomitalia.it (host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])

by [our trap server] (Postfix) with SMTP id xx:xx

for <xx:xx>; Fri, 5 Sep 2008 07:xx:xx -0500 (CDT)

Date: Fri, 05 Sep 2008 12:xx:xx +0000

From: "Bingulla Dorgamas" <calamare[at]jtrg.com>

Subject: Runningman makes it into record books

Received: from kvhdu.telecomitalia.it (host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])

by [our trap server] (Postfix) with SMTP id xx:xx

for <xx:xx>; Fri, 5 Sep 2008 01:xx:xx -0500 (CDT)

Date: Fri, 05 Sep 2008 06:xx:xx +0000

From: "Distive Bells" <elwiffo[at]we-engrave.com>

Subject: Memphis Woman Turns 116

- Don D'Minion - SpamCop Admin -


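One way to read the headers quoted above, as an added example that is not code from the thread or from SpamCop: a short Python script that groups Postfix-style "Received: from HELO (rDNS [IP])" lines by connecting IP and flags an IP that announces a different HELO name on every connection, none of them matching its reverse DNS. The two telecomitalia.it lines are the ones quoted above; the third line is a constructed clean control using documentation addresses, and the thresholds are assumptions.

```python
"""Spot a bot from Received headers: random HELO names behind one static IP.

Added example, not code from the forum thread or from SpamCop. It parses the
'Received: from HELO (rDNS [IP])' form that Postfix writes, which is the form
of the two trap hits quoted above. The third header is a constructed control
case; its domain and IP are documentation values, not real hosts.
"""
import re
from collections import defaultdict

RECEIVED_RE = re.compile(
    r"Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

# Two lines quoted by the SpamCop admin above, plus one constructed clean header.
HEADERS = [
    "Received: from pfawf.telecomitalia.it "
    "(host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])",
    "Received: from kvhdu.telecomitalia.it "
    "(host217-194-static.38-79-b.business.telecomitalia.it [79.38.194.217])",
    "Received: from mail.example-office.invalid "
    "(mail.example-office.invalid [192.0.2.10])",   # constructed control
]


def parse_received(line: str):
    """Return {'helo', 'rdns', 'ip'} for a Postfix-style Received line, else None."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None


def analyse(headers):
    """Group parsed headers by connecting IP and return findings per IP.

    Findings:
      helo_mismatch  a HELO name that is not the reverse DNS of the connecting IP
      helo_churn     more than one distinct HELO name seen from the same IP
    A real mail server announces one stable name that matches its rDNS; a
    spam bot behind a NAT invents a fresh name per connection.
    """
    by_ip = defaultdict(lambda: {"helos": set(), "rdns": set()})
    for line in headers:
        rec = parse_received(line)
        if rec is None:
            continue                      # not a 'from HELO (rDNS [IP])' hop
        by_ip[rec["ip"]]["helos"].add(rec["helo"].lower())
        by_ip[rec["ip"]]["rdns"].add(rec["rdns"].lower())

    report = {}
    for ip, seen in by_ip.items():
        findings = []
        if seen["helos"] - seen["rdns"]:
            findings.append("helo_mismatch")
        if len(seen["helos"]) > 1:
            findings.append("helo_churn")
        report[ip] = {"helos": sorted(seen["helos"]), "findings": findings}
    return report


if __name__ == "__main__":
    for ip, info in analyse(HEADERS).items():
        print(ip, info["findings"] or "clean", info["helos"])
```

Run against the quoted lines it reports 79.38.194.217 with both findings (two HELO names, neither equal to the rDNS name) and the control IP as clean; on a real mailbox you would feed it every Received line from the bounces or trap hits you can collect.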

Only 5 computers, but cranking out 10,000+ e-mails a day????? Other BLs have picked up / added this IP Address. More definition on just what is being used for an e-mail server ... in-house, ISP/Host, etc. If one was to place that kind of traffic on someone's desktop PC, one would think that user would be asking for a heck of a system upgrade because this one was running so slow ...?????

How many other people are actually "sharing" this IP Address? As asked so many times in so many other Discussions, is there a(n insecure) wireless router in the mix?

This IP address is used only for our office and we're using an Ethernet router provided by our provider (Telecom Italia) and set up by its technician. The router isn't WiFi.

So what you are telling me is that someone is abusively using my IP address?

Is there something or some program that I can use to check my PCs and to solve this problem?

thanks a lot for help


So what you are telling me is that someone is abusively using my IP address?

No...they're not forging it, if that's what you mean. If a wireless router isn't involved, and only those few machines are connected to a "static" (unchanging) IP address, then one or more of those machines are still infected with something. It's generally a good idea to scan the machines with multiple tools, rather than just one. Other people will probably have better suggestions for those tools than I would.

Peace,

DT


I always recommend using plain old "netstat -a" to see what's really happening on your network if you suspect an infection.

What a useful first post, kmolloy, and welcome! I had forgotten that command and will be making use of it regularly. Thanks!

DT


I'll try to check which PC is infected when back to work.

Now, with the router turned off (since yesterday evening), I see that my IP will be delisted in a short time. Tomorrow I'll try to turn on the PCs one by one and scan each with anti-malware/spyware/virus tools etc.

I hope to solve my problem ;)


Well, it certainly timed off OK. Turning off the router stopped the spam. And SenderBase - http://www.senderbase.org/senderbase_queri...g=79.38.194.217 - is currently showing:

              Magnitude   Vol Change vs. Last Month
Last day        2.1          -95%
Last month      3.4          -

("Last day" should drop to 0 by the time you are back at work.)

I note you are listed on CBL also (link from the SenderBase display) - there is no automatic delisting there, I think - http://www.senderbase.org/senderbase_queri...g=79.38.194.217

IP Address 79.38.194.217 is currently listed in the CBL.

It was detected at 2008-09-05 16:00 GMT (+/- 30 minutes), approximately 1 day, 1 hour ago.

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.

This is the BOT

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

When you have fixed the problem you can delist from the CBL from the link on that page.

Good luck, you should have little trouble finding the computer(s) doing this by its/their behavior but completely disinfecting from trojan installation can be difficult, it is said.

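For the "netstat -a" suggestion earlier in the thread and the CBL note above about allowing outbound port 25 only from the real mail server, an added example that is not code from the thread, SpamCop or the CBL: a Python script that parses a Windows-style "netstat -an" capture and reports the local address holding many direct port-25 connections to hosts other than an allowlisted relay. The capture, the local addresses and the relay address 203.0.113.5 are constructed for illustration; the allowlist is the same policy the CBL's gateway rule enforces in the firewall.

```python
"""Find the box talking SMTP to the world: parse 'netstat -an' for outbound port 25.

Added example, not code from the forum thread. The netstat text below is a
constructed Windows-style 'netstat -an' capture and the relay address is an
assumed ISP smarthost; neither comes from the thread.
"""
from collections import defaultdict

# Constructed sample from one office PC. Windows prints Proto/Local/Foreign/State;
# UDP rows have no State column. Many half-open (SYN_SENT) and established
# connections to unrelated hosts on port 25 are the signature of a spam trojan
# delivering directly to remote MX hosts.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1042      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.23:1045      203.0.113.5:25         ESTABLISHED
  TCP    192.168.1.23:1046      203.0.113.77:25        SYN_SENT
  TCP    192.168.1.23:1047      198.51.100.140:25      SYN_SENT
  TCP    192.168.1.23:1048      203.0.113.9:25         ESTABLISHED
  TCP    192.168.1.23:1049      192.0.2.200:25         SYN_SENT
  TCP    192.168.1.23:1050      192.0.2.33:25          ESTABLISHED
  TCP    192.168.1.23:1051      192.0.2.34:25          SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

ALLOWED_RELAYS = {"203.0.113.5"}   # assumed: the ISP's outbound smarthost
SUSPICIOUS_PEERS = 3               # more than this many distinct :25 peers -> flag


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) tuples."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                               # header, blank or unknown row
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        lip, _, lport = local.rpartition(":")       # rpartition survives IPv6 text
        rip, _, rport = remote.rpartition(":")
        yield proto, lip, lport, rip, rport, state


def outbound_smtp(text, allowed=ALLOWED_RELAYS):
    """Map each local IP to the non-allowlisted hosts it is contacting on tcp/25."""
    peers = defaultdict(set)
    for proto, lip, _, rip, rport, state in parse_netstat(text):
        if proto != "TCP" or rport != "25" or state == "LISTENING":
            continue
        if rip in allowed:
            continue                               # the legitimate relay; fine
        peers[lip].add(rip)
    return dict(peers)


def suspects(text, allowed=ALLOWED_RELAYS, threshold=SUSPICIOUS_PEERS):
    """Local addresses that look like spam bots: many direct-to-MX connections."""
    return sorted(ip for ip, p in outbound_smtp(text, allowed).items()
                  if len(p) > threshold)


if __name__ == "__main__":
    for ip, p in outbound_smtp(NETSTAT_SAMPLE).items():
        print(f"{ip}: {len(p)} non-relay SMTP peers -> {sorted(p)}")
    print("suspects:", suspects(NETSTAT_SAMPLE))
```

Run on each PC in turn (paste the output of "netstat -an" into the sample string, or read it from a file); a clean desktop should show no port-25 peers at all apart from the mail client's own relay, so a single hit with several distinct peers identifies the infected machine before any scanner does.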

Ok, thanks for help. I'll scan all my PCs tomorrow. Can you please tell me a program or programs to use to find this trojan/malware/spyware on the infected PC ?...

I use SuperAntiSpyware but have never had to disinfect a machine with it - that is a whole different world. If people who have actually been through the process might speak up now that would be of most value.

SenderBase is still seeing some volume from 'your' IP so it seems there are other users (it never will get to 0). But the virus sending has stopped.


I'm scanning the first PC and when I typed netstat -a I found a big number of active processes; here is a screenshot:

[screenshot: 0001iz4.th.jpg]

I think that this is the infected PC... but I'm running Ad-Aware, Kaspersky Internet Security 2009 and Malwarebytes, and none of these has found anything...

My last resort is to format the primary partition... but that is the last option...

:(


I have formatted the infected PC... none of my anti-malware/anti-spyware tools found anything...

Thanks all for help :)

Thanks for keeping us informed. I hope that has fixed it - some "root-kit" infections are infamous for being difficult to detect once installed, but re-formatting usually works to remove them, it is said. I see you have delisted from the CBL also. Everything is clear so far.