[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine
spamming?
Barry Isralewitz
barryi at ks.uiuc.edu
Mon Jun 8 18:30:03 CDT 2009
Hi IMC-Tech folks,
I think chambana.net has been recently blacklisted. Is one of our
machines infected and spamming mails and/or running malware attacks?
Just got my second bounce action on a mailing list in a day -- a big
deal, since before today I got darned few (maybe zero?) over the previous three years.
The problematic IP address 75.145.177.77 seems to be one of ours...
===
CustName: URBANA CHAMPAIGN IMC
NetRange: 75.145.177.72 - 75.145.177.79
CIDR: 75.145.177.72/29
NetName: URBANA-CHAMPAIGN-IMC
RegDate: 2008-04-28
=====
Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
I went to
http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
and saw...
===================
IP Address 75.145.177.77 is currently listed in the CBL.
It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
5 days, 6 hours, 29 minutes ago.
ATTENTION: At the time of detection, this IP was infected with, or
NATting for a computer infected with a high volume spam sending trojan -
it is participating or facilitating a botnet sending spam or spreading
virus/spam trojans.
ATTENTION: If you simply repeatedly remove this IP address from the CBL
without correcting the problem, the CBL WILL eventually stop letting you
delist it and you will have to contact us directly.
This is the cutwail spamBOT
You MUST patch your system and then fix/remove the trojan. Do this
before delisting, or you're most likely to be listed again almost
immediately.
If this IP is a NAT firewall/gateway, you MUST configure the NAT to
prevent outbound port 25 connections to the Internet except from your
real mail servers. Please see our recommendations on NAT firewalls
The Microsoft MSRT (Malicious Software Removal Tool) stands a good
chance of being able to find/remove the malicious software. If you can
find which machine[s] the malware is on.
Request delisting of 75.145.177.77
=========================
Note that we shouldn't simply request delisting; we need to check for the
problem they are complaining about first.
Here is the text from the bounced bikecoop list mail that told me to check Spamhaus:
=================
Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said:
554 5.7.1 Service unavailable; Client host [75.145.177.77] blocked using
zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=75.145.177.77
(in reply to RCPT TO command)
Final-Recipient: rfc822; ben at peartreestudio.net
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
550-Please request delisting via the following link:
550 http://www.spamhaus.org/query/bl?ip=75.145.177.77.
(in reply to MAIL FROM command)
And I see:
====
> host 75.145.177.77
77.177.145.75.in-addr.arpa domain name pointer 75-145-177-77-Illinois.hfc.comcastbusiness.net.
====
Cheers,
Barry
--
Barry Isralewitz, Ph. D.
Theoretical and Computational Biophysics Group
3043 Beckman, University of Illinois at Urbana-Champaign
Office Phone: (217) 244-1612 Home Phone: (217) 337-6364
email: barryi at ks.uiuc.edu http://www.ks.uiuc.edu/~barryi
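An added example, not part of Barry's message or of the CBL page he quotes: a small POSIX shell script that does the two things the thread calls for. First, it checks an address against zen.spamhaus.org by the same DNS mechanism the bouncing MTAs used (reverse the octets, append the zone, look for an A record, and read the 127.0.0.x answer to learn which sub-list hit), which is how you confirm a listing and tell a bot/trojan (XBL, fed by CBL) apart from a policy block (PBL) before requesting delisting. Second, it prints the NAT egress rules the CBL text recommends: only the real mail server may open outbound TCP/25, and every other LAN host that tries is logged, which is also how you find the infected machine. The Linux/iptables NAT box, the LAN interface name eth1 and the mail server address 192.168.1.10 are assumptions for illustration, not details from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the CBL. Assumes a Linux NAT
# gateway with iptables; interface and mail-server address are placeholders.

# Reverse the octets and append the zone:
# 75.145.177.77 -> 77.177.145.75.zen.spamhaus.org
dnsbl_name() {
    ip=$1
    zone=${2:-zen.spamhaus.org}
    echo "$ip" | awk -F. -v z="$zone" \
        '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, z }'
}

# Map a Zen answer to the sub-list it came from (values per Spamhaus docs).
# 127.255.255.x answers are query errors, not listings (e.g. open resolver,
# query limit exceeded); do not treat them as a blacklisting.
zen_meaning() {
    case $1 in
        127.0.0.2)  echo "SBL (spam source)" ;;
        127.0.0.3)  echo "SBL CSS (compromised or snowshoe source)" ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)
                    echo "XBL (exploited host; CBL data, i.e. bot/trojan)" ;;
        127.0.0.10|127.0.0.11)
                    echo "PBL (policy block: address should not send mail directly)" ;;
        127.255.255.*)
                    echo "query error $1 (resolver blocked or rate-limited), not a listing" ;;
        *)          echo "unknown code $1" ;;
    esac
}

# Query the DNSBL for one IPv4 address. No A record means not listed.
# Needs network access and dig(1); returns 0 if listed, 1 otherwise.
check_zen() {
    name=$(dnsbl_name "$1")
    codes=$(dig +short A "$name" 2>/dev/null)
    if [ -z "$codes" ]; then
        echo "$1: not listed in zen.spamhaus.org"
        return 1
    fi
    for c in $codes; do
        echo "$1: listed ($c) -> $(zen_meaning "$c")"
    done
    return 0
}

# Print iptables rules for the egress policy the CBL recommends: only the
# real mail server may open outbound TCP/25 through the NAT; any other LAN
# host gets logged (its source IP identifies the infected machine) and
# rejected. Review the output, then pipe it to sh on the gateway to apply.
smtp_egress_rules() {
    mail_server=$1
    lan_if=${2:-eth1}
    cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -i $lan_if -p tcp --dport 25 -j SMTP_EGRESS
iptables -A SMTP_EGRESS -s $mail_server -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
}

# Usage (both lines are examples; the first needs network access):
#   check_zen 75.145.177.77
#   smtp_egress_rules 192.168.1.10 eth1 | sh
```

The LOG rule is the useful part for the "which machine is it?" question: after the rules are in place, `grep SMTP-EGRESS-BLOCK /var/log/kern.log` (or wherever the kernel logs go on the gateway) lists the LAN source addresses still trying to reach port 25 directly, which is exactly the behaviour of a spam bot such as the one CBL reports. The `--limit` keeps a busy bot from flooding the log.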