[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine spamming?
Josh King
josh at ucimc.org
Mon Jun 8 19:11:08 CDT 2009
Goddammit. I don't think we have spammers, but I will double-check.
There was a site compromise on zeco running a packet generator a while
ago, but didn't notice any spam traffic. I'll route the traffic through
our offsite relay, see if that helps.
Barry Isralewitz wrote:
> Hi IMC-Tech folks,
>
> I think chambana.net has been recently blacklisted. Is one of our
> machines infected and spamming mails and/or running malware attacks?
>
> Just got my second bounce action on a mailing list in a day -- a big
> deal, since before today, I got darned few (maybe zero?) over the previous three years.
>
> The problematic IP address 75.145.177.77 seems to be one of ours...
>
> ===
> CustName: URBANA CHAMPAIGN IMC
> NetRange: 75.145.177.72 - 75.145.177.79
> CIDR: 75.145.177.72/29
> NetName: URBANA-CHAMPAIGN-IMC
> RegDate: 2008-04-28
> =====
>
> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
> I went to
> http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
> and saw...
> ===================
> IP Address 75.145.177.77 is currently listed in the CBL.
>
> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
> 5 days, 6 hours, 29 minutes ago.
>
> ATTENTION: At the time of detection, this IP was infected with, or
> NATting for a computer infected with a high volume spam sending trojan -
> it is participating or facilitating a botnet sending spam or spreading
> virus/spam trojans.
>
> ATTENTION: If you simply repeatedly remove this IP address from the CBL
> without correcting the problem, the CBL WILL eventually stop letting you
> delist it and you will have to contact us directly.
>
> This is the cutwail spamBOT
>
> You MUST patch your system and then fix/remove the trojan. Do this
> before delisting, or you're most likely to be listed again almost
> immediately.
>
> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
> prevent outbound port 25 connections to the Internet except from your
> real mail servers. Please see our recommendations on NAT firewalls
>
> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
> chance of being able to find/remove the malicious software. If you can
> find which machine[s] the malware is on.
>
> Request delisting of 75.145.177.77
> =========================
>
> Note that we shouldn't simply request delisting; we need to check for the
> problem they are complaining about first.
> Here is the text from the bounced bikecoop list mail that told me to check Spamhaus:
>
> =================
>
> Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71]
> said: 554
> 5.7.1 Service unavailable;
> Client host [75.145.177.77] blocked using
> zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in
> reply to RCPT TO command)
>
> Final-Recipient: rfc822; ben at peartreestudio.net
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158]
> said:
> 550-ATLAS(2503): 75.145.177.77 is blacklisted and not
> authenticated.
> Please 550-request delisting via the following link: 550
> http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to
> MAIL
> FROM command)
>
> And I see a
> ====
>> host 75.145.177.77
> 77.177.145.75.in-addr.arpa domain name pointer 75-145-177-77-Illinois.hfc.comcastbusiness.net.
> ====
>
>
>
> Cheers,
>
> Barry
>
--
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal,
but because there is no such thing as a final goal." -Rudolf Rocker
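
An added example, not part of the original thread or any UCIMC tooling: a small Python parser for bounce diagnostics like the two Barry quoted. It extracts the rejecting host, the DNSBL zone and the SMTP stage, keeps only addresses inside the 75.145.177.72/29 range from the whois excerpt, and builds the DNSBL name to look up. The function names and regular expressions are this example's own assumptions; the bounce text is copied from the message with its mail wrapping undone.

```python
import ipaddress
import re

# Bounce text from the message above, unwrapped (line breaks there are mail wrapping).
BOUNCES = [
    "Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said: 554 "
    "5.7.1 Service unavailable; Client host [75.145.177.77] blocked using "
    "zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=75.145.177.77 "
    "(in reply to RCPT TO command)",
    "Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said: "
    "550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated. Please "
    "550-request delisting via the following link: 550 "
    "http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to MAIL FROM command)",
]
OUR_NET = ipaddress.ip_network("75.145.177.72/29")  # CIDR from the whois excerpt

REPORTER = re.compile(r"host (\S+?)\[[\d.]+\] said:")
ZONE = re.compile(r"blocked using ([\w.-]+)")
STAGE = re.compile(r"in reply to\s+(.+?)\s+command")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def dnsbl_query_name(ip, zone):
    """Name a DNSBL lookup resolves: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def parse_bounce(text):
    """Extract reporter, DNSBL zone, SMTP stage and any of our IPs named in a bounce."""
    text = " ".join(text.split())  # collapse wrapping whitespace
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    ours = set()
    for cand in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # e.g. an octet above 255
            continue
        if addr in OUR_NET:
            ours.add(addr)
    return {"reporter": first(REPORTER), "zone": first(ZONE),
            "stage": first(STAGE), "our_ips": sorted(ours)}


if __name__ == "__main__":
    for b in BOUNCES:
        r = parse_bounce(b)
        print(r["reporter"], r["stage"], [str(i) for i in r["our_ips"]], r["zone"])
        for ip in r["our_ips"]:
            if r["zone"]:
                print("  check:", dnsbl_query_name(ip, r["zone"]))
```

Run over a mailbox of bounces, the same parsing shows which address in the /29 is being rejected and at which SMTP stage, which narrows down the host or NAT to inspect before any delisting request.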