[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine spamming?

Mike Lehman rebelmike at earthlink.net
Mon Jun 8 22:48:18 CDT 2009


I noticed a lot of bounces this morning, too. Rarely get them. FWIW
Mike Lehman

Josh King wrote:
> Goddammit. I don't think we have spammers, but I will double-check. 
> There was a site compromise on zeco running a packet generator a while 
> ago, but didn't notice any spam traffic. I'll route the traffic 
> through our offsite relay, see if that helps.
>
> Barry Isralewitz wrote:
>> Hi IMC-Tech folks,
>>
>>   I think chambana.net has been recently blacklisted. Is one of our
>> machines infected and spamming mails and/or running malware attacks? 
>>   Just got my second bounce action on a mailing list in a day -- a big
>> deal, since before today, I got darned few (maybe zero?) over 
>> previous three years.
>>
>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>
>> ===
>>  CustName:   URBANA CHAMPAIGN IMC
>>  NetRange:   75.145.177.72 - 75.145.177.79
>>  CIDR:       75.145.177.72/29
>>  NetName:    URBANA-CHAMPAIGN-IMC
>>  RegDate:    2008-04-28
>> =====
>>
>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>   I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>   and saw...
>> ===================
>> IP Address 75.145.177.77 is currently listed in the CBL.
>>
>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>> 5 days, 6 hours, 29 minutes ago.
>>
>> ATTENTION: At the time of detection, this IP was infected with, or
>> NATting for a computer infected with a high volume spam sending trojan -
>> it is participating or facilitating a botnet sending spam or spreading
>> virus/spam trojans.
>>
>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>> without correcting the problem, the CBL WILL eventually stop letting you
>> delist it and you will have to contact us directly.
>>
>> This is the cutwail spamBOT
>>
>> You MUST patch your system and then fix/remove the trojan. Do this
>> before delisting, or you're most likely to be listed again almost
>> immediately.
>>
>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>> prevent outbound port 25 connections to the Internet except from your
>> real mail servers. Please see our recommendations on NAT firewalls
>>
>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>> chance of being able to find/remove the malicious software. If you can
>> find which machine[s] the malware is on.
>>
>> Request delisting of 75.145.177.77
>> =========================
>>
>> Note that we shouldn't simply request delisting; we need to check for the
>> problem they are complaining about first.
>> Here is the text from the bounced bikecoop list mail that told me to check
>> Spamhaus:
>>
>> =================
>>
>>   Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said: 554
>>         5.7.1 Service unavailable;
>>         Client host [75.145.177.77] blocked using
>>         zen.spamhaus.org;
>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in
>>         reply to RCPT TO command)
>>
>> Final-Recipient: rfc822; ben at peartreestudio.net
>> Action: failed
>> Status: 5.0.0
>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
>>         550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
>>         Please 550-request delisting via the following link: 550
>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to MAIL
>>         FROM command)
>>
>>   And I see a
>> ====
>> > host 75.145.177.77
>> 77.177.145.75.in-addr.arpa domain name pointer 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>> ====
>>
>>
>>
>>          Cheers,
>>
>>          Barry
>>
>
>   
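
Added example, not part of the original thread: a small Python triage helper for bounces like the ones quoted above. It unfolds each Diagnostic-Code field, extracts the rejected client IP and any blocklist zone named, checks the IP against the /29 from the WHOIS output, and builds the DNSBL query name (reversed octets plus zone); the sample bounce is reconstructed from the quoted text, and all function and field names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the two Diagnostic-Code fields quoted in the thread, folded as in a DSN.
SAMPLE_BOUNCE = (
    "Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said: 554\n"
    "        5.7.1 Service unavailable; Client host [75.145.177.77] blocked using\n"
    "        zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in\n"
    "        reply to RCPT TO command)\n"
    "Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:\n"
    "        550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.\n"
)
OUR_NET = ipaddress.ip_network("75.145.177.72/29")  # CIDR from the WHOIS output in the thread
BLOCKED = re.compile(r"Client host \[(?P<ip>[0-9.]+)\] blocked using (?P<zone>[A-Za-z0-9.-]+)")
LISTED = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blacklisted")
REPORTER = re.compile(r"host (\S+?)\[")

def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def triage(bounce_text, our_net=OUR_NET):
    """Return one finding per Diagnostic-Code field that names a rejected IP."""
    unfolded = re.sub(r"\n[ \t]+", " ", bounce_text)  # join folded continuation lines
    findings = []
    for line in unfolded.splitlines():
        if not line.startswith("Diagnostic-Code:"):
            continue
        m = BLOCKED.search(line) or LISTED.search(line)
        if not m:
            continue
        ip, zone = m.group("ip"), m.groupdict().get("zone")
        reporter = REPORTER.search(line)
        findings.append({
            "reporter": reporter.group(1) if reporter else None,  # rejecting MX
            "ip": ip,
            "ours": ipaddress.ip_address(ip) in our_net,  # is it our address space?
            "zone": zone,  # None when the bounce names no blocklist
            "query": dnsbl_name(ip, zone) if zone else None,
        })
    return findings
```

A finding with "ours" set means the rejection is about an address in the local allocation, so the next step is the one the CBL notice asks for: find what is sending on port 25 behind that address before requesting delisting.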


