[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine
spamming?
Josh King
josh at ucimc.org
Mon Jun 8 22:59:13 CDT 2009
I haven't been using one of our offsite servers as a mail relayhost
since we had problems with it a few weeks ago. I reinstated it, and now
all outgoing mail is getting sent through it instead of direct from the
mailserver at the IMC. I haven't seen more bounces in the logs so far,
so I think we just have to keep an eye on it.
Mike Lehman wrote:
> I noticed a lot of bounces this morning, too. Rarely get them. FWIW
> Mike Lehman
>
> Josh King wrote:
>> Goddammit. I don't think we have spammers, but I will double-check.
>> There was a site compromise on zeco running a packet generator a while
>> ago, but didn't notice any spam traffic. I'll route the traffic
>> through our offsite relay, see if that helps.
>>
>> Barry Isralewitz wrote:
>>> Hi IMC-Tech folks,
>>>
>>> I think chambana.net has been recently blacklisted. Are one of our
>>> machines infected and spamming mails and/or running malware attacks?
>>> Just got my second bounce action on a mailing list in a day -- a big
>>> deal, since before today, I got darned few (maybe zero?) over
>>> previous three years.
>>>
>>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>>
>>> ===
>>> CustName: URBANA CHAMPAIGN IMC
>>> NetRange: 75.145.177.72 - 75.145.177.79 CIDR:
>>> 75.145.177.72/29 NetName: URBANA-CHAMPAIGN-IMC RegDate:
>>> 2008-04-28 =====
>>>
>>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>> I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>> and saw...
>>> ===================
>>> IP Address 75.145.177.77 is currently listed in the CBL.
>>>
>>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>>> 5 days, 6 hours, 29 minutes ago.
>>>
>>> ATTENTION: At the time of detection, this IP was infected with, or
>>> NATting for a computer infected with a high volume spam sending trojan -
>>> it is participating or facilitating a botnet sending spam or spreading
>>> virus/spam trojans.
>>>
>>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>>> without correcting the problem, the CBL WILL eventually stop letting you
>>> delist it and you will have to contact us directly.
>>>
>>> This is the cutwail spamBOT
>>>
>>> You MUST patch your system and then fix/remove the trojan. Do this
>>> before delisting, or you're most likely to be listed again almost
>>> immediately.
>>>
>>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>>> prevent outbound port 25 connections to the Internet except from your
>>> real mail servers. Please see our recommendations on NAT firewalls
>>>
>>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>>> chance of being able to find/remove the malicious software. If you can
>>> find which machine[s] the malware is on.
>>>
>>> Request delisting of 75.145.177.77
>>> =========================
>>>
>>> Note that we shouldn't simply request delisting; we need to check for
>>> the
>>> problem they are complaining about first.
>>> Here is the text from the bounced bikecoop list mail that told me to
>>> check Spamhaus:
>>>
>>> =================
>>>
>>> Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71]
>>> said: 554
>>> 5.7.1 Service unavailable;
>>> Client host [75.145.177.77] blocked using
>>> zen.spamhaus.org;
>>> http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in
>>> reply to RCPT TO command)
>>>
>>> Final-Recipient: rfc822; ben at peartreestudio.net
>>> Action: failed
>>> Status: 5.0.0
>>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158]
>>> said:
>>> 550-ATLAS(2503): 75.145.177.77 is blacklisted and not
>>> authenticated.
>>> Please 550-request delisting via the following link: 550
>>> http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to
>>> MAIL
>>> FROM command)
>>>
>>> And I see a ====
>>>> host 75.145.177.77
>>> 77.177.145.75.in-addr.arpa domain name pointer
>>> 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>>> ====
>>>
>>>
>>>
>>> Cheers,
>>>
>>> Barry
>>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> IMC-Tech mailing list
>> IMC-Tech at lists.ucimc.org
>> http://lists.chambana.net/cgi-bin/listinfo/imc-tech
>>
>
--
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal,
but because there is no such thing as a final goal." -Rudolf Rocker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.chambana.net/mailman/archive/imc-tech/attachments/20090608/16d0aee5/signature.pgp
More information about the IMC-Tech
mailing list