[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine spamming?

Josh King josh at ucimc.org
Mon Jun 8 22:59:13 CDT 2009


I haven't been using one of our offsite servers as a mail relayhost 
since we had problems with it a few weeks ago. I reinstated it, and now 
all outgoing mail is getting sent through it instead of direct from the 
mailserver at the IMC. I haven't seen more bounces in the logs so far, 
so I think we just have to keep an eye on it.

Mike Lehman wrote:
> I noticed a lot of bounces this morning, too. Rarely get them. FWIW
> Mike Lehman
> 
> Josh King wrote:
>> Goddammit. I don't think we have spammers, but I will double-check. 
>> There was a site compromise on zeco running a packet generator a while 
>> ago, but didn't notice any spam traffic. I'll route the traffic 
>> through our offsite relay, see if that helps.
>>
>> Barry Isralewitz wrote:
>>> Hi IMC-Tech folks,
>>>
>>>   I think chambana.net has been recently blacklisted. Is one of our
>>> machines infected and spamming mails and/or running malware attacks?
>>>   Just got my second bounce action on a mailing list in a day -- a big
>>> deal, since before today, I got darned few (maybe zero?) over the
>>> previous three years.
>>>
>>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>>
>>> ===
>>>  CustName:   URBANA CHAMPAIGN IMC
>>>  NetRange:   75.145.177.72 - 75.145.177.79
>>>  CIDR:       75.145.177.72/29
>>>  NetName:    URBANA-CHAMPAIGN-IMC
>>>  RegDate:    2008-04-28
>>> =====
>>>
>>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>>   I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>>   and saw...
>>> ===================
>>> IP Address 75.145.177.77 is currently listed in the CBL.
>>>
>>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>>> 5 days, 6 hours, 29 minutes ago.
>>>
>>> ATTENTION: At the time of detection, this IP was infected with, or
>>> NATting for a computer infected with a high volume spam sending trojan -
>>> it is participating or facilitating a botnet sending spam or spreading
>>> virus/spam trojans.
>>>
>>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>>> without correcting the problem, the CBL WILL eventually stop letting you
>>> delist it and you will have to contact us directly.
>>>
>>> This is the cutwail spamBOT
>>>
>>> You MUST patch your system and then fix/remove the trojan. Do this
>>> before delisting, or you're most likely to be listed again almost
>>> immediately.
>>>
>>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>>> prevent outbound port 25 connections to the Internet except from your
>>> real mail servers. Please see our recommendations on NAT firewalls
>>>
>>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>>> chance of being able to find/remove the malicious software. If you can
>>> find which machine[s] the malware is on.
>>>
>>> Request delisting of 75.145.177.77
>>> =========================
>>>
>>> Note that we shouldn't simply request delisting; we need to check for
>>> the problem they are complaining about first.
>>> Here is the text from the bounced bikecoop list mail that told me to 
>>> check Spamhaus:
>>>
>>> =================
>>>
>>>   Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71]
>>>         said: 554 5.7.1 Service unavailable;
>>>         Client host [75.145.177.77] blocked using zen.spamhaus.org;
>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in reply to
>>>         RCPT TO command)
>>>
>>> Final-Recipient: rfc822; ben at peartreestudio.net
>>> Action: failed
>>> Status: 5.0.0
>>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
>>>         550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
>>>         Please 550-request delisting via the following link: 550
>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to
>>>         MAIL FROM command)
>>>
>>>   And I see a
>>> ====
>>> > host 75.145.177.77
>>> 77.177.145.75.in-addr.arpa domain name pointer
>>> 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>>> ====
>>>
>>>
>>>
>>>          Cheers,
>>>
>>>          Barry
>>>
>>

-- 
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal, 
but because there is no such thing as a final goal." -Rudolf Rocker
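The thread's triage steps (read the DNSBL zone out of the Postfix bounce, reverse the octets and query the zone, then interpret the answer) are easy to get wrong by hand, so here is an added example that is not from any of the posters and not part of the UCIMC setup. It assumes only the Python standard library; the ZEN return-code table is my reading of Spamhaus's published documentation and should be verified against the current docs, and the sample bounce and the offline answer table are constructed for the demonstration (the bounce mirrors the DSN quoted above).

```python
"""
Added example (not from the thread): triage a DNSBL listing.

  parse_bounce()     pulls the blocked client IP and the DNSBL zone out of a
                     Postfix DSN such as the zen.spamhaus.org bounce above;
  dnsbl_query_name() builds the reversed-octet lookup name DNSBLs use;
  check_dnsbl()      resolves that name and maps 127.0.0.x answers to a list
                     name.  The resolver is injectable so it runs offline.
"""
import ipaddress
import re
import socket

# ASSUMPTION: Spamhaus ZEN return codes (127.0.0.x -> sub-list).  Verify
# against the current Spamhaus documentation before relying on this table.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL (CBL)",
    "127.0.0.6": "XBL (CBL)",
    "127.0.0.7": "XBL (CBL)",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Postfix DSN wording: "Client host [a.b.c.d] blocked using zone;".  The text
# is whitespace-collapsed first because MTAs and mail clients re-wrap it.
_BLOCKED_RE = re.compile(
    r"Client host \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+blocked using\s+"
    r"(?P<zone>[\w.-]+);"
)

# Constructed sample, mirroring the bounce quoted in the thread.
SAMPLE_DSN = """Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71]
said: 554
        5.7.1 Service unavailable;
        Client host [75.145.177.77] blocked using
        zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in
        reply to RCPT TO command)"""


def parse_bounce(dsn_text):
    """Return (client_ip, dnsbl_zone) from a Postfix DSN, or None when the
    bounce is not a DNSBL rejection."""
    m = _BLOCKED_RE.search(" ".join(dsn_text.split()))
    if not m:
        return None
    return m.group("ip"), m.group("zone")


def dnsbl_query_name(ip, zone):
    """75.145.177.77 + zen.spamhaus.org -> 77.177.145.75.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_resolver(name):
    """Live lookup: all A records for the name (raises gaierror on NXDOMAIN)."""
    return socket.gethostbyname_ex(name)[2]


# Constructed offline answer table for testing without network access.
OFFLINE_ANSWERS = {"77.177.145.75.zen.spamhaus.org": ["127.0.0.4"]}


def offline_resolver(name):
    """Fake resolver backed by OFFLINE_ANSWERS; NXDOMAIN for anything else."""
    try:
        return OFFLINE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {name}")


def check_dnsbl(ip, zone="zen.spamhaus.org", resolve=dns_resolver):
    """Return a list of labels for each A record the zone returns, or None
    when the name does not exist (not listed).  Answers in 127.255.255.0/24
    are treated as query errors, not listings (ASSUMPTION: Spamhaus uses
    that range to signal refused or rate-limited queries)."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    labels = []
    for a in answers:
        if a.startswith("127.255.255."):
            labels.append(f"query error {a} (not a listing)")
        else:
            labels.append(ZEN_CODES.get(a, f"listed ({a})"))
    return labels


if __name__ == "__main__":
    ip, zone = parse_bounce(SAMPLE_DSN)
    print("bounce says", ip, "is blocked by", zone)
    print("query name:", dnsbl_query_name(ip, zone))
    print("offline answer:", check_dnsbl(ip, zone, resolve=offline_resolver))
```

Two points this makes concrete. An XBL/CBL hit says only that something behind 75.145.177.77 sent bot-like traffic; since that address reverse-resolves to a Comcast Business gateway, the sender could be any NATted host, which is why the CBL text above insists on letting only the real mail servers open outbound port 25. And a 127.255.255.x answer is a reason to query from your own resolver rather than a public one, not a reason to request delisting.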

