[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine spamming?

Barry Isralewitz barryi at ks.uiuc.edu
Tue Jun 9 11:12:00 CDT 2009


Hi Josh,

On Mon, Jun 08, 2009 at 10:59:13PM -0500, Josh King wrote:
> I haven't been using one of our offsite servers as a mail relayhost  
> since we had problems with it a few weeks ago. I reinstated it, and now  
> all outgoing mail is getting sent through it instead of direct from the  
> mailserver at the IMC. I haven't seen more bounces in the logs so far,  
> so I think we just have to keep an eye on it.

  Short version:  Josh, could you click the "Request delisting" link on
the below cbl.abuseat.org page to request de-listing of our host
75.145.177.77 from CBL?

  Details:
  Our server 75.145.177.77 (mail.chambana.net) is still listed in CBL,
and thus XBL, and thus Spamhaus.  This means bounces are still
possible/likely from mail servers that rely on either (correct?) --
like some/all hotmail.com accounts.  (Who knows, there might also
be non-bounce filtering based on SBL, PBL, XBL, Spamhaus, etc. that we are not hearing
about.)
  Checking right now (Tue Jun  9 11:00:56 CDT 2009):
http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77&.submit=Lookup
==============
IP Address 75.145.177.77 is currently listed in the CBL.

It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
5 days, 22 hours, 59 minutes ago.
===============
 Josh, can you click the "de-list" link on the above page to request
de-listing from CBL?  I'd do it myself, but since we need to keep the
number of requests low, and we might need to do this again before the
problem is resolved, it seems best to have only one person doing it.   The
site will start ignoring de-list requests if we cry "wolf" too many
times (well, really cry "no wolf" too many times), i.e. if too many
de-list requests are made without a halt to the spam/malware traffic.

 Let me know when you request the de-list (or if you already have done
this).  If we are de-listed, and soon re-listed, we'll know we're still
a source of spam/malware traffic and have some looking around to do....


        Cheers,

        Barry




>
> Mike Lehman wrote:
>> I noticed a lot of bounces this morning, too. Rarely get them. FWIW
>> Mike Lehman
>>
>> Josh King wrote:
>>> Goddammit. I don't think we have spammers, but I will double-check.  
>>> There was a site compromise on zeco running a packet generator a 
>>> while ago, but didn't notice any spam traffic. I'll route the traffic 
>>> through our offsite relay, see if that helps.
>>>
>>> Barry Isralewitz wrote:
>>>> Hi IMC-Tech folks,
>>>>
>>>>   I think chambana.net has been recently blacklisted. Are one of our
>>>> machines infected and spamming mails and/or running malware 
>>>> attacks?   Just got my second bounce action on a mailing list in a 
>>>> day -- a big
>>>> deal, since before today, I got darned few (maybe zero?) over  
>>>> previous three years.
>>>>
>>>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>>>
>>>> ===
>>>>  CustName:   URBANA CHAMPAIGN IMC
>>>>  NetRange:   75.145.177.72 - 75.145.177.79
>>>>  CIDR:       75.145.177.72/29
>>>>  NetName:    URBANA-CHAMPAIGN-IMC
>>>>  RegDate:    2008-04-28
>>>> =====
>>>>
>>>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>>>   I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>>>   and saw...
>>>> ===================
>>>> IP Address 75.145.177.77 is currently listed in the CBL.
>>>>
>>>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>>>> 5 days, 6 hours, 29 minutes ago.
>>>>
>>>> ATTENTION: At the time of detection, this IP was infected with, or
>>>> NATting for a computer infected with a high volume spam sending trojan -
>>>> it is participating or facilitating a botnet sending spam or spreading
>>>> virus/spam trojans.
>>>>
>>>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>>>> without correcting the problem, the CBL WILL eventually stop letting you
>>>> delist it and you will have to contact us directly.
>>>>
>>>> This is the cutwail spamBOT
>>>>
>>>> You MUST patch your system and then fix/remove the trojan. Do this
>>>> before delisting, or you're most likely to be listed again almost
>>>> immediately.
>>>>
>>>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>>>> prevent outbound port 25 connections to the Internet except from your
>>>> real mail servers. Please see our recommendations on NAT firewalls
>>>>
>>>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>>>> chance of being able to find/remove the malicious software. If you can
>>>> find which machine[s] the malware is on.
>>>>
>>>> Request delisting of 75.145.177.77
>>>> =========================
>>>>
>>>> Note that we shouldn't simply request delisting; we need to check for the
>>>> problem they are complaining about first.
>>>> Here is the text from the bounced bikecoop list mail that told me 
>>>> to check Spamhaus:
>>>>
>>>> =================
>>>>
>>>>   Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said: 554
>>>>         5.7.1 Service unavailable;
>>>>         Client host [75.145.177.77] blocked using zen.spamhaus.org;
>>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in reply to RCPT TO command)
>>>>
>>>> Final-Recipient: rfc822; ben at peartreestudio.net
>>>> Action: failed
>>>> Status: 5.0.0
>>>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
>>>>         550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
>>>>         Please 550-request delisting via the following link: 550
>>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to MAIL FROM command)
>>>>
>>>>   And I see a ====
>>>>> host 75.145.177.77
>>>> 77.177.145.75.in-addr.arpa domain name pointer  
>>>> 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>>>> ====
>>>>
>>>>
>>>>
>>>>          Cheers,
>>>>
>>>>          Barry
>>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> IMC-Tech mailing list
>>> IMC-Tech at lists.ucimc.org
>>> http://lists.chambana.net/cgi-bin/listinfo/imc-tech
>>>   
>>
>
> -- 
> Josh King
> --
> "I am an Anarchist not because I believe Anarchism is the final goal,  
> but because there is no such thing as a final goal." -Rudolf Rocker
>
>



-- 
Barry Isralewitz, Ph. D.
Theoretical and Computational Biophysics Group
3043 Beckman, University of Illinois at Urbana-Champaign
Office Phone: (217) 244-1612    Home Phone: (217) 337-6364
email: barryi at ks.uiuc.edu   http://www.ks.uiuc.edu/~barryi
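Added example, not part of the thread or of any poster's own tooling: the check the bouncing MTAs ran (a reversed-octet A-record query against zen.spamhaus.org, which carries the CBL data via XBL), a parser for the Postfix delivery-status bounces quoted above, and a pass over NAT flow records for the "looking around" step the CBL page recommends. Zone names and 127.0.0.x return-code meanings follow Spamhaus/CBL public conventions; the DSN sample is reconstructed from the second bounce in the thread with a constructed placeholder recipient; the flow records and internal addresses are constructed; the `resolver` parameter is a hook of this example so it can run offline.

```python
"""Added example (not from the thread): check a DNS blocklist listing the way
the rejecting MTAs did, read a Postfix DSN bounce, and look for hosts behind
the NAT that talk SMTP without being a mail server.

Assumptions: Spamhaus Zen / CBL return-code conventions; DSN_SAMPLE is
reconstructed from the thread with a constructed recipient; FLOWS and the
192.168.1.x addresses are constructed sample data.
"""
import ipaddress
import re
import socket


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Reversed-octet query name, e.g. 77.177.145.75.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on junk
    return ".".join(reversed(octets)) + "." + zone


def zen_label(answer):
    """Map a Zen answer 127.0.0.x to its sub-list (XBL carries the CBL data)."""
    last = int(answer.rsplit(".", 1)[1])
    return {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
            10: "PBL", 11: "PBL"}.get(last, "unknown")


def system_resolver(name):
    """Live lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip, zone="zen.spamhaus.org", resolver=system_resolver):
    """Query the blocklist and interpret the answers; `resolver` is injectable
    so the logic can be exercised offline with constructed answers."""
    answers = resolver(dnsbl_name(ip, zone))
    # Only 127.0.0.x is a listing. Spamhaus reports errors (public resolver,
    # query limits) as 127.255.255.x, and some ISPs rewrite NXDOMAIN into a
    # real address; both would otherwise be misread as 'listed'.
    odd = [a for a in answers if not a.startswith("127.0.0.")]
    if odd:
        raise RuntimeError(f"unexpected DNSBL answer {odd}; check your resolver")
    return {"ip": ip, "zone": zone, "listed": bool(answers),
            "lists": sorted({zen_label(a) for a in answers})}


# Reconstructed from the second bounce quoted in the thread; the recipient is
# a constructed placeholder. Continuation lines start with whitespace.
DSN_SAMPLE = """\
Final-Recipient: rfc822; user@example.net
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
    550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
    Please 550-request delisting via the following link: 550
    http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to MAIL
    FROM command)
"""

HOST_RE = re.compile(r"host (\S+)\[([\d.]+)\] said: (\d{3})")
DNSBL_URL_RE = re.compile(r"https?://\S*(?:spamhaus\.org|abuseat\.org)\S*")


def parse_dsn_fields(text):
    """Unfold RFC 5322 continuation lines, then split 'Name: value' fields."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)
    fields = {}
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields


def diagnose_bounce(text):
    """Tell a DNSBL rejection from an ordinary failure and name the rejecting MX."""
    fields = parse_dsn_fields(text)
    diag = fields.get("Diagnostic-Code", "")
    host = HOST_RE.search(diag)
    url = DNSBL_URL_RE.search(diag)
    return {
        "recipient": fields.get("Final-Recipient", "").split(";", 1)[-1].strip(),
        "permanent": fields.get("Status", "").startswith("5"),
        "remote_mx": host.group(1) if host else None,
        "remote_ip": host.group(2) if host else None,
        "smtp_code": host.group(3) if host else None,
        "dnsbl_reference": url.group(0).rstrip(".") if url else None,
        "dnsbl_rejection": url is not None or "blacklist" in diag.lower(),
    }


# Constructed NAT-gateway flow log as (src, dst, dport). The CBL page asks
# that only the real mail servers may reach port 25; anything else is a lead.
FLOWS = [
    ("192.168.1.10", "64.40.115.71", 25),
    ("192.168.1.37", "203.0.113.9", 25),
    ("192.168.1.37", "198.51.100.20", 25),
    ("192.168.1.52", "203.0.113.5", 443),
]


def rogue_smtp_clients(flows, mail_servers):
    """Internal hosts talking SMTP that are not sanctioned mail servers."""
    counts = {}
    for src, _dst, dport in flows:
        if dport == 25 and src not in mail_servers:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print(check_listing("75.145.177.77"))               # live DNS query
    print(diagnose_bounce(DSN_SAMPLE))
    print(rogue_smtp_clients(FLOWS, {"192.168.1.10"}))  # {'192.168.1.37': 2}
```

Run against live DNS, `check_listing` answers the question Barry re-checks by hand each time; run after a delisting, a quick return of `XBL` in `lists` is the "de-listed and soon re-listed" signal that the source is still inside the NAT, and `rogue_smtp_clients` over the gateway's own flow records is where to start looking.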

