[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine spamming?

Josh King josh at ucimc.org
Tue Jun 9 11:35:09 CDT 2009


Hi Barry,

I just requested the delisting, so I will also be keeping an eye on 
whether we get placed back on it. Thanks!

Barry Isralewitz wrote:
> Hi Josh,
> 
> On Mon, Jun 08, 2009 at 10:59:13PM -0500, Josh King wrote:
>> I haven't been using one of our offsite servers as a mail relayhost  
>> since we had problems with it a few weeks ago. I reinstated it, and now  
>> all outgoing mail is getting sent through it instead of direct from the  
>> mailserver at the IMC. I haven't seen more bounces in the logs so far,  
>> so I think we just have to keep an eye on it.
> 
>   Short version:  Josh, could you click the "Request delisting" link on
> the below cbl.abuseat.org page, to request de-listing of our host
> 75.145.177.77 from CBL.
> 
>   Details:
>   Our server 75.145.177.77 (mail.chambana.net) is still listed in CBL,
> and thus XBL, and thus Spamhaus.  This means bounces are still
> possible/likely from mail servers that rely on either (correct?) --
> like some/all hotmail.com accounts.  (Who knows, there also might
> be non-bounce filtering based on SBL, PBL, XBL, Spamhaus, etc. that we
> are not hearing about.)
>   Checking right now (Tue Jun  9 11:00:56 CDT 2009):
> http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77&.submit=Lookup
> ==============
> IP Address 75.145.177.77 is currently listed in the CBL.
> 
> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
> 5 days, 22 hours, 59 minutes ago.
> ===============
>  Josh, can you click the "de-list" link on the above page to request
> de-listing from CBL.  I'd do it myself, but since we need to keep the
> number of requests low, and we might need to do this again before
> problem is resolved, seems best to have only one person doing it.   The
> site will start ignoring de-list requests if we cry "wolf" too many
> times (well, really cry "no wolf" too many times), i.e. if  too many
> de-list requests are made without a halt to the spam/malware traffic. 
> 
>  Let me know when you request the de-list (or if you already have done
> this).  If we are de-listed, and soon re-listed, we'll know we're still
> a source of spam/malware traffic and have some looking around to do....
> 
> 
>         Cheers,
> 
>         Barry
> 
> 
> 
> 
>> Mike Lehman wrote:
>>> I noticed a lot of bounces this morning, too. Rarely get them. FWIW
>>> Mike Lehman
>>>
>>> Josh King wrote:
>>>> Goddammit. I don't think we have spammers, but I will double-check.  
>>>> There was a site compromise on zeco running a packet generator a 
>>>> while ago, but didn't notice any spam traffic. I'll route the traffic 
>>>> through our offsite relay, see if that helps.
>>>>
>>>> Barry Isralewitz wrote:
>>>>> Hi IMC-Tech folks,
>>>>>
>>>>>   I think chambana.net has been recently blacklisted. Is one of our
>>>>> machines infected and spamming mails and/or running malware
>>>>> attacks?   Just got my second bounce action on a mailing list in a
>>>>> day -- a big deal, since before today, I got darned few (maybe zero?)
>>>>> over the previous three years.
>>>>>
>>>>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>>>>
>>>>> ===
>>>>>  CustName:   URBANA CHAMPAIGN IMC
>>>>>  NetRange:   75.145.177.72 - 75.145.177.79
>>>>>  CIDR:       75.145.177.72/29
>>>>>  NetName:    URBANA-CHAMPAIGN-IMC
>>>>>  RegDate:    2008-04-28
>>>>> =====
>>>>>
>>>>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>>>>   I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>>>>   and saw...
>>>>> ===================
>>>>> IP Address 75.145.177.77 is currently listed in the CBL.
>>>>>
>>>>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>>>>> 5 days, 6 hours, 29 minutes ago.
>>>>>
>>>>> ATTENTION: At the time of detection, this IP was infected with, or
>>>>> NATting for a computer infected with a high volume spam sending trojan -
>>>>> it is participating or facilitating a botnet sending spam or spreading
>>>>> virus/spam trojans.
>>>>>
>>>>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>>>>> without correcting the problem, the CBL WILL eventually stop letting you
>>>>> delist it and you will have to contact us directly.
>>>>>
>>>>> This is the cutwail spamBOT
>>>>>
>>>>> You MUST patch your system and then fix/remove the trojan. Do this
>>>>> before delisting, or you're most likely to be listed again almost
>>>>> immediately.
>>>>>
>>>>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>>>>> prevent outbound port 25 connections to the Internet except from your
>>>>> real mail servers. Please see our recommendations on NAT firewalls
>>>>>
>>>>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>>>>> chance of being able to find/remove the malicious software. If you can
>>>>> find which machine[s] the malware is on.
>>>>>
>>>>> Request delisting of 75.145.177.77
>>>>> =========================
>>>>>
>>>>> Note that we shouldn't simply request delisting; we need to check for the
>>>>> problem they are complaining about first.
>>>>> Here is the text from the bounced bikecoop list mail that told me to
>>>>> check Spamhaus:
>>>>>
>>>>> =================
>>>>>
>>>>> Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said:
>>>>>         554 5.7.1 Service unavailable;
>>>>>         Client host [75.145.177.77] blocked using zen.spamhaus.org;
>>>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>>>>         (in reply to RCPT TO command)
>>>>>
>>>>> Final-Recipient: rfc822; ben at peartreestudio.net
>>>>> Action: failed
>>>>> Status: 5.0.0
>>>>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
>>>>>         550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated.
>>>>>         Please 550-request delisting via the following link: 550
>>>>>         http://www.spamhaus.org/query/bl?ip=75.145.177.77.
>>>>>         (in reply to MAIL FROM command)
>>>>>
>>>>>   And I see a
>>>>> ====
>>>>> > host 75.145.177.77
>>>>> 77.177.145.75.in-addr.arpa domain name pointer 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>>>>> ====
>>>>>
>>>>>
>>>>>
>>>>>          Cheers,
>>>>>
>>>>>          Barry
>>>>>
>> -- 
>> Josh King
>> --
>> "I am an Anarchist not because I believe Anarchism is the final goal,  
>> but because there is no such thing as a final goal." -Rudolf Rocker
>>
>>
> 
> 
> 

-- 
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal, 
but because there is no such thing as a final goal." -Rudolf Rocker
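
Added example (not part of the thread or written by its participants): a small Python helper for the two checks discussed above, namely pulling DNSBL rejections out of bounce text and building and interpreting a zen.spamhaus.org lookup so a re-listing after a delist request is noticed. The function names are hypothetical, the return-code table is taken from Spamhaus's published zen codes rather than from this page, and the sample is condensed from the bounce quoted in the thread.

```python
import ipaddress
import re
import socket

# Return codes documented by Spamhaus for the combined "zen" zone (assumption: not from the thread).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.4": "XBL",
             "127.0.0.9": "SBL-DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Query name for a DNSBL: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map A records from a DNSBL query to list names; 127.255.255.x is an error, not a listing."""
    lists = set()
    for addr in answers:
        if addr.startswith("127.255.255."):
            raise RuntimeError("DNSBL refused the query: " + addr)
        lists.add(ZEN_CODES.get(addr, "unknown:" + addr))
    return sorted(lists)

def check(ip, zone="zen.spamhaus.org"):
    """Live lookup (needs DNS); an empty list means the IP is not listed."""
    try:
        return classify(socket.gethostbyname_ex(dnsbl_name(ip, zone))[2])
    except socket.gaierror:
        return []  # NXDOMAIN: no listing

def dnsbl_bounces(dsn_text):
    """Return (rejecting_host, blocked_ip, zone) per DNSBL rejection in a bounce."""
    hits = []
    for rec in dsn_text.split("Diagnostic-Code:")[1:]:
        rec = " ".join(rec.split())  # undo the line wrapping
        if not re.search(r"blocked using|blacklisted", rec):
            continue
        host = re.search(r"host (\S+?)\[(" + IPV4 + r")\]", rec)
        zone = re.search(r"blocked using ([\w.-]+)", rec)
        others = [i for i in re.findall(IPV4, rec) if not host or i != host.group(2)]
        hits.append((host.group(1) if host else None,
                     others[0] if others else None, zone.group(1) if zone else None))
    return hits

# Sample condensed from the two diagnostics quoted in the thread.
SAMPLE = """Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71] said: 554
 5.7.1 Service unavailable; Client host [75.145.177.77] blocked using zen.spamhaus.org;
Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158] said:
 550-ATLAS(2503): 75.145.177.77 is blacklisted and not authenticated."""
```

`check()` is the only function that touches the network; run it from a host that uses its own resolver, since an answer in 127.255.255.0/24 means the query itself was rejected and says nothing about the listing.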

