[UCIMC-Tech] are we blacklisted? Is a chambana.net or IMC machine
spamming?
Josh King
josh at ucimc.org
Tue Jun 9 11:35:09 CDT 2009
Hi Barry,
I just requested the delisting, so I will also be keeping an eye on
whether we get placed back on it. Thanks!
Barry Isralewitz wrote:
> Hi Josh,
>
> On Mon, Jun 08, 2009 at 10:59:13PM -0500, Josh King wrote:
>> I haven't been using one of our offsite servers as a mail relayhost
>> since we had problems with it a few weeks ago. I reinstated it, and now
>> all outgoing mail is getting sent through it instead of direct from the
>> mailserver at the IMC. I haven't seen more bounces in the logs so far,
>> so I think we just have to keep an eye on it.
>
> Short version: Josh, could you click the "Request delisting" link on
> the below cbl.abuseat.org page, to request de-listing of our host
> 75.145.177.77 from CBL.
>
> Details:
> Our server 75.145.177.77 (mail.chambana.net) is still listed in CBL,
> and thus XBL, and thus Spamhaus. This means bounces are still
> possible/likely from mail servers that rely on either (correct?) --
> like some/all hotmail.com accounts . (Who knows, there might also might
> be non-bounce filtering based on SBL , PBL, XBL, Spamhaus, etc that we are not hearing
> about.)
> Checking right now (Tue Jun 9 11:00:56 CDT 2009):
> http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77&.submit=Lookup
> ==============
> IP Address 75.145.177.77 is currently listed in the CBL.
>
> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
> 5 days, 22 hours, 59 minutes ago.
> ===============
> Josh, can you click the "de-list" link on the above page to request
> de-listing from CBL. I'd do it myself, but since we need to keep the
> number of requests low, and we might need to do this again before
> problem is resolved, seems best to have only one person doing it. The
> site will start ignoring de-list requests if we cry "wolf" too many
> times (well, really cry "no wolf" too many times), i.e. if too many
> de-list requests are made without a halt to the spam/malware traffic.
>
> Let me know when you request the de-list (or if you already have done
> this). If we are de-listed, and soon re-listed, we'll know we're still
> a source of spam/malware traffic and have some looking around to do....
>
>
> Cheers,
>
> Barry
>
>
>
>
>> Mike Lehman wrote:
>>> I noticed a lot of bounces this morning, too. Rarely get them. FWIW
>>> Mike Lehman
>>>
>>> Josh King wrote:
>>>> Goddammit. I don't think we have spammers, but I will double-check.
>>>> There was a site compromise on zeco running a packet generator a
>>>> while ago, but didn't notice any spam traffic. I'll route the traffic
>>>> through our offsite relay, see if that helps.
>>>>
>>>> Barry Isralewitz wrote:
>>>>> Hi IMC-Tech folks,
>>>>>
>>>>> I think chambana.net has been recently blacklisted. Are one of our
>>>>> machines infected and spamming mails and/or running malware
>>>>> attacks? Just got my second bounce action on a mailing list in a
>>>>> day -- a big
>>>>> deal, since before today, I got darned few (maybe zero?) over
>>>>> previous three years.
>>>>>
>>>>> The problematic IP address 75.145.177.77 seems to be one of ours...
>>>>>
>>>>> ===
>>>>> CustName: URBANA CHAMPAIGN IMC
>>>>> NetRange: 75.145.177.72 - 75.145.177.79 CIDR:
>>>>> 75.145.177.72/29 NetName: URBANA-CHAMPAIGN-IMC RegDate:
>>>>> 2008-04-28 =====
>>>>>
>>>>> Via http://www.spamhaus.org/query/bl?ip=75.145.177.77
>>>>> I went to http://cbl.abuseat.org/lookup.cgi?ip=75.145.177.77
>>>>> and saw...
>>>>> ===================
>>>>> IP Address 75.145.177.77 is currently listed in the CBL.
>>>>>
>>>>> It was detected at 2009-06-03 17:00 GMT (+/- 30 minutes), approximately
>>>>> 5 days, 6 hours, 29 minutes ago.
>>>>>
>>>>> ATTENTION: At the time of detection, this IP was infected with, or
>>>>> NATting for a computer infected with a high volume spam sending trojan -
>>>>> it is participating or facilitating a botnet sending spam or spreading
>>>>> virus/spam trojans.
>>>>>
>>>>> ATTENTION: If you simply repeatedly remove this IP address from the CBL
>>>>> without correcting the problem, the CBL WILL eventually stop letting you
>>>>> delist it and you will have to contact us directly.
>>>>>
>>>>> This is the cutwail spamBOT
>>>>>
>>>>> You MUST patch your system and then fix/remove the trojan. Do this
>>>>> before delisting, or you're most likely to be listed again almost
>>>>> immediately.
>>>>>
>>>>> If this IP is a NAT firewall/gateway, you MUST configure the NAT to
>>>>> prevent outbound port 25 connections to the Internet except from your
>>>>> real mail servers. Please see our recommendations on NAT firewalls
>>>>>
>>>>> The Microsoft MSRT (Malicious Software Removal Tool) stands a good
>>>>> chance of being able to find/remove the malicious software. If you can
>>>>> find which machine[s] the malware is on.
>>>>>
>>>>> Request delisting of 75.145.177.77
>>>>> =========================
>>>>>
>>>>> Note that we shouldn't simply request delisting; we need to check
>>>>> for the
>>>>> problem they are complaining about first.
>>>>> Here is the text from the bounced bikecoop list mail that told me
>>>>> to check Spamhaus:
>>>>>
>>>>> =================
>>>>>
>>>>> Diagnostic-Code: X-Postfix; host secondary.ecospark.net[64.40.115.71]
>>>>> said: 554
>>>>> 5.7.1 Service unavailable;
>>>>> Client host [75.145.177.77] blocked using
>>>>> zen.spamhaus.org;
>>>>> http://www.spamhaus.org/query/bl?ip=75.145.177.77 (in
>>>>> reply to RCPT TO command)
>>>>>
>>>>> Final-Recipient: rfc822; ben at peartreestudio.net
>>>>> Action: failed
>>>>> Status: 5.0.0
>>>>> Diagnostic-Code: X-Postfix; host mx0.123-reg.co.uk[194.154.164.158]
>>>>> said:
>>>>> 550-ATLAS(2503): 75.145.177.77 is blacklisted and not
>>>>> authenticated.
>>>>> Please 550-request delisting via the following link: 550
>>>>> http://www.spamhaus.org/query/bl?ip=75.145.177.77. (in reply to
>>>>> MAIL
>>>>> FROM command)
>>>>>
>>>>> And I see a ====
>>>>>> host 75.145.177.77
>>>>> 77.177.145.75.in-addr.arpa domain name pointer
>>>>> 75-145-177-77-Illinois.hfc.comcastbusiness.net.
>>>>> ====
>>>>>
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Barry
>>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> IMC-Tech mailing list
>>>> IMC-Tech at lists.ucimc.org
>>>> http://lists.chambana.net/cgi-bin/listinfo/imc-tech
>>>>
>> --
>> Josh King
>> --
>> "I am an Anarchist not because I believe Anarchism is the final goal,
>> but because there is no such thing as a final goal." -Rudolf Rocker
>>
>>
>
>
>
--
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal,
but because there is no such thing as a final goal." -Rudolf Rocker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.chambana.net/mailman/archive/imc-tech/attachments/20090609/157c3ce6/signature.pgp
More information about the IMC-Tech
mailing list