Re: Delisting

Wed, 26 Mar 2008 16:27:18 -070
Luis wrote:
> Hi everybody
>
> Yesterday my server was listed as Spammer, and I did everything I
> could do to delist it from Spamcop and worked.
> I don't know why, within less than 24 hours I was listed again...
> Now, I need to know how many times I need to be delisted again.
> PS.: My Exchange is ok, relay is closed.
> In my network, only the Exchange server has access to the port 25,
> and I am sure that I do not have trojans...

Your posting IP is 200.219.199.138  rDNS  smtpout.investtur.com  which
is currently SCbl listed (only) for hitting spamtraps.  I don't find any
spam output from it in sightings.

There's a webserver at www.investtur.com but I don't see any formmail
there that might be exploited.

There's a mailserver at 200.219.199.104 rDNS mail.investtur.com but it
doesn't seem to relay promiscuously for the abuse.net script.

If there were any notifications from spamcop reporters about spam
sourced from the server, they would go to

Reporting addresses:
admin@comdominio.com.br
abuse@comdominio.com.br
postmaster@comdominio.com.br
mail-abuse@cert.br

... but spamtrap hits don't generate reports.

If you are managing the server, you should have logs of its output.  It
is putting out quite a bit of mail:

Report on IP address: 200.219.199.138
Hostname: smtpout.investtur.com
Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.5         633%
Last 30d    2.7

Last month, the average daily output was around 500; now it is over
3000/d.

Does that sound right to you?


-- 
Mike Easter
kibitzer, not SC admin
Re: Delisting
Wed, 26 Mar 2008 18:12:39 -050
"Luis" <lfv@ig.com.br> wrote in message 
news:fsejci$gkp$1@news.spamcop.net...

Sigh,... I'm going to use BOFH speak here, but you should not be 
administering a network or mail server. If you were sufficiently competent 
to do that, you'd know that there is nothing that folks who read this 
newsgroup can possibly do for you especially if you don't even mention the 
listed IP number. With that information some helpful suggestions could be 
made. 
Delisting
Wed, 26 Mar 2008 19:34:57 -030
Hi everybody

Yesterday my server was listed as Spammer, and I did everything I could do 
to delist it from Spamcop and worked.
I don't know why, within less than 24 hours I was listed again... Now, I 
need to know how many times I need to be delisted again.
PS.: My Exchange is ok, relay is closed.
In my network, only the Exchange server has access to the port 25, and I am 
sure that I do not have trojans...

Please, help me.
Tks.


Re: Delisting
Wed, 26 Mar 2008 20:00:30 -040
"Luis" <lfv@ig.com.br> wrote in message 
news:fsejci$gkp$1@news.spamcop.net...
> Hi everybody
>
> Yesterday my server was listed as Spammer, and I did everything I could do
> to delist it from Spamcop and worked.
> I don't know why, within less than 24 hours I was listed again... Now, I 
> need to know how many times I need to be delisted again.
> PS.: My Exchange is ok, relay is closed.
> In my network, only the Exchange server has access to the port 25, and I 
> am sure that I do not have trojans...

Are you absolutely sure you do not have trojans?  I am not a server admin 
and I don't know what could go wrong.  However, this is a link to the forum 
where some exploits are discussed. 
http://forum.spamcop.net/forums/index.php?showtopic=972

If you are only getting spamtrap hits, then it could be that you are 
accepting email and then sending an email to the return path - or other 
automatic replies to spam.

Miss Betsy 

Re: Delisting
Thu, 27 Mar 2008 01:19:40 +000
On Wed, 26 Mar 2008 19:34:57 -0300, Luis <lfv@ig.com.br> wrote:

> Yesterday my server was listed as Spammer, and I did everything I could do
> to delist it from Spamcop and worked.
> I don't know why, within less than 24 hours I was listed again... Now, I 
> need to know how many times I need to be delisted again.
> PS.: My Exchange is ok, relay is closed.

Since I'm on a roll with guesses today, and since your listed IP is
apparently an Exchange Server which you believe to be relay secure,
I will take a guess that it is actually an Exchange Server with
SMTP AUTH (AUTH LOGIN) enabled (Exchange's default) which one or more
unscrupulous bulk emailers have been able to compromise by username and
password cracking and subsequent SMTP AUTH hijacking as explained at:

http://spamcop.net/fom-serve/cache/372.html

SMTP AUTH hijacking is currently rather prevalent, and almost all
current "phishing" Unsolicited Bulk Email is being sent that way.

-- 
Anthony Edwards              *     anthony.edwards@uk.easynet.net
Abuse Team Manager           *     Tel: 020 7900 4444
Easynet Ltd                  *     DDI: 0161 888 3507
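
One way to check a mail server's logs for the pattern suggested in this thread (repeated failed SMTP AUTH attempts from one client, then a success followed by a burst of mail), as an added example that is not part of any post here. The log format, event names, accounts and addresses are a simplified, constructed stand-in and not Exchange's native log format; real logs would need converting to this shape first.

```python
from collections import defaultdict

# Constructed sample: "<date> <client-ip> <event> <user>" (hypothetical format).
SAMPLE_LOG = "\n".join(
    ["2008-03-25 192.0.2.10 AUTH_OK alice"]
    + ["2008-03-25 192.0.2.10 MAIL alice"] * 2
    + ["2008-03-26 203.0.113.7 AUTH_FAIL admin"]
    + ["2008-03-26 203.0.113.7 AUTH_FAIL test"] * 2
    + ["2008-03-26 203.0.113.7 AUTH_OK test"]
    + ["2008-03-26 203.0.113.7 MAIL test"] * 6
    + ["2008-03-26 192.0.2.10 MAIL alice"]
)

def parse(log):
    """Yield (day, ip, event, user) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def daily_volume(log):
    """Messages submitted per day, to spot a jump like the one reported."""
    volume = defaultdict(int)
    for day, _ip, event, _user in parse(log):
        if event == "MAIL":
            volume[day] += 1
    return dict(volume)

def hijack_suspects(log, min_failures=3):
    """Flag (user, ip) pairs where the IP failed AUTH at least min_failures
    times (against any account) before logging in successfully, and count
    the messages that IP then submitted as that user."""
    failed = defaultdict(int)   # ip -> failed AUTH attempts seen so far
    suspects = {}               # (user, ip) -> {"failures": n, "messages": m}
    for _day, ip, event, user in parse(log):
        if event == "AUTH_FAIL":
            failed[ip] += 1
        elif event == "AUTH_OK" and failed[ip] >= min_failures:
            suspects.setdefault((user, ip),
                                {"failures": failed[ip], "messages": 0})
        elif event == "MAIL" and (user, ip) in suspects:
            suspects[(user, ip)]["messages"] += 1
    return suspects

if __name__ == "__main__":
    print(daily_volume(SAMPLE_LOG))
    print(hijack_suspects(SAMPLE_LOG))
```

An account flagged this way should have its password changed and its recent submissions reviewed before another delisting request is made.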