We are a large Exchange email provider in Canada and we have 3
outgoing IP address blacklisted into UCEPROTECT Level 1. The IP
addresses are:
66.46.182.52
66.46.182.54
66.46.182.55
The Reverse Lookup for these IP is relay.ihostexchange.net. Can we
know why our IP has been blocked or can we have a sample to identify
the problem?
Thanks for your help! Regards,
Karl Gagnon
MS Exchange Administrator | Level 3 Technical Support | SherWeb |
North America: 1.888.567.6610 | Europe: ++33 (0)1 72 81 35 97
For any feedback or immediate assistance on existing case, please
contact 1-888-567-6610 ext 556
Web Site : http://www.sherweb.com
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
I have found it fairly easy, to find out what caused the issues.
Have you searched your mail server logs for UCEPROTECT-Policy Server ?
e.g. 550 UCEPROTECT-Policy Server decided: 550 (V#.#-EXPO-####)
...
You hit a Spamtrap.
Counter to blacklisting increase for your IP.
421 Service not available, closing transmission channel
...
We have no user with that account here.
No PTR (Reverse-DNS) is assigned to your IP.
Welcome to UCEPROTECT-Level 1.
...
We have no user with that account here.
Your IP was detected to be a Dialup.
Welcome to UCEPROTECT-Level 1.
--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>
will be added to the BlackLists.
> We are a large Exchange email provider in Canada and we have 3
> outgoing IP address blacklisted into UCEPROTECT Level 1. The IP
> addresses are:
> 66.46.182.52
> 66.46.182.54
> 66.46.182.55
> The Reverse Lookup for these IP is relay.ihostexchange.net. Can we
> know why our IP has been blocked or can we have a sample to identify
> the problem?
Per the UCEPROTECT page, before contacting them for help as to the source
of the spam, you need to search your SMTP logs (often found in
%SYSTEMROOT%\system32\SECURITY\Logs tree) for "UCEPROTECT" assuming
your servers are set up to log verbosely enough to catch the full
SMTP-REJECT message the UCEPROTECT spam trap servers gave.
If your servers have properly configured reverse DNS so they look like
servers and not residential PCs, 50 spam trap hits on a UCEPROTECT server
is needed for a listing, otherwise 5 hits are needed.
If you don't have the SMTP Service configured to provide full reject logs
you need to do that ASAP so you can find which client is either a
professional spammer or whose PC has been hijacked by malware and turned
into a spamcaster and take appropriate action (fire the spammer, suspend
outgoing mail to a virused customer till they cleanup their PC).
--
Herb Oxley (not connected with UCEPROTECT or Admins WS)
>We are a large Exchange email provider in Canada and we have 3 outgoing
>IP address blacklisted into UCEPROTECT Level 1.
Please include the list, record and IP address in your subject.
I don't have any special insight into UCEPROTECT, but the whois record
says
ReferralServer: rwhois://rwhois.allstream.com:4321
and that server is dead; I can't even ping it. That's cause for blocking
66.46.0.0/16, IMHO.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>
I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org
> ReferralServer: rwhois://rwhois.allstream.com:4321
>
> and that server is dead; I can't even ping it.
Not being able to ping something is not indicative of anything.
$ telnet rwhois.allstream.com 4321
Trying 216.13.122.14...
Connected to rwhois.allstream.com.
Escape character is '^]'.
%rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions, Inc. V-1.5.9.3)
^]
telnet> quit
Connection closed.
Worked just fine from here Fri Aug 29 08:54:42 UTC 2008
> That's cause for blocking 66.46.0.0/16, IMHO.
Or at least letting hostmaster at arin.net know that said ISP has
trouble understanding http://www.arin.net/policy/nrpm.html#three2
--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
>Not being able to ping something is not indicative of anything.
Not by itself, but on top of being unable to get an rwhois response, ...
connected to rwhois.allstream.com [216.13.122.14:4321] ...
Timeout waiting for response.
%rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions,
Inc. V-1.5.9.3)
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>
I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org
--
> Not by itself, but on top of being unable to get an rwhois response, ...
>
> connected to rwhois.allstream.com [216.13.122.14:4321] ...
> Timeout waiting for response.
> %rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions,
> Inc. V-1.5.9.3)
Didn't go that far.
Yes, it's timing out looking up even its own address.
--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
--
UCEPROTECT-Networks makes it very easy for you to track down which emails have
lead to nominations at our database.
Click on Query Database at our website or simply use
http://www.uceprotect.net/en/rblcheck.php?asn=XXXXX
where XXXXX is your AS-Number.
Click Test and wait for the page has fully loaded.
Then scroll down to the end of that page and you will find a link
which is called:
”Details about IP's involved and dates of impacts can be found here.”
Click it.
A new tab will open in your browser with all IP's listed in Level 1 for this AS
with times of listings and expected expirationdates.
If that information isn't enough to track down guilty users, simply search your
smtp-logs for that dates for following expression:
”Access denied and blocklisted”
Doing so you should be able to track down customers sending to spamtraps and
emailaddresses no longer in use for at least 2 years.
--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net