Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

3 of our mailserver blacklisted, can we have a sample/explanation?

24 views
Skip to first unread message

pea...@gmail.com

unread,
Aug 27, 2008, 2:45:19 PM8/27/08
to
Hi guys,

We are a large Exchange email provider in Canada and we have 3
outgoing IP address blacklisted into UCEPROTECT Level 1. The IP
addresses are:

66.46.182.52
66.46.182.54
66.46.182.55

The Reverse Lookup for these IP is relay.ihostexchange.net. Can we
know why our IP has been blocked or can we have a sample to identify
the problem?

Thanks for your help! Regards,


Karl Gagnon
MS Exchange Administrator | Level 3 Technical Support | SherWeb |
North America: 1.888.567.6610 | Europe: ++33 (0)1 72 81 35 97
For any feedback or immediate assistance on existing case, please
contact 1-888-567-6610 ext 556
Web Site : http://www.sherweb.com

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 28, 2008, 7:34:50 AM8/28/08
to
pea...@gmail.com wrote:
> IP address blacklisted into UCEPROTECT Level 1.
> Can we know why our IP has been blocked
> or can we have a sample to identify the problem?

I have found it fairly easy, to find out what caused the issues.

Have you searched your mail server logs for UCEPROTECT-Policy Server ?

e.g. 550 UCEPROTECT-Policy Server decided: 550 (V#.#-EXPO-####)
...
You hit a Spamtrap.
Counter to blacklisting increase for your IP.
421 Service not available, closing transmission channel

...
We have no user with that account here.
No PTR (Reverse-DNS) is assigned to your IP.
Welcome to UCEPROTECT-Level 1.

...
We have no user with that account here.
Your IP was detected to be a Dialup.
Welcome to UCEPROTECT-Level 1.


--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>
will be added to the BlackLists.

Herb Oxley

unread,
Aug 28, 2008, 8:20:17 AM8/28/08
to
pea...@gmail.com wrote:
> Hi guys,

> We are a large Exchange email provider in Canada and we have 3
> outgoing IP address blacklisted into UCEPROTECT Level 1. The IP
> addresses are:

> 66.46.182.52
> 66.46.182.54
> 66.46.182.55

> The Reverse Lookup for these IP is relay.ihostexchange.net. Can we
> know why our IP has been blocked or can we have a sample to identify
> the problem?

Per the UCEPROTECT page, before contacting them for help as to the source
of the spam, you need to search your SMTP logs (often found in
%SYSTEMROOT%\system32\SECURITY\Logs tree) for "UCEPROTECT" assuming
your servers are set up to log verbosely enough to catch the full
SMTP-REJECT message the UCEPROTECT spam trap servers gave.

If your servers have properly configured reverse DNS so they look like
servers and not residential PCs, 50 spam trap hits on a UCEPROTECT server
is needed for a listing, otherwise 5 hits are needed.

If you don't have the SMTP Service configured to provide full reject logs
you need to do that ASAP so you can find which client is either a
professional spammer or whose PC has been hijacked by malware and turned
into a spamcaster and take appropriate action (fire the spammer, suspend
outgoing mail to a virused customer till they cleanup their PC).

--
Herb Oxley (not connected with UCEPROTECT or Admins WS)

Shmuel (Seymour J.) Metz

unread,
Aug 28, 2008, 11:40:38 AM8/28/08
to
In <45a80744-ec94-4e17...@79g2000hsk.googlegroups.com>, on
08/27/2008

at 06:45 PM, pea...@gmail.com said:

>We are a large Exchange email provider in Canada and we have 3 outgoing
>IP address blacklisted into UCEPROTECT Level 1.

Please include the list, record and IP address in your subject.

I don't have any special insight into UCEPROTECT, but the whois record
says

ReferralServer: rwhois://rwhois.allstream.com:4321

and that server is dead; I can't even ping it. That's cause for blocking
66.46.0.0/16, IMHO.


--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Atro Tossavainen

unread,
Aug 29, 2008, 8:31:20 AM8/29/08
to
"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> writes:

> ReferralServer: rwhois://rwhois.allstream.com:4321
>
> and that server is dead; I can't even ping it.

Not being able to ping something is not indicative of anything.

$ telnet rwhois.allstream.com 4321
Trying 216.13.122.14...
Connected to rwhois.allstream.com.
Escape character is '^]'.
%rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions, Inc. V-1.5.9.3)
^]
telnet> quit
Connection closed.

Worked just fine from here Fri Aug 29 08:54:42 UTC 2008

> That's cause for blocking 66.46.0.0/16, IMHO.

Or at least letting hostmaster at arin.net know that said ISP has
trouble understanding http://www.arin.net/policy/nrpm.html#three2

--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS

Shmuel (Seymour J.) Metz

unread,
Aug 29, 2008, 9:47:40 AM8/29/08
to
In <pgzljyg...@kruuna.helsinki.fi>, on 08/29/2008
at 12:31 PM, Atro Tossavainen
<Atro.Tossa...@helsinki.finland.invalid> said:

>Not being able to ping something is not indicative of anything.

Not by itself, but on top of being unable to get an rwhois response, ...

connected to rwhois.allstream.com [216.13.122.14:4321] ...
Timeout waiting for response.


%rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions,
Inc. V-1.5.9.3)

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

Atro Tossavainen

unread,
Aug 29, 2008, 7:20:03 PM8/29/08
to
"Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> writes:

> Not by itself, but on top of being unable to get an rwhois response, ...
>
> connected to rwhois.allstream.com [216.13.122.14:4321] ...
> Timeout waiting for response.
> %rwhois V-1.5:003fff:00 rwhois.bb.allstream.net (by Network Solutions,
> Inc. V-1.5.9.3)

Didn't go that far.

Yes, it's timing out looking up even its own address.

--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS

--

Claus v. Wolfhausen

unread,
Sep 4, 2008, 8:49:22 PM9/4/08
to
In article <45a80744-ec94-4e17...@79g2000hsk.googlegroups.com>,
pea...@gmail.com says...

>
>Hi guys,
>
>We are a large Exchange email provider in Canada and we have 3
>outgoing IP address blacklisted into UCEPROTECT Level 1. The IP
>addresses are:
>
>66.46.182.52
>66.46.182.54
>66.46.182.55

UCEPROTECT-Networks makes it very easy for you to track down which emails have
lead to nominations at our database.

Click on Query Database at our website or simply use

http://www.uceprotect.net/en/rblcheck.php?asn=XXXXX

where XXXXX is your AS-Number.

Click Test and wait for the page has fully loaded.
Then scroll down to the end of that page and you will find a link
which is called:

”Details about IP's involved and dates of impacts can be found here.”

Click it.

A new tab will open in your browser with all IP's listed in Level 1 for this AS
with times of listings and expected expirationdates.

If that information isn't enough to track down guilty users, simply search your
smtp-logs for that dates for following expression:

”Access denied and blocklisted”

Doing so you should be able to track down customers sending to spamtraps and
emailaddresses no longer in use for at least 2 years.

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net

0 new messages