Solved

Removal from DNS Block Lists

Posted on 2002-05-20
Last Modified: 2008-03-04
I am running an email server for multiple clients of ours.  Recently, almost all of our clients have complained that they are getting email bounced back with the following error:

----- The following addresses had permanent fatal errors ----- <jdoe@mycompany.com>
(reason: 550 5.7.1 your server is on the OSIRUSOFT relay exclusion list, see http://relays.osirusoft.com/ )

I went to relays.osirusoft.com and spent two hours trying to find out what caused the problem.  They have so much "BS" information, I can't figure out what to do.  I sent an email to retest@relays.osirusoft.com and I received no reply.  I need to find out how to stop "servers/ISPs/etc." from blocking legitimate email from my clients.  I know that none of my clients that are on that server send out spam.  The server is set up to require SMTP authentication, so it shouldn't be possible for others to send mail through it.  I would like to find out how our IP address got listed on these databases, but more importantly, how to remove it and quickly.  If you do a test on our IP address at the relays.osirusoft.com site, it comes back with the following:

(127.0.0.4) {---My Email Server's IP Address---} is DNSbl listed. by relays.osirusoft.com
[1] ScottRichter, see http://spews.org/ask.cgi?S511
If you're listed by spamhaus.relays.osirusoft.com, please take this issue up with spamhaus.org
If you're listed by spamsites.relays.osirusoft.com, please take this issue up with spamsites.org
If you're listed by spews.relays.osirusoft.com, please take this issue up with spews.org
If you're not listed as a 127.0.0.2 or 127.0.0.3, please don't bother the administrator of relays.osirusoft.com
The data in relays.osirusoft.com is a composite of all other subzones. This list is used to stop spam from entering osirusoft.com's mail server.

(127.0.0.4) {---My Email Server's IP Address---} is DNSbl listed. by xbl.selwerd.cx
listwashing
please see http://selwerd.cx/xbl/
this is not a list of open relays

(127.0.0.7) {---My Email Server's IP Address---} is DNSbl listed. by blackholes.five-ten-sg.com
added 2001-11-12; spam support - hosting messagemedia.com
added 2002-03-25; spam support - allowing opt-out mailing
added 2002-03-03; spam support - hosting http://www.bid4vacations.com
added 2002-04-14; spam support - hosting http://worldsubmissionservice.com/
added 2002-04-23; spam support - hosting mb01.net

(127.0.0.4) {---My Email Server's IP Address---} is DNSbl listed. by spews.relays.osirusoft.com
[1] ScottRichter, see http://spews.org/ask.cgi?S511
Please visit this link for questions about why your mail was bounced.
Please visit this link for instructions about how spews operates.
This zone maintained by spews.org
Question by:bmccleary
11 Comments
 
LVL 3

Expert Comment

by:DVB
ID: 7022364
http://spews.org/html/S511.html
has all the gory details of the spammer(s) hosted by your system.
You probably have Scott Richter as one of your clients.
Get rid of that domain, and make sure the NS don't point to you.
BTW, you are in my SMTP access.db as well for allowing spammer to operate from your server.
The problem is at your end. Get rid of the spammer, fix your policies and enforce them and you will be off those blacklists.
(after ensuring that you are really trying to fix the problem)

Good luck. Clean up the Net.
0
 

Author Comment

by:bmccleary
ID: 7022430
DVB,
Thanks for the quick reply, but I am still confused.  I read through all the information at that S511 page and I saw nothing that listed our domain or IP address.  I might as well tell you our email IP address... it is 66.45.30.98. The closest thing that I could find is that the same subnet 66.45.30.0 (inflow) was listed.  It is a new server and I only have 4 clients on it now and I KNOW that none of them send out spam.  Scott Richter is NOT one of my clients, and the only coincidence is that he resides in Colorado, the same as us.  How did you know that we were in your database?  I didn't provide the email server's IP address in the original post.  
That being said, our email server is our own, but it is managed by our ISP and they say the problem is on our end.  We are dedicated to providing quality business class hosting and we can't be listed on these servers.  We have enabled SMTP authentication for sending email, so shouldn't this be the "policy fix"?  Again, this issue is almost foreign to me so any help is certainly appreciated!!!
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 7022872
I couldn't find you on any blacklist.
You might want to start here:
http://mail-abuse.org/
http://mail-abuse.org/rbl/candidacy.html
http://spam.abuse.net/spam/
http://www.mail-abuse.org/tsi/
http://www.pingmeplease.com/
http://mail-abuse.org/cgi-bin/nph-rss
66.45.30.98 is NOT currently on the RSS list.
Sorry, can't find any spam in the archive for 66.45.30.98. Contact us if you need assistance
http://mail-abuse.org/cgi-bin/lookup
http://spam.abuse.net/spam/goodsites/



Inflow (NETBLK-NFLO-AR-2)
   938 Bannock St

   Denver, CO 80204

   US

   Netname: NFLO-AR-2
   Netblock: 66.45.0.0 - 66.45.127.255
   Maintainer: NFLO

   Coordinator:
      Inflow, Joe  (JI133-ARIN)  hostmaster@inflow.com
      (303) 942-2800

   Domain System inverse mapping provided by:

   NS1.INFLOW.NET          209.119.36.3
   NS2.INFLOW.NET          208.169.16.115

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 09-Oct-2001.
   Database last updated on  19-May-2002 19:58:40 EDT.

0
 
LVL 16

Expert Comment

by:GUEEN
ID: 7022900
Hmmm well I guess you provided the spews proof -
Did you read the SPEWS FAQ?

Q41: How does one contact SPEWS?  
A41: One does not. SPEWS does not receive email - it's just an automated system and website, SPEWS and other blocklist issues can be discussed in the public forums mentioned above. The newsgroup news.admin.net-abuse.email (NANAE) is a good choice, and Google makes it quite easy to post messages there via the Web as M@ilGate does via email. Note that posting messages in these newsgroups & lists will not have any effect on SPEWS listings, only the discontinuation of spam and/or spam support will. Be aware that posting ones email address to any publicly viewable forum or website makes it instantly available to spammers. If you're concerned about getting spammed, change or "mung" the email address you use to post with.

So it looks like you should do as DVB suggested above since there is no direct way to contact SPEWS.

Q5: Why are network addresses listed if no spam has originated from them?  
A5: They are listed because they have been set up by known spammers and spam support operations, most with a demonstrable repeated history of spamming or spamming services. They are also listed if they host websites advertised in spam, as this too falls under spamming services - these listings normally occur if the owners of that network address range do not remove the offenders.  
Q6: How did "I" get into SPEWS?!  
A6: Normally it is not "you" who was listed but your ISP or host. They may have been listed due to spam originating from their section of the Internet or due to their hosting or providing services for known spammers. The SPEWS bounce page covers this in more detail. Now if you are a spammer, or spammer supporter, yourself, you were listed for that reason.  



0
 

Author Comment

by:bmccleary
ID: 7023027
shekerra,
Thanks for the information, but it doesn't help a whole lot.  I read through those FAQ's and they basically say that you can't remove your address from these lists and that the news groups only provide a forum for a person to complain.  Again, I can't have my customers having their mail blocked, and I can wait for days/weeks/months for these databases to delete my records, especially when I don't know why it was listed in the first place.  Is my only option to get a whole new IP address? This seems like a pain in the rear.  Any suggestions?
0
 
LVL 16

Expert Comment

by:GUEEN
ID: 7023087
I'll check further and get back to you.  I totally understand how you feel but there is such an anti-spam distaste out there that people are getting pretty harsh.
Actually I am slammed with major, major spam everyday now and I'm getting rid of one ISP due to that fact. So I know how angry I am with spam.
Did you purchase thru a reseller? Or via inflow?

http://inflow.com/customercenter/customercenter.asp

0
 
LVL 16

Expert Comment

by:GUEEN
ID: 7023090
Dew Associates is a reseller. I'll send him this link and see if he can offer you any good advice for your problem (he may not be here until later tonight EST.)
0
 

Author Comment

by:bmccleary
ID: 7023102
shekerra,
Thanks for your attention.  We have our servers located at Inflow and they are managed by HugeHosting.com.  Huge has a ton of customers, but that IP address is specifically assigned to us for our Email server.  If the problem is that they don't have the server set up correctly or something else that they did caused the problem, then I can bring it up to them and demand a resolution.  But, until then, I need to find out if it is us or one of our clients that is causing the problem.  For your reference, the email is sitting on a Linux box and running Ensim 3.0 Mail Server software.  We also have another email server at this location, same configuration, but with a different IP address that is not listed or blocked in any way.  FYI - the only emails that are (currently) being returned are the ones that are listed by relays.osirusoft.com.
Thanks!
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 7025920
I'd like to help, but Shekerra has given you about as much info as I could have. Someone using your IP address has been spamming. It could have been caused by many things, including a trojan or worm. If I were you, I'd start by tracking down the problem and making sure that you have resolved it. As for contacting someone, anyone with a registered site has to have a contact person with email and phone.
0
 
LVL 3

Accepted Solution

by:
DVB earned 100 total points
ID: 7032523
Get your ISP to assign you a different IP address block. Or shift your ISP.
That is what spews wants done anyway. Hit the spam supporting ISPs where it hurts them the most. You are collateral damage. Sorry.
0
 

Author Comment

by:bmccleary
ID: 7032567
DVB, dew_associates  and shekerra,
Thank you all for the information.  You are correct, the only way I will be able to completely fix the problem is by switching IP addresses.  Therefore, I am having our hosting company transfer us to a completely new IP subnet (because the entire class-c is listed on these sites).  I know that spam is a royal pain and that something needs to be done to prevent it, but it's unfortunate that there are not better methods than these block lists that can really hurt innocents.

All of your information was helpful but unfortunately I can only award the points to one person.  Also to let you know, I am going to request that this question be deleted  or audited from EE because there is too much personal information listed.
0
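An added example, not part of the original thread: a DNSBL check that tells a listing of one mail server apart from a listing of its whole /24, which is the distinction the thread ends on. The zone `spews.relays.osirusoft.com`, the address 66.45.30.98 and the code 127.0.0.4 come from the posts above; `single.example`, the function names and the responses in `constructed_lookup` are assumptions made up for the demonstration.

```python
import ipaddress
import socket

LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_lookup(name):
    """A-record lookup via the system resolver; None means no record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, zone, lookup=live_lookup):
    """Return the 127.0.0.x listing code, or None if the address is not listed."""
    answer = lookup(dnsbl_name(ip, zone))
    # Listings are answers inside 127.0.0.0/8; any other answer is not a listing.
    if answer and ipaddress.IPv4Address(answer) in LISTING_NET:
        return answer
    return None

def listing_scope(ip, zone, lookup=live_lookup, samples=(1, 50, 100, 150, 200, 250)):
    """Classify a listing as 'not listed', 'single address' or 'netblock'."""
    if check(ip, zone, lookup) is None:
        return "not listed"
    base = ipaddress.IPv4Network(ip + "/24", strict=False).network_address
    neighbours = [base + h for h in samples if base + h != ipaddress.IPv4Address(ip)]
    listed = sum(1 for n in neighbours if check(str(n), zone, lookup))
    return "netblock" if listed == len(neighbours) else "single address"

def constructed_lookup(name):
    """Constructed sample data standing in for DNS, so the demo runs offline."""
    if name.endswith(".30.45.66.spews.relays.osirusoft.com"):
        return "127.0.0.4"   # every host in the /24 answers, as in the thread
    if name == "98.30.45.66.single.example":
        return "127.0.0.2"   # hypothetical zone that lists one host only
    return None

if __name__ == "__main__":
    for zone in ("spews.relays.osirusoft.com", "single.example"):
        print(zone, "->", listing_scope("66.45.30.98", zone, constructed_lookup))
```

A "netblock" result points at whoever controls the address range rather than at the mail server's own relay settings, which is why SMTP authentication on the host did not clear the listing discussed above.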
