Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: IP address listed in CBL list

  1. #1

    ip address listen in cbl list

    hello all

    im facing some horrible problem with my mail server. i have mail server running on imail. since few days im getting bounce mail with this error..


    Delivery failed 5 attempts: ***@***.com
    >
    > RCPT TO generated following response:
    > 451 Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=( my mail server ip **** )
    >
    >
    >
    > Original message follows.
    >
    > Received: from britto [59.144.19.5] by seapol.com with ESMTP
    > (SMTPD32-8.15) id ACA8CC902D4; Thu, 31 Aug 2006 07:05:28 -0700
    > Message-ID: <037d01c6cd70$fbc46060$0800a8c0@britto>

    i have tried to search with given link but the my server ip is not listen in cbl or sbl list.

    IP Address **** was not found in the CBL.

    It was previously listed, but was removed at 2006-09-01 07:10 GMT

    in http://www.spamhaus.org/query/bl?ip=*****



    IP Address Lookup


    *****is not listed in the SBL

    ***** is not listed in the XBL



    If the IP you are checking is not in our database, but you are receiving bounce messages saying it is, then it is probable the IP has been removed from our database but DNS servers around the internet have not yet updated. In this case, wait 1-2 hours and the blocking should clear by itself.

    This lookup tool is for manual (non-automated) lookups only. Any perceived use of automated tools to access this system will result in firewalling or other countermeasures.

    as per the xbl website my server ip is not listed and it might take 1 to 2 hours to update DNS server around the world. but im getting bounce mail since week or more than that..

    i am able to send a mail to those email account using yahoo or hotmail or gmail.


    what should i do now.. thank in adv.
    one of the great day in my life when i found antionline.com

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: ip address listen in cbl list

    Originally posted here by pbrprince
    what should i do now.. thank in adv.
    IP Address **** was not found in the CBL.

    It was previously listed, but was removed at 2006-09-01 07:10 GMT
    You gave the answer yourself:

    If the IP you are checking is not in our database, but you are receiving bounce messages saying it is, then it is probable the IP has been removed from our database but DNS servers around the internet have not yet updated. In this case, wait 1-2 hours and the blocking should clear by itself.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    IP Address **** was not found in the CBL.

    It was previously listed, but was removed at 2006-09-01 07:10 GMT

    yester day also i saw same messege on the site...with 2006-08-31...... i dont know why they keep blocking my ip...

    everytime i need to unblock it....im using strong antivirus and baraccuda for spam.
    one of the great day in my life when i found antionline.com

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Obviously something is getting flagged from your domain whether it be legitimate "bad stuff" or a false positive.

    If this continues, perhaps it is time to contact the folks over there via telephone and see what is kicking off the flag.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Is it possible your Imail is set up as an open relay?

    We're told that Imail is open relay by default, but can be closed easily. To stop open relay, on the Imail SMTP Security panel, click Relay options:Relay for Addresses and enter your trusted ip addresses and/or subnets. Then, on the Imail SMTP Security panel, UNcheck "Disable SMTP AUTH reporting" and tell all your mail users to use SMTP AUTH in their mail client programs.
    Source

    Cheers:
    DjM

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If you are an open relay then you can bet your arse that you're on an open relay list somewhere on the net and spammers are having a wonderful time bouncing spam off your domain.

    An open relay list is basically the newspaper to spammers which tells them where they can bounce their garbage off of without having to worry about RBLs and such.

    This would make perfect sense and you would have been made wise to it if you spoke to the folks who have tagged you.

    --TH13

    PS
    Nice grab DjM
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    thanks thehorse13

    i went through the http://www.ordb.org and i didnt found my ip listen in ordb database.

    This host is not listed in ORDB as an open mail relay


    Main database status for**** (****)
    Look up this host in non-ORDB RBL's (May take a while to load)
    The host **** is not in the main database


    DJM :- i have selected NO MAIL RELAY in smtp security. so there is no chance for relay, users have to provide valid user id and password to use smtp.



    i spoke to the CBL person...he said tht Your IP had been blocked because of virus . but we are using strong antivirus (norton enterprise) and gud firewall (barracuda). so how come virus can be distributed by our server ?? as we have 350 live sites runnig on our server we cant let it happen again.

    this is the same software i am running for my mail server since 3 years but i never face virus problem before.

    thanks for ur suggestion guys
    one of the great day in my life when i found antionline.com

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    You might like to look at this:

    http://cbl.abuseat.org/

    Please remember that AV products are mostly retrospective and reactive. They may not spot things. Whilst you would expect 98% or better detection of known malware, that rate falls to 70% or lower for variants and mutations.

    Please check out reports #10 and #11 on this site: http://www.av-comparatives.org/ to get an idea of what I am talking about

    If it is possible, I would check your server with an online scanner such as PC-Cillin (Trend Micro) or Panda.

    I am guessing as to the architecture here, but it would seem to me that if you have an infected client using your server, and your server's malware detectors don't spot the infected mail, you will forward it to it's destination? In this situation, your server is probably not infected, itself.

    This is not my area of expertise but I do know that quite a few mail servers run more than one scanner, and that the pattern files are updated on an hourly basis. Obviously this involves a greater system overhead.

    Just a thought

  9. #9
    nihil

    i have antivirus in my local server (as a software) and i am using hardware firewall+antivirus (barracuda) so when mail process start mail comes to the spool directory (Norton scan .ges and .smd files for virus in spool directory of Imail) and barracuda also scan each and every mail (that is the function of barracuda hardware antivirus) so what i am thinking is....is it possible to have totally new virus which is not yet updated by (barracuda and Norton)

    I have scanned my server with (pc-cillin Trend Micro online scan) and found nothing.

    In this case what is the best way to secure my server against deadly virus? This is the biggest problem i ever face. bcoz once my ip blocked bye the CBL and SBL none of my client can send mail ( 350 live sites ) and they are keep blocking my ip( reason virus) it means there is still something in my server which is not in database of any antivirus.

    one more thing i would like to know...why CBL doest block my local server ( Dubai base ) i am not using antivirus for scanning each mail. The server which had been blocked by CBL is U.S base. It means they are not covering Middle East area
    one of the great day in my life when i found antionline.com

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    so what i am thinking is....is it possible to have totally new virus which is not yet updated by (barracuda and Norton)
    In theory the answer is "yes". However this must be unlikely as somone else is using a scanner that detects it, or you would not be on the block list? Also you have used online scanners that should have detected something if it were there. And this has been happening for a week, which is too long in my opinion.

    This makes me wonder if your server is clean, and the problem is on one or more of your clients?

    Please check the rules you have set for your AV scanning of the actual mail items. Does it scan attachments, does it scan all file types, does it scan archived and compressed files, does it scan the body of the mail as well as the text? It could be your settings.

    I don't know if they will help, but can CPL tell you which virus it is supposed to be?

    If you have problems in the USA and not Dubai, it could be that the servers are clean, and that the infected client is in the US?

    An alternative approach would be to examine your AV logs and see which clients you are actually blocking viruses from. Those are your prime suspects I would say. I would politely contact them and ask them to update their OS and run up to date AV scans........... that might well stop it?



    EDIT: Along the same lines, if you have statistics for usage/traffic by client; I would expect an infected one to show a sudden upsurge in the period that you mention.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •