Sorry for the typos previously, but this is what we figured out. I have a proxy server that I use for content filtering. I had its IP address in my allowable SMTP pool. They were running through the proxy back to the IMail server. I have no idea how they figured that out, since my IMail server is 65.240.164.10 and the proxy is on another network, 208.251.150.137.
http://www.senderbase.org/search?searchBy=ipaddress&searchString=208.251.150.137

Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

----- Original Message -----
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 11, 2004 12:29 PM
Subject: Re: [Declude.JunkMail] Fw: Help, I have been blacklisted

> I actually saw this happening but didn't know what was taking all my
> resources...and I am not really that technical so it was just trial and
> error and help from you folks...I took out the proxy IP in my allowable for
> SMTP and everything seems to be back the way I am used to....I guess I will
> have to wait and find out..
>
> SPAMCOP says I will be delisted in 2 days if nothing else comes across..what
> about the other spam filter tools that I am listed on..does anyone know
> about those..
>
> ----- Original Message -----
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 11, 2004 11:55 AM
> Subject: Re: [Declude.JunkMail] Fw: Help, I have been blacklisted
>
> >
> > >My log files have tripled in size the last 3 days.
> >
> > Quick action is key to hijacking. The spammer has already gotten his
> > money's worth from your service. Three days of spamming before getting
> > kicked off is excellent for a spammer. They are happy with 12 hours if
> > they can get it.
> >
> > Entering your IP in the Spam Database Lookup tool at
> > http://www.DNSstuff.com shows the PSBL listing, which lists this evidence:
> >
> > From [EMAIL PROTECTED] Tue Sep 07 15:20:34 2004
> > Delivery-date: Tue, 07 Sep 2004 15:20:34 -0400
> > Received: from [65.240.164.10] (helo=ethixs.com)
> >     by mail.victim.example with esmtp (Exim 4.41)
> >     id 1C4lW6-0003Ru-1O
> >     for [EMAIL PROTECTED]; Tue, 07 Sep 2004 15:20:34 -0400
> > Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
> >     (SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
> > From: "Moira Shori"<[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: FDA APPROVED PRESCRl|PT|0N MEDI1CATlONS.
> > Mime-Version: 1.0
> > Date: Tue, 7 Sep 2004 15:14:03 -0400
> >
> > Removing all but the Received: headers brings it down to:
> >
> > Received: from [65.240.164.10] (helo=ethixs.com)
> >     by mail.victim.example with esmtp (Exim 4.41)
> >     id 1C4lW6-0003Ru-1O
> >     for [EMAIL PROTECTED]; Tue, 07 Sep 2004 15:20:34 -0400
> > Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
> >     (SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
> >
> > The first Received: header is from the mailserver that actually received
> > the spam. The second one is the one that is apparently from your
> > mailserver. And guess what? It matches the IMail Received: header format
> > perfectly. Guess what else? You can cross-reference that with your IMail
> > log files to prove that IMail did indeed send the E-mail. And you can
> > check to see if the IP 201.129.134.20 is allowed to relay. And you can
> > check to see if any funky stuff went on to get the E-mail sent out (such as
> > authentication or a deprecated routing format using '%' or '!').
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Ultra reliable virus detection and the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
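
Added example, not part of the original thread: a Python sketch of the header check described in the quoted reply, run over the two Received: headers posted there. The allow-list contents, the `received_hops`, `triage` and `legacy_routing` helpers and the sample recipient strings are assumptions made for illustration; IMail's own log format is not parsed here.

```python
import ipaddress
import re

# The two Received: headers quoted in the thread, as posted (addresses redacted there).
HEADERS = """\
Received: from [65.240.164.10] (helo=ethixs.com)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1C4lW6-0003Ru-1O
    for [EMAIL PROTECTED]; Tue, 07 Sep 2004 15:20:34 -0400
Received: from scooping [201.129.134.20] by ethixs.com with ESMTP
    (SMTPD32-7.11) id A85B449A025C; Tue, 07 Sep 2004 15:13:31 -0400
"""

# Assumed relay allow list: loopback plus the proxy address named in the thread.
RELAY_ALLOWED = ["127.0.0.1/32", "208.251.150.137/32"]

HOP = re.compile(r"from\s+(?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")

def received_hops(raw):
    """Unfold continuation lines; return (helo, client_ip, by_host), newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2)), m.group(3).lower()))
    return hops

def triage(raw, our_host, relay_allowed):
    """Find the hop stamped by our_host and test its client IP against the allow list."""
    nets = [ipaddress.ip_network(n) for n in relay_allowed]
    for helo, ip, by_host in received_hops(raw):
        if by_host == our_host.lower():
            return {"client": str(ip), "helo": helo,
                    "relay_allowed": any(ip in n for n in nets)}
    return None  # no hop in these headers was stamped by our_host

def legacy_routing(rcpt):
    """True when a recipient uses the deprecated '%' or '!' routing forms."""
    local = rcpt.rsplit("@", 1)[0]
    return "%" in local or "!" in local

if __name__ == "__main__":
    print(triage(HEADERS, "ethixs.com", RELAY_ALLOWED))
    # Constructed recipient strings, one per routing form plus a normal address:
    for rcpt in ("user%target.example@relay.example", "relay!target!user", "user@target.example"):
        print(rcpt, legacy_routing(rcpt))
```

When `relay_allowed` comes back false for the hop your own server stamped, the allow list alone does not explain the relay, which leaves the authentication and routing-format checks named in the reply.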
