CBL feeds its list by way of spamtraps exclusively (to the best of my knowledge).  They also take care to try to not list non-exploited legitimate servers such as a listserv from a legitimate company that one customer just so happened to have loaded in an address that hit a spam trap.  This includes things such as whether or not the IP is in DUL space, or has no reverse DNS entry, or in this case it appears that they tagged you as being exploited because your IP made multiple connections that hit their spam traps using different HELOs which is very zombie-ish.

If it is in fact your IP that is making the connection (I assume they exclude multi-hop relay conditions based on the accuracy of their zone), then instead of checking for the symptom of the multiple HELOs, you should in fact be primarily concerned about the prospect of being an open relay by way of misconfiguration or exploit (most often a virus infection that opened a back door from which you were hacked).  Typically hacked/exploited servers are easy to diagnose because spammers tend to pump as much as they can out of your box, so both the processor utilization and bandwidth consumption should be telling.

With what you have shared, my best guess is that you are an open relay for spammers.  Try to verify this because it is very unlikely that you would have hit their spamtraps under multiple names without being used as a spam relay.

Matt



Duane Hill wrote:
  Ok. Here is a partial snip of the conversation:

-----
The CBL attempts to detect compromised machines in a number of ways
based upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent real
mail servers by ensuring that each connection is claiming a plausible
machine name for itself (via SMTP HELO), and not listing any IP that
corresponds to a real mail server (or several mail servers if the IP
address is a NAT firewall with multiple mail servers behind it).

63.110.136.164 was found to be using several different names during multiple
connections on or about 2005:01:31 ~23:30 UTC.

The names seen included:

        opexonline.com,mail2.ispdial.com,jet-the.net,mail.ispdial.com,blazeisp.com
-----

On Wednesday, February 2, 2005 at 2:30:37 AM, [EMAIL PROTECTED] confabulated:

192.168.0.2 isn't telling anybody anything. That's an unroutable IP, like
172.0.0.0/12 and 10.0.0.0/8.

Since you didn't include the real domain name, we can't check for you on
dnsreport.com, but you can!
http://www.dnsreport.com/tools/dnsreport.ch?domain=example.com.

See what's what from the point of view of outside your firewall.

Dan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Duane Hill
Sent: Tuesday, February 01, 2005 8:55 PM
To: [email protected]
Subject: [IMail Forum] cbl.abuseat.org listing

Just had an issue recently of having one of our IMail servers being listed
on cbl.abuseat.org. I have been in a long e-mail conversation with one of the
administrators with CBL. They are claiming our server is using multiple domains
when connecting to their server, thus making it appear as though there is an
issue with a proxy.

-----

Duane Hill
Sr E-Mail Administrator
http://www.yournetplus.com


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
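As an added example (not part of the original thread or of CBL's or IMail's own tooling): a small Python self-check that mirrors the heuristic quoted from CBL above, scanning constructed outbound SMTP session log lines for a source IP that presents several different HELO names within a short window, and building the reversed-octet query name used to check an address against the cbl.abuseat.org DNSBL zone. The log line format, the window length and the name threshold are assumptions, not anything CBL or IMail documents.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound SMTP session log lines (hypothetical format):
# "<date> <time> <source-ip> HELO <name>"; the names are the ones CBL reported.
SAMPLE_LOG = """\
2005-01-31 23:30:05 63.110.136.164 HELO opexonline.com
2005-01-31 23:30:41 63.110.136.164 HELO mail2.ispdial.com
2005-01-31 23:31:12 63.110.136.164 HELO jet-the.net
2005-01-31 23:32:03 63.110.136.164 HELO mail.ispdial.com
2005-01-31 23:33:27 63.110.136.164 HELO blazeisp.com
2005-01-31 23:30:09 198.51.100.7 HELO mx.example.net
2005-01-31 23:55:10 198.51.100.7 HELO mx.example.net
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) HELO (\S+)$")

def parse_helo_log(text):
    """Yield (timestamp, ip, helo_name) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3).lower()

def find_multi_helo_sources(text, window=timedelta(minutes=10), min_names=3):
    """Return {ip: sorted HELO names} for IPs using >= min_names distinct HELO
    names inside one sliding window. A NAT with several mail servers behind it
    can trip this too, so treat a hit as a lead to investigate, not as proof."""
    events = defaultdict(list)
    for ts, ip, name in parse_helo_log(text):
        events[ip].append((ts, name))
    suspects = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - start <= window}
            if len(names) >= min_names:
                suspects[ip] = sorted(names)
                break
    return suspects

def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Reversed-octet name to look up (e.g. with dig) to test an IPv4 address
    against a DNSBL zone; an A record in 127.0.0.0/8 means the IP is listed."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone
```

Run `find_multi_helo_sources(SAMPLE_LOG)` to get the flagged source and its HELO names, then resolve `dnsbl_query_name(ip)` to see whether that address is currently listed.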
