Re: [anti-spam-wg@localhost] I really need your help!


Hi again,

I didn't mention it earlier that I found several of your ips in our logs, but since someone else already started it I don't see why I shouldn't continue.
Here is a specific list of ip addresses I found at our place:

62.139.100.212
62.139.109.85
62.139.121.122
62.139.148.67
62.139.174.81
62.139.174.194
62.139.228.43
62.139.252.190
62.139.28.25
62.139.64.178
62.139.81.121
62.139.88.65
62.139.90.101
62.139.218.233
62.139.42.16
62.139.74.124
62.139.80.122
62.139.1.3
62.139.82.216
62.139.80.211
62.139.189.148
62.139.252.19


Content:
* Phishing
* Spam
* May be other types but it was already rejected on connect.

* Several of the ips used the ip address of the mail server they connected to in the helo-message.
* No ips seem to resolve. Hard to tell what the addresses are used for eg dsl etc. Whois server is not helping. People might think its a badly managed network and will block it more easily instead of trying to contact you.
* The /16 is listed as dsl-cable-dhcp-dialup here with a few /24 exceptions. This kind of information is used to deny email and tell the remote to use the ISPs mailserver. Could be an idea to check this out on the public lists if this is incorrect.

Some additional info about your domain mail.egynet.com.eg:
egynet.com.eg. 86400 IN NS ns222.egynet.com.eg. <<---- connection timeout
egynet.com.eg. 86400 IN NS ns.ripe.net. <<---- returns refused!
egynet.com.eg. 86400 IN NS ns2.egynet.com.eg.
egynet.com.eg. 86400 IN NS ns22.egynet.com.eg.


Some additional info about your reverse zone 139.62.in-addr.arpa:
139.62.in-addr.arpa. 86400 IN NS ns.ripe.net. <<---- returns refused!
139.62.in-addr.arpa. 86400 IN NS ns2.egynet.com.eg.
139.62.in-addr.arpa. 86400 IN NS ns22.egynet.com.eg.


Some suggestions:

* Add reverse dns. Like AX7SHD.dsl.egynet.com.eg and smtp.egynet.com.eg
* Fix the authorative nameservers
* Block the spambots, in any way you want as long as they don't spam anymore, as soon as you can.
* Move "legit spam" servers to its own netblock. At least dont change ips. People don't like that and will block a larger piece of netblock instead.
* If you are using dhcp/radius/dynamic ip allocation, perhaps increasing the lease time would help reducing IP address changes if that is a problem. That way spambots will keep using the same IP for a longer period of time reducing the amount of listings.

Remember that your ips got listed in the first place due to spamming. You can't get them delisted if they keep spamming. Some might list the entire /16 if the spam/ip-ratio gets high enough. This is a problem indeed, but professional/serious blocklists don't do that.

So I would still recommend collecting error messages and ips from customers and take it from there. Maybe even some of the customers are also unaware running spambots. An ip is usually listed because spamming is going on you know...

j
Joergen Hovland ENK

----- Original Message ----- From: "Eng.Sherif A.Gurguis" sgurguis@localhost
To: "J�rgen Hovland" jorgen@localhost
Sent: Sunday, July 03, 2005 9:08 PM
Subject: Re: [anti-spam-wg@localhost] I really need your help!


Hi J

Thanx for your fast response.
I do not want to remove a specific IP from spam lists, but rather, I
need to remove the whole block so that if a single IP or even subnet
has become a spammer, it would not affect the others.


Regards

On 7/3/05, J�rgen Hovland jorgen@localhost wrote:
Hi

I would suggest you ask the customer(s) for the actual error message, and if possible also the specific ip address from the /16 that was being used.

j


-----Opprinnelig melding-----
Fra: anti-spam-wg-admin@localhost [
] P� vegne av Eng.Sherif A.Gurguis
Sendt: 3. juli 2005 20:54
Til: anti-spam-wg@localhost
Emne: [anti-spam-wg@localhost] I really need your help!

Hello everybody
I am from EgyNet (AS:20858), and we are assigned the following
IP blocks: 62.139.0.0/16 and 84.36.0.0/16. Recently, we have been
receiving complaints from some of our customers in the first block
that they are facing problems in sending emails as their recepients'
anti-spam systems reject emails as the source is identifed as a
spammer. I tried to lookup in the spammer databases available on the
Web, such as (http://www.rbls.org), but I could not reach any solid
point. Thus, I really need your help to discover if my 62.139.0.0/16
block is actually identified as a source of spams or not; and if yes,
how can I remove this block from the spam lists?

Thanx for your help
Best regards

==========================================
Eng. Sherif A. Gurguis
Senior Network Operations Engineer - Routing Department
Egyptian Company For Networks (EgyNet)
==========================================




--
===========================================
Eng. Sherif A. Gurguis
Senior Network Operations Engineer - Routing Department
Egyptian Company For Networks (EgyNet)
Mob.: (201)-06008589
===========================================