Re: [anti-spam-wg@localhost] I really need your help!
To: "Eng.Sherif A.Gurguis" <>
From: Jørgen Hovland <>
Date: Mon, 4 Jul 2005 02:56:14 +0200
Hi again,
I didn't mention it earlier that I found several of your ips in our logs,
but since someone else already started it I don't see why I shouldn't
continue.
Here is a specific list of ip addresses I found at our place:
Content:
* Phishing
* Spam
* May be other types but it was already rejected on connect.
* Several of the ips used the ip address of the mail server they connected
to in the helo-message.
* No ips seem to resolve. Hard to tell what the addresses are used for, e.g.
dsl etc. Whois server is not helping. People might think it's a badly managed
network and will block it more easily instead of trying to contact you.
* The /16 is listed as dsl-cable-dhcp-dialup here with a few /24 exceptions.
This kind of information is used to deny email and tell the remote to use
the ISPs mailserver. Could be an idea to check this out on the public lists
if this is incorrect.
Some additional info about your domain mail.egynet.com.eg:
egynet.com.eg. 86400 IN NS ns222.egynet.com.eg. <<---- connection timeout
egynet.com.eg. 86400 IN NS ns.ripe.net. <<---- returns refused!
egynet.com.eg. 86400 IN NS ns2.egynet.com.eg.
egynet.com.eg. 86400 IN NS ns22.egynet.com.eg.
Some additional info about your reverse zone 139.62.in-addr.arpa:
139.62.in-addr.arpa. 86400 IN NS ns.ripe.net. <<---- returns refused!
139.62.in-addr.arpa. 86400 IN NS ns2.egynet.com.eg.
139.62.in-addr.arpa. 86400 IN NS ns22.egynet.com.eg.
Some suggestions:
* Add reverse dns. Like AX7SHD.dsl.egynet.com.eg and smtp.egynet.com.eg
* Fix the authoritative nameservers
* Block the spambots, in any way you want as long as they don't spam
anymore, as soon as you can.
* Move "legit spam" servers to their own netblock. At least don't change ips.
People don't like that and will block a larger piece of netblock instead.
* If you are using dhcp/radius/dynamic ip allocation, perhaps increasing the
lease time would help reducing IP address changes if that is a problem. That
way spambots will keep using the same IP for a longer period of time
reducing the amount of listings.
Remember that your ips got listed in the first place due to spamming. You
can't get them delisted if they keep spamming. Some might list the entire
/16 if the spam/ip-ratio gets high enough. This is a problem indeed, but
professional/serious blocklists don't do that.
So I would still recommend collecting error messages and ips from customers
and taking it from there. Maybe even some of the customers are also unaware
of running spambots. An ip is usually listed because spamming is going on you
know...
j
Joergen Hovland ENK
----- Original Message -----
From: "Eng.Sherif A.Gurguis" sgurguis@localhost
To: "Jørgen Hovland" jorgen@localhost
Sent: Sunday, July 03, 2005 9:08 PM
Subject: Re: [anti-spam-wg@localhost] I really need your help!
Hi J
Thanx for your fast response.
I do not want to remove a specific IP from spam lists, but rather, I
need to remove the whole block so that if a single IP or even subnet
has become a spammer, it would not affect the others.
Regards
On 7/3/05, Jørgen Hovland jorgen@localhost wrote:
Hi
I would suggest you ask the customer(s) for the actual error message, and
if possible also the specific ip address from the /16 that was being used.
j
-----Original Message-----
From: anti-spam-wg-admin@localhost [] On
behalf of Eng.Sherif A.Gurguis
Sent: 3 July 2005 20:54
To: anti-spam-wg@localhost
Subject: [anti-spam-wg@localhost] I really need your help!
Hello everybody
I am from EgyNet (AS:20858), and we are assigned the following
IP blocks: 62.139.0.0/16 and 84.36.0.0/16. Recently, we have been
receiving complaints from some of our customers in the first block
that they are facing problems in sending emails as their recipients'
anti-spam systems reject emails as the source is identified as a
spammer. I tried to lookup in the spammer databases available on the
Web, such as (http://www.rbls.org), but I could not reach any solid
point. Thus, I really need your help to discover if my 62.139.0.0/16
block is actually identified as a source of spams or not; and if yes,
how can I remove this block from the spam lists?
Thanx for your help
Best regards
==========================================
Eng. Sherif A. Gurguis
Senior Network Operations Engineer - Routing Department
Egyptian Company For Networks (EgyNet)
==========================================
--
===========================================
Eng. Sherif A. Gurguis
Senior Network Operations Engineer - Routing Department
Egyptian Company For Networks (EgyNet)
Mob.: (201)-06008589
===========================================
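
Added example, not part of the original thread: a receiving-side check for two symptoms named in the top message, clients that send the mail server's own IP address in HELO and clients without reverse DNS, with a per-/16 tally of distinct offenders. The log format, field names, function names and addresses are constructed for illustration (documentation ranges, not any real MTA's log format).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified, made-up log format (assumption).
SAMPLE_LOG = """\
2005-07-04T00:10:01 connect client=198.51.100.23 rdns=unknown helo=[192.0.2.10]
2005-07-04T00:10:05 connect client=198.51.100.77 rdns=unknown helo=192.0.2.10
2005-07-04T00:11:40 connect client=203.0.113.5 rdns=mail.example.net helo=mail.example.net
2005-07-04T00:12:02 connect client=198.51.77.9 rdns=unknown helo=pc-1234
2005-07-04T00:12:30 connect client=198.51.100.23 rdns=unknown helo=[192.0.2.10]
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) rdns=(?P<rdns>\S+) helo=(?P<helo>\S+)")


def helo_as_ip(helo):
    """Return the HELO argument as an IP object if it is a bare or bracketed literal."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None  # a hostname or other non-address string


def flag_connections(log_text, server_ips):
    """Yield (client_ip, reasons) for every connection showing one of the symptoms."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reasons = []
        if helo_as_ip(m["helo"]) in own:
            reasons.append("helo-is-our-ip")  # client claims to be the server itself
        if m["rdns"] == "unknown":
            reasons.append("no-rdns")  # no PTR record was found for the client
        if reasons:
            yield ipaddress.ip_address(m["client"]), reasons


def offenders_per_16(log_text, server_ips):
    """Count distinct IPv4 clients per /16 that sent our own IP as HELO."""
    seen = defaultdict(set)
    for client, reasons in flag_connections(log_text, server_ips):
        if "helo-is-our-ip" in reasons:
            net = ipaddress.ip_network(f"{client}/16", strict=False)
            seen[str(net)].add(client)
    return {net: len(ips) for net, ips in seen.items()}
```
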