Opened 7 months ago

Last modified 7 months ago

#16328 assigned Bug/Something is broken

CLG newsletter IP listed in SORBS blacklist

Reported by: Lori Price Owned by: JaimeV
Priority: High Component: Tech
Keywords: cleveland.mayfirst.org, SORBS Cc: lori@…, southwell.gov@…, Jamie McClelland
Sensitive: no

Description

Hi all,


MXToolBox shows that Cleveland 162.247.75.111/32 is in the SORBS blacklist, with lots of entries. Here's the info: http://www.sorbs.net/lookup.shtml?162.247.75.111.

Summary information for 162.247.75.111/32
Note: Times shown are for the latest entry only!
Found 2 network entries and 0 host/domain entries.
 
Problem Entries, (listings will cause email problems.)
14 "Spam" entries [10:10:01 05 Mar 2021 GMT-05].
162.247.75.111 - 14 entries [10:10:01 05 Mar 2021 GMT-05].
 
Usage classification (only important if you run your own mailserver.)
Note: Active "exDUHL" entries mean that the IP/Network has been unblocked for some or all IPs from the DUHL.
 
Problem hostnames/domains (could cause email problems.)
3 "Spamvertised" entries [12:42:40 01 Sep 2018 GMT-04].
Note:These entries are for URLs or email domains, the IPs that may show up as 'spamvertised' only indicate where the URL/Host was seen being sent from. Listings for IPs that are 'spamvertised' will not usually cause blocking problems unless the email contains the IP address as a URL
Note: For a more detailed view you have to be registered and logged in.
 
Current Listings (active)
Historical Listings (inactive)
Current Listing with an active exception
Current Listing however, listings of these types can help mail delivery rather than cause blocking.

Also, the UCEPROTECTL3 blacklist (that we can't fix without paying ransom) remains:

Status  Blacklist     Reason                     TTL   ResponseTime
LISTED  SORBS SPAM    162.247.75.111 was listed  3600  4
LISTED  UCEPROTECTL3  162.247.75.111 was listed  2100  3

Would MayFirst be able to de-list the IP from the SORBS blacklist?

Thank you,

Lori Price
legitgov.org
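The MXToolBox result pasted above is the outcome of an ordinary DNSBL query: the IPv4 octets are reversed and appended to the list's zone, an A record in 127.0.0.0/8 means "listed" (its last octet is the list's reason code), and NXDOMAIN means "not listed". The following is an added example, not part of this ticket or of May First's tooling, that performs that check with a pluggable resolver so it can be exercised offline. The zone name dnsbl.sorbs.net is SORBS' aggregate zone; the reason-code table and the stub answers are assumptions for illustration, not SORBS' published values.

```python
"""Offline-testable DNSBL lookup of the kind MXToolBox performs (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Zones to query. Assumed for this example; consult each list's own documentation.
DEFAULT_ZONES = ["dnsbl.sorbs.net"]

# Assumed mapping of the last octet of a 127.0.0.x answer to a reason. Real lists
# publish their own tables and they differ from list to list.
REASON_CODES = {6: "spam source", 10: "dynamic/dial-up space"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 111.75.247.162.dnsbl.sorbs.net."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str) -> List[str]:
    """Default resolver: A records for name, or [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_answer(records: List[str]) -> Dict[str, object]:
    """Interpret the A records returned for a DNSBL query name.

    Answers outside 127.0.0.0/8 are reported as 'invalid' rather than 'listed':
    an abandoned list sometimes wildcards its zone to a public address, which
    would otherwise make every IP on the internet look listed.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if not records:
        return {"status": "not-listed", "reasons": []}
    if any(ipaddress.IPv4Address(r) not in loopback for r in records):
        return {"status": "invalid", "reasons": records}
    reasons = [REASON_CODES.get(int(r.rsplit(".", 1)[1]), f"code {r}") for r in records]
    return {"status": "listed", "reasons": reasons}


def check_dnsbl(ip: str, zones: List[str] = DEFAULT_ZONES,
                resolver: Resolver = resolve_a) -> Dict[str, Dict[str, object]]:
    """Query every zone for ip and return {zone: classification}."""
    return {zone: classify_answer(resolver(dnsbl_query_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    # Live lookup of the IP from this ticket (needs network access).
    for zone, result in check_dnsbl("162.247.75.111").items():
        print(zone, result["status"], result["reasons"])
```

Running the module queries the real zone; the classification logic itself can be tested with a stub resolver that returns canned answers, which is also how you would unit-test a monitoring job that alerts when the newsletter host reappears on a list.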

Change History (8)

comment:1 Changed 7 months ago by Lori Price

Here's the history for 162.247.75.111 on SORBS:

Newest Spam listings for: 162.247.75.111 (Limited to a maximum of 30)
Current status of 162.247.75.111 is Listed
Seen/Created Time              Host/Netblock    Short Description/Identifier
10:10:01 05 Mar 2021 GMT-05    162.247.75.111   607*******************************32@***...
10:10:00 05 Mar 2021 GMT-05    162.247.75.111   607*******************************32@***...
19:36:54 06 Feb 2020 GMT-05    162.247.75.111   d64***************************f3@*******...
18:57:48 30 May 2019 GMT-04    162.247.75.111   545*******************************32@***...
18:57:48 30 May 2019 GMT-04    162.247.75.111   545*******************************32@***...
16:00:24 01 Mar 2019 GMT-05    162.247.75.111   541*******************************32@***...
12:42:40 01 Sep 2018 GMT-04    162.247.75.111   525*******************************32@***...
12:42:40 01 Sep 2018 GMT-04    162.247.75.111   525*******************************32@***...
18:39:15 05 Jun 2018 GMT-04    162.247.75.111   517*******************************32@***...
17:55:51 31 May 2018 GMT-04    162.247.75.111   516*******************************32@***...
17:52:10 31 May 2018 GMT-04    162.247.75.111   516*******************************32@***...
13:46:58 27 Dec 2017 GMT-05    162.247.75.111   495*******************************32@***...
11:56:10 05 Sep 2017 GMT-04    162.247.75.111   463***************************1f@*******...
15:57:49 08 May 2017 GMT-04    162.247.75.111   412*******************************32@***...
17:10:23 26 Apr 2017 GMT-04    162.247.75.111   411*******************************32@***...
15:02:10 11 Apr 2017 GMT-04    162.247.75.111   407*******************************32@***...

Thank you,

Lori

comment:2 Changed 7 months ago by JaimeV

Cc: Jamie McClelland added
Owner: set to JaimeV
Status: new → assigned

Thanks Lori,

SORBS did not allow me to immediately delist this IP. I have opened tickets with them asking for more information about the two listings from March 5th. Feedback should be sent to Jamie's address.

comment:3 Changed 7 months ago by Lori Price

Sounds good. Thank you Jaime and Jamie!

Lori

comment:4 Changed 7 months ago by Lori Price

Hi all,

I made an appeal to de-list the IP. It's currently de-listed.

Here's what they wrote:

Hello

Any message sent to a spam trap is spam. The message that caused this listing is spam because it was sent to one or more of our spam traps. If you do not isolate the problem and stop sending messages to our spam traps the IP may not be delisted and if delisted will likely be listed again and again. The only way to stop getting listed is to stop sending messages to our spam traps. Please check your mailing lists for outdated or otherwise invalid email addresses and check for compromised accounts.

As we've seen no further spam occurrences, I've de-listed this IP. In order to assist you in identifying the source of the spam, I've attached the headers for the most recent occurrence. This may point to a compromised or unsecure mail account or mail server, or a computer infected with a spambot, among other possibilities.

Please feel free to open a new request should any of your IPs become listed again.

Headers:
Return-Path: <[Email Address]>
Received: from [Host/Domain Hidden] ([Host/Domain Hidden] [162.247.75.111])
	by smtp-[Host/Domain Hidden].mx (Postfix) with ESMTP id 9F5C51E3E363
	for <[Email Address]>; Fri,  5 Mar 2021 10:09:57 -0500 (EST)
MIME-Version: 1.0
Subject: REGISTER TODAY: Ready to demand your bread and roses, too?
Precedence: bulk
job_id: 6657
From: "It Takes Roots" <[Email Address]>
To: Maddison Holland <[Email Address]>
Content-Type: multipart/alternative;
	boundary="[hidden]"
Date: Fri, 05 Mar 2021 10:09:55 -0500



-- 
Thank You,
SORBS Technical Support
M.

Lori

comment:5 Changed 7 months ago by JaimeV

Wow, great work Lori. They never responded to MY ticket.

Their spam traps are secret e-mail addresses that they insert into people's sign-up forms. They assume if you allow anonymous sign-ups you must be a spammer. Then if you send your newsletter to their spamtrap e-mail you get banned. It's a setup. LeftRoots must have allowed this at some point and gotten one of those e-mails in their list.

Notice SORBS haven't told us what the e-mail is. They may have left us with some clues though. I'll see if I can't track this down with LeftRoots.

comment:6 Changed 7 months ago by Lori Price

Hi Jaime,

Thank you! Wow, that would be great, if it could be traced. Yup, SORBS didn't make us aware of the culprit, so it could have been handled in two seconds. Instead, you have to put on your detective hat, lol!

:) -Lori

comment:7 Changed 7 months ago by Jamie McClelland

I was able to find the source from the responsible May First member based on It Takes Roots and the name (that was left behind). I've notified the member, and as I also have access to the database in question, I have disabled that address.
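The headers SORBS returned in comment:4 carry enough to do what this comment describes: the sending IP in the Received line, the campaign identifier in the job_id header, the sender's display name and the recipient's display name. The following is an added example (not May First's code and not the list software's own API) that pulls those fields out and matches them against a subscriber export to find the record to suppress. The header text is the redacted excerpt from the ticket, the subscriber table is constructed, and the assumption that job_id identifies one newsletter send is taken from the header itself.

```python
"""Triage of spam-trap headers to locate the list and subscriber record (added example)."""
import email
import email.utils
import re
from typing import Dict, List, Optional

# Header excerpt as quoted in comment:4, with SORBS' redactions kept as placeholders.
TRAP_HEADERS = """\
Return-Path: <[Email Address]>
Received: from [Host/Domain Hidden] ([Host/Domain Hidden] [162.247.75.111])
\tby smtp-[Host/Domain Hidden].mx (Postfix) with ESMTP id 9F5C51E3E363
\tfor <[Email Address]>; Fri,  5 Mar 2021 10:09:57 -0500 (EST)
MIME-Version: 1.0
Subject: REGISTER TODAY: Ready to demand your bread and roses, too?
Precedence: bulk
job_id: 6657
From: "It Takes Roots" <[Email Address]>
To: Maddison Holland <[Email Address]>
Date: Fri, 05 Mar 2021 10:09:55 -0500
"""

# Constructed subscriber export: which list each record is on, the job ids of the
# list's recent sends, and the subscriber's display name.
SUBSCRIBERS = [
    {"list": "it-takes-roots-news", "job_ids": {6657, 6640}, "name": "Maddison Holland", "status": "active"},
    {"list": "it-takes-roots-news", "job_ids": {6657, 6640}, "name": "Jane Example", "status": "active"},
    {"list": "clg-newsletter", "job_ids": {9001}, "name": "Maddison Holland", "status": "active"},
]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Display name before the angle-bracketed address, with or without surrounding quotes.
DISPLAY_NAME = re.compile(r'^\s*"?([^"<]*?)"?\s*<')


def display_name(header_value: Optional[str]) -> str:
    m = DISPLAY_NAME.match(header_value or "")
    return m.group(1).strip() if m else ""


def triage_headers(raw: str) -> Dict[str, object]:
    """Extract the fields useful for tracing a trapped message back to a list."""
    msg = email.message_from_string(raw)
    # The trap's own MX wrote the first Received line; the bracketed IP is the sending host.
    ips = [ip for r in (msg.get_all("Received") or []) for ip in IPV4_IN_BRACKETS.findall(r)]
    date = email.utils.parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {
        "sending_ip": ips[0] if ips else None,
        "job_id": msg.get("job_id"),          # list-software campaign id (assumed semantics)
        "from_name": display_name(msg.get("From")),
        "to_name": display_name(msg.get("To")),
        "subject": msg.get("Subject"),
        "date": date,
        "bulk": (msg.get("Precedence") or "").lower() == "bulk",
    }


def find_trap_records(triage: Dict[str, object], subscribers: List[dict]) -> List[dict]:
    """Records that match both the campaign that hit the trap and the recipient name.

    Matching on job_id alone would return the whole list; matching on the name alone
    would also hit the same person on unrelated lists. Both are required.
    """
    job_id = int(triage["job_id"]) if triage["job_id"] else None
    name = (triage["to_name"] or "").casefold()
    return [s for s in subscribers if job_id in s["job_ids"] and s["name"].casefold() == name]


def suppress(records: List[dict]) -> List[dict]:
    """Mark the matched records so the address is never mailed again."""
    for r in records:
        r["status"] = "suppressed"
    return records


if __name__ == "__main__":
    t = triage_headers(TRAP_HEADERS)
    print("sent from", t["sending_ip"], "job", t["job_id"], "to", repr(t["to_name"]))
    for r in suppress(find_trap_records(t, SUBSCRIBERS)):
        print("suppressed", r["name"], "on", r["list"])
```

With a real export the name comparison should be widened to the local part of the address once the list owner reveals it, but the two-key match above already narrows a trap hit to one list and one record, which is the step that turns a SORBS listing into a single row to disable.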

comment:8 Changed 7 months ago by Lori Price

That is great, Jamie!

We won't get caught in any more SORBS traps!

Thank you,
:) - Lori
