Page 1 of 2

Spamhaus IP blocking

Posted: Sat Jun 06, 2015 1:32 pm
by haremlover
This afternoon I was replying to a post and received the message
Your IP 188.30.207.57 has been blocked because it is blacklisted. For details please see http://www.spamhaus.org/query/bl?ip=188.30.207.57.

This is an access point from the Three mobile internet service in the UK. I live at the end of a long unreliable telephone line, so I use ADSL broadband over the line as well as the mobile service, and was simply able to change to the line-based service - but the use of Spamhaus may cause problems to people.

One of the Spamhaus sources is http://cbl.abuseat.org/lookup.cgi?ip=188.30.207.57 which says that it should only be used in connexion with inbound mail.

The problem has not been experienced before but will no doubt cause some problems to others in the future.

Best wishes

Harem

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 1:56 pm
by Nescio50
To be clear, TDF doesn't use spamhaus. This is your ISP blocking certain IP addresses.

Edit: I'm checking about TDF ...

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 2:11 pm
by haremlover
It's very bizarre . . . !

;-)
[Attachment: tdfscreen.jpg - screenshot of the block message]
There are circumstances in which components of the information chain can include things of which we're entirely unaware and can surprise us!

Luckily I've got the second ISP available but this is an oddity.

Best wishes

Harem

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 2:20 pm
by karpos
Nescio50 wrote:To be clear, TDF doesn't use spamhaus. This is your ISP blocking certain IP addresses.
Is our bbs coding in-house or do we use a third party vendor? Is it possible that a software patch or update introduced it to the network? Or is it possible that TDF's ISP has started using Spamhaus and we need to disable it?

Sorry old computer troubleshooter here. :D Just trying to throw out some ideas since it looks like from his picture that it may be server side.

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 3:40 pm
by deadpringle
In my experience, Spamhaus is quite accurate, especially since they have consolidated the PBL, SBL, XBL, CBL and pretty much everything else into the zen site.

Harem,

If you're using a Windows PC, double-check things on your end (ie: do thorough scans for viruses, trojans, malware, spambots, etc.) and make sure your PC is not broadcasting botnet CnC traffic, or something like conficker. People have been getting hit hard with these things as of late, which has been making my job[0] very "pain-in-the-assy" lately. :P

One of my colleagues recently wound up with CryptoLocker on his work laptop. He lost about three years of research data as a result.[1]

I'm so glad I use GNU/Linux.[3] Haven't been a Windows user in about 21 years. I'd rather chew concertina wire.

[0] Network security engineer.
[1] No matter how much you harp on people to back up their data, they never do it, until something bad happens.
[3] Initially Slackware and FreeBSD (not Linux, but still a cool OS). Converted to Debian about three years ago.

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 3:55 pm
by deadpringle
Oh, and before someone says, "Oh, I don't go to bad/porn/hacking sites, so I can't be infected," I have three words for you:

Search Engine Poisoning.

Be careful out there! :)

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:04 pm
by Nescio50
karpos wrote:
Nescio50 wrote:To be clear, TDF doesn't use spamhaus. This is your ISP blocking certain IP addresses.
Is our bbs coding in-house or do we use a third party vendor? Is it possible that a software patch or update introduced it to the network? Or is it possible that TDF's ISP has started using Spamhaus and we need to disable it?

Sorry old computer troubleshooter here. :D Just trying to throw out some ideas since it looks like from his picture that it may be server side.
Looking at Harem's picture, well that's strange, maybe I was wrong and there's something I didn't know. I'll ask ...

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:24 pm
by haremlover
Interesting thoughts and interesting questions . . .

Many things of which to be curious . . .

Thanks for thoughts and making head feel itchy . . .

Best wishes

Harem

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:25 pm
by deadpringle
Nescio50 wrote:
karpos wrote:
Nescio50 wrote:To be clear, TDF doesn't use spamhaus. This is your ISP blocking certain IP addresses.
Is our bbs coding in-house or do we use a third party vendor? Is it possible that a software patch or update introduced it to the network? Or is it possible that TDF's ISP has started using Spamhaus and we need to disable it?

Sorry old computer troubleshooter here. :D Just trying to throw out some ideas since it looks like from his picture that it may be server side.
Looking at Harem's picture, well that's strange, maybe I was wrong and there's something I didn't know. I'll ask ...
Hi Nescio50,

It's not unusual for sites, especially forums to use a DNSBL service, and Spamhaus is kind of the standard these days. Is dollforum.com hosted behind a firewall? If so, it should have been caught there first.

Karpos,

The IP address in the message is different from what dollforum.com resolves to, and it's indicative that the forum code is performing a lookup on the client IP - likely to make sure the client is not coming from a known source of spam, virii, injectors, etc.

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:27 pm
by deadpringle
haremlover wrote:Interesting thoughts and interesting questions . . .

Many things of which to be curious . . .

Thanks for thoughts and making head feel itchy . . .

Best wishes

Harem
To give your PC a thorough lookover, you might consider trying Bitdefender. It's a live DVD which can eliminate LOTS of virii, trojans, etc., and it's free software (free as in freedom, not free as in beer). I'm not saying your PC is infected. I would just recommend CheckingToMakeSure(tm) in light of this event.

EDIT: Oh, BTW, please do let me know if you wish to do this, and require assistance with it.

EDIT: Here is the link to the live CD: http://download.bitdefender.com/rescue_cd/

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:39 pm
by Nescio50
Thanks guys, it seems I'm learning :wink: didn't know about Spamhaus blocking IPs. Regarding TDF, I'll have to check this with our techie guys ...

I did check Harem's IP at StopForumSpam and CleanTalk, but it's not listed there.

Edit: to check your PC, I also recommend MalwareBytes: www.malwarebytes.org

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:43 pm
by deadpringle
Nescio50 wrote:Thanks guys, it seems I'm learning :wink: didn't know about Spamhaus blocking IPs. Regarding TDF, I'll have to check this with our techie guys ...

I did check Harem's IP at StopForumSpam and CleanTalk, but it's not listed there.

Edit: to check your PC, I also recommend MalwareBytes: http://www.malwarebytes.org
It's showing up in several different lists according to Spamhaus:
--
188.30.207.57 is listed in the SBL, in the following records:

SBLCSS

188.30.207.57 is listed in the PBL, in the following records:

PBL394068

188.30.207.57 is listed in the XBL, because it appears in:

CBL

If there are multiple users behind the AP Harem uses, it's very possible that someone else behind said AP is causing this unwittingly.


Malwarebytes is a stellar piece of software, but one must be careful. Some trojans are smart enough to determine that they are being removed, or quarantined, and in some cases, removal from a live OS can trigger truly awful things, like destroying partition maps, infecting other files, corrupting filesystems, etc.

If possible, a post-infected scan should only be done from a live CD/DVD when the filesystem is not active.
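
The lookup the forum software is evidently doing, as an added example (my own code, not TDF's forum software, phpBB, or anything published by Spamhaus): a DNSBL check reverses the IPv4 octets, queries them under zen.spamhaus.org, and decodes the 127.0.0.x answer into the component list. The answer codes are the ones Spamhaus documents for ZEN. The resolver for 188.30.207.57 is a constructed stand-in that returns the three listings quoted in the post above, so the script runs offline; `system_resolver` does the real query (note that queries sent through large public resolvers may be answered with a 127.255.255.x error code instead of a listing). The last function makes the point Harem and the CBL page both raise: a PBL hit says "end-user/dynamic space, should not be sending mail directly", which is no reason to refuse a web post.

```python
"""DNSBL check against Spamhaus ZEN (added example, not the forum's own code)."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Spamhaus ZEN answer codes, as documented by Spamhaus.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet query name, e.g. 57.207.30.188.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> List[str]:
    """Real lookup via the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def constructed_resolver(name: str) -> List[str]:
    """Constructed stand-in mirroring the listing quoted in the thread
    (SBL CSS, CBL, PBL). The PBL sub-code is assumed; the post only gives PBL394068."""
    if name == "57.207.30.188.zen.spamhaus.org":
        return ["127.0.0.3", "127.0.0.4", "127.0.0.11"]
    return []  # everything else: not listed


def zen_lookup(ip: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the human-readable ZEN lists an address appears in ([] if clean)."""
    result = []
    for answer in resolver(dnsbl_query_name(ip)):
        if answer.startswith("127.0.0."):
            result.append(ZEN_CODES.get(answer, f"unknown:{answer}"))
        else:
            # 127.255.255.x: Spamhaus is refusing the query (public resolver,
            # query limit, typo), which must not be treated as a listing.
            result.append(f"error:{answer}")
    return result


def should_block_web_client(lists: List[str]) -> bool:
    """A PBL-only hit is a mail policy statement about dynamic/end-user space and
    is not grounds to refuse a web post. Only act on SBL/XBL entries, and never
    on a query error."""
    return any(entry.startswith(("SBL", "XBL")) for entry in lists)


if __name__ == "__main__":
    hits = zen_lookup("188.30.207.57", constructed_resolver)
    print(dnsbl_query_name("188.30.207.57"), hits, should_block_web_client(hits))
```

Even with the PBL ignored, the SBL CSS and CBL entries here describe a carrier NAT address shared by many handsets, so acting on them punishes everyone behind that address for one infected device; a forum that insists on using ZEN for posters should at least exempt PBL and make the block a captcha or moderation queue rather than a hard refusal.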

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 4:57 pm
by haremlover
It is an Access Provider IP used by many people. I've put the sim card into a different modem . . . and it will be interesting to see if it's connected over a different IP . . . but nevertheless some blocking seems to be happening through the server software.

The relevance of this is not merely personal inconvenience but the forum being blocked inadvertently to people on swathes of IP numbers subject to email viral botnets irrelevant to the forum.

Best wishes

Harem

PS Having put the SIM chip into a different modem, posting has not been blocked, apparently having connected on a different IP.

Re: Spamhaus IP blocking

Posted: Sat Jun 06, 2015 8:46 pm
by karpos
You can do an IP release and renew on your other machine so that it connects with a different IP. It depends which version of Windows you are running so let me know which version and I can walk you through it. It is very easy just different depending on your version.

Re: Spamhaus IP blocking

Posted: Sun Jun 07, 2015 12:22 am
by deadpringle
karpos wrote:You can do an IP release and renew on your other machine so that it connects with a different IP. It depends which version of Windows you are running so let me know which version and I can walk you through it. It is very easy just different depending on your version.
This might or might not help. For one, if Spamhaus is blocking the entire network range for some reason, he will likely receive a DHCP lease from the same pool within the same network. Also, reprovisioning DHCP on his PCs won't help unless he's directly connected to the ISP's drop or has a bridged connection (which isn't very common these days), because he'll still be NATted to the same WAN IP upstream.

Harem, is/are your PC/PCs behind a router/firewall? If so, you might need to have your ISP kill your DHCP lease table entry (some ISPs allow DHCP entries to live for days, even weeks (which is seriously != good)). In other words, you'll need to call them, and ask them to release your DHCP lease, if putting a new DHCP lease on your PC or router/firewall will make a difference. There is no guarantee that it will.

The main problem is that most DHCP servers are configured by default to issue the same IP address to the previous MAC (ie: Media Access Control, not Macintosh) address which received said IP address whenever possible. The reason for this is it makes security audits much easier (ie: finding troublemakers on an ISP's network).