I am at my wit's end....keep getting listed

I've scanned every computer on my network for maliciousness, combed through the FAQs here, spent countless hours tweaking our mail server and I still can't figure out where our problem is. I've even shut down the outbound mail on our Exchange 2003 server for the night and we are still being listed. Is there any possible way I can pinpoint where the problem is originating from? I mean, if it's a machine inside our network, how do you tell which one it is? We are running Exchange 2003 with the latest patches; our server is mail.cpa-ws.com


mail.cpa-ws.com = 209.12.205.10

Checking the SCBL:

209.12.205.10 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 3 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 91.5 days, it has been listed 14 times for a total of 11.5 days

So you have both spam trap hits and user reports.

One of the paying spamcop members may be kind enough to post the details of those user reports for us.

Some things you can check in the meantime:

If you are using a virus scanner on your inbound email, make sure you are not sending a notification to the sender in the event a virus is found. Viruses ALWAYS forge the from address, so you will always be sending the notification to an unrelated 3rd party, sometimes to a spamtrap.

Make sure you have at least SP1 installed on Exchange 2003 as it contains important security fixes. Better yet, install the new SP2 as it has some very nice enhancements to IMF.

Under Global Settings->Message Delivery, on the Recipient Filtering tab check "Filter recipients who are not in the Directory", otherwise Exchange will generate NDRs for these messages rather than rejecting them during SMTP.

Make sure you have relaying turned off for anything other than your local network.

Some additional notes.

Senderbase shows a daily magnitude of 3.8; this is about 6300 messages per day being sent from that IP address. Does this sound about right for your organization? A compromised or exploited machine will usually show a magnitude of 5+ as the controller tries to spew out as much spam as possible before it is closed, so it is unlikely you have an open relay or virus sending spam.

Also Google abuse groups show no recent reported abuse, the last thing listed is from 2004, which makes the "Backscatter" scenario more likely.
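The SCBL check quoted at the top of this reply is an ordinary DNS lookup: reverse the octets of the IP, append the zone name, and read the 127.0.0.x answer. The script below is an added example (not SpamCop's code and not from the original thread) that builds the lookup name and interprets the answer; the `table_resolver` helper and its answer table are constructed so the logic can be exercised offline, and the sanity check against 127.0.0.0/8 guards against a dead or wildcarded zone being misread as a listing.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zone name and the 127.0.0.2 answer are the ones quoted in the thread above.
SCBL_ZONE = "bl.spamcop.net"


def dnsbl_query_name(ip: str, zone: str = SCBL_ZONE) -> str:
    """Build the DNSBL lookup name: octets reversed, zone appended.
    209.12.205.10 -> 10.205.12.209.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline resolver over a constructed answer table (for tests and dry runs).
    Names missing from the table behave like NXDOMAIN."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"NXDOMAIN: {name}")
    return resolve


def check_dnsbl(ip: str, zone: str = SCBL_ZONE,
                resolver: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Return the 127.0.0.x answer when the IP is listed, None when it is not.

    `resolver` maps a name to an A record and raises socket.gaierror for NXDOMAIN.
    It defaults to socket.gethostbyname, which needs network access."""
    resolve = resolver if resolver is not None else socket.gethostbyname
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # A genuine DNSBL answer always lies inside 127.0.0.0/8. A zone that has been
    # shut down and wildcarded, or a resolver that rewrites NXDOMAIN, returns
    # something else, and that must not be read as "listed".
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def describe_answer(answer: Optional[str]) -> str:
    """One-line verdict for a log entry or ticket."""
    return "not listed" if answer is None else f"listed ({answer})"


if __name__ == "__main__":
    # Live query against the real zone; needs network access.
    print("209.12.205.10:", describe_answer(check_dnsbl("209.12.205.10")))
```

Run it periodically from a monitoring host and alert on the transition from "not listed" to "listed"; that is far cheaper than discovering the listing from bounced customer mail.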


Looks like someone is using your server to spam illegal drugs:

Submitted: Thursday, June 15, 2006 2:39:47 PM -0400:

Our store is your cureall!

1796680102 ( 209.12.205.10 ) To: spamcop[at]imaphost.com

1796680083 ( 209.12.205.10 ) To: netabuse[at]xspedius.com

--------------------------------------------------------------------------------

Submitted: Friday, June 02, 2006 7:42:14 PM -0400:

***spam*** Drugs for confidents! Great offers!

1776630720 ( 209.12.205.10 ) To: spamcop[at]imaphost.com

1776630717 ( 209.12.205.10 ) To: netabuse[at]xspedius.com

--------------------------------------------------------------------------------

Submitted: Saturday, May 06, 2006 2:39:23 PM -0400:

***spam*** Viagra Soft Tabs

1741172375 ( 209.12.205.10 ) To: spamcop[at]imaphost.com

1741172349 ( 209.12.205.10 ) To: netabuse[at]xspedius.com

---------------------------------------------------------------------------------

Listed here also:

UCEPROTECT-Network Level 1:

IP 209.12.205.10 is actually blacklisted at UCEPROTECT Level 1

This means spam came from this IP directly.

You did send spam or your machine was compromised by someone else and abused for spamming.

Hope this helps......


> Under Global Settings->Message Delivery, on the Recipient Filtering tab check "Filter recipients who are not in the Directory", otherwise Exchange will generate NDRs for these messages rather than rejecting them during SMTP.
>
> Make sure you have relaying turned off for anything other than your local network.
>
> Some additional notes.
>
> Senderbase shows a daily magnitude of 3.8; this is about 6300 messages per day being sent from that IP address. Does this sound about right for your organization? A compromised or exploited machine will usually show a magnitude of 5+ as the controller tries to spew out as much spam as possible before it is closed, so it is unlikely you have an open relay or virus sending spam.
>
> Also Google abuse groups show no recent reported abuse, the last thing listed is from 2004, which makes the "Backscatter" scenario more likely.

I am running the following version of Exchange: Exchange System

Microsoft Corporation Version: 6.5.7638.1, and I have "Filter recipients who are not in the Directory" checked.

As far as the Senderbase goes, 6300 messages a day is just way too much for this server. At most it should be 1500. This is what I am trying to locate: who is sending the messages?

I appreciate everyone's help as I don't like to be a spewer of spam, especially illegal drugs.


> I appreciate everyone's help as I don't like to be a spewer of spam, especially illegal drugs.

I am not a server admin, but it sounds to me as though you have a trojan somewhere. The place to look for where the trojan is sending out spam is not in your regular logs, but in your firewall logs, I think. The trojans don't use the same ports as regular email.

Hope you find the problem soon since you don't want to be a spewer of spam!

Miss Betsy


> I am running the following version of Exchange: Exchange System
>
> Microsoft Corporation Version: 6.5.7638.1, and I have "Filter recipients who are not in the Directory" checked.
>
> As far as the Senderbase goes, 6300 messages a day is just way too much for this server. At most it should be 1500. This is what I am trying to locate: who is sending the messages?
>
> I appreciate everyone's help as I don't like to be a spewer of spam, especially illegal drugs.

You are correct that you are rejecting invalid addresses...good start:

220 server1.cpa-ws.internal Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830

ready at Fri, 16 Jun 2006 19:07:19 -0600

helo underwood.spamcop.net

250 server1.cpa-ws.internal Hello [66.168.115.246]

mail from: <underwood+test[at]spamcop.net>

250 2.1.0 underwood+test[at]spamcop.net....Sender OK

rcpt to: <test01234567890[at]cpa-ws.com>

550 5.1.1 User unknown

The 6300 messages are only those seen by the Senderbase network, so it is likely only a percentage of the mail going out. I know our mail server rarely shows any traffic on Senderbase.

"No address list shown since no email was detected from 199.79.137.0/24. "


Have you enabled message tracking and logging?

http://www.msexchange.org/tutorials/Exchan...ng-Logging.html

Exchange doesn't even do basic logging by default?

Yes, I have had that on for some time now. As I comb through the logs I don't see a lot of emails being sent out by a particular user. Most of the spam emails should have been sent by "Postmast[at]cpa-ws.com", but when I look at the logs the "Postmaster" account has hardly had any action on it.


> You are correct that you are rejecting invalid addresses...good start:
>
> 220 server1.cpa-ws.internal Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830
>
> ready at Fri, 16 Jun 2006 19:07:19 -0600
>
> helo underwood.spamcop.net
>
> 250 server1.cpa-ws.internal Hello [66.168.115.246]
>
> mail from: <underwood+test[at]spamcop.net>
>
> 250 2.1.0 underwood+test[at]spamcop.net....Sender OK
>
> rcpt to: <test01234567890[at]cpa-ws.com>
>
> 550 5.1.1 User unknown
>
> The 6300 messages are only those seen by the Senderbase network, so it is likely only a percentage of the mail going out. I know our mail server rarely shows any traffic on Senderbase.
>
> "No address list shown since no email was detected from 199.79.137.0/24. "

Thanks for the reply, Steven.

I think I have the correct settings on the server; I've gone through a lot of the FAQs and researched a bit. I fear that I may have a rogue computer on this network, as I can't seem to figure out where the email is coming from.


> Thanks for the reply, Steven.
>
> I think I have the correct settings on the server; I've gone through a lot of the FAQs and researched a bit. I fear that I may have a rogue computer on this network, as I can't seem to figure out where the email is coming from.

From other people's experience (I am not an admin) that info is more likely to come from your firewall logs than your server logs: trojanned machines don't use the 'usual' ports. To eliminate the SMTP/Auth hack, disable all 'vanilla' accounts, change all your users' passwords to 'strong' ones, and disable AUTH unless you really need it.


Is the IP address in question dedicated to ONLY the server, or is it running through a NAT enabled router servicing your whole network and just redirecting port 25 traffic to the server?

If it is your only IP on a NAT network, then any computer could be causing the problem. If you have a wireless access point anywhere on the network, it might not even be one of your computers!

One thing you might try doing, depending on the capabilities of your firewall, is to block outgoing traffic destined for port 25 from any computer except your mail server (there is really no reason a PC should ever be sending traffic out to the internet on port 25 unless you are sending mail through your ISPs SMTP server).

Many routers (the Linksys BEF series comes to mind) have a free downloadable utility you can use to monitor traffic moving through the router. I have found these utilities absolutely invaluable for tracking down rogue computers. Get it fired up and watch for outgoing traffic on Port 25 from any source other than your server.

Let us know what make/model firewall you are using, and we'll see if we can't find a little more detailed information.

Don't know if you did anything, but Senderbase is now showing a Daily Magnitude of 2.5 (around 300 messages per day). This could just be coincidence, but could also be a very promising sign.
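The advice in this post and in the earlier replies about firewall logs comes down to one question: which internal host, other than the mail server, is opening connections to port 25 on the internet? The script below is an added example, not from this thread or any vendor's tooling, that answers it over an exported firewall log. The LAN range, the server's internal address and the log layout are assumptions (the thread gives none of them), and the sample lines are constructed, with TEST-NET addresses standing in for the remote mail hosts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumptions: adjust to the real LAN range and the Exchange server's internal IP.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")
SMTP_PORT = 25

# Constructed sample in a simplified "date time action proto src:port dst:port"
# layout. Real router/firewall exports differ and need their own regex.
SAMPLE_LOG = """\
2006-06-16 19:07:19 ACCEPT TCP 192.168.1.10:4521 198.51.100.25:25
2006-06-16 19:07:20 ACCEPT TCP 192.168.1.37:1038 203.0.113.7:25
2006-06-16 19:07:21 ACCEPT TCP 192.168.1.37:1039 203.0.113.9:25
2006-06-16 19:07:22 ACCEPT TCP 192.168.1.22:3342 198.51.100.80:80
2006-06-16 19:07:23 DROP   TCP 192.168.1.37:1040 203.0.113.12:25
2006-06-16 19:07:24 ACCEPT TCP 192.168.1.10:4522 198.51.100.26:25
2006-06-16 19:07:25 ACCEPT UDP 192.168.1.22:1025 192.168.1.1:53
2006-06-16 19:07:26 ACCEPT TCP 198.51.100.40:51234 192.168.1.10:25
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into typed fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ip_address(rec["src"])
        rec["dst"] = ip_address(rec["dst"])
    except ValueError:
        return None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def rogue_smtp_sources(log_text: str, lan=LAN, mail_server=MAIL_SERVER) -> Dict[str, int]:
    """Count outbound TCP/25 connections per internal host, excluding the mail server.

    Any host that appears here is talking SMTP to the internet on its own, which
    is exactly what a spam-sending infection behind NAT looks like from the edge.
    DROP entries are counted too: once the port-25 egress rule is in place, the
    blocked attempts are what point at the infected machine."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "TCP" or rec["dport"] != SMTP_PORT:
            continue
        if rec["src"] not in lan or rec["dst"] in lan:  # outbound only
            continue
        if rec["src"] == mail_server:
            continue
        counts[str(rec["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in sorted(rogue_smtp_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} outbound SMTP connection(s) not via the mail server")
```

Inbound connections to the server and the server's own deliveries are filtered out, so on a clean network the result is empty; a single workstation with dozens of entries is the machine to pull off the wire first.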


> From other people's experience (I am not an admin) that info is more likely to come from your firewall logs than your server logs: trojanned machines don't use the 'usual' ports. To eliminate the SMTP/Auth hack, disable all 'vanilla' accounts, change all your users' passwords to 'strong' ones, and disable AUTH unless you really need it.

We eliminated vanilla accounts many months ago. Our AUTH setting needs to be enabled.

> Is the IP address in question dedicated to ONLY the server, or is it running through a NAT enabled router servicing your whole network and just redirecting port 25 traffic to the server?
>
> If it is your only IP on a NAT network, then any computer could be causing the problem. If you have a wireless access point anywhere on the network, it might not even be one of your computers!
>
> One thing you might try doing, depending on the capabilities of your firewall, is to block outgoing traffic destined for port 25 from any computer except your mail server (there is really no reason a PC should ever be sending traffic out to the internet on port 25 unless you are sending mail through your ISPs SMTP server).
>
> Don't know if you did anything, but Senderbase is now showing a Daily Magnitude of 2.5 (around 300 messages per day). This could just be coincidence, but could also be a very promising sign.

Thanks for your reply. We are running a NAT with no wireless involved. Some of our PCs use the SMTP server because they are outside of the internal network from time to time, using laptops. Thanks for the tip on port 25; I will see if that can be filtered. Other than that I guess I will have to go to each machine and run diagnostics and update their security software.


Ahh, so you have people outside the network sending stuff using your SMTP server? That could be part of the problem if the authentication is not set up right. I would recommend requiring people offsite to either use Outlook Web Access, or setting up RPC over HTTP and letting them use Outlook as they would in the office. RPC over HTTP actually works out much better because it means they can use all the features of Outlook just as if they were directly connected to the Exchange server.

Here is some more info on setting it up:

Exchange Server 2003 RPC over HTTP Deployment Scenarios


Another thought here

[at]Merlyn: Can you actually access the headers of the messages that were reported or is what you posted all you can see? If you can, see if they have a "X-MimeOLE: Produced By Microsoft Exchange V6.5" line in the headers. If so, then the spams are coming through the Exchange server. If not, then they are most likely originating from another computer on the network and the Exchange server is not involved at all.
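The header test described in this post, together with the Received-chain reading a practitioner would do alongside it, as an added example that is not part of the original thread. The two header blocks are constructed (the thread says the real reported headers could not be seen): the hostnames and IP are the ones shown earlier in the thread, while the receiving MX, the workstation name `pc37.cpa-ws.internal`, its private address and the dates are invented. One caveat the code reflects in its design: `X-MimeOLE` is written by the sending software and is trivially forged, so it is treated as a hint, whereas the Received lines added by the receiving MX are the evidence worth trusting.

```python
import re
from email import message_from_string
from typing import List, Tuple

EXCHANGE_MARKER = "Produced By Microsoft Exchange"

# Constructed sample 1: a message that really went through the Exchange server.
HEADERS_VIA_EXCHANGE = """\
Received: from server1.cpa-ws.internal ([209.12.205.10]) by mx.example.test with ESMTP; Thu, 15 Jun 2006 14:39:47 -0400
Received: from pc37.cpa-ws.internal ([192.168.1.37]) by server1.cpa-ws.internal; Thu, 15 Jun 2006 14:39:40 -0400
From: postmaster@cpa-ws.com
Subject: Our store is your cureall!
X-MimeOLE: Produced By Microsoft Exchange V6.5
"""

# Constructed sample 2: an infected PC behind the same NAT delivering straight to
# the remote MX with its own SMTP engine. Same public IP, no Exchange hop.
HEADERS_DIRECT = """\
Received: from unknown ([209.12.205.10]) by mx.example.test with SMTP; Fri, 02 Jun 2006 19:42:14 -0400
From: postmaster@cpa-ws.com
Subject: Drugs for confidents! Great offers!
"""

RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def produced_by_exchange(raw_headers: str) -> bool:
    """The check suggested in the post: does X-MimeOLE say Exchange produced it?"""
    msg = message_from_string(raw_headers)
    return EXCHANGE_MARKER.lower() in (msg.get("X-MimeOLE") or "").lower()


def received_chain(raw_headers: str) -> List[Tuple[str, str]]:
    """Return (claimed host, IP) for each Received line, newest hop first.

    The first entry was written by the receiving MX and cannot be forged by the
    sender; deeper entries are only as trustworthy as the host that added them."""
    msg = message_from_string(raw_headers)
    hops = []
    for line in msg.get_all("Received") or []:
        m = RECEIVED_FROM_RE.search(line)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def classify_origin(raw_headers: str) -> str:
    """Apply the post's rule of thumb, corroborated by whether the Exchange host
    appears anywhere in the Received chain."""
    exchange_hop = any("cpa-ws.internal" in host for host, _ in received_chain(raw_headers))
    if produced_by_exchange(raw_headers) and exchange_hop:
        return "relayed through Exchange"
    if produced_by_exchange(raw_headers):
        return "claims Exchange, but no Exchange hop in Received: treat the header as forged"
    return "sent directly, Exchange not involved"


if __name__ == "__main__":
    for label, hdrs in (("via Exchange", HEADERS_VIA_EXCHANGE), ("direct", HEADERS_DIRECT)):
        print(label, "->", classify_origin(hdrs), received_chain(hdrs))
```

If the reported spam shows the "direct" shape, the Exchange server's own logs will never contain it, which matches the observation earlier in the thread that the Postmaster account shows almost no activity, and the search moves to the firewall.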


> Ahh, so you have people outside the network sending stuff using your SMTP server? That could be part of the problem if the authentication is not set up right. I would recommend requiring people offsite to either use Outlook Web Access, or setting up RPC over HTTP and letting them use Outlook as they would in the office. RPC over HTTP actually works out much better because it means they can use all the features of Outlook just as if they were directly connected to the Exchange server.
>
> Here is some more info on setting it up:
>
> Exchange Server 2003 RPC over HTTP Deployment Scenarios

The users basically log onto the mail server using https: and access their Outlook that way. RPC may not work since they are always at different places using different networks.

One question remains: if I disable outbound mail in Exchange, shouldn't that stop the mails from going out, or is an infected machine able to send out on its own?


Sorry I cannot see the headers

but it is also listed in

209.12.205.10 YES LISTED BY wpbl.dnsbl.net.au --> see http://wpbl.pc9.org/

209.12.205.10 YES LISTED BY ucepn.dnsbl.net.au --> see http://www.uceprotect.net/en/

209.12.205.10 YES LISTED BY t1.dnsbl.net.au --> see http://dnsbl.net.au/t1/

I still think it is an SMTP Auth hack, like I stated above.

Is the Guest account still active? It should be turned off. If it has been hacked it is probably too late, as all users would need new passwords.

Spam is still flowing through the machine though.


I will email Ellen and see if we can find out any more about the headers of the email. It would be nice to either confirm or eliminate whether the email is coming from the Exchange Server.

And yes, RPC over HTTP is specifically designed to be used from anywhere over HTTPS. That's what we use here for our users on the road to access the Exchange server.


> Sorry I cannot see the headers
>
> but it is also listed in
>
> 209.12.205.10 YES LISTED BY wpbl.dnsbl.net.au --> see http://wpbl.pc9.org/
>
> 209.12.205.10 YES LISTED BY ucepn.dnsbl.net.au --> see http://www.uceprotect.net/en/
>
> 209.12.205.10 YES LISTED BY t1.dnsbl.net.au --> see http://dnsbl.net.au/t1/
>
> I still think it is an SMTP Auth hack, like I stated above.
>
> Is the Guest account still active? It should be turned off. If it has been hacked it is probably too late, as all users would need new passwords.
>
> Spam is still flowing through the machine though.

No, the Guest account has always been disabled. When you say SMTP Auth hack, are you saying that a password has been compromised, or are there specific Auth hacks that can be plugged?

> Most (all) recent viruses have their own SMTP engine so they do not use the server. You would need to check your firewall logs for SMTP access from other machines.

But if a machine was compromised and used its own SMTP capabilities, would it not show some other URL instead of ours?


> But if a machine was compromised and used its own SMTP capabilities, would it not show some other URL instead of ours?

If by "some other URL" you mean "some other IP address", we are working on the assumption (unanswered question, I believe) that you have multiple machines hiding behind the IP address that is listed, including your mail server. If this is not the case and your mail server is on its very own IP address, then IF it is a virus causing this, THEN it would have to be a virus on your server, which you have already scanned.

Further explanation: with NAT, you can have one public IP address and multiple local IP addresses (192.168.x.x, 10.x.x.x, etc.) hiding behind that public IP. You would set up your firewall/gateway device to direct all incoming port 25 traffic to your mail server, all port 80 traffic to your web server, etc. Connections to the internet from any of your machines would show up only as the single public IP address.


Archived

This topic is now archived and is closed to further replies.
