Full Version: blocklisted 38.104.99.170
mtsupport
Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.
Miss Betsy
Spamcop bl is automatic - as long as no more spam is reported, this IP address will delist in 9 hours.

* DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information

Because of the above problems, express-delisting is not available

I am not a server admin, but I assume that this will mean something to you.

I am not sure what you mean by 'how to fix' - are you satisfied that you have found the source of the spam? Or are you asking what else you can do?

Otherwise, you will be delisted automatically. You cannot use the express delisting because of the DNS error.

Miss Betsy
Wazoo
QUOTE(mtsupport @ Jan 27 2009, 11:32 AM) *
Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.

Nothing said about any research done on your part at all. Nothing said about anything "found" after all that patching and updating. Nothing said about just what tools/hardware are in use. Nothing said about firewalls, for instance, to include any logs. Nothing about any network details, if this is an e-mail server for you or a thousand users, etc. etc. etc. Nothing said about checking out the FAQ or reading any of the Pinned items, specifically, the Why am I Blocked? entries.

http://www.spamcop.net/w3m?action=checkblo...p=38.104.99.170
Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week

Both situations suggest a number of things (see the FAQ entry)

DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information
.... suggests other work needs to be done or explanations offered

In the past 3.6 days, it has been listed 2 times for a total of 2.2 days
... says it was on the list, came off the list, got back on the list .... was this because your server was down for a period, but brought back on-line while still in a spewing mode .. or some other storyline involved?

http://www.senderbase.org/senderbase_queri...g=38.104.99.170
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 3.4 .. 196%
Last month .. 3.0

No idea how 'old' these numbers are at this point, but the obvious question is .. can you go along with the numbers and the increase in traffic flow?
mtsupport
My apologies, you are absolutely correct.

We have 6 Windows 2003 SBS Servers behind a single linksys firewall rv016.

One of them is running Exchange 2003 SP2

I did automatic updates on all the servers. There were 17 security updates installed.

Ran updates on McAfee Virus and SpamKiller Server; definition and signature lists are current.

Ran Malwarebytes, it detected some tracking cookies, but nothing else.

Can you guys check to see if your traps are still seeing things from 38.104.99.170.

I'm assuming there's a trojan or bot that might be causing this. We are just trying to run a nice clean mail server. BTW, this is the first time this server has been listed. ( twice )

Thanks,
agsteele
QUOTE(mtsupport @ Jan 27 2009, 06:20 PM) *
Can you guys check to see if your traps are still seeing things from 38.104.99.170.

We're all users of SpamCop so have only limited access to data. In fact you can see pretty much everything we can see except for content of the spam that has been reported (for those of us who are paying users).

If you have a trojan on your net then your best bet is to start logging traffic through the firewall/router and identify the source machine.

Andrew
mtsupport
Thanks Andrew,

I was under the assumption that the admin in this forum could actually check the status of a blocklisted ip. I read a previous thread replying to a blocked user saying they could still see spam coming from their server.

I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted.

Any advice will be helpful.

StevenUnderwood
QUOTE(mtsupport @ Jan 27 2009, 02:31 PM) *
I was under the assumption that the admin in this forum could actually check the status of a blocklisted ip. I read a previous thread replying to a blocked user saying they could still see spam coming from their server.

I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted.

Any advice will be helpful.

SpamCopAdmin stops by from time to time, and he has that access. The Forum Admin does not.

BTW, I assume you are aware you are posting from the same IP that is listed. Any machine behind that IP could be affecting the listing.

These are the reports available to paid customers:

Submitted: Monday, January 26, 2009 22:30:24 -0500:
Try Viagara Free
3818911302 ( 38.104.99.170 ) To: abuse[at]cogentco.com
---------------------------------------------------------
Submitted: Tuesday, January 06, 2009 20:42:18 -0500:
Diversity & Inclusion contact person & info request
3771639926 ( 38.104.99.170 ) To: abuse[at]cogentco.com
-------------------------------------------------------
Submitted: Tuesday, January 06, 2009 20:42:16 -0500:
Diversity & Inclusion contact person & info request
3771639880 ( 38.104.99.170 ) To: abuse[at]cogentco.com
mtsupport
Steven,

I have frantically checked 35 workstations behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

Is there any utility or tool you would recommend to see what's coming from 38.104.99.170. I need to be absolutely sure that this is fixed by morning. It could mean my job.

Thanks for everyone's input.

PS I did not know there was a paid membership option.

turetzsr
QUOTE(mtsupport @ Jan 27 2009, 03:51 PM) *
<snip>
I have frantically checked 35 workstation behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.
...Sounds like a good start. But IANASA (I am not a server admin) so my suggestions should be taken with a large grain of salt.
QUOTE(mtsupport @ Jan 27 2009, 03:51 PM) *
Is there any utility or tool you would recommend to see whats coming from 38.104.99.170.
<snip>
...Wazoo earlier mentioned firewall logs. Perhaps you could check the logs to try to find some of the verbiage presented earlier by StevenUnderwood (noting, again, that IANASA).
QUOTE(mtsupport @ Jan 27 2009, 03:51 PM) *
PS I did not know there was a paid membership option.
...No reason you should. This is a reporting membership option and (I assume) you have not registered as a SpamCop reporter. <g>
Wazoo
QUOTE(mtsupport @ Jan 27 2009, 02:51 PM) *
I have frantically checked 35 workstation behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

The timer has not been reset on the SpamCopDNSBL listing (now showing 4 hours remaining) .. The SenderBase number has come down slightly. At least there's the hint that something good happened, perhaps that single machine.
QUOTE
Is there any utility or tool you would recommend to see whats coming from 38.104.99.170. I need to be absolutely sure that this is fix by morning. It could mean my job.

To actually "see" what's going out, a network/packet sniffer would be required. In all honesty, there's probably not enough time left in the day to learn how to use one of those and gather any good/specific data. If the "linksys firewall rv016" is programmable, can you limit Port 25 output to those authorized servers? (and there's the question as to whether or not that appliance offers enough detail in its logs to show traffic coming from non-authorized systems, again, focusing in on Port 25 outgoing?)
QUOTE
PS I did not know there was a paid membership option.

SpamCop Reporting Accounts
and more specifically, ISP Account or How can I get SpamCop reports about my network?
mtsupport
Wazoo,

Thanks for the words of encouragement. I've used packet sniffers before. SnifferPro. I just want to monitor or listen to that external ip. I have VLANs and switched networks, even with a promiscuous card I have trouble seeing all traffic. May need to install 4 port hub at the WAN port.

I just don't want this to happen again, it has been a total nightmare.

I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight.

Thanks again.
mtsupport
I have a question for everyone. Are there any early warning tools or utilities to get jump start on this before it escalates?

Thanks, for all the help.
DavidT
QUOTE(mtsupport @ Jan 27 2009, 04:26 PM) *
I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight.

That "someone" is active in the forums this afternoon, but perhaps he hasn't had a chance to respond here or get in touch with you (not sure if he ever uses the PM system or not...I'm guessing not). Maybe he'll post or get in touch.

DT
Farelf
Still counting down, that's good. Note 38.104.99.170 is also on dnsbl-1.uceprotect -

H:\>nslookup 170.99.104.38.dnsbl-1.uceprotect.net
...
Name: 170.99.104.38.dnsbl-1.uceprotect.net
Address: 127.0.0.2

Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.
DavidT
QUOTE(Farelf @ Jan 27 2009, 04:55 PM) *
Note 38.104.99.170 is also on dnsbl-1.uceprotect -
(snip)
Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.

Just a little...which can be obtained by using their query tool, at:

http://www.uceprotect.net/en/rblcheck.php

QUOTE
What means listed at UCEPROTECT-Level 1?
It means spamtraps were hit from IP 38.104.99.170 directly within the last 7 days, and therefore your mail got blocked.

Last Impact: 24.01.2009 3:50pm CET +/-10min| Earliest Expiretime: 31.01.2009 4:00pm CET

If you are responsible for IP 38.104.99.170:
You can easily find out which UCEPROTECT-Server did list your IP and for what reason.
To do this, search your mailserver's logs (last 8 days) for the following expression: Access denied and blocklisted
All you need to know in order to locate the problem should be inside your logfiles.
If you can't find that string, you mostly have a trojan with its own SMTP engine in your LAN.

How can the IP 38.104.99.170 be removed from UCEPROTECT-Level 1?
Level 1 listing will be removed automatically and free of charge, as soon as there is no abusive action seen for 7 days.


So...IPs stay on that BL for 7 days...it's not a good source of realtime info regarding your status.

DT
Farelf
QUOTE(mtsupport @ Jan 28 2009, 08:44 AM) *
...I have a question for everyone. Are there any early warning tools or utilities to get jump start on this before it escalates?...
Tools and utilities - I will leave that to others but you might browse thedatalist - http://lists.thedatalist.com/index.html commented on at http://forum.spamcop.net/forums/index.php?showtopic=8241

As you may have noticed in an earlier post, SC reports go to abuse[at]cogentco.com as the nominal abuse handler for that IP address. They should contact you when they get a report. In the case of a spamtrap hit there is no report (and immediate listing) otherwise (member reports) it might give some notice. You may be able to register on an ISP account which would give you direct access. Wazoo's earlier post had the link about that.
mtsupport
This is a really good forum. I will frequent it often. I'm sure the SpamCop admins have their hands full. Anyways, you guys are a wealth of information. Do you belong to any other forums or groups?

Any recommendations on a good server anti-spam application, I hear GFI is pretty good. Anyone have experiences with SpamTitan?
Farelf
QUOTE(DavidT @ Jan 28 2009, 09:02 AM) *
Just a little...which can be obtained by using their query tool, at:

http://www.uceprotect.net/en/rblcheck.php
Thanks David.

For the O/P - when we had problems with our server I made a habit of checking the comprehensive BL listings - the Robtex one is good http://www.robtex.com/ip/38.104.99.170.html - gives a listing summary near the top of the page, hit the "blacklists" tab for the complete run-down of coverage. Some of those BLs might happen to pick up a spam hit (or other problems) in time for you to fix things and stay off other lists. That's one of the strengths of the SCBL - an early notification.
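Farelf's nslookup of 170.99.104.38.dnsbl-1.uceprotect.net above, and the suggestion here to poll several blocklists as an early warning, are the same operation: reverse the octets of the IP, append the zone name, and treat an answer in 127.0.0.0/8 as "listed". The script below is an added example for this thread, not code from SpamCop, UCEPROTECT or the original posters. The two zone names are the ones discussed in the thread; the resolver is injectable so the logic can be exercised without network access, and the meaning of specific 127.0.0.x answers is left to each list's own documentation.

```python
"""Query several DNS blocklists for an IPv4 address.

Added example for this forum thread, not SpamCop's or UCEPROTECT's code.
Assumptions: the zones polled are the two named in the thread, and any
answer inside 127.0.0.0/8 means "listed" (the generic DNSBL convention).
"""
import ipaddress
import socket

# Assumed default set of zones to poll (SCBL and UCEPROTECT level 1).
DEFAULT_ZONES = ("bl.spamcop.net", "dnsbl-1.uceprotect.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name used for a DNSBL lookup.

    38.104.99.170 checked against dnsbl-1.uceprotect.net becomes
    170.99.104.38.dnsbl-1.uceprotect.net, exactly as in the nslookup above.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listing_answer(answer: str) -> bool:
    """A DNSBL signals 'listed' with an A record in 127.0.0.0/8.

    Anything else (for example a parked wildcard domain answering with a
    public address) is treated as 'not listed' rather than as a hit.
    """
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def check_ip(ip: str, zones=DEFAULT_ZONES, resolve=socket.gethostbyname) -> dict:
    """Return {zone: answer-or-None}. NXDOMAIN (socket.gaierror) means not listed.

    `resolve` is injectable so the logic can be tested offline with a fake.
    """
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            results[zone] = None
            continue
        results[zone] = answer if is_listing_answer(answer) else None
    return results


def listed_zones(ip: str, zones=DEFAULT_ZONES, resolve=socket.gethostbyname) -> list:
    """Just the zones on which `ip` is currently listed, sorted by name."""
    return sorted(z for z, a in check_ip(ip, zones, resolve).items() if a)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "38.104.99.170"
    for zone, answer in check_ip(target).items():
        state = f"LISTED ({answer})" if answer else "not listed"
        print(f"{target:>16} {zone:<26} {state}")
```

Run it from cron against your outbound IP and alert when `listed_zones()` changes from empty to non-empty; that gives you the notice from the SCBL or a smaller list before the large providers start bouncing mail.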
Wazoo
http://www.cisco.com/en/US/docs/routers/cs...0_UG_NC-WEB.pdf (an absolutely horrible and massive PDF of a bad scan job) seems to suggest that services (SMTP in this case) can be configured in, both as allowed/denied activities, and as a log specific ... though admitting it looks a bit painful for the first go-through. Of course, that probably also depends on whether you've got your networked devices (e-mail servers for sure) set on dedicated IP Addresses .... everything accepting DHCP assignments would probably really make the above a total waste of time.
Wazoo
http://spamcop.net/w3m?action=checkblock;ip=38.104.99.170
38.104.99.170 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...g=38.104.99.170
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 0.0 ... N/A
Last month .. 3.0

Hopefully, things are still working and this isn't simply due to a change of the IP Address in use ...????

Later Edit: ... as of 0420 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 1.8 .. -94%
Last month .. 3.0
agsteele
Just to note that the paid reporter options are also available to Email account subscribers. That can be a more economical approach for some.

Andrew
Telarin
One other thing you might consider doing if you haven't already. Since you are using an RV016, which has the ability to configure firewall rules, you might consider adding a rule to block any traffic originating from your LAN that is destined for port 25 unless it is coming from your mail server. That way even if one of your workstations does get infected and start spewing spam again, it will be blocked at the firewall before it can leave your network. You might also try configuring one-to-one NAT so that your Exchange server is using a different IP from your workstations, although I have never been able to get that to work as it is supposed to on the RV series routers.
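The egress rule above is also what makes the firewall log useful: once only the mail server may open outbound TCP/25, every other LAN host that tries is either a spambot or a misconfigured client. The script below is an added example for this thread, not code from the original posters or from Linksys/Cisco. It parses a constructed, generic "proto src:port -> dst:port action" log format (not the RV016's own export format; adapt `parse_line()` to whatever your appliance writes) and counts outbound SMTP connection attempts per LAN source other than the assumed mail server address, so the log can be reviewed without loading it into a spreadsheet. Both ALLOW and DENY lines are counted: before the rule exists the ALLOW lines show who was spewing, and after it the DENY lines are the early-warning signal for the next infection.

```python
"""Find LAN hosts opening outbound TCP/25 that are not the mail server.

Added example for this forum thread, not the original posters' code and
not the RV016's log format. Assumptions: mail server at 192.168.1.10,
LAN 192.168.1.0/24, and a constructed line format shown in SAMPLE_LOG.
"""
import ipaddress
import re
from collections import Counter

# Assumed addresses: the one authorized outbound SMTP host and the LAN range.
MAIL_SERVER = ipaddress.IPv4Address("192.168.1.10")
LAN = ipaddress.IPv4Network("192.168.1.0/24")
SMTP_PORT = 25

# Constructed sample log lines for illustration (not taken from the thread).
SAMPLE_LOG = """\
2009-01-27 09:12:01 TCP 192.168.1.10:4432 -> 64.12.138.161:25 ALLOW
2009-01-27 09:12:07 TCP 192.168.1.57:1201 -> 65.54.188.72:25 ALLOW
2009-01-27 09:12:08 TCP 192.168.1.57:1202 -> 64.12.138.161:25 ALLOW
2009-01-27 09:12:09 TCP 192.168.1.57:1203 -> 209.85.201.27:25 ALLOW
2009-01-27 09:12:10 UDP 192.168.1.57:1204 -> 8.8.8.8:53 ALLOW
2009-01-27 09:12:11 TCP 192.168.1.23:3390 -> 72.14.203.109:80 ALLOW
2009-01-27 09:13:00 TCP 192.168.1.88:2345 -> 66.94.237.64:25 DENY
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.IPv4Address(m["src"]),
        "dst": ipaddress.IPv4Address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def rogue_smtp_sources(log_text: str, mail_server=MAIL_SERVER, lan=LAN) -> Counter:
    """Count outbound TCP/25 flows per LAN source that is not the mail server.

    Only flows from inside the LAN to an outside destination are counted;
    internal client-to-Exchange submission on port 25 is ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != SMTP_PORT:
            continue
        if rec["src"] not in lan or rec["dst"] in lan:
            continue  # not an egress flow from our LAN
        if rec["src"] == mail_server:
            continue  # the one host allowed to send directly
        counts[str(rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for host, n in rogue_smtp_sources(SAMPLE_LOG).most_common():
        print(f"{host:<16} {n} outbound SMTP attempt(s): investigate this machine")
```

Feed it the exported log instead of `SAMPLE_LOG` (for example `rogue_smtp_sources(open("fw.log").read())`); the host at the top of the list is the one to pull off the network first. If the appliance only logs denied traffic, enable logging on the deny rule so that these lines exist at all.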
mtsupport
Thanks for everyone's feedback. Everything is back online. There seems to be some residual effects of the blocklist. ATT and sbcglobal.net are still showing blocks.

I have modified the firewall to only allow port 25 traffic from the mail server as suggested.

I've installed enterprise virus management software, so I can see which machines get infected.

I have inventoried all the machines, assigned asset tags and documented their LAN IPs.

Ran auto updates on all the servers.

Downloaded the firewall access log, Excel ran out of space, I'll review later to identify the spam output.

Otherwise things aren't too bad. I'm sure I will have an interesting discussion with my boss, hopefully I'm still employed.

Thanks again guys, you are all a great team!
Derek T
QUOTE(mtsupport @ Jan 28 2009, 05:23 PM) *
Otherwise things aren't too bad. I'm sure I will have an interesting discussion with my boss, hopefully I'm still employed.

Thanks again guys, you are all a great team!

You might point out that if instead of using a windows server and windows PCs behind it, they had all been running (free) linux, then none of this would have happened
Telarin
Except that if everyone ran linux, that would simply become the new OS of choice for hackers and virus writers.
Farelf
QUOTE(Telarin @ Jan 29 2009, 06:28 AM) *
Except that if everyone ran linux, that would simply become the new OS of choice for hackers and virus writers.
Too true. The corporate world used to instinctively incline to 'herd behavior' now they use risk analysis (of the 'bigger picture' variety) to justify staying squarely in the mainstream. Anyone dealing with corporates 1997/98 who had a 'text only' e-mail application/client would have had that forcibly brought home when HTML e-mail became the 'norm' virtually overnight. That would have been the advent of Outlook, I guess. And where the corporate world leads, the 'private' follows - tax effective employee assistance schemes facilitating/encouraging group PC purchases in the 70s and 80s being one of the factors (so the masses could get up to speed in their own time, no harm done to the bosses' stock portfolios either).

But Linux servers aren't exactly a great leap into the unknown these days. Certainly worth putting on the table if it comes to that, IMO. [on edit] Not that Linux servers are anything like bulletproof. Seem to recall reading somewhere that the majority of hacked servers were Linux? Anyway, Google says
QUOTE
about 146,000 for compromised server linux
... which is indicative that such things happen (but not quite as many hits as 'compromised server windows').
Wazoo
data point
http://spamcop.net/w3m?action=checkblock;ip=38.104.99.170
38.104.99.170 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...g=38.104.99.170
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ....... 3.1 .. 36%
Last month ... 3.0