I am consulting for a company that has been added to the spamcop bl. The address is 24.123.103.228 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through time warner and at&t. The bl was listed 16 hours ago according to spam cop though I have recieved no notification that I am aware of. I actually found out when client email started bouncing (its a law office). Anyway according the person I emailed at spamcop it was phishing emails passing through our server. We sit behind a decent firewall and as far as I can find have no open relay's.

This was the reason given:

Phish mails:


Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO
WGEX.domain.com) (24.123.103.228)
[trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000
Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft
SMTPSVC(6.0.3790.1830);
Thu, 26 Oct 2006 07:xx:xx -0500
Subject: Update your online banking account information.

The 24.108.64.181 traces to the nameserver at iil.com which is according to arin in Canada. Im rather stumped, in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for. BTW I am running exchange 2003.

Hope i've provided enough info.

then please go directly to this FAQ page and follow its advice:

http://www.spamcop.net/fom-serve/cache/372.html

Also, since the traffic from that IP has been hitting secret spam trap addresses, you *might* also have a problem with misdirected non-delivery reports. Here's a link to the MS page about that:

http://support.microsoft.com/default.aspx?...kb;en-us;294757

Once you've seen the info there, report back here about whether those issues might be involved with your situation.

DT

Thanks for the quick response, I'll start digging through that now. Figures things would go bad the week my boss leaves town.

The received line is similiar to my Exchange 2003 relay line that it is possible. Alpha1 below is in my allowed relay list.

Received: from alpha1.kopin.com ([192.168.1.62]) by owa.kopin.com with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 27 Oct 2006 07:22:03 -0400

Have you checked to see your relaying rules?
Exchange System Manager
Drill down through Administrative Groups, First Administrative Group, Servers, SERVERNAME, Protocols, SMTP.
Open properties of: Default SMTP Virtual Server
Access Tab, Relay button.

See what the settings are there.


It looks like you do reject, at least for nonexistent addresses. You do allow external AUTH, however, so if there are no open relay IPs, you may have a cracked username/password. I assume you can get who AUTH'd by searching the logs for that message.