Happy Thanksgiving! I am the server administrator for a small hosting company and recently our server, 66.135.33.231, has been listed on SpamCop's blacklist serveral times over the last couple weeks. I have taken several steps to secure the mail server, Running Mail Enable software, but I am still seeing SPAM sent out and we are still getting listed.

I believe the problem is a trojan sending out mail but was looking for any other info or advice the community can provide. My reason to belive it is a trojan is because sample spam I am seeing sent is not coming from any customers on the server and I can't find a history of it in the SMTP activity logs.

I am using SPF, relays are closed, Reverse DNS lookups, and authenticated senders must be sending from a valid domain. The amount of junk mail coming from the server has been greatly reduced but I am still having problems being listed...

I am in the process of changing passwords and setting up a firewall (I know a firewall should have always been there... I am new to this and trying my best to learn).

Any other advice, suggestions is greatly appreciated. I fully support what SpamCop is doing and I hate that I may inadvertently be contributing to SPAM!!!!

Thanks in advance!

Neal - idesign

501 Your domain does not seem to be valid. Could not find MX record for your domain

Your server (if not infected) is not stamping the IP source from where the email came
http://www.spamcop.net/sc?id=z1087964718z8...c974068e18a468z
IP 211.27.248.13 is my computer If an email server is competently set-up SpamCop will only block the source computer not an email server after it

Your server is bouncing (joe jobbing email addresses) to SpamCop Spamtraps which are better than bank security to guess
Spam samples reported from/through your email server
Submitted: Tuesday, 21 November 2006 2:01:58 AM +1100:
[***SPAM*** Score/Req: 11.3/8.0] Poised to Make a Big Move?,Michael Miller
2027177523 ( 66.135.33.231 ) To: spamcop[at]imaphost.com
2027177497 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com

--------------------------------------------------------------------------------

Submitted: Sunday, 19 November 2006 9:54:42 PM +1100:
Squawk Box Stock Alert,MICHIO TAMAKI
2025169400 ( 66.135.33.231 ) To: spamcop[at]imaphost.com
2025169345 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com

--------------------------------------------------------------------------------

Submitted: Sunday, 19 November 2006 10:36:14 AM +1100:
Stock Player Emerging Equity Report,Marian Nardini
2024420685 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com

Thanks for the quick reply. A couple questions regarding your post...

What does the 501 error refer to? I do have MX records for the valid domains setup on the server. What domain did you check that returned that error?

You also mentioned that my server, if not infected, is not properly stamping the source URL where the email came from. I believe that the proper settings are in place to track the referring URL. How can I test this?

Also, I searched the SMTP log for Nov. 21st, I looked for the address [at] imaphost.com and there is no record of any message being sent to that address. To me that means I am probably infected... Is that a safe assumption?

Sorry if these questions seem basic... Trying to learn and take the best approach to fix the issue.

Neal - idesign.

Might help if we new what type (and version) of server you are using. There are faqs here about the SMTP/AUTH hack. Does your server stamp the IP of the originating compuer in the headers? If so, the SpamCop algorithm will list that IP rather than your mailserver.

No, not a safe assumption. The addresses listed are the asdresses that reports went to. To get mote information on those reports, you should contact the people at: abusespamcop[at]tickets.serverbeach.com

(1) Just checked if your email server to see if it was OPEN (It is secure) However a warning was
"501 Your domain does not seem to be valid. Could not find MX record for your domain"
I believe this means the/an IP can/maybe "Spoofed"

(2) Send yourself an email to Hotmail (free throw-away account and look)

(3) Can you have Symantec check that IP for both Virus and trojan? Its free

(4) You need to look for SUBJECT
IMAP @ is where SpamCop sends secondary reports (secondary reports often are then used to contact criminal agencies)

Look for SUBJECTS such as

"Poised to Make a Big Move?,Michael Miller"

"Squawk Box Stock Alert,MICHIO TAMAKI"

You can also contact "abusespamcop[at]tickets.serverbeach.com"

Thank you for the advice so far. Unfortunately, my Thanksgiving holiday and supposed "break" has been spent trying to solve my IP SPAM issues and I don't think I'm making much headway...

Here is what I have done in the last few days, but it doesn't look like it has been much help. Any more advice is GREATLY appreciated...

1. As suggested, I have sent myself a message to Hotmail, and all headers are included below. From what I can tell the server is stamping the IP's correctly.

From : <nstclair[at]idesignbusiness.com>
Sent : Friday, November 24, 2006 11:39 AM
To : <nstclair78[at]hotmail.com>
Subject : Email Test


MIME-Version: 1.0
Received: from mail.idesignbusiness.com ([66.135.33.231]) by bay0-mc10-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 24 Nov 2006 11:43:51 -0800
Received: from 71.130.213.4 ([71.130.213.4]) by idesignbusiness.com with MailEnable WebMail; Fri, 24 Nov 2006 11:39:28 -0800
X-Message-Info: txF49lGdW43OLNgW/qhd6jSTprYU8Ia6MpJKPFkiY2A=
X-Mailer: MailEnable Web Mail 1.1
X-Read: 0
Return-Path: nstclair[at]idesignbusiness.com
X-OriginalArrivalTime: 24 Nov 2006 19:43:51.0440 (UTC) FILETIME=[DE071900:01C71000]

2. I ran a full system scan using the Symantec link above. It did find a couple viruses, specifically, Hackbox, and the two infected files were deleted from the system. That was the only thing found.

3. I did receive an email from abusespamcop[at]tickets.serverbeach.com and I have included the headers of one of the SPAM email below:

[ Offending message ]
Return-path: <wjxyex[at]midwayproducts.com>
Envelope-to: x
Delivery-date: Sun, 26 Nov 2006 17:25:04 -0800
Received: from avcon2 by corvus.lunarpages.com with local-bsmtp (Exim 4.52)
id 1GoVEy-0000Kk-RB
for x; Sun, 26 Nov 2006 17:25:04 -0800
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
corvus.lunarpages.com
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.8 required=7.5 tests=BAYES_99,INVESTMENT_ADVICE,
RCVD_IN_BL_SPAMCOP_NET,UNPARSEABLE_RELAY autolearn=no version=3.1.7
X-Spam-Report:
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
* lines
* 3.7 INVESTMENT_ADVICE BODY: Message mentions investment advice
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?66.135.33.231>]
Received: from [66.135.33.231] (helo=idesignbusiness.com)
by corvus.lunarpages.com with smtp (Exim 4.52)
id 1GoVEy-0000Ka-Et
for x; Sun, 26 Nov 2006 17:25:00 -0800
Received: from root by idesignbusiness.com (Postfix) with SMTP id T3vIOhYQOwtM for <x>; Sun, 26 Nov 2006 17:19:05 -0800
X-BrightmailFiltered: true
X-Brightmail-Tracker:DJKSD==
X-IronPort-AV:i="1.43,321,2118149489";
d="scan'219"; a="3728321:sNHT843912823"
Message-ID: <05Jb________________________LVG1[at]midwayproducts.com>
From: chad a wilson <wjxyex[at]midwayproducts.com>
To: convert <x>
Subject: [j_100] *****SPAM***** The SmallCapInvestor,Mr Geoff Smith
Date: Sun, 26 Nov 2006 17:09:22 -0800
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-AIMC-AUTH: wjxyex
X-AIMC-MAILFROM: wjxyex[at]midwayproducts.com
X-Spam-Prev-Subject: The SmallCapInvestor,Mr Geoff Smith

4. I am running MailEnable Pro on a Windows 2000 Server and today I installed MEFilters which is their advanced filtering software. The filters I am using include:

- SPAM Filter - Stopping messages with specific phrases found in the subject and body

- SPF Filter - I am stopping all messages with a "NONE" SPF, Soft Fail, or Fail SPF

- Authentication is Required, Relay is Closed

- Authenticated Senders must send from a valid domain on the server

- Reverse DNS, PTR is enabled

Since I setup the new filters approx. 12 hours ago the SPAM filter has stopped ~80 messages, SPF ~ 1200.

BUT... with all these actions in place I am repeatedly being listed in SpamCop. It actually has gotten worse in the last couple days not better...

Is it really this hard to stop this malicious action? I have invested so much time in this but I am close to giving up and begin the arduous process of moving all my client domains to another hosting provider and getting out of this all together...

Any more help or tips out there?

Neal

Hi Neal, you found no trace of the origin of that message? Or the others, subjects of which petzl quoted? Hopefully a server admin will give you some advice next time one wanders past. Yes, it does seem to be getting worse - noting from http://www.dnsstuff.com/tools/ip4r.ch?ip=66.135.33.231 appearance on a number of other blocklists. On the positive side, these provide yet more data for your search for how this stuff is coming from your address - such as http://bl.csma.biz/cgi-bin/listing.cgi?ip=66.135.33.231

Fri Nov 3 22:13:22 2006 Received - New Breed of Stock Trader,Mary Lou Begg
Sat Nov 4 10:54:11 2006 Received - The Bull is Back in Select Small Caps,L M McCarthy
Fri Nov 17 22:09:42 2006 Received - Stock Maven Newsletter,Hussein Dossaji
Sun Nov 19 12:21:08 2006 Received - Addicted to Growth Stocks?,Earl E West jr

Good luck.

Neal,

I can certainly appreciate the frustration you are facing.

Earlier in the thread Derek T asked if you would say which software you are using for your mail server. I'd expand that a little.

Could you describe how your outgoing Email is processed including telling us which SMTP server you are using for outgoing including ip addresses where appropriate.

A description would help me, at least, to understand how your mail is being distributed.

Andrew

1. As suggested, I have sent myself a message to Hotmail, and all headers are included below. From what I can tell the server is stamping the IP's correctly.

SpamCop correctly parses this and identifies IP 71.130.213.4 as the source of message
http://www.spamcop.net/sc?id=z1148117337z6...cea34496badbcfz
SpamCop would not list your email server

2. I ran a full system scan using the Symantec link above. It did find a couple viruses, specifically, Hackbox, and the two infected files were deleted from the system. That was the only thing found.

You need to ALSO do the "security scan" not only the virus one

3. I did receive an email from abusespamcop[at]tickets.serverbeach.com and I have included the headers of one of the SPAM email below:

In this case SpamCop identifies the email server as the source
http://www.spamcop.net/sc?id=z1148137281z6...b39417c1d559bdz
You are probable bouncing email to spamtraps which means you are getting listed on other blocklists Many Companies ISP's do not disclose their blocklists and just bitbin email

4. I am running MailEnable Pro on a Windows 2000 Server and today I installed MEFilters which is their advanced filtering software.

Since I setup the new filters approx. 12 hours ago the SPAM filter has stopped ~80 messages, SPF ~ 1200.
Any more help or tips out there?

Neal

For starters stop bouncing undeliverable email
http://www.spamcop.net/fom-serve/cache/329.html

He might be blocking it coming in but he is not stopping any from going out. A lot reported just today.