NAT Listed - 22.214.171.124 (How does POP3 affect this)
Posted 25 January 2007 - 11:11 AM
Posted 25 January 2007 - 12:02 PM
So I guess the obvious follow up question is this:
What SMTP server are your remote users sending through? If they are using SMTP to connect to your mail server and send mail, then yes, those messages are going to reflect on your IP address. On the other hand, if they have their ISP's mail server set up for outbound mail, then messages they send will reflect on those servers.
Currently that address is not showing as listed, so there is no way for me to know if it was listed for spamtrap hits only, or if there are reports available for it. I'm certain a paying member will be by shortly and be able to post any actual user reports against that address.
An IP Trace on 126.96.36.199 shows that any reports are being routed to abuse[at]uslec.com. Are you receiving copies of these reports? If not, have you contacted the person responsible for this address to find out why you are not receiving copies of these reports?
Senderbase shows current traffic around 1000 outgoing messages per day. Does this sound about right?
Do any of your users INSIDE your network use port 25 to connect to offsite SMTP servers? If not, then you should configure your firewall to block all outgoing traffic on port 25 except that which originates from one of your mail servers, as workstations should never be trying to send mail directly to a destination server; it should always be relayed through a mail server of some type.
Edited by Telarin, 25 January 2007 - 12:04 PM.
Galveston Insurance Associates
Posted 25 January 2007 - 12:30 PM
You are, though, listed in cbl.abuseat.org
I can only identify one user report for today:
Submitted: Thu, 25 Jan 2007 08:11:37 GMT:
Software At Low Pr1ce
Certainly looks like spam. I know your Network Admins say the system is secure but there are many things it could be that you haven't mentioned. For example, a common exploit for Exchange servers is the SMTP AUTH exploit (See http://www.spamcop.n.../cache/372.html ).
So there could be other avenues to investigate.
All comments in these forums are from users offering help to other users unless the user explicitly identifies themselves as SpamCop staff.
To contact SpamCop staff Email service[at]admin.spamcop.net
Posted 25 January 2007 - 01:00 PM
Thanks for the input guys.
A common exploit for Exchange servers is the SMTP AUTH exploit (See http://www.spamcop.n.../cache/372.html ).
As of 12:40PM today we are not on a blacklist. I used http://www.mxtoolbox.com to search for our IP and it has been coming back clean. (I also checked the CBL site.) However, this happened at times during the last two business days and we always seem to end up back on a list at some point (CBL, Spamhaus or SpamCop).
At the moment, I am running McAfee's Stinger + Panda Software's free online scanner on the local Exchange servers even though we have Symantec Mail Security and Symantec Antivirus running. Shot in the dark but maybe Symantec is unable to detect the virus/mailer locally.
I am also looking into the SMTP exploits.
Our Administrator password is fairly complex but we will look to change this as well.
It is frustrating to me that our network admin is unable to provide me with additional leads. I appreciate any other support or leads you can provide.
Posted 25 January 2007 - 01:25 PM
Galveston Insurance Associates
Posted 25 January 2007 - 01:34 PM
I am downloading the program now and will check back in a while.
Another recent thread was posted by someone experiencing similar problems. They said they used a program called "Ethereal" to monitor traffic and were able to find the problem computer.
Any other input appreciated.
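Added example, not part of any post in this thread: a sketch of the check suggested above (only mail servers should open outbound port 25) combined with the traffic-monitoring idea, run over gateway connection logs to name the workstation sending mail directly. The LAN range, mail server address, log prefix and all log lines are constructed assumptions in an iptables-style LOG format.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): LAN range, mail server address, and
# iptables-style LOG lines for new outbound TCP connections at the gateway.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVERS = {ip_address("192.168.1.10")}

# Constructed sample log lines (documentation address ranges for the Internet side).
SAMPLE_LOG = """\
Jan 25 08:11:02 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=3301 DPT=25
Jan 25 08:11:37 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1042 DPT=25
Jan 25 08:11:38 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.88 PROTO=TCP SPT=1043 DPT=25
Jan 25 08:11:39 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.140 PROTO=TCP SPT=1044 DPT=25
Jan 25 08:12:05 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.25 PROTO=TCP SPT=2210 DPT=110
Jan 25 08:15:51 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=4120 DPT=25
Jan 25 08:19:30 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 PROTO=TCP DPT=25
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def direct_smtp_senders(log_text, lan=LAN, mail_servers=MAIL_SERVERS):
    """Return {source_ip: {"connections": n, "destinations": set}} for LAN hosts,
    other than the mail servers, that opened TCP/25 to an address outside the LAN."""
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # POP3 (110) and other traffic is not outbound mail delivery
        try:
            src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if src not in lan or src in mail_servers or dst in lan:
            continue  # the mail server is expected to talk SMTP to the Internet
        entry = hits.setdefault(str(src), {"connections": 0, "destinations": set()})
        entry["connections"] += 1
        entry["destinations"].add(str(dst))
    return hits


if __name__ == "__main__":
    found = direct_smtp_senders(SAMPLE_LOG)
    for host, info in sorted(found.items(), key=lambda kv: -kv[1]["connections"]):
        print(f"{host}: {info['connections']} direct SMTP connections "
              f"to {len(info['destinations'])} distinct servers")
```

A workstation that contacts many distinct outside mail servers on port 25 is the machine to pull off the network and scan first; the same addresses are the ones the egress firewall rule would have blocked.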