Blocklist Help: (66.238.175.30)

[GSTVHenry]

Sometime on Wednesday, we got block listed by several companies including Spamcop. Senderbase report for 66.238.175.30 states:

Magnitude Vol Change vs. Last Month

Last day 3.7 337%

Last month 3.1

Below are the steps taken in an attempt to resolve the issue:

- Blocked smtp traffic on all machines except the MS 2003 SBS server. I tested that only the server that hosts exchange can get out on port 25.

- Logs on the Cisco ASA do not reveal anything relevant.

- Ran Spybot S&D, Malware Bytes, and Microsoft's Malware tool on all applicable machines (Macs and PCs). A few had a virus or 2 but nothing significant.

- Updated servers to the latest patches.

- We're not an open relay.

CBL states the following:

IP Address 66.238.175.30 is currently listed in the CBL.

It was detected at 2009-03-06 15:00 GMT (+/- 30 minutes), approximately 4 hours, 30 minutes ago.

It has been relisted following a previous removal at 2009-03-06 02:43 GMT

ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL eventually stop letting you delist it and you will have to contact us directly.

This is identified as the Ozdok/Mega-D spambot

You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers. Please see our recommendations on NAT firewalls

What perplexes me is that if I've blocked smtp traffic, how could a bot/trojan still continue to spam out?

Thanks in advance, I apologize for if I am lacking any detail. Thanks in advance...

[Derek T]

- Updated servers to the latest patches.

- We're not an open relay.

CBL states the following:

What perplexes me is that if I've blocked smtp traffic, how could a bot/trojan still continue to spam out?

Thanks in advance, I apologize for if I am lacking any detail. Thanks in advance...

Seems that you, or someone has manually de-listed this IP without solving the problem. IPis still spamming.

Report History:

Submitted: Fri, 06 Mar 2009 02:20:22 GMT:

Is it right that you won't come?

* 3918763291 ( 66.238.175.30 ) To: abuse[at]xo.com

Submitted: Wed, 04 Mar 2009 17:07:17 GMT:

Jimmy disappeared, any ideas why?

* 3915760034 ( 66.238.175.30 ) To: abuse[at]xo.com

Suggest you hire someone who has a clue, as you obviously don't.

[GSTVHenry]

I am aware that we are still having issues and this wasn't a request to remove me from the blocklist. I was merely hoping someone in the community would have an idea where I should continue the search for a solution. After making the changes above, I requested delisting, prematurely as I now see. Derek, I agree, I may not be the best person for the job but I desperately need assistance and anything would help.

[StevenUnderwood]

I am aware that we are still having issues and this wasn't a request to remove me from the blocklist. I was merely hoping someone in the community would have an idea where I should continue the search for a solution. After making the changes above, I requested delisting, prematurely as I now see. Derek, I agree, I may not be the best person for the job but I desperately need assistance and anything would help.

If you have confirmed that only the mail server can send mail from that address, have you checked that server for virii, malware, etc.?

The following is good since this is a dynamic host that should not be sending email direct to SMTP.

220 smtp.gstv.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at

Fri, 6 Mar 2009 18:24:50 -0500

helo underwood.spamcop.net

250 smtp.gstv.com Hello [68.116.173.51]

mail from: <underwood[at]spamcop.net>

250 2.1.0 underwood[at]spamcop.net....Sender OK

rcpt to: <thisisatest[at]gstv.com>

550 5.7.1 68.116.173.51 has been blocked by zen.spamhaus.org

rcpt to: <underwood[at]spamcop.net>

550 5.7.1 68.116.173.51 has been blocked by zen.spamhaus.org

quit

221 2.0.0 smtp.gstv.com Service closing transmission channel

Connection to host lost.

[GSTVHenry]

Thanks Steve,

I ran Malwarebytes, Spybot S&D, and Microsoft Malicious Tool on all our servers and the worst I found was a few cookies. Is anyone aware of a Mac spambot or Mac spambot checker? We run Sophos antivirus on the macs and everyone is up to date and clean. Something else of interest, the blocking of port 25 on the firewall occured [at] 11PM EST 3/05. The time in the evidence posted by Derek would fall around ~9:20PM EST 3/05. I also noticed that we have significantly dropped on Senderbase's score.

Magnitude Vol Change vs. Last Month

Last day 3.2 34%

Last month 3.1

[StevenUnderwood]

Sounds like you are on the right track... Are you able to see the firewall logs to determine if the machine is still trying to send?

[SpamCopAdmin]

It has been about nine hours since spam from 66.238.175.30 = smtp.gstv.com hit our system.

There are no internal hops at gstv.com in the headers. 66.238.175.30 is delivering the spam directly to us.

- Don D'Minion - SpamCop Admin -

.

[GSTVHenry]

Thank you SCadmin,

A friend who is a CCNP told me to alter my firewall rule around the same time because I had the source port 25.

Henry – you may want to change the ACL a bit to have the source port be any, with destination port 25:

Traffic should be sourced on a random port to a destination SMTP port; either way, you won’t need to get that specific if you’re trying to block outbound SMTP requests.

I understand that my goal should be finding the offending machine and it most definately is, I just wanted to close any other holes while I'm at it. The firewall change and the reasoning behind it has been added to my knowledgebase. Have any of you experienced Mac spambots, 60% of the company is macs and 75% of them are very ... inexperienced with the OS and safety measures? I don't want to overlook anything.

Thanks again all...

[turetzsr]

<snip>

Suggest you hire someone who has a clue, as you obviously don't.

...Huh? GSTVHenry looks to me (admittedly no expert!) like one of the most clueful, conscientious victimized admins who has posted here! Seems to me if he were as clueless as you suggest, Derek, there would be a lot more "try this obvious step" suggestions posted here than there have been. What gave you the impression otherwise?

[Miss Betsy]

If he can understand the advice from his friend, he is not entirely clueless! To me, it is one those sentences that is pure techie and totally unintelligible to anyone not a techie.

Since he still hasn't found the source, I am going to ask about a wireless router which has often been the culprit when everything else seems ok.

That's all I can offer.

Miss Betsy

[Derek T]

...Huh? GSTVHenry looks to me (admittedly no expert!) like one of the most clueful, conscientious victimized admins who has posted here! What gave you the impression otherwise?

The fact that de-listing had been requested in two BL's without first solving the problem. OK I was wrong and apologise as later postings show him/her to be much more clueful than the initial evidence suggested.

[SpamCopAdmin]

OK I was wrong and apologise as later postings show him/her to be much more clueful than the initial evidence suggested.

Just so there is no confusion...

The apology should be for making the rude and unnecessary comment in the first place, not for having been mistaken about the user's relative cluefulness.

- Don D'Minion - SpamCop Admin -

.

[Lking]

[sarcasm]Oh good[/sarcasm] we're going to have an other food fight among supporters of spamcop. Just what we need.

[Farelf]

[sarcasm]Oh good[/sarcasm] we're going to have an other food fight among supporters of spamcop. ...

No Lou, just some light relief. The whole notion of Don instructing Derek on good manners is simply too ludicrous for words.

[Miss Betsy]

Actually, IMHO, telling someone that they should hire someone is very good advice in some instances, although in this case it wasn't necessary.

People who run servers, like people who drive cars, should take lessons or should hire someone to drive them. People don't like to hear that they are clueless - particularly those who don't have the common sense to take lessons - and, often, have a defensive, angry attitude when their problem is not easily solved. Nevertheless, sometimes it is a good idea to call in an expert if one can admit that one is in over one's head.

Occasionally, we have had posters who were really clueless, but who haven't minded hearing that they were, explaining that their boss won't hire someone and is making them be the server admin. They are grateful for help.

This poster was obviously just using all the resources he could find, which is always a good thing. I hope he found the offending computer. I really have a lot of empathy with him because you can't predict what 'very...inexperienced' people might do! I wish I could tell him if there were botnets directed at Macs or how to guard against their inattention to security.

Miss Betsy

[GSTVHenry]

Not to interrupt the "food fight", we seem to be off all lists but one, they're asking for 50 pounds to remove us. Most mail is routing but we're still having a few issues with certain recipients:

#5.5.0 smtp;550 #5.7.1 Your access to submit messages to this e-mail system has been rejected.

We have our open 'guest' wireless on Comcast broadband while our corporate wireless is authenticated via WPA-2 using AES on a different ISP.

I remember reading something in the FAQ's that this isn't caused by Spamcop and I'm checking PTR records w/ our ISP. I'm going to check w/ some of the recipients' ISPs also.

Thanks for all the help gang. Derek is right in some points, I have a bit to learn.

[rconner]

Have any of you experienced Mac spambots, 60% of the company is macs and 75% of them are very ... inexperienced with the OS and safety measures? I don't want to overlook anything.

Well, I'll try to wade in, this will be more of a quick brain dump than a comprehensive guide...

I am a long-time Mac user, but I admit I have not worked with Macs in an institutional networking environment (my office is an M$ shop) and have not had to do a lot of hand-holding for Mac users (except occasionally for my Mom). That said, I'm not aware of any mac-specific infestations that work in quite the same way as the garden-variety Windows bot kits. In fact, I'm not aware of any virus-like malware that has managed to thrive "in the wild" on OS X (yes, there are periodic announcements of "proofs of concept," but these never seem to materialize as actual threats). This may be due somewhat to the virtues of Mac OS X (which is based on BSD, a pretty secure OS), but probably mostly to the fact that Macs constitute a small minority of systems online, and would require a significantly different skill set in order to crack.

Weak passwords may be a more significant problem on macs, allowing outside intruders to enter via IP services (FTP, telnet/ssh, etc.). An intruder who is successful would inherit all privileges associated with the account he has cracked. I believe you could set up a password-enforcement mechanism to require users to make up complex passwords and change them often.

Usually, new out-of-the-box Macs do not expose a lot of unnecessary IP ports, but it is possible that users could turn some of these on (e.g., for instant messaging, web sharing with outside computers, etc.). Some systems may have open ports for obscure or obsolete services like AppleTalk.

Macs, like most Unix boxes, keep good logfiles, these may bear occasional examination (particularly the "secure" and "system" logs). This could be done via an administrator ssh connection or the like.

The famous Unix "least-privileges" principle may also apply here. When you set up a new Mac, you first create a single administrator-level user account, but this does not have to be the only account on the box (nor do other accounts have to be given full admin privileges). Users should have their level of access limited to what they actually require in order to do their work, and their access to tools like "sudo" should probably be strictly limited. This way, even if their accounts are compromised by poor password security, the damage can be limited.

Hope this helps,

-- rick

[GSTVHenry]

Thanks Rick,

We set up separate Admin accts from User accts and other than the extreme annoyance of them harassing me for every update, printer install, etc, things are fine there. We also have a default image so if their system is acting up too much, it's reimage time. Now if only M$ gave us a decent email system instead of Entourage I'd be a happy camper.

[rconner]

Now if only M$ gave us a decent email system instead of Entourage I'd be a happy camper.

If the reason you use Entourage is to be compatible with MS Exchange, I think that Apple Mail is also Exchange-compatible at least to some extent.

-- rick

[Farelf]

Not to interrupt the "food fight", we seem to be off all lists but one, they're asking for 50 pounds to remove us. ...

I have been keeping an occasional eye on the 139 (or whatever) BLs reported by Robtex - http://www.robtex.com/ip/66.238.175.30.html - and, apart from SC and CBL never saw you listed in any others according to that extensive source. Which raises two points: whoever is listing you must quite minor, and there has to be a possibility it is simple extortion they are trying (that is, their listing criterion might be no more than keeping an eye open for likely victims appearing on major BLs). I think you should investigate their credentials, could be that law enforcement somewhere might be interested.