mark.perkins

New to Spamcop...big problem


Hello...I am the SysAdmin at a Japanese BioChemical Co. in Missouri. Somehow we have been blacklisted by SpamCop and it is causing a major disruption to our business. I have gone through the steps to get my IP removed but it hasn't helped at all.

I run Exchange 2000 and we have never been an open relay or a spammer. I even hired a third party to come in and audit my systems and they found no security holes.

We are hosted by an ISP in St. Louis but I maintain my own mailserver. I recently had them make a Reverse Look Up entry but SpamCop is not seeing my DNS data.

Can anyone help me get unblocked? I don't know how SpamCop got our information or why.

Thanks,

Mark


What is the IP address of your server that you believe has been listed?

Without knowing the IP address I can only suggest that you take a look at your logs and look for suspect activity. Exchange servers have been the target of spammers looking to compromise weak passwords specifically on role and default accounts. You'll want to make sure *ALL* your user passwords are non-trivial.

Edited by Chris Parker


Please post the allegedly listed IP address or the reject message in full. No-one here can help you without that information. FWIW you'd be amazed at the number of people who come here claiming that their security is watertight only to find that their server really is spewing spam. ATM the SMTP/Auth exploit is the usual culprit. Did you disable that handy (for spammers) default guest account that is a 'feature' of the M$ servers? See Eric23's thread for more info! His case was very typical - at least you didn't come in here all guns blazing, so welcome and good luck in sorting this out.

I run Exchange 2000 and we have never been an open relay or a spammer.  I even hired a third party to come in and audit my systems and they found no security holes.

Still, it might be worth your time to look at SC FAQ item 372.


Your message did not reach some or all of the intended recipients.

Subject: Cartridge Numbers...

Sent: 6/1/2004 12:39 PM

The following recipient(s) could not be reached:

Kevin Rhoads (E-mail) on 6/1/2004 12:39 PM

The destination system is currently not accepting any messages. Please retry at a later time. If that fails, contact your system administrator.

<galaxy.biokyowa.com #5.3.0 smtp;553 5.3.0 <krhoads[at]insight.com>... Rejected - Forward error to your tech team or call your Insight contact - See http://spamcop.net/w3m?action=checkblock&ip=216.114.75.99 to fix your mail server.>

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 216.114.75.99 is galaxy.biokyowa.com but galaxy.biokyowa.com has no DNS information

Listing History

In the past 16.1 days, it has been listed 11 times for a total of 11.2 days

Other hosts in this "neighborhood" with spam reports

216.114.74.102

Those spamtrap hits are bad news. Email deputies <at> spamcop <dot> net for further information. We mere mortals are not privy to this.


Here are some headers (lightly munged) from a spam posted to news.admin.net-abuse.sightings dated May 31, 2004:

From imagesavogadro[at]comcast.net  Mon May 31 10:29:15 2004
Return-Path: <imagesavogadro[at]comcast.net>
X-Original-To: x
Received: by kalyani.oryx.com (Postfix, from userid 1005)
   id 0A3D51BDE7C; Mon, 31 May 2004 10:29:15 +0200 (CEST)
Received: from galaxy.biokyowa.com (unknown [216.114.75.99])
   by kalyani.oryx.com (Postfix) with ESMTP id A48311BDE23
   for <x>; Mon, 31 May 2004 10:29:13 +0200 (CEST)
Received: from mermaid ([61.11.53.6]) by galaxy.biokyowa.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 31 May 2004 03:29:09 -0500
From: "Etta Lee" <imagesavogadro[at]comcast.net>
To: x
Subject: CIAL`1S & LEVI`TRA is the  ANT1-Imp0tence drug to win apprOval from the U.S.A F0Od and Drug ADM1NISTRAT10N
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <GALAXYI9YVl3V55pRoW0005995d[at]galaxy.biokyowa.com>
X-OriginalArrivalTime: 31 May 2004 08:29:12.0047 (UTC) FILETIME=[59C2A7F0:01C446E9]
Date: 31 May 2004 03:29:12 -0500

Edited by Spambo

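The way the posters above read those headers is worth making mechanical: Received lines are stamped top-down by each relay, so the lowest line that says "by galaxy.biokyowa.com" is the hop where the message entered that server, and the bracketed client IP in it was recorded by the server itself rather than supplied by the sender. The following script is an added example and not code from the thread; it embeds the Received chain quoted above (with the poster's [at]-munging kept) as constructed sample input, and the LAN ranges it treats as internal are an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the Received chain quoted in the thread above, with the
# same [at]-munging the poster used. Only the Received hops matter here.
SAMPLE_HEADERS = """\
Return-Path: <imagesavogadro[at]comcast.net>
Received: by kalyani.oryx.com (Postfix, from userid 1005)
   id 0A3D51BDE7C; Mon, 31 May 2004 10:29:15 +0200 (CEST)
Received: from galaxy.biokyowa.com (unknown [216.114.75.99])
   by kalyani.oryx.com (Postfix) with ESMTP id A48311BDE23
   for <x>; Mon, 31 May 2004 10:29:13 +0200 (CEST)
Received: from mermaid ([61.11.53.6]) by galaxy.biokyowa.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 31 May 2004 03:29:09 -0500
From: "Etta Lee" <imagesavogadro[at]comcast.net>
Message-ID: <GALAXYI9YVl3V55pRoW0005995d[at]galaxy.biokyowa.com>
"""

# Assumed internal address space for the site; anything else counts as external.
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# "Received: from <helo> (<comment>) by <host> ..." with the from-part optional,
# which covers the Postfix "Received: by ... (Postfix, from userid ...)" local hop.
HOP_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*)?by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_hops(raw):
    """Return the Received hops top-down (newest first): HELO name, bracketed client IP, receiving host."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by").lower(),
        })
    return hops


def find_injection_hop(raw, my_host):
    """The hop where the message entered my_host: the lowest Received line stamped
    'by my_host'. Everything below that line came from the client and may be forged;
    the client IP in this hop was written by my_host itself, so it can be trusted."""
    for hop in reversed(parse_hops(raw)):
        if hop["by"] == my_host.lower():
            return hop
    return None


def classify_client(ip):
    """'internal' if the submitting IP falls in the assumed LAN ranges, else 'external'."""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in LAN_NETS) else "external"


if __name__ == "__main__":
    hop = find_injection_hop(SAMPLE_HEADERS, "galaxy.biokyowa.com")
    print(hop, classify_client(hop["ip"]))
```

On the sample the injection hop is the one from "mermaid" at 61.11.53.6, an external address submitting through the Exchange SMTP service, which is exactly the pattern an authenticated-relay abuse leaves behind. Run over a mailbox of bounced or reported messages, the script gives the list of client IPs and times to match against the server's own SMTP logs.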

Looks like the server is sending mail to spam traps.

Are you currently running AV software on the server? You'll want to disable virus notification if it's on. Most current viruses send from forged email addresses, so notifications of infection don't actually go to those infected.

I'm guessing that some account has been compromised. Check your logs.

Received: from mermaid ([61.11.53.6]) by galaxy.biokyowa.com with Microsoft SMTPSVC(5.0.2195.6713);
   Mon, 31 May 2004 03:29:09 -0500

Yikes! 61.11.53.6 is a pretty nasty little machine.

Edited by Chris Parker

216.114.75.99 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Spamtraps are bad news and will not generate a report to an abuse desk. If you are the administrator for that IP address, you will need to contact deputies<at>spamcop.net to get details about what is hitting the spamtrap addresses. Usual problems are auto replies, virus notifications or non-delivery notifications sent to the easily forgeable envelope sender. Another possibility is an undetected security problem.

Reports for normal spam reports would go to the following addresses. They should have information on some of the problems.

Reporting addresses:

postmaster[at]primary.net

abuse[at]primary.net

Third parties interested in reports:

abuse[at]savvis.net

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 216.114.75.99 is galaxy.biokyowa.com but galaxy.biokyowa.com has no DNS information

It is not the rDNS with the problem, it is the forward DNS (name to IP) that is not resolving. Many servers worldwide will reject mail from this server because of this problem.

Listing History

In the past 16.1 days, it has been listed 11 times for a total of 11.2 days

This shows there is definitely something going on with that IP address.

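The "has no DNS information" line above is the second half of a forward-confirmed reverse DNS (FCrDNS) check: the PTR record for the address resolves to a name, but that name has no A record pointing back, so receiving servers cannot confirm the name and many reject on that basis. The following script is an added example, not part of the thread; it uses a constructed lookup table that reproduces the situation reported here (PTR present, forward record missing) plus two made-up hosts, and it also carries a live-resolver variant built on the standard socket module for use against a real host.

```python
import socket

# Constructed DNS data. The first entry mirrors the thread: the PTR exists but the
# name it points to has no A record. The other two are made-up healthy/mismatched hosts.
FAKE_PTR = {
    "216.114.75.99": "galaxy.biokyowa.com",
    "198.51.100.10": "mail.example.net",
    "203.0.113.5": "mx.example.org",
}
FAKE_A = {
    "mail.example.net": ["198.51.100.10"],
    "mx.example.org": ["203.0.113.99"],  # forward points elsewhere: mismatch
}


def table_ptr(ip):
    """Reverse lookup against the constructed table."""
    if ip not in FAKE_PTR:
        raise LookupError(ip)
    return FAKE_PTR[ip]


def table_a(name):
    """Forward lookup against the constructed table."""
    if name not in FAKE_A:
        raise LookupError(name)
    return FAKE_A[name]


def live_ptr(ip):
    """Real reverse lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:  # socket.herror is an OSError subclass
        raise LookupError(ip) from exc


def live_a(name):
    """Real IPv4 forward lookup through the system resolver (not used by the offline demo)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError as exc:  # socket.gaierror is an OSError subclass
        raise LookupError(name) from exc


def fcrdns_check(ip, resolve_ptr=table_ptr, resolve_a=table_a):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, then A(name) must include ip.
    Returns a dict whose 'status' is one of ok / no-rdns / no-forward / mismatch."""
    result = {"ip": ip, "ptr": None, "forward": []}
    try:
        result["ptr"] = resolve_ptr(ip)
    except LookupError:
        result["status"] = "no-rdns"      # no PTR at all
        return result
    try:
        result["forward"] = resolve_a(result["ptr"])
    except LookupError:
        result["status"] = "no-forward"   # the "has no DNS information" case from the listing page
        return result
    result["status"] = "ok" if ip in result["forward"] else "mismatch"
    return result


if __name__ == "__main__":
    for addr in FAKE_PTR:
        print(fcrdns_check(addr))
    # Against real DNS: fcrdns_check("<your server IP>", live_ptr, live_a)
```

The fix for the "no-forward" outcome is on the forward zone (an A record for the name the PTR returns), not on the reverse delegation the ISP already added; the check is worth re-running after the zone change propagates.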

Well spam with the subject "CIAL1_S & LEVIT_RA : DOCT0R & FDA a'pproval !" was sent through your server. So if you are not selling illegal meds then someone has hacked your server.

You should close the loopholes on your server.

Whoever looked at it missed something. Most likely someone actually logging in to the Guest account to send/relay their mail or hacked a user password.

Probably an SMTP Auth Hack.

You are getting listed in other blocklists also.

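Several replies in this thread point at the same diagnosis (a default or weak account used for authenticated submission from outside) and the same advice: check the logs. The script below is an added example, not something posted in the thread, showing what that check looks like over per-command SMTP log lines. The log lines are constructed and their field layout (date, time, client IP, authenticated user, SMTP verb, argument, status code) is an assumption for the demo rather than the exact W3C column set of the Exchange 2000 SMTP service; adjust the column positions in parse_log to match a real log header.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; a successful AUTH from anywhere else is a finding here.
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
# Accounts that should never be submitting mail at all.
ROLE_ACCOUNTS = {"guest", "administrator", "postmaster"}

# Constructed log lines, one per SMTP command. Assumed layout:
# date time c-ip cs-username cs-method cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-06-01 03:12:05 61.11.53.6 guest AUTH LOGIN 235
2004-06-01 03:12:06 61.11.53.6 guest MAIL FROM:<imagesavogadro@example.net> 250
2004-06-01 03:12:06 61.11.53.6 guest RCPT TO:<victim1@example.org> 250
2004-06-01 03:12:07 61.11.53.6 guest MAIL FROM:<imagesavogadro@example.net> 250
2004-06-01 03:12:07 61.11.53.6 guest RCPT TO:<victim2@example.org> 250
2004-06-01 03:15:40 203.0.113.77 guest AUTH LOGIN 235
2004-06-01 03:15:41 203.0.113.77 guest MAIL FROM:<imagesavogadro@example.net> 250
2004-06-01 09:02:11 192.168.1.25 mperkins AUTH LOGIN 235
2004-06-01 09:02:12 192.168.1.25 mperkins MAIL FROM:<mperkins@example.com> 250
2004-06-01 09:02:12 192.168.1.25 mperkins RCPT TO:<partner@example.org> 250
"""


def parse_log(text):
    """Yield one record per command line; '#' directive lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue
        date, time, c_ip, user, method, query, status = parts
        yield {"ts": f"{date} {time}", "ip": c_ip, "user": user,
               "method": method.upper(), "query": query, "status": int(status)}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze(text, max_mails_per_user=100):
    """Aggregate authenticated sessions per account and flag the suspicious ones.
    Returns {user: {"auth_ips", "external_ips", "mail_count", "first", "last", "reasons"}}."""
    per_user = defaultdict(lambda: {"auth_ips": set(), "external_ips": set(),
                                    "mail_count": 0, "first": None, "last": None})
    for rec in parse_log(text):
        if rec["user"] == "-":
            continue  # unauthenticated session; relay policy, not credentials, governs it
        u = per_user[rec["user"]]
        u["first"] = u["first"] or rec["ts"]
        u["last"] = rec["ts"]
        if rec["method"] == "AUTH" and rec["status"] == 235:   # 235 = authentication succeeded
            u["auth_ips"].add(rec["ip"])
            if not is_internal(rec["ip"]):
                u["external_ips"].add(rec["ip"])
        elif rec["method"] == "MAIL" and rec["status"] == 250:  # one accepted message
            u["mail_count"] += 1

    findings = {}
    for user, u in per_user.items():
        reasons = []
        if user.lower() in ROLE_ACCOUNTS:
            reasons.append("role-account-used-for-submission")
        if u["external_ips"]:
            reasons.append("auth-from-external-ip")
        if u["mail_count"] > max_mails_per_user:
            reasons.append("high-volume")
        if reasons:
            findings[user] = {**u, "auth_ips": sorted(u["auth_ips"]),
                              "external_ips": sorted(u["external_ips"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, f in analyze(SAMPLE_LOG).items():
        print(user, f["reasons"], f["external_ips"], f["mail_count"], f["first"], f["last"])
```

On the sample the "guest" account is flagged twice (a role account, authenticating from two external addresses) while the staff account from the LAN is not; the first/last timestamps give the window to compare against the spam trap hits that deputies report back.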

I am confident that I was the victim of an SMTP/AUTH hack. I have forced a company wide password change and implemented complex passwords. I also deleted all unnecessary accounts. My mail server seems to be working more normally and my badmail folder is not filling up like it was.

I didn't think I was relaying spam and was really pissed at first that my IP was blacklisted, but this service has helped me immensely by forcing me to look at issues I would have normally overlooked.

I never thought I would say this, but "thanks, Spamcop."

Mark Perkins, M.S., MCSE, A+

Sys Admin

BioKyowa, Inc.

I never thought I would say this, but "thanks, Spamcop."

And many world-wide would now say "Thank You!" What a wonderful conclusion to this situation.


Okay spoke too soon. Was unblacklisted this morning and now I am blacklisted again. This is getting ridiculous. I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

I forced all users to change passwords and enforced password complexity.

I am running Symantec Antispam for Exchange 2000.

I turned off NDR's and virus reports.

We are virus free.

What else???

Please help.

I can now see why Ironport/Spamcop is getting sued. This stifles commerce for a lot of legitimate businesses. And it should work like our justice system...it's better for one hundred guilty to go free than to put one innocent man in jail.

Spamcop has busted a cap in my ass,

Mark

(Yes, Kyowa is a great company!)


You need to find out why you are blacklisted. Have you emailed deputies<at>spamcop.net? Have you received any replies?

If it is an SMTP/AUTH hack, it is very possible the hacker/spammer opened back doors into your system.

I have forced a company wide password change and implemented complex passwords.

Have all of the passwords been changed already? Have you confirmed they are different?

Can you monitor port 25 coming from that machine to see what is coming through the machine?

These are just some of the things you need to do. Perhaps hire a qualified security company to do a complete audit on your system, and mention the blacklisting.

How you can praise spamcop when you are no longer listed and slam them again because the same thing happened again is beyond me.

Okay spoke too soon.  Was unblacklisted this morning and now I am blacklisted again.  This is getting ridiculous.  I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

I forced all users to change passwords and enforced password complexity.

I am running Symantec Antispam for Exchange 2000.

I turned off NDR's and virus reports.

Could possibly just be a late report coming in from someone. I'd suggest that you drop a note to deputies <at> spamcop.net before jumping to any conclusions.

I can now see why Ironport/Spamcop is getting sued.  This stifles commerce for a lot of legitimate businesses.  And it should work like our justice system...it's better for one hundred guilty to go free than to put one innocent man in jail.

You should look at the reputation of the person who filed the complaint. A well known spammer.

What stifles commerce is when I have to deal with (without filtering) 1000's of spam messages a day. If the ratio were 1:100 then I would agree with you. The ratio of false positives to spam that I see on the mail servers that I manage is in the neighborhood of 1:100,000.

... I thought I had the problem solved ...

Noted, you "thought" the problem was under control but your tone suggests you're unsure.

I can now see why Ironport/Spamcop is getting sued.  This stifles commerce for a lot of legitimate businesses.  And it should work like our justice system...it's better for one hundred guilty to go free than to put one innocent man in jail.

First, your server is not innocent. Your server HAS been used to spam people.

Spamcop has busted a cap in my ass,

SpamCop did NOTHING except CORRECTLY list 216.114.75.99 as the source of spam its users are/were receiving. If you want to blame anyone then blame the spammers - and the admin who allowed the mail server to be used by spammers in the first place.

Okay spoke too soon.  Was unblacklisted this morning and now I am blacklisted again.  This is getting ridiculous.  I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

This only implies that the mathematical formula came into play. Your server dropped below the threshold of spam/spamtrap traffic vice "total traffic seen" ... Actual listing runs from a minimum of a half-hour to a maximum of 48 hours "after the spew stops" ... That it's listed again suggests that the spew hasn't stopped.

I forced all users to change passwords and enforced password complexity.

I am running Symantec Antispam for Exchange 2000.

I turned off NDR's and virus reports.

We are virus free.

What else???

Anti-virus software only looks for certain types of issues. You may have a system infected with a Trojan that isn't actually qualified as a "virus" ... as already suggested, you may not have actually shut out the spammer from using your server. Also suggested has been the note to Deputies <at> admin.spamcop.net for possible details of the spamtrap data that may offer a bit more of a clue as to what and where to look for the problem.

I can now see why Ironport/Spamcop is getting sued.  This stifles commerce for a lot of legitimate businesses.  And it should work like our justice system...it's better for one hundred guilty to go free than to put one innocent man in jail.

You really need to research the players involved. A small clue may be that the same idiot suing IronPort/SpamCop is also being sued by Microsoft and Yahoo for his spam spew.


Sorry guys. I was very frustrated yesterday. I do see the positive side here. I will eventually get my hole patched and ultimately will have to thank SpamCop for helping me increase my security and stop the spam. I just had to vent a little.

I have enabled auditing success on my mail server. Do you think this will help track down the account being used?

Also, I was thinking maybe I have a trojan somewhere on my network. Is it likely my problem could be an infected workstation?

What back doors could have been opened?

I greatly appreciate everyone's help. Please don't think I am ungrateful.

Mark


Well, where to begin??

If your server is 216.114.75.99

Then Alan Ralsky has taken control of it. Very sad because you will be blocked everywhere on the web sooner or later.

You should check further and get legal help after you purge your server. He probably created a bunch of accounts to use.

Here is a spam that went through your system on May 31st

Click here for the spam

If you look up the spamvertised site: http://schemata.mxcnj.com/at

Query : schemata.mxcnj.com

Official Name = schemata.mxcnj.com

Addresses = 61.233.138.58

You can trace this to Alan Ralsky here:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL15138

or here:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL16037

He must think everyone has a small penis like him because he keeps trying to push his penis pills.

Like I stated above, your server is compromised and he has more control of it than you do. You might want to call the FBI, after all your system has been hacked. There is plenty of info in Google about your hacker/spammer. He is rated as one of the world's worst spammers.

Keep us posted.

Good Luck.

For more info here is the invalid whois record:

Registrant:

Huang GuiFang

#101 Unit 1 NO.12 Century Garden , Long cheng Str. Shun Cheng district 113006

Administrative Contact:

Huang GuiFang

Huang GuiFang

#101 Unit 1 NO.12 Century Garden , Long cheng Str. Shun Cheng district

Shun Cheng Liaoning 113006

China

tel: 86 413 7480040

fax: 86 413 7480040

huangjack1[at]126.com

Technical Contact:

Huang GuiFang

Huang GuiFang

#101 Unit 1 NO.12 Century Garden , Long cheng Str. Shun Cheng district

Shun Cheng Liaoning 113006

China

tel: 86 413 7480040

fax: 86 413 7480040

huangjack1[at]126.com

Billing Contact:

Huang GuiFang

Huang GuiFang

#101 Unit 1 NO.12 Century Garden , Long cheng Str. Shun Cheng district

Shun Cheng Liaoning 113006

China

tel: 86 413 7480040

fax: 86 413 7480040

huangjack1[at]126.com

Registration Date: 2004-05-20

Update Date: 2004-05-20

Expiration Date: 2005-05-20

Primary DNS: ns1.nicreffer.com 202.104.234.83

Secondary DNS: ns0.nicrefer.com 219.153.1.230

Well, where to begin??

Get hold of some linux distro disks and wave goodbye to Exchange once and for all?

;)


Hey guys...how about this? After talking to a security expert at a hosting facility, he informed me that pretty much the only way to stop the SMTP AUTH attack is to only allow IP addresses on your internal LAN to send mail. I implemented this and will watch it for a day and if I am still relaying then it has to be coming from inside my network.

Please tell me if I am on the right track, or if anyone has tried this.

Thanks,

Mark


I don't run Exchange, so can not comment on more than it seems a logical step to take. The only time you should want external IPs sending email would be travelling users.

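The relay change described in the last two posts can be stated as a per-recipient decision: mail for the server's own domain is always accepted from anyone, relaying to outside domains is allowed only for clients on the internal LAN, and a successful login on its own no longer earns the right to relay (which is what the SMTP AUTH abuse relied on). The code below is an added example, not the poster's configuration or anything from Exchange; the local domain is taken from the thread, and the LAN range and the "travelling users arrive through a VPN address inside that range" assumption are mine. It keeps the old policy beside the new one so the difference is visible on the same input.

```python
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"biokyowa.com"}            # domain from the thread; assumed to be the only local one
LAN_NETS = [ip_network("192.168.0.0/16")]   # assumed internal range (VPN clients assumed to land here too)


def is_lan(ip):
    return any(ip_address(ip) in net for net in LAN_NETS)


def relay_decision(client_ip, authenticated, rcpt, auth_grants_relay):
    """Decide one RCPT TO. auth_grants_relay=True is the original policy (any
    authenticated session may relay anywhere); False is the policy the poster switched
    to (relay only from LAN addresses; credentials alone are not enough)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept-local-delivery"   # inbound mail for our own users, from anyone
    if is_lan(client_ip):
        return "relay"                   # internal workstation sending outbound mail
    if authenticated and auth_grants_relay:
        return "relay"                   # the hole: a stolen password relays from anywhere
    return "reject-relaying-denied"


def compare_policies(sessions):
    """Run constructed (client_ip, authenticated, rcpt) sessions through both policies
    and return the ones whose outcome changes, so the effect of the switch is explicit."""
    changed = []
    for client_ip, authenticated, rcpt in sessions:
        before = relay_decision(client_ip, authenticated, rcpt, auth_grants_relay=True)
        after = relay_decision(client_ip, authenticated, rcpt, auth_grants_relay=False)
        if before != after:
            changed.append((client_ip, rcpt, before, after))
    return changed


# Constructed sessions: the external client from the thread's headers using stolen
# credentials, a LAN workstation, and an outside sender delivering to a local user.
SAMPLE_SESSIONS = [
    ("61.11.53.6", True, "victim@example.org"),
    ("192.168.1.25", False, "partner@example.org"),
    ("203.0.113.5", False, "krhoads@biokyowa.com"),
]

if __name__ == "__main__":
    for row in compare_policies(SAMPLE_SESSIONS):
        print(row)
```

Only the first session changes outcome: the external authenticated client that used to be relayed is now refused, while LAN submission and inbound local delivery are untouched. The remaining question the poster raises, whether spew continues after the change, is answered by the client IPs still appearing in the logs: if they are inside the LAN range, the problem has moved to an internal machine.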
