mark.perkins

New to Spamcop...big problem


Good Luck.

Depending on how insecure your machine was before it was hacked, it "might" work, but that machine has been compromised and you do not know what password was compromised. That machine could be under his control more than yours. What will stop him from logging in as a user? Then it would be local to that machine and under his power to do with what he wants.

That machine needs every user audited and you should turn off all services that can be used over the web/TCP.

In essence you really don't know how they got in or are getting in.

If this is a corporate machine, then you should order a new machine, load what you need on it, get the latest patches, secure it and secure it good, then replace the users one at a time and check to see that each user is actually part of your network, then replace your hacked animal.

Lack of security got you into this position. You should have learned your lesson, and if you have not learned anything, then the next time it will be worse.

This is not a sit and "wait and see what happens" episode.

Edited by Merlyn

Okay, spoke too soon. Was unblacklisted this morning and now I am blacklisted again. This is getting ridiculous. I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

I forced all users to change passwords and enforced password complexity.

216.114.75.99 delisted on Wednesday morning and then relisted Wednesday afternoon because more spam was relayed to traps.

As someone else mentioned, see http://www.spamcop.net/fom-serve/cache/372.html. According to dsbl.org, they relayed through your server authenticating as "administrator". You probably have/had a weak, default or non-existent password on that account.

We've seen no new spam for 27 hours, so I trust that your shutting down authentication has solved the problem. Based on that, I've delisted your server.

If you turn authentication back on, make sure to check your administrator and all default accounts and make sure the guest account is disabled.

Richard


Like I said, with administrator privileges to this machine, it cannot be trusted. No telling what has been done to this server.


Everything here is looking good so far. Just for the record, I did not have a weak Administrator password (12 chars, complex password). I have, however, had the same admin password for a long period of time. It was probably a brute force attack that eventually guessed my password that allowed the SMTP/AUTH hack. I have since changed my admin password.

I did configure my Exchange server to only allow users on my LAN to send mail and it seems to have corrected the problem.

My outgoing mail queues are clean. My bad mail folder is empty. I'm not on the blacklist and the hard drive LEDs on my mail server are no longer lit up like a Christmas tree.

It's time for a Corona!

This has been a great learning experience for me regarding mail security. Thanks to everyone who helped me. I really appreciate it. I hope everyone out there has a spam free day!

Mark


Just because they authenticated a mail transmission as "administrator" does not mean they gained administrator access to the machine. The account "administrator" in Exchange and "administrator" in W2000/XP are not the same account, are not accessed the same way, and do not necessarily allow them to create users and do other nefarious deeds in the guts of the system.

Richard


Merlyn,

Please give me more details. You seem adamant that I am still compromised. How could I check? What clues should I look for?

Thanks,

Mark

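Mark's question above (what to check, what clues to look for) is the kind of thing a log triage script answers. The following is an added example, not code from the forum, from Mark, or from Exchange. It parses a simplified, space-separated SMTP protocol log whose field order is assumed for illustration (a real Exchange/IIS SMTP log has more columns, so FIELDS would need adjusting) and flags the three signals this thread describes: a burst of AUTH failures from one source (password guessing), a successful AUTH as a privileged or default account from outside the LAN, and accepted RCPT commands from outside the LAN to non-local domains (relaying). The sample log lines, the LAN range and the local domain are constructed.

```python
"""Triage an SMTP protocol log for the AUTH-relay abuse pattern discussed
in this thread.  Added example, not code from the forum or from Exchange.
The log format is a simplified, space-separated layout assumed for
illustration (field order in FIELDS); a real Exchange/IIS SMTP log has
more columns, so adjust FIELDS before pointing this at one."""
import ipaddress
from collections import Counter

# Assumed field order per line: date time c-ip cs-username cs-method cs-uri-query sc-status
FIELDS = ["date", "time", "c_ip", "user", "verb", "arg", "status"]

# Accounts that should never be used for SMTP AUTH from the Internet.
PRIVILEGED = {"administrator", "admin", "guest"}

# Constructed sample log: five failed AUTHs from one Internet host, then a
# successful AUTH as "administrator" and two relayed recipients; one
# legitimate LAN user; one ordinary inbound message to the local domain.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-03-03 02:10:01 203.0.113.9 - AUTH LOGIN 535
2004-03-03 02:10:02 203.0.113.9 - AUTH LOGIN 535
2004-03-03 02:10:03 203.0.113.9 - AUTH LOGIN 535
2004-03-03 02:10:04 203.0.113.9 - AUTH LOGIN 535
2004-03-03 02:10:05 203.0.113.9 - AUTH LOGIN 535
2004-03-03 02:10:06 203.0.113.9 administrator AUTH LOGIN 235
2004-03-03 02:10:07 203.0.113.9 administrator MAIL FROM:<x@example.net> 250
2004-03-03 02:10:08 203.0.113.9 administrator RCPT TO:<victim@example.org> 250
2004-03-03 02:10:09 203.0.113.9 administrator RCPT TO:<victim2@example.org> 250
2004-03-03 08:00:00 192.168.1.20 jsmith AUTH LOGIN 235
2004-03-03 08:00:01 192.168.1.20 jsmith RCPT TO:<partner@example.org> 250
2004-03-03 08:05:00 198.51.100.7 - RCPT TO:<mark@example.com> 250
"""


def parse_line(line):
    """Split one log line into a dict; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["user"] = rec["user"].lower()
    try:
        rec["status"] = int(rec["status"])
        rec["ip"] = ipaddress.ip_address(rec["c_ip"])
    except ValueError:
        return None
    return rec


def rcpt_domain(arg):
    """Domain from an RCPT argument such as 'TO:<user@domain>'; None if absent."""
    if "@" not in arg:
        return None
    return arg.split("@", 1)[1].rstrip(">").lower()


def analyze(lines, lan_cidrs, local_domains, fail_threshold=5):
    """Return three findings: sources with >= fail_threshold AUTH failures,
    successful privileged AUTHs from outside the LAN, and per-source counts
    of accepted non-local recipients from outside the LAN (relay use)."""
    lans = [ipaddress.ip_network(c) for c in lan_cidrs]
    local = {d.lower() for d in local_domains}
    failures, relays, privileged_auth = Counter(), Counter(), []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        external = not any(rec["ip"] in net for net in lans)
        verb = rec["verb"].upper()
        if verb == "AUTH":
            if rec["status"] == 535:            # 535: authentication failed
                failures[rec["c_ip"]] += 1
            elif rec["status"] == 235 and external and rec["user"] in PRIVILEGED:
                privileged_auth.append((rec["c_ip"], rec["user"]))   # 235: auth succeeded
        elif verb == "RCPT" and rec["status"] == 250 and external:
            dom = rcpt_domain(rec["arg"])
            if dom is not None and dom not in local:  # accepted relay to a foreign domain
                relays[rec["c_ip"]] += 1
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "privileged_external_auth": privileged_auth,
        "external_relays": dict(relays),
    }


def run_sample():
    """Analyze the constructed log with an assumed LAN range and local domain."""
    return analyze(SAMPLE_LOG.splitlines(), ["192.168.0.0/16"], {"example.com"})


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(f"{name}: {finding}")
```

The 535 and 235 reply codes are the standard SMTP AUTH failure and success responses, so the same three checks apply to any server that logs the protocol exchange. On the constructed log the script reports the sequence Mark described: a run of 535s from 203.0.113.9, then a 235 for "administrator" from that same Internet address, then accepted recipients at foreign domains. The LAN user's relay and the inbound message to the local domain are not flagged, which is the distinction the "LAN only may send" Exchange setting enforces.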

There has been no new spam from your IP in the last three days. My opinion is that you are secure.

Richard

I am confident that I was the victim of an SMTP/AUTH hack. I have forced a company wide password change and implemented complex passwords. I also deleted all unnecessary accounts. My mail server seems to be working more normally and my badmail folder is not filling up like it was.

I didn't think I was relaying spam and was really pissed at first that my IP was blacklisted, but this service has helped me immensely by forcing me to look at issues I would have normally overlooked. 

I never thought I would say this, but "thanks, Spamcop."

Mark Perkins, M.S., MCSE, A+

Sys Admin

BioKyowa, Inc.

This response should be pinned at the top of the forum as a reference for bullheads and trolls who try to blame the natural consequences of their own security leaks on Spamcop rather than -- as this sysadmin has done -- accepting responsibility for their own shortcomings, fixing them, and thanking Spamcop for its role in alerting them to the leak (even if the alert involved the gentle application of a 2 x 4 to the forehead).

I am often astonished at the immaturity of many of the people who come here whining -- how did they ever get promoted to system admin or mail admin? The guy who started this thread is a role model for how the job SHOULD be done.


Though agreeing with the sentiment, the Pinned FAQ issue is something that's being looked at for a better alternative. How about taking a look at a Topic in the Lounge asking for input on changing the configuration of this thing and perhaps come up with a place to slide in a few accolades such as this. "spam Victim of the Month" doesn't seem like a title some would want to wear <g>
