kevin@miscorp.com

Blocked E-mail?


My e-mail server is being "blocked" by SpamCop. None of the open relay testers have shown it to be an open relay, nor have I been able to get any kind of a message through it myself. But more than 48 hrs later, it is STILL being listed and I am still getting messages blocked. I would really like to know why this is still being listed, and where SpamCop is getting its information that I should be blocked?


You are not an open relay. Your machine has been hacked.

Google for "Exchange SMTP Auth Hack"

Some spammer has more control of your machine than you do.

Unplug it from the net and fix it before you plug it back in

> You are not an open relay. Your machine has been hacked.
>
> Google for "Exchange SMTP Auth Hack"
>
> Some spammer has more control of your machine than you do.
>
> Unplug it from the net and fix it before you plug it back in

Hi, Merlyn,

...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?! :unsure:

> Hi, Merlyn,
>
> ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?! :unsure:

Yeah, I would like to know that myself. That seems to be a rather generic answer (I have seen you make that exact statement elsewhere, word for word). I am only listed on SpamCop, so I don't think it is quite as you say. I would like some real help on this, not generic blanket statements, thanks.


mail.miscorp.com.->miscorp13.miscorp.com.->209.157.165.159

(you've got some DNS issues that need to be resolved)

http://www.senderbase.org/?searchBy=ipaddr...209.157.165.159

...indicates a huge increase in mail...

Telnet to 209.157.165.159:25 indicates that it's running Exchange.

All those factors point to Exchange SMTP AUTH hack...

(you could also send an email to deputies ( at ) spamcop.net and they may provide some additional information.)

Check your Exchange logs to see what accounts have been sending mass quantities of mail. Make sure that all accounts have strong passwords. Disable any unused role accounts.

Edited by Chris Parker

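The log check suggested in the post above (find the accounts sending mass quantities of mail) can be scripted. The following is an added example, not code from the thread or from Microsoft: it assumes the SMTP virtual server is writing its protocol log in W3C extended format (which Exchange 2000 can do) and works from a constructed sample whose field layout is hypothetical. The parser reads the `#Fields:` header, so a real log's own column order is honoured. In the SMTP AUTH pattern the thread describes, a spammer guesses a weak password, authenticates, and relays through the server, so two counters are of interest: accepted `MAIL` commands per authenticated account, and rejected `AUTH` attempts per client address (the guessing phase). The account names and addresses below are constructed (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).

```python
from collections import Counter
from typing import Dict, List

# Constructed sample. Field layout is hypothetical but follows W3C extended log format;
# cs-method carries the SMTP verb and sc-status the reply code the server sent.
SAMPLE_LOG = """\
#Software: constructed sample, not a real server log
#Version: 1.0
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2004-07-29 21:00:01 192.0.2.10 - MAILHOST EHLO +mx.example.net 250
2004-07-29 21:00:01 192.0.2.10 - MAILHOST AUTH +LOGIN 334
2004-07-29 21:00:02 192.0.2.10 - MAILHOST AUTH - 535
2004-07-29 21:00:02 192.0.2.10 - MAILHOST AUTH +LOGIN 334
2004-07-29 21:00:03 192.0.2.10 - MAILHOST AUTH - 535
2004-07-29 21:00:04 192.0.2.10 - MAILHOST AUTH +LOGIN 334
2004-07-29 21:00:04 192.0.2.10 svc_backup MAILHOST AUTH - 235
2004-07-29 21:00:05 192.0.2.10 svc_backup MAILHOST MAIL +FROM:<promo@example.net> 250
2004-07-29 21:00:05 192.0.2.10 svc_backup MAILHOST RCPT +TO:<r1@example.org> 250
2004-07-29 21:00:06 192.0.2.10 svc_backup MAILHOST MAIL +FROM:<promo@example.net> 250
2004-07-29 21:00:07 192.0.2.10 svc_backup MAILHOST MAIL +FROM:<promo@example.net> 250
2004-07-29 21:00:08 192.0.2.10 svc_backup MAILHOST MAIL +FROM:<promo@example.net> 250
2004-07-29 21:03:00 203.0.113.4 - MAILHOST MAIL +FROM:<news@example.org> 250
2004-07-29 21:05:10 198.51.100.7 alice MAILHOST AUTH - 235
2004-07-29 21:05:11 198.51.100.7 alice MAILHOST MAIL +FROM:<alice@example.com> 250
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per data line, keyed by the #Fields: names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("log data appeared before a #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def accepted_mail_per_account(rows: List[Dict[str, str]]) -> Counter:
    """Count MAIL commands the server accepted (250) per authenticated account.
    Unauthenticated MAIL is ordinary inbound delivery, so it is kept in its own bucket."""
    counts: Counter = Counter()
    for r in rows:
        if r.get("cs-method") == "MAIL" and r.get("sc-status") == "250":
            user = r.get("cs-username", "-")
            counts["(unauthenticated)" if user == "-" else user] += 1
    return counts


def failed_auth_per_ip(rows: List[Dict[str, str]]) -> Counter:
    """Count rejected AUTH attempts (535) per client address: the password-guessing phase."""
    counts: Counter = Counter()
    for r in rows:
        if r.get("cs-method") == "AUTH" and r.get("sc-status") == "535":
            counts[r.get("c-ip", "?")] += 1
    return counts


def suspicious_accounts(rows: List[Dict[str, str]], threshold: int) -> List[str]:
    """Accounts that relayed at least `threshold` accepted messages within this log window."""
    return sorted(user for user, n in accepted_mail_per_account(rows).items()
                  if user != "(unauthenticated)" and n >= threshold)


def triage(text: str, threshold: int = 3) -> Dict[str, object]:
    """One-call summary: per-account volume, per-IP AUTH failures, accounts over threshold."""
    rows = parse_w3c_log(text)
    return {
        "mail_per_account": dict(accepted_mail_per_account(rows)),
        "failed_auth_per_ip": dict(failed_auth_per_ip(rows)),
        "suspicious": suspicious_accounts(rows, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, `svc_backup` (a role account, exactly the kind the post says to disable if unused) relays four messages after two failed logins from the same client, while `alice` sends one. On a real log the threshold is set relative to the accounts' normal daily volume; a dormant role account with any authenticated relay at all is already worth a password reset and a look at who holds its credentials.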
> Hi, Merlyn,
>
> ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?! :unsure:

You want me to give away all my secrets???

As Holmes would say, It's right under your nose my dear Mr. Watson!

> Hi, Merlyn,
>
> ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!
>
> You want me to give away all my secrets???

...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>

> As Holmes would say, It's right under your nose my dear Mr. Watson!

...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>

...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....


> You want me to give away all my secrets???
>
> ...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>
>
> ...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>
>
> ...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....

I took the wmail addy he was using as his name: miscorp.com

miscorp.com to 209.157.165.182 to 209.157.165.183 to 10.13.11.10 to 209.157.165.180 to 209.157.165.181

miscorp.com has 2 MX records puncheon.miscorp.com.(30) mail.miscorp.com.(5)

Resolved mail.miscorp.com to miscorp13.miscorp.com. to 209.157.165.159

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2 Blocked - see http://www.spamcop.net/bl.shtml?209.157.165.159

Which also happened to hit a spamtrap at NOMOREFUNN the local bl at moensted.dk

Then I checked the email server

SMTP - 25 220 miscorp13.miscorp.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 29 Jul 2004 14:52:22 -0700

POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (miscorp13.miscorp.com) ready.

And if you want more info:

FTP - 21 Error: ConnectionRefused

HTTP - 80 HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Thu, 29 Jul 2004 21:52:22 GMT

Connection: Keep-Alive

Content-Length: 1270

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCACBDSRS=KHHNNPFDLEAHHJFNDFEGFFAI; path=/

Cache-control: private

NNTP - 119 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

Then, looking at their email version, I maybe went too far, but because of the version, which has a strange quality of getting itself into trouble, I guessed it was an SMTP AUTH hack.

There are patches they did not apply, and if they did, they were still susceptible to it.

He asked for help about his server, and this one matched perfectly.

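The post above shows the DNSBL step of the investigation: `bl.spamcop.net -> 127.0.0.2`. A DNSBL is queried by reversing the octets of the address and looking up an A record under the list's zone; an answer in 127.0.0.0/8 means "listed" (SpamCop documents 127.0.0.2 as its listing code), NXDOMAIN means "not listed". The following is an added example, not code from the thread or from SpamCop, for an administrator who wants to check whether their own server's outbound address is listed. The real lookup goes through `socket.gethostbyname`; the offline resolver and the 192.0.2.x addresses are constructed for demonstration, and the `RuntimeError` on a non-127/8 answer guards against a dead or wildcarded zone that would otherwise report everything as listed.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a name to its A record text and raises socket.gaierror when no record exists.
Resolver = Callable[[str], str]

# Listing code documented by SpamCop; other DNSBLs use their own 127.0.0.x codes.
SPAMCOP_LISTED = "127.0.0.2"


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the reversed-octet query name, e.g. 192.0.2.10 -> 10.2.0.192.bl.spamcop.net."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> str:
    """Real lookup through the OS resolver (needs network access)."""
    return socket.gethostbyname(name)


def make_static_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver (constructed, for demos): answers names in `table`, else NXDOMAIN-like error."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror("constructed resolver: no such name")
    return resolve


def check_dnsbl(ip: str, zone: str = "bl.spamcop.net",
                resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the listing code (an address in 127.0.0.0/8) if `ip` is listed in `zone`, else None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # DNSBLs only ever answer from 127/8; anything else means the zone is dead or wildcarded.
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    raise RuntimeError(f"unexpected DNSBL answer {answer} from {zone}; treat the zone as unusable")


def listing_report(ips: Iterable[str], zone: str = "bl.spamcop.net",
                   resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Check several addresses (e.g. every IP your outbound mail can leave from) in one pass."""
    return {ip: check_dnsbl(ip, zone, resolve) for ip in ips}


if __name__ == "__main__":
    # Constructed demo: 192.0.2.10 (TEST-NET-1) is listed, 192.0.2.11 is not.
    demo = make_static_resolver({dnsbl_query_name("192.0.2.10"): SPAMCOP_LISTED})
    for ip, code in listing_report(["192.0.2.10", "192.0.2.11"], resolve=demo).items():
        print(ip, f"listed ({code})" if code else "not listed")
```

For a live check of your own mail host, call `check_dnsbl("<your outbound IP>")` with the default resolver; a listed server needs the source of the relayed mail fixed first, since the listing will simply return if the abuse continues.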
> ...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....
>
> I took the wmail addy he was using as his name: miscorp.com

...Okay, that's what I was afraid of (see quote from me, above). :) <g>


> I took the wmail addy he was using as his name: miscorp.com
>
> ...Okay, that's what I was afraid of (see quote from me, above). :) <g>

Oops, I should have just said yes :D

Edited by Merlyn


> ...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>
>
> ...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>
>
> ...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....
>
> I took the wmail addy he was using as his name: miscorp.com
>
> miscorp.com to 209.157.165.182 to 209.157.165.183 to 10.13.11.10 to 209.157.165.180 to 209.157.165.181
>
> miscorp.com has 2 MX records puncheon.miscorp.com.(30) mail.miscorp.com.(5)
>
> Resolved mail.miscorp.com to miscorp13.miscorp.com. to 209.157.165.159
>
> SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2 Blocked - see http://www.spamcop.net/bl.shtml?209.157.165.159
>
> Which also happened to hit a spamtrap at NOMOREFUNN the local bl at moensted.dk
>
> Then I checked the email server
>
> SMTP - 25 220 miscorp13.miscorp.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 29 Jul 2004 14:52:22 -0700
>
> POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (miscorp13.miscorp.com) ready.
>
> And if you want more info:
>
> FTP - 21 Error: ConnectionRefused
>
> HTTP - 80 HTTP/1.1 200 OK
>
> Server: Microsoft-IIS/5.0
>
> Date: Thu, 29 Jul 2004 21:52:22 GMT
>
> Connection: Keep-Alive
>
> Content-Length: 1270
>
> Content-Type: text/html
>
> Set-Cookie: ASPSESSIONIDCACBDSRS=KHHNNPFDLEAHHJFNDFEGFFAI; path=/
>
> Cache-control: private
>
> NNTP - 119 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
>
> Then, looking at their email version, I maybe went too far, but because of the version, which has a strange quality of getting itself into trouble, I guessed it was an SMTP AUTH hack.
>
> There are patches they did not apply, and if they did, they were still susceptible to it.
>
> He asked for help about his server, and this one matched perfectly.

Yes looks like the exchange smtp-auth hack.

> Yes looks like the exchange smtp-auth hack.

Wow, thanks Ellen :D

<Panic>

Wipes sweat from his brow :blink:

</Panic>
