Jump to content

Still listed after 48 hours, only "spamtrap"


docsmooth

Recommended Posts

All I'm seeing coming out of my server is valid email, and NDRs.

We send order status notifications to people who place orders on our webservers (reciept of order placed), but have no listserves. how do I get removed - I've waited the appropriate 48 hours.

Postmaster[at]aivia.com

[edit]

IP: 208.195.234.178, if you don't want to do the work figuring it out from the email address. :)

Link to comment
Share on other sites

Apparently, you must have greatly misunderstood all the words found in the Why am I Blocked FAQ. You even include one of the most obvious problem scenarios of generating spamtrap hits. The 48 hours is a maximum, but that clock only starts ticking after certain conditions are met. Take umbrage if you will, but instead of sitting back and twiddling your thumbs while watching the clock, you just might want to take a few minutes and take a shot at reading the FAQ and see which parts of it pertain to your situation.

And seeing that you edited your post while I was typing, I'll also change mine ... can you explain the increase in traffic as depicted at http://www.senderbase.org/?searchBy=ipaddr...208.195.234.178 ....????

Link to comment
Share on other sites

The problem is almost certainly those NDRs, if it is done after the SMTP transaction. You are probably responding to spam or virus-generated mail using the return envelope. This is a very bad idea - see the first sentence of the first item in the FAQ.

Link to comment
Share on other sites

Take umbrage if you will, but instead of sitting back and twiddling your thumbs while watching the clock, you just might want to take a few minutes and take a shot at reading the FAQ and see which parts of it pertain to your situation.

Exchange with SMTP AUTH enabled is probably a good place to start.

Link to comment
Share on other sites

Your IP has been listed in the PSBL nine times since the beginning of August:

http://psbl.surriel.com/listing?ip=208.195.234.178

That's the Passive spam Block List, and they also have "spamtrap" addresses. Here are two of the recent spams, both for "pharmaceuticals" (Cialis, Levitra, etc.):

From hoseexposure[at]juno.com Tue Aug 24 00:36:49 2004

Delivery-date: Tue, 24 Aug 2004 00:36:49 -0400

Received: from [208.195.234.178] (helo=smtp.aivia.com)

by mail.victim.example with esmtp (Exim 4.41)

id 1BzT3B-0005Wb-FK

for psbltrap[at]kernelnewbies.nl; Tue, 24 Aug 2004 00:36:49 -0400

Received: from adrienne ([222.183.27.83] RDNS failed) by smtp.aivia.com with Microsoft SMTPSVC(6.0.3790.0);

Mon, 23 Aug 2004 23:39:25 -0500

From: "jenyl "<hoseexposure[at]juno.com>

To: psbltrap[at]kernelnewbies.nl

Subject: AI|| NATURA1lI!

Mime-Version: 1.0

Date: 23 Aug 2004 23:39:26 -0500

From acknowledgerpoured[at]pacbell.net Fri Aug 20 11:11:22 2004

Delivery-date: Fri, 20 Aug 2004 11:11:22 -0400

Received: from [208.195.234.178] (helo=smtp.aivia.com)

by mail.victim.example with esmtp (Exim 4.22)

id 1ByAty-0006o8-He

for psbltrap[at]kernelnewbies.nl; Fri, 20 Aug 2004 11:01:58 -0400

Received: from postman ([200.89.50.94] RDNS failed) by smtp.aivia.com with Microsoft SMTPSVC(6.0.3790.0);

Fri, 20 Aug 2004 10:04:24 -0500

From: "Vincent Mullick"<acknowledgerpoured[at]pacbell.net>

To: psbltrap[at]kernelnewbies.nl

Subject: Y0UR COMMUN|CAT|10N

Mime-Version: 1.0

Date: 20 Aug 2004 10:04:27 -0500

Looks like your mail server is NOT secure!

DT

Link to comment
Share on other sites

Apparently, you must have greatly misunderstood all the words found in the Why am I Blocked FAQ.  You even include one of the most obvious problem scenarios of generating spamtrap hits.  The 48 hours is a maximum, but that clock only starts ticking after certain conditions are met.  Take umbrage if you will, but instead of sitting back and twiddling your thumbs while watching the clock, you just might want to take a few minutes and take a shot at reading the FAQ and see which parts of it pertain to your situation.

And seeing that you edited your post while I was typing, I'll also change mine ... can you explain the increase in traffic as depicted at http://www.senderbase.org/?searchBy=ipaddr...208.195.234.178 ....????

16141[/snapback]

According to the FAQ, one of the biggest reasons for being listed is "non-secure opt-in listservs". I DON"T RUN A LISTSERV. We have an online ordering system which sends a single order confirmation email. Please contact me privately, and I"ll send you the web addresses.

As for the senderbase information? I've never seen the site before Monday (linked there by spamcop), so I can't tell you much of anything except:

1) I was an open relay from untill 4/16 due to a poorly secured account. Since then I regularly grep tcpdumps for "smtp auth" commands, and manually go through THAT information to find spammers who may be using the same attacks on me.

2) .178 is a relay server, and does not validate usernames - only domains. Probably 90% of my recieved / sent mail are NDRs. As I'm not just the mail admin, I don't have time (unfortuneately) to delete all the NDRs in the queue which are obviously bad. Last week I turned DOWN the rates at which my server tries to resend messages, to lower my traffic levels.

Other than that - I have no idea what they're tracking, to be able to know what they're logging. I'm not sitting back twiddling my thumbs waiting- the first thing I do when I hear of spam reports against me, is I CHECK MY OWN SERVER QUEUES.

Yes, I want this solved, not just unlisted.

Link to comment
Share on other sites

Probably 90% of my recieved / sent mail are NDRs. As I'm not just the mail admin, I don't have time (unfortuneately) to delete all the NDRs in the queue which are obviously bad. Last week I turned DOWN the rates at which my server tries to resend messages, to lower my traffic levels.

Either reject at the time of the SMTP transaction or drop in a bit-bucket. NDRs to the return envelope are a sure and certain way to hit spamtraps and remain forever blocklisted. FFS switch this feature off NOW!

Link to comment
Share on other sites

According to the FAQ, one of the biggest reasons for being listed is "non-secure opt-in listservs".  I DON"T RUN A LISTSERV.

I'm a bit lost. I just re-read http://forum.spamcop.net/forums/index.php?showtopic=972 and I don't actually see the words you cite ...???

We have an online ordering system which sends a single order confirmation email.

But is it an Exchange server? It's beginning to sound like it.

Please contact me privately, and I"ll send you the web addresses.

There is a PM function within this board that could do that, but also noting that the referenced FAQ includes an address to contact someone with the ability to actually check the spamtrap data and possiblt offer some insight into what's actually being seen.

As for the senderbase information?  I've never seen the site before Monday (linked there by spamcop), so I can't tell you much of anything except:

2) .178 is a relay server, and does not validate usernames - only domains.

Julian really doesn't like nailing output servers, but .... perhaps there's something else missing in the headers that's not allowing the parser to see beyond this particular server to find the 'real' source (assumedly one of the other servers outputting through this "relaying" server. Headers of and actual "problem" e-mail would be needed to see any of the needed data there.

Other than that - I have no idea what they're tracking, to be able to know what they're logging.  I'm not sitting back twiddling my thumbs waiting-  the first thing I do when I hear of spam reports against me, is I CHECK MY OWN SERVER QUEUES.

I admit that my response there was a bit rough, but all I had to go on was "I've waited the 48 hours" .... server logs only contain data from traffic passed through that server, whereas others that come in guns ablaze have found that the real evidence was actually over in the firewall logs .. traffic that didn't go through the server ... and in the hacked account scenarion, it was only very close scrutiny or the total traffic analysis that contained the needed clues. General guidelines from folks other than someone hawking Microsoft wares is to only use an Exchange server for internal e-mail distribution but never attach it directly to the 'net' ...

Yes, I want this solved, not just unlisted.

Thanks for that thought and comment. Closing down the source of spew is in everyone's best interest.

Link to comment
Share on other sites

Either reject at the time of the SMTP transaction or drop in a bit-bucket. NDRs to the return envelope are a sure and certain way to hit spamtraps and remain forever blocklisted. FFS switch this feature off NOW!

16149[/snapback]

<insert pissed off yelling at admin who re-enabled the domain guest account>

<insert pissed off grumbling about lack of accountability here>

The ones you posted ALL were authenticated as domain\guest

THANK YOU ALL.

OK, now I get to re-look into dropping NDRs without enabling directory harvest attacks. Any thoughts for IIS6, other than "move to qmail"?

Postmaster[at]aivia.com

Link to comment
Share on other sites

A few more pieces, to fill out Wazoo's curiousity:

IIS6.

Firewall blocks SMTP outbound from everything EXCEPT the mail server.

I have a 5GB Ethereal buffer on a mirror port on my WAN switch watching SMTP (tcp port 25) only. I don't use server logs except to help get timing right - easier to grep server logs for an IP and time, than the tcpdump.

My spam filter only tags things TO my internal domains, so I have to manually watch outbound, or relay, mail.

Did I say I hate the lack of accountability here?

And why don't I want to move to qmail? I'm still a windows guy with only 15 minutes an evening to learn a new OS, so it takes a while. :/

Link to comment
Share on other sites

<snip>Postmaster[at]aivia.com

[edit]

IP: 208.195.234.178, if you don't want to do the work figuring it out from the email address. :)

16140[/snapback]

...Umm ... how do I determine your outbound mail server (that's what SpamCop's BL lists -- outbound mail servers) from your e-mail address? :unsure: <?>
Link to comment
Share on other sites

2) .178 is a relay server, and does not validate usernames - only domains.

16146[/snapback]

Spammers routinely forge domain names. Either you are authenticating based on a restricted set of I.P. addresses, or by username/passwords, or you are wide open, as all a spammer has to do is forge the e-mail address of one of your users, and they can easily relay.

Use of usernames/passwords can use port 587 so port 25 does not need them.

Other than that - I have no idea what they're tracking, to be able to know what they're logging.  I'm not sitting back twiddling my thumbs waiting-  the first thing I do when I hear of spam reports against me, is I CHECK MY OWN SERVER QUEUES.

Yes, I want this solved, not just unlisted.

16146[/snapback]

That is assuming that the spammer / cracker has not compromised the server to the point where they have modified the server queues, logs and administrative programs.

About a year ago, there was a rash of *nix systems that were being used by a spammer that found a vulnerability that allowed them to upload and run a mail server written in perl. They would make the spam run long enough to get a server listed, and then delete all traces of their presence and wait for the server to be delisted.

Nothing showed up in the logs, it was only detected by an external TCP/IP traffic monitor that was on during a spam run.

See http://dsbl.org/programs for tools that allow you to scan your network for spam related security problems.

-John

Personal Opinion Only

Link to comment
Share on other sites

All I'm seeing coming out of my server is valid email, and NDRs.

We send order status notifications to people who place orders on our webservers (reciept of order placed), but have no listserves.  how do I get removed - I've waited the appropriate 48 hours.

Postmaster[at]aivia.com

[edit]

IP: 208.195.234.178, if you don't want to do the work figuring it out from the email address. :)

16140[/snapback]

The headers of the spams indicate that this is the SMTP/AUTH exploit:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

I might also mention that this spammer will use a server til it gets listed and then stop using it for a few days and then start back up so the fact that it has now delisted does not mean that the problem is solved. The likelihood is that he will start using this server again rsn.

Link to comment
Share on other sites

The headers of the spams indicate that this is the SMTP/AUTH exploit:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

I might also mention that this spammer will use a server til it gets listed and then stop using it for a few days and then start back up so the fact that it has now delisted does not mean that the problem is solved. The likelihood is that he will start using this server again rsn.

16222[/snapback]

Ellen - yes, that's what I found yesterday, and stopped (domain\guest had been re-enabled by an internal admin).

Tur - on my network, outbound and inbound are the same. SMTP is only allowed through (in or out) to a single system). But you're right, you wouldn't know that.

WB: I only allow relay from: 1) internal subnet, 2) single external webserver, 3) SMTP AUTH (and I'm slowly pushing users to webmail, so I can turn off SMTP AUTH - the brass are a little slow to change sometimes). I validate domains to determine if the mail is "inbound" or "outbound" in my anti-spam software.

Again, I have stopped the particular SMTP AUTH vector that spammer was using. yes, I'm looking to see if I have others.

Link to comment
Share on other sites

<snip>

Tur - on my network, outbound and inbound are the same.  SMTP is only allowed through (in or out) to a single system).  But you're right, you wouldn't know that.

<snip>

16255[/snapback]

...Rats, I was hoping to learn a new trick! :D <big g> Thanks for taking the time to reply to my inquiry, though. Also, thanks for going through the time and effort to fix the problem and making things tougher for the spammer scum! :D :D <big, big g>
Link to comment
Share on other sites

Just note of clarification (or is it confusion). The 48hour rule is a bit misleading.

Specificly it states 48hours after the last report is received . Since reports can be submitted for up to 3 days from the date the message was sent, this could extend the time to drop off from the senders point of view.

Also the duration (amount of time) that a site is listed is very very complicated to determine and can be as little as an hour or less extending up to indefinite if reports keep comming in. So if a site is scheduled to be listed for only 2 hours then the 48hour rule is totally meaningless. There is also some doubt in my mind if there is actually a separate 48hour clock that is used or if it is just a approximate amount of time that it generally takes the typical site to delist. Refer to the following FAQ What is on the list? for more information. You will note that reports as old as 1 week (10 days if you include the 3 day filling window) do have a limited effect in caluclating if a site is to be listed and for how long. Granted, the effect is very minor. And taking the fact that the math goes something like this (square this, add that, subtract this, multiply that) it is imposible for anyone except management to determine exactly how long it will take for a site to delist (assuming no new reports are filed or spamtraps hit.)

Link to comment
Share on other sites

Specificly it states 48hours after the last report is received . Since reports can be submitted for up to 3 days from the date the message was sent, this could extend the time to drop off from the senders point of view.

I know that is what the documentation says, but I believe it has been explained (either here or in the newsgroups) that the 48 hours is calculated from the time the alleged spam message was received by the reporter, not when it was actually reported. The 3 day limit does not come into effect here.

Link to comment
Share on other sites

I know that is what the documentation says, but I believe it has been explained (either here or in the newsgroups) that the 48 hours is calculated from the time the alleged spam message was received by the reporter, not when it was actually reported.  The 3 day limit does not come into effect here.

16287[/snapback]

That is correct

Link to comment
Share on other sites

That is correct

16297[/snapback]

Well replying to myself -- but anyway -- I also came across another faq for the exchange problem -- maybe someone posted it here and I scooped it up and so cannot give credit where credit is due cause I don't remember where I came across it ... anyway it's a MS knowledgebase write-up so those of you who are keeping boilerplate might want to add it to your boilerplate:

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

Link to comment
Share on other sites

3) SMTP AUTH (and I'm slowly pushing users to webmail, so I can turn off SMTP AUTH - the brass are a little slow to change sometimes). 

16255[/snapback]

You might want to rethink the web mail, unless you are only offering plain text reading.

Webmail means that the browser is accessing the e-mail, which will usually cause any external links to open. This can be used by spammers to confirm that a human on your network read their spam.

It also means that their browsers probably think that your web site is a "trusted" zone, so they may execute scripts that are imbedded in spam. Some of those scripts have been decoded to download malware.

If they have a vulnerable system that is not behind a firewall, there are known exploits that all the cracker needs to do is get the system to visit a server that they control.

-John

Personal Opinion Only

Link to comment
Share on other sites

Well replying to myself -- but anyway -- I also came across another faq for the exchange problem -- maybe someone posted it here and I scooped it up and so cannot give credit where credit is due cause I don't remember where I came across it ... anyway it's a MS knowledgebase write-up so those of you who are keeping boilerplate might want to add it to your boilerplate:

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

16298[/snapback]

This and other links are in the Why am I Blocked FAQ "here" at http://forum.spamcop.net/forums/index.php?showtopic=972

Link to comment
Share on other sites

I know that is what the documentation says, but I believe it has been explained (either here or in the newsgroups) that the 48 hours is calculated from the time the alleged spam message was received by the reporter, not when it was actually reported.  The 3 day limit does not come into effect here.
That is correct

16297[/snapback]

If that is the case, would it not make sense to change the reporting window to two days instead of 3

So would it be safe to say that the following quote is totally incorrect?

SUBE is weighted by freshness:

The most recently-reported SUBE sites are counted 4:1. Reports 48 hours and older are counted 1:1, with a linear sliding scale between now and 48 hours past. Reports older than one week are ignored.

Link to comment
Share on other sites

If that is the case, would it not make sense to change the reporting window to two days instead of 3

The 3 day thing stems from the spam being sent on Saturday but not being reported until Monday. Now you'd have to really wonder why a spammer would start the spew on a Saturday and "not" continue through the entire weekend ... so that perhaps the complaint may not be enough to get the IP listed, but will definitely add to the weight of the scoring applied. (pointing to the 2% threshold for example)

There was much debate about this over in the newsgroups a while back, really didn't result in much of anything happening. Another factor is that the 3-day thing was from way back in the beginning, whereas the BL is fairly recent.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...