[Resolved] listed IP 209.19.30.4 ms1.cs1.camincargo.net

[mremotti]

Dear Spamcop Forum Members

I am the Systems Administrator of Camin Cargo Control whom you have listed under IP 209.19.30.4 ms1.cs1.camincargo.net and need some assistance from your side to get this problem resolved.

I notice our server being listed yesterday and started looking for possible causes not finding yet the one that may have created the listing.

Your services indicate this 209.19.30.34 server has sent messages to one of your traps, and also gave me some recommendations as to where to look for problems or security holes.

Unfortunatelly I just lost my network admin tech person and are limited in resources and technical knwoledge in thsi area, therefore I ask you for some help.

The company is currently suffering tremendously since our product is information sent via email to our customers, I need to get this listing lifted as soon as possible.

Our company has a private WAN with a firewall Cisco PIX 515 public IP 209.19.30.34 to the internet and a back end MS Exchange 2000 Server with a public IP 209.19.30.45, that is why you get this :

209.19.30.34 PTR record: ms1.cs1.camincargo.net. [TTL 86400s] [A=209.19.30.45] *ERROR* A record does not point back to original IP.

All our smtp traffic is sent via the Exchange server's smtp to the firewall and then to th einternet, teherefore our mail is always going out as 209.19.30.34 but incoming traffic must go to 209.19.30.45 who is listening for messages and has a tunnel to a front server on the DMZ who performs Virus/Anti_spam scanning running GFI Mail Essentials to screen for spam, and GFI MailSecurity with 5 antivirus engines for virus checking, then relaying to our Inside Exchange Server who also is running Symantec Mail Security on the stores and smtp traffic.

Our workstations (100+) are using Symantec Anti-virus Corporate Edition and managed via a centralized console, all signatures up to date and last scan as of today came clean.

Our server logs do not show any abnormal behaviour.

I had the Cisco Tech Support person logged to my firewal but we can't find any malicious connection to the firewall or abnormal traffic out to the internet. All open ports are authorized web pages or Yahoo IM for example.

We also installed a sniffer without any visible indications of offending traffic.

We have checked repeatedly for spyware and virus like activity and could not pinpoint the offending machine, without much information from your side it is very difficult for just one person to tackle this without shutting down my company entirely.

If there any information or guidance like an inside IP, date time, text of messages, etc you can give me to help find a faster resolution please let me know. At this point I am not sure whether the problem is inside or was reported by another source.

Thanks

Marcelo Remotti

mremotti[at]camincargo.com

-----Original Message-----

From: SpamCop robot [mailto:summaries[at]admin.spamcop.net]

Sent: Tuesday, October 18, 2005 1:25 AM

To: Marcelo E Remotti

Subject: [spamCop summary report]

[ SpamCop V1.493 Summary Report ]

-- See footer for key to columns and notes about this report --

IP_Address Start/Length Trap User Mole Simp Comments

RDNS

209.19.30.34 Oct 13 19h/4 19 0 0 0 blocklisted

ms1.cs1.camincargo.net

[Derek T]

First of all welcome and thank you for all the details - sometimes it's like drawing teeth!

If all you are hitting is SpamTraps then the two most common causes are:

1) Blow-back: are you bouncing undeliverable messages after the event instead of rejecting them at the SMTP stage

2) are your mailing lists all CONFIRNED OPT-IN, if not someone may have polluted your lists with spamtrap addresses.

Moderator action: entire quote of the previous removed from this post

[Wazoo]

First of all .. several Topics/Discussions exist from just the last couple of days from other ISPs with a spam spew problem .. both of those appear to be resolved .. Suggest you do some readng while waiting.

Second ... hard to see how some traffic could not be located ...

http://www.senderbase.org/?searchBy=ipaddr...ng=209.19.30.34

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.2 .. 2555%

Last 30 days .. 2.9 ..... 34%

Average ........ 2.7

There are a number of entries in the SpamCop FAQ (here) on the problems and issues of using an Exchange server .... there are a number of spammers that love tapping into them ( though one just made the headlines ) ....

SpamTrap data is (as you noted) not for public consumption ... even the history reports have been whittled down to next to nothing due to spammers "working the system" with the data once found there ... The "Why am I Blocked" FAQ entry "here" has much data, contact points are found in the "How do I contact a SpamCop representative" entry (again, the SpamCop FAQ 'here') ...

The company is currently suffering tremendously since our product is information sent via email to our customers, I need to get this listing lifted as soon as possible.

One should also note that SpamCop itself blocks nothing. The "interference" you see is only found when attempting to send e-mail to another ISP that has chosen to use the SpamCopDNSBL as a "blocking" tool in their incoming anti-spam arsenal. This is not a universal scenario .. suggestion being that there is probably only a portion of your outgoing e-mail hitting this snag. Note that some spammer delight in doing just this (getting your system into a BL to 'demonstrate' that BLs are 'bad' ... but that simply overlooks that the spammer tapped into "your" system, is sucking "your" bandwidth, and as seen here, wasting even more of "your" time to clean up the mess ... yeah, blame the BLs for that!)

And a second to Derek T's comment .. thanks for providing the data in your first post! An exceedingly rare atrion.

Data Point - 19 Oct 2005 0316 -5GMT

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.7 .. 773%

Last 30 days ... 2.9 ... 31%

Average ......... 2.8

Data Point - 19 Oct 2005 1624 -5GMT

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.6 .. 600%

Last 30 days .. 2.9 .... 34%

Average ........ 2.8

Data Point - 20 Oct 2005 1708 -5GMT

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ....... 2.9 .. 10%

Last 30 days . 2.9 .. 31%

Average ....... 2.8

[mremotti]

Hi Derek T

No we are sending NDR from the smtp and we don't run mailing lists.

We don't allow automatic replies, forwards or OOF.

Also our AntiSpam software GFI Mail Essentials does not send any NDR's

Traffic on our smtp's virtual servers appears to be valid and normal.

thanks

[Derek T]

camincargo.com,Oct 18 2005, 10:54 PM]Hi Derek T

No we are sending NDR from the smtp and we don't run mailing lists.

We don't allow automatic replies, forwards or OOF.

Also our AntiSpam software GFI Mail Essentials does not send any NDR's

Traffic on our smtp's virtual servers appears to be valid and normal.

thanks

34425[/snapback]

OK, not backscatter then, but difficult to square your 'we send product details to customers' with 'we don't run mailing lists', but I guess that means that no-one can just sign someone else up for your info.

Wazoo points out a 255-fold increase in traffic in the last 24hrs - difficult to square that with 'valid and normal'.

Usual causes:

1) Zombied machine on network or

2) SMTP/Auth hack (q.v.) have you got remote access enabled? does it really need to be? are all the default username/password combinations disabled? (see FAQ for potential Exchange problems)

[Wazoo]

Maybe too much info, but ..

220 ms1.cs1.camincargo.net Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713

ready at Tue, 18 Oct 2005 18:16:54 -0400

help

214-This server supports the following commands:

214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY

I went no further ....

[mremotti]

never enough info, just looking at that topic in the FAQ.

Remember I wasn't the one seetin gup the Exchange (he's gone) and I coping with the consequences, not fully MS Exchange versed... any changes I make can create a bigger disaster...

[mremotti]

Derek T

when I disable the Anonymous Access Authentication option on the SMTP Access Control I get no incoming messages at all...

[Derek T]

Derek T

when I disable the Anonymous Access Authentication option on the SMTP Access Control I get no incoming messages  at all...

34431[/snapback]

Sorry, I'm no Exchange expert. But I'm sure someone with much better knowledge than me will be along soon...

I was just pointing out the 'usual suspects'! From previous threads I understand that unless your users really need to be able to send thru your SMTP remotely it is better to let only those on your network send mail from you. That's about the extent of my knowledge, but there are many gurus who run servers around here. My network consists of two machines and an ADSL router!

[dbiel]

Don't mean to sound uncaring, but you are dealing with an atomic bomb without the skills to do it safely. I strongly suggest that you bring in an exchange expert (short term) to help you fix the problem. Microsoft may make it seem that anyone can administer exchange, but that is far from the truth, unless of course you consider the type of problems you have having to be acceptable. As you have already found, changing one setting can cause other problems. The entire configueration should be rethought and possibly rebuilt.

I do wish you sucess in your endeavours and I would like to add my thanks for doing some homework first and for posting useful information with your request.

I wish I could be more helpful, but not being an exchange expert I need to withdraw.

[Wazoo]

The reason I went no further .... Version: 5.0.2195.6713 .... more than half the links I have floating around are 404 ... Secunia (a database of warnings, explots, patches seems to have dropped the Exchange 5 listings (stopping with "all" known exploits are patched) .. though noting several 5.5 exploits still critical ... would I/should I bring up the word "upgrade" on top of all your other/current woes?

Gads, even Outlook & Exchange Solutions Center appears to stop at 5.5 ......

Build numbers and release dates for Exchange Server

[mremotti]

My ms1 server is version 6.0 Build 6249.4:SP3 ???

are we talking same server?

[Wazoo]

My ms1 server is version 6.0 Build 6249.4:SP3  ???

are we talking same server?

34438[/snapback]

See my post (#8) in this discussion .... the Microsoft listing referenced in my last makes no mention of a "Version 6" ..... (for the Exchange Server) ????

Example of a worst-case scenario (I think it's an ancient discussion in here somewhere, but relying on memory here) .... Admin account was hacked/owned ... spammer came in during the wee hours ... planted a scri_pt file, ran the crap out of it for a few hours, deleted the file and log entries, left the area .... went on for quite some time, only "found" when (real) Admin was doing an all-nighter and noted some strange "processes" running on the server .... basically, the issue was due to a "weak" Admin password ... symptoms were massive traffic from that server (not showing up in the (e-mail) server logs (as that wasn't used by the scri_pt) ... and again, all done in the wee hours and tracking data deleted prior to spammer logging off .... night after night ....

[mremotti]

I saw it a second too late, I see you were talking about SMTP version, which is odd since we had upgraded the OS and I thought the WIn 2000 SRV SP3 and Upgrade would have updated that service as well.

WE are downloading the latest SP tomorrow early and will apply asap.

[StevenUnderwood]

No we are sending NDR from the smtp

34425[/snapback]

This part does not appear to be accurate

http://www.spamcop.net/sc?id=z817198712z5c...;action=display

I ran a test (the Tracking URL above) and it does appear you send non-delivery messages to the (possibly forged) return address rather than rejecting it during delivery. If I had used a spamtrap as the sender, you would have had another hit. If you rejected during delivery, I would have received the non-delivery from my SMTP server (charter) not to my spamcop address.

[mremotti]

weird because the Default properties for the Internet message Format have the Advanced tab setting Allow non-delivery reports unchecked...

[Jeff G.]

Please see

http://forum.spamcop.net/forums/index.php?...p=608entry608 and similar posts http://forum.spamcop.net/forums/index.php?...389entry19389 and http://forum.spamcop.net/forums/index.php?...401entry19401, noting that http://www.mail-abuse.com/support/an_sec3r...change%20Server has replaced http://west-pub.mail-abuse.org/tsi/ar-fix.html#exchange. Thanks!

[mremotti]

We had 5 AVirus layers, 1 AntiSpam...and after a lot of scanning, probing, sniffing,,, we found one virus and killed it , although I am not convinced yet it was the one and the only...

One issue brought up in this forum was that my server was sending NDR's when I had it set to NOT but maybe I had not restarted the smtp service ??? Still I don't think that would be a reason to be blacklisted??? I was doing the 'right thing' then.. before spammers made our life a misery right?

We are changing the PRT record with our ISP to point to the correct IP of the mail server not the firewall...

We installed a sniffer in our outgoing firewall port (damage control only because is a freeware and is not realtime)

Unfortunately I can't afford the wait-and-see game so I am still working on re-checking everything I did yesterday and open to suggestions.

Thanks to all and please let me know (in plain-er English please, I'm not a Exchange Guru) what else can I do.

[Derek T]

One issue brought up in this forum was that my server was sending NDR's when I had it set to NOT but maybe I had not restarted the smtp service ??? Still I don't think that would be a reason to be blacklisted??? I was doing the 'right thing' then.. before spammers made our life a misery right?

'Fraid so, one of the commonest reasons for SpamTrap-only listing is 'backscatter'. You are of course right, you were doing the right thing THEN, this is NOW, the right thing has changed in the seven years since your version of Exchange was rolled out! Spammers f*** it up for everybody. NOW undeliverables should only ever be rejected suring the SMTP transaction as the return envelope in spam is ALWAYS forged. If you're not hitting SpamTraps you're hitting some poor b*****'s inbox!

Good luck with the upgrade. Tongue-in-cheek I always maintain that the best upgrade to Exchange is to slap a linux distro in the CD tray and answer 'yes' when prompted 'delete all windows partitions?'

[Derek T]

Data point 1800 UTC sederbase now down to 603%

[mremotti]

yes, thanks. I'm checking every 30 mins/1hr to see how it goes.

[Wazoo]

Have been adding data points to my post #3 in this discussion ... yes, a massive dropoff, but .... still above 'norm' .... TELNET'd in, but version numbers read the same ...??? tinkered a bit, sent a PM to advise that "it was me" ....

[Derek T]

Have been adding data points to my post #3 in this discussion ... yes, a massive dropoff, but .... still above 'norm' ....  TELNET'd in, but version numbers read the same ...???  tinkered a bit, sent a PM to advise that "it was me" ....

34468[/snapback]

What port did u telnet in on Wazoo?

I get AVG proxy server.

[StevenUnderwood]

What port did u telnet in on Wazoo?

I get AVG proxy server.

34477[/snapback]

C:\>telnet 209.19.30.45 25

220 ms1.cs1.camincargo.net Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713

ready at  Thu, 20 Oct 2005 06:34:05 -0400

quit

221 2.0.0 ms1.cs1.camincargo.net Service closing transmission channel

Connection to host lost.

BTW, a second bounce test performed last night returned nothing so that part is patched.

If you have AVG installed on your machine in the default config, you are hitting your machine with that message. That is how AVG intercepts your outgoing messages for scanning.

[Derek T]

If you have AVG installed on your machine in the default config, you are hitting your machine with that message.  That is how AVG intercepts your outgoing messages for scanning.

34479[/snapback]

Light dawns! Thank you for that! What an idiot I am.

Disabled scanning and now see what you see. Thanks. Now where's that embarrassed smiley?

BTW when I typed help to get the supported commands the AVG proxy replied 'RTFM:>' which at least gave me a chuckle.