I am at my wits end....keep getting listed

[Miss Betsy]

But if a machine was compromised and used its own SMTP capabilities would it not show some other url instead of ours?

IIUC, it uses a different port than Port 25 to send email. That's why looking at firewall logs identifies the machine - the one who has a lot of use on some other port. I am not a server admin so I may not be explaining it the technically correct way. That's also why making machines on your network use Port 25 (which I think was a previous suggestion) may help to stop that illicit kind of usage since then you can catch it before it goes out - though I am not sure about that.

Miss Betsy

[sesblacklisted]

If by "some other url" you mean "some other IP address", we are working on the assumption (unanswered question, I believe) that you had multiple machines hiding behind the IP address that is listed, including your mail server. If this is not the case and your mail server is on it's very own IP address, then IF it is a virus causing this, THEN it would have to be a virus on your server, which you have already scanned.

Further explanation: With NAT, you can have one public IP address and multiple local IP addresses (192.168.x.x, 10.x.x.x, etc) hading behind that public IP. You would setup your firewall/gateway device to direct all incoming port 25 traffic to your mail server, all port 80 traffic to your web server, etc. Connections to the internet from any of your machines would show up only as the single public IP address.

Sorry yes, I meant ip address. I did state earlier that we are on a NAT with several machines acting on a single IP address, sorry for confusion.

[Merlyn]

You should be able to set your firewall to monitor all inbound and outbound traffic.

[Telarin]

Received from Ellen:

The spam stopped which is good but this is what we were seeing:

Received: from mail.cpa-ws.com [209.12.205.10] by MUNGED SERVER with SMTP;

MUNGED TIMESTAMP

Message-ID: <0000______________________007f[at]elia>

From: "Alexander" <john[at]positive-id.biz>

To: <x>

Subject: Our store is your cureall!

Date: MUNGED TIMESTAMP

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="------------ms020502050004000808040403"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

X-SmarterMail-spam: SPF_None

It's hard to trust X-headers since they do get forged of course.

If you post those headers on the forum please munge the "by" server and the timestamps ... just because the forum is public. I looked at all the samples and they all have the the Outlook Express and MimeOLE X-headers BTW ....

Hard to say if the spam is smarthosting or direct-to-mx. He needs to close 25 in and out to everything other than the mailserver. The spam started 5/22 and continued thru 6/16.

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

line tells me that it is possible the email is coming through your Exchange server. We can confirm this by checking which version of exchange you have installed as it is fairly unlikely that a forged X-Header would exactly match the version of exchange you have.

Edit: Actually, I noted you said Exchange 2003. That should show up as V6.5x in the X header, which means if you are running Exchange 2003 these spams most likely DID NOT originate from the actual Exchange Server.

You should also be able to search your exchange logs using the unmunged portion of the Message ID. That might also tell us quite a bit. You should be able to find it using the Message Tracking branch in the Exchange System Manager.

But if a machine was compromised and used its own SMTP capabilities would it not show some other url instead of ours?

Here is what you would see in most firewall logs, IPs may vary, but generally:

From: 192.168.1.100 (or whatever your internal IP address is) 1234 (some port, generally not 25 even for the actual SMTP server on the From side)

To: 1.2.3.4 (receiving mailserver) 25 (MUST send to port 25 for mail to be delivered)

So you are looking for log entries going TO port 25, and FROM any internal IP address other than your mailserver. If you can find any entries like that, you should be able to check your DHCP leases to find out exactly what machine it is.

[Wazoo]

So you are looking for log entries going TO port 25, and FROM any internal IP address other than your mailserver. If you can find any entries like that, you should be able to check your DHCP leases to find out exactly what machine it is.

Successful or not, good work involved here. Thanks for the time, effort, and knowledge offered.

[sesblacklisted]

You should also be able to search your exchange logs using the unmunged portion of the Message ID. That might also tell us quite a bit. You should be able to find it using the Message Tracking branch in the Exchange System Manager.

Yes, thanks again to everyone that has helped me, hopefully this record will help others as well.

I'm not sure what "the unmunged portion of the Message ID" means, can you please elaborate? At this point I feel stupid anyways.

I am not seeing hardly any port 25 transactions from the exhange logs. I seem to unlisted, can some check to see if I am still sending spam out? I've tried a couple of things so I need to know if it worked. Thanks in advance.

[dbiel]

I'm not sure what "the unmunged portion of the Message ID" means, can you please elaborate?

See the following:

Message-ID: <0000______________________007f[at]elia>

the underscore represents the munged portion of the message ID, the part that remains is the unmunged portion. Hope that this helps.

[Wazoo]

I'm not sure what "the unmunged portion of the Message ID" means, can you please elaborate? At this point I feel stupid anyways.

This is technically scary .. Message-ID: is a standard item in an e-mail header ... "mung" means to "mung until no good" ... which as in the example offered up in Ellen's response, the middle of that string has been munged so as not to "show" the entire Message-ID: string.

I am not seeing hardly any port 25 transactions from the exhange logs. I seem to unlisted, can some check to see if I am still sending spam out? I've tried a couple of things so I need to know if it worked. Thanks in advance.

Links have already been offered in this discussion for the sources "we" look at .... for starters ...

http://www.spamcop.net/w3m?action=checkblo...p=209.12.205.10

http://www.senderbase.org/?searchBy=ipaddr...g=209.12.205.10

The SpamCop FAQ here contains other links for help with an Exchange server .. have you been there yet? The link to SlipStick for instance (under Other Places) .. lots of great data there ....

[Telarin]

sesblacklisted,

As dbiel pointed out, the message ID listed in the headers is:

Message-ID: <0000______________________007f[at]elia>

The ___________ portion of that would contain other characters, but since we have a date and time, the partial message-id that is left should be sufficient to find this message if it exists in the Exchange logs.

In Exchange System Manager:

Expand Tools

Click "Message Tracking Center"

Put in the good portion of the Message ID: "007f[at]elia" note to replace the [at] with the actual at symbol as these forums munge it to prevent people from posting harvestable email addresses.

Put your server name in the "Server" box. This should just be the local network name "mailserver" or whatever you might be using for the netbios name.

Change the Logged Between dates and times to as wide as possible to make sure you don't miss anything.

Click "Find Now". after a few minutes you should have a list of all messages containing that partial "Message-ID". Find the one with the matching subject, and go from there.

[sesblacklisted]

sesblacklisted,

As dbiel pointed out, the message ID listed in the headers is:

Message-ID: <0000______________________007f[at]elia>

The ___________ portion of that would contain other characters, but since we have a date and time, the partial message-id that is left should be sufficient to find this message if it exists in the Exchange logs.

In Exchange System Manager:

Expand Tools

Click "Message Tracking Center"

Put in the good portion of the Message ID: "007f[at]elia" note to replace the [at] with the actual at symbol as these forums munge it to prevent people from posting harvestable email addresses.

Put your server name in the "Server" box. This should just be the local network name "mailserver" or whatever you might be using for the netbios name.

Change the Logged Between dates and times to as wide as possible to make sure you don't miss anything.

Click "Find Now". after a few minutes you should have a list of all messages containing that partial "Message-ID". Find the one with the matching subject, and go from there.

I searched based on the instructions you presented and nothing showed up. Thanks for doing that, however. Is there a more recent message I can track? It seems I am spewing spam again.

One note, I had a couple of computers infected with a trojan about a month ago, I clean them off, but do you think it's possible that their log ins and passwords were compromised?

[dbiel]

One note, I had a couple of computers infected with a trojan about a month ago, I clean them off, but do you think it's possible that their log ins and passwords were compromised?

That's always a posibility. It would not be a bad idea to require all users to change their passwords. Many companies require it on a regular basis.

[sesblacklisted]

That's always a posibility. It would not be a bad idea to require all users to change their passwords. Many companies require it on a regular basis.

Yes we do it routinely, but I may have to make a special implementation in this case. Even still, I am finding it hard to pin down which machine it is that is compromised. I'd really like to find out in case this comes up again and for the benefit of others who may have this problem.

[dbiel]

You may want to try tightening up your SMTP server requirementS. Require users to log into the server (user name and password) when sending mail Note: this can be an automated process so that it is transparent to the user except for initial client setup. Then make sure that the SMTP server adds the connection information to the headers making it easy to track back any message to the source. If you do not need remote SMTP access, turn it off. External users can normally send mail via the ISP they connect to the internet with, or require them to log into your servers first rather than simply accessing the SMTP server directly.

[sesblacklisted]

You may want to try tightening up your SMTP server requirementS. Require users to log into the server (user name and password) when sending mail Note: this can be an automated process so that it is transparent to the user except for initial client setup. Then make sure that the SMTP server adds the connection information to the headers making it easy to track back any message to the source. If you do not need remote SMTP access, turn it off. External users can normally send mail via the ISP they connect to the internet with, or require them to log into your servers first rather than simply accessing the SMTP server directly.

I just spent most of my Thurs and Fri cleaning and securing all the network machines. I then changed the passwords and guess what......Spamcop says I am still sending spam. This is most frustrating. Why is it so hard to tell where the spam is coming from?

[turetzsr]

I just spent most of my Thurs and Fri cleaning and securing all the network machines. I then changed the passwords and guess what......Spamcop says I am still sending spam. This is most frustrating. Why is it so hard to tell where the spam is coming from?

...Have you looked at your firewall logs?

...Note: I'm not a server or e-mail admin, so I will not be able to be of much help to you.

[dbiel]

I just spent most of my Thurs and Fri cleaning and securing all the network machines. I then changed the passwords and guess what......Spamcop says I am still sending spam. This is most frustrating. Why is it so hard to tell where the spam is coming from?

First, what data source are you using to state that "SpamCop says I am still sending spam?

A reply email message

A bounce message

A web site that states a specific IP address is being blocked.

We need more data from you to better help you.

We need to see the full headers of any message you receive as well as the full headers of any attached original message.

One prime source (which you might not consider spam) but which has now fallen into the spam catagory are bounces that your users may be sending out such as vacation notices which happen to be automatic replys to spam that has been received, with the bounce being sent to the forged address contained in the spam message. They use to be good, and still are IF you are able to filter out the spam messages prior to sending out the bounces. Bouncing spam to any address other than the IP address you received it from is a very bad practice and causes you to be labled a spammer espically by those who happen to unfortunate enought to receive thousands of bounce messages in a single day because some idiot spammer happen to use their address as a forged reply address in the crap they are flooding the internet with. And some poor server admin who happens to be using a catch all address, it is not impossible to receive 100,000+ bounces in a single day. What a time waster that is to have to sort though all that junk to find the few good messages that happened to be sent to misspelled addresses in one of their domains.

Many admins have been forced to turn off their catch all because of spam and its bounces.

Anyway, without the headers of messages considered to be spam (some times the content will provide a hint to what the source may be) it is impossible to tell where the spam is coming from.

Checking the SpamCop records:

209.12.205.10 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 19 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 51.3 days, it has been listed 11 times for a total of 11.1 days

Would tend to support bounces as being the main problem.

[Farelf]

...Would tend to support bounces as being the main problem.

Nothing recent in Google Abuse Groups which is a further indication this might be the case - http://groups.google.com/groups?scoring=d&...0+group:*abuse*

[Merlyn]

Nothing recent in Google Abuse Groups which is a further indication this might be the case - http://groups.google.com/groups?scoring=d&...0+group:*abuse*

I saw that also but that was from Aug 9 2004, I would go with a trojanned machine inside the network ??????????

[Wazoo]

sesblacklisted .. I was going to send an e-mail on your behalf ... but I can't really get to a comfort zone. Yes, it would appear you're trying to solve a problem, but .... and this may feed into your alleged lack of responses from the small collection of paid staff ....

Bottom line .. you registered here with a Yahoo address ... and as such, there is nothing available here that would tie you to having any affiliation with the Domain / host being discussed ....

Parsing input: 209.12.205.10

host 209.12.205.10 = mail.cpa-ws.com. (cached)

host 209.12.205.10 = mail.cpa-ws.com. (cached)

Routing details for 209.12.205.10

[refresh/show] Cached whois for 209.12.205.10 : netabuse[at]xspedius.com

Using abuse net on netabuse[at]xspedius.com

abuse net xspedius.com = netabuse[at]xspedius.com

Using best contacts netabuse[at]xspedius.com

doesn't appear to be you ...

whois -h whois.networksolutions.com cpa-ws.com ...

Registrant:

Wiener Strickler LLP

201 E. Main, Suite 500

El Paso, TX 79901

US

Domain Name: CPA-WS.COM

Administrative Contact:

Wiener Strickler LLP websales[at]cpa-ws.com

201 E. Main, Suite 500

El Paso, TX 79901

US

915-532-2901

Technical Contact:

Network Solutions, LLC. customerservice[at]networksolutions.com

13200 Woodland Park Drive

Herndon, VA 20171-3025

US

1-888-642-9675 fax: 571-434-4620

Record expires on 19-Feb-2011.

Record created on 19-Feb-2002.

Database last updated on 7-Jul-2006 01:13:30 EDT.

Domain servers in listed order:

NS1.BLUEHOST.COM 209.63.57.200

NS2.BLUEHOST.COM 209.63.57.201

That list of contacts sure leaves a lot to be desired .....

websales seems like an odd contact address when looking at;

<title>Accounting.Tax.Consulting.Technology - Wiener Strickler LLP, your complete business solution - Offline</title>

This looks even worse;

Re-launch of our website is coming! Please check back again soon.

I can't connect the dots, therefore am also having a problem in working up the warm, fuzzy feeling I'd like to have before sticking my nose into your affairs .....

[sesblacklisted]

First, what data source are you using to state that "SpamCop says I am still sending spam?

A reply email message

A bounce message

A web site that states a specific IP address is being blocked.

We need more data from you to better help you.

We need to see the full headers of any message you receive as well as the full headers of any attached original message.

One prime source (which you might not consider spam) but which has now fallen into the spam catagory are bounces that your users may be sending out such as vacation notices which happen to be automatic replys

I have looked into the autoresponse aspect of this problem, there are a couple of people using this feature, but only for short lengths of time until they get back from out of town. It would seem that this spam problem has been going on for well over a month and half and I really don't think they used it that often.

I saw that also but that was from Aug 9 2004, I would go with a trojanned machine inside the network ??????????

I've scanned and cleaned every computer on our network, twice. I don't think this is the issue as we have antivirus and spyware programs running on every machine.

sesblacklisted .. I was going to send an e-mail on your behalf ... but I can't really get to a comfort zone. Yes, it would appear you're trying to solve a problem, but .... and this may feed into your alleged lack of responses from the small collection of paid staff ....

Bottom line .. you registered here with a Yahoo address ... and as such, there is nothing available here that would tie you to having any affiliation with the Domain / host being discussed ....

There are no dots to connnect, there isn't this "great" conspiracy. I used my yahoo address because...well...its an address I can use so if people were to pick up my address from these forums for spam then it's not big deal. If you want my address for this server, just ask. The contact info for when looking at Whois is basically for the same issue, no need to put my everyday email address that is readily accessible to spammers. As far as the website goes, it is what it is, we are re-launching our website, it will be done shortly. Our previous one was taken down last week and I put up this temporary page while I test the server configurations. Nothing odd about this. I person would have to be crazy to have this much dialogue on this forum just to be pulling some kind of a trick, I'd just assume to go on about my day doing the things that are already piling up on my desk then have to deal with spam issues on our server.

Moderator Edit: the quoting of the preceding posts "in full" is not needed, so some major deletion was performed on sections of stuff quoted in this post.

[Jank1887]

and spyware programs running on every machine.

Aha! There's the problem! (sorry, couldn't resist)

[sesblacklisted]

Aha! There's the problem! (sorry, couldn't resist)

geez.

[Wazoo]

There are no dots to connnect, there isn't this "great" conspiracy.

I was just offering the possibility that the (3) Deputies, whilst trying to run through their 800-1800 e-mails a day, may have run into some of this same data and made the same call ... no way to connect the dots to you being "directly connected" to the system/IP involved.

If I was to send an e-mail, I would provide all peretinent data develped thus far, I would have stated that you had tried to make direct contact but received nothing (of value), and then provide all the specific technical details so as to minimize their search time for answers. I offered all that previous data to show that I couldn't connect the dots with data here, so I sure couldn't put together one of those comprehensive (or convincing) e-mails to them either. My suggestion was meant to state that if you were contacting them the same way, they would have ran into exactly the same questions .... and with another thousand e-mails waiting .....

All that said without knowing how you contacted them in your previous attempts .. perhaps you did contact them from a role-account and I'm just wasting more of your time here .... but I can only work with the data I have.

[sesblacklisted]

I was just offering the possibility that the (3) Deputies, whilst trying to run through their 800-1800 e-mails a day, may have run into some of this same data and made the same call ... no way to connect the dots to you being "directly connected" to the system/IP involved.

I thank you for any help that is needed. All I am trying to do is fix this problem and stop us from sending out spam to others. At this point I am not sure what direction to go as I have followed almost every suggestion given.

[turetzsr]

<snip>

All I am trying to do is fix this problem and stop us from sending out spam to others.

<snip>

...Understood. Wazoo is just saying that the next step is to get the attention of the SpamCop Deputies, who are very busy folk with a huge e-mail backlog. To maximize your chance of getting their attention, you need to ensure that you send them all the information they need and that you are clearly someone who is authorized to represent the server in question. In fact, Wazoo was willing to add his "weight" to your inquiry to the SpamCop Deputies by drafting his own e-mail to them but found that what information he had about you was not consistent with the second of these criteria; if your communication to them was from the Yahoo e-mail address Wazoo sees for you, then it may be that the Deputies have "back-burnered" your request.