sesblacklisted

I am at my wits end....keep getting listed


> I thank you for any help that is needed. All I am trying to do is fix this problem and stop us from sending out spam to others. At this point I am not sure what direction to go as I have followed almost every suggestion given.
Try this test, it may prove informative or it may be a waste of time.

Address an email to a non-existent name at each of your domains. Be sure to use a from/reply-to address that will send the mail to a server other than the one you are actually sending the message from. Send it and find out what happens.

Is it received by your server?

Is it bounced by your server?

If it is bounced, does the bounce go to the IP address it was sent to or to the from/reply-to address contained in the message?

If the bounce is going to the reply-to address then you have found your problem.

Be sure to test each and every domain you control, just in case they are not set up exactly the same.


I tried using Mozilla's Thunderbird to set the email address, but every time I try to send an email it gives me a 5.7.1 server response: unable to relay for xxxx[at]cpa-ws.com. So really we must be doing something right if people cannot relay from another address.


That adds to the favorable side of things for outbound mail, but does not address the possible server bounce issue. Try sending from a Yahoo or Hotmail account, or even have a friend do it for you, as long as the original message does not go out through your server. You need to know exactly how your server handles mail addressed to your domain but not addressed to a real user.

It is true that some of this has already been done per notes earlier in this thread, but with the changes made to the server, and not knowing if any other domains are involved it may still be worth the effort.


Looks like you removed yourself from the CBL at 2006-07-14 21:49 GMT

If you keep doing this without fixing your problem you will get added without the option to remove it.

HTH


> We only have a single domain and it seems that our bounces are done the correct way. Once again I am at my wits end.

One of the problems with public forums is "trust".

One of the problems of providing help is the need for information.

You say you are at your wits' end, but you do not trust us with the information to be able to help you.

That is your call, but it limits our ability to help.

You say "it seems that our bounces are done the correct way." Maybe yes, maybe no. We need to see the bounce before we can say it is not the problem.

At this point it is all guess work.

When you really get to your wits end, then post a complete copy of the bounced message.

Also remember you get what you pay for. Here at the SpamCop Forums you get a whole lot more than you pay for. Keep that in mind when you are asking for help.

> Also remember you get what you pay for. Here at the SpamCop Forums you get a whole lot more than you pay for. Keep that in mind when you are asking for help.

That's a nice way of saying that if you need more help than has been given you here (considering the lack of data), then maybe you had better hire someone who knows what s/he is doing to fix your problem.

Miss Betsy


> That's a nice way of saying that if you need more help than has been given you here (considering the lack of data), then maybe you had better hire someone who knows what s/he is doing to fix your problem.
>
> Miss Betsy

No one could have said it better! :rolleyes:


> Looks like you removed yourself from the CBL at 2006-07-14 21:49 GMT
>
> If you keep doing this without fixing your problem you will get added without the option to remove it.
>
> HTH

It's a catch 22: I am putting a considerable amount of time into trying to fix this (just look at the length of these posts) and yet I have to be able to conduct my business. Thanks for the zinger, however; this makes it even more painful. All I am trying to do is get some answers and figure out what the problem is. Coming to these forums I thought I would get that, as in most of the forums I participate in we exchange knowledge and lend a hand as much as possible.

As far as trust, sure I can post the bounced message. I sent this from my Roadrunner account to a fictitious address on our server, and this is the message I got back.

The original message was received at Mon, 17 Jul 2006 09:27:24 -0500 (CDT)

from [10.93.38.36]

----- The following addresses had permanent fatal errors -----

<spammers[at]cpa-ws.com>

(reason: 550 5.1.1 User unknown)

----- Transcript of session follows -----

... while talking to mail.cpa-ws.com.:

>>> DATA

<<< 550 5.1.1 User unknown

550 5.1.1 <spammers[at]cpa-ws.com>... User unknown

<<< 503 5.5.2 Need Rcpt command.

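The transcript above shows the 550 being issued while the sending relay was still talking to mail.cpa-ws.com, an in-session rejection rather than an accept-then-bounce, which is the distinction the earlier test in this thread is meant to surface. As an added example (not from any poster in this thread), a short Python check that classifies a bounce report along those lines; the first sample is the posted transcript with "@" restored, the second sample is constructed, and the domain list is assumed from the thread.

```python
"""Tell an in-session SMTP rejection apart from an accept-then-bounce.
Added example for this thread, not any poster's code. The first sample is the
transcript posted above (with "@" restored); the second is constructed."""
import re

# sendmail-style transcript: the host the sending relay was talking to, and
# the replies (<<<) that host gave during the session.
SESSION_MARKER = re.compile(r"while talking to (?P<host>[A-Za-z0-9.-]+):")
REPLY_LINE = re.compile(r"^<<< (\d{3}) ", re.M)
# Exchange-style NDR: "<host #5.1.1>" names the host that produced the status.
ATTRIBUTED_STATUS = re.compile(r"<(?P<host>[A-Za-z0-9.-]+) #(?P<status>\d\.\d\.\d)>")
ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")

# Domains of the server under test, taken from the thread.
TARGET_DOMAINS = ("cpa-ws.com", "cpa-ws.internal")


def _belongs_to(host, domains):
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_bounce(dsn_text, target_domains=TARGET_DOMAINS):
    """Return (verdict, host, status).

    rejected_in_session    the target MX answered 5xx inside the SMTP dialogue,
                           so the bounce was composed by the sender's own relay
                           and the target emits nothing for a forged sender.
    accepted_then_bounced  a host in the target domain reports the failure
                           itself, i.e. it accepted the message first; with a
                           forged sender that report is backscatter.
    unknown                neither pattern found.
    """
    session = SESSION_MARKER.search(dsn_text)
    if session and _belongs_to(session.group("host"), target_domains):
        fatal = [c for c in REPLY_LINE.findall(dsn_text) if c.startswith("5")]
        if fatal:
            return ("rejected_in_session", session.group("host").rstrip("."), fatal[0])
    for m in ATTRIBUTED_STATUS.finditer(dsn_text):
        if _belongs_to(m.group("host"), target_domains):
            return ("accepted_then_bounced", m.group("host"), m.group("status"))
    return ("unknown", None, None)


def bounce_generated_by_target(from_header, target_domains=TARGET_DOMAINS):
    """True if the MAILER-DAEMON that wrote the report lives in the target
    domain (another sign of accept-then-bounce); False for a foreign relay,
    as with the texas.rr.com bounce posted later in the thread."""
    m = ADDR_DOMAIN.search(from_header)
    return bool(m) and _belongs_to(m.group(1), target_domains)


IN_SESSION_REJECT = """\
The original message was received at Mon, 17 Jul 2006 09:27:24 -0500 (CDT)
from [10.93.38.36]

   ----- The following addresses had permanent fatal errors -----
<spammers@cpa-ws.com>
    (reason: 550 5.1.1 User unknown)

   ----- Transcript of session follows -----
... while talking to mail.cpa-ws.com.:
>>> DATA
<<< 550 5.1.1 User unknown
550 5.1.1 <spammers@cpa-ws.com>... User unknown
<<< 503 5.5.2 Need Rcpt command.
"""

# Constructed contrast case (not from the thread): the destination accepted
# the message and only afterwards produced a non-delivery report of its own.
ACCEPTED_THEN_BOUNCED = """\
Your message did not reach some or all of the intended recipients.

      Subject: test
      Sent: Mon, 17 Jul 2006 09:27:24 -0500

The following recipient(s) could not be reached:
      spammers@cpa-ws.com on Mon, 17 Jul 2006 09:27:30 -0500
            The e-mail account does not exist at the organization this
            message was sent to.
            <mail.cpa-ws.com #5.1.1>
"""

if __name__ == "__main__":
    print(classify_bounce(IN_SESSION_REJECT))        # rejected_in_session
    print(classify_bounce(ACCEPTED_THEN_BOUNCED))    # accepted_then_bounced
    print(bounce_generated_by_target(
        "Mail Delivery Subsystem <MAILER-DAEMON@ms-smtp-01.texas.rr.com>"))  # False
```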


> It's a catch 22: I am putting a considerable amount of time into trying to fix this (just look at the length of these posts) and yet I have to be able to conduct my business. Thanks for the zinger, however; this makes it even more painful.

It was not meant to be a zinger. Just letting you know you may have made things harder on yourself by removing yourself from lists before understanding what caused the problem in the first place.

As someone else here has stated, if you do not feel confident giving us the information we need to help you, perhaps it is time to hire someone you do trust.


OK, let's go over what has been done so far, as this topic is getting long and I see things being suggested that have already been tried.

I contacted Ellen and posted headers here. At the time, what was coming out was definitely actual spam. The email had Exchange headers in it, but they didn't appear to be the correct version. This could be confirmed by sending an email through the Exchange server to another email address and comparing the X header lines.

Since Exchange is responsible for adding those headers, if the version listed in the headers is not correct, then the email is probably not really moving through the Exchange server.

Have you had any success checking your firewall logs, or adjusting your firewall settings to block port 25 traffic to machines other than the server? Does your ISP provide you with just a single IP address, or do you have more that you can use?

You might also want to contact Ellen again (deputies[at]admin.spamcop.net) to get a fresh set of headers. It is possible that the original problem was fixed and we are dealing with a new problem.

What else has been done?


> It was not meant to be a zinger. Just letting you know you may have made things harder on yourself by removing yourself from lists before understanding what caused the problem in the first place.
>
> As someone else here has stated, if you do not feel confident giving us the information we need to help you, perhaps it is time to hire someone you do trust.

It's not really a trust issue, I am providing you what you are asking. Maybe I need to just post things that aren't asked?

> OK, let's go over what has been done so far, as this topic is getting long and I see things being suggested that have already been tried.
>
> I contacted Ellen and posted headers here. At the time, what was coming out was definitely actual spam. The email had Exchange headers in it, but they didn't appear to be the correct version. This could be confirmed by sending an email through the Exchange server to another email address and comparing the X header lines.
>
> Since Exchange is responsible for adding those headers, if the version listed in the headers is not correct, then the email is probably not really moving through the Exchange server.
>
> Have you had any success checking your firewall logs, or adjusting your firewall settings to block port 25 traffic to machines other than the server? Does your ISP provide you with just a single IP address, or do you have more that you can use?
>
> You might also want to contact Ellen again (deputies[at]admin.spamcop.net) to get a fresh set of headers. It is possible that the original problem was fixed and we are dealing with a new problem.
>
> What else has been done?

Thank you for your response Telarin.

Here is a recent email I have sent from my account on cpa-ws.com to a completely different server.

Content-Class: urn:content-classes:message

Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C6A9AE.9B3A05B4"

Date: Mon, 17 Jul 2006 08:38:01 -0600 [08:38:01 AM MDT]

Delivery-date: Mon, 17 Jul 2006 08:33:07 -0600

Envelope-to: xxxxx[at]browseelpaso.com

From: XXXXX<xxxxx[at]cpa-ws.com>

MIME-Version: 1.0

Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC690070[at]server1.cpa-ws.internal>

Received:

* from browseel by box30.bluehost.com with local-bsmtp (Exim 4.52) id 1G2U9U-00081f-Dk for xxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:33:06 -0600

* from mail.cpa-ws.com ([209.12.205.10] helo=server1.cpa-ws.internal) by box30.bluehost.com with esmtp (Exim 4.52) id 1G2U9R-00080X-Rq for xxxxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:32:50 -0600

* from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 08:38:03 -0600

Return-path: <xxxxx[at]cpa-ws.com>

Subject: test

Thread-Topic: test

To: xxxxxx[at]browseelpaso.com

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

X-OriginalArrivalTime: 17 Jul 2006 14:38:03.0640 (UTC) FILETIME=[9C2F7F80:01C6A9AE]

X-spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on box30.bluehost.com

X-spam-Level:

X-spam-Status: No, score=0.3 required=5.0 tests=AWL,HTML_MESSAGE autolearn=ham version=3.1.3

thread-index: AcaprpswXnvaEZgTSTa0XHWdrVFnOg==



Your server appears to be kicking back a 550 error for unknown users, which is exactly what it should do, so I don't think that is the problem.

As I said, when I checked with Ellen before she told me that it all looked like real spam, and all had headers similar to what I posted here. Try this:

Using every method that your users would use to submit mail (both local and remote, just in case the headers are different), send yourself a message at an outside email address and post the headers here (feel free to munge the addresses, as we are mostly interested in the X-headers at this point). That way we can compare it with the headers on the spam to see if it is really coming from the exchange server, or from a Zombied PC somewhere on the network.

What kind of AV software are you running on your network PCs? Are they all up to date? Do you have any users that might be using personal laptops on the network, or to access their emails? Do you have a way of checking those for viruses and trojans?

Many companies won't allow users to use their personal computers to access the company network at all other than through internet-facing websites like Outlook Web Access; you might want to consider something like this (at least for the time being) until we get this sorted out.

Have you loaded Exchange Service Pack 2 on your server? This fixed several possible security issues and exploits. It also updated IMF (Intelligent Message Filtering) to version 2 and may help with incoming spam as well.

Do you enforce a strong password policy on your users, and do you require them to change their passwords periodically? You might want to consider expiring all passwords on the network and requiring your users to change them immediately just in case a hacker has "guessed" one of the passwords and is using it to access the network through legitimate means.

That's all I can think of right now, but I will post any other ideas I have on the matter as I come up with them.

Edit: OK, you replied with more data while I was in the process of composing this book, so let's look at it.

The headers you posted contain:

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

While the headers I posted before contain:

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Chances are you have loaded some patches since then, so that could account for the slight difference in versions. If that is the case, then I would suspect that the mail is definitely moving through the Exchange server. While a zombie can certainly forge the X-lines, it would be extremely unlikely that it would happen to have the correct Exchange version if it was forged, considering the number of different revisions of Exchange in production environments.

Check in the system manager under: Servers->Servername->Protocols->Default SMTP Server (properties)

Access tab->Relay

Under the Select which computer may relay through this virtual server:

You should have "Only the list below"

Computers:

127.0.0.1

You might also have your private IP block listed, for instance: 192.168.1.0 (255.255.255.0) if you were using 192.168.1.x locally.

There should not be any public IP addresses listed here.

Click the "Users" button on this same page:

Authenticated Users should have Submit Permission, and nothing else.

No other users should be listed.

Have you tried using the Message Tracking Center to pull up the message that Ellen gave us the headers for? We might be able to tell something from that. You might also want to search your exchange logs (c:\program files\exchsrvr\logging\servername.log by default) for the partial message ID listed in those headers. I don't know how long you have it set to retain logs, so you might have to contact Ellen for fresh headers.

This will generally give you an idea where the messages are being submitted from. You might also want to contact your ISP and find out why the abuse reports are not being forwarded to you, as the headers from those reports would be very helpful, and you could also possibly figure out when these emails are actually going out.



> It's not really a trust issue, I am providing you what you are asking. Maybe I need to just post things that aren't asked?

We need the complete bounce message, including the headers.

Parsing some information from that message shows your mail server is not currently accepting any commands I could find so I could not confirm that your bounces do not go to forged headers:

C:\>nslookup

Default Server: kopdc01.kopin.com

Address: 10.1.75.11

> mail.cpa-ws.com

Server: kopdc01.kopin.com

Address: 10.1.75.11

Non-authoritative answer:

Name: mail.cpa-ws.com

Address: 209.12.205.10

C:\> telnet 209.12.205.10 25

220 ****************************************************************************

*******************************************

helo underwood.spamcop.net

500 5.3.3 Unrecognized command

help

500 5.3.3 Unrecognized command

?

500 5.3.3 Unrecognized command

list

500 5.3.3 Unrecognized command


> Using every method that your users would use to submit mail (both local and remote, just in case the headers are different), send yourself a message at an outside email address and post the headers here (feel free to munge the addresses, as we are mostly interested in the X-headers at this point). That way we can compare it with the headers on the spam to see if it is really coming from the exchange server, or from a Zombied PC somewhere on the network.

I sent myself a message by logging into the Web Access:

Microsoft Mail Internet Headers Version 2.0

Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC;

Mon, 17 Jul 2006 08:58:08 -0600

x-pp-smtpvs:1

x-pp-sclvalue:-1

X-MimeOLE: Produced By Microsoft Exchange V6.5

Content-class: urn:content-classes:message

MIME-Version: 1.0

Content-Type: application/ms-tnef;

name="winmail.dat"

Content-Transfer-Encoding: binary

Subject: test

Date: Mon, 17 Jul 2006 08:58:07 -0600

Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>

X-MS-Has-Attach:

X-MS-TNEF-Correlator: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>

Thread-Topic: test

Thread-Index: AcapsWnkaDDYSrsYQIWYfWOmcUARfg==

From: "xxxx" <xxxx[at]cpa-ws.com>

To: "xxxxx" <xxxxx[at]cpa-ws.com>

X-OriginalArrivalTime: 17 Jul 2006 14:58:08.0859 (UTC) FILETIME=[6A8D52B0:01C6A9B1]

Here is a message I sent a completely independent email address of mine from a machine on the network:

Return-path <xxxx[at]cpa-ws.com>

Received from ms-mta-03 (ms-mta-03-eri0.texas.rr.com [10.93.46.17]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00M66YWFZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:57:51 -0500 (CDT)

Received from hrndva-mx-07.mgw.rr.com (hrndva-mx-07.mgw.rr.com [24.28.204.26]) by ms-mta-03.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J006ONYWBCS[at]ms-mta-03.texas.rr.com> for xxxxx[at]elp.rr.com (ORCPT xxxx[at]elp.rr.com); Mon, 17 Jul 2006 09:57:51 -0500 (CDT)

Received from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400

Received from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600

Date Mon, 17 Jul 2006 09:02:44 -0600

From xxxx <xxxx[at]cpa-ws.com>

Subject test

To xxxxx[at]elp.rr.com

Message-id <2D588D03F7C48D42B13C19F0B6F8B5AC690073[at]server1.cpa-ws.internal>

MIME-version 1.0

X-MIMEOLE Produced By Microsoft MimeOLE V6.00.3790.1830

Content-type multipart/alternative; boundary="----_=_NextPart_001_01C6A9B2.0F0FA356"

Content-class urn:content-classes:message

Thread-topic test

Thread-index Acapsg8KhqdsVKA/Qj6JS3BtbJJSnA==

X-MS-Has-Attach

X-MS-TNEF-Correlator

Original-recipient rfc822;xxxxxx[at]elp.rr.com

X-OriginalArrivalTime 17 Jul 2006 15:02:46.0593 (UTC) FILETIME=[10182B10:01C6A9B2]

> What kind of AV software are you running on your network PCs? Are they all up to date? Do you have any users that might be using personal laptops on the network, or to access their emails? Do you have a way of checking those for viruses and trojans?

Some machines are running AVG, others are using Trend Micro. All are set for daily scans and updates; this I have made sure of, twice! We have several users that have laptops on the network and can access their emails when out of the office using Outlook Web Access. I checked for viruses and trojans just last week; all were clean.

> Have you loaded Exchange Service Pack 2 on your server? This fixed several possible security issues and exploits. It also updated IMF (Intelligent Message Filtering) to version 2 and may help with incoming spam as well.

We had installed SP2, but had a conflict with some of our software at the time. I will look into the problems we've had and research this a little.

> Do you enforce a strong password policy on your users, and do you require them to change their passwords periodically? You might want to consider expiring all passwords on the network and requiring your users to change them immediately just in case a hacker has "guessed" one of the passwords and is using it to access the network through legitimate means.

Yes we enforce strong passwords and change them regularly. I just changed them last week in fact.


Same old med stuff...

Submitted: Friday, June 16, 2006 5:51:14 PM -0400:

Discount meds shipping world wide

Submitted: Thursday, June 15, 2006 2:39:47 PM -0400:

Our store is your cureall!

---------------------------------------------------------------

IP Address 209.12.205.10 was not found in the CBL.

It was previously listed, but was removed at 2006-07-17 13:54 GMT

-------------------------------------------------------------------------------

Looks like you just keep removing yourself from the CBL without fixing your trojanned machine but don't worry it will be back on soon.


> Looks like you just keep removing yourself from the CBL without fixing your trojanned machine but don't worry it will be back on soon.

Seriously, I can do without the cracks, if it's not obvious to you that I am not trying to fix this then feel free to pile it on. I am not the enemy, the spammers are.

> Same old med stuff...
>
> Submitted: Friday, June 16, 2006 5:51:14 PM -0400:
>
> Discount meds shipping world wide
>
> Submitted: Thursday, June 15, 2006 2:39:47 PM -0400:
>
> Our store is your cureall!

June??? That is well over a month ago.

> We need the complete bounce message, including the headers.

Here you go:

Return-path <>

Received from ms-mta-04 (ms-mta-04-eri0.texas.rr.com [10.93.46.18]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00MT6XHTZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:27:36 -0500 (CDT)

Received from ms-smtp-01.texas.rr.com (ms-smtp-01.texas.rr.com [24.93.47.40]) by ms-mta-04.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J003K1XHXCL[at]ms-mta-04.texas.rr.com> for xxxx[at]elp.rr.com (ORCPT xxx[at]elp.rr.com); Mon, 17 Jul 2006 09:27:33 -0500 (CDT)

Received from localhost (localhost) by ms-smtp-01.texas.rr.com (8.13.6/8.13.6) id k6HERSNY007228; Mon, 17 Jul 2006 09:27:28 -0500 (CDT)

Date Mon, 17 Jul 2006 09:27:28 -0500 (CDT)

From Mail Delivery Subsystem <MAILER-DAEMON[at]ms-smtp-01.texas.rr.com>

Subject Returned mail: see transcript for details

To xxx[at]elp.rr.com

Message-id <200607171427.k6HERSNY007228[at]ms-smtp-01.texas.rr.com>

Auto-submitted auto-generated (failure)

MIME-version 1.0

Content-type multipart/report; report-type=delivery-status; boundary="k6HERSNY007228.1153146448/ms-smtp-01.texas.rr.com"

Original-recipient rfc822;xxx[at]elp.rr.com

Attachments

message/delivery-status 1K

The original message was received at Mon, 17 Jul 2


> Edit: OK, you replied with more data while I was in the process of composing this book, so let's look at it.
>
> The headers you posted contain:
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
>
> While the headers I posted before contain:
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> Chances are you have loaded some patches since then, so that could account for the slight difference in versions. If that is the case, then I would suspect that the mail is definitely moving through the Exchange server. While a zombie can certainly forge the X-lines, it would be extremely unlikely that it would happen to have the correct Exchange version if it was forged, considering the number of different revisions of Exchange in production environments.

I don't think we've loaded patches since then.

> Check in the system manager under: Servers->Servername->Protocols->Default SMTP Server (properties)
>
> Access tab->Relay
>
> Under the Select which computer may relay through this virtual server:
>
> You should have "Only the list below"
>
> Computers:
>
> 127.0.0.1
>
> You might also have your private IP block listed, for instance: 192.168.1.0 (255.255.255.0) if you were using 192.168.1.x locally.
>
> There should not be any public IP addresses listed here.
>
> Click the "Users" button on this same page:
>
> Authenticated Users should have Submit Permission, and nothing else.
>
> No other users should be listed.

Yes, that has been done many months ago, I just checked again to make sure and they are the correct settings as you have listed.

> Have you tried using the Message Tracking Center to pull up the message that Ellen gave us the headers for? We might be able to tell something from that. You might also want to search your exchange logs (c:\program files\exchsrvr\logging\servername.log by default) for the partial message ID listed in those headers. I don't know how long you have it set to retain logs, so you might have to contact Ellen for fresh headers.

We have logs going back several months, but it's hard to figure out the partial headers.


First of all, thanks for trying to fix the situation, I realize that it is a real pain.

Trying to review a few points to see if we can narrow down the actual source of the problem.

1) spam has been reported as coming from 209.12.205.10

2) The following is a portion of the header you posted previously, which indicates to me something that you should try to fix to be better able to track back messages to their actual source:

Received from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400

Received from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600

Date Mon, 17 Jul 2006 09:02:44 -0600

From xxxx <xxxx[at]cpa-ws.com>

Subject test

It will have no effect on being listed or not, but will make it easier for you to find out where it is coming from.

hrndva-mx-07.mgw.rr.com received the message from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10])

But where did your server get the message from? Received from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600 does not really tell you much.

Next, a set of questions which may seem obvious but could lead to wrong answers based on specific assumptions.

The exchange server using IP address 209.12.205.10 is running on what computer? Specifically, are any other services running on that computer and using the same IP address?

Does the computer running Exchange have more than one external routable IP address that could allow access to the computer by a hacker without going through Exchange first?

Or put another way, are there any backdoors to the computer that is running exchange?


> First of all, thanks for trying to fix the situation, I realize that it is a real pain.

And thank you for your understanding.

> 2) The following is a portion of the header you posted previously, which indicates to me something that you should try to fix to be better able to track back messages to their actual source.
>
> It will have no effect on being listed or not, but will make it easier for you to find out where it is coming from.
>
> hrndva-mx-07.mgw.rr.com received the message from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10])
>
> But where did your server get the message from? Received from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600 does not really tell you much.

Yes, I agree that it doesn't tell you much, which is why I really didn't post my messages to begin with. What steps do I need to take to get more information?

> The exchange server using IP address 209.12.205.10 is running on what computer? Specifically, are any other services running on that computer and using the same IP address?
>
> Does the computer running Exchange have more than one external routable IP address that could allow access to the computer by a hacker without going through Exchange first?
>
> Or put another way, are there any backdoors to the computer that is running exchange?

It is being run on Server1, the name of the computer. We only have 1 external routable IP address. I really don't think there is a backdoor to the computer running Exchange.


As far as I know, there is no way to get Exchange to stamp the "source" computer's IP in the header. You should however be able to find this in your logs...

If we look back at the spam header sample I posted, we can search for a number of the values listed. I would recommend doing a search of your logfiles for the subject "Our store is your cureall!". The exchange logs should be located in c:\program files\exchsrvr\logging\server1.log, they are plain text files. I find the easiest way to search through a batch of them is to CD to that directory in a command prompt and enter the following command:

find /i "Our store is your" *.log > results.txt

This will create a file called results.txt with all the messages containing this subject. Post the trimmed contents of this file here, and I will try to go through it in more detail. If this subject does not show up anywhere in those log files, then either the logs don't go back far enough and we will have to get a fresh header sample from Ellen, or the logs are being modified after the fact.


Here is one of the results from your instructions:

2006-7-11 8:15:30 GMT 87.7.146.32 friend - SERVER1 192.168.1.1 xxxxxx[at]cpa-ws.com 1024 <000001c6a4c1$6a8e6c80$0100007f[at]j6w6h1> From: "Simon" <john[at]e-zone-defense.biz> To: <xxxx[at]cpa-ws.com> Subject: Our store is your cureall! Date: Tue, 11 Jul 2006 10:10:05 +0100 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="------------ms000808020300060500090702" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 This is a multi-part message in MIME format. --------------ms000808020300060500090702 Content-Type: multipart/alternative; boundary="------------ms020802090404080207020508" --------------ms020802090404080207020508 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable --------------ms020802090404080207020508 Content-Type: text/html; charset="koi8-r" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//D

All I find are messages received from spammers to one of the mailboxes on our exchange, I don't see messages being sent that have that subject.
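Building on the `find /i` search and the log line above, an added example (not the thread's own, nor Exchange's tooling) that parses such lines and groups hits for a subject by the submitting client IP and HELO name, so inbound spam to a local mailbox can be told apart from messages injected by another machine on the LAN. The field order is assumed from the one posted line (the real log is tab separated; the post collapsed it to spaces), "[at]" is restored to "@", the 192.168.1.0/24 block, the server addresses and the X-MimeOLE version 6.00.3790.1830 are taken from the thread, and the 192.168.1.57 lines are constructed.

```python
"""Group Exchange message tracking log hits for a spam subject by the client
that submitted them. Added example for this thread, not Exchange tooling or
any poster's code. Field order is assumed from the single line posted above
(the real log is tab separated; the post collapsed it to spaces)."""
import ipaddress
import re
from collections import Counter

# Leading fields in the order they appear in the posted line; the remainder
# after the message-id is kept as free text (in the post it held raw headers).
FIXED_FIELDS = ("date", "time", "tz", "client_ip", "client_host", "partner",
                "server", "server_ip", "recipient", "event_id", "msgid")

HEADER_NAMES = "Date|From|To|Subject|MIME-Version|Content-Type|X-Priority|X-Mailer|X-MimeOLE"
SUBJECT_RE = re.compile(rf"Subject: (?P<subject>.*?)(?= (?:{HEADER_NAMES}): |$)")
MIMEOLE_RE = re.compile(r"X-MimeOLE: Produced By Microsoft MimeOLE V(?P<ver>[\d.]+)")

# Assumed from the thread: the server's addresses (server_ip field and the
# public MX address), the LAN block Telarin used as an example, and the
# X-MimeOLE version stamped on the legitimate test messages posted above.
SERVER_IPS = {"192.168.1.1", "209.12.205.10"}
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
SERVER_MIMEOLE = "6.00.3790.1830"


def parse_tracking_line(line):
    """Split one log line into a dict, or return None for lines that are not
    records (e.g. the '---------- FILE.LOG' separators that `find` prints)."""
    parts = line.strip().split(None, len(FIXED_FIELDS))
    if len(parts) < len(FIXED_FIELDS):
        return None
    rec = dict(zip(FIXED_FIELDS, parts))
    rest = parts[len(FIXED_FIELDS)] if len(parts) > len(FIXED_FIELDS) else ""
    m = SUBJECT_RE.search(rest)
    rec["subject"] = m.group("subject") if m else ""
    m = MIMEOLE_RE.search(rest)
    rec["mimeole"] = m.group("ver") if m else ""
    return rec


def classify_client(client_ip, server_ips=SERVER_IPS, lan_networks=LAN_NETWORKS):
    """'server' for the Exchange host itself (loopback or its own addresses),
    'lan' for another machine in the private block, 'external' otherwise."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "unknown"
    if ip.is_loopback or str(ip) in server_ips:
        return "server"
    if any(ip in net for net in lan_networks):
        return "lan"
    return "external"


def stamped_by_server(rec):
    """True when the X-MimeOLE version matches the one Exchange puts on mail it
    composes itself; a different version points at another submitting client."""
    return rec["mimeole"] == SERVER_MIMEOLE


def submissions_for_subject(lines, subject_fragment, server_ips=SERVER_IPS,
                            lan_networks=LAN_NETWORKS):
    """Count hits per (origin class, client IP, HELO name) for lines whose
    subject contains subject_fragment, case-insensitively like `find /i`.
    A 'lan' client other than the server is the candidate infected machine;
    'external' clients delivering to local mailboxes are ordinary inbound spam."""
    hits = Counter()
    frag = subject_fragment.lower()
    for line in lines:
        rec = parse_tracking_line(line)
        if rec and frag in rec["subject"].lower():
            origin = classify_client(rec["client_ip"], server_ips, lan_networks)
            hits[(origin, rec["client_ip"], rec["client_host"])] += 1
    return hits


def scan_results_file(path, subject_fragment):
    """Run the grouping over a results.txt produced by the find command."""
    with open(path, encoding="latin-1") as fh:
        return submissions_for_subject(fh, subject_fragment)


# The line posted in the thread, trimmed after X-MimeOLE, "[at]" restored to "@".
POSTED = ('2006-7-11 8:15:30 GMT 87.7.146.32 friend - SERVER1 192.168.1.1 '
          'xxxxxx@cpa-ws.com 1024 <000001c6a4c1$6a8e6c80$0100007f@j6w6h1> '
          'From: "Simon" <john@e-zone-defense.biz> To: <xxxx@cpa-ws.com> '
          'Subject: Our store is your cureall! Date: Tue, 11 Jul 2006 10:10:05 +0100 '
          'MIME-Version: 1.0 X-Mailer: Microsoft Outlook Express 6.00.2900.2180 '
          'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180')

# Constructed (not from the thread): the same subject submitted by a LAN
# workstation to outside recipients, the trace a relaying zombie would leave.
CONSTRUCTED = [
    '2006-7-11 8:20:02 GMT 192.168.1.57 friend - SERVER1 192.168.1.1 '
    'someone@example.net 1024 <0001@j6w6h1> To: <someone@example.net> '
    'Subject: Our store is your cureall! Date: Tue, 11 Jul 2006 10:15:00 +0100',
    '2006-7-11 8:20:03 GMT 192.168.1.57 friend - SERVER1 192.168.1.1 '
    'other@example.org 1024 <0002@j6w6h1> Subject: Our store is your cureall! '
    'Date: Tue, 11 Jul 2006 10:15:01 +0100',
]

if __name__ == "__main__":
    for key, n in sorted(submissions_for_subject([POSTED] + CONSTRUCTED, "our store is your").items()):
        print(key, n)
```

On real data, `scan_results_file("results.txt", "Our store is your")` reads the file the find command wrote and reports which clients submitted the matching messages.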


I think at this point we may have a problem because we are working with old data. Email Ellen (deputies[at]admin.spamcop.net) and see if you can get a fresh set of headers from her. The one I posted is well over a month old now, so may not even be in those files anymore.


> I think at this point we may have a problem because we are working with old data. Email Ellen (deputies[at]admin.spamcop.net) and see if you can get a fresh set of headers from her. The one I posted is well over a month old now, so may not even be in those files anymore.

I emailed Ellen a few days ago and got this:

Partial headers from a spamtrap:

Received: from friend (mail.cpa-ws.com [209.12.205.10])

[trap servername] (Postfix) with ESMTP id x

for <x>; Sat, 15 Jul 2006 22:xx:xx +0000 (GMT)

Subject: Products that can improve you life!

Ellen

SpamCop

I looked through the logs and found nothing on "products that can improve".


> I emailed Ellen a few days ago and got this:
>
> Partial headers from a spamtrap:
>
> Received: from friend (mail.cpa-ws.com [209.12.205.10])
>
> [trap servername] (Postfix) with ESMTP id x
>
> for <x>; Sat, 15 Jul 2006 22:xx:xx +0000 (GMT)
>
> Subject: Products that can improve you life!

So what is the result of your log search based on this new data?

Subject: Products that can improve you life! using the posted time stamp as the starting place in the log, checking forwards and backwards from that starting point.

If nothing is found in the logs, then try setting up a firewall between (mail.cpa-ws.com [209.12.205.10]) and the internet and trap anything containing that data stream.

The simple fact is that there is still spam coming from your server going to spamtraps that needs to be stopped and you need to find the source before you can stop it.

