NAT Listed - 207.8.188.174 (How does Pop3 effect this)

[Hobbs13]

Our NAT address has been blacklisted. For the last 3 days we have manage to get ourselves de-listed only to reappear on spam cop after a few hours. We have been working very hard here to search for viruses/Trojans but so far we have not been able to pinpoint an offending machine...

We would LOVE to configure our NAT to prohibit connections to the Internet on port 25 except from real mail servers...BUT we can't as we have multiple sites using POP3 to connect to their mailboxes. If we block Port 25 we would lose connectivity for those users correct?

Our Network admin claims that no suspicious traffic is being sent when monitoring port 25 on the firewall. She says traffic is from the exchange servers. (Windows 2000/Exchange 2000 Front End/Backend)

I have already had a consultant from Microsoft verify our Exchange settings are correct. We are confident this is not an exchange server issue. We were hoping that firewall port 25 monitoring would show find local machines using this port and pinpoint them for virus/spyware cleaning. This has not been the case...

Here is what scares me.

A user outside our domain connecting to our exchange server using Pop3 mail…

Are we safe because this user connects to the internet via a 3rd party ISP first or does mail from a home user reflect our NAT Address even though the machine is not physically located on our network?

Furthermore, if the mail still looks like it is coming through our NAT (since pop3 setup authenticates the user) could our problem be ANY Pop3 account?? This would expand our search from domain connected machines to ANY machine with pop3!!!

It is a scary thought to think that any home user’s machine could have a virus installed that could be effecting us like this.

This is all very confusing and although I have tried reading the forums pressure from my superiors is getting intense. I need some information so please try and play nice and point me to possible solutions and tools I can use to speed the discover process.

Thanks All...

[Telarin]

Your POP3 claim is a bit confusing. POP3 generally uses Port 110, not Port 25 as SMTP does. POP3 is also only used for transferring mail from a mail server to a mail client, never the other way around.

So I guess the obvious follow up question is this:

What SMTP server are your remote users sending through? If they are using SMTP to connect to your mail server and send mail, then yes, those messages are going to reflect on your IP address. On the other hand if they have their ISPs mail server setup for outbound mail, then messages they send will reflect on those servers.

Currently that address is not showing as listed, so there is no way for me to know if it was listed for spamtrap hits only, or if there are reports available for it. I'm certain a paying member will be by shortly and be able to post any actual user reports against that address.

An IP Trace on 207.8.188.174 shows that any reports are being routed to abuse[at]uslec.com. Are you receiving copies of these reports? If not, have you contacted the person responsible for this address to find out why you are not receiving copies of these reports?

Senderbase shows current traffic around 1000 outgoing messages per day, does this sound about right?

Do any of your users INSIDE your network use port 25 to connect to offsite SMTP servers? If not, then you should configure your firewall to block all outgoing traffic on port 25 except that which originates from one of your mailservers, as workstations should never be trying to send mail directly to a destination server, it should always be relayed through a mail server of some type.

[agsteele]

207.8.188.174 is not currently listed in the SCBL.

You are, though, listed in cbl.abuseat.org

I can only identify one user report for today:

Submitted: Thu, 25 Jan 2007 08:11:37 GMT:

Software At Low Pr1ce

Certainly looks like spam. I know your Network Admins say the system is secure but there are many things it could be that you haven't mentioned. For example, a common exploit for Exchange servers is the SMTP AUTH exploit (See http://www.spamcop.net/fom-serve/cache/372.html ).

So there could be other avenues to investigate.

Andrew

[Hobbs13]

A common exploit for Exchange servers is the SMTP AUTH exploit (See http://www.spamcop.net/fom-serve/cache/372.html ).

Thanks for the input guys.

As of 12:40PM today we are not on a blacklist. I used http://www.mxtoolbox.com to search for our IP and it has been coming back clean. (I also checked the CBL site) However, this happened at times during the last two business days and we always seem to end up back a list at some point. (CBL, Spamhaus or SpamCop).

At the moment, I am running McAfee's Stringer + Pandasoftware's free online scanner on the local Exchange servers even though we have Symantec Mail Security and Symantec Antivirus running. Shot in the dark but maybe Symantec is unable to detect the virus/mailer locally.

I am also looking into the SMTP exploits.

Our Administrator password is fairly complex but we will look to change this as well.

It is frustrating to me that our network admin is anable to provide me with additional leads. I appreciate any other support or leads you can provide.

[Telarin]

Another recent thread was posted by someone experiencing similar problems. They said they used a program called "Ethereal" to monitor traffic and were able to find the problem computer. I am not familiar with the program itself, but it seems to have done the trick for them in locating the culprit. Might be worth googling or sending a PM to that OP for some more info.

[Hobbs13]

Another recent thread was posted by someone experiencing similar problems. They said they used a program called "Ethereal" to monitor traffic and were able to find the problem computer.

I am downloading the program now and will check back in a while.

Any other input appreciated.

http://www.ethereal.com