
[Resolved] 83.220.45.58 blocked, no reports, spamtrap only


Den-B


I am the system administrator of 83.220.45.58 (mailserv.mineraltrading.ru).

83.220.45.58 is the external interface IP address of our firewall, our public IP.

This IP was listed about 1 week ago, then unlisted for a few days, and then listed again about 2 days ago.

Spamcop indicates «System has sent mail to SpamCop spam traps in the past week».

Our mail server runs on: Windows 2003 Server SP1 + all patches; Exchange Server 2003 SP2 + all patches.

Also we are using ORF as anti-spam software and Symantec Antivirus Corporate Edition for antivirus defence.

Not open relay. SMTP AUTH is turned off.

Delivery and non-delivery reports, out-of-office auto-replies etc. – disabled.

No local accounts (it's a Windows domain controller).

Internet gateway runs on Windows 2003 Server SP1 + all patches; ISA Server 2004 SP2 + all patches.

No unusual activity or traffic was detected, including on port 25.

I've read most of the FAQs, searched the SpamCop forum and tried to apply all recommendations, but our address is still blocked.

I need to ask for your help and assistance. What am I doing wrong, what is misconfigured?

I need to ask for your help and assistance. What am I doing wrong, what is misconfigured?

This forum is peer-to-peer and we can't see what is hitting the spamtraps. A polite email enquiry (including a pointer to your post) should be sent to deputies[at]spamcop.net. They won't tell you what addresses are being hit but they will tell you what type of thing is hitting them.

Abuse reports would have been sent to:

Reporting addresses:

v.repin[at]garstelecom.ru

s.rykov[at]garstelecom.ru

You may wish to register an abuse address of your own so that you get reports (if any).


One thing I can suggest checking (since I use a similar configuration) is Symantec Antivirus. If you are using the AV filtering for Exchange, the default behavior is to send some type of NDR out to the envelope "FROM" address, which is forged 100% of the time by viruses nowadays. This will cause all of these to go to uninvolved third parties. I would suggest checking the settings on the SAVFMSE to make sure it is set to NOT send a response to the forged sender address.

The same may be true for your spam filtering, as I have seen several anti-spam packages set up to bounce spam rather than reject it during the SMTP transaction in accordance with best practices.
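The difference between the two behaviours described in this reply (accepting a message and bouncing it afterwards versus refusing it with a 5xx while the sending client is still connected) is easiest to see in a simulated SMTP dialogue. The following is an added example written for this page, not code from the post or from any product named in it; it uses no sockets, and the addresses, the message body and the one-line "spam" test are constructed placeholders.

```python
"""Backscatter demonstration: why rejecting spam during the SMTP
transaction is safer than accepting it and bouncing afterwards.

Added example, not code from the forum post or from any product
mentioned in it. The SMTP dialogue is a simplified simulation (no
network I/O); all addresses and the message are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample: a spam/virus message arriving with a forged
# envelope sender. The real owner of that address sent nothing.
FORGED_SENDER = "victim@example.org"        # constructed placeholder
OUR_RECIPIENT = "user@mail.example.com"     # constructed placeholder
SPAM_BODY = "Subject: buy now\r\n\r\nspam"  # constructed placeholder


@dataclass
class Session:
    """Records the server's replies and any mail the server originates."""
    replies: list = field(default_factory=list)
    outbound: list = field(default_factory=list)  # (recipient, reason) tuples


def looks_like_spam(body: str) -> bool:
    """Stand-in for the AV/anti-spam content filter (constructed rule)."""
    return "spam" in body.lower()


def run_smtp(policy: str) -> Session:
    """Simulate one inbound delivery under a given filtering policy.

    policy == "reject": the filter runs while the client is still
        connected and DATA is answered with a 5xx. The sending MTA (or
        the virus) owns the failure; this server originates nothing.
    policy == "bounce": the server accepts (250), filters afterwards and
        then generates a non-delivery report to the envelope sender.
        Because that sender is forged, the NDR goes to an uninvolved
        third party, which may well be a spamtrap.
    """
    s = Session()
    s.replies.append("220 mail.example.com ESMTP")
    s.replies.append(f"250 OK (MAIL FROM:<{FORGED_SENDER}>)")
    s.replies.append(f"250 OK (RCPT TO:<{OUR_RECIPIENT}>)")
    s.replies.append("354 End data with <CR><LF>.<CR><LF>")

    if policy == "reject":
        if looks_like_spam(SPAM_BODY):
            s.replies.append("550 5.7.1 Message rejected as spam")
        else:
            s.replies.append("250 OK queued")
    elif policy == "bounce":
        s.replies.append("250 OK queued")  # accepted; responsibility is now ours
        if looks_like_spam(SPAM_BODY):
            s.outbound.append((FORGED_SENDER, "NDR: message rejected by content filter"))
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return s


def backscatter_targets(policy: str) -> list:
    """Addresses that would receive mail this server originated for the delivery."""
    return [rcpt for rcpt, _ in run_smtp(policy).outbound]


if __name__ == "__main__":
    for p in ("reject", "bounce"):
        sess = run_smtp(p)
        print(f"{p}: last reply {sess.replies[-1]!r}; we originate {sess.outbound}")
```

Under the "reject" policy the list of addresses this server mails is empty; under "bounce" it contains the forged sender, which is exactly the traffic a spamtrap records as coming from the bouncing host's IP.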


A polite email enquiry (including a pointer to your post) should be sent to deputies[at]spamcop.net.

I've done that and the deputies showed me a fragment from one of the spams received at the spamtrap.

They supposed that a virus infection could have taken place.

But the problem is that I can't find in our network any trace of activity or reason which could cause this situation.

You may wish to register an abuse address of your own so that you get reports (if any).

How can I accomplish this? (If we aren't an ISP)

One thing I can suggest checking (since I use a similar configuration) is Symantec Antivirus. If you are using the AV filtering for Exchange, the default behavior is to send some type of NDR out to the envelope "FROM" address, which is forged 100% of the time by viruses nowadays. This will cause all of these to go to uninvolved third parties. I would suggest checking the settings on the SAVFMSE to make sure it is set to NOT send a response to the forged sender address.

The same may be true for your spam filtering, as I have seen several anti-spam packages set up to bounce spam rather than reject it during the SMTP transaction in accordance with best practices.

We are using Symantec Antivirus Corporate edition, not Enterprise edition, so SAVFMSE isn't used.

And all options like "Send E-mail to sender" in SAV are completely disabled.

I haven't found any settings in ORF (antispam) which could cause spam bounces, only rejecting.

I'm thinking about one idea:

Are there any on-line tests (similar to spamtraps) which can help me to test my configuration?

I've done that and the deputies showed me a fragment from one of the spams received at the spamtrap.

They supposed that a virus infection could have taken place.

But the problem is that I can't find in our network any trace of activity or reason which could cause this situation.

Talk to the person that 'handled' the listing/de-listing seen at http://psbl.surriel.com/listing?ip=83.220....PSBL+list+query .... 'complete' spamtrap hit examples are seen at http://psbl.surriel.com/evidence?ip=83.220...=Check+evidence

Datapoint: 83.220.45.58 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 3 hours.

http://www.senderbase.org/senderbase_queri...ng=83.220.45.58

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      0.0         N/A
Last month    2.4

I'm not going to try to guess what the "0" is all about again .. just noting this for a future check for comparison.


Thanks a lot to ALL!

It was a virus/trojan infection; my colleague's (!!!) computer was infected.

In contrast to ordinary users, he has administrator rights in our LAN.

I was looking for a mistake in the servers' configuration or users' computers

and didn't assume that the problem could come from "another side"...


One thing you might want to do to prevent this in the future: set a rule on your firewall to deny all outbound traffic on port 25 that does NOT originate from your mail server. Unless of course there is a legitimate reason for one of your users to be using an outside SMTP server, but that is rarely the case in a business environment.
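The egress rule suggested above has a companion check that would have found this thread's root cause earlier: audit the gateway's connection log for internal hosts, other than the mail server, that were allowed to open outbound TCP/25 connections (an infected workstation delivering spam straight to remote MXes looks exactly like this). The script below is an added example written for this page, not code from the forum, from ISA Server or from Exchange. It assumes a simplified "date time src_ip src_port dst_ip dst_port proto action" log layout and constructed addresses (192.168.1.10 as the mail server's internal address, 192.168.1.0/24 as the LAN); the log lines are constructed, and the parser would need adapting to the real firewall's export format.

```python
"""Egress audit for direct-to-MX mail: flag internal hosts, other than
the mail server, that were allowed to open outbound TCP/25 connections,
and express the recommended egress rule as a policy function.

Added example, not code from the forum thread, ISA Server or Exchange.
Log layout, network ranges and all addresses are assumptions/constructed.
"""
from collections import Counter
import ipaddress

# Assumptions: internal address of the Exchange server and the LAN range.
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
SMTP_PORT = 25

# Constructed sample log lines (simplified layout, not the real ISA format).
# 192.168.1.10 is the mail server; 192.168.1.57 is behaving like an
# infected workstation; 192.168.1.42 was already denied; the last line is
# inbound mail, not egress.
SAMPLE_LOG = """\
2007-03-01 10:00:01 192.168.1.10 51001 203.0.113.25 25 TCP allow
2007-03-01 10:00:05 192.168.1.57 51002 198.51.100.7 25 TCP allow
2007-03-01 10:00:06 192.168.1.57 51003 198.51.100.8 25 TCP allow
2007-03-01 10:00:07 192.168.1.57 51004 203.0.113.9 25 TCP allow
2007-03-01 10:00:09 192.168.1.42 51005 203.0.113.80 80 TCP allow
2007-03-01 10:00:10 192.168.1.42 51006 203.0.113.25 25 TCP deny
2007-03-01 10:00:11 203.0.113.50 40000 192.168.1.10 25 TCP allow
"""


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (src, dst, dport, proto, action) or None for unparsable lines."""
    fields = line.split()
    if len(fields) != 8:
        return None
    _date, _time, src, _sport, dst, dport, proto, action = fields
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.upper(), action.lower())
    except ValueError:
        return None


def direct_to_mx_offenders(log_text: str) -> dict:
    """Map each non-mail-server internal source to the number of distinct
    external hosts it was allowed to reach on TCP/25."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto, action = rec
        if action != "allow" or proto != "TCP" or dport != SMTP_PORT:
            continue
        if not is_internal(src) or is_internal(dst):   # inbound / intra-LAN
            continue
        if src == MAIL_SERVER:                          # the one legitimate sender
            continue
        seen.add((str(src), str(dst)))
    return dict(Counter(src for src, _ in seen))


def should_allow(src: str, dport: int) -> bool:
    """The egress policy from the reply: outbound TCP/25 only from the mail server."""
    if dport != SMTP_PORT:
        return True
    return ipaddress.ip_address(src) == MAIL_SERVER


if __name__ == "__main__":
    for host, n in sorted(direct_to_mx_offenders(SAMPLE_LOG).items()):
        print(f"{host}: allowed to {n} distinct remote host(s) on port 25")
```

A workstation fanning out to many distinct remote hosts on port 25 in a short window is the signature to alert on; the mail server, by contrast, is expected there, and anything else matching this pattern is a candidate for the same investigation the original poster ended up doing by hand.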
