209.12.205.10 blacklisted, stumped.

[sesblacklisted]

I've been trying to pin down what is going on. We have a sonicwall firewall and we don't have an open relay so I am stumped. Any help would be appreciated.

[ SpamCop Summary Report ]

-- See footer for key to columns and notes about this report --

IP_Address Start/Length Trap User Mole Simp Comments

RDNS

209.12.205.10 Aug 2 15h/5 31 2 0 0 blocklisted

mail.cpa-ws.com

209.12.205.10 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

* System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 6.1 days, it has been listed 2 times for a total of 4.3 days

[Merlyn]

NO mystery here. You have an infected machine behind your firewall sending greeting card spam trying to infect more machines.

FYI: probably the Storm Worm

[Wazoo]

I've been trying to pin down what is going on. We have a sonicwall firewall and we don't have an open relay so I am stumped. Any help would be appreciated.

the why am I Blocked? faq and Pinned entry was of no value? The fact that both spamtrap hits and user complaints exist suggests some of the things to start looking at / for.

Additional potential problems

(these factors do not directly result in spamcop listing)

* System administrator has already delisted this system once

not a good sign, trying to take a shortcut, but not actually resolving the real problem ....

http://www.senderbase.org/senderbase_queri...g=209.12.205.10

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 3.1

I sure wouldn't want to conjecture that someone tried to solve the problem by simply moving the e-mail server to a new IP Address .... that would only be another short-term solution if the actual problem hasn't been found and taken care of ....

Some of the Report history;

Submitted: Monday, August 06, 2007 6:45:36 PM -0500:

You've received a postcard from a School-mate!

2425029249 ( 209.12.205.10 ) To: abuse[at]twtelecom.net

-------------------------------------------

Submitted: Monday, August 06, 2007 12:19:18 PM -0500:

2424577452 ( 209.12.205.10 ) To: relays[at]admin.spamcop.net

2424577443 ( 145.42.87.54 ) To: nomaster[at]devnull.spamcop.net

------------------------------------------

Submitted: Thursday, August 02, 2007 7:04:37 PM -0500:

offer

2418779022 ( 209.12.205.10 ) To: postmaster[at]cpa-ws.com

2418778967 ( 209.12.205.10 ) To: postmaster[at]mail.cpa-ws.com

[Wazoo]

at the time of this post;

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ....... 4.2 .. 977%

Last month ... 3.2

[sesblacklisted]

at the time of this post;

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ....... 4.2 .. 977%

Last month ... 3.2

We have about 30 machines in the network, is there any quick solution on finding the compromised machine other than going to each machine and checking it individually?

[Telarin]

Yes, check your firewall logs for traffic originating inside your network, to any IP address outside your network on port 25. The only traffic that meets this criteria, should be from your mail server. Anything else indicates a problem.

[Farelf]

You haven't mentioned what network monitoring tools you have at your disposal. You might like to check out the relevant parts of the List of lists if your current 'arsenal' is a little light.

[sesblacklisted]

Yes, check your firewall logs for traffic originating inside your network, to any IP address outside your network on port 25. The only traffic that meets this criteria, should be from your mail server. Anything else indicates a problem.

I have a Sonicwall TZ 170 Standard firewall and from the looks at it I don't think i have the ability to do that. So far I spent a lot of time on this so I really am trying.

You haven't mentioned what network monitoring tools you have at your disposal. You might like to check out the relevant parts of the List of lists if your current 'arsenal' is a little light.

What program do you suggest in finding out what computer is using SMTP 25 to send out spam?

[turetzsr]

Telarin [at] Aug 9 2007, 11:30 AM]Yes, check your firewall logs for traffic originating inside your network, to any IP address outside your network on port 25. The only traffic that meets this criteria, should be from your mail server. Anything else indicates a problem.

I have a Sonicwall TZ 170 Standard firewall and from the looks at it I don't think i have the ability to do that.

<snip>

...Looks like it is possible: http://forum.spamcop.net/forums/index.php?...&qpid=58357. Perhaps you could call Sonicwall to ask how. See http://www.sonicguard.com/ContactUs.asp.

[Merlyn]

We have about 30 machines in the network, is there any quick solution on finding the compromised machine other than going to each machine and checking it individually?

If you cannot find one machine then you probably cannot protect any of them.

[sesblacklisted]

If you cannot find one machine then you probably cannot protect any of them.

alright, thanks for the help. ;(

[turetzsr]

If you cannot find one machine then you probably cannot protect any of them.

alright, thanks for the help. ;(

...Sorry you are unappreciative but, after all, this is not a Forum for teaching people how to be server admins (although lots of helpful and knowledgeable people do chime in with some frequency with what appears to me to be valuable information) -- we are simply users of the SpamCop.net toolset. If you need serious help plugging security holes in your system, you really need to find a knowledgeable friend with plenty of spare time or, better yet, hire someone who knows how to do it.

...Good luck!

[Farelf]

I have a Sonicwall TZ 170 Standard firewall ... What program do you suggest in finding out what computer is using SMTP 25 to send out spam?

I have no experience in this area, your guess is as good as mine. Looking through the tools at the suggested link (in firewall logging tools) I came across http://www.linklogger.com/support.htm however the link to the SonicWall tool doesn't seem to go anywhere. You could contact LinkLogger for an update or there are many other tools to look at (including those in other, related, sections). Suggest you try a more specialized group if you need greater exposure to experienced network admins/network security people.

[Telarin]

You could also take the "blunt hammer" approach, and simply configure your firewall to block all outgoing port 25 traffic except that originating from your mail server. You would still have an infected machine somewhere on your network, but it would solve the problem of you sending spam and getting on blocklists.

[sesblacklisted]

alright, thanks for the help. ;(...Sorry you are unappreciative but, after all, this is not a Forum for teaching people how to be server admins (although lots of helpful and knowledgeable people do chime in with some frequency with what appears to me to be valuable information) -- we are simply users of the SpamCop.net toolset. If you need serious help plugging security holes in your system, you really need to find a knowledgeable friend with plenty of spare time or, better yet, hire someone who knows how to do it.

...Good luck!

no, the help is appreciated but the comment by Merlyn wasn't either beneficial to anyone nor did was it helpful in any shape or form. There is no need to add stab at someone in these situations, it's stressfull enough already. This is the "SpamCop Blocklist Help" forum. If one doesn't want to help then there really is no need to comment. All the other members that have posted here i appreciate the help, the ones that don't add anything can just no comment as far as I am concerned, nobody needs the nastiness.

You could also take the "blunt hammer" approach, and simply configure your firewall to block all outgoing port 25 traffic except that originating from your mail server. You would still have an infected machine somewhere on your network, but it would solve the problem of you sending spam and getting on blocklists.

I've don't that approach in intervals trying to pin it down. I've tracked down one machine but I think there is another that is compromised. Thanks for this tips, you've been very helpful. I just wish there was an easier way to pin down these things. maybe I will write an FAQ on my specific situation and hardware.

I have no experience in this area, your guess is as good as mine. Looking through the tools at the suggested link (in firewall logging tools) I came across http://www.linklogger.com/support.htm however the link to the SonicWall tool doesn't seem to go anywhere. You could contact LinkLogger for an update or there are many other tools to look at (including those in other, related, sections). Suggest you try a more specialized group if you need greater exposure to experienced network admins/network security people.

I've done a lot of research and there seems to be a good open source sniffer that will do what I think I need, I will post results when I have solved the problem.

[StevenUnderwood]

I've done a lot of research and there seems to be a good open source sniffer that will do what I think I need, I will post results when I have solved the problem.

According to the Administrators Guide for the TZ170 ( http://www.sonicwall.com/downloads/SonicWA...ators_Guide.pdf ), you should already have the tools available to log (Part 11, Page 307) and possibly track SMTP access (limit bandwidth for SMTP traffic to only your server, Chapter 31, Page 178). This was all with about 15 minutes of research.

[GraemeL]

I've done a lot of research and there seems to be a good open source sniffer that will do what I think I need, I will post results when I have solved the problem.

Once you've finished fighting fires, you should take some time and configure your network in a secure manner. With a network of half a dozen machines, allowing them to talk directly to the internet using NAT is OK. When you have 30 machines on your network, it's just a disaster waiting to happen.

You should set up a web proxy and then configure all of your desktop machines to use that proxy. Once you've done that, modify your firewall so that only the machines that need to talk to the internet (web server, proxy, mail server...) are allowed to do so. All other machines should be blocked by the firewall and generate log entries if they try to talk to anything off of your internal net. Then firewall, mail server and proxy logs will make it a lot easier to track down any future problems.

With 30 boxes on your network, you should also look into getting a corporate virus protection solution that can be centrally managed. This makes it easier to be sure that all definitions are kept up to date and lets you see all problems from a central location.

[turetzsr]

If you cannot find one machine then you probably cannot protect any of them.

alright, thanks for the help. ;(

...Sorry you are unappreciative but, after all, this is not a Forum for teaching people how to be server admins (although lots of helpful and knowledgeable people do chime in with some frequency with what appears to me to be valuable information) -- we are simply users of the SpamCop.net toolset. If you need serious help plugging security holes in your system, you really need to find a knowledgeable friend with plenty of spare time or, better yet, hire someone who knows how to do it.

...Good luck!

no, the help is appreciated but the comment by Merlyn wasn't either beneficial to anyone nor did was it helpful in any shape or form. There is no need to add stab at someone in these situations, it's stressfull enough already. This is the "SpamCop Blocklist Help" forum. If one doesn't want to help then there really is no need to comment. All the other members that have posted here i appreciate the help, the ones that don't add anything can just no comment as far as I am concerned, nobody needs the nastiness.

<snip>

...Sorry, but I humbly disagree with you. I also apologize for not being clear about what I meant by "unappreciative" -- I meant unappreciative of Merlyn's reply. As I tried to point out, I believe he way saying that you seem (by virtue of your inability to find the machine sending the spam) to need more help than you could reasonably expect to be able to get here. Yes, he was a bit terse and, perhaps trying to be more polite than I, less than totally explicit as to what he meant but I believe his comment was serious and understandable. I believe it was also less a "stab" at you than an evaluation of your ability as a network security administrator, at which not of all of us (including you) can be expected to be expert. What does no one any good is to take offense at a reasonable conclusion made by someone in a forum to which you are posting about your inability to do something that takes very special talent and training. I commend you for not expressing such rage at the equally (IMHO) "stabbing" comment by StevenUnderwood (linear post 16, above), "This was all with about 15 minutes of research." <g>

...Anyway, it seems as if you are now much closer to fixing your problem, thanks to Telarin and Farelf (not to mention StevenUnderwood and GraemL, to whom you have not yet replied), who have (as they have done many times before for others) gone far beyond what they could reasonably have been expected to do to help you out. Good luck!