chrisa1967

[Resolved] 80.168.5.22 Blocked

We have an Exchange server behind an ISA server and it is the address of the ISA box that is blacklisted.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 80.168.5.22 has no reverse dns

Part of our network is used by computers we have no control over and I suspect one or more of them has a virus. I cannot block SMTP for everything except our mail server because many of these machines mail out directly using SMTP / POP3.

What I am looking for is any help you could offer in tracking down the offending machine(s)

Many thanks.

...

What I am looking for is any help you could offer in tracking down the offending machine(s)

Hopefully a paying member will drop in and contribute the headers of the spam which were/was the subject of member report(s). Those (reports), with more detail, would have gone to abuse-noverbose[at]clara.net, can you access them there? Details of the spamtrap hits are not available though those are the ones which do most of the damage in terms of getting an IP address listed.

At this time 80.168.5.22 is due to time out of the bl in 4 hours, no further spam ensuing. Looks like an unusually restricted spam run: http://www.senderbase.org/senderbase_queri...ing=80.168.5.22


You might consider getting a separate dedicated IP address for the mail server, especially if you don't have control over other computers sharing the primary IP address.


Thanks for the help. We have found the guilty party and we have removed eight trojans from the machine!

I have recently taken on this network and it looks like we need to segregate the bits we don't have control over ASAP.

Cheers!


That is an excellent idea. If you have a reasonably high-end network connection, most providers won't have a problem giving you more than a single IP address. I know with my Comcast fiber all I have to do is call and ask and they'll give me another block as long as I can justify it. If nothing else, 1 IP for NAT for the workstations, and one IP for each server that needs to be accessible from the internet should help out a LOT. Just make sure to firewall off those server IPs so only the ports you actually need are open to the internet.


Thanks for that Telarin.

It's an interesting scenario because part of our site is office space we rent out. Those users bypass all of our network apart from the ISA box. I think we will probably physically segregate the two parts in the future and operate them as different networks, but in the meantime a different IP is now top of my to-do list.

We had trouble spotting the spammer because it turns out he was using a laptop and didn't come in until this afternoon. So no serious outbound SMTP traffic until he walked in and then it went bonkers!

Thanks again.
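One way to narrow the search this thread describes (an internal host making direct outbound SMTP connections that only the mail server should be making, while tenant machines that legitimately send via their own ISP relay must not be blocked), as an added example that is not from any poster in this thread: it counts per-host connections to port 25 in a constructed, generic firewall connection log and excludes the assumed mail-server address. The log field layout, the threshold values and the 192.168.1.0/24 addresses are assumptions, not taken from the thread or from ISA Server.

```python
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"   # assumed address of the legitimate Exchange server
SMTP_PORT = 25

# Constructed sample log: "time src dst dport" (not a real ISA export)
SAMPLE_LOG = """\
13:01:02 192.168.1.10 203.0.113.5 25
13:01:05 192.168.1.10 198.51.100.9 25
13:02:11 192.168.1.77 203.0.113.5 25
13:02:12 192.168.1.77 203.0.113.6 25
13:02:12 192.168.1.77 203.0.113.7 25
13:02:13 192.168.1.77 203.0.113.8 25
13:02:14 192.168.1.77 203.0.113.9 25
13:03:00 192.168.1.42 198.51.100.9 25
13:03:30 192.168.1.42 203.0.113.5 443
"""

def parse_log(text):
    """Yield (src, dst, dport), skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        yield fields[1], fields[2], int(fields[3])

def smtp_talkers(text, mail_server=MAIL_SERVER):
    """Per internal host other than the mail server: (SMTP connection
    count, number of distinct SMTP destinations)."""
    conns, dests = defaultdict(int), defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == SMTP_PORT and src != mail_server:
            conns[src] += 1
            dests[src].add(dst)
    return {src: (conns[src], len(dests[src])) for src in conns}

def suspects(text, min_conns=3, min_dests=3, mail_server=MAIL_SERVER):
    """Hosts that behave like spam bots: many connections to many distinct
    destination mail servers. A tenant workstation that only talks to its
    own ISP's relay hits one destination and is not flagged."""
    return sorted(src for src, (c, d) in smtp_talkers(text, mail_server).items()
                  if c >= min_conns and d >= min_dests)

if __name__ == "__main__":
    for src, (c, d) in sorted(smtp_talkers(SAMPLE_LOG).items()):
        print(f"{src}: {c} SMTP connections to {d} distinct destinations")
    print("suspects:", suspects(SAMPLE_LOG))
```

Run it over a day's export and the laptop that "went bonkers" stands out by its fan-out to many destination mail servers, while the single-relay tenants stay below the threshold.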

