
Servers incorrectly identified as spam source


TomMynar


OK, here's the scenario: A computer gets infected with a BOT, it reads the user's computer and sends out spam claiming to be from a 3rd party. This 3rd party is then reported to SPAMCOP as being a SPAMMER and inserted into the SPAMCOP database.

When IN FACT, the 3rd party server is NOT a SPAMmer.

So, how do we fix this ? Must I check (as the server admin) your database every 2 hours of the day to make sure someone hasn't submitted me (incorrectly) so that I can make a request to remove it in the next 2 hours ?

Come on guys, I'm running a legitimate business here with THREE users and you are blocking ALL of his emails to Belgium.

I would appreciate a response.

Tom


Please try again .. after looking at any of the How to ask a GOOD question entries, some Pinned, some in the FAQs .... take a look at any number of the thousands of existing Topics to see the types of information needed, used, discussed, referenced, etc. The point is, you provided absolutely nothing for anyone to work with, your Subject Title and actual posting detail suggest that you are confused about just what the SpamCopDNSBL is, how it is used (and by whom) .....

OK, here's the scenario: A computer gets infected with a BOT, it reads the user's computer and sends out spam claiming to be from a 3rd party. This 3rd party is then reported to SPAMCOP as being a SPAMMER and inserted into the SPAMCOP database.

Suspicions here include that you are not talking about the SpamCopDNSBL, which only deals with the IP Address of the source .... you seem to be trying to talk about a 'spamvertised URL' (see the Glossary, Dictionary, Wiki for a definition) .... SpamCop.net does not build a database of spamvertised URLs.

When IN FACT, the 3rd party server is NOT a SPAMmer.

"3rd party server" ..??? see above, or provide a better definition and example of what you are actually trying to talk about.

So, how do we fix this ? Must I check (as the server admin) your database every 2 hours of the day to make sure someone hasn't submitted me (incorrectly) so that I can make a request to remove it in the next 2 hours ?

And where did you come up with this "request to remove every two hours" scenario? SpamCop.net has nothing that works like that.

Come on guys, I'm running a legitimate business here with THREE users and you are blocking ALL of his emails to Belgium.

As provided and described in numerous FAQ entries, numerous Wiki entries, thousands of prior posted Topics, queries, and discussions, SpamCop.net cannot block anything. The use of the SpamCopDNSBL is available to anyone; how it is used is up to those that choose to implement it.

BTW: Hormel would much appreciate you not using the phrase "spam" as that is a Registered Trademark for a specific food product. Yet again, information found in the SpamCop FAQ as found here, the Wiki, on and on ....


What is the error message you are receiving? Whoever is in Belgium is the one who is blocking the email from you.

If the IP address is in the spamcop blocklist, then the spam did, indeed, come from your computers - perhaps, as you suggest, from an infected computer.

A remote possibility is that your website has been included in a spam and the person who is blocking email is blocking it based on your website, but using the spamcop message. Some server admins do use spamvertised sites as filters though I don't believe they usually block them to avoid missing good mail from a legitimate site that has been used by the spammers to lend authenticity to the spam. However, there are always people who run servers who don't understand what they are doing and it is a possibility.

Miss Betsy


<snip>

BTW: Hormel would much appreciate you not using the phrase "spam" as that is a Registered Trademark for a specific food product.

<snip>

...To which end I have taken the liberty of editing the topic title of this Forum thread.

  • 2 weeks later...

Please understand my frustration. We (the industry) are using IP addresses in databases to stop CRAPemail (OK, I won't use the four letter word that is embedded in your site name since you feel I am using it against some copyright laws of Hormel, not sure why it is OK for you to use it inside of your name...).

I don't think that using that technique is working very well. When CRAPemail servers were located off-shore and would send bulk CRAP, they were easy to find, easy to block. But now, the FBI reported that last year over 15 MILLION home PCs are infected with BOTs. So, you (pluralized definition: SPAMCOP type databases) use the IP addresses. So, the BOT writers have changed to now pretend to be someone else in their efforts to cause havoc. Depending on the sophistication of organizations "like" SPAMCOP.NET, some valid IPs are being reported incorrectly.

My question is, why do we use an unreliable method of tracking IP addresses (which can be spoofed) to stop spam ?

In my particular instance, I have discovered a software package with an apparent bug (Argosoft MailPro) which is allowing a rogue PC to send email CRAP. My complaint is that email servers (I have 3) that were NOT the one causing the problem were being wrongfully accused and subsequently blocked. Since all 3 servers (the bad one plus the 2 good ones) run on the same router - they transmit on the same IP address (21.70.129.249).

Second complaint - Yahoo and Hotmail (who are listed as the top CRAPers in the SPAMCOP.NET statistics page) are NOT being blocked. Here I am, with 1 user with CRAP BOTs running on his PC is causing innocent servers to be blocked because I can't afford to take legal action against SPAMCOP.NET, where Yahoo and Hotmail or huge MAILhouses can.

Because of the work of Ellen at SPAMCOP.NET (who instead of ignoring my requests like others in the organization), helped me figure out where the REAL trouble was coming from (not just a generic IP address number).

Thanks for letting me vent on this. I've moved the user OFF of ArgoSoft MailPro and onto an Exchange 2003 server and the last 24 hours have seemed to stop the CRAP. Although, COX.NET is now telling HIM that HIS IP address is now being blocked, even from WebMail....but that's a project to fix next week.

Thanks

Tom


For the most part, IP addresses cannot be spoofed, only the FROM addresses. While it is technically possible to spoof certain IP addresses in certain situations, most first tier providers can easily detect and drop these packets as invalid. I believe you are not understanding how SpamCop works. It lists based off the actual IP address used to send the message, as this is the only reliable piece of information contained in an email, it is NOT based off the usually forged FROM or REPLY TO addresses contained in the header.


Hi, Tom!

Please understand my frustration. We (the industry) are using IP addresses in databases to stop CRAPemail (OK, I won't use the four letter word that is embedded in your site name since you feel I am using it against some copyright laws of Hormel, not sure why it is OK for you to use it inside of your name...).

<snip>

...You seem to have misunderstood. What is copyrighted is the use of the four-letter word in all capitals. Hormel has no copyright on the word SpamCop or other words that include "spam."

...Oh, and by the way, having changed the word "spam" to "crap" in this sentence, you did not follow through and do that in all cases throughout the remainder of your post. :) <g>

So, the BOT writers have changed to now pretend to be someone else in their efforts to cause havoc. Depending on the sophistication of organizations "like" SPAMCOP.NET, some valid IPs are being reported incorrectly.
...Why do you claim that they are being reported incorrectly? I would claim otherwise. The infected computers (or the servers through which they transmit to the internet) are the sources of the spam. Their IP addresses are being correctly reported as spam sources, it seems to me.
<snip>

Second complaint - Yahoo and Hotmail (who are listed as the top CRAPers in the SPAMCOP.NET statistics page) are NOT being blocked.

...The SpamCop blocklist does not list every server that sends spam, nor every server owned by all e-mail providers that send spam, only the ones that meet the criteria (see SpamCop FAQ entry "What is on the list?").
<snip>

causing innocent servers to be blocked because I can't afford to take legal action against SPAMCOP.NET, where Yahoo and Hotmail or huge MAILhouses can.

...IANAL, but since SpamCop is not doing the blocking, it is unlikely that even if you had the resources you would be able to successfully sue SpamCop. The folks who are doing the blocking are other ISPs or e-mail providers and since it's their resources, they can set whatever rules they want for accepting or not accepting incoming mail, even if it is to block based on the SpamCop blacklist (which SpamCop itself recommends against).
Because of the work of Ellen at SPAMCOP.NET (who instead of ignoring my requests like others in the organization), helped me figure out where the REAL trouble was coming from (not just a generic IP address number).

<snip>

...Well done, finding a SpamCop admin for help. You realize, I hope, that, unlike Ellen, those of us here with whom you are communicating here are not SpamCop admins, only users?

Yes, we all can understand your frustration!

However, in order to combat spam, the use of IP address blocking lists is the internet's way of ignoring those who are not mannerly in using the internet. If I understand you correctly, the infected computer was connected to the other computers in such a way that only /your/ IP address was given to the receiving computer. spam sending can only be stopped by the *sending* end. If, in your case, it is not intentional, then being blocked alerts you to a problem which only /you/ can fix. You did disconnect the user who had somehow gotten infected which is what spamcop is all about - alerting ISPs to fix spam problems and only blocking that IP address while spam is coming from it.

Unfortunately, as you point out, too many ISPs out there just can't seem to explain to their customers why they can't get email from their mom or boyfriend or best friend who is using yahoo or hotmail so they won't block those mail servers that belong to yahoo or hotmail. The blocklists kind of do a part block by identifying the IP addresses that connect to yahoo to send spam so that the ISPs customers don't get the spam delivered to their customers. I once read a post by a server admin who had a computer which was not a mail server (I think it was used to screen for viruses), but since it never received mail, he didn't care if it was always blocked. So he let all the users on his network who had infected computers connect to this computer to send their spam. (I am not technically fluent so I can't explain exactly how that works. It has something to do with ports, I believe)

On the other hand, in spite of your frustration with this particular situation, you probably would have stopped the user from using a computer that was infected - if you had known that you were allowing spam to be sent to other people since you hate it so much yourself. I don't know how you were alerted - sometimes people get on the spamcop blocklist via spam to spam traps that don't send reports - but you should be glad that you were alerted and that you found the problem. There are lots of other blocklists besides spamcop and almost every ISP now employs them to filter spam. Spamcop is more aggressive and so lists IP addresses sooner than others, but if you hadn't found the problem and corrected it, you would soon be on many other lists. None of them automatically delist when spam stops and it is a real hassle to get off all the lists, not to mention all the private blocklists that would simply drop any email from your IP address.

So, I hope you can look back in a short while and thank your lucky stars that you found out via the spamcop blocklist that a computer under your control was spewing spam.

Miss Betsy


"I guess I am not understanding how spamcop works." :blink:

Yes, you are correct. I don't understand how my Exchange 2003 server is being blamed for crapping. It is not sending crap, it is sending what the client is sending. JUST LIKE HOTMAIL, EARTHLINK, etc. The "server" or "operating system" is NOT infected. How do I prove that to parties that can't listen (servers I'm sending legitimate mail to) who use spamcop information to base traffic on ?

For those of you who know (or care): I turned off all outbound SMTP traffic on the 2 servers. I monitored SMTP traffic on the router. It ALL stopped (or practically, there was some small noise - I think inbound requests to connect). That PROVES the server is NOT sending crap. It proves that MY inside network is NOT sending crap. Otherwise, the SMTP traffic on the router would have continued to flow. I turn outbound back on, hmm, a couple hours later my IP is reported as a crapper.

So WHY is the IP address blocked ? I still have not heard from the "users" why this needs to be done. What is it that spamcop is preventing ? It is NOT stopping the CAUSE of the problem (him), just affecting me (or, my servers).

"other people use the information, it is not spamcop's fault". OK, I guess this goes with the flawed philosophy "people kill people, guns don't".

If what I believe to be inaccurate information is being spread (let's say, weapons of mass destruction reports) and someone is using that information to base a decision on (I won't put the implied example here), then is it the fault of the person making the decision or the person collecting the information OR BOTH ?

Now, here I am the 3rd party being affected by what spamcop is doing. SO WHO ELSE DO I TALK TO SINCE MY EMAILS TO DIGITALRIVER ARE BEING BLOCKED SUCH THAT I CAN'T COMPLAIN THAT THEY ARE BEING BLOCKED. <_<

"there are other companies doing the same thing, eventually you will get into those lists also." OK, when ? I haven't for the last 2 weeks that I've been working on this issue with spamcop ? So, that sounds to me like spamcop is TOO sensitive to determining who is and who isn't an abuser. Otherwise, the "other guys" would have listed me LONG ago.

So guess what guys/gals? I'm listed again this morning. Everything was fine this weekend (I got delisted on Sunday), the "guy" gets into work today, starts up his Outlook - and boom. I'm listed. I change the outbound IP address of my router, an hour later - that IP is listed. I'm trying to get out to his site and work on his computer, but he lives 80 miles from me. Not an easy place to get to.

PLEASE GIVE ME SOME ASSISTANCE IN MAKING THIS STOP. Just because I "fix" one computer, it only takes a busy little teenager to download something on a laptop and he'll be back in business spreading the crap. I need a LONG TERM solution. Spamcop is NOT that.

Thanks for the discussion.

Sorry I didn't quote the messages directly from the thread, I don't know how to do that with this blogging software.

Tom


Forgive me, but I am going to start off with the assumption that the problem is on your end, not with SpamCop, and try to troubleshoot from there, rather than just assuming spamcop is wrong.

SpamCop lists by IP address, which if you are behind a NAT router, may be shared with multiple computers. Now you have said that you turned off outgoing mail and still saw "background" traffic at your router. Was this background traffic incoming or outgoing packets? If they are incoming packets with a destination of port 25, then as you suspect, these are most likely just connection attempts to send you mail. On the other hand, if these are outgoing packets headed to port 25 somewhere, then there is indeed an infected machine somewhere on your network.

I would recommend configuring the firewall on your router to only allow port 25 traffic to and from your mailserver. This will eliminate the possibility of any infected computers on your network, however unlikely, from sending out mail.

Next, make sure that Exchange is not configured to send NDRs to the (almost always) forged FROM or REPLY TO addresses on incoming undeliverable mail. Note that this was the default for exchange 5.5 and earlier, and required downloading a hotfix from Microsoft to correct. Newer versions of exchange should not have this problem by default.

The next item is to make sure you aren't relaying spam for a spammer somewhere else. If you have your Exchange server configured to relay for authenticated accounts (default configuration), make sure that those accounts that have permission to relay have secure passwords that haven't been guessed. It wouldn't hurt to expire all the passwords on the server and make the users pick all new passwords every few months to just keep problems like this from popping up often. Also make sure that anonymous relaying is disabled (I believe it is by default on 2003, but not sure about earlier versions).

You may also want to make sure that you don't have somebody in marketing that decided to buy a list of 40-million opt-in names to send an email to. I know that sounds obvious, but you might be surprised how often an IT person tracks this kind of problem back to a clueless marketing exec.

Last, you may want to post your IP address here, that way one of the paying members can look at the report history and see if we are dealing with user reports or just spamtrap hits. If just spamtrap hits, you will want to contact deputies[at]admin.spamcop.net to find out what kind of spam traffic they are seeing. If it is user reports, someone will be able to post the subjects and other information for you, it may help track down the origin of these unwanted messages.

Edit - One additional suggestion, if your ISP has given you multiple IP addresses, you may want to use something like the one-to-one NAT offered on many mid-range routers (like the Linksys RV series for example) to map your mail server to its own dedicated IP address, that way if your main NAT IP gets listed because someone downloaded something they shouldn't have, it won't affect your mail server.


...Last, you may want to post your IP address here, that way one of the paying members can look at the report history and see if we are dealing with user reports or just spamtrap hits. If just spamtrap hits, you will want to contact deputies[at]admin.spamcop.net to find out what kind of spam traffic they are seeing. If it is user reports, someone will be able to post the subjects and other information for you, it may help track down the origin of these unwanted messages. ...
An IP address of 21.70.129.249 was quoted but that seems to be incomplete. I'm thinking that may have been 216.70.129.249 ( mpowercom.net domain, not listed) or even 216.70.129.251 (pacwesttech domain, reports to ip-abuse[at]mpowercom.net - listed, with reports as well as spamtrap hits, express delisting not available). Apart from that there are a number of MPOWER COMMUNICATIONS CORP "candidates", with quite different numbers, such as 208.57.82.44, most/all of which seem to be listed with CBL as well. It's all just a guessing game at this stage but maybe someone can look at 216.70.129.251? Though if Ellen has already been involved ...?

216.70.129.249 has had reports about the time the thread opened.

An IP address of 21.70.129.249 was quoted but that seems to be incomplete. I'm thinking that may have been 216.70.129.249 ( mpowercom.net domain, not listed)

Report History:


----------------------------------------------------------

Submitted: Tuesday, March 25, 2008 12:04:39 AM -0400:

70% pharmaceuticals discount. Code #yFnJ

2965485188 ( 216.70.129.249 ) To: ip-abuse[at]mpowercom.net

-------------------------------------------------------

Submitted: Friday, March 21, 2008 10:25:07 AM -0400:

75% pills discount. Coupon #seyA

2955991213 ( 216.70.129.249 ) To: ip-abuse[at]mpowercom.net


I am not a server admin so I can't give technical advice, but from a layman's reading of your post, there is definitely a problem on your end. One of the things that has helped other server admins to find the problem is to read the firewall logs (rather than the email logs) because the spambot is sending out the email through other ports than port 25.

Spamcop is not likely to make a mistake (reporters sometimes do make mistakes, but although I haven't re-read the whole thread, I think the evidence is pretty much against any mistake here.) There is spam coming from the IP addresses which you either control or share with others and it can be documented.

The reason the IP address is blocked is because others want to filter out the spam that is coming from this IP address. No one can stop a spammer from sending his spew - except the owner of the computer he is sending it through. As someone mentioned, spammers have exploited automatic replies, such as out-of-office replies and emails to notify of non-delivery, and thereby made them spam sources.

No receiver has to receive spam if he can find the sources of spam and either block that IP address or use it as a criterion in filters. Most receivers do not use the spamcop blocklist to reject spam (although some do). However, the rest do use it to filter email to a spam folder.

If the IP address continues to send spam, eventually it will be picked up by other blocklists. They are not automatic and to get off those blocklists, you need to do a lot more than stop spam from coming from your IP address. There are hundreds of blocklists available on the internet. Not every server admin uses any or all of them. You can talk to digitalriver and find out why they won't accept your emails. They might give you explicit information.

You can rail against it all you want, but that's the way it works. Server admins use the blocklists that have a good reputation for ascertaining the 'source' IP of the spam in order to protect their users. If you are a server admin, then you have a responsibility to make sure that spammers are not using your static IP address or, if you share an IP address, that you choose one with a good reputation.

Miss Betsy


PLEASE GIVE ME SOME ASSISTANCE IN MAKING THIS STOP.

Assistance 'here' simply isn't possible as you have yet to offer up any specific data. As I stated in my first post in this Topic, repeated here ....

//Please try again .. after looking at any of the How to ask a GOOD question entries, some Pinned, some in the FAQs .... take a look at any number of the thousands of existing Topics to see the types of information needed, used, discussed, referenced, etc. The point is, you provided absolutely nothing for anyone to work with, your Subject Title and actual posting detail suggest that you are confused about just what the SpamCopDNSBL is, how it is used (and by whom) ..... //

Just because I "fix" one computer, it only takes a busy little teenager to download something on a laptop and he'll be back in business spreading the crap.

??? You started your story as "a legitimate business with three users" .... now complaining about little teenagers ????? Then you turn the story to point to that user - 80 miles away

I need a LONG TERM solution. Spamcop is NOT that.

Once again, what does that mean? All I see is that you still haven't learned just what the SpamCopDNSBL is, who uses it, and how it gets used.

Sorry I didn't quote the messages directly from the thread, I don't know how to do that with this blogging software.

This is hardly blogging software ... take a look around, again as suggested in my first post to this Topic, repeated above .... you will find links to all kinds of support data, definitions, examples, other folks' issues, problems, and resolutions.

However, what help you can receive here is based on what data you provide. As noted in numerous places, the core of folks providing help are not paid-staff. You say you had dealings with Ellen and she told you some facts .. I'm having to state the obvious that you provided her more data than you've provided here. So, at best, I can only suggest you continue to talk to Ellen or actually get down to providing some data here such that someone here could try to help you.


How do I tell which client is sending out crap ? I ran Trend and it discovered nothing. I have 26 client desktops, all running Windows XP SP2.

I isolated the 2nd email server onto its own router. So I have 1 router (Fortinet 100A) with 1 Exchange server and the clients. If I turn OFF outbound SMTP traffic from Exchange, the only traffic should be the infected client - correct? So how do I identify that IP? I installed Wireshark on my desktop.

"using other than port 25"

How can a client using something other than port 25 communicate with a conversation through the firewall with another email server (or spambot listener) ? Shouldn't the email server ignore anything except port 25 ? :blink:

Sorry if you feel offended if I call this forum a blog site, not sure what would be the P.C. name to use. :unsure:

The IP address was correctly identified in the 216 area. I've tried moving the outbound IP to get around being blocked, but obviously :excl: I need to find the offending client to fix the problem.

The traffic on the router is very quiet today. But Ellen told me that sometimes the spyware/etc. programs get real smart and go quiet to avoid you finding them for a while.

Feel free to change the thread title to "Confused admin - what is spamcop telling me". Or something you think is more suitable (probably just the first part).

Thanks

Tom


"using other than port 25"

How can a client using something other than port 25 communicate with a conversation through the firewall with another email server (or spambot listener) ? Shouldn't the email server ignore anything except port 25 ? :blink:

You are correct, the receiving server would simply ignore SMTP traffic on any port other than 25.

If you set up a port 25 blocking rule on your router, I would assume it would log any packets that it blocked, in which case you would be able to track it down to which IP address is the culprit. At that point you can check your DHCP server to match it to a MAC address. If you have documented all your computers, it should be trivial to find out which it is. If not, then you will need to go around to each computer and figure out which one is using that IP address.

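Putting the two suggestions above together (a router rule that lets only the mail server speak SMTP, then reading the firewall log to match the offending LAN address to a DHCP lease), here is an added example script that is not from this thread or from SpamCop. It assumes a constructed key=value log format and lease export, not any vendor's real syntax, and that 192.168.1.10 is the Exchange server.

```python
"""Find the LAN host generating outbound SMTP behind a shared NAT address.

Added example, not code from the thread or from SpamCop. It assumes a
router/firewall that logs each connection attempt as a key=value line
(a constructed format, not any vendor's real syntax) and a DHCP lease
table exported as "ip mac hostname". All sample data is constructed inline.
"""
import re
from collections import defaultdict

# Assumption: the Exchange server's LAN address; it is the only host that
# should legitimately open outbound SMTP connections.
MAIL_SERVER_IP = "192.168.1.10"
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log lines (one connection attempt per line).
SAMPLE_LOG = """\
2008-04-14 09:12:01 action=accept src=192.168.1.10 dst=203.0.113.25 proto=tcp sport=4312 dport=25
2008-04-14 09:12:03 action=accept src=192.168.1.57 dst=198.51.100.7 proto=tcp sport=3391 dport=25
2008-04-14 09:12:03 action=accept src=192.168.1.57 dst=198.51.100.9 proto=tcp sport=3392 dport=25
2008-04-14 09:12:04 action=accept src=192.168.1.57 dst=203.0.113.25 proto=tcp sport=3393 dport=25
2008-04-14 09:12:04 action=accept src=192.168.1.57 dst=203.0.113.25 proto=tcp sport=3394 dport=25
2008-04-14 09:12:05 action=accept src=192.168.1.57 dst=203.0.113.40 proto=tcp sport=3395 dport=25
2008-04-14 09:12:06 action=accept src=192.168.1.22 dst=203.0.113.80 proto=tcp sport=1180 dport=587
2008-04-14 09:12:07 action=accept src=192.168.1.31 dst=203.0.113.90 proto=tcp sport=1201 dport=80
2008-04-14 09:12:08 action=deny src=192.168.1.57 dst=198.51.100.12 proto=tcp sport=3396 dport=25
this line is not a firewall record
"""

# Constructed DHCP lease table: ip, MAC, hostname.
SAMPLE_LEASES = """\
192.168.1.10 00:0c:29:11:22:33 exchange01
192.168.1.22 00:1a:a0:44:55:66 laptop-sales
192.168.1.57 00:13:72:77:88:99 ws-accounting
"""

LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<kv>(?:\w+=\S+\s*)+)$")


def parse_log_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["date"], fields["time"] = m.group("date"), m.group("time")
    try:
        fields["dport"] = int(fields["dport"])
        fields["sport"] = int(fields["sport"])
    except (KeyError, ValueError):
        return None
    return fields


def outbound_smtp_by_host(log_text, mail_server_ip=MAIL_SERVER_IP,
                          smtp_ports=SMTP_PORTS):
    """Count outbound SMTP attempts per LAN host, excluding the mail server.
    Denied attempts count too: a bot keeps trying after the port-25 rule
    goes in, which is exactly what makes it visible in the log."""
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("proto") != "tcp":
            continue
        if rec["dport"] not in smtp_ports or rec["src"] == mail_server_ip:
            continue
        attempts[rec["src"]] += 1
        destinations[rec["src"]].add(rec["dst"])
    return {ip: (attempts[ip], len(destinations[ip])) for ip in attempts}


def parse_leases(lease_text):
    """Map IP -> (MAC, hostname) from the constructed lease export."""
    leases = {}
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            leases[parts[0]] = (parts[1], parts[2])
    return leases


def suspects(log_text, lease_text, min_destinations=3):
    """Rank hosts by distinct SMTP destinations, worst first. A legitimate
    client talks to one submission server; a bot with its own SMTP engine
    fans out to many recipient MX hosts, so that is the flag criterion."""
    leases = parse_leases(lease_text)
    rows = []
    for ip, (count, ndst) in outbound_smtp_by_host(log_text).items():
        mac, host = leases.get(ip, ("unknown-mac", "unknown-host"))
        rows.append({"ip": ip, "mac": mac, "host": host, "attempts": count,
                     "destinations": ndst, "flagged": ndst >= min_destinations})
    rows.sort(key=lambda r: (r["destinations"], r["attempts"]), reverse=True)
    return rows


if __name__ == "__main__":
    for r in suspects(SAMPLE_LOG, SAMPLE_LEASES):
        mark = "FLAG" if r["flagged"] else "    "
        print(f'{mark} {r["ip"]:15} {r["mac"]} {r["host"]:14} '
              f'attempts={r["attempts"]} destinations={r["destinations"]}')
```

On the sample data the workstation ws-accounting is flagged (six attempts to five different mail hosts, including one the rule denied) while the laptop that submitted once on port 587 is listed but not flagged.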

How do I tell which client is sending out crap ? I ran Trend and it discovered nothing. I have 26 client desktops, all running Windows XP SP2.

I hate having to guess at things unknown. I'll start with that you provided Ellen some data which allowed her to actually look at e-mail received by SpamCop.net. In the analysis of the headers of that e-mail, I'm of the thought that she pointed out which part of your network was involved, probably by pointing to an unroutable IP Address. The point is .. no one here has access to any of that data, other than perhaps some access to a Reporting History against an IP address by a paid-account user. However, you keep talking about changing IP Addresses ...????

I isolated the 2nd email server onto its own router. So I have 1 router (Fortinet 100A) with 1 Exchange server and the clients. If I turn OFF outbound SMTP traffic from Exchange, the only traffic should be the infected client - correct? So how do I identify that IP? I installed Wireshark on my desktop.

Strangely, you didn't mention any of the configuration settings of the router. Your description seems to suggest that you are not aware that the typical spam virus/trojan these days runs its own SMTP engine. But again, I admit to not fully understanding your actual network layout. You talk about changing IP Addresses, those 'new' IP Addresses getting listed, but then only point to your previously wrongly-identified single output address. Your description in this paragraph seems to leave the question open as to whether moving a server behind another router may change the IP Address involved.

"using other than port 25"

How can a client using something other than port 25 communicate with a conversation through the firewall with another email server (or spambot listener) ? Shouldn't the email server ignore anything except port 25 ? :blink:

Ouch!!!! That's a configuration issue that only you would/should know. Yes, there are alternative ports such as making use of authenticated e-mail connections ... this isn't even talking about the fact that one could point one's own system to another port internally for some strange reason. And again, I believe you are still overlooking that the typical spam virus/trojan uses its own SMTP engine.

Sorry if you feel offended if I call this forum a blog site, not sure what would be the P.C. name to use. :unsure:

Point is, there is data available in the Forum FAQ and entries posted to the How to use .... SpamCop Forum .. and that's above and beyond the built-in Help. How to use the various QUOTE buttons, how to Reply, how to Search, on and on. What has been referenced is that there are numerous How to ask a GOOD question references, the numerous previous Discussions by other folks with the same or similar problems and how they were worked through, almost all Resolved.

The IP address was correctly identified in the 216 area. I've tried moving the outbound IP to get around being blocked, but obviously :excl: I need to find the offending client to fix the problem.

And again, failing to provide those actual IP Addresses prevents anyone here from attempting to do any research on your problem.

The traffic on the router is very quiet today. But Ellen told me that sometimes the spyware/etc. programs get real smart and go quiet to avoid you finding them for a while.

Yes, that's true of some virii/trojans ... of course, it's also true of some spammers that actually reach in and exploit Exchange issues directly.

http://www.spamcop.net/w3m?action=checkblo...=216.70.129.249

216.70.129.249 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...=216.70.129.249

Volume Statistics for this IP
Magnitude / Vol Change vs. Last Month
Last day: 0.0 / N/A
Last month: 3.4

It would appear that this discussion isn't about 216.70.129.249 at present ...?????


...It would appear that this discussion isn't about 216.70.129.249 at present ...?????
216.70.129.251 seems to fit the profile - similar volumes and having just timed off the bl. But why do we have to guess? The spammer knows the address anyway.

http://www.senderbase.org/senderbase_queri...=216.70.129.251

Volume Statistics for this IP
Magnitude / Vol Change vs. Last Month
Last day: 3.5 / -1%
Last month: 3.5

of course, it's also true of some spammers that actually reach in and exploit Exchange issues directly.

It would appear that this discussion isn't about 216.70.129.249 at present ...?????

I did some research based on some data here. I'm only going to state publicly that the URL provided on a web-page for a Team Login strikes me as particularly scary. It's the 'ht tps;//...../Exchange' path that seems very out of place. Then again, I might be looking at the wrong web-site ..?????

Some Reports against 216.70.129.251

Submitted: Friday, April 11, 2008 6:01:33 PM -0500: Meds Discount for aboundingly
  3016128062 ( 216.70.129.251 ) To: ip-abuse[at]mpowercom.net

Submitted: Tuesday, April 08, 2008 12:38:21 AM -0500: Meds Discount for tomi
  3006516920 ( 216.70.129.251 ) To: ip-abuse[at]mpowercom.net

Submitted: Monday, April 07, 2008 5:44:06 PM -0500: Pharmacy Coupon for 452d7791.4040604
  3005921953 ( 216.70.129.251 ) ( SIMPLE ) To: ip-abuse[at]mpowercom.net

Submitted: Monday, April 07, 2008 4:55:26 PM -0500: Pharmacy Discount for 4fun.tvtuba
  3005842557 ( 216.70.129.251 ) ( SIMPLE ) To: ip-abuse[at]mpowercom.net

Not near enough for a SpamCopDNSBL listing, so there must have been a boatload of spamtrap hits. On the other hand, as far as troubleshooting data goes, have you been in contact with mpowercom.net about the Reports that they received? Those reports would contain the e-mails with headers that should allow tracking back to the network (node?) that was generating the spew. (which is what I'm guessing Ellen did for you previously)

http://www.senderbase.org/senderbase_queri...=216.70.129.251

Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
  Last day    2.4         -92%
  Last month  3.5

Perhaps the rogue system has been found/shut-down (again?)


Feel free to change the thread title to "Confused admin - what is spamcop telling me". Or something you think is more suitable (probably just the first part).

Topic was;

Title: Sites incorrectly identified as spam

Description; There must be a better way

Changed to:

Title: Servers incorrectly identified as spam source

Description: keep getting listed - don't know why


What SpamCop is telling you is that spam is coming from the IP addresses that are listed. SpamCop doesn't offer to fix your problem; it just tells you that you have a problem. However, users of SpamCop who post in this forum want to help you, if they can, to fix your problem.

The server admins posting have given you as much advice as they can without knowing the exact IP addresses involved and, probably a little more about your configurations.

Have you read the links about Exchange server exploits? Can you describe how you have implemented precautions against those exploits? What about some of the suggestions that have been made? Have you changed passwords, for instance?

A difficult problem to track down in a couple of instances was when a wireless router was being used. Even though all the computers were clean, the spam was coming through the wireless router. I don't remember seeing anything where you ran an anti-viral program on the computers involved and made sure that firewalls were in place - that's not to say you didn't mention it, but I just don't recall it now.

The above are guesses about where the problem could be and what you could tell us about your set up that would be helpful in making suggestions about how to fix it. Half of troubleshooting is eliminating possible causes.

Miss Betsy


"which IP address are we talking about" "moving the IP address"

I have a 5 block subnet from mpower. When .251 would get blocked, I would tell the router to output (from all internal sources) to .250. When that got blocked too, I moved it to .249, etc. Obviously NOT a solution. So, I separated the two email servers so one used the Fortinet router on .251 and the other used a cheapie router on .249. Then I watched for things to expire in the bl listings.

.251 kept getting relisted, the .249 didn't. So, it made me think "what is different?". On the .249 side (the clients are NOT local) I had what I knew to be infected machines (verified today when I went out there, that was the 80 mile away client). I wiped one machine and upgraded it from Win2K to WinXP Pro w/Trend. I scanned the other machine (XP Pro) and cleaned 1 trojan and several suspicious EXEs.

I then checked the .251 lan and realized I had a Wireless router on the LAN side. I also noticed an employee with an unauthorized laptop sitting under his bench in the warehouse. I unplugged the wireless router (not really in use anyways) this morning. I have seen no more evidence of crap being sent out. I am going to leave it off to make sure the spyware is not just being stealth for a while (that is, not on the suspected laptop).

I am working with Fortinet support to setup the firewall settings to ONLY allow the SERVER to send out port 25 and block all other clients from using 25.

I will then "sniffer" the network and turn the wireless back on and see if the traffic comes in over the wireless IP (we are far enough away from other buildings that it is unlikely someone else is using it). I have to learn how to use the sniffer software though. Not a pleasant task I believe.

Oh, Ellen did not give me any further detail of the emails found, just the generic header text (sending IP, domain name, time sent, etc.), so I couldn't find out any forwarding IPs that would be in the ethernet packets that would tell me where the router was to send the packet back to. Of course, my understanding of how a router compiles a packet is that it sends out its own IP for the return packet trip and has a private area that the receiver is supposed to keep attached where my router embedded the internal LAN IP of the packet it is routing (that took a long breath to say).

"https:..../exchange"

Why is this alarming? Doesn't a simple telnet to port 25 on a domain preceded with "mail." tell them who they are talking to? I'll have to go back and test that. I guess I could create some kind of Java applet to give the company employees a sneaker link to the server.

Tom

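The plan in the post above (only the server may talk out on port 25, then watch the LAN for anything else that tries) can be checked from a firewall's deny log or a connection log without learning a full packet sniffer. The following is an added example, not code from the thread or from any poster or vendor: it reads constructed firewall-style connection log lines, keeps only TCP/25 connections from RFC 1918 sources to public destinations, and counts them per internal host, leaving out the one address assumed to be the authorised mail server. The log format, every address, and the mail server IP 192.168.1.10 are assumptions made for the example.

```python
"""Find LAN hosts other than the mail server that open outbound SMTP (TCP/25).

Added example for this thread, not any poster's code. The log format and all
addresses below are constructed; 192.168.1.10 is assumed to be the real relay.
"""
from collections import Counter
import ipaddress
import re

# Constructed sample, one connection per line: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
10:01:02 TCP 192.168.1.10:40211 -> 64.12.88.131:25
10:01:03 TCP 192.168.1.77:1045 -> 209.85.147.27:25
10:01:03 TCP 192.168.1.77:1046 -> 65.54.188.72:25
10:01:04 TCP 192.168.1.23:3391 -> 72.14.207.99:80
10:01:05 UDP 192.168.1.77:1047 -> 192.168.1.1:53
10:01:06 TCP 192.168.1.77:1048 -> 216.239.32.21:25
10:01:07 TCP 192.168.1.10:40212 -> 64.12.88.131:25
this line is not a connection record
"""

MAIL_SERVER = ipaddress.ip_address("192.168.1.10")  # assumed: the only host allowed to send on 25
LINE_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Turn one log line into a record, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    try:
        return {"ts": ts, "proto": proto,
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport)}
    except ValueError:  # malformed address
        return None


def outbound_smtp(records):
    """Yield TCP/25 connections from a private (RFC 1918) source to a public destination."""
    for r in records:
        if (r["proto"] == "TCP" and r["dport"] == 25
                and r["src"].is_private and not r["dst"].is_private):
            yield r


def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Per-host count of direct-to-Internet SMTP connections that bypass the mail server.

    Returns [(source_ip, count), ...] sorted by count, most active first.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter(str(r["src"]) for r in outbound_smtp(records)
                     if r["src"] != mail_server)
    return counts.most_common()


if __name__ == "__main__":
    for host, n in rogue_smtp_sources(SAMPLE_LOG):
        print(f"{host}: {n} outbound SMTP connection(s) not via the mail server")
```

The matching firewall policy is the one described in the post: permit TCP/25 outbound from the mail server's address only, deny and log it from everything else on the LAN. The logged denies are exactly the input this script expects, so once the rule is in place the script names the infected host (here the constructed 192.168.1.77) without the wireless router ever needing to be switched back on.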

  • 2 weeks later...

Mother went into the hospital. Dad and brothers handling that issue while I did the full-time care for a terminally-ill aunt. Am still playing catch-up from that too-long week plus. I see that this Discussion died. Hmmm.

"which IP address are we talking about" "moving the IP address"

I have a 5 block subnet from mpower. When .251 would get blocked, I would tell the router to output (from all internal sources) to .250. When that got blocked too, I moved it to .249, etc. Obviously NOT a solution

http://www.spamcop.net/w3m?action=checkblo...=216.70.129.249

216.70.129.249 not listed in bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblo...=216.70.129.250

216.70.129.250 not listed in bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblo...=216.70.129.251

216.70.129.251 not listed in bl.spamcop.net

Guessing at the remaining two IP Addresses not specifically identified;

http://www.spamcop.net/w3m?action=checkblo...=216.70.129.248

216.70.129.248 not listed in bl.spamcop.net

216.70.129.247 and 216.70.129.252 show no traffic seen at SenderBase, so wondering which might be the 'fifth' IP Address involved.

Hostname: lgb-static-216.70.129.249.mpowercom.net
Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
  Last day    0.0         N/A
  Last month  3.2

Hostname: lgb-static-216.70.129.250.mpowercom.net
Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
  Last day    0.0         N/A
  Last month  3.4

Hostname: pacwesttech.com (216.70.129.251)
Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
  Last day    0.0         N/A
  Last month  3.7

Hostname: santw.com (216.70.129.248)
Volume Statistics for this IP
              Magnitude   Vol Change vs. Last Month
  Last day    0.0         N/A
  Last month  3.3

Leaving all to wonder just where the traffic ended up being moved to, seeing as none of the IP Addresses identified and guessed at are showing any signs of traffic. I'm not going to spend any time on trying to chase that data down.

So, I separated the two email servers so one used the Fortinet router on .251 and the other used a cheapie router on .249. Then I watched for things to expire in the bl listings.

.251 kept getting relisted, the .249 didn't. So, it made me think "what is different?". On the .249 side (the clients are NOT local) I had what I knew to be infected machines (verified today when I went out there, that was the 80 mile away client). I wiped one machine and upgraded it from Win2K to WinXP Pro w/Trend. I scanned the other machine (XP Pro) and cleaned 1 trojan and several suspicious EXEs.

Quick point .. it seems like the IP Addresses have been mixed up in this scenario description ..????

I then checked the .251 lan and realized I had a Wireless router on the LAN side. I also noticed an employee with an unauthorized laptop sitting under his bench in the warehouse. I unplugged the wireless router (not really in use anyways) this morning. I have seen no more evidence of crap being sent out. I am going to leave it off to make sure the spyware is not just being stealth for a while (that is, not on the suspected laptop).

OK, perhaps that explains the 'confusion' in the above paragraph ..???

I will then "sniffer" the network and turn the wireless back on and see if the traffic comes in over the wireless IP (we are far enough away from other buildings that it is unlikely someone else is using it).

???? If the wireless router was "not used" .. allegedly 'unknown' as a network connected device ... why would you 'turn it back on' ...?????

Distance ???? With an appropriate antenna, range can be amazing. There is another Topic here that talks about an end user and ISP/Host being separated by miles .... the interloping computer (assumed to be compromised) was sitting somewhere in-between.

Use of a sniffer would seem to be a bit of overkill for a quick read ... check the router for connected devices for starters. Compare that to the list of 'authorized' computers ... though again, that this router was 'discovered' as a network asset, it would seem that there would be no authorized systems ...????

Oh, Ellen did not give me any further detail of the emails found, just the generic header text (sending IP, domain name, time sent, etc.), so I couldn't find out any forwarding IPs that would be in the ethernet packets that would tell me where the router was to send the packet back to.

???? Again, overkill from the words offered. The headers should show which machine (via the IP Address) actually generated and sent the e-mail. Assumedly you'd be looking for a non-routable IP Address, the issue then would be to isolate the machine assigned that address, assumedly via your internal DHCP server.

Of course, my understanding of how a router compiles a packet is that it sends out its own IP for the return packet trip and has a private area that the receiver is supposed to keep attached where my router embedded the internal LAN IP of the packet it is routing (that took a long breath to say).

Generically, this is known as NAT .. Network Address Translation is one definition. Another definition to look up would be the description of just how a 'router' works ....

"https:..../exchange"

Why is this alarming? Doesn't a simple telnet to port 25 on a domain preceded with "mail." tell them who they are talking to? I'll have to go back and test that. I guess I could create some kind of Java applet to give the company employees a sneaker link to the server.

I have no idea how or why you managed to drag a telnet connection into this. My concern was having folks log into a system with a URL that used the 'location' of something titled "Exchange" .... The appearances are that you have folks trying to login to the same system that is running your 'Exchange' server. The security issues involved with this would be legion.

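The point made above about the headers (the Received: lines in a SpamCop report show which machine handed the mail to the server, and behind NAT that will be a non-routable address, which the internal DHCP server then maps to a box) can be automated. The following is an added example, not code from the thread or from SpamCop: it walks the Received: chain of a constructed message from the oldest hop upwards and returns the first private source address it finds. The hostnames, addresses, timestamps and the Exchange-style header wording are all constructed for the example and are not taken from any real report.

```python
"""Walk the Received: chain of a message to find the LAN host that originated it.

Added example for this thread, not SpamCop's or any poster's code. The message
below is constructed: a LAN client (192.168.1.77) hands mail to an Exchange
server that is NATed as 216.70.129.251, which then delivers to a recipient MX.
"""
import email
import ipaddress
import re

SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [216.70.129.251])
\tby mx.recipient.example (Postfix) with ESMTP id 3A1B2C
\tfor <victim@recipient.example>; Mon, 07 Apr 2008 17:44:06 -0500
Received: from ab-c1d2 ([192.168.1.77]) by mail.example.net with
\tMicrosoft SMTPSVC(6.0.3790.3959); Mon, 07 Apr 2008 17:44:01 -0500
From: someone@example.net
To: victim@recipient.example
Subject: Pharmacy Coupon

(body)
"""

HOP_SPLIT = re.compile(r"\s+by\s+")                       # "from <sender> by <receiver> ..."
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")      # dotted quads, validated below


def addresses_in(text):
    """Every valid IPv4 address in a header fragment (version strings etc. are skipped)."""
    found = []
    for m in IP_RE.finditer(text):
        try:
            found.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return found


def received_hops(raw_message):
    """Received: headers in delivery order, oldest hop first.

    Each MTA prepends its own Received: line, so the top of the header block is
    the newest hop; reversing the list gives the path the message actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        parts = HOP_SPLIT.split(hdr, maxsplit=1)
        from_part = parts[0]
        by_words = parts[1].split() if len(parts) > 1 else []
        hops.append({"from_ips": addresses_in(from_part),
                     "by": by_words[0] if by_words else ""})
    return hops


def originating_private_host(raw_message):
    """First (oldest) hop whose 'from' side carries an RFC 1918 address.

    Behind NAT this is the LAN machine that injected the mail into the server,
    which is the address to look up in the internal DHCP leases. Returns None if
    no hop shows a private source (e.g. the mail really came from outside).
    """
    for hop in received_hops(raw_message):
        for ip in hop["from_ips"]:
            if ip.is_private:
                return str(ip)
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: from {[str(ip) for ip in hop['from_ips']]} by {hop['by']}")
    print("originating LAN host:", originating_private_host(SAMPLE_MESSAGE))
```

Only the hop written by your own server can be trusted for this purpose: a spammer can forge Received: lines beneath the real ones, so check that the oldest hop with a private address is the one added by the mail server named in the next hop's "by" field, as it is in the constructed sample.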

I have no idea how or why you managed to drag a telnet connection into this. My concern was having folks log into a system with a URL that used the 'location' of something titled "Exchange" .... The appearances are that you have folks trying to login to the same system that is running your 'Exchange' server. The security issues involved with this would be legion.

Wazoo: The http(s)://domain/Exchange format is typical for Outlook Web Access (OWA), the "webmail" included with Exchange 2003 (and maybe 2000). I know it was dropped from the 2008 version, causing most people I know not to upgrade. Most people I know would not be advertising that link on a public web page, however. At my current company, we use a separate domain just for OWA access.

