paulp

Can router be source of spam?


My mailserver suddenly had 22000 mails in its outbox. I uncoupled it immediately from the Internet, deleted the 22000 mails and connected to the Internet again. A few seconds later there were again some 100 spams in my outbox.

Every spam has the following received line:

Received: from chiwan[at]xxx.be ( [10.1.1.254])

10.1.1.254 is the IP of my router.

Could somebody explain what is happening?

As far as I can see my mailserver is not an open relay.

The mailserver has been checked for viruses, malware etc, but nothing found.



Hi Paulp!

You have provided some information but probably not enough to give you anything more than some guesses as to what may be wrong.

But it is quite possible to abuse a mailserver without it being an open relay. For example, Microsoft Exchange servers were notorious for being breached and misused by spammers. Mostly Exchange boxes are now better secured. You have checked for malware but that does not, typically, abuse your server's mail sending function. The FAQs have some helpful information that may assist.

Meanwhile, since you don't seem to be reporting a blocklist issue I anticipate that a moderator may move the thread to The Lounge.

Tell us more about your configuration and what type of network you are operating and someone may be able to give a better indication.

Andrew

Every spam has the following received line:

Received: from chiwan[at]xxx.be ( [10.1.1.254])

10.1.1.254 is the IP of my router.

Could somebody explain what is happening?

No other internal / non-routable IP addresses involved?

Define / describe this router. For example, certain models can have their firmware replaced/modified. Is there a password set for administrating this router?

Actually wondering why you didn't mention checking the configuration of said router and if anything had been changed from what it was supposedly configured for.

You also didn't bother to mention whether this is a wired or wireless router. If wireless, is any security in place, i.e., WEP, WAP, etc.?

Does this router also provide DHCP? If so, have you looked at the DHCP table to see what machines are connected and only those machines that are supposed to be connected are on that list?

The mailserver has been checked for viruses, malware etc, but nothing found.

But you say nothing about checking all the machines that are connected to the router ...??? This seems to be a pretty strange omission.

As Andrew points out, this has nothing to do with the SpamCopDNSBL. Your Topic is being moved to the Lounge area, despite your Subject / Title that suggests that you really wanted to talk about a Hardware Technical Issue which is yet another specific Forum section.


Thanks for trying to help me out!

No other internal / non-routable Ip Addresses involved?

No. Only one Received line, looking like this:

Received: from msg-g09pmirpcam ( [10.1.1.254])
  by xxx.be with ESMTP (Mailtraq/2.6.1.1688) id ESPR7E87E5A6;
  Sat, 10 May 2008 23:21:35 +0200

Define / describe this router. For example, certain models can have their firmware replaced/modified. Is there a password set for administrating this router?

Yes, rather complicated password set, and it is still intact. Router is Sitecom 54G, firmware 1.45

Actually wondering why you didn't mention checking the configuration of said router and if anything had been changed from what it was supposedly configured for.

I've checked the configuration, and noticed nothing unusual.

You also didn't bother to mention whether this is a wired or wireless router. If wireless, is any security in place, i.e., WEP, WAP, etc.?

It is both. The wireless part has WPA-PSK.

Does this router also provide DHCP? If so, have you looked at the DHCP table to see what machines are connected and only those machines that are supposed to be connected are on that list?

No, all clients have fixed IP. There is a small range of dynamic IP addresses, but in order to connect the MAC address of the computers should be entered in the router.

But you say nothing about checking all the machines that are connected to the router ...??? This seems to be a pretty strange omission.

Are being checked again, with no "luck" so far ...


I am not a server admin and only have a vague idea of what has already been discussed.

However, there were two other long topics with other people who could not find anything, but it turned out to be something to do with the wireless router. I would concentrate troubleshooting on that.

The other area where sometimes admins would find things is by looking at the firewall logs (though that hasn't happened in a long time) and it wouldn't hurt for the OP to state the obvious that he is aware of MS Exchange exploits and has taken the appropriate measures. It is like telling another kind of repairman, yes the machine is plugged in!

Miss Betsy


What kind of mail server are we talking about? It is possible that if you are using NAT, some mailservers may see the IP address of the router as the connecting address for connections originating outside, though this is not the preferred behavior for most application.

I am not a server admin and only have a vague idea of what has already been discussed.

However, there were two other long topics with other people who could not find anything, but it turned out to be something to do with the wireless router. I would concentrate troubleshooting on that.

The other area where sometimes admins would find things is by looking at the firewall logs (though that hasn't happened in a long time) and it wouldn't hurt for the OP to state the obvious that he is aware of MS Exchange exploits and has taken the appropriate measures. It is like telling another kind of repairman, yes the machine is plugged in!

Thanks. We've just decided to install a new router with more configuring facilities. This could be part of the problem.

Anyway, the spam flood has ceased now. This could mean the spammer went to another server. But I want to make sure that he, or his esteemed colleagues, can't come back. Your tips and those of Wazoo helped me a lot in "configuring" my thoughts!

What kind of mail server are we talking about?

Mailtraq, version 2.6.1.1688. It has been working fine without any intrusion for many years. So I cannot complain ...


By the way, this spammer, using our mailserver, has also sent spams to our own spamtraps, giving SpamCop reports such as this:

<<

0: Received: from 87-248-177-148.starnet.md ( [10.1.1.254]) by xxx.be with ESMTP (Mailtraq/2.6.1.1688) id ESPR7EDA3F68 for pault[at]xxx.be; Wed, 14 May 2008 10:55:47 +0200

Internal handoff at xxx.be

error:Mailhost configuration problem, identified internal IP as source Mailhost:

Please correct this situation - register every email address where you receive spam

error:No IP found>>


By the way, this spammer, using our mailserver

Obvious first step... stop this capability.

0: Received: from 87-248-177-148.starnet.md ( [10.1.1.254]) by xxx.be

Doesn't that just mean that your router IP is being used as a spoofed IP address?


Doesn't that just mean that your router IP is being used as a spoofed IP address?

Not when it is the only Received line and that is put there by his mail server... it indicates that is where his server got the message.

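The point made in the last reply (a single Received line whose bracketed peer address is the router's private IP means the server accepted the message from inside the LAN, not from a spoofed outside host) can be turned into a quick triage check over a mail spool. The code below is an added example and not part of the thread or of Mailtraq; the two sample messages are constructed, modelled on the Received line quoted above, with "[at]" restored to "@" and the second message given a public peer address for contrast. As the NAT remark earlier in the thread notes, a private first hop can also be an outside connection forwarded through the router, so the result is a pointer to where to look (LAN hosts, router, port forwards), not proof of a compromised machine.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the single Received line quoted in the thread.
LAN_MSG = """\
Received: from 87-248-177-148.starnet.md ( [10.1.1.254]) by xxx.be with ESMTP
  (Mailtraq/2.6.1.1688) id ESPR7EDA3F68 for pault@xxx.be;
  Wed, 14 May 2008 10:55:47 +0200
From: someone@example.org
To: pault@xxx.be
Subject: constructed sample

body
"""

# Constructed contrast case: the same HELO name, but the peer is a public address.
EXTERNAL_MSG = """\
Received: from 87-248-177-148.starnet.md (87-248-177-148.starnet.md [87.248.177.148])
  by xxx.be with ESMTP (Mailtraq/2.6.1.1688) id ESPR7EDA3F69 for pault@xxx.be;
  Wed, 14 May 2008 10:56:02 +0200
To: pault@xxx.be
Subject: constructed sample

body
"""

# The bracketed address in a Received line is the TCP peer the receiving
# server actually talked to; the HELO name before it is whatever the client claimed.
_PEER_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def peer_ips(raw_message):
    """Return the peer IP of every Received header, outermost (most recent) first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _PEER_RE.search(hdr.replace("\n", " "))
        if m:
            ips.append(m.group(1))
    return ips


def classify_origin(raw_message):
    """'lan-handoff' if the only hop is a private (RFC 1918 style) peer, i.e. the
    message was injected from the LAN side (or via NAT); 'external' if the first
    hop came from a public address; 'unknown' if no Received header parsed."""
    ips = peer_ips(raw_message)
    if not ips:
        return "unknown"
    first_hop = ipaddress.ip_address(ips[-1])  # last Received header = first hop
    if len(ips) == 1 and first_hop.is_private:
        return "lan-handoff"
    return "external"
```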
