
Please Help ... Exchange Blacklisted


muhammad.awais


I'm using Exchange 2003 as my e-mail server and have been for the last 6 months. Since last week I'm facing problems in sending mail to all the domains.

The message cannot be delivered due to a configuration error on the server. Please contact your Administrator.

<domain name #5.3.0 smtp;553 5.3.0 spam blocked see: http://spamcop.net/bl.shtml?58.65.154.201>

I have checked the server using anti-spyware, anti-malware tools etc. and found no problem. I have delisted my server once from SPAMCOP but it is now listed again.

Please help, it's urgent.

[edited to fix link by taking R angle bracket out of URL span - no way of knowing whether or not the link was corrupted in the message as received by the poster but if it was, and if this happens with notifications generally, that might explain why the useful information at the SC location given in some server 5xx notifications often seems to have been overlooked by people posting in these pages. But I suspect it is just an artifact of posting to these pages. Ref later query by dbiel.]


A few questions:

Is the IP address (58.65.154.201) shown in the link the IP address of your Exchange server?

If it is your IP address, then that is your problem.

That IP address does not appear to be registered.

If that is not your IP address, then we need to know what IP address you are using.

Also a copy of the full headers used by your Exchange server to send mail would be very helpful.

The full headers from the message that contained the link you pasted into your post might also provide some insight to help.

Without more information, there is not much we can do from here.

Did you set up your Exchange server yourself? If so, you need to get some professional help setting it up correctly. If not, you need to contact the person who did set it up for you.


> <domain name #5.3.0 smtp;553 5.3.0 spam blocked see: http://spamcop.net/bl.shtml?58.65.154.201>

58.65.154.201 is sending a lot of spam. It sent spam to our system less than an hour ago.

Here is a snippet from the headers of the spam that hit our trap:

Received: from elan.com.pk (HELO [58.65.154.201]) ([58.65.154.201])
  by [our trap server] with ESMTP; 05 Nov 2008 04:xx:xx -0800
Received: from [58.65.154.201] by mx2.InternetCrusade.com; Wed, 05 Nov West Asia Standard Time
Message-ID: <x[at]htkrckpxomab>
From: <forgery>
To: <x>
Subject: Check it!
Date: Wed, 05 Nov

http://www.spamcop.net/sc?id=z2386501510z9...a975c447b45e15z

http://www.spamcop.net/sc?id=z2386450409z1...95af924220c16fz

You can use those links to review examples from earlier user reports. The "View entire message" link will show you the full headers and text.

58.65.154.201 resolves to elan.com.pk

elan.com.pk resolves to 205.209.126.55

205.209.126.55 has no rDNS

58.65.154.201 appears to belong to Micronet Broadband (Pvt) Ltd. in Pakistan

205.209.126.55 appears to belong to Hostdepartment.com in New Jersey

The contact addresses for 58.65.154.201 appear to be sohail[at]dsl.net.pk and jahanzeb[at]dsl.net.pk

The contact address for 205.209.126.55 appears to be abuse[at]he.net or possibly abuse[at]hostdepartment.com (not verified) or maybe support[at]hostdepartment.com (not verified).

Here is the standard boilerplate info for infected systems:

I'm sorry to report that the server is sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you.

These days, the most common problem is backdoor spam-sending spyware that has been installed by a Trojan or worm. The server may be suffering from an open proxy port exploit, or has been compromised by some other means. The reason the mail doesn't show up in your logs is because the spammer uses his own SMTP engine to send the mail after he connects to the open port. If you block outgoing port 25 so that all mail has to go through your server, you can identify and prevent the traffic.

There are three very common spammer exploits. You should take a hard look for open proxy ports, backdoor malware installed by trojans/worms, and compromised passwords on accounts like "test" or "guest" or any account that might be still on the system from the original install.

If you have Exchange Server, these FAQs specifically apply:

http://www.spamcop.net/fom-serve/cache/372.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://www.winnetmag.com/article/articleid/41094/41094.html

http://www.winnetmag.com/article/articleid/41456/41456.html

http://www.winnetmag.com/article/articleid/40507/40507.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

http://www.slipstick.com/exs/relay.htm

http://www.msexchange.org/tutorials/Preven..._Server_55.html

The presence of SMTPSVC(5.0.2195.6713) in the headers is the mark of a hacked "guest" account.

Look for an open SOCKS or HTTP proxy, or maybe there's an open wingate/connection sharing/analogx or PHP type problem. Look for a recently-added account which is running a CGI proxy.

A free Unix port scanner is available from: http://www.insecure.org/nmap/

Windows portability for Nmap: http://www.insecure.org/nmap/nmap_portability.html

http://news.zdnet.co.uk/story/0,,t269-s2122679,00.html

http://www.spamcop.net/fom-serve/cache/278.html

http://www.spamcop.net/fom-serve/cache/269.html

http://www.spamcop.net/fom-serve/cache/363.html

http://www.spamcop.net/fom-serve/cache/372.html

http://www.socks.permeo.com/

Backdoor Malware is becoming more widespread. Check for spyware and trojans/worms.

Trend Micro HouseCall: http://www.trendmicro.com/en/home/us/personal.htm

McAfee AVERT Stinger: http://vil.nai.com/vil/stinger/

Ad-aware: http://www.lavasoftusa.com/software/adaware/

Spybot - Search & Destroy: http://www.safer-networking.org/index.php?page=spybotsd

If your logs show a lot of recent smtp/auth hits, it could be a spammer has guessed a password and now has access. Spammers are using brute force to find a username/password combo that works, and with an amazingly high success rate.

http://www.tinyurl.com/r6or

http://www.spamhaus.org/rokso/evidence.las...okso_id=ROK2669

http://www.spamcop.net/fom-serve/cache/372.html

http://seclists.org/lists/bugtraq/2002/Mar/0051.html

PHP-Nuke webmail modules are being exploited at an increasing rate. "X-Mailer: RLSP Mailer" is the mark of the exploit. The developers of PHP-Nuke recommend removing the webmail module as the only fix. There is no patch available or planned, and the latest version comes without the webmail module.

It seems that virtually all PHP versions prior to 5.1 are vulnerable to email header injection, and the spamming community has figured this out. A spammer can inject valid email headers into the "address" (or any other field of the form) and create a valid, deliverable mail with thousands of Bcc recipients. If your web server has an MTA, it will fly.

http://www.nyphp.org/phundamentals/email_h...r_injection.php

http://www.phpit.net/article/php-security-...ample-exploits/

http://us3.php.net/manual/en/ref.mail.php#59012

You can get the latest version of PHP-Nuke without a webmail module here:

http://phpnuke.org/modules.php?name=Downlo...nload&cid=1

There are still unsecured Formmail scripts in use.

A secure edition of Formmail by Ronald F. Guilmette can be found here:

ftp://ftp.monkeys.com/pub/formmail/1.9s/

http://www.monkeys.com/anti-spam/formmail-advisory.pdf

- Don D'Minion - SpamCop Admin -
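The e-mail header injection Don describes above (a CR/LF in a form field turning into an extra Bcc: header) shown in working code, as an added example that is not part of the post and is not PHP, PHP-Nuke or Formmail code. It is written in Python rather than PHP, and the recipient address, form fields and attacker payload are all constructed for the demonstration. The vulnerable builder is the string-concatenation pattern the old scripts used; the hardened builder rejects any field containing a line break before the message is assembled.

```python
"""CRLF (e-mail header) injection: the vulnerable pattern and a hardened one.

Added example, not code from the forum post, PHP, PHP-Nuke or Formmail.
The recipient address, form fields and attacker payload are constructed.
"""
from email.message import EmailMessage
from email.policy import SMTP

SITE_OWNER = "webmaster@example.org"  # constructed fixed recipient of the form

# Constructed attacker input for the "your e-mail" field of a contact form:
# one value that smuggles a Bcc header by ending the From line early.
ATTACK_FROM = "victim@example.com\r\nBcc: a@example.net, b@example.net"


def build_message_vulnerable(from_addr: str, subject: str, body: str) -> str:
    """Pastes user input straight into the header block, the pattern that made
    old mail() wrappers and Formmail scripts into open relays for spammers.
    Any CR/LF in a field becomes a header break, so the caller controls Bcc."""
    return (
        f"From: {from_addr}\r\n"
        f"To: {SITE_OWNER}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def parse_headers(raw: str) -> dict:
    """Splits the header block into name -> [values], as an MTA would see it,
    so an injected header shows up as a real header rather than as text."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


class HeaderInjection(ValueError):
    """Raised when a single-line header value carries a line break."""


def clean_header_value(value: str) -> str:
    """Rejects CR, LF and NUL outright instead of trying to strip them;
    a field that needs a line break is not a valid address or subject."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection(f"control character in header field: {value!r}")
    return value.strip()


def build_message_hardened(from_addr: str, subject: str, body: str) -> str:
    """Validates each field, then lets the email library build the message.
    The library's policy also refuses header values containing line breaks,
    so the explicit check is defence in depth, not the only barrier."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = clean_header_value(from_addr)
    msg["To"] = SITE_OWNER
    msg["Subject"] = clean_header_value(subject)
    msg.set_content(body)
    return msg.as_string()


def is_rejected(from_addr: str, subject: str, body: str = "hello") -> bool:
    """True if the hardened builder refuses the input."""
    try:
        build_message_hardened(from_addr, subject, body)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    bad = build_message_vulnerable(ATTACK_FROM, "Check it!", "hello")
    print("vulnerable builder produced headers:", parse_headers(bad))
    print("hardened builder rejects the same input:", is_rejected(ATTACK_FROM, "Check it!"))
```

Running the block shows the vulnerable builder emitting a real Bcc: header from the attacker's "address", which is exactly how a form handler behind a web server with an MTA becomes a bulk sender. Rejecting rather than sanitising is deliberate: a value that contains a line break is never a legitimate address or subject, and stripping characters invites encoding tricks.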
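Don's point that a run of smtp/auth hits in the logs can mean a spammer has guessed a password, turned into a small detection script as an added example (not code from the post, and not a parser for the native Exchange 2003 log format). The one-event-per-line log format, the client addresses and the five-failures-in-five-minutes threshold are constructed assumptions; adapt LINE_RE and the threshold to whatever log records AUTH attempts on your server. The case worth catching is not the burst of failures by itself but the success that follows it: that is the account that will be relaying spam until its password is reset.

```python
"""Spotting SMTP AUTH brute force, and the guess that finally worked, in a log.

Added example, not code from the forum post and not a parser for the native
Exchange 2003 log format: the one-event-per-line format below is constructed
for this demonstration, and LINE_RE is what you would adapt to your own logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) smtp auth "
    r"(?P<result>ok|fail) client=(?P<ip>[\d.]+) user=(?P<user>\S+)$"
)

# Constructed sample: 203.0.113.7 walks through left-over default accounts and
# then lands a password for "test"; 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
2008-11-05T04:00:01 smtp auth fail client=203.0.113.7 user=guest
2008-11-05T04:00:02 smtp auth fail client=203.0.113.7 user=test
2008-11-05T04:00:03 smtp auth fail client=203.0.113.7 user=admin
2008-11-05T04:00:04 smtp auth fail client=203.0.113.7 user=test
2008-11-05T04:00:05 smtp auth fail client=203.0.113.7 user=guest
2008-11-05T04:00:06 smtp auth fail client=203.0.113.7 user=test
2008-11-05T04:00:07 smtp auth ok client=203.0.113.7 user=test
2008-11-05T04:01:00 smtp auth fail client=198.51.100.4 user=alice
2008-11-05T04:01:05 smtp auth ok client=198.51.100.4 user=alice
"""


def parse_line(line: str):
    """Returns (timestamp, result, ip, user), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["ip"], m["user"]


def analyze(log_text: str, window: timedelta = timedelta(minutes=5),
            threshold: int = 5) -> dict:
    """Sliding-window count of AUTH failures per client IP.

    An IP that reaches `threshold` failures inside `window` is reported as
    brute-forcing. A success from an IP that is still over the threshold is
    reported as a compromised account: the password has been guessed."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    report = {"brute_force": {}, "compromised": []}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, result, ip, user = event
        q = recent_failures[ip]
        while q and ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if result == "fail":
            q.append(ts)
            if len(q) >= threshold:
                report["brute_force"][ip] = max(report["brute_force"].get(ip, 0), len(q))
        elif len(q) >= threshold:
            report["compromised"].append((ip, user))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, count in result["brute_force"].items():
        print(f"brute force from {ip}: {count} failures in window")
    for ip, user in result["compromised"]:
        print(f"likely compromised account {user!r} via {ip}: success after burst, reset the password")
```

The single mistyped password from 198.51.100.4 never reaches the threshold, so it is not reported; the attacker's sixth failure and the success right after it are. Once an account shows up in the compromised list, the follow-up is the one Don gives: reset the password, remove accounts such as "test" or "guest" that nobody owns, and confirm the outbound queue is empty of mail you did not send.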


Thanks Don for the posted information. A question:

Why does the post link resolve to the following answer: 58.65.154.201> is not a routeable IP address (if it is sending spam, it is surely routeable, I would think)

from the following link http://spamcop.net/w3m?action=blcheck&....65.154.201> found on the following page: http://spamcop.net/bl.shtml?58.65.154.201>


Is the posted IP used by the exchange server only, or is it a NAT situation where that IP address is shared between the exchange server and other computers on the LAN? If the IP is shared, it is quite possible that any one of the computers using that IP could have caused the listing by sending spam.


Thanks for the information. Since the link was posted by a user there is no way of knowing how the ">" became part of the hyperlink. So there is not anything that can be fixed. Just another piece of the puzzle to be learned. Thanks again.

> Thanks for the information. Since the link was posted by a user there is no way of knowing how the ">" became part of the hyperlink. So there is not anything that can be fixed. Just another piece of the puzzle to be learned. Thanks again.
I see where you're coming from - notes added to the initial post (and link corrected).

> Is the posted IP used by the exchange server only, or is it a NAT situation where that IP address is shared between the exchange server and other computers on the LAN? If the IP is shared, it is quite possible that any one of the computers using that IP could have caused the listing by sending spam.

Will's query bumped to keep it proximate.

> I see where you're coming from - notes added to the initial post (and link corrected).

I have seen quite a few links in DNSBL rejections that include additional characters. I believe it is usually just poor testing on the part of the person creating the error message. So common, I automatically look at the URL bar and fix it without thinking any longer.

