VigilantIT Posted September 27, 2007 Share Posted September 27, 2007 Hi All, One of our outgoing mail servers was listed. IP : 59.167.235.170 . It is a Windows 2003 SBS server with service pack 2 installed and Microsoft Exchange also is running Service Pack 2. The server is running Microsoft ISA Firewall 2004 and has CA eTrust Antivirus software running on it. I have also run an additional scan using trend micro's sysclean utility and no viruses have been reported and the machine is not showing any visible signs of an infection. I have also run Microsoft Exchange Best Practices Analyser & Microsoft’s Baseline Security Analyser which both list the server as having no error's. All clients on the network are have CA eTrust Antivirus installed on them and are also running windows defender. Both report no virus or spyware activity and again there are no visible signs on any of the machines of this being the case. But we are currently running additional scanning software on these. Also the mail server is currently delivering mail for two distinct domain names , the reverse lookup can only be allocated to one of these. Could this be a possible issue ? This is the info provided by spam cops. 59.167.235.170 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours. Causes of listing • System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) • SpamCop users have reported system as a source of spam less than 10 times in the past week Additional potential problems (these factors do not directly result in spamcop listing) • System administrator has already delisted this system once We originally had the IP delisted as we were thinking this was in error but we were re listed. This is the info that we were provided with at that time. Received: from unknown (192.168.1.108) by [trap servername] with QMQP; 26 Sep 2007 10:xx:xx -0000 Received: from mail.qexecutive.com.au (59.167.235.170) by [trap servername] with SMTP; 26 Sep 2007 10:xx:xx -0000 Date: Wed, 26 Sep 2007 20:xx:xx +1000 Any help to get this issue resolved would be greatly appreciated. Cheers. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted September 27, 2007 Share Posted September 27, 2007 The following information is available to paid users of the reporting system. Can you explain these messages? Report History: Last week -------------------------------------------------- Submitted: Wednesday, September 26, 2007 20:10:20 -0400: Are you strong man? 2523690141 ( 59.167.235.170 ) To: aunic[at]internode.com.au --------------------------------------------------- Submitted: Wednesday, September 26, 2007 06:25:21 -0400: Men like V 2522540246 ( 59.167.235.170 ) To: aunic[at]internode.com.au ------------------------------------------------ Submitted: Wednesday, September 26, 2007 03:53:34 -0400: He is strong in bedroom 2522883206 ( 59.167.235.170 ) To: aunic[at]internode.com.au ---------------------------------------------- Submitted: Tuesday, September 25, 2007 20:24:11 -0400: Yes, I can help you 2521885821 ( 59.167.235.170 ) To: aunic[at]internode.com.au Link to comment Share on other sites More sharing options...
Wazoo Posted September 27, 2007 Share Posted September 27, 2007 http://www.spamcop.net/w3m?action=checkblo...=59.167.235.170 59.167.235.170 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours. Hmmmm, still climbing .... Had you looked at the Why am I Blocked? FAQ and stand-alone Pinned entry, you;'d have noted that the combination of both spamtrap hits and user reports has some signficance. also listed on cbl.abuseat.org It was detected at 2007-09-26 19:00 GMT (+/- 30 minutes), approximately 7 hours, 30 minutes ago. http://www.senderbase.org/senderbase_queri...=59.167.235.170 Volume Statistics for this IP Magnitude Vol Change vs. Last Month Last day ...... 0.0 .. N/A Last month .. 1.8 Not sure if this another one of thos SenderBase server mis-matches or if "you" decided to switch over to a server at another IP address ...?? I see StevenUnderwood pulled up some history while I was doing this bit of reseach. As I stated above, the flow has yet to stop. Link to comment Share on other sites More sharing options...
petzl Posted September 27, 2007 Share Posted September 27, 2007 Hi All, One of our outgoing mail servers was listed. IP : 59.167.235.170 . [sNIP] Received: from unknown (192.168.1.108) by [trap servername] with QMQP; 26 Sep 2007 10:xx:xx -0000 Received: from mail.qexecutive.com.au (59.167.235.170) by [trap servername] with SMTP; 26 Sep 2007 10:xx:xx -0000 Date: Wed, 26 Sep 2007 20:xx:xx +1000 Any help to get this issue resolved would be greatly appreciated. Cheers. SpamCop is reluctant to list a mail server (IP 59.167.235.170 is not a mail server?) Your "mail server" is also not stamping the IP source (the computer that sends the email) This IP has also been listed as a zombie by CBL Link to comment Share on other sites More sharing options...
VigilantIT Posted September 27, 2007 Author Share Posted September 27, 2007 Hi, Much thanks for your speedy reply as your expert advice is very much appreciated. I had read the Why am I Blocked? post but clearly missed the important information. So after a careful re inspection of our client machines we to our surprise / ignorance we realized that port 25 was not blocked for these machines at the firewall. This has now been corrected at the firewall and confirmed on the client that this is no longer accessible. We are still currently running more spyware / virus scans on the client machines and have so far found 1 piece of spyware on a client machine that could have been the culprit. What is the best way to now tell if the flow of unsolicited mail traffic has stopped ? Not sure if this another one of thos SenderBase server mis-matches or if "you" decided to switch over to a server at another IP address ...?? Hi Wazoo , The ip address for this mail server has been up for around 3 - 4 months. Many Thanks Link to comment Share on other sites More sharing options...
Farelf Posted September 27, 2007 Share Posted September 27, 2007 ...What is the best way to now tell if the flow of unsolicited mail traffic has stopped ?...Good to hear you're making progress. When the flow has stopped you will progressively time down out of the SCBL - which can be seen at http://www.spamcop.net/w3m?action=checkblo...=59.167.235.170 as has been mentioned. Usually you could see the declining stats for the IP address at SenderBase but that is useless in this instance for reasons that are presently unclear. The other things often mentioned 'here' are firewall logs, if you have them and can interpret them. Dunno, I'm not an admin but others with a clue or two may drop by should you have tech questions, log extracts to discuss, etc. Link to comment Share on other sites More sharing options...
Telarin Posted September 27, 2007 Share Posted September 27, 2007 Firewall logs are an excellent place to start. Now that you have port 25 blocked, you will most likely notice a machine with connection attempts being rejected on that port. That should quickly lead you to your infected machine. Corporate networks can be tricky. If you have multiple IPs, and your router will support it, I would recommend putting your mail server on its own dedicated IP address, rather than behind NAT with the rest of your machine. Unfortunately, I know this is not always feasible, depending on what equipment you are using, and other factors, especially since NAT with only specific ports forwarded provides one more layer of protection that is often very welcome. If you have wireless access to your network, I would also very carefully examine the security on those access points, as the infected machine could potentially be someone next door "piggy backing" on your wireless network for free internet acccess. I've seen this happen more than once. You should also check with your ISP to find out why they didn't forward the reports that spamcop sent to aunic[at]internode.com.au as those would have provided you with early warning, and you could potentially have corrected the problem before a listing ever occurred. Link to comment Share on other sites More sharing options...
VigilantIT Posted September 28, 2007 Author Share Posted September 28, 2007 Hi All , We have now been delisted and a test email has been sent and received. I will be investigating why we were not forwarded emails that were sent to aunic[at]internode.com.au to provide us with some sort of early warning. Thanks to everyone who provided help. Cheers ! Link to comment Share on other sites More sharing options...
StevenUnderwood Posted September 28, 2007 Share Posted September 28, 2007 We have now been delisted and a test email has been sent and received. I will be investigating why we were not forwarded emails that were sent to aunic[at]internode.com.au to provide us with some sort of early warning. Thanks to everyone who provided help. Thank you for cleaning up your little corner of hte internet and for keeping at it when you thought you had checked everything. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.