Jump to content

Can router be source of spam?

paulp

By paulp
in SpamCop Lounge

Recommended Posts

paulp Member

paulp

Posted
Posted

My mailserver suddenly had 22000 mails in its outbox. I uncoupled it immediately from the Internet, deleted the 22000 mails and connected to the Internet again. A few seconds later there were again some 100 spams in my outbox.

Every spam has the following received line:

Received: from chiwan[at]xxx.be ( [10.1.1.254])

10.1.1.254 is the IP of my router.

Could somebody explain what is happening?

As far as I can see my mailserver is not an open relay.

The mailserver has been checked for viruses, malware etc, but nothing found.

Link to comment
Share on other sites
agsteele Been There

agsteele

Posted
Posted

Hi Paulp!

You have provided some information but probably not enough to give you anything more than some guesses as to what may be wrong.

But it is quite possible to abuse a mailserver without it being an open relay. For example, Microsoft Exchange servers were notorious for being breached and misused by spammers. Mostly Exchange boxes are now better secured. You have checked for malware but that does not, typically, abuse your server's mail sending function. The FAQs have some helpful information that may assist.

Meanwhile, since you don't seem to be reporting a blocklist issue I anticipate that a moderator may move the thread to The Lounge.

Tell us more about your configuration and what type of network you are operating and someone may be able to give a better indication.

Andrew

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
Every spam has the following received line:

Received: from chiwan[at]xxx.be ( [10.1.1.254])

10.1.1.254 is the IP of my router.

Could somebody explain what is happening?

No other internal / non-routable Ip Addresses involved?

Define / describe this router. For example, certain models can have their firmware replaced/modified. Is there a password set for administrating this router?

Actually wondering why you didn't mention checking the configuration of said router and if anything had been changed from what it was supposedly configured for.

You also didn't bother to mention whether this is a wired or wireless router. If wireless, is any security in place, i.e., WEP, WAP, etc.?

Does this router also provide DHCP? If so, have you looked at the DHCP table to see what machines are connected and only those machines that are supposed to be connected are on that list?

The mailserver has been checked for viruses, malware etc, but nothing found.

But you say nothing about checking all the machines that are connected to the router ...??? This seems to be a pretty strange omission.

As Andrew points out, this has nothing to do with the SpamCopDNSBL. Your Topic is being moved to the Lounge area, despite your Subject / Title that suggests that you really wanted to talk about a Hardware Technical Issue which is yet another specific Forum section.

Link to comment
Share on other sites
paulp Member

paulp

Posted
  • Author
Posted

Thanks for trying to help me out!

No other internal / non-routable Ip Addresses involved?

No. Only one Received line, looking like this:

Received: from msg-g09pmirpcam ( [10.1.1.254])

by xxx.be with ESMTP (Mailtraq/2.6.1.1688) id ESPR7E87E5A6;

Sat, 10 May 2008 23:21:35 +0200

Define / describe this router. For example, certain models can have their firmware replaced/modified. Is there a password set for administrating this router?

Yes, rather complicated password set, and it is still intact. Router is Sitecom 54G, firmware 1.45

Actually wondering why you didn't mention checking the configuration of said router and if anything had been changed from what it was supposedly configured for.

I've checked the configuration, and noticed nothing unusual.

You also didn't bother to mention whether this is a wired or wireless router. If wireless, is any security in place, i.e., WEP, WAP, etc.?

It is both. The wireless part has WPA-PSK.

Does this router also provide DHCP? If so, have you looked at the DHCP table to see what machines are connected and only those machines that are supposed to be connected are on that list?

No, all clients have fixed IP. There is a small range of dynamic IP addresses, but in order to connect the MAC address of the computers should be entered in the router.

But you say nothing about checking all the machines that are connected to the router ...??? This seems to be a pretty strange omission.

Are being checked again, with no "luck" so far ...

Link to comment
Share on other sites
Miss Betsy T-shirt wearing out

Miss Betsy

Posted
Posted

I am not a server admin and only have a vague idea of what has already been discussed.

However, there were two other long topics with other people who could not find anything, but it turned out to be something to do with the wireless router. I would concentrate troubleshooting on that.

The other area where sometimes admins would find things is by looking at the firewall logs (though that hasn't happened in a long time) and it wouldn't hurt for the OP to state the obvious that he is aware of MS Exchange exploits and has taken the appropriate measures. It is like telling another kind of repairman, yes the machine is plugged in!

Miss Betsy

Link to comment
Share on other sites
Telarin Advanced Member

Telarin

Posted
Posted

What kind of mail server are we talking about? It is possible that if you are using NAT, some mailservers may see the IP address of the router as the connecting address for connections originating outside, though this is not the preferred behavior for most application.

Link to comment
Share on other sites
paulp Member

paulp

Posted
  • Author
Posted
I am not a server admin and only have a vague idea of what has already been discussed.

However, there were two other long topics with other people who could not find anything, but it turned out to be something to do with the wireless router. I would concentrate troubleshooting on that.

The other area where sometimes admins would find things is by looking at the firewall logs (though that hasn't happened in a long time) and it wouldn't hurt for the OP to state the obvious that he is aware of MS Exchange exploits and has taken the appropriate measures. It is like telling another kind of repairman, yes the machine is plugged in!

Thanks. We've just decided to install a new router with more configuring facilities. This could be part of the problem.

Anyway, the spam flood has ceased now. This could mean the spammer went to another server. But I want to make sure that he, or his esteemed colleagues, can't come back. Your tips and those of Wazoo helped me a lot in "configuring" my thoughts!

What kind of mail server are we talking about?

Mailtraq, version 2.6.1.1688. It has been working fine without any intrusion for many years. So I cannot complaint ...

Link to comment
Share on other sites
paulp Member

paulp

Posted
  • Author
Posted

By the way, this spammer, using our mailserver, has sent spams also to our own spamtraps, giving such Spamcop-reports:

<<

0: Received: from 87-248-177-148.starnet.md ( [10.1.1.254]) by xxx.be with ESMTP (Mailtraq/2.6.1.1688) id ESPR7EDA3F68 for pault[at]xxx.be; Wed, 14 May 2008 10:55:47 +0200

Internal handoff at xxx.be

error:Mailhost configuration problem, identified internal IP as source Mailhost:

Please correct this situation - register every email address where you receive spam

error:No IP found>>

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...