Chris Parker

Member
  • Posts: 196
Contact Methods

  • AIM: spamcoper
  • Website URL: http://www.dsis.net
  • ICQ: 0
  • Yahoo: spamcoper

Profile Information

  • Location: Some Place
  • Interests: Current interesting project: http://www.dnsbl.info

Chris Parker's Achievements

  • Rank: Advanced Member (3/6)
  • Reputation: 0

  1. Visit www.versiontracker.com and search for spamcop. There are several options available. I've been using the spamcop 1.3.2 plugin from Subsume for some time and it's worked great.
  2. What's the IP address or addresses of the servers in question? Are they properly processing messages without butchering the headers?
  3. Your server appears to have been sending to spam traps either directly or by bouncing, autoresponding, etc. See: CBL based on Senderbase report of mailing increasing by 5600% in the last 24 hours. I'd guess that your server has been compromised. Maybe an SMTP AUTH hack. Check your logs. SpamCop's stats are not real-time because spammers abused the listing details. You may want to send an email to deputies <at> spamcop <dot> net.
  4. You need to fix the problem, not just put a band-aid on it. They could just inject from a different IP....
  5. Since it appears that the machine itself has been compromised it may not actually be an account within your mail server software package. You'll want to look at your firewall logs. You do have a firewall, right?
  6. I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. The block will be removed no more than 48 hours after your machine stops sending spam. Research indicated that the machine has been compromised with "Backdoor.Xibo". See also: SORBS and PSBL. Sample Header from messages (Evidence) -- Looks like your machine is sending eBay Phishing scams...

     From anonymous[at]alicia.netpivotal.com Mon Oct 11 17:35:28 2004
     Delivery-date: Mon, 11 Oct 2004 17:35:28 -0400
     Received: from [66.216.122.76] (helo=alicia.netpivotal.com) by mail.victim.example with esmtp (Exim 4.41) id 1CH7pI-0006fa-0x for psbltrap[at]kernelnewbies.nl; Mon, 11 Oct 2004 17:35:28 -0400
     Received: (qmail 15002 invoked by uid 48); 11 Oct 2004 21:29:22 -0000
     Date: 11 Oct 2004 21:29:22 -0000
     To: psbltrap[at]kernelnewbies.nl
     Subject: Important Notice From eBay inc.
     From: eBay Billing <aw-confirm[at]eBay.com>
     Reply-To: aw-confirm[at]eBay.com
     MIME-Version: 1.0
  7. It looks like it's been compromised... Sample: Google is your friend
  8. Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?). You'll want to look at your mail server logs... If properly configured it will show all the mail that it's been sending. In the meantime you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc. accounts. Here's some evidence that I was able to dig up...

     Subject: PENI||S EN1lIARGEMENT
     Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700

     Subject: |NCREASE YOUR PEN1lS SIZE!
     Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

     Subject: MAX|MUM EXP0OSURE
     Received: from micro (200.5.234.3 [200.5.234.3]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700
  9. Please secure your server. Looks like an SMTP AUTH Hack issue on your Exchange server. You'll need to kill all the unused accounts (guest, test, etc.) and then make sure that all existing accounts have non-trivial passwords.
  10. Sometimes the details run behind reality. Check out: http://www.senderbase.org/?searchBy=ipaddr...g=209.58.200.92 10000% increase in mail from that IP address in the last day. Looks like you are running Exchange. Chances are you're the victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html
  11. You'll be removed within 48 hours of the last reported incident of spamming from that IP address. If the problem is solved the block will go away automatically. If the problem is not fixed and that IP address continues to send out spam that people report, it will remain listed here and likely get listed in some not so friendly block lists.
  12. Interesting domain name info on the host name your mail server is claiming to be... Based on the 1400% increase in mail from that server I'd guess that it's been compromised. Check your logs!
  13. It appears that your machine has been compromised either by a virus/trojan or that the mail server itself has been compromised (SMTP AUTH HACK?). Disabling the guest account is a good start, however you really should disable any accounts that are not currently being used. For all accounts that are being used you should change *ALL* the passwords to something that is non-trivial. Unless someone who uses that mail server needs to access it from outside of your LAN I'd suggest that you disable all remote sending capabilities. A full virus/trojan scan of the machine should also be in order. If the machine has been compromised by a virus/trojan it would be in your best interest to format the drive and rebuild the machine taking all the proper security measures. Thanks for your desire to resolve the core problem leading to the listing of your server. You may also want to send an email to deputies <at> spamcop <dot> net who may provide you some additional information as to what is happening.