mtsupport, Posted January 27, 2009
Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.
Miss Betsy, Posted January 27, 2009
Spamcop bl is automatic - as long as no more spam is reported, this IP address will delist in 9 hours.

* DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information
Because of the above problems, express-delisting is not available

I am not a server admin, but I assume that this will mean something to you. I am not sure what you mean by 'how to fix' - are you satisfied that you have found the source of the spam? Or are you asking what else you can do? Otherwise, you will be delisted automatically. You cannot use the express delisting because of the DNS error.

Miss Betsy
Wazoo, Posted January 27, 2009
Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.

Nothing said about any research done on your part at all. Nothing said about anything "found" after all that patching and updating. Nothing said about just what tools/hardware are in use. Nothing said about firewalls, for instance, to include any logs. Nothing about any network details, if this is an e-mail server for you or a thousand users, etc. etc. etc. Nothing said about checking out the FAQ or reading any of the Pinned items, specifically, the Why am I Blocked? entries.

http://www.spamcop.net/w3m?action=checkblo...p=38.104.99.170

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week

Both situations suggest a number of things (see the FAQ entry).

DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information
.... suggests other work needs to be done or explanations offered.

In the past 3.6 days, it has been listed 2 times for a total of 2.2 days
... says it was on the list, came off the list, got back on the list .... was this because your server was down for a period, but brought back on-line while still in a spewing mode .. or some other storyline involved?

http://www.senderbase.org/senderbase_queri...g=38.104.99.170

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.4         196%
Last month  3.0

No idea how 'old' these numbers are at this point, but the obvious question is .. can you go along with the numbers and the increase in traffic flow?
mtsupport, Posted January 27, 2009 (Author)
My apologies, you are absolutely correct.

We have 6 Windows 2003 SBS Servers behind a single linksys firewall rv016. One of them is running Exchange 2003 SP2. I did automatic updates on all the servers. There were 17 security updates installed. Ran updates on Mcafee Virus and Spamkiller Server; definition and signature lists current. Ran Malwarebytes, it detected some tracking cookies, but nothing else.

Can you guys check to see if your traps are still seeing things from 38.104.99.170. I'm assuming there's a trojan or bot that might be causing this. We are just trying to run a nice clean mail server. BTW, this is the first time this server has been listed (twice).

Thanks,
agsteele, Posted January 27, 2009
Can you guys check to see if your traps are still seeing things from 38.104.99.170.

We're all users of SpamCop so have only limited access to data. In fact you can see pretty much everything we can see except for content of the spam that has been reported (for those of us who are paying users).

If you have a trojan on your net then your best bet is to start logging traffic through the firewall/router and identify the source machine.

Andrew
mtsupport, Posted January 27, 2009 (Author)
Thanks Andrew, I was under the assumption that the admin in this forum could actually check the status of a blocklisted IP. I read a previous thread replying to a blocked user saying they could still see spam coming from their server. I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted. Any advice will be helpful.
StevenUnderwood, Posted January 27, 2009
I was under the assumption that the admin in this forum could actually check the status of a blocklisted ip. I read a previous thread replying to a blocked user saying they could still see spam coming from their server. I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted. Any advice will be helpful.

SpamCopAdmin stops by from time to time, and he has that access. The Forum Admin does not.

BTW, I assume you are aware you are posting from the same IP that is listed. Any machine behind that IP could be affecting the listing.

These are the reports available to paid customers:

Submitted: Monday, January 26, 2009 22:30:24 -0500:
Try Viagara Free
3818911302 ( 38.104.99.170 ) To: abuse[at]cogentco.com
---------------------------------------------------------
Submitted: Tuesday, January 06, 2009 20:42:18 -0500:
Diversity & Inclusion contact person & info request
3771639926 ( 38.104.99.170 ) To: abuse[at]cogentco.com
-------------------------------------------------------
Submitted: Tuesday, January 06, 2009 20:42:16 -0500:
Diversity & Inclusion contact person & info request
3771639880 ( 38.104.99.170 ) To: abuse[at]cogentco.com
mtsupport, Posted January 27, 2009 (Author)
Steven, I have frantically checked 35 workstations behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

Is there any utility or tool you would recommend to see what's coming from 38.104.99.170. I need to be absolutely sure that this is fixed by morning. It could mean my job.

Thanks for everyone's input.

PS I did not know there was a paid membership option.
turetzsr, Posted January 27, 2009
<snip> I have frantically checked 35 workstation behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

...Sounds like a good start. But IANASA (I am not a server admin) so my suggestions should be taken with a large grain of salt.

Is there any utility or tool you would recommend to see whats coming from 38.104.99.170. <snip>

...Wazoo earlier mentioned firewall logs. Perhaps you could check the logs to try to find some of the verbiage presented earlier by StevenUnderwood (noting, again, that IANASA).

PS I did not know there was a paid membership option.

...No reason you should. This is a reporting membership option and (I assume) you have not registered as a SpamCop reporter. <g>
Wazoo, Posted January 27, 2009
I have frantically checked 35 workstation behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

The timer has not been reset on the SpamCopDNSBL listing (now showing 4 hours remaining) .. The SenderBase number has come down slightly. At least there's the hint that something good happened, perhaps that single machine.

Is there any utility or tool you would recommend to see whats coming from 38.104.99.170. I need to be absolutely sure that this is fix by morning. It could mean my job.

To actually "see" what's going out, a network/packet sniffer would be required. In all honesty, there's probably not enough time left in the day to learn how to use one of those and gather any good/specific data. If the "linksys firewall rv016" is programmable, can you limit Port 25 output to those authorized servers? (and there's the question as to whether or not that appliance offers enough detail in its logs to show traffic coming from non-authorized systems, again, focusing in on Port 25 outgoing?)

PS I did not know there was a paid membership option.

SpamCop Reporting Accounts and more specifically, ISP Account or How can I get SpamCop reports about my network?
mtsupport, Posted January 27, 2009 (Author)
Wazoo, Thanks for the words of encouragement. I've used packet sniffers before. SnifferPro. I just want to monitor or listen to that external IP. I have VLANs and switched networks; even with a promiscuous card I have trouble seeing all traffic. May need to install a 4-port hub at the WAN port. I just don't want this to happen again, it has been a total nightmare. I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight. Thanks again.
mtsupport, Posted January 27, 2009 (Author)
I have a question for everyone. Are there any early warning tools or utilities to get a jump start on this before it escalates? Thanks for all the help.
DavidT, Posted January 27, 2009
I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight.

That "someone" is active in the forums this afternoon, but perhaps he hasn't had a chance to respond here or get in touch with you (not sure if he ever uses the PM system or not...I'm guessing not). Maybe he'll post or get in touch.

DT
Farelf, Posted January 27, 2009
Still counting down, that's good. Note 38.104.99.170 is also on dnsbl-1.uceprotect -

H:\>nslookup 170.99.104.38.dnsbl-1.uceprotect.net
...
Name:    170.99.104.38.dnsbl-1.uceprotect.net
Address: 127.0.0.2

Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.
DavidT, Posted January 28, 2009
Note 38.104.99.170 is also on dnsbl-1.uceprotect - (snip) Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.

Just a little...which can be obtained by using their query tool, at: http://www.uceprotect.net/en/rblcheck.php

What means listed at UCEPROTECT-Level 1?
It means spamtraps were hit from IP 38.104.99.170 directly within the last 7 days, and therefore your mail got blocked.
Last Impact: 24.01.2009 3:50pm CET +/-10min | Earliest Expiretime: 31.01.2009 4:00pm CET

If you are responsible for IP 38.104.99.170:
You can easily find out which UCEPROTECT-Server did list your IP and for what reason. To do this, search your mailserver's logs (last 8 days) for the following expression:
Access denied and blocklisted
All you need to know in order to locate the problem should be inside your logfiles. If you can't find that string, you mostly have a trojan with its own smtp engine in your lan.

How can the IP 38.104.99.170 be removed from UCEPROTECT-Level 1?
Level 1 listing will be removed automatically and free of charge, as soon as there is no abusive action seen for 7 days.

So...IPs stay on that BL for 7 days...it's not a good source of realtime info regarding your status.

DT
Farelf, Posted January 28, 2009
...I have a question for everyone. Are there any early warning tools or utilities to get jump start on this before it escalates?...

Tools and utilities - I will leave that to others but you might browse thedatalist - http://lists.thedatalist.com/index.html commented on at http://forum.spamcop.net/forums/index.php?showtopic=8241

As you may have noticed in an earlier post, SC reports go to abuse[at]cogentco.com as the nominal abuse handler for that IP address. They should contact you when they get a report. In the case of a spamtrap hit there is no report (and immediate listing), otherwise (member reports) it might give some notice. You may be able to register on an ISP account which would give you direct access. Wazoo's earlier post had the link about that.
mtsupport, Posted January 28, 2009 (Author)
This is a really good forum. I will frequent it often. I'm sure the Spamcop admins have their hands full. Anyways, you guys are a wealth of information. Do you belong to any other forums or groups? Any recommendations on a good server anti-spam application? I hear GFI is pretty good. Anyone have experiences with SpamTitan?
Farelf, Posted January 28, 2009
Just a little...which can be obtained by using their query tool, at: http://www.uceprotect.net/en/rblcheck.php

Thanks David. For the O/P - when we had problems with our server I made a habit of checking the comprehensive BL listings - the Robtex one is good http://www.robtex.com/ip/38.104.99.170.html - gives a listing summary near the top of the page, hit the "blacklists" tab for the complete run-down of coverage. Some of those BLs might happen to pick up a spam hit (or other problems) in time for you to fix things and stay off other lists. That's one of the strengths of the SCBL - an early notification.
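A scripted version of the BL check Farelf describes, as an added example that is not from the thread or from SpamCop: it builds the reversed-octet query names the nslookup output earlier in the thread shows and distinguishes NXDOMAIN (not listed) from a 127.0.0.x answer (listed). The zone tuple, the status wording and the offline stand-in resolver are assumptions made for this example.

```python
import socket
from ipaddress import IPv4Address, ip_network

# Zones named in the thread. Interpreting the answer is an assumption that matches
# the nslookup output quoted above: an A record inside 127.0.0.0/8 means "listed",
# NXDOMAIN (no record at all) means "not listed".
DNSBL_ZONES = ("bl.spamcop.net", "dnsbl-1.uceprotect.net")
LISTED_RANGE = ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 38.104.99.170 -> 170.99.104.38.<zone>."""
    octets = str(IPv4Address(ip)).split(".")   # IPv4Address() rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def interpret_answer(answer):
    """Map a resolver answer (None for NXDOMAIN) to a human-readable status."""
    if answer is None:
        return "not listed"
    if IPv4Address(answer) in LISTED_RANGE:
        return "listed"
    return "unexpected answer"   # anything outside 127/8, e.g. a wildcarded zone

def check_dnsbls(ip, zones=DNSBL_ZONES, resolve=None):
    """Return {zone: status}; resolve(name) returns an IP string or raises socket.gaierror."""
    if resolve is None:
        resolve = socket.gethostbyname   # live lookup; NXDOMAIN surfaces as socket.gaierror
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            answer = None
        results[zone] = interpret_answer(answer)
    return results

def fake_resolver(name):
    """Constructed offline stand-in reproducing the thread's state: listed at UCEPROTECT only."""
    if name == "170.99.104.38.dnsbl-1.uceprotect.net":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    # Pass resolve=None instead to query the real zones over the network.
    for zone, status in check_dnsbls("38.104.99.170", resolve=fake_resolver).items():
        print(f"{zone}: {status}")
```

Run it from a scheduled task against your own outbound IP and alert on any transition to "listed"; that is the early-warning loop the thread is asking about.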
Wazoo, Posted January 28, 2009
http://www.cisco.com/en/US/docs/routers/cs...0_UG_NC-WEB.pdf (an absolutely horrible and massive PDF of a bad scan job) seems to suggest that services (SMTP in this case) can be configured in, both as allowed/denied activities, and as a log specific ... though admitting it looks a bit painful for the first go-through. Of course, that probably also depends on whether you've got your networked devices (e-mail servers for sure) set on dedicated IP Addresses .... everything accepting DHCP assignments would probably really make the above a total waste of time.
Wazoo, Posted January 28, 2009
http://spamcop.net/w3m?action=checkblock;ip=38.104.99.170
38.104.99.170 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...g=38.104.99.170

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    0.0         N/A
Last month  3.0

Hopefully, things are still working and this isn't simply due to a change of the IP Address in use ...????

Later Edit: ... as of 0420 GMT -6

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    1.8         -94%
Last month  3.0
agsteele, Posted January 28, 2009
Just to note that the paid reporter options are also available to Email account subscribers. That can be a more economical approach for some.

Andrew
Telarin, Posted January 28, 2009
One other thing you might consider doing if you haven't already. Since you are using an RV016, which has the ability to configure firewall rules, you might consider adding a rule to block any traffic originating from your LAN that is destined for port 25 unless it is coming from your mail server. That way even if one of your workstations does get infected and start spewing spam again, it will be blocked at the firewall before it can leave your network.

You might also try configuring one-to-one NAT so that your Exchange server is using a different IP from your workstations, although I have never been able to get that to work as it is supposed to on the RV series routers.
mtsupport, Posted January 28, 2009 (Author)
Thanks for everyone's feedback. Everything is back online. There seem to be some residual effects of the blocklist. ATT and sbcglobal.net are still showing blocks.

I have modified the firewall to only allow port 25 traffic from the mail server as suggested. I've installed enterprise virus management software, so I can see which machines get infected. I have inventoried all the machines, assigned asset tags and documented their LAN IPs. Ran auto updates on all the servers. Downloaded the firewall access log; excel ran out of space, I'll review later to identify the spam output.

Otherwise things aren't too bad. I'm sure I will have an interesting discussion with my boss, hopefully I'm still employed. Thanks again guys, you are all a great team!
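One way to do the firewall-log review described here without loading it into a spreadsheet, as an added example that is not from the thread: it flags LAN hosts other than the mail server that opened outbound port-25 connections, the rogue-sender pattern Wazoo and Telarin point at. The log line layout, the LAN range and the mail-server address are constructed assumptions, not the RV016's real export format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log; the field layout is an assumption, not what the RV016
# actually exports. Adjust LOG_RE to the src=/dst= fields your firewall writes.
SAMPLE_LOG = """\
Jan 27 2009 09:12:01 FW: src=192.168.1.10:40123 dst=64.12.138.161:25 proto=TCP action=ALLOW
Jan 27 2009 09:12:03 FW: src=192.168.1.57:51022 dst=209.85.201.27:25 proto=TCP action=ALLOW
Jan 27 2009 09:12:04 FW: src=192.168.1.57:51023 dst=65.55.37.72:25 proto=TCP action=ALLOW
Jan 27 2009 09:12:05 FW: src=192.168.1.22:3389 dst=192.168.1.10:443 proto=TCP action=ALLOW
Jan 27 2009 09:12:06 FW: src=192.168.1.57:51024 dst=98.139.54.60:25 proto=TCP action=ALLOW
Jan 27 2009 09:12:07 FW: src=192.168.1.10:40124 dst=17.148.16.10:25 proto=TCP action=ALLOW
Jan 27 2009 09:12:08 FW: src=192.168.1.80:44001 dst=74.125.67.27:25 proto=TCP action=ALLOW
not a firewall line at all
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

MAIL_SERVER = ip_address("192.168.1.10")   # assumed LAN address of the Exchange box
LAN = ip_network("192.168.1.0/24")          # assumed LAN range behind the RV016

def parse_line(line):
    """Return (src, sport, dst, dport) or None for lines that are not connection records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ip_address(m["src"]), int(m["sport"]), ip_address(m["dst"]), int(m["dport"]))

def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER, lan=LAN):
    """Count outbound port-25 connections per LAN host, excluding the authorized mail server."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _sport, dst, dport = rec
        # Keep only LAN -> Internet traffic to port 25 that did not come from the mail server.
        if dport != 25 or src not in lan or dst in lan or src == mail_server:
            continue
        counts[str(src)] += 1
    return counts

def report(log_text):
    """Worst offender first: a list of (lan_ip, connection_count) pairs."""
    return rogue_smtp_senders(log_text).most_common()

if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG):
        print(f"{ip}: {n} outbound SMTP connection(s) not from the mail server")
```

With the real export, read the file line by line instead of a string so a multi-megabyte log never has to fit in memory at once.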
Derek T, Posted January 28, 2009
Otherwise things aren't too bad. I'm sure I will have an interesting discussion with by boss, hopefully i'm still employed. Thanks again guys, you are all a great teem!

You might point out that if instead of using a windows server and windows PCs behind it, they had all been running (free) linux, then none of this would have happened.
Telarin, Posted January 28, 2009
Except that if everyone ran linux, that would simply become the new OS of choice for hackers and virus writers.