GSTVHenry, posted March 6, 2009

Sometime on Wednesday, we got blocklisted by several companies including Spamcop. The SenderBase report for 126.96.36.199 states:

    Magnitude        Vol Change vs. Last Month
    Last day    3.7  337%
    Last month  3.1

Below are the steps taken in an attempt to resolve the issue:

- Blocked SMTP traffic on all machines except the MS 2003 SBS server. I tested that only the server that hosts Exchange can get out on port 25.
- Logs on the Cisco ASA do not reveal anything relevant.
- Ran Spybot S&D, Malwarebytes, and Microsoft's malware tool on all applicable machines (Macs and PCs). A few had a virus or two, but nothing significant.
- Updated servers to the latest patches.
- We're not an open relay.

CBL states the following:

    IP Address 188.8.131.52 is currently listed in the CBL.

    It was detected at 2009-03-06 15:00 GMT (+/- 30 minutes), approximately 4 hours, 30 minutes ago. It has been relisted following a previous removal at 2009-03-06 02:43 GMT.

    ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.

    ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL eventually stop letting you delist it and you will have to contact us directly.

    This is identified as the Ozdok/Mega-D spambot.

    You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

    If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers. Please see our recommendations on NAT firewalls.

What perplexes me is that if I've blocked SMTP traffic, how could a bot/trojan still continue to spam out?

Thanks in advance. I apologize if I am lacking any detail.
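The post above describes an egress rule (only the SBS/Exchange host may reach port 25) that the CBL says is not holding, and a firewall log review that "did not reveal anything relevant". The following is an added example, not code from the original post or from any reply, of the check a practitioner would run over the ASA syslog in that situation: parse the connection-built and ACL-deny messages, and report (a) internal hosts that still manage to build outbound TCP/25 connections even though they are not the mail server, (b) the outbound SMTP volume from the permitted mail server itself, and (c) hosts whose SMTP attempts are being denied, which is exactly the list of machines to inspect for the bot. The log lines are constructed in the style of Cisco ASA messages 302013 and 106023; the mail-server address, internal addresses and interface names are assumptions for the example.

```python
"""Audit firewall logs for outbound SMTP that bypasses a 'mail server only' egress rule.

Added example; not code from the original post. SAMPLE_LOG is constructed in the
style of Cisco ASA syslog messages 302013 (connection built) and 106023 (denied by
access-list). Real lines carry a timestamp/hostname prefix, which the regexes ignore.
Addresses and interface names ("inside"/"outside") are assumptions for the example.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 10001 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.168.1.5/49152 (198.51.100.5/49152)
%ASA-6-302013: Built outbound TCP connection 10002 for outside:203.0.113.11/25 (203.0.113.11/25) to inside:192.168.1.77/51000 (198.51.100.5/51000)
%ASA-6-302013: Built outbound TCP connection 10003 for outside:203.0.113.12/443 (203.0.113.12/443) to inside:192.168.1.77/51001 (198.51.100.5/51001)
%ASA-4-106023: Deny tcp src inside:192.168.1.88/52000 dst outside:203.0.113.13/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.88/52001 dst outside:203.0.113.14/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 10004 for outside:203.0.113.15/25 (203.0.113.15/25) to inside:192.168.1.5/49153 (198.51.100.5/49153)
"""

# For an *outbound* build, the ASA lists the outside (destination) endpoint first and
# the inside (source) endpoint after "to"; the parenthesised pairs are the NAT-mapped
# addresses, which we do not need here.
BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([^)]*\) to \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)
# ACL deny: source first, destination second.
DENY_RE = re.compile(
    r"Deny tcp src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def audit_smtp(log_text, mail_servers, smtp_ports=frozenset({25})):
    """Return three per-source-host counters as plain dicts.

    leaks:              outbound SMTP connections actually *built* from hosts that are
                        not permitted mail servers, i.e. the egress block is not in
                        effect for them (wrong ACL, wrong interface, or a path that
                        does not traverse this firewall).
    mail_server_volume: outbound SMTP built from the permitted mail servers; a jump
                        here with no leaks points at the mail server itself.
    blocked:            SMTP attempts denied by the ACL; the block works for these
                        hosts, but they are still trying, so inspect them first.
    """
    leaks, volume, blocked = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            if int(m["dport"]) in smtp_ports:
                target = volume if m["src"] in mail_servers else leaks
                target[m["src"]] += 1
            continue
        m = DENY_RE.search(line)
        if m and int(m["dport"]) in smtp_ports:
            blocked[m["src"]] += 1
    return {
        "leaks": dict(leaks),
        "mail_server_volume": dict(volume),
        "blocked": dict(blocked),
    }


def report(result):
    """Render the audit as one line per finding, most active hosts first."""
    lines = []
    for host, n in sorted(result["leaks"].items(), key=lambda kv: -kv[1]):
        lines.append(f"LEAK   {host}: {n} outbound SMTP connection(s) built despite the block")
    for host, n in sorted(result["blocked"].items(), key=lambda kv: -kv[1]):
        lines.append(f"DENIED {host}: {n} outbound SMTP attempt(s) blocked; inspect this host")
    for host, n in sorted(result["mail_server_volume"].items()):
        lines.append(f"MAIL   {host}: {n} outbound SMTP connection(s) from permitted mail server")
    return lines


if __name__ == "__main__":
    # 192.168.1.5 stands in for the SBS/Exchange host that is allowed to send mail.
    findings = audit_smtp(SAMPLE_LOG, mail_servers={"192.168.1.5"})
    print("\n".join(report(findings)))
```

Run against a day's worth of exported ASA syslog, the three buckets answer the question in the post in a way the summary "nothing relevant" cannot: any LEAK line means the port-25 rule is not actually being applied to that host; DENIED lines name the machines that are trying to send mail directly, which is the behaviour the CBL describes; and if both buckets are empty while the listing persists, the remaining candidate is the permitted mail server itself. The 302013 messages are informational (level 6), so they are only present if the ASA's logging level includes them.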