adminu Posted October 7, 2009 Share Posted October 7, 2009 Dear Forum members, With a matter of high concern we would like to inform you that our ip-address 61.16.152.210 has been blocked. Understandably, we'd like to know the root-cause of the problem. We have been analyzing, researching, hearing and part of the problem you can attribute to lack of our security experience. What we have done so far >>> Understood possible problem causes a.) Our system is sending mail to SpamCop spam traps in the past week. b.) Some friends are saying the blockage could be due to virus in workstations. c.) Some mentioned that it was due to SpamAssassin's high score which needs to be brought down to be below 5.0. (For e.g. writing 'Dear' in message body etc. This is how the message reads in spam email 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [blocked - see <http://www.spamcop.net/bl.shtml?61.16.152.210>] 1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server [61.16.152.210 listed in dnsbl.sorbs.net] Open-questions Q.) What should we infer with this? http://www.projecthoneypot.org/ip_61.16.152.210 Q.) What should we infer with this? http://www.senderbase.org/senderbase_queri...g=61.16.152.210 Q.) Inference with this ? http://www.spamcop.net/w3m?action=checkblo...=61.16.152.210+ Need urgent help. What set of steps apart from delisting request need to be taken? Link to comment Share on other sites More sharing options...
Derek T Posted October 7, 2009 Share Posted October 7, 2009 Dear Forum members, Need urgent help. What set of steps apart from delisting request need to be taken? 1. Fix the problem 2. Wait - delisting is entirely automatic when the spam stops. Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted October 7, 2009 Share Posted October 7, 2009 I'm sorry to report that 61.16.152.210 is sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you. Received: from del-static-210-152-16-61.direct.net.in ([61.16.152.210]) by [our trap server] with ESMTP; 07 Oct 2009 05:xx:xx -0700 From: "Merrie Postlethwait" <x[at]x> Subject: How can I do this? Date: Wed, 7 Oct 2009 05:xx:xx -0700 (PDT) Received: from del-static-210-152-16-61.direct.net.in ([61.16.152.210]) by [our trap server] with ESMTP; 06 Oct 2009 22:xx:xx -0700 From: "Jeanmarie Uodafqej" <x[at]x> Date: Wed, 7 Oct 2009 11:xx:xx +05-30 Subject: Help configuring These days, the most common problem is backdoor spam sending spyware that has been installed by a Trojan or Worm. The server may be suffering from an open proxy port exploit, or has been compromised by some other means. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 7, 2009 Share Posted October 7, 2009 Dear Forum members, With a matter of high concern we would like to inform you that our ip-address 61.16.152.210 has been blocked. Understandably, we'd like to know the root-cause of the problem. We have been analyzing, researching, hearing and part of the problem you can attribute to lack of our security experience. What we have done so far >>> Understood possible problem causes a.) Our system is sending mail to SpamCop spam traps in the past week. b.) Some friends are saying the blockage could be due to virus in workstations. c.) Some mentioned that it was due to SpamAssassin's high score which needs to be brought down to be below 5.0. (For e.g. writing 'Dear' in message body etc. This is how the message reads in spam email 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [blocked - see <http://www.spamcop.net/bl.shtml?61.16.152.210>] 1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server [61.16.152.210 listed in dnsbl.sorbs.net] Open-questions Q.) What should we infer with this? http://www.projecthoneypot.org/ip_61.16.152.210 Q.) What should we infer with this? http://www.senderbase.org/senderbase_queri...g=61.16.152.210 Q.) Inference with this ? http://www.spamcop.net/w3m?action=checkblo...=61.16.152.210+ Need urgent help. What set of steps apart from delisting request need to be taken? Your 3 open questions are all pointing to unauthorized emails being sent from your IP address. The listings are NOT caused by SpamAssassin. SpamAssassin might be using the BL's to raise the score, however. Is that IP address only your email server or does it hide your entire network behind it? Do you have firewall logs to determine if mail is going our directly from infected workstations? It could also be misdirected bounces from your server going to the honeypots and spamtraps. You can email deputies[at]admin.spamcop.net and they might give you a hint as to what it looks like or one of them might post here. •Too many delisting requests were made. Next request might be allowed after 5.7 days Because of the above problems, express-delisting is not available This line means you tried the express delisting before the issue was resolved. Note: This is also new wording. It used to be that you had only one chance to delist. It appears that option returns now after a "penalty phase". UPDATE: A deputy did respond while I was preparing this message. Link to comment Share on other sites More sharing options...
Farelf Posted October 7, 2009 Share Posted October 7, 2009 ... Q.) What should we infer with this? http://www.senderbase.org/senderbase_queri...g=61.16.152.210 ... At the time of this post, SenderBase monitoring indicates your daily e-mail volume had suddenly increased 88% (SenderBase will only be 'seeing' a part of your total but it looks to be an indicative sample). If you find the source of that increase you will most likely find the source of your problem. Other information on that SendrBase page shows your IP address appears on the abuseat Composite Blocking List. The link provided is http://cbl.abuseat.org/lookup.cgi?ip=61.16.152.210 and that apparently confirms "this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans. ... This is the cutwail spamBOT. You MUST patch your system and then fix/remove the trojan." - and further advice is provided there. Typically your situation will continue to deteriorate until you remove the trojan, as spam will be picked up by more and more blocklists in the meantime. Robtex will show the current situation for a large selection of these: http://www.robtex.com/ip/61.16.152.210.html#blacklists Further information about the spam received or other problems with your IP may be available from the organisations running those lists, also their de-listing procedures once you have fixed your problems (SpamCop is automatic, few others are). Link to comment Share on other sites More sharing options...
adminu Posted October 7, 2009 Author Share Posted October 7, 2009 I'm sorry to report that 61.16.152.210 is sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you. Received: from del-static-210-152-16-61.direct.net.in ([61.16.152.210]) by [our trap server] with ESMTP; 07 Oct 2009 05:xx:xx -0700 From: "Merrie Postlethwait" <x[at]x> Subject: How can I do this? Date: Wed, 7 Oct 2009 05:xx:xx -0700 (PDT) Received: from del-static-210-152-16-61.direct.net.in ([61.16.152.210]) by [our trap server] with ESMTP; 06 Oct 2009 22:xx:xx -0700 From: "Jeanmarie Uodafqej" <x[at]x> Date: Wed, 7 Oct 2009 11:xx:xx +05-30 Subject: Help configuring These days, the most common problem is backdoor spam sending spyware that has been installed by a Trojan or Worm. The server may be suffering from an open proxy port exploit, or has been compromised by some other means. Dear Spamcop Admin, Can you please recommend a set of steps that we need to follow now? Do we need to scan each and every workstation in our network, which applications should we use for scanning? What steps should we follow with the mail server? Link to comment Share on other sites More sharing options...
adminu Posted October 7, 2009 Author Share Posted October 7, 2009 Dear Farelf, Thank you for the quick reply. Yes, we are planning a high level audit for tomorrow. In that we'll be doing a thorough scan of all the workstations and machines in the network. Just re-iterating the question again, what according to you is the root cause of this problem? Secondly, which all applications do you recommend we should use to fight this spam? I have already downloaded Microsoft Windows Malicious Software Removal Tool. What else do we need to take into account? Link to comment Share on other sites More sharing options...
rconner Posted October 7, 2009 Share Posted October 7, 2009 Can you please recommend a set of steps that we need to follow now? Do we need to scan each and every workstation in our network, which applications should we use for scanning? What steps should we follow with the mail server? You need to find which machines are spewing and then focus on cleaning them up or cutting them off from your network. Without detailed headers from sample spams, this might be difficult, but if you can contrive to put a packet sniffer somewhere to monitor all outgoing port 25 traffic from your network, this might help. Arguably, you should not be seeing any such traffic except from bona-fide outgoing mail hosts; if you do see it, you may have found your culprit machine(s) by their IP addresses. Unfortunately, the botnet activity is sporadic, so you'll probably be sniffing for awhile. It may also be hidden by innocent port-25 traffic. Another measure that some providers have resorted to is simply blocking outbound port 25 traffic from your network except for your bona-fide mail hosts or other machines that might have a pressing need. In this way, zombie machines are blocked from delivering mail outside their domains. Some of your "power users" will complain about this, no doubt, since they will be unable to send mail through random mail hosts outside your domain. This is very general advice, hard to be more specific without some insight into your operation. If you find this information hard to follow, you may need to put someone more knowledgeable on the job. -- rick Link to comment Share on other sites More sharing options...
Farelf Posted October 7, 2009 Share Posted October 7, 2009 ...Just re-iterating the question again, what according to you is the root cause of this problem? ...The CBL listing states you have been infected by the "cutwail spamBOT". I have no idea how reliable that assertion might be but I recommend you look at anything they offer there in the way of resources and suggestions....Secondly, which all applications do you recommend we should use to fight this spam? I have already downloaded Microsoft Windows Malicious Software Removal Tool. What else do we need to take into account?I have no experience with such infections but if you search the internet for "cutwail spamBOT" you will see what others who have found themselves in exactly your situation have done. Symantec/Norton identify it as Trojan.Pandex. The MSRT is usually part of the initial installation on a Windows PC and is regularly updated. If I understand correctly it quietly runs in the background, intercepting infection vectors. If it has not been previously installed and regularly updated then yes, the CBL site does indicate it might still be of some use and I have heard it is the only effective solution with some particular infections. But I'm no expert. Link to comment Share on other sites More sharing options...
adminu Posted October 7, 2009 Author Share Posted October 7, 2009 Thanks Farelf, on doing a google search for cutwail spamBOT, I could download some tools as well for cleaning this. One is ParetoLogic Anti-Virus. Then I also found wireshark and lastly ExterminateItSetup. Rconner - Thanks for the reply. To find out machines spewing the network, you recommend a normal antivirus or anything in addition to that? Link to comment Share on other sites More sharing options...
Derek T Posted October 7, 2009 Share Posted October 7, 2009 Just re-iterating the question again, what according to you is the root cause of this problem? In a word, Windows. And the fact that 95%+ of all Windows installations in India are pirated copies. The solution? GNU/Linux. Link to comment Share on other sites More sharing options...
rconner Posted October 7, 2009 Share Posted October 7, 2009 Rconner - Thanks for the reply. To find out machines spewing the network, you recommend a normal antivirus or anything in addition to that? Anti-virus tools are not going to do this kind of work; this would be like using a gun-cleaning kit to try to figure out who shot at you. You're going to need to call on someone who understands your network topology behind that affected IP address and can use tools like packet sniffers (e.g., http://www.wireshark.org/) to identify the abusive traffic and trace it to its source. Then, you can deal with the source by yanking its network cable and scrubbing it thoroughly with any antivirus you have on hand. I am not a malware expert, but I do hear that bot kits can be very difficult to remove (by intentional design of the botherder), and often require wiping (or even discarding) the disk and starting over with a fresh load of the operating system. Good luck, -- rick Link to comment Share on other sites More sharing options...
Telarin Posted October 8, 2009 Share Posted October 8, 2009 A good way to cut off the virus while you are trying to track it down would be to configure your router to block all outbound traffic to port 25 from any IP address other than your actual mail server. This would at least cut off the spew while you find the problem machine. If your firewall supports logging, it should also make it quite easy to track down the offending machine as the firewall rule hits should almost immediately show up in the logs. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.