ben Posted May 19, 2004 Servers in my mail cluster are getting blacklisted. 216.116.190.102 is still blacklisted, albeit for less than 24 hours; 216.116.190.90 and 216.116.90.92 have already been removed. I understand that these things happen, because we push about 4 gigs of mail a day through them. However, our stats say of 216.116.190.102 that "this system has been reported less than 10 times by less than 10 users". That doesn't seem to be a whole lot to me. Now, I receive several abuse reports daily from SpamCop, as I read abuse and hostmaster for a pretty wide block of IP address space. But I have not received any for -my- mail servers, that is, the ones above. I understand that customers with virii are likely sending mail through it, but why is my server blacklisted before I have received complaints? I sent an email to the address in the FAQ and still await a response. thanks, ben
Derek T Posted May 19, 2004 Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 106.8 days. It has been listed for less than 24 hours. * In the past week, this system has: Been detected sending mail to spam traps * Been witnessed sending mail about 400 times It's the spamtrap thing that is fatal. Only the deputies can help you with this as we mere mortals are not privy to this info. If you have cut off the compromised users (and can prove it) the deputies may get you de-listed sooner. OTOH if your servers have been configured to bounce worm poop to the 'from' field then you have only yourself to blame.
Merlyn Posted May 19, 2004 Are you sending warnings, Non Delivery Notices or returns to the "From" address using virus software? If you are then turn it off, as all "From" addresses are fake in those and that is one of the largest causes of the problem you are experiencing.
ben (Author) Posted May 19, 2004 Those servers don't bounce mail for worm activity, those 3 do not scan (Marketing! Fah!). The more likely case is a compromised or infected user sending mail via the server, which I can and will take care of, but I need to see header files so I can find the offending user in the log files. They are probably the ones hitting the spam traps. It's not the blacklisting, but the blacklisting before I received a complaint, that bothers me. Thanks for the info, though. ben
Merlyn Posted May 19, 2004 Actually if a user is infected most worms/viri have their own smtp engine. If this is a mail server then is it possible it has been affected by an SMTP Auth Hack and is being abused? You have log files?
ben (Author) Posted May 19, 2004 If it's an SMTP/Auth hack, it's not published for this mail server. Furthermore, even if most virii have their own SMTP engines, I'd still put it to a bad user--our customers get hacked often enough, and we all know spammers are generally not above using trojaned machines. ben
Miss Betsy Posted May 19, 2004 It's not the blacklisting, but the blacklisting before I received a complaint, that bothers me. Blame the spammers again. They were using spamcop reports from spamtraps to dodge listing which is why there is no evidence either. I don't like it either. But so far no one has come up with a solution. The worm engines use different ports than the usual and, it seems, admins find the spoor in the firewall logs (IIRC). Miss Betsy
Derek T Posted May 19, 2004 It's not the blacklisting, but the blacklisting before I received a complaint, that bothers me. Yes, I understand that that may seem unfair. In case it's not clear from previous answers, the spamtrap reports are automatic and the evidence is seen only by the deputies. It used to be reported to the admin like human-generated stuff and made public on the checkblock page, and the human-reported stuff used to be much less munged but, as Merlyn said, spammers were using it to avoid being blocked. So now spamtrap reports are 'silent' and 'weighted'. As you probably know, they are addys that have never been used to send mail and should never receive it: they are hidden in web-pages as bait for the address harvesters. AIUI you have already e-mailed deputies <at> spamcop.net: I'm afraid you will have to wait till you reach the top of their pile - they are usually pretty prompt. No one but them can help you in these circs. (and we seem to have eliminated the most common causes).
ben (Author) Posted May 19, 2004 I had emailed the blacklist address before; I've emailed the deputies now. This is all quite depressing, and frustrating. Thanks for your help. ben
turetzsr Posted May 20, 2004 Hi, ben! I had emailed the blacklist address before; I've emailed the deputies now. This is all quite depressing, and frustrating. Thanks for your help. ben ...Yes, spammers spoil it for all of us!
WB8TYW Posted May 20, 2004 If it's an SMTP/Auth hack, it's not published for this mail server. ben Spamhaus SMTP Auth information If your mail server has the ability to do SMTP auth, it is vulnerable to this exploit. This is a weak password configuration issue, not a platform specific vulnerability. No operating system is immune, although some may make it harder to make this configuration error. Microsoft systems may have two (or more) authentication databases that need to be checked. If the password to a privileged account is guessed, usually the first thing that an attacker will do is install several backdoors. So if a privileged account is compromised, a full security audit is required, and the recommended procedure is to rebuild the server from known good sources. -John Personal Opinion Only
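The two log-side checks the thread keeps coming back to are (a) ben's need to map a reported recipient back to the authenticated user who submitted the message and (b) John's point that a guessed SMTP AUTH password is the usual way an open-looking relay gets abused. The following is an added example, not code posted by anyone in this thread and not tied to the mail software ben runs (which the thread never names): it assumes Postfix-style syslog lines with `sasl_username=` on the submission record and `SASL ... authentication failed` warnings, and the sample log is constructed. It correlates queue ids across smtpd and smtp lines, counts submissions per authenticated user, and flags source IPs with repeated authentication failures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modeled on Postfix-style syslog output (an
# assumption: the thread never names the mail server software in use).
SAMPLE_LOG = """\
May 19 03:14:01 mx1 postfix/smtpd[2101]: 1A2B3C: client=dsl-17.example.net[10.0.0.17], sasl_method=LOGIN, sasl_username=alice
May 19 03:14:02 mx1 postfix/qmgr[1888]: 1A2B3C: from=<alice@example.net>, size=1432, nrcpt=1 (queue active)
May 19 03:14:02 mx1 postfix/smtp[2150]: 1A2B3C: to=<bob@example.org>, relay=mail.example.org[10.0.9.9]:25, status=sent (250 OK)
May 19 03:20:11 mx1 postfix/smtpd[2102]: 4D5E6F: client=cable-44.example.net[10.0.0.44], sasl_method=LOGIN, sasl_username=carol
May 19 03:20:12 mx1 postfix/smtp[2151]: 4D5E6F: to=<reported-addr@example.org>, relay=mail.example.org[10.0.9.9]:25, status=sent (250 OK)
May 19 03:20:12 mx1 postfix/smtp[2151]: 4D5E6F: to=<other@example.com>, relay=mail.example.com[10.0.8.8]:25, status=sent (250 OK)
May 19 03:21:40 mx1 postfix/smtpd[2103]: 7A8B9C: client=cable-44.example.net[10.0.0.44], sasl_method=LOGIN, sasl_username=carol
May 19 03:21:41 mx1 postfix/smtp[2152]: 7A8B9C: to=<x@example.org>, relay=mail.example.org[10.0.9.9]:25, status=sent (250 OK)
May 19 03:30:00 mx1 postfix/smtpd[2104]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
May 19 03:30:01 mx1 postfix/smtpd[2104]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
May 19 03:30:02 mx1 postfix/smtpd[2104]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
May 19 03:30:03 mx1 postfix/smtpd[2104]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
May 19 03:31:00 mx1 postfix/smtpd[2105]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: authentication failure
"""

# Submission record: queue id, connecting client, authenticated SASL user.
AUTH_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+), sasl_method=\w+, sasl_username=(?P<user>\S+)"
)
# Delivery record: queue id and one recipient address per line.
RCPT_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")
# Failed SMTP AUTH attempt with the source IP of the connecting client.
FAIL_RE = re.compile(r"warning: \S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed")


def index_submissions(log_text):
    """Build queue-id -> (user, client) and queue-id -> [recipients] maps."""
    submitter = {}
    rcpts = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            submitter[m["qid"]] = (m["user"], m["client"])
            continue
        m = RCPT_RE.search(line)
        if m:
            rcpts[m["qid"]].append(m["rcpt"])
    return submitter, rcpts


def who_sent_to(log_text, recipient):
    """Given a recipient taken from a complaint (or the To: of a reported
    message), return (queue id, sasl user, client) for each matching
    authenticated submission; that is the account to look at first."""
    submitter, rcpts = index_submissions(log_text)
    return [
        (qid,) + submitter[qid]
        for qid, addrs in rcpts.items()
        if recipient in addrs and qid in submitter
    ]


def messages_per_user(log_text):
    """Outbound submissions per authenticated user; a single account far
    above the others is the usual sign of a compromised customer login."""
    submitter, _ = index_submissions(log_text)
    return Counter(user for user, _ in submitter.values())


def auth_failures_per_ip(log_text, threshold=3):
    """Source IPs with at least `threshold` failed SMTP AUTH attempts, the
    log-visible footprint of the password guessing John describes."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("submitted to reported address:", who_sent_to(SAMPLE_LOG, "reported-addr@example.org"))
    print("messages per user:", dict(messages_per_user(SAMPLE_LOG)))
    print("auth-failure sources:", auth_failures_per_ip(SAMPLE_LOG))
```

The queue id is the join key: the smtpd line carries the SASL user, the smtp line carries the recipient, and neither alone answers "which customer sent this". With a real complaint you would also match on the message date and Message-ID from the headers, since the same recipient may legitimately appear in many submissions.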
Derek T Posted May 20, 2004 This is all quite depressing, and frustrating. Thanks for your help. Chin up, I checked this morning (UK time) and you're de-listed now.