New to Spamcop...big problem

[Merlyn]

Good Luck.

Depending on how insecure your machine was before it was hacked it "might" work but that machine has been compromised and you do not know what password was compromised. That machine could be under his control more than yours. What will stop him from logging in as a user? Then it would be local to that machine and under his power to do with what he wants.

That machine needs every user audited and you should turn off all services that can be used over the web/TCP.

In essence you really don't know how they got in or are getting in.

If this is a corporate machine then you should order a new machine, load what you need on it, get the latest patches secure it and secure it good, then replace the users one at a time and check to see the user is actually part of your network then replace your hacked aninmal.

Lack of security got you into this position, you should have learned your lesson and if you have not learned anything then the next time it will be worse.

This is not a sit and "wait and see what happens" episode.

[Richard W]

Okay spoke too soon.  Was unblacklisted this morning and now I am blacklisted again.  This is getting ridiculous.  I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

I forced all users to change passwords and enforced password complexity.

216.114.75.99 delisted on Wednesday morning and then relisted Wednesday afternoon because more spam was relayed to traps.

As someone else mentioned, see http://www.spamcop.net/fom-serve/cache/372.html. According to dsbl.org, they relayed through your server authenticating as "administrator". You probaby have/had a weak, default or non-existant password on that account.

We've seen no new spam for 27 hours, so I trusted your shutting down authentication has solved the problem. Based on that, I've delisted your server.

If you turn authentication back on, make sure to check your administrator and all default accounts and make sure the guest account is disabled.

Richard

[Merlyn]

Okay spoke too soon.  Was unblacklisted this morning and now I am blacklisted again.  This is getting ridiculous.  I thought I had the problem solved and just when I was giving the good news to my users, I got the beat down!

I forced all users to change passwords and enforced password complexity.

216.114.75.99 delisted on Wednesday morning and then relisted Wednesday afternoon because more spam was relayed to traps.

As someone else mentioned, see http://www.spamcop.net/fom-serve/cache/372.html. According to dsbl.org, they relayed through your server authenticating as "administrator". You probaby have/had a weak, default or non-existant password on that account.

We've seen no new spam for 27 hours, so I trusted your shutting down authentication has solved the problem. Based on that, I've delisted your server.

If you turn authentication back on, make sure to check your administrator and all default accounts and make sure the guest account is disabled.

Richard

Like I said having administrator privledges to this machine it cannot be trusted. No telling what has been done to this server.

[mark.perkins]

Everything here is looking good so far. Just for the record I didn't not have a weak Administrative password (12 chars complex password). I have, however, had the same admin password for a long period of time. It was probably a brute force attack that eventually guessed my password that allowed the SMTP/Auth hack. I have since changed my admin password.

I did configure my Exchange server to only allow users on my LAN to send mail and it seems to have corrected the problem.

My outgoing mail queues are clean. My bad mail folder is empty. I'm not on the blacklist and the hard drive LED's on my mail server are no longer lit up like a Christmas tree.

It's time for a Corona!

This has been a great learning experience for me regarding mail security. Thanks to everyone who helped me. I really appreciate it. I hope everyone out there has a spam free day!

Mark

[Richard W]

Like I said having administrator privledges to this machine it cannot be trusted. No telling what has been done to this server.

Just because they authenticated a mail transmission as "administrator" does not mean they gained administrator access to the machine. The account "administrator" in Exchange and "administrator" in W2000/XP are not the same account and are not accessed the same way and does not necessarily allow them to create users and do other nefarious deeds in the guts of the system.

Richard

[mark.perkins]

Sorry about the double-negative in my last post. I didn't proof read it before I posted it.

Mark

[Merlyn]

Here is a small hint for you.

You are still compromised

[mark.perkins]

Merlyn,

Please give me more details. You seem adamant that I am still compromised. How could I check? What clues should I look for?

Thanks,

Mark

[Richard W]

Merlyn,

Please give me more details.  You seem adamant that I am still compromised.  How could I check?  What clues should I look for?

There has been no new spam from your IP in the last three days. My opinion is that you are secure.

Richard

[integrate]

I am confident that I was the victim of an SMTP/AUTH hack.  I have forced a company wide password change and implemented complex passwords.  I also deleted all unnecessary accounts.  My mail server seems to be working more normally and my badmail folder is not filling up like it was.

I didn't think I was relaying spam and was really pissed at first that my IP was blacklisted, but this service has helped me immensely by forcing me to look at issues I would have normally overlooked. 

I never thought I would say this, but "thanks, Spamcop."

Mark Perkins, M.S., MCSE, A+

Sys Admin

BioKyowa, Inc.

This response should be pinned at the top of the forum as a reference for bullheads and trolls who try to blame the natural consequences of their own security leaks on Spamcop rather than -- as this sysadmin has done -- accepting responsobility for their own shortcomings, fixing them, and thanking Spamcop for its role in alerting them the leak (even if the alert involved the gentle application of a 2 X 4 to forehead).

I am often astonished at the immaturity of many of the people who come here whining -- how did they ever get prpmoted to system admin or mail admin? The guy who started this thread is a role model for how the job SHOULD be done.

[Wazoo]

This response should be pinned at the top of the forum

Though agreeing with the sentiment, the Pinned FAQ issue is something that's being looked at for a better alternative. How about taking a look at a Topic in the Lounge asking for input on changing the configutation of this thing and perhaps come up with a place to slide in a few accolades such as this. "spam Victim of the Month" doesn't seem like a title some would want to wear <g>