fix spam problem

[dave12345]

Hi,

I had a problem yesterday being put on a few blacklist. Somebody had opened a DMZ on the router and I also found some spyware that might be causing the problem. I removed the spyware and disabled the DMZ and was able to remove myself from a bunch of lists. Then today a user gets a bounce and sure enough we are still listed on a few sites. I don't have a report but I have this:

65.82.245.22 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam about 20 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

In the past 15.9 days, it has been listed 3 times for a total of 13.8 days

Do you think it has not had time to be removed from the list? Do you know of a website that I can test the IP and tell me what the problem is? Can you point me to any resources on securing a Microsoft Small Business Server 2000?

Any help would be greatly appreciated.

[StevenUnderwood]

Do you think it has not had time to be removed from the list? Do you know of a website that I can test the IP and tell me what the problem is?

The bl can take up to 48 hours (depending on many factors) to be removed from the list.

The web site http://www.spamcop.net/bl.shtml allows you to enter the IP in question and get the information you pasted above.

To get any information about the spamtraps, email deputies<at>spamcop.net.

To get information about the other reports, contact abuse[at]bellsouth.net. Htey would have received the spam reports on this IP.

Good luck

[dave12345]

Thanks! I will send out the e-mails and cross my fingers.

[Miss Betsy]

Can you point me to any resources on securing a Microsoft Small Business Server 2000?

Any help would be greatly appreciated.

Many people will tell you to put a Linux box in front of it.

However, you might get more help and answers if you post a query in spamcop.geeks newsgroup (sign up for spamop newsgroup NTTP on the web page and it comes with that - I am not technically fluent so I can't explain it better).

Miss Betsy

[Merlyn]

First off I am only being straightforward and this is not personal.

Your problem started before yesterday and it looks as if you still have a problem.

If this is a staic IP then your machine is in need of a doctor

Either you "are" a spammer or spammers are using your open proxy which is caused probably due to some malware on your confuser.

Why don't you use your providers SMTP to send mail?

In any event if you are innocent then you should reformat your machine - reload your os - reload your software - update everything - secure everything and only then plug that little rj45 cable back in.

I am surprised bellsouth hasn't terminated you yet.

This is you (I left out the ones you don't need to worry about):

-------------------------------------------------------------------------------

+ CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.82.245.22

--------------------------------------------------------------------------------

+ SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2

Blocked - see http://www.spamcop.net/bl.shtml?65.82.245.22

--------------------------------------------------------------------------------

+ RSL VISI.com Relay Stop List : relays.visi.com -> 127.0.0.2

Mail from 65.82.245.22 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DSBLLIST Distributed Sender Boycott List: single-stage relays tested by trusted users: list.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?ip=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DSBLUNCONFIRMED Distributed Sender Boycott List: single-stage relays, multihop relays and listings by anonymous users: unconfirmed.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?ip=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ PSBL Passive spam Block List: psbl.surriel.com -> 127.0.0.2

Your mailserver hit a spamtrap, see http://psbl.surriel.com/listing?ip=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ UUINTRUDERS local bl at Uppsala University: intruders.docs.uu.se -> 127.0.0.2

--------------------------------------------------------------------------------

+ AHBL The Abusive Hosts Blocking List: dnsbl.ahbl.org -> 127.0.0.3

Open Proxy - http://www.ahbl.org/tools/lookup.php?ip=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ CSMA-SBL McFadden Associates, IPs of mailservers that send spam once in a short timefram: sbl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=65.82.245.22

--------------------------------------------------------------------------------

+ SORBS spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.2 -> 127.0.0.3

SOCKS Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=65.82.245.22

HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ SORBSHTTP List of Open HTTP Proxy Servers.: http.dnsbl.sorbs.net -> 127.0.0.2

HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ SORBSSOCKS List of Open SOCKS Proxy Servers.: socks.dnsbl.sorbs.net -> 127.0.0.3

SOCKS Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://dnsbl.net.au/lookup/?65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DNSBLAUDSBL Distributed Server Boycott List: dsbl.dnsbl.net.au -> 127.0.0.2

http://dsbl.org/listing?ip=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DNSBLAUSORBS External Block List - SORBS: sorbs.dnsbl.net.au -> 127.0.0.2

65.82.245.22 See http://www.dnsbl.sorbs.net/cgi-bin/lookup?NAME=65.82.245.22

[removal]

--------------------------------------------------------------------------------

+ DNSBLUCEPN External Block List - UCEPROTECT®-Network Project: ucepn.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://www.uceprotect.net/

[removal]

--------------------------------------------------------------------------------

+ DRBL-VOTE-INTER Distributed RBL node: inter.ru design studio and its customers: vote.drbl.inter.ru -> 127.0.0.2

blocked

due

spam.

Added

bu

postmaster[at]inter.ru

--------------------------------------------------------------------------------

+ DRBL-VOTE-GREMLIN Distributed RBL node: gremlin.ru: vote.drbl.gremlin.ru -> 127.0.0.2

spam source

--------------------------------------------------------------------------------

+ DRBL-WORK-GREMLIN Distributed RBL node: gremlin.ru: work.drbl.gremlin.ru -> 127.0.0.2

vote.drbl.gremlin.ru[at]ns.gremlin.ru:spam source

[Merlyn]

Also, you are running:

SMTP - 25 220 SERVER01.jdhcapital.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Fri, 4 Jun 2004 16:46:06 -0400

POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6487.0 (SERVER01.jdhcapital.local) ready.

Your services are open to abuse, you should apply all security measures.

Google for Microsoft SMTP Auth or someone else here can point you in the right direction.

[dave12345]

Merlyn,

To give you a little background;

This server has been up and running for two years without any problems. It is patched up to date. About two weeks ago the VPN just broke. I had a lot of trouble getting it back up and configured the routing and remote access per Microsoft instructions. Somebody over there set up a DMZ to the router and after I disabled that I was able to get off several blacklist. Spamcop removed the IP from their list but said there was a open socks proxy and a open http proxy. I have been all over the MS websites looking for info on closing them. I have posted in MS newsgroups. As of yet they have not responded on where I can find some info. It is all I can do to keep the spyware off of the user machines. I think this is where the problem is but I can't isolate the problem. I assure you that if I will correct the error as soon as I can figure out how.

[Merlyn]

I wish you much luck but you are in every major blocklist. Hopefully some of the pro's here will pipe in and assist.

I don't believe it is a user machine that has gone bad but this machine itself that is compromised.

[dave12345]

I just wanted to post an update. A deputy told me that I had an open socks proxy and an open http proxy. I found the http proxy in ISA and disabled it. I could not find the socks proxy. I disabled UPnP on my router. I took a look at Shields Up reports and they looked good. I then installed a port scanner on the computer and scanned my computer, the router, and another computer that has a port forwarded from the router. The ports listed by the deputy were not open. I also ran a virus scan on everything. I sent a e-mail to a deputy to ask for the IP to be tested since I can't find any software to test them myself.

Can anybody think of anything else I should do? Microsoft newgroups have not responded and I have web searched through a couple of batteries on my wireless mouse. Any suggestions will be greatly appreciated.

[WB8TYW]

From reading the gmane newsgroup that mirrors the DSBL.ORG mailing list, it appears that they have a number of links that may help.

It also apears that they have a e-mail address that you can send to have a test done on your system to see if it can find any problems.

It appears that there are two message thread with people apparently running the same mail software that have not yet discovered how their servers are being exploited.

-John

Personal Opinion Only

[dave12345]

I was told Sunday afternoon that the server has been spam free for over 30 hours. Hopefully that will be the end of it. I will check out the newsgroup mentioned and continue to research the problem. I am trying to talk the Boss into paying someone to do a security audit. Thanks for the help and understanding.

[Wazoo]

Good news that you've closed something down ... thanks from all of us on the receiving end <g> Keep up that good fight.

[Chris Parker]

I was told Sunday afternoon that the server has been spam free for over 30 hours.  Hopefully that will be the end of it.  I will check out the newsgroup mentioned and continue to research the problem.

You'll want to work to get off a few of the other more high profile lists.

dsbl.org

sorbs.net