kevin@miscorp.com, posted July 29, 2004:
My e-mail server is being "blocked" by SpamCop. None of the open relay testers have shown it to be an open relay, nor have I been able to get any kind of a message through it myself. But more than 48 hrs later, it is STILL being listed and I am still getting messages blocked. I would really like to know why this is still being listed, and where SpamCop is getting its information that I should be blocked?
Merlyn, posted July 29, 2004:
You are not an open relay. Your machine has been hacked. Google for "Exchange SMTP Auth Hack". Some spammer has more control of your machine than you do. Unplug it from the net and fix it before you plug it back in.
turetzsr, posted July 29, 2004:
> You are not an open relay. Your machine has been hacked. Google for "Exchange SMTP Auth Hack". Some spammer has more control of your machine than you do. Unplug it from the net and fix it before you plug it back in.
Hi, Merlyn, ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!
kevin@miscorp.com (author), posted July 29, 2004:
> Hi, Merlyn, ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!
Yeah, I would like to know that myself. That seems to be a rather generic answer (I have seen you make that exact statement elsewhere, word for word). I am only listed on SpamCop, so I don't think it is quite as you say. I would like some real help on this, not generic blanket statements, thanks.
Chris Parker, posted July 29, 2004:
mail.miscorp.com. -> miscorp13.miscorp.com. -> 209.157.165.159 (you've got some DNS issues that need to be resolved)
http://www.senderbase.org/?searchBy=ipaddr...209.157.165.159 ...indicates a huge increase in mail...
Telnet to 209.157.165.159:25 indicates that it's running Exchange. All those factors point to Exchange SMTP AUTH hack... (you could also send an email to deputies ( at ) spamcop.net and they may provide some additional information.)
Check your Exchange logs to see what accounts have been sending mass quantities of mail. Make sure that all accounts have strong passwords. Disable any unused role accounts.
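Chris Parker's advice to check the Exchange logs for accounts sending mass quantities of mail, as an added example that is not code from this thread, from SpamCop or from Microsoft: a Python triage script that aggregates a submission log per authenticated account and flags the ones whose volume or fan-out stands out. The tab-separated log layout, the field names, the thresholds and the sample lines are all constructed assumptions; real Exchange message-tracking logs have their own columns, so `parse_line` is the part to adapt.

```python
"""Per-account triage of an SMTP submission log.

Added example, not code from the thread, SpamCop or Microsoft.  The log
layout is a constructed assumption: one tab-separated line per accepted
submission with timestamp, authenticated account, MAIL FROM address,
recipient count and client IP.  Real Exchange message-tracking logs use
their own columns, so `parse_line` is the function to adapt.
"""
from collections import defaultdict

# Constructed sample log: a service account submitting hundreds of
# recipients per message from an unfamiliar address, beside normal users.
SAMPLE_LOG = """\
2004-07-28T02:11:04\tsvc_backup\tsvc_backup@example.test\t250\t203.0.113.7
2004-07-28T02:11:09\tsvc_backup\tsvc_backup@example.test\t250\t203.0.113.7
2004-07-28T02:11:15\tsvc_backup\tsvc_backup@example.test\t250\t203.0.113.7
2004-07-28T08:30:00\tkevin\tkevin@example.test\t3\t192.0.2.10
2004-07-28T09:02:41\tmaria\tmaria@example.test\t1\t192.0.2.11
2004-07-28T09:15:12\tkevin\tkevin@example.test\t2\t192.0.2.10
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, account, sender, rcpts, client_ip = line.rstrip("\n").split("\t")
    return {"ts": ts, "account": account, "sender": sender,
            "rcpts": int(rcpts), "client_ip": client_ip}


def summarize(log_text):
    """Aggregate messages, recipients and source IPs per authenticated account."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        acct = stats[rec["account"]]
        acct["messages"] += 1
        acct["recipients"] += rec["rcpts"]
        acct["client_ips"].add(rec["client_ip"])
    return dict(stats)


def flag_accounts(stats, max_recipients=100, max_per_message=50):
    """Return accounts whose volume or fan-out exceeds the (assumed) thresholds.

    Fan-out is recipients per message; a stolen credential used for bulk
    mail typically shows both a high total and a high fan-out.
    """
    flagged = []
    for account, s in stats.items():
        fan_out = s["recipients"] / s["messages"]
        if s["recipients"] > max_recipients or fan_out > max_per_message:
            flagged.append(account)
    return sorted(flagged)


def report(log_text):
    """Human-readable summary; flagged accounts are the ones to reset first."""
    stats = summarize(log_text)
    lines = []
    for account in sorted(stats):
        s = stats[account]
        lines.append(f"{account:12s} msgs={s['messages']:4d} rcpts={s['recipients']:5d} "
                     f"ips={','.join(sorted(s['client_ips']))}")
    lines.append("flagged: " + ", ".join(flag_accounts(stats)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The source IP column is kept on purpose: an account whose submissions arrive from an address its owner never uses is as strong a signal as the recipient count, and it is the first thing to compare against the account owner's real workstation before the password is reset and the account is disabled.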
Merlyn, posted July 29, 2004:
> Hi, Merlyn, ...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!
You want me to give away all my secrets??? As Holmes would say, it's right under your nose, my dear Mr. Watson!
turetzsr, posted July 29, 2004:
> You want me to give away all my secrets???
...Sure, then you'll have more help replying sensibly to people needing help!! <big g>
> As Holmes would say, it's right under your nose, my dear Mr. Watson!
...Ah, well there's my problem: I'm Jewish and have the nose to prove it! <g>
...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....
Merlyn, posted July 29, 2004:
> ...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....
I took the email addy he was using as his name: miscorp.com

miscorp.com to 209.157.165.182 to 209.157.165.183 to 10.13.11.10 to 209.157.165.180 to 209.157.165.181
miscorp.com has 2 MX records
puncheon.miscorp.com.(30)
mail.miscorp.com.(5)
Resolved mail.miscorp.com to miscorp13.miscorp.com. to 209.157.165.159

SPAMCOP
SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2
Blocked - see http://www.spamcop.net/bl.shtml?209.157.165.159
Which also happened to hit a spamtrap at NOMOREFUNN, the local bl at moensted.dk

Then I checked the email server:

SMTP - 25
220 miscorp13.miscorp.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 29 Jul 2004 14:52:22 -0700

POP3 - 110
+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (miscorp13.miscorp.com) ready.

And if you want more info:

FTP - 21
Error: ConnectionRefused

HTTP - 80
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 29 Jul 2004 21:52:22 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBDSRS=KHHNNPFDLEAHHJFNDFEGFFAI; path=/
Cache-control: private

NNTP - 119
200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

Then, looking at their email version, I maybe went too far, but due to the version, which has a strange quality of getting itself into trouble, I guessed it was an SMTP AUTH hack. There are patches they did not apply, and if they did, they were still susceptible to it. He asked for help about his server, and this one matched perfectly.
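Merlyn's blocklist check above (resolve the domain's mail host, query bl.spamcop.net for the reversed IP, read the 127.0.0.2 answer) as an added example that is not code from this thread or from SpamCop: a Python helper that builds the DNSBL query name from an IPv4 address and interprets the reply. It uses only the standard library. The `resolver` parameter is an assumption made so the logic can be exercised offline, the "answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed" rule is the general DNSBL convention rather than anything SpamCop-specific, and the address and zone in the `__main__` block are the ones from the thread.

```python
"""DNSBL lookup helper: reversed-octet query name plus answer interpretation.

Added example, not code from the thread or from SpamCop.  Assumptions:
a DNSBL answers an A record in 127.0.0.0/8 when the IP is listed and
NXDOMAIN (a resolver error) when it is not; the `resolver` argument is
injected so the logic can be exercised without network access.
"""
import ipaddress
import socket


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build '<d>.<c>.<b>.<a>.<zone>' for the IPv4 address a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer):
    """Map the lookup result to a verdict string."""
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"listed (code {answer})"
    # Anything outside 127/8 is not a listing code; treat it as unreliable
    # (e.g. a wildcard answer from a captive or misconfigured resolver).
    return f"unexpected answer {answer}"


def check_listing(ip, zone="bl.spamcop.net", resolver=socket.gethostbyname):
    """Look the address up in the zone and return (query_name, verdict)."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolver(name)
    except OSError:                           # socket.gaierror covers NXDOMAIN
        answer = None
    return name, interpret_answer(answer)


if __name__ == "__main__":
    # The address and zone from the thread; this performs a live DNS query.
    print(check_listing("209.157.165.159"))
```

The "unexpected answer" branch matters in practice: some resolvers and captive portals answer every name, and a naive "any answer means listed" check would then report every address as blocked.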
turetzsr, posted July 29, 2004:
> I took the email addy he was using as his name: miscorp.com
...Okay, that's what I was afraid of (see quote from me, above). <g>
Merlyn, posted July 30, 2004:
> ...Okay, that's what I was afraid of (see quote from me, above). <g>
Oops, I should have just said yes.
Ellen, posted July 30, 2004:
> [Merlyn's DNS, blocklist and server banner checks, quoted in full above]
Yes, looks like the Exchange SMTP-AUTH hack.
Merlyn, posted July 30, 2004:
> Yes, looks like the Exchange SMTP-AUTH hack.
Wow, thanks Ellen. <Panic> Wipes sweat from his brow </Panic>