Jump to content

Blocked E-mail?

kevin@miscorp.com

Recommended Posts

kevin@miscorp.com Newbie

kevin@miscorp.com

Posted
Posted

My e-mail server is being "blocked" by SpamCop. None of the open relay testers have shown it to be an open relay, nor have I been able to get any kind of a message through it myself. But more than 48hrs later, it is STILL being listed and I am still getting messages blocked. I would really like to know why this is still being listed, and where SpamCop is getting its information that I should be blocked?

Link to comment
Share on other sites
turetzsr What Life?

turetzsr

Posted
Posted
You are not an open relay.  Your machine has been hacked.

Google for "Exchange SMTP Auth Hack"

Some spammer has more control of your machine than you do.

Unplug it from the net and fix it before you plug it back in

14215[/snapback]

Hi, Merlyn,

...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?! :unsure:

Link to comment
Share on other sites
kevin@miscorp.com Newbie

kevin@miscorp.com

Posted
  • Author
Posted
Hi, Merlyn,

...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!  :unsure:

14216[/snapback]

Yeah, I would like to know that myself. That seems to be a rather generic answer (I have seen you make that exact statement else where, word for word). I am only listed on SpamCop, so I don't think it is quite as you say. I would like some real help on this, not generic blanket statements, thanks.

Link to comment
Share on other sites
Chris Parker Advanced Member

Chris Parker

Posted
Posted

mail.miscorp.com.->miscorp13.miscorp.com.->209.157.165.159

(you've got some DNS issues that need to be resolved)

http://www.senderbase.org/?searchBy=ipaddr...209.157.165.159

...indicates a huge increase in mail...

Telnet to 209.157.165.159:25 indicates that it's running Exchange.

All those factors point to Exchange SMTP AUTH hack...

(you could also send an email to deputies ( at ) spamcop.net and they may provide some additional information.)

Check your Exchange logs to see what accounts have been sending mass quantities of mail. Make sure that all accounts have strong passwords. Disable any unused role accounts.

Link to comment
Share on other sites
Merlyn Been There

Merlyn

Posted
Posted
Hi, Merlyn,

...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!  :unsure:

14216[/snapback]

You want me to give away all my secrets???

As Holmes would say, It's right under your nose my dear Mr. Watson!

Link to comment
Share on other sites
turetzsr What Life?

turetzsr

Posted
Posted
Hi, Merlyn,

...Now, how in the world were you able to discover that when the OP didn't have any reference to the identity of a server at all?!?!

You want me to give away all my secrets???
...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>

As Holmes would say, It's right under your nose my dear Mr. Watson!

14255[/snapback]

...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>

...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....

Link to comment
Share on other sites
Merlyn Been There

Merlyn

Posted
Posted

You want me to give away all my secrets???

...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>

...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>

...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....

14258[/snapback]

I took the wmail addy he was using as his name: miscorp.com

miscorp.com to 209.157.165.182 to 209.157.165.183 to 10.13.11.10 to 209.157.165.180 to 209.157.165.181

miscorp.com has 2 MX records puncheon.miscorp.com.(30) mail.miscorp.com.(5)

Resolved mail.miscorp.com to miscorp13.miscorp.com. to 209.157.165.159

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2 Blocked - see http://www.spamcop.net/bl.shtml?209.157.165.159

Which also happened to hit a spamtrap at NOMOREFUNN the local bl at moensted.dk

Then I checked the email server

SMTP - 25 220 miscorp13.miscorp.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 29 Jul 2004 14:52:22 -0700

POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (miscorp13.miscorp.com) ready.

And if you want more info:

FTP - 21 Error: ConnectionRefused

HTTP - 80 HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Thu, 29 Jul 2004 21:52:22 GMT

Connection: Keep-Alive

Content-Length: 1270

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCACBDSRS=KHHNNPFDLEAHHJFNDFEGFFAI; path=/

Cache-control: private

NNTP - 119 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

Then Looking at their email version I maybe went too far but assumed due the version which has a strange quality of getting itsef into troube guessed it was an SMTP AUTH hack.

There are patches they did not apply and if they did they were still suspect to it.

If he asked for help about his server and this one matched perfectly.

Link to comment
Share on other sites
turetzsr What Life?

turetzsr

Posted
Posted
...You're not relying on the OP's handle, are you?  For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....

14258[/snapback]

I took the wmail addy he was using as his name: miscorp.com

...Okay, that's what I was afraid of (see quote from me, above). :) <g>
Link to comment
Share on other sites
Ellen Advanced Member

Ellen

Posted
Posted

...Sure, then you'll have more help replying sensibly to people needing help!! :D <big g>

...Ah, well there's my problem: I'm Jewish and have the nose to prove it! :) <g>

...You're not relying on the OP's handle, are you? For all we know, the OP could really be julian<at>spamcop.net and just used <whatever><at>miscorp<dot>com to play with us....

14258[/snapback]

I took the wmail addy he was using as his name: miscorp.com

miscorp.com to 209.157.165.182 to 209.157.165.183 to 10.13.11.10 to 209.157.165.180 to 209.157.165.181

miscorp.com has 2 MX records puncheon.miscorp.com.(30) mail.miscorp.com.(5)

Resolved mail.miscorp.com to miscorp13.miscorp.com. to 209.157.165.159

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2 Blocked - see http://www.spamcop.net/bl.shtml?209.157.165.159

Which also happened to hit a spamtrap at NOMOREFUNN the local bl at moensted.dk

Then I checked the email server

SMTP - 25 220 miscorp13.miscorp.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 29 Jul 2004 14:52:22 -0700

POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (miscorp13.miscorp.com) ready.

And if you want more info:

FTP - 21 Error: ConnectionRefused

HTTP - 80 HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Thu, 29 Jul 2004 21:52:22 GMT

Connection: Keep-Alive

Content-Length: 1270

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCACBDSRS=KHHNNPFDLEAHHJFNDFEGFFAI; path=/

Cache-control: private

NNTP - 119 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

Then Looking at their email version I maybe went too far but assumed due the version which has a strange quality of getting itsef into troube guessed it was an SMTP AUTH hack.

There are patches they did not apply and if they did they were still suspect to it.

If he asked for help about his server and this one matched perfectly.

14259[/snapback]

Yes looks like the exchange smtp-auth hack.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...