mkern, posted October 7, 2004

    207.43.104.17 listed in bl.spamcop.net (127.0.0.2)
    Causes of listing:
      System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
      SpamCop users have reported system as a source of spam less than 10 times in the past week
    Additional potential problems (these factors do not directly result in spamcop listing)
    Listing History:
      In the past 250.1 days, it has been listed 11 times for a total of 38.0 days

I have been having on-again, off-again problems with being tossed into this blacklist. I have been trying to verify any open relay issues I might have and following through FAQs and procedures to secure the mail server. From basic testing it appears not to be relaying. I am trying to nail down what exactly my system is sending that causes the spam traps to go off; I checked the increase in usage in the report and it seems today alone has gone up. What exactly can I do to verify that the relay is closed and find out exactly what is causing me to be on this blacklist? Any help is appreciated, as this is starting to be a pain.

Upon some further testing it appears the server may be accepting relays. I'm getting mixed responses on testing. I followed the Exchange 5.5 guides to closing the relay. Does anyone have any further info that might help?
turetzsr, posted October 7, 2004

Hi, mkern,

...Welcome, and thanks for trying to address this problem.

...Here are some references that may (or may not; I'm not an Exchange admin, myself) help you:

    SpamCop FAQ: But my Exchange 2000 server is secured against relay...
    Windows & .NET Magazine: A New Kind of Attack
    Windows & .NET Magazine: Exchange Server SMTP AUTH Attacks

...As far as the "spam traps" are concerned, only the SpamCop deputies have detailed information about that. You can reach them by sending an e-mail to deputies <at> spamcop <dot> net.

...Good luck!
GraemeL, posted October 7, 2004

> Upon some further testing it appears the server may be accepting relays. I'm getting mixed responses on testing. I followed the Exchange 5.5 guides to closing the relay. Does anyone have any further info that might help?

I tried to connect to the box, but it looks like you took it offline, as it's currently refusing port 25 connections. Good initial solution to limit the damage.

As it's Exchange, you may be vulnerable to the SMTP AUTH exploit. If you don't need remote users to authenticate to the server to send mail, then disable SMTP AUTH. If you do require it to be available, then disable all unused local accounts (guest, test, info...) on the box. Change the passwords on all other local accounts to be on the safe side.

If you're reading the pinned FAQ threads, then you're heading in the right direction.
mkern, posted October 7, 2004

> I tried to connect to the box, but it looks like you took it offline, as it's currently refusing port 25 connections. Good initial solution to limit the damage. As it's Exchange, you may be vulnerable to the SMTP AUTH exploit. If you don't need remote users to authenticate to the server to send mail, then disable SMTP AUTH. If you do require it to be available, then disable all unused local accounts (guest, test, info...) on the box. Change the passwords on all other local accounts to be on the safe side. If you're reading the pinned FAQ threads, then you're heading in the right direction.

I took it offline just a few minutes ago to reboot the server. I applied an Exchange 5.5 patch. It will be back online shortly. I have about 5-6 users in the field that require POP3 remote access. I have disabled guest and looked through the user accounts and did not notice any others outstanding that needed to be disabled.

Is there a way to identify, log-wise, which accounts might be being used to transmit mail, if that is in fact the problem? After looking through some of the logs it does seem that mail is getting spammed through the queues. I'm not sure where/who it is originating from. There are 50-60+ users on the domain, so changing every email account password is a quite lengthy process. It would be easier and more efficient if there was a way I could identify the user.

I have read through the FAQs and Microsoft articles and have done what they suggested, but it doesn't seem to fix the problem. I will let you know when the server is back online so that you can possibly assist further.
Wazoo, posted October 7, 2004

I'm just so curious why all these types of posts of late all start with "my server doesn't relay" ... anyway, taking one more step from the SpamCopBL page and heading over to SenderBase land, http://www.senderbase.org/?searchBy=ipaddr...g=207.43.104.17 ... one sees data that suggests the more standard (these days) SMTP AUTH hack going on ... (primarily based on the "first seen" date being so long ago, ruling out the "new server" scenario)

    Report on IP address: 207.43.104.17
    Volume Statistics for this IP
                    Magnitude   Vol Change vs. Average
    Last day        3.2         127%
    Last 30 days    3.5         426%
    Average         2.8
Merlyn, posted October 7, 2004

You should check for the SMTP AUTH hack. You should also get some professional help setting your server up. On the 10 domains you are hosting so far, some are very insecure. Directories on erased are wide open and scripts are available to the public. For example:

    dump.c                11-Dec-2000 16:15   2.3K
    examples/             13-Apr-2003 18:30   -
    man.c                 20-Jan-2001 00:38   1.5K
    melangex.c            25-Apr-2003 00:42   9.5K
    su-ex.c               15-Jun-2001 19:09   769
    super-ex.c

Why would anyone want to have example exploit scripts?

    asmexp.s              23-Jul-2002 04:30   1.1K
    asmvuln.c             23-Jul-2002 04:31   482
    awk-ex.c              15-Mar-2002 12:07   936
    elm.c                 21-Jun-2001 16:43   1.0K
    format_remote_ex.c    13-Apr-2003 18:30   7.3K
    format_remote_vuln.c  11-Apr-2003 16:44   1.8K
    remote_ex.c           05-Dec-2001 17:59   4.5K
    remotevuln.c          05-Dec-2001 18:00   2.1K

There are some other problems with your system also. You should secure this machine and set it up properly before exposing it to the public. Hope this helps.
GraemeL, posted October 7, 2004

> Is there a way to identify, log-wise, which accounts might be being used to transmit mail, if that is in fact the problem? After looking through some of the logs it does seem that mail is getting spammed through the queues. I'm not sure where/who it is originating from. There are 50-60+ users on the domain, so changing every email account password is a quite lengthy process. It would be easier and more efficient if there was a way I could identify the user.

The last link supplied by turetzsr has directions on how to find the compromised account:

> To determine which account the spammer is using to relay email, you first need to turn up logging on your Exchange Server. Open ESM and go to Organization, Administrative Groups, Organizational Unit, Servers and right-click Server Name, Properties, and click the Diagnostics Logging tab. In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level to maximum for all of the categories: Routing Engine, Categorizer, Connection Manager, Queuing Engine, Exchange Store Driver, SMTP protocol, and NTFS store driver. Check the event log; you should see an event with the Auth command and User ID when anyone authenticates to the mail server.

> I have read through the FAQs and Microsoft articles and have done what they suggested, but it doesn't seem to fix the problem. I will let you know when the server is back online so that you can possibly assist further.

My own tests aren't as comprehensive as the ones the spammers seem to be performing. I test a list of around 10 user IDs with the default, the username or null as the password. So even if I do test it, I probably only get a spammer-compromised server to relay for me around 50% of the time. I'll run some tests when I see the box online, but logging is your best bet.
mkern, posted October 7, 2004

> I'm just so curious why all these types of posts of late all start with "my server doesn't relay" ... anyway, taking one more step from the SpamCopBL page and heading over to SenderBase land, http://www.senderbase.org/?searchBy=ipaddr...g=207.43.104.17 ... one sees data that suggests the more standard (these days) SMTP AUTH hack going on ... (primarily based on the "first seen" date being so long ago, ruling out the "new server" scenario)
>
>     Report on IP address: 207.43.104.17
>     Volume Statistics for this IP
>                     Magnitude   Vol Change vs. Average
>     Last day        3.2         127%
>     Last 30 days    3.5         426%
>     Average         2.8

Well, doing the basic testing it appears not to relay; then doing various other testing it appears that it could. I have done everything I can read up on via the articles, and they're pretty basic things. Click this, click that. Should be fixed; do this and it is or isn't. Then you do it and it appears fine by Microsoft, then further testing from various open relay testers gives all sorts of mixed results.

The only blacklist that seemed to include me was SpamCop. I looked it up and it says it's possible that autoresponders (assuming the virus detection/out of office replies) were causing it. I disabled those and the problem seemed to go away; then lately a few users had reported not being able to send mail to certain people. In the past the kickback was bl.spamcop.net etc. However, lately it's been "user unknown" even when it's a legit user. Come to find out, that's how a lot of email servers are kicking the error back. So now that it seems to be more of an issue and work-stopping related, I did more research on it.

If it is in fact the SMTP AUTH hack, and there are passwords being manipulated, is there any way to actually find out what user is being used?
mkern, posted October 7, 2004

> Merlyn, Oct 7 2004, 03:12 PM: You should check for the SMTP AUTH hack. You should also get some professional help setting your server up. On the 10 domains you are hosting so far, some are very insecure. Directories on erased are wide open and scripts are available to the public. For example:
>
>     dump.c                11-Dec-2000 16:15   2.3K
>     examples/             13-Apr-2003 18:30   -
>     man.c                 20-Jan-2001 00:38   1.5K
>     melangex.c            25-Apr-2003 00:42   9.5K
>     su-ex.c               15-Jun-2001 19:09   769
>     super-ex.c

There are various different servers being run on those domains, some controlled by myself, some by others. If you could be more specific about which domains/servers you located a problem under, I could look into what you found further. The specific server in question is 207.43.104.3 (the actual mail server); the IP that gets logged is 207.43.104.17, which is a Linux machine sitting in between the mail server and the internet. I'm not sure which servers/server you noticed the problem with; it could be that the issue you noticed is with a specific server which could be totally unrelated to the issue at hand but still a problem. Maybe you could PM me or post the specifics here.

> Why would anyone want to have example exploit scripts?
>
>     asmexp.s              23-Jul-2002 04:30   1.1K
>     asmvuln.c             23-Jul-2002 04:31   482
>     awk-ex.c              15-Mar-2002 12:07   936
>     elm.c                 21-Jun-2001 16:43   1.0K
>     format_remote_ex.c    13-Apr-2003 18:30   7.3K
>     format_remote_vuln.c  11-Apr-2003 16:44   1.8K
>     remote_ex.c           05-Dec-2001 17:59   4.5K
>     remotevuln.c          05-Dec-2001 18:00   2.1K
>
> There are some other problems with your system also. You should secure this machine and set it up properly before exposing it to the public.

Any reason I would have anything like that would be for internal testing purposes, to verify if the internal machines are vulnerable to said exploits. I have another admin handle any Linux testing like that. They look quite old, so it's possible they were from past issues. Were these from a website or something a user is hosting, or were you able to get into the system somehow, via an insecure FTP maybe? It sounds like there is another server, other than the one being discussed, that has serious issues. If you could give more information on what you found I can then assess that more carefully. Thanks for the input in general.
mkern, posted October 7, 2004

> The last link supplied by turetzsr has directions on how to find the compromised account:
>
> > To determine which account the spammer is using to relay email, you first need to turn up logging on your Exchange Server. Open ESM and go to Organization, Administrative Groups, Organizational Unit, Servers and right-click Server Name, Properties, and click the Diagnostics Logging tab. In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level to maximum for all of the categories: Routing Engine, Categorizer, Connection Manager, Queuing Engine, Exchange Store Driver, SMTP protocol, and NTFS store driver. Check the event log; you should see an event with the Auth command and User ID when anyone authenticates to the mail server.
>
> My own tests aren't as comprehensive as the ones the spammers seem to be performing. I test a list of around 10 user IDs with the default, the username or null as the password. So even if I do test it, I probably only get a spammer-compromised server to relay for me around 50% of the time. I'll run some tests when I see the box online, but logging is your best bet.

The box is online and I have turned logging on to maximum. Let me know what you find out and I will check logging as well to see if I can iron out which users are being manipulated.
GraemeL, posted October 7, 2004

> The box is online and I have turned logging on to maximum. Let me know what you find out and I will check logging as well to see if I can iron out which users are being manipulated.

    $ telnet 207.43.104.17 25
    Trying 207.43.104.17...
    telnet: connect to address 207.43.104.17: Connection refused
Merlyn, posted October 7, 2004

> The only blacklist that seemed to include me was SpamCop. I looked it up and it says it's possible that autoresponders (assuming the virus detection/out of office replies) were causing it.

You are also in the PSBL Passive Spam Block List:

    psbl.surriel.com -> 127.0.0.2
    Listed in PSBL, see http://psbl.surriel.com/listing?ip=207.43.104.17

Spam from a couple of days ago, and it is not an autoresponder, it is spam..... Here are example headers:

    From satinborderland[at]prodigy.net Sun Oct 03 21:08:17 2004
    Delivery-date: Sun, 03 Oct 2004 21:08:17 -0400
    Received: from [207.43.104.17] (helo=acg5.acg)
        by mail.victim.example with esmtp (Exim 4.41)
        id 1CDPKK-0000Aq-Ow
        for psbltrap[at]kernelnewbies.nl; Fri, 01 Oct 2004 11:28:13 -0400
    Received: from hydrophobic (192.168.0.17 [192.168.0.17]) by acg5.acg with SMTP
        (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
        id SCP3AFYA; Fri, 1 Oct 2004 10:31:44 -0500
    From: "Massis Bayot"<satinborderland[at]prodigy.net>
    To: psbltrap[at]kernelnewbies.nl
    Subject: BUY MED AT VERY |0W|1lY PRl|CE
    Mime-Version: 1.0
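The Received chain in those headers is the evidence worth reading closely. The outer hop records 207.43.104.17 handing the message to the trap's MX; the inner hop, stamped by the Exchange 5.5 Internet Mail Service on acg5.acg, records the submitter as 192.168.0.17. Walking the chain from the earliest hop upward to the first server you control is how you find the host or session that injected the message, because everything below that hop was written by the sender and can be forged. The Python below is an added example, not code from the thread or any of its posters. Its input is the header block quoted above, reconstructed as constructed sample data with the [at] restored, and it assumes acg5.acg is the only host under your control.

```python
import ipaddress
import re

# Constructed sample input: the PSBL evidence headers quoted in the thread,
# refolded into a raw header block with "[at]" restored to "@".
SAMPLE_HEADERS = (
    "Received: from [207.43.104.17] (helo=acg5.acg)\n"
    "\tby mail.victim.example with esmtp (Exim 4.41) id 1CDPKK-0000Aq-Ow\n"
    "\tfor psbltrap@kernelnewbies.nl; Fri, 01 Oct 2004 11:28:13 -0400\n"
    "Received: from hydrophobic (192.168.0.17 [192.168.0.17]) by acg5.acg with SMTP\n"
    "\t(Microsoft Exchange Internet Mail Service Version 5.5.2653.13)\n"
    "\tid SCP3AFYA; Fri, 1 Oct 2004 10:31:44 -0500\n"
    'From: "Massis Bayot"<satinborderland@prodigy.net>\n'
    "To: psbltrap@kernelnewbies.nl\n"
    "Subject: BUY MED AT VERY |0W|1lY PRl|CE\n"
)

# "from <name> (<comment>) by <host>"; the comment usually carries the peer IP.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 2822 continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value):
    """Extract the claimed peer name, its IP (if any) and the receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_match = IPV4_RE.search(m.group("name") + " " + (m.group("comment") or ""))
    return {"from": m.group("name").strip("[]"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by")}


def hop_chain(raw):
    """Received hops in delivery order: the earliest (bottom-most) hop first."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n == "received"]
    return [h for h in reversed(hops) if h]


def find_injection_point(raw, our_hosts):
    """First hop stamped by a server we control. Hops below it were written by
    the submitter and are untrusted; the IP recorded here is who handed the
    message to us. Also reports whether that IP is RFC 1918 private space."""
    ours = {h.lower() for h in our_hosts}
    for hop in hop_chain(raw):
        if hop["by"].lower() in ours:
            private = bool(hop["ip"]) and ipaddress.ip_address(hop["ip"]).is_private
            return dict(hop, private=private)
    return None


if __name__ == "__main__":
    for hop in hop_chain(SAMPLE_HEADERS):
        print("from %-14s ip %-14s by %s" % (hop["from"], hop["ip"], hop["by"]))
    print(find_injection_point(SAMPLE_HEADERS, ["acg5.acg"]))
```

On this input the injection point is a private address, 192.168.0.17, claiming the name hydrophobic. One caveat before treating that as an infected desktop: the thread describes 207.43.104.17 as a Linux box sitting between the Exchange server and the internet. If that box forwards or NATs port 25, 192.168.0.17 may simply be its inside interface, and every external SMTP AUTH session would be stamped with the same address. In that case the headers alone cannot separate an internal host from an abused account, and the per-session authentication logging discussed elsewhere in the thread is the next step.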
GraemeL, posted October 7, 2004

I decided that we were seeing this problem too much. I now have a Perl script that tests for the SMTP AUTH exploit. It uses a list of 17 users and 23 passwords gathered from various sources.
Merlyn, posted October 8, 2004

> I decided that we were seeing this problem too much. I now have a Perl script that tests for the SMTP AUTH exploit. It uses a list of 17 users and 23 passwords gathered from various sources.

I assume that is without passwords also???
GraemeL, posted October 8, 2004

> I assume that is without passwords also???

Of course. It also embeds the username being tested in several.

<aside> The guy with the null administrator password a few days ago still hasn't fixed it. </aside>
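GraemeL's description here and earlier in the thread (a list of user IDs, each tried with a null password, the username itself and a default) is the whole of the SMTP AUTH check, and it is the same SMTP dialogue a relay test uses, minus the AUTH step. The ESM procedure quoted earlier in the thread is Exchange 2000's (Exchange 5.5 has no Exchange System Manager), which is one reason a probe from outside is handy: it needs no server-side logging at all. The Python below is an added example, not GraemeL's script or anything else from the thread. It speaks AUTH LOGIN and an outside-to-outside RCPT to a server and reports which accounts accept a weak password and whether mail relays without authentication. So that it runs offline it also carries a constructed mock server that behaves like the misconfiguration the thread describes (relay only after AUTH, but an info account with an empty password); the account names, the password list and the mock are assumptions, not anything observed on the thread's servers. Point the probe functions only at servers you administer.

```python
import base64
import socket
import socketserver
import threading


def candidate_passwords(user):
    # Assumed probe list in the spirit of the thread: null, the username, one default.
    return ["", user, "password"]


class MockExchangeHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in: relays only after AUTH LOGIN, but 'info' has an empty password."""
    ACCOUNTS = {"info": "", "mkern": "correct horse battery staple"}  # assumed
    LOCAL_DOMAIN = "acg5.acg"

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def readline(self):
        return self.rfile.readline().decode(errors="replace").rstrip("\r\n")

    def handle(self):
        authed = False
        self.send("220 acg5.acg ESMTP mock")
        while True:
            line = self.readline()
            if not line:
                return
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.send("250-acg5.acg")
                self.send("250 AUTH LOGIN")
            elif cmd == "AUTH":
                self.send("334 VXNlcm5hbWU6")  # base64 "Username:"
                user = base64.b64decode(self.readline()).decode()
                self.send("334 UGFzc3dvcmQ6")  # base64 "Password:"
                password = base64.b64decode(self.readline()).decode()
                authed = self.ACCOUNTS.get(user) == password
                self.send("235 authenticated" if authed else "535 authentication failed")
            elif cmd == "MAIL":
                self.send("250 sender ok")
            elif cmd == "RCPT":
                local = arg.lower().endswith("@" + self.LOCAL_DOMAIN + ">")
                self.send("250 recipient ok" if authed or local else "550 relaying denied")
            elif cmd == "QUIT":
                self.send("221 closing")
                return
            else:
                self.send("500 command unrecognised")


def start_mock_server():
    """Serve the mock on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockExchangeHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def smtp_session(host, port, commands):
    """Send commands in order over one connection; return each reply's 3-digit code."""
    codes = []
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")

        def reply():  # consume "250-..." continuation lines up to the final "250 " line
            while True:
                line = reader.readline().decode(errors="replace")
                if not line or line[3:4] != "-":
                    return line[:3]

        reply()  # banner
        for command in commands + ["QUIT"]:
            sock.sendall((command + "\r\n").encode())
            codes.append(reply())
    return codes[:-1]  # drop the QUIT reply


def relays_unauthenticated(host, port):
    """True if an outside sender may reach an outside recipient with no AUTH."""
    codes = smtp_session(host, port, ["EHLO audit.example",
                                      "MAIL FROM:<probe@outside.example>",
                                      "RCPT TO:<trap@elsewhere.example>"])
    return codes[-1] == "250"


def auth_login(host, port, user, password):
    """True if the server accepts user/password via AUTH LOGIN."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    codes = smtp_session(host, port, ["EHLO audit.example", "AUTH LOGIN", b64(user), b64(password)])
    return codes[-1] == "235"


def weak_auth_accounts(host, port, users):
    """(user, password) pairs the server accepted from the candidate list."""
    return [(u, p) for u in users for p in candidate_passwords(u) if auth_login(host, port, u, p)]


if __name__ == "__main__":
    server, port = start_mock_server()
    print("relays without AUTH:", relays_unauthenticated("127.0.0.1", port))
    print("weak accounts:", weak_auth_accounts("127.0.0.1", port, ["guest", "test", "info", "mkern"]))
    server.shutdown()
```

Against the mock the relay test comes back clean, which is exactly the "my server doesn't relay" result the thread keeps seeing, while the AUTH sweep finds info with a null password. That is the point of testing both: a closed relay says nothing about whether a weak account turns the server into one.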
dbiel, posted October 8, 2004

> As it's Exchange, you may be vulnerable to the SMTP AUTH exploit. If you don't need remote users to authenticate to the server to send mail, then disable SMTP AUTH. If you do require it to be available, then disable all unused local accounts (guest, test, info...) on the box. Change the passwords on all other local accounts to be on the safe side.

Your reply seems to indicate a lack of understanding of what is required:

> I have about 5-6 users in the field that require POP3 remote access.

POP3 is used to access mail only, not to send mail. SMTP is used to send mail. For example, SpamCop's email service does not allow for external SMTP access, but permits complete POP3 and IMAP access.
Merlyn, posted October 8, 2004

mkern, if or when you ever come back, you should go into your IIS snap-in and uncheck directory browsing under the Home Directory tab for the two out of the ten sites that are still up and running.
mkern, posted October 8, 2004

>     $ telnet 207.43.104.17 25
>     Trying 207.43.104.17...
>     telnet: connect to address 207.43.104.17: Connection refused

Email server is 207.43.104.3.
mkern, posted October 8, 2004

> You are also in the PSBL Passive Spam Block List:
>
>     psbl.surriel.com -> 127.0.0.2
>     Listed in PSBL, see http://psbl.surriel.com/listing?ip=207.43.104.17
>
> Spam from a couple of days ago, and it is not an autoresponder, it is spam..... Here are example headers:
>
>     From satinborderland[at]prodigy.net Sun Oct 03 21:08:17 2004
>     Delivery-date: Sun, 03 Oct 2004 21:08:17 -0400
>     Received: from [207.43.104.17] (helo=acg5.acg)
>         by mail.victim.example with esmtp (Exim 4.41)
>         id 1CDPKK-0000Aq-Ow
>         for psbltrap[at]kernelnewbies.nl; Fri, 01 Oct 2004 11:28:13 -0400
>     Received: from hydrophobic (192.168.0.17 [192.168.0.17]) by acg5.acg with SMTP
>         (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
>         id SCP3AFYA; Fri, 1 Oct 2004 10:31:44 -0500
>     From: "Massis Bayot"<satinborderland[at]prodigy.net>
>     To: psbltrap[at]kernelnewbies.nl
>     Subject: BUY MED AT VERY |0W|1lY PRl|CE
>     Mime-Version: 1.0

Thanks for more info. I also got an email back from the SpamCop people with an evidence email; I'm trying to figure out which user it is originating from now.
mkern, posted October 8, 2004

> Your reply seems to indicate a lack of understanding of what is required. POP3 is used to access mail only, not to send mail. SMTP is used to send mail. For example, SpamCop's email service does not allow for external SMTP access, but permits complete POP3 and IMAP access.

I just misread what you said. I see what you're saying now. Sorry for the misunderstanding. I read "remote users" and "access", overlooking the fact of them needing to send outbound via us (SMTP). As it is right now the POP3 users are generally not using our SMTP server to send mail out; they're using their ISP's outbound SMTP. I will look into where SMTP AUTH is being enabled and start from there.
mkern, posted October 8, 2004

> mkern, if or when you ever come back, you should go into your IIS snap-in and uncheck directory browsing under the Home Directory tab for the two out of the ten sites that are still up and running.

There should not be 10 sites being hosted on this server; the only actual site is the acg-us.com web access. However, you may be referring to other sites hosted on other servers in the office. They would be running Apache. If that is the case I will need to adjust the setting in that. Which domains are you referring to?
mkern, posted October 8, 2004

I went through a few guides on how to disable SMTP AUTH in Exchange 5.5 and they all referred me to a protocol in a section that did not have what they were referring to. However, by disabling all rerouting of SMTP, would this in turn resolve the issue at hand?

EDIT: Well, that definitely doesn't work by disabling the rerouting section, because it now prevents all mail incoming from outside sources.
Merlyn, posted October 8, 2004

> There should not be 10 sites being hosted on this server; the only actual site is the acg-us.com web access. However, you may be referring to other sites hosted on other servers in the office. They would be running Apache. If that is the case I will need to adjust the setting in that. Which domains are you referring to?

    IP Addresses: 207.43.104.15
    IP Country: UNITED STATES
    Reverse IP Lookup: IP hosts 10 domains
     1 ACG-US.COM.
     2 AOD.NET.
     3 BUTLERCONSTRUCTION.ORG.
     4 CTNOWCONCERTS.COM.
     5 DANTESPURGATORY.COM.
     6 ERASED.ORG.
     7 KUYAJAMES.COM.
     8 LEESCARPETTECH.COM.
     9 MICSNET.COM.
    10 RUNYOURSITE.NET.

Yesterday at least half said "under construction"; now they need someone to log in. Erased.org is set up with directory browsing allowed and there are some very nasty C scripts available. There were problems with a couple of others but I am not going through them again. Hope this helps.
mkern, posted October 8, 2004

>     IP Addresses: 207.43.104.15
>     IP Country: UNITED STATES
>     Reverse IP Lookup: IP hosts 10 domains
>      1 ACG-US.COM.
>      2 AOD.NET.
>      3 BUTLERCONSTRUCTION.ORG.
>      4 CTNOWCONCERTS.COM.
>      5 DANTESPURGATORY.COM.
>      6 ERASED.ORG.
>      7 KUYAJAMES.COM.
>      8 LEESCARPETTECH.COM.
>      9 MICSNET.COM.
>     10 RUNYOURSITE.NET.
>
> Yesterday at least half said "under construction"; now they need someone to log in. Erased.org is set up with directory browsing allowed and there are some very nasty C scripts available. There were problems with a couple of others but I am not going through them again. Hope this helps.

Yeah, all of those are located on a server outside of the one in question regarding the spam issues (except for acg-us.com); while still a noted problem, I am working on the issues at hand with that server. Those are all on a Linux machine that is obviously allowing directory browsing. I made some modifications to that this morning; if you can, rerun your testing to verify on your part if they seem resolved. If not, then I will need to readdress the issue and see why they're allowing something they're set up not to do. I think a lot of those problems were brought up in a new install of Apache a while back.

However, the specific servers associated with the spam problems are 207.43.104.17, the machine that sits in front of the Exchange server, and 207.43.104.3, which is the Exchange server itself.

Thanks,
Michael
mkern, posted October 8, 2004

I can't seem to find out where in the Internet Mail Service you can disable SMTP AUTH. All the articles I have read refer to going into the protocol section and disabling certain things under the SMTP protocol. However, that is handled in Internet Mail Service. Anyone know how to do this? I have read through the articles but they don't seem to say anything other than clicking a few things to close down relays.

EDIT: I enabled some logging and went through the logs and noticed the info account was authenticating SMTP, which should never happen. That looks like the culprit in the matter. The password has been changed, and I guess it's just a time-will-tell, by watching the queues/logs and usage reports, on whether or not that resolved the issue.