TMG Posted October 13, 2005

I discovered we had been listed on SpamCop's DNS blacklist when some of our emails were returned with a message stating so. We run our own mail server. We did not receive any notification emails from SpamCop as I believe they were sent to an address for our ISP who owns our IP address: 202.130.197.246

We were first listed a couple of days ago; when I checked it out the report said we would be removed in 24 hours. We did get removed but within 12 hours were back on again? I am trying to find out why we are being listed. We only send out one bulk email list but I don't believe this has been sent in the last 2 days, so I can't see how this could be the cause if we have been listed again in the last few hours? Is it possible that a virus-infected PC on our LAN could be the culprit? Can we get the original SpamCop notification emails resent to myself so I have a little info to go with? cheers...
dbiel Posted October 13, 2005

202.130.197.246 listed in bl.spamcop.net (127.0.0.2)
Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

No notifications are sent out regarding spam trap hits. Looks like you need to clean up your list and/or make sure you are not bouncing mail back to forged addresses. Also you had better take a long look at your mail logs; SenderBase shows a huge increase in mail in the last day: http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246

Magnitude / Vol Change vs. Average
Last day: 4.5 / 7854%
Last 30 days: 3.1 / 219%
Average: 2.6
TMG Posted October 13, 2005 (Author)

> Also you had better take a long look at your mail logs; SenderBase shows a huge increase in mail in the last day: http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246
> Magnitude / Vol Change vs. Average
> Last day: 4.5 / 7854%
> Last 30 days: 3.1 / 219%
> Average: 2.6

...yeah I did see that, which made me wonder if one of our network client PCs may have been infected by a virus which is sending out these emails? The mail server logs show no sign of the increased email traffic?
Wazoo Posted October 13, 2005

> The mail server logs show no sign of the increased email traffic?

Assumption made that the traffic noted would be "playing by your rules" .... firewall, router, 'active' user/process listing .... something that's supposed to be 'handling' that traffic that wouldn't be playing 'correctly' ..????

220 macnotes01.macservice.com.au ESMTP Service (Lotus Domino Release 6.0.2CF1) ready at Thu, 13 Oct 2005 14:04:19 +1000
help
214-Enter one of the following commands:
214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT
214 HELP VRFY ETRN

I didn't feel like going any further .... but the appearance is ..... nice & friendly ...
Jeff G. Posted October 13, 2005

I see you don't have EXPN enabled, but lots of paranoid admins also disable VRFY as a security precaution - they don't want J. Random Spammer doing a dictionary or brute force attack with VRFY to glean a list of their users' email addresses, which almost always is also a list of their users' first or last names or a combination of them.
Merlyn Posted October 13, 2005

Here is something from your server sent to another spamtrap:

From commemorate[at]zbinden.com Tue Oct 11 20:15:31 2005
Delivery-date: Tue, 11 Oct 2005 20:15:31 -0400
Received: from [202.130.197.246] (helo=mail.macservice.com.au)
	by mail.victim.example with smtp (Exim 4.43)
	id 1EPUHL-0007Mc-7l
	for xxxxxxx[at]xxxxxxxxx.xx; Tue, 11 Oct 2005 20:15:31 -0400
Received: from papered (unknown [192.168.217.38])
	by mail.macservice.com.au with SMTP; Wed, 12 Oct 2005 11:14:50 +1100
To: xxxxxxxxx[at]xxxxxxxxxxxxxxxx.xx
From: Winston Rankin <commemorate[at]zbinden.com>
Subject: Re: News

Breaking news alert issue - big news coming. Allixon International Corporation A X C P . P K We give it to you again as a gift. This company is doing incredible things. They have cash and have made great strategic aquisitions. Current price is $4.70. Short term projection is $8. This company has dropped big new's in the past. Who's to say they don't have another big one.

RESIDENT, adj. Unable to leave. My father was often angry when I was most like him. MERCY, n. An attribute beloved of detected offenders. If I can't have too many truffles, I'll do without truffles. So little time, so little to do. God invented whiskey to keep the Irish from ruling the world. Change your thoughts and you change your world. The problem with the cutting edge is that someone has to bleed. The first and great commandment is: Don't let them scare you. A gentleman is a man who can play the accordion but doesn't. Chance fights ever on the side of the prudent. Freedom is just Chaos, with better lighting. We can never tell what is in store for us. Practice random kindness and senseless acts of beauty. To be positive: To be mistaken at the top of one's voice. When anger rises, think of the consequences. Never fight an inanimate object. Gratitude is merely the secret hope of further favors. Every law is an infraction of liberty. History never looks like history when you are living through it.
StevenUnderwood Posted October 13, 2005

> ...yeah I did see that, which made me wonder if one of our network client PCs may have been infected by a virus which is sending out these emails? The mail server logs show no sign of the increased email traffic?

Are all of your network PCs hiding (NAT) behind that one IP address? If so, then that is a possible cause. Otherwise, it is coming from that mail machine using that specific IP address. It is possible your mail server itself is infected. Not likely a virus would use the official server when it can run and control its own (i.e. no logs).
Jeff G. Posted October 13, 2005

Thus, the problem appears to be a machine on TMG's internal network at IP Address 192.168.217.38. It should be taken off the net, tested, and fixed, and TMG should pay more attention to its firewall logs with an eye towards restricting port 25 access to the outside world for all but authorized machines like mail servers.
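The conclusion above comes from reading the Received: chain in Merlyn's sample: the hop stamped by the site's own server names the client that handed the message in. The following is an added example (not code from this thread, from SpamCop or from Lotus Domino) that automates that reading. It embeds the two Received: lines quoted above as a constructed sample (trap addresses kept masked, `[at]` restored to `@`), and the host name `mail.macservice.com.au` used to pick out "our" hop is taken from that sample; any other organisation would pass its own server name.

```python
"""Walk a message's Received: chain to find the hop where it entered our server.

Added example, not code from the SpamCop thread or from Lotus Domino. Only the
Received: line written by our own mail server is trustworthy; anything below it
in the chain was supplied by the sending client and may be forged. The client
address on our server's own line is what tells us whether the spam originated
inside the NAT boundary (RFC 1918 space) or was relayed from outside.
"""
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample: the headers of the spam quoted above, trap address masked.
SAMPLE_HEADERS = """\
Delivery-date: Tue, 11 Oct 2005 20:15:31 -0400
Received: from [202.130.197.246] (helo=mail.macservice.com.au)
\tby mail.victim.example with smtp (Exim 4.43)
\tid 1EPUHL-0007Mc-7l
\tfor xxxxxxx@xxxxxxxxx.xx; Tue, 11 Oct 2005 20:15:31 -0400
Received: from papered (unknown [192.168.217.38])
\tby mail.macservice.com.au with SMTP; Wed, 12 Oct 2005 11:14:50 +1100
To: xxxxxxxxx@xxxxxxxxxxxxxxxx.xx
From: Winston Rankin <commemorate@zbinden.com>
Subject: Re: News

"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 literal
_BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)  # the receiving host


def parse_received(raw: str) -> list:
    """Return the Received: hops newest-first as dicts {from_ip, by, raw}."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        ip_match = _IP_RE.search(text)
        by_match = _BY_RE.search(text)
        hops.append({
            "from_ip": ip_match.group(1) if ip_match else None,
            "by": by_match.group(1) if by_match else None,
            "raw": text,
        })
    return hops


def is_internal(ip: Optional[str]) -> bool:
    """True for RFC 1918 / loopback / link-local addresses, False otherwise."""
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def find_entry_point(raw: str, our_mailhost: str) -> Optional[dict]:
    """Locate the hop our own server stamped and report the client it accepted from.

    Hops below that line are untrusted (the client wrote them), so the search
    stops at the first line whose 'by' host is ours.
    """
    for hop in parse_received(raw):
        if hop["by"] and hop["by"].lower() == our_mailhost.lower():
            return {
                "client_ip": hop["from_ip"],
                "internal": is_internal(hop["from_ip"]),
                "received": hop["raw"],
            }
    return None


if __name__ == "__main__":
    entry = find_entry_point(SAMPLE_HEADERS, "mail.macservice.com.au")
    print(entry)
```

On the sample this returns client `192.168.217.38` flagged as internal, which is the same reading Jeff G. gives above. The practical caveat is the one TMG raises later in the thread: the address on that line is whatever the server saw on the accepting socket, so if the LAN is 10.0.0.0/8 and the mail host records a 192.168.x.x client, the next place to look is the mail server's own interface and routing configuration rather than the user PCs.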
Derek T Posted October 14, 2005

> Thus, the problem appears to be a machine on TMG's internal network at IP Address 192.168.217.38. It should be taken off the net, tested, and fixed, and TMG should pay more attention to its firewall logs with an eye towards restricting port 25 access to the outside world for all but authorized machines like mail servers.

Oh dear, SenderBase dropped to 900% a few hours ago and I thought the problem might have been solved. Now back up to 5800% - looking like a zombied machine or an SMTP/Auth hack. Definitely something awry. Can the server be disconnected from the internet until the problem is identified and rectified?
Farelf Posted October 15, 2005

Almost timed out of the latest listing. Those are (surely) fairly rare timezones in the sample Merlyn pulled? Not sure if it has relevance to anything, just intrigued.
TMG Posted October 17, 2005 (Author)

Ok, sorry I haven't been back to check this forum for a few days but we are listed again now. So it appears it could be a virus-infected machine on the network which could be causing this? Our mail server is Linux running Notes/Domino 6 so I would be extremely surprised if it was infected by a virus. I have had issues with one machine on our network being infected the last week or so. I thought I had fixed it though; I will take it off the network and see if it resolves the problem. All our internal IPs are in the 10.0.0 range though and we use NAT on our firewall so I don't know where that 192.168.217.38 address came from? I will check out port 25 on our firewall and see if I can restrict internal usage to just our mail server.

I'm the only network admin here and we aren't a large organisation. My main job is application development so I'm no mail server/network admin guru, but I know enough to get myself into trouble! Thanks very much for the help so far guys, I will check out the suggestions here and reply back if it doesn't resolve the problem.
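Jeff G.'s advice above (watch the firewall logs, allow outbound port 25 only from the mail servers) and TMG's plan to do just that suggest a concrete check: count which internal hosts are opening new outbound TCP/25 connections and how many distinct destinations each one fans out to. The following is an added example, not code from this thread, SpamCop or any firewall product. The log lines are constructed for the example in the key=value style of a Linux netfilter LOG rule (`IN= OUT= SRC= DST= PROTO= SPT= DPT=` followed by TCP flags); the 10.0.0.x addresses mirror TMG's description of the LAN, and the two "authorized" servers `10.0.0.5` and `10.0.0.6` are hypothetical stand-ins for the two Linux servers mentioned later in the thread.

```python
"""Audit outbound TCP/25 connection attempts per internal host from firewall logs.

Added example, not code from the SpamCop thread or any vendor. A spam-sending
zombie typically opens many short SMTP connections to many different MX hosts,
so two signals are reported per source: the number of connection attempts and
the number of distinct destinations. Anything not on the authorized list that
talks to port 25 at all is worth a look regardless of volume.
"""
from collections import Counter, defaultdict

# Hypothetical: the two hosts that are allowed to deliver mail directly.
ALLOWED_SMTP_SENDERS = {"10.0.0.5", "10.0.0.6"}

# Constructed sample log in netfilter LOG style (not a real capture).
SAMPLE_LOG = """\
Oct 17 09:12:01 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=4410 DPT=25 SYN
Oct 17 09:12:02 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=198.51.100.21 PROTO=TCP SPT=3301 DPT=25 SYN
Oct 17 09:12:02 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=198.51.100.22 PROTO=TCP SPT=3302 DPT=25 SYN
Oct 17 09:12:03 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=198.51.100.23 PROTO=TCP SPT=3303 DPT=25 SYN
Oct 17 09:12:03 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=203.0.113.77 PROTO=TCP SPT=3304 DPT=25 SYN
Oct 17 09:12:04 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.57 DST=203.0.113.78 PROTO=TCP SPT=3305 DPT=25 SYN
Oct 17 09:12:05 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=203.0.113.10 PROTO=TCP SPT=1184 DPT=80 SYN
Oct 17 09:12:06 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=203.0.113.40 PROTO=TCP SPT=1185 DPT=25 SYN
Oct 17 09:12:07 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.6 DST=203.0.113.11 PROTO=TCP SPT=5120 DPT=25 SYN
Oct 17 09:12:08 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=4411 DPT=25 ACK
"""


def parse_line(line: str):
    """Split a log line into key=value fields and bare flag tokens (SYN, ACK, ...)."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags


def audit_smtp_egress(log_text: str, allowed_senders) -> list:
    """Count new outbound TCP/25 connections per source, most active first."""
    connections = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        if "SYN" not in flags or "ACK" in flags:   # count connection attempts only
            continue
        if not fields.get("OUT"):                   # not leaving via an egress interface
            continue
        src = fields["SRC"]
        connections[src] += 1
        destinations[src].add(fields["DST"])
    return [
        {
            "src": src,
            "connections": count,
            "distinct_destinations": len(destinations[src]),
            "authorized": src in allowed_senders,
        }
        for src, count in connections.most_common()
    ]


def unauthorized_senders(report: list) -> list:
    """Sources that opened port-25 connections without being on the allowed list."""
    return [row["src"] for row in report if not row["authorized"]]


if __name__ == "__main__":
    report = audit_smtp_egress(SAMPLE_LOG, ALLOWED_SMTP_SENDERS)
    for row in report:
        print(row)
    print("unauthorized:", unauthorized_senders(report))
```

On the sample, `10.0.0.57` stands out with five connection attempts to five different MX hosts inside a few seconds, while `10.0.0.23` made a single unauthorized attempt and the two servers behave as expected. Once such a report is clean, the same log line format is what a "deny all other outbound 25" rule would keep producing, so the audit doubles as a check that the restriction actually took.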
dbiel Posted October 17, 2005

Do you have remote SMTP enabled? A common source of the problem. Most companies do not need it enabled as remote users can use the SMTP server of the service they log into the net with. If your remote users log directly into your servers using dialup or private broadband, rather than using local internet access, then you will probably not be able to disable it.

Also consider checking the usage by all registered accounts and consider requiring all users to change their passwords. Remember any system can be hacked with the right username and password. Default user names and simple passwords make it easy for hackers to get in.
Jeff G. Posted October 17, 2005

Per http://www.spamcop.net/w3m?action=blcheck&ip=202.130.197.246, the problem does appear to be with sending mail to SpamCop spamtraps - please contact deputies[at]spamcop.net to request more details, and review FAQ Entry: Am I Running Mailing Lists Responsibly? (which I have just updated) while you wait. Thanks!
TMG Posted October 17, 2005 (Author)

We do have remote mail access enabled but AFAIK Notes uses its own routing protocol from the Notes client to the server. I will investigate if SMTP remote access is enabled as well but I don't think it is. Our users log into our mail server remotely but via their own ISP connections and only using the Notes client. If someone managed to hack a user's login to our mail server, wouldn't the extra email traffic show in the email server logs?

SenderBase showed a -100% traffic decrease in the last 24 hours (it's Monday here). The mail server is on 24/7 but our network client PCs are all switched off over the weekend, so is this another clue pointing towards a hijacked LAN client machine causing the problem? I have removed a suspect client machine from the LAN and to the best of my knowledge have restricted outgoing port 25 traffic to just the 2 Linux servers, so we will see what happens in the next couple of days?
Jeff G. Posted October 17, 2005

> Those are (surely) fairly rare timezones in the sample Merlyn pulled? Not sure if it has relevance to anything, just intrigued.

Not really. It's currently 02:15 EDT -0400, which means it is also 06:15 UTC -0000, 14:15 +0800 in Sydney (Western Australia, where Farelf posts from), and 17:15 +1100 in Melbourne (Eastern Australia, where TMG posts from). Looks entirely consistent to me, but serves as a reminder to hit the sack. Night all!
Farelf Posted October 17, 2005

> Not really. ...

Um, I'm in Perth - Sydney is about as close to here as London is to Moscow or Miami is to Lima but the distance here is all east-west. Yep, Perth is UTC +0800 but Melbourne, Sydney, Brisbane & Hobart (the "Eastern States" capitals) are +1000 (not summer yet). AFAIK, +1100 is the Solomons and assorted scraps of coral, maybe Japan or Siberia on daylight saving (in October?) But -0400, of course, I was turned around (dyslexia rules, KO?) thanks. There's no +1000 in that sample and I thought maybe there should be, given a scenario of a small company operating out of Melbourne (presumably not that widely distributed in terms of hardware).
StevenUnderwood Posted October 17, 2005

> I have had issues with one machine on our network being infected the last week or so. I thought I had fixed it though; I will take it off the network and see if it resolves the problem. All our internal IPs are in the 10.0.0 range though and we use NAT on our firewall so I don't know where that 192.168.217.38 address came from?

I notice you are posting from that same address. Do you have only 1 public IP that all traffic is hiding behind or are you posting from the mail server?

Also, this listing is also only from spamtrap hits, no human reports are seen at this point. If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

And I just did one other test (you may see it in your firewall logs) to see if you accept and bounce messages (which it seems you don't, at least for invalid users):

telnet 202.130.197.246 25
220 macnotes01.macservice.com.au ESMTP Service (Lotus Domino Release 6.0.2CF1) ready at Tue, 18 Oct 2005 05:35:31 +1000
helo x.kopin.com
250 macnotes01.macservice.com.au Hello x.kopin.com ([199.79.137.84]), pleased to meet you
mail from: <y[at]spamcop.net>
250 y[at]spamcop.net... Sender OK
rcpt to: <tester[at]macservice.com.au>
550 tester[at]macservice.com.au... No such user
quit
221 macnotes01.macservice.com.au SMTP Service closing transmission channel
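The telnet session above is the classic check for backscatter: a server that answers RCPT TO for an unknown user with a 550 during the session rejects the message before accepting responsibility for it, whereas one that answers 250 and bounces later will send that bounce to whatever forged sender address the spammer supplied, which is how spam traps end up receiving mail "from" an innocent server (dbiel's point about bouncing to forged addresses, earlier in the thread). The following is an added example, not code from this thread, SpamCop or Lotus Domino: it drives the same HELO / MAIL FROM / RCPT TO / QUIT exchange with Python's standard `smtplib` and classifies the RCPT reply. So that it runs offline, it starts a tiny stand-in SMTP listener on localhost that behaves like the Domino server above (550 at RCPT for unknown users); the user list, host names and addresses in it are constructed. Against a real server you would call `probe_rcpt` with your own host and an address you know does not exist.

```python
"""Check whether a mail server rejects unknown recipients at RCPT time.

Added example, not code from the SpamCop thread, SpamCop or Lotus Domino. The
probe asks only for RCPT TO and never sends DATA, so no message is delivered.
A 5xx at RCPT means the server rejects in-session (no bounce can be generated);
a 2xx means it has accepted the recipient and will have to bounce later if the
mailbox does not exist, which is the backscatter pattern to avoid.
"""
import smtplib
import socketserver
import threading

# Constructed stand-in data: the mailboxes our fake server knows about.
KNOWN_USERS = {"postmaster@example.test", "alice@example.test"}


class _StandInSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP listener that rejects unknown recipients with 550 at RCPT."""

    def handle(self):
        self.wfile.write(b"220 mini.example.test ESMTP stand-in ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mini.example.test Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 Sender OK\r\n")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
                if addr in KNOWN_USERS:
                    self.wfile.write(b"250 Recipient OK\r\n")
                else:
                    self.wfile.write(b"550 No such user\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Closing transmission channel\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_stand_in_server():
    """Start the stand-in listener on an ephemeral localhost port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StandInSMTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_rcpt(host: str, port: int, recipient: str,
               sender: str = "probe@example.test") -> int:
    """Run HELO / MAIL FROM / RCPT TO / QUIT and return the RCPT reply code."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.test", timeout=5) as smtp:
        smtp.helo("probe.example.test")
        code, _ = smtp.mail(sender)
        if code != 250:
            return code
        code, _ = smtp.rcpt(recipient)
        return code


def classify(code: int) -> str:
    """Translate an RCPT reply code into the backscatter-relevant verdict."""
    if 200 <= code < 300:
        return "accepted"             # would have to bounce later if mailbox is bogus
    if 500 <= code < 600:
        return "rejected at RCPT"     # no bounce generated: the desirable behaviour
    return "deferred/other"


def run_demo() -> dict:
    """Probe the stand-in server for a known and an unknown mailbox."""
    server, port = start_stand_in_server()
    try:
        return {
            rcpt: classify(probe_rcpt("127.0.0.1", port, rcpt))
            for rcpt in ("alice@example.test", "nobody@example.test")
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for recipient, verdict in run_demo().items():
        print(f"{recipient}: {verdict}")
```

The reply to look for on a real server is the same one Steven saw: `550 ... No such user` at RCPT time. If you instead see `250` for an address that certainly does not exist, the server is accepting first and bouncing later, and the fix is to enable recipient validation at the SMTP boundary rather than to suppress bounces.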
TMG Posted October 17, 2005 (Author)

> I notice you are posting from that same address. Do you have only 1 public IP that all traffic is hiding behind or are you posting from the mail server?

Yes that is correct. One public IP and I use port mapping from the firewall to direct mail etc. to the correct internal addresses. We only have approx. 25 users on the network.

> Also, this listing is also only from spamtrap hits, no human reports are seen at this point. If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours.

Yes but we have been on and off the list about 4 or 5 times in the last week. So as soon as we are removed we are back on again within 12-24 hrs?

> And I just did one other test (you may see it in your firewall logs) to see if you accept and bounce messages (which it seems you don't, at least for invalid users):

Yep that is correct, we reject anything that does not match a valid address on our system. We get a lot of spam attempting to be delivered to invalid usernames on our system.

I just got in this morning and checked SenderBase again and our volume change is back up at 1435%!? I was hoping I had fixed the problem yesterday?
Wazoo Posted October 17, 2005

Notes/Domino 6 & 7 Forum : Some sources of information

Will also add to the FAQ here in a bit - done, but saw some interesting links off of this page ... Point is, take a look at some of this to help isolate whether it's your Lotus Domino server at issue .. or spew that's bypassing that server ...
TMG Posted October 17, 2005 (Author)

...actually I just had a thought. Seeing that the traffic was down -100% yesterday after the weekend, could the 1435% increase shown by SenderBase be normal for us, moving from Sunday with no one on the system to Monday when everyone is back at work sending email?
Wazoo Posted October 17, 2005

> ...actually I just had a thought. Seeing that the traffic was down -100% yesterday after the weekend, could the 1435% increase shown by SenderBase be normal for us, moving from Sunday with no one on the system to Monday when everyone is back at work sending email?

Only you know the size of your customer base and the "normal" traffic generated ... but approximately 10 thousand e-mails from 25 users seems just a tad high???? Monday morning or not <g>

However, take a look at NEW! SenderBase's "Magnitude" Explained to get a 'feel' for the numbers displayed ... (see post http://forum.spamcop.net/forums/index.php?...indpost&p=34348 for an example of another ISP's apparently successful spew stoppage today)

Data point - 1912 -5 GMT http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246
Volume Statistics for this IP
Magnitude / Vol Change vs. Average
Last day: 3.9 / 1426%
Last 30 days: 3.2 / 281%
Average: 2.6

Data point - 18 Oct 2005 0944 -5 GMT
Volume Statistics for this IP
Magnitude / Vol Change vs. Average
Last day: 3.8 / 1261%
Last 30 days: 3.2 / 284%
Average: 2.6

Data point - 18 Oct 2005 1817 -5 GMT
Volume Statistics for this IP
Magnitude / Vol Change vs. Average
Last day: 3.1 / 115%
Last 30 days: 3.2 / 271%
Average: 2.7

Data point - 20 Oct 2005 2110 -5 GMT
Volume Statistics for this IP
Magnitude / Vol Change vs. Average
Last day: 2.7 / -34%
Last 30 days: 3.2 / 280%
Average: 2.7
dbiel Posted October 18, 2005

Or put another way, your Monday mail run is over 14 times higher than your historical average. So unless you can support that increase in traffic, it looks like you still have some more work cut out for you to locate the additional spam sources and who or what is pushing that volume of mail through your IP address. It seems that you did find a large part of it, just not all of it; or someone found still a different way to access your IP address for sending mail.
dbiel Posted October 18, 2005

If you can get away with it, you may want to try to cut off all remote access and log all attempts to gain access, and then selectively add access as needed, requiring the use of secure passwords for remote users. Note, this will not deal with internal machines that may have already been compromised.

Another thing you could try is to require all users to change their passwords and require authentication on all outbound traffic.

Good luck in hunting down the cause / multiple causes / of the problem.
TMG Posted October 18, 2005 (Author)

Ok, this morning SenderBase is reporting traffic is back down to 115% for the last 24 hrs and so far we haven't re-appeared on the list. I'll keep an eye on it over the next few days to make sure I've fixed the problem.
StevenUnderwood Posted October 19, 2005

> Ok, this morning SenderBase is reporting traffic is back down to 115% for the last 24 hrs and so far we haven't re-appeared on the list. I'll keep an eye on it over the next few days to make sure I've fixed the problem.

Please post any details you can release about what the problem was and how you found/addressed it. It could be a help to the next person in your shoes.