
[Resolved] Listed by spamtrap twice - not sure why?


TMG


I discovered we had been listed on SpamCop's DNS blacklist when some of our emails were returned with a message stating so.

We run our own mail server.

We did not receive any notification emails from Spamcop as I believe they were sent to an address for our ISP who owns our IP address: 202.130.197.246

We were first listed a couple of days ago; when I checked it out, the report said we would be removed in 24 hours. We did get removed, but within 12 hours we were back on again?

I am trying to find out why we are being listed. We only send out one bulk email list, but I don't believe this has been sent in the last 2 days, so I can't see how this could be the cause if we have been listed again in the last few hours?

Is it possible that a virus infected PC on our LAN could be the culprit?

Can we get the original spamcop notification emails resent to myself so I have a little info to go with?

cheers...


202.130.197.246 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

No notifications are sent out regarding spam trap hits.

Looks like you need to clean up your list and/or make sure you are not bouncing mail back to forged addresses.

Also, you had better take a long look at your mail logs; SenderBase shows a huge increase in mail in the last day: http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246

               Magnitude   Vol Change vs. Average
Last day          4.5          7854%
Last 30 days      3.1           219%
Average           2.6


> Also, you had better take a long look at your mail logs; SenderBase shows a huge increase in mail in the last day: http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246
>
>                Magnitude   Vol Change vs. Average
> Last day          4.5          7854%
> Last 30 days      3.1           219%
> Average           2.6

...yeah I did see that, which made me wonder if one of our network client PCs may have been infected by a virus which is sending out these emails? The mail server logs show no sign of the increased email traffic?


> The mail server logs show no sign of the increased email traffic?

Assumption made that the traffic noted would be "playing by your rules" .... firewall, router, 'active' user/process listing .... something that's supposed to be 'handling' that traffic that wouldn't be playing 'correctly' ..????

220 macnotes01.macservice.com.au ESMTP Service (Lotus Domino Release 6.0.2CF1) ready at Thu, 13 Oct 2005 14:04:19 +1000

help

214-Enter one of the following commands:

214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT

214 HELP VRFY ETRN

I didn't feel like going any further .... but the appearance is ..... nice & friendly ...


I see you don't have EXPN enabled, but lots of paranoid admins also disable VRFY as a security precaution - they don't want J. Random Spammer doing a dictionary or brute force attack with VRFY to glean a list of their users' email addresses, which almost always is also a list of their users' first or last names or a combination of them.


Here is something from your server sent to another spamtrap:

From commemorate[at]zbinden.com Tue Oct 11 20:15:31 2005

Delivery-date: Tue, 11 Oct 2005 20:15:31 -0400

Received: from [202.130.197.246] (helo=mail.macservice.com.au)

by mail.victim.example with smtp (Exim 4.43)

id 1EPUHL-0007Mc-7l

for xxxxxxx[at]xxxxxxxxx.xx; Tue, 11 Oct 2005 20:15:31 -0400

Received: from papered (unknown [192.168.217.38])

by mail.macservice.com.au with SMTP; Wed, 12 Oct 2005 11:14:50 +1100

To: xxxxxxxxx[at]xxxxxxxxxxxxxxxx.xx

From: Winston Rankin <commemorate[at]zbinden.com>

Subject: Re: News

Breaking news alert issue - big news coming.

Allixon International Corporation

A X C P . P K

We give it to you again as a gift. This company is doing

incredible things. They have cash and have made great

strategic aquisitions. Current price is $4.70.

Short term projection is $8. This company has dropped

big new's in the past. Who's to say they don't have

another big one.

RESIDENT, adj. Unable to leave.

My father was often angry when I was most like him.

MERCY, n. An attribute beloved of detected offenders.

If I can't have too many truffles, I'll do without truffles.

So little time, so little to do.

God invented whiskey to keep the Irish from ruling the world.

Change your thoughts and you change your world.

The problem with the cutting edge is that someone has to bleed.

The first and great commandment is: Don't let them scare you.

A gentleman is a man who can play the accordion but doesn't.

Chance fights ever on the side of the prudent.

Freedom is just Chaos, with better lighting.

We can never tell what is in store for us.

Practice random kindness and senseless acts of beauty.

To be positive: To be mistaken at the top of one's voice.

When anger rises, think of the consequences.

Never fight an inanimate object.

Gratitude is merely the secret hope of further favors.

Every law is an infraction of liberty.

History never looks like history when you are living through it.

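As an added illustration that is not part of the thread (none of the posters supplied code): a small Python script that walks the Received: chain of the sample quoted above and keeps the deepest hop that was written by TMG's own server, because the address in that hop is the machine that actually handed the message to the server. The sample message below is reconstructed from the quoted header lines (recipient addresses stay masked as on the page, "[at]" written as "@"); the set of "our" hostnames is taken from the thread, and the reconstruction of the message is the example's own assumption.

```python
import email
import ipaddress
import re

# Constructed sample: the header lines quoted in the thread, re-assembled into a
# parseable message. Recipient addresses stay masked as on the page.
SAMPLE = """\
Delivery-date: Tue, 11 Oct 2005 20:15:31 -0400
Received: from [202.130.197.246] (helo=mail.macservice.com.au)
    by mail.victim.example with smtp (Exim 4.43)
    id 1EPUHL-0007Mc-7l
    for xxxxxxx@xxxxxxxxx.xx; Tue, 11 Oct 2005 20:15:31 -0400
Received: from papered (unknown [192.168.217.38])
    by mail.macservice.com.au with SMTP; Wed, 12 Oct 2005 11:14:50 +1100
To: xxxxxxxxx@xxxxxxxxxxxxxxxx.xx
From: Winston Rankin <commemorate@zbinden.com>
Subject: Re: News

Breaking news alert issue - big news coming.
"""

# Hostnames our own server writes into the "by" part of its Received line (from the thread).
OUR_MAIL_HOSTS = {"mail.macservice.com.au", "macnotes01.macservice.com.au"}

HOP_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the Received hops newest-first, each as {'from', 'ip', 'by'}."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # unfold the header onto one line
        m = HOP_RE.search(flat)
        if not m:
            continue                        # e.g. "Received: by ..." local submissions
        ip = IP_RE.search(m["from"])
        hops.append({"from": m["from"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops


def find_origin(hops, our_hosts):
    """Walk newest to oldest and keep the deepest hop still written by one of our own
    servers. Anything below that was written by the sender and may be forged."""
    origin = None
    for hop in hops:
        if hop["by"].lower().rstrip(";") in our_hosts:
            origin = hop
        elif origin is not None:
            break
    return origin


def classify(ip):
    """Label the originating address: an RFC 1918 address means a LAN host relayed."""
    if ip is None:
        return "unknown"
    return "internal-private" if ipaddress.ip_address(ip).is_private else "external-public"


def analyse(raw_message, our_hosts=OUR_MAIL_HOSTS):
    origin = find_origin(parse_hops(raw_message), our_hosts)
    if origin is None:
        return {"origin_ip": None, "origin_name": None, "verdict": "no hop recorded by our servers"}
    return {"origin_ip": origin["ip"], "origin_name": origin["from"], "verdict": classify(origin["ip"])}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The address your own server records in its Received line comes from the TCP connection, so unlike the HELO name or the From: header it is not chosen by the sender; that is why the 192.168.217.38 in this sample is the piece of evidence worth chasing, and why the script stops trusting the chain at the first hop not written by a server you control.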

> ...yeah I did see that, which made me wonder if one of our network client PCs may have been infected by a virus which is sending out these emails? The mail server logs show no sign of the increased email traffic?

Are all of your network PCs hiding (NAT) behind that one IP address? If so, then that is a possible cause. Otherwise, it is coming from that mail machine using that specific IP address. It is possible your mail server itself is infected. Not likely a virus would use the official server when it can run and control its own (i.e. no logs).

Thus, the problem appears to be a machine on TMG's internal network at IP Address 192.168.217.38. It should be taken off the net, tested, and fixed, and TMG should pay more attention to its firewall logs with an eye towards restricting port 25 access to the outside world for all but authorized machines like mail servers.


> Thus, the problem appears to be a machine on TMG's internal network at IP Address 192.168.217.38. It should be taken off the net, tested, and fixed, and TMG should pay more attention to its firewall logs with an eye towards restricting port 25 access to the outside world for all but authorized machines like mail servers.

Oh dear, Senderbase dropped to 900% a few hours ago and I thought the problem might have been solved. Now back up to 5800% - looking like a zombied machine or an SMTP/Auth hack. Definitely something awry. Can server be disconnected from internet until problem identified and rectified?


Ok, sorry I haven't been back to check this forum for a few days, but we are listed again now.

So it appears it could be a virus infected machine on the network which could be causing this? Our mail server is Linux running Notes/Domino 6, so I would be extremely surprised if it was infected by a virus.

I have had issues with one machine on our network being infected the last week or so. I thought I had fixed it though; I will take it off the network and see if it resolves the problem. All our internal IPs are in the 10.0.0 range though, and we use NAT on our firewall, so I don't know where that 192.168.217.38 address came from?

I will check out port 25 on our firewall and see if I can restrict internal usage to just our mail server.

I'm the only network admin here and we aren't a large organisation. My main job is application development, so I'm no mail server/network admin guru, but I know enough to get myself into trouble!

Thanks very much for the help so far guys, I will check out the suggestions here and reply back if it doesn't resolve the problem.


Do you have remote SMTP enabled? A common source of the problem.

Most companies do not need it enabled as remote users can use the SMTP server of the service they log into the net with. If your remote users log directly into your servers using dialup or private broadband, rather than using local internet access, then you will probably not be able to disable it.

Also consider checking the usage by all registered accounts and consider requiring all users to change their passwords. Remember any system can be hacked with the right username and password. Default user names and simple passwords make it easy for hackers to get in.


Per http://www.spamcop.net/w3m?action=blcheck&ip=202.130.197.246, the problem does appear to be with sending mail to SpamCop spamtraps - please contact deputies[at]spamcop.net to request more details, and review FAQ Entry: Am I Running Mailing Lists Responsibly? (which I have just updated) while you wait. Thanks!


We do have remote mail access enabled, but AFAIK Notes uses its own routing protocol from the Notes client to the server. I will investigate if SMTP remote access is enabled as well, but I don't think it is. Our users log into our mail server remotely but via their own ISP connections and only using the Notes client.

If someone managed to hack a user's login to our mail server, wouldn't the extra email traffic show in the email server logs?

Senderbase showed a -100% traffic decrease in the last 24 hours (it's Monday here). The mail server is on 24/7 but our network client PCs are all switched off over the weekend, so is this another clue pointing towards a hijacked LAN client machine causing the problem?

I have removed a suspect client machine from the LAN and to the best of my knowledge have restricted outgoing port 25 traffic to just the 2 Linux servers, so we will see what happens in the next couple of days?

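To go with the advice earlier in the thread about watching the firewall logs and restricting outbound port 25 to the mail servers, here is an added example that is not from any poster: Python that tallies outbound TCP/25 connections per internal source and lists the hosts that are not on the allow-list of mail servers, busiest first, with the number of distinct destinations as a rough spam indicator. The log lines are constructed for the example in a netfilter-LOG-like key=value layout (adapt parse_fields to the real firewall's format); the LAN range follows TMG's remark about the 10.0.0 range, and the two allowed server addresses 10.0.0.5 and 10.0.0.6 are invented stand-ins for "the 2 Linux servers".

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log. The key=value layout is modelled loosely on the
# netfilter LOG target; hosts, addresses and timestamps are invented for the example
# (external hosts use the 203.0.113.0/24 documentation range).
FIREWALL_LOG = """\
Oct 17 09:12:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=25
Oct 17 09:12:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.80 PROTO=TCP SPT=2211 DPT=443
Oct 17 09:12:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.47 DST=203.0.113.21 PROTO=TCP SPT=1101 DPT=25
Oct 17 09:12:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.47 DST=203.0.113.22 PROTO=TCP SPT=1102 DPT=25
Oct 17 09:12:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.47 DST=203.0.113.23 PROTO=TCP SPT=1103 DPT=25
Oct 17 09:12:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.47 DST=203.0.113.24 PROTO=TCP SPT=1104 DPT=25
Oct 17 09:12:07 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.30 PROTO=TCP SPT=2212 DPT=25
Oct 17 09:12:08 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.6 DST=203.0.113.11 PROTO=TCP SPT=51000 DPT=25
Oct 17 09:12:09 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.47 DST=203.0.113.53 PROTO=UDP SPT=1105 DPT=53
"""

# Assumptions for the example: the LAN is 10.0.0.0/24 and the two servers allowed to
# speak SMTP to the outside world are 10.0.0.5 and 10.0.0.6 (invented addresses).
LAN = ip_network("10.0.0.0/24")
ALLOWED_SMTP_SENDERS = {"10.0.0.5", "10.0.0.6"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_fields(line):
    """Turn the KEY=value pairs of one log line into a dict; bare flags are ignored."""
    return dict(FIELD_RE.findall(line))


def outbound_smtp_by_source(log_text, lan=LAN):
    """Tally TCP/25 connections per LAN source: count and set of distinct destinations."""
    counts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25" or "SRC" not in f:
            continue
        if ip_address(f["SRC"]) not in lan:
            continue                    # only traffic originating inside is of interest
        counts[f["SRC"]] += 1
        destinations[f["SRC"]].add(f.get("DST"))
    return counts, destinations


def unauthorized_smtp_senders(log_text, allowed=ALLOWED_SMTP_SENDERS, lan=LAN):
    """LAN hosts speaking outbound SMTP that are not on the allow-list, busiest first."""
    counts, destinations = outbound_smtp_by_source(log_text, lan)
    return [
        {"src": src, "connections": n, "distinct_destinations": len(destinations[src])}
        for src, n in counts.most_common()
        if src not in allowed
    ]


if __name__ == "__main__":
    for entry in unauthorized_smtp_senders(FIREWALL_LOG):
        print(f"{entry['src']}: {entry['connections']} outbound SMTP connections "
              f"to {entry['distinct_destinations']} distinct hosts")
```

A workstation fanning out port 25 connections to many different destinations is the pattern a spam-sending infection leaves in the egress log, and it is invisible in the mail server's own logs, which is exactly what TMG observed. Once the list is empty apart from the mail servers, the same allow-list is the basis for the egress rule that blocks port 25 from everything else.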

> Those are (surely) fairly rare timezones in the sample Merlyn pulled? Not sure if it has relevance to anything, just intrigued.

Not really. It's currently 02:15 EDT -0400, which means it is also 06:15 UTC -0000, 14:15 +0800 in Sydney (Western Australia, where Farelf posts from), and 17:15 +1100 in Melbourne (Eastern Australia, where TMG posts from). Looks entirely consistent to me, but serves as a reminder to hit the sack. Night all! :)

> Not really. ...

Um, I'm in Perth - Sydney is about as close to here as London is to Moscow or Miami is to Lima but the distance here is all east-west. Yep, Perth is UTC +0800 but Melbourne, Sydney, Brisbane & Hobart (the "Eastern States" capitals) are +1000 (not summer yet). AFAIK, +1100 is the Solomons and assorted scraps of coral, maybe Japan or Siberia on daylight saving (in October?) But -0400, of course, I was turned around (dyslexia rules, KO?) thanks. There's no +1000 in that sample and I thought maybe there should be, given a scenario of a small company operating out of Melbourne (presumably not that widely distributed in terms of hardware).


> I have had issues with one machine on our network being infected the last week or so. I thought I had fixed it though; I will take it off the network and see if it resolves the problem. All our internal IPs are in the 10.0.0 range though, and we use NAT on our firewall, so I don't know where that 192.168.217.38 address came from?

I notice you are posting from that same address. Do you have only 1 public IP that all traffic is hiding behind or are you posting from the mail server?

Also, this listing is also only from spamtrap hits; no human reports are seen at this point.

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

And I just did one other test (you may see it in your firewall logs) to see if you accept and bounce messages (which it seems you don't, at least for invalid users):

telnet 202.130.197.246 25

220 macnotes01.macservice.com.au ESMTP Service (Lotus Domino Release 6.0.2CF1) ready at Tue, 18 Oct 2005 05:35:31 +1000

helo x.kopin.com

250 macnotes01.macservice.com.au Hello x.kopin.com ([199.79.137.84]), pleased to meet you

mail from: <y[at]spamcop.net>

250 y[at]spamcop.net... Sender OK

rcpt to: <tester[at]macservice.com.au>

550 tester[at]macservice.com.au... No such user

quit

221 macnotes01.macservice.com.au SMTP Service closing transmission channel


> I notice you are posting from that same address. Do you have only 1 public IP that all traffic is hiding behind or are you posting from the mail server?

Yes that is correct. One public IP and I use port mapping from the firewall to direct mail etc to the correct internal addresses. We only have approx 25 users on the network.

> Also, this listing is also only from spamtrap hits; no human reports are seen at this point.
>
> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours.

Yes, but we have been on and off the list about 4 or 5 times in the last week. So as soon as we are removed we are back on again within 12-24 hrs?

> And I just did one other test (you may see it in your firewall logs) to see if you accept and bounce messages (which it seems you don't, at least for invalid users):

Yep that is correct, we reject anything that does not match a valid address on our system. We get a lot of spam attempting to be delivered to invalid usernames on our system.

I just got in this morning and checked senderbase again and our volume change is back up at 1435%!? I was hoping I had fixed the problem yesterday?


...actually I just had a thought, seeing that the traffic was down -100% yesterday after the weekend, could the 1435% increase shown by senderbase be normal for us moving from Sunday with no one on the system to Monday when everyone is back at work sending email?


> ...actually I just had a thought, seeing that the traffic was down -100% yesterday after the weekend, could the 1435% increase shown by senderbase be normal for us moving from Sunday with no one on the system to Monday when everyone is back at work sending email?

Only you know the size of your customer base and the "normal" traffic generated ... but approximately 10 thousand e-mails from 25 users seems just a tad high???? Monday morning or not <g>

However, take a look at NEW! SenderBase's "Magnitude" Explained to get a 'feel' for the numbers displayed ...

(see post http://forum.spamcop.net/forums/index.php?...indpost&p=34348 for an example of another ISP's apparently successful spew stoppage today)

Data point - 1912 -5 GMT

http://www.senderbase.org/?searchBy=ipaddr...202.130.197.246

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          3.9          1426%
Last 30 days      3.2           281%
Average           2.6

Data point - 18 Oct 2005 0944 -5GMT

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          3.8          1261%
Last 30 days      3.2           284%
Average           2.6

Data Point - 18 Oct 2005 1817 -5GMT

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          3.1           115%
Last 30 days      3.2           271%
Average           2.7

Data Point - 20 Oct 2005 2110 -5GMT

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          2.7           -34%
Last 30 days      3.2           280%
Average           2.7


Or put another way, your Monday mail run is over 14 times higher than your historical average. So unless you can support that increase in traffic, it looks like you still have some more work cut out for you to locate the additional spam sources and who or what is pushing that volume of mail through your IP address.

It seems that you did find a large part of it, just not all of it; or someone found still a different way to access your IP address for sending mail.


If you can get away with it, you may want to try to cut off all remote access and log all attempts to gain access and then selectively add access as needed requiring the use of secure passwords for remote users.

Note, this will not deal with internal machines that may have already been compromised.

Another thing you could try is to require all users to change their passwords and require authentication on all outbound traffic.

Good luck in hunting down the cause / multiple causes / of the problem.


Ok, this morning Senderbase is reporting traffic is back down to 115% for the last 24hrs and so far we haven't re-appeared on the list.

I'll keep an eye on it over the next few days to make sure I've fixed the problem.


> Ok, this morning Senderbase is reporting traffic is back down to 115% for the last 24hrs and so far we haven't re-appeared on the list.
>
> I'll keep an eye on it over the next few days to make sure I've fixed the problem.

Please post any details you can release about what the problem was and how you found/addressed it. It could be a help to the next person in your shoes.
