
Logs and tests show no open relay, but still spams


JBradford


Hello,

We recently discovered that our newly moved (to a new IP address) mailserver was being used as an open relay to send out spams. Thousands of them.

This past Friday we were alerted to the issue and immediately closed that gaping hole.

However, even though all of our logs since Friday are showing thousands of attempts at sending spam through our server - and every one of those attempts showing a 'We do not Relay' message before disconnection from the sending source - the spams are still going through.

I have my server set to require POP authentication to send a message.

My only relay is through the local server itself and no other IP addresses.

I have the server set to reject all incoming mail that cannot provide a rDNS lookup

I have the server set to reject all incoming mail from hostnames that have no MX record

Every time I have checked the various 'Open Relay Checkers' online, my system passes with flying colors. None of them show me as being an open relay.

So, if I'm not an open relay and I have all of the previously mentioned security procedures in place.. how is it that spam is still going out with my IP address plastered all over it as the sender?

I am using Visnetic Mailserver v.5

My IP Address is 71.142.25.66

Here is a short excerpt from my recent log file:

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:03 -0700 Connected

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:03 -0700 >>> 220 mail.emrsystem.com ESMTP VisNetic.MailServer.v5.0.2.3; Wed, 02 Nov 2005 20:20:03 -0700

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< EHLO euroseek.com

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 >>> 250-mail.emrsystem.com Hello euroseek.com [127.0.0.1], pleased to meet you.

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< MAIL FROM: <fakesender[at]mail2Carolyn.com>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 >>> 250 2.1.0 <fakesender[at]mail2Carolyn.com>... Sender ok

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <intended_recipient[at]adni.net>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <intended_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <second_recipient[at]adni.net>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <second_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <third_recipient[at]adni.net>

127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <third_recipient[at]adni.net>... we do not relay <fakesender[at]mail2Carolyn.com>

SYSTEM [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 Disconnected

I changed the actual sender and receiver email address names, but left the domain names intact. Other than that, nothing at all was changed.

I plainly see 'we do not relay' in every instance of an email attempt. Every one of the thousands of lines in my logs (that are not legitimate mails going out or coming in) have 'we do not relay'.

Going back through all logs until last Friday shows the same message.

Am I reading it wrong?

Thanks for any help anyone can give me. I have contacted Visnetic to see if they can assist me, but haven't heard back from them for a day.

J. Bradford

CTO EMRSystem Inc.

(frustrated mailserver admin)

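Reading the excerpt the way a responder would, as an added example that is not part of the original post or of VisNetic's software: the script below groups VisNetic-style log lines by session id, follows the SMTP envelope, and labels each session. A 550 answered to RCPT is an in-session rejection, so the server never took the message, nothing went into the outgoing queue and nothing was bounced; a session only counts as relayed when a non-local recipient got 250 and the server answered 2xx after DATA. It also flags what the excerpt shows in its first column: the peer is 127.0.0.1 with an EHLO of euroseek.com, so whatever spoke SMTP in that session was running on the server itself (or on something forwarding to it), not on a remote host. Assumptions, labelled in the code: LOCAL_DOMAINS is taken from the banner hostname, the verdict names are this example's own, the first sample session is the post's excerpt trimmed with the forum's [at] obfuscation undone, and the second session is constructed to show what an accepted relay looks like.

```python
import re
from dataclasses import dataclass, field

# One VisNetic-style log line, in the layout of the excerpt in the post: <peer> [<session id>] <date> <event>,
# where <event> is "Connected", "Disconnected", "<<< <client command>" or ">>> <server reply>".
LINE_RE = re.compile(
    r"^(?P<peer>\S+) \[(?P<sid>[0-9A-Fa-f]+)\] "
    r"(?P<date>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<event>.*)$"
)
ADDR_RE = re.compile(r"<([^>]*)>")
LOCAL_DOMAINS = ("emrsystem.com",)  # assumption: domains this server accepts mail for, from the banner hostname


def is_local(name):
    domain = name.rpartition("@")[2].lower()   # works for both addresses and bare hostnames
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


@dataclass
class Session:
    sid: str
    peer: str = ""
    helo: str = ""
    mail_from: str = ""
    last_cmd: str = ""
    rcpt_tried: list = field(default_factory=list)
    rcpt_accepted: list = field(default_factory=list)
    rcpt_rejected: list = field(default_factory=list)
    queued: bool = False  # set when the server answers 2xx after DATA, i.e. it took the message


def parse_sessions(lines):
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        if m["peer"] != "SYSTEM" and not s.peer:
            s.peer = m["peer"]
        event = m["event"]
        if event.startswith("<<< "):          # client -> server
            cmd = event[4:].strip()
            if cmd == ".":                    # end of body: the next reply still answers DATA
                continue
            verb, _, arg = cmd.partition(" ")
            s.last_cmd = verb.upper().rstrip(":")
            addr = ADDR_RE.search(cmd)
            if s.last_cmd in ("EHLO", "HELO"):
                s.helo = arg.strip()
            elif s.last_cmd == "MAIL":
                s.mail_from = addr.group(1) if addr else ""
            elif s.last_cmd == "RCPT":
                s.rcpt_tried.append(addr.group(1) if addr else "")
        elif event.startswith(">>> "):        # server -> client; only the reply class matters here
            ok = event[4:5] == "2"
            if s.last_cmd == "RCPT" and s.rcpt_tried:
                (s.rcpt_accepted if ok else s.rcpt_rejected).append(s.rcpt_tried[-1])
            elif s.last_cmd == "DATA" and ok:
                s.queued = True
    return sessions


def classify(s):
    """What the session actually did, plus anything a responder should look at."""
    notes = []
    if s.peer == "127.0.0.1" and s.helo and not is_local(s.helo):
        notes.append("loopback peer with foreign HELO: the SMTP client was running on this host")
    if s.queued:
        verdict = "RELAYED" if any(not is_local(r) for r in s.rcpt_accepted) else "DELIVERED-LOCAL"
    elif s.rcpt_tried and not s.rcpt_accepted:
        verdict = "REJECTED"   # every RCPT got a 5xx in-session: nothing queued, nothing to bounce
    elif s.rcpt_accepted:
        verdict = "ABORTED"    # recipients accepted but the client never completed DATA
    else:
        verdict = "NO-ENVELOPE"
    return verdict, notes


# Sample input: session 0001B9B4 is the post's excerpt (trimmed, "[at]" undone); 0001B9C1 is
# constructed here to show what a session that really relayed a message looks like.
SAMPLE_LOG = """\
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:03 -0700 >>> 220 mail.emrsystem.com ESMTP VisNetic.MailServer.v5.0.2.3; Wed, 02 Nov 2005 20:20:03 -0700
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< EHLO euroseek.com
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 <<< MAIL FROM: <fakesender@mail2Carolyn.com>
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:04 -0700 >>> 250 2.1.0 <fakesender@mail2Carolyn.com>... Sender ok
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <intended_recipient@adni.net>
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <intended_recipient@adni.net>... we do not relay <fakesender@mail2Carolyn.com>
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 <<< RCPT TO: <second_recipient@adni.net>
127.0.0.1 [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 >>> 550 5.7.1 <second_recipient@adni.net>... we do not relay <fakesender@mail2Carolyn.com>
SYSTEM [0001B9B4] Wed, 02 Nov 2005 20:20:05 -0700 Disconnected
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:01 -0700 <<< HELO example.org
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:01 -0700 <<< MAIL FROM: <bogus@example.org>
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:02 -0700 <<< RCPT TO: <victim@example.net>
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:02 -0700 >>> 250 2.1.5 Recipient ok
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:02 -0700 <<< DATA
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:02 -0700 >>> 354 Enter mail, end with "." on a line by itself
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:03 -0700 <<< .
203.0.113.9 [0001B9C1] Wed, 02 Nov 2005 20:21:03 -0700 >>> 250 2.0.0 Message accepted for delivery
""".splitlines()

if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        print(sid, *classify(s))
```

Run it over the whole log rather than an excerpt: if every session comes out REJECTED or DELIVERED-LOCAL, the MTA is not what sent the spam, and the loopback-with-foreign-HELO notes tell you which sessions to correlate with process activity on the box itself.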

Report History shows the following:

Submitted: Wednesday, November 02, 2005 23:34:27 -0500:

-- spam -- Pre-approved Application #lmypL87350

    * 1546277776 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Wednesday, November 02, 2005 21:50:08 -0500:

jacobean some sugar the perky see borderland not

    * 1546225808 ( http:/ /edkrqh.net.rlmpyxtpzvegvj.vitamingood.com ) To: mole[at]devnull.spamcop.net

    * 1546225807 ( 71.142.25.66 ) To: mole[at]devnull.spamcop.net

Submitted: Wednesday, November 02, 2005 20:47:28 -0500:

spam: olin it rod a lessor a claude or

    * 1546190579 ( 71.142.25.66 ) To: spamcop[at]imaphost.com

    * 1546190575 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Wednesday, November 02, 2005 18:44:03 -0500:

RE: MAINTAIN your weight loss

    * 1546125984 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Wednesday, November 02, 2005 10:02:58 -0500:

Hoodia - Reduce 1,000 Calories a Day

    * 1545790956 ( http:/ /www.go2zl.info/r ) To: abuse[at]hkabc.net

    * 1545790955 ( http:/ /www.go2zl.info ) To: abuse[at]hkabc.net

    * 1545790951 ( 71.142.25.66 ) To: spamcop[at]imaphost.com

    * 1545790944 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Tuesday, November 01, 2005 16:21:42 -0500:

Forget wilma

    * 1545227178 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Tuesday, November 01, 2005 05:31:32 -0500:

Account has been created

    * 1544799683 ( 71.142.25.66 ) To: spamcop[at]imaphost.com

    * 1544799681 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Tuesday, November 01, 2005 01:29:24 -0500:

[spam] FW: Shed extra pounds with Hoodia

    * 1544674788 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Tuesday, November 01, 2005 00:46:53 -0500:

Re: Shopping and Survey Cash 10.31.2005

    * 1544695885 ( 71.142.25.66 ) To: spamcop[at]imaphost.com

    * 1544695884 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Sunday, October 30, 2005 01:12:41 -0400:

[JunkMail] Remember the old days?

    * 1543060775 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Friday, October 28, 2005 22:10:09 -0400:

x

    * 1542215601 ( 71.142.25.66 ) To: spamcop[at]imaphost.com

    * 1542215600 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

Submitted: Friday, October 28, 2005 16:43:54 -0400:

You have been prequalfied

    * 1542060113 ( 71.142.25.66 ) To: abuse[at]sbcglobal.net

One of those Reports (1543060775) was for an email that ended up in my Held Mail mailbox/Folder. Its Tracking URL http://www.spamcop.net/sc?id=z821225592z6e...448af9804a2d89z does not reveal any plausible source but your server's IP Address 71.142.25.66. Please check your firewall logs and scour that server (and any other systems on your network that could send mail using that IP Address) for proxies, adware, spyware, viruses, and worms. Thanks!

Please also ask postmaster[at]pbi.net to give your server (host) rdns ("Add the reverse IN-ADDR entry for each host address in the appropriate zone files for each network the host in on."), as required by the "Adding a host" instructions on Page 11 of RFC 1033 DOMAIN ADMINISTRATORS OPERATIONS GUIDE. Thanks!


Thanks for the assistance.

Here's another tidbit of information that I thought of.. don't know if it means anything or not, but I don't want to leave any stone unturned..

When our system was showing up as an 'open relay', it was obviously being abused by some type of spamming entity or software.

When we appeared on the blocked lists (AOL was the first one to actually show up in our log files that even hinted about being blocked) our 'outgoing message queue' exploded with messages awaiting transmission to AOL.. then there were a lot of them from Yahoo listed on the queue.

Then I changed our server settings and stopped our open relay. I deleted all of the messages in the outgoing queue.. and have never seen another one in there since.

So.. if being on a blocked list keeps those mails from being sent.. thus they get held up in our outgoing list.. and we are still on those blocked lists but the messages never make it to the queue.. Why does that NOT tell me that the messages are not going through our server any more?

Additionally, I still need to know what kind of stupid I am. Apparently I am misreading our log files.

As I see it now, since every single email that has attempted to be sent through our system gets nothing but a 'we do not relay' message - that's telling me that my server is not sending them.

I even checked some of the reported spams that I can actually read online.. the ones that are being blamed on my server for their transmission. When I cross reference those emails, based on time/sender/receiver, my logs tell me that the mail was not sent. They say 'we do not relay'.

So.. am I misreading the 'we do not relay' part of my logs? Does that not mean what I think it means?

I think it means the message came knocking, my server did its validation on the sender, found out that the sender address was not listed among my authorized accounts list, and the message was turned away.. it was never sent.

If that's not what it means, then I need to know what I DO need to look for in my logs. If I think 'we do not relay' means what it says, then obviously I need to set my goal at some other message in my log file.

From what I can see in my logs - my server is not doing the sending. I suppose there is one way to test that theory.. shut it off for a day and see if it's still happening. I'm doubting that's going to work, because I'm not debating whether or not my server is actually sending these.. I just need to know how I can know for sure that I finally got it fixed.

When every tester system on the internet tells me that my system is not allowing unauthorized emails through it's gates.. having a spam list tell me otherwise is just confusing.

A bit more help and I can probably figure this out. I'll be doing virus scans and trojan scans out the wazoo tomorrow (nearly midnight here now and I've been at this since 7am). I'll also see about getting that rDNS problem fixed.

Also.. what's with the spamcop addresses getting spammed by my server? I don't run lists of any kind. We've got 3 guys who work here with 6 email addresses between them.. and we mostly just email between ourselves? We don't 'bulk email' anything because we have no need for it. Our server is just for our own personal use.

One thing I find interesting.. and then I'll sit back and hope for a reply..

I changed ISPs about a week and a half ago. The only thing that I thought I'd have to do is swap the IP addresses on the server NIC and be done with it.

Same server I've had up for 2 years now... with no spam problems at all.

Within 20 minutes of me onlining the server with the new IP address.. all this spam started.

No new programs were added. No modifications to any program. No operating system updates. No patches for any software. Just a new IP address.

Kind of makes me wonder how anyone could have found my mailserver so quick, when it had just barely managed to propagate the net to its new IP address that same day.. and the mailserver was off for most of that day. 20 minutes, I kid you not.. that's all it took for this thing to start flinging spam like it was candy to kids on Halloween.

Any theories on that one? Or do I just have lousy luck?

Thanks again for the advice.. I'll be hitting that first thing. Until then, I'm going to manually shut down my mailserver for the evening to test a theory :P

Kudos,

JB


I think it means the message came knocking, my server did its validation on the sender, found out that the sender address was not listed among my authorized accounts list, and the message was turned away.. it was never sent.

The key is how are you rejecting these messages and where are these reject notices being sent? If they are going back to the "reply to" address then you are in trouble. Those addresses are almost always forged when dealing with spam. If you are returning them to the IP address you received them from then you are OK.

What firewall do you have in place to stop email from going out using your IP address but not going through your email server? These would never show up on your server logs.


Kind of makes me wonder how anyone could have found my mailserver so quick, when it had just barely managed to propagate the net to its new IP address that same day.. and the mailserver was off for most of that day. 20 minutes, I kid you not.. that's all it took for this thing to start flinging spam like it was candy to kids on Halloween.

Any theories on that one? Or do I just have lousy luck?

The most likely cause is a virus on the server or on one of the computers connected to the server network. It only takes clicking on one virus laden email to destroy an entire network.

The key is how are you rejecting these messages and where are these reject notices being sent? If they are going back to the "reply to" address then you are in trouble. Those addresses are almost always forged when dealing with spam. If you are returning them to the IP address you received them from then you are OK.

There seems to be nothing in the Visnetic Mailserver program to allow me to determine whether the reject notices go to the address or the IP.

I can't find any answers online at the Visnetic site (deerfield.com), nor do I get any answers from my forum requests for assistance there.

I've shut the server down for the evening.. gonna have a few ticked off people calling me tomorrow morning.. early.. so I've unplugged the phones :)

And I still have no clue if I am interpreting the log file correctly or not.. since that's really the only 'instant' information I can get out of my server as to what's going on, I'm hoping someone can explain to me why 'we do not relay' is a bad thing.


http://www.spamcop.net/w3m?action=checkblock&ip=71.142.25.66

71.142.25.66 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 71.142.25.66 has no reverse dns

Because of the above problems, express-delisting is not available

Listing History

System has been listed for less than 24 hours.

http://www.senderbase.org/?searchBy=ipaddr...ng=71.142.25.66

Date of first message seen from this address 2005-10-23

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 5.0 .. 5081%

Last 30 days .. 4.3 ... 766%

Average ....... 3.3

Real-time blacklists

list.dsbl.org Boycotted - http://dsbl.org/listing?71.142.25.66

bl.spamcop.net http://spamcop.net/w3m?action=checkblock&ip=71.142.25.66

http://www.visneticmailserver.com/ includes the 'bad' listing of Challenge Response Setup Guide

http://www.deerfield.com/products/visnetic-mailserver/ states The current version of VisNetic MailServer is 8.0.3.1. with Version 8.3 Coming Soon

If you shut the server down, that SenderBase must have been a lot higher a few hours ago? Datapoint set now for a future comparison. That they only offered up the docs in Word or PDF format didn't open the door far enough for me to get all that involved, but that all these docs were for a version over three revisions higher than what you said was in use, figured that they probably weren't all that applicable anyway.

You're focusing on the "open relay" scenario, which though it may be true, there are lots of other ways spew could be getting out. I don't see that you answered at least one query about firewall traffic .. which would hopefully address traffic not actually using your e-mail server/software, thus it wouldn't show up in those logs.

3 Nov 2005 0921 -6 GMT

71.142.25.66 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 5.0 .. 4907%

Last 30 days .. 4.3 ... 766%

Average ........ 3.3

3 Nov 2005 1324 -6 GMT

71.142.25.66 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week

SpamCop users have reported system as a source of spam about 10 times in the past week

Apparently, reports are still coming in ...

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 5.0 .. 4872%

Last 30 days .. 4.3 ... 766%

Average ........ 3.3

Not going down very quickly.

And another BL has been added;

Real-time blacklists

list.dsbl.org Boycotted - http://dsbl.org/listing?71.142.25.66

bl.spamcop.net http://spamcop.net/w3m?action=checkblock&ip=71.142.25.66

cbl.abuseat.org http://cbl.abuseat.org/lookup.cgi?ip=71.142.25.66

4 Nov 2005 1006 -6 GMT

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 5.0 .. 3711%

Last 30 days .. 4.3 ... 766%

Average ........ 3.4

4 Nov 2005 1930 -6 GMT

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.9 .. 3346%

Last 30 days .. 4.3 ... 766%

Average ........ 3.4

6 Nov 2005 0818 -6 GMT

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.9 .. 2773%

Last 30 days .. 4.4 ... 762%

Average ........ 3.4

10 Nov 2005

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ....... 4.8 .. 1771%

Last 30 days . 4.5 ... 772%

Average ....... 3.5

Appears that someone needs to be hired to come in and clean up this mess.


So.. if being on a blocked list keeps those mails from being sent.. thus they get held up in our outgoing list.. and we are still on those blocked lists but the messages never make it to the queue.. Why does that NOT tell me that the messages are not going through our server any more?
It tells you that messages are not being sent "legitimately" through your server any longer. It does not tell you there is not a virus or similar at work sending messages using its own SMTP engine. Also, the same applies to other machines on your network if they are all sitting behind a shared public IP address.
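The reply just above and the earlier one asking about the firewall make the same point: an MTA log only records what went through the MTA, while a bot with its own SMTP engine, on the server itself or on any other machine behind the same public address, talks to port 25 directly and never appears there. The gateway firewall log is where that traffic shows up. As an added example (not from the thread, and not tied to whatever firewall the poster actually ran), the script below reads netfilter-style log lines, counts outbound TCP/25 connections per internal source, and reports every source other than the designated MTA, plus the MTA itself if its fan-out is implausible for a three-person office. Assumptions, marked in the code: the log format, the MTA address 192.168.1.10, the baseline of 50 distinct destinations, and the constructed sample lines.

```python
from collections import defaultdict

# Assumed netfilter-style log lines (the thread never says which firewall the poster runs). Any
# log that records source, destination, protocol and destination port can be mapped onto this.
MTA_HOST = "192.168.1.10"  # assumption: the only internal host that should ever open TCP/25 outbound


def fields(line):
    """Turn the 'KEY=value' tokens of one log line into a dict; everything else is ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def outbound_smtp_by_source(lines):
    """Per internal source: number of outbound TCP/25 connections and the distinct hosts reached."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in lines:
        f = fields(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25" or not f.get("OUT"):
            continue                      # OUT= set means the packet left through an interface, i.e. egress
        if "SRC" not in f or "DST" not in f:
            continue
        st = stats[f["SRC"]]
        st["connections"] += 1
        st["destinations"].add(f["DST"])
    return dict(stats)


def suspicious_senders(lines, mta_host=MTA_HOST, max_mta_destinations=50):
    """Anything that is not the MTA talking to port 25 is a bot, proxy or misconfigured client;
    the MTA itself is flagged if its fan-out exceeds what a handful of users could produce."""
    findings = {}
    for src, st in outbound_smtp_by_source(lines).items():
        if src != mta_host:
            findings[src] = (f"{st['connections']} direct port-25 connections to "
                             f"{len(st['destinations'])} hosts, bypassing the MTA")
        elif len(st["destinations"]) > max_mta_destinations:
            findings[src] = (f"MTA reached {len(st['destinations'])} distinct hosts, "
                             f"above the baseline of {max_mta_destinations}")
    return findings


# Constructed sample: the MTA sends two messages, one workstation browses HTTPS, and a second
# workstation (192.168.1.23) opens 60 direct port-25 connections to 60 different hosts.
SAMPLE_FW_LOG = [
    "Nov  3 20:20:01 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.0.2.25 PROTO=TCP SPT=1045 DPT=25",
    "Nov  3 20:20:02 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=198.51.100.25 PROTO=TCP SPT=1046 DPT=25",
    "Nov  3 20:20:03 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=198.51.100.80 PROTO=TCP SPT=1047 DPT=443",
] + [
    f"Nov  3 20:20:{4 + i // 10:02d} gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.23 "
    f"DST=203.0.113.{i} PROTO=TCP SPT={2000 + i} DPT=25"
    for i in range(1, 61)
]

if __name__ == "__main__":
    for src, why in suspicious_senders(SAMPLE_FW_LOG).items():
        print(src, why)
```

The gateway cannot tell the MTA process from a bot running on the same box as the MTA; for that case a host firewall log, or `netstat -ano` on Windows, which lists the owning process id for each socket, answers the same question at the process level.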

Hope this helps

Edit: 2005/11/03 22:25 EST -0500 Jeff G. converted the spam to a Tracking URL - Merlyn has been here long enough to know better.


My Bad! You are absolutely right! Thank you my friend :-)

Looks like this machine is still spewing garbage to the world!

This is not a responsible way to run a server :o

71.142.25.66 Now Showing at all the local theaters:

-----------------------------------------------------------

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=71.142.25.66

--------------------------------------------------------------------------------

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2

Blocked - see http://www.spamcop.net/bl.shtml?71.142.25.66

--------------------------------------------------------------------------------

DSBLLIST Distributed Sender Boycott List: single-stage relays tested by trusted users: list.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?71.142.25.66

--------------------------------------------------------------------------------

DSBLUNCONFIRMED Distributed Sender Boycott List: single-stage relays, multihop relays and listings by anonymous users: unconfirmed.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?71.142.25.66

--------------------------------------------------------------------------------

PSBL Passive spam Block List: psbl.surriel.com -> 127.0.0.2

Listed in PSBL, see http://psbl.surriel.com/listing?ip=71.142.25.66

--------------------------------------------------------------------------------

CSMA McFadden Associates, IPs of mailservers that send spam twice in a short timeframe: bl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=71.142.25.66

--------------------------------------------------------------------------------

CSMA-SBL McFadden Associates, IPs of mailservers that send spam once in a short timeframe: sbl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=71.142.25.66

--------------------------------------------------------------------------------

UCEPROTECTL1 UCEPROTECT®-Network Project - Level 1: dnsbl-1.uceprotect.net -> 127.0.0.2

Sorry, IP 71.142.25.66 is blacklisted at Level 1 by UCEPROTECT-Network see http://www.uceprotect.net

--------------------------------------------------------------------------------

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

http://dsbl.org/listing?71.142.25.66

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=71.142.25.66

--------------------------------------------------------------------------------

DNSBLAUDSBL Distributed Server Boycott List: dsbl.dnsbl.net.au -> 127.0.0.2

http://dsbl.org/listing?71.142.25.66

--------------------------------------------------------------------------------

DNSBLUCEPN External Block List - UCEPROTECT®-Network Project: ucepn.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://www.uceprotect.net/

--------------------------------------------------------------------------------

DNSBLAUPROBES Servers currently probing other networks: probes.dnsbl.net.au -> 127.0.0.2

71.142.25.66 see http://www.dnsbl.net.au/probes/


Looks like this machine is still spewing garbage to the world!

This is not a responsible way to run a server :o

And 3 days since we last heard from him, still spewing spam, picking up more block-list entries, and the OP is nowhere to be seen! His upstream provider should have pulled the plug by now, but then it is sbcglobal :(


As of 1820 GMT 11/11/05:

Blacklist Name   Status   Reason                                                         Return code   TTL    Response Time (ms)
CBL              Listed   LISTED Blocked - see Detail                                    127.0.0.2     3595   31
CSMA             Listed   LISTED Detail                                                  127.0.0.2     295    31
CSMA-SBL         Listed   LISTED Detail                                                  127.0.0.2     295    16
DNSBLNETAUT1     Listed   LISTED Detail                                                  127.0.0.2     2043   16
DSBL             Listed   LISTED Detail                                                  127.0.0.2     2043   16
DSBLALL          Listed   LISTED Detail                                                  127.0.0.2     2043   31
LASHBACK         Listed   LISTED Sender has sent to LashBack Unsubscribe Probe accounts  127.0.0.2     3595   16
PSBL             Listed   LISTED Listed in PSBL, see Detail                              127.0.0.2     2095   16
SBL-XBL          Listed   LISTED Detail                                                  127.0.0.4     3595   16
SORBS-BLOCK      Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   16
SORBS-DUHL       Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   31
SORBS-HTTP       Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   16
SORBS-MISC       Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   31
SORBS-SMTP       Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   47
SORBS-SOCKS      Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   47
SORBS-spam       Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   47
SORBS-WEB        Listed   LISTED spam Received See: Detail                               127.0.0.6     3596   31
SORBS-ZOMBIE     Listed   LISTED spam Received See: Detail                               127.0.0.6     3595   31
SPAMCOP          Listed   LISTED Blocked - see Detail                                    127.0.0.2     2095   16
Spamhaus-XBL     Listed   LISTED Detail                                                  127.0.0.4     3594   16
