jase Posted March 5, 2004

Hi,

I have a mailserver blocked on 144.139.33.146 for sending mail to mailtraps. The ip address that is blocked is not a static ip. There's nothing in ordb etc about the ip being blocked. (It can't be relay, it has no externally reachable smtp service) I fixed open relays before, but maybe I don't understand this....it seems pretty silly right now.

Jase
jase (Author) Posted March 5, 2004

Query bl.spamcop.net - 144.139.33.146
DNS error: 144.139.33.146 has no reverse dns

Just as additional info:

144.139.33.146 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been listed for 34 hours.

In the past week, this system has:
Been detected sending mail to spam traps

Other hosts in this "neighborhood" with spam reports:
144.139.33.3
144.139.33.31
144.139.33.52
144.139.34.31
144.139.34.101
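The listing output above is what a DNS-based blocklist (DNSBL) query returns: the address's octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 (127.0.0.2 for bl.spamcop.net) means "listed", while NXDOMAIN means "not listed". The following is an added example, not code from the thread or from SpamCop, showing how a mail admin can script that check for their own address before (or after) a block. The IP and the bl.spamcop.net zone come from the post; the helper names and the fake resolver used for offline testing are my own.

```python
import ipaddress
import socket

# Added example, not code from the SpamCop forum thread. Only the IP
# 144.139.33.146, the zone bl.spamcop.net and the 127.0.0.2 answer come
# from the post; every other value here is constructed.


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    144.139.33.146 -> 146.33.139.144.bl.spamcop.net
    Raises ValueError for anything that is not a valid IPv4 address,
    so a garbled or IPv6 input never produces a bogus query."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answer(answer):
    """Classify the A-record answer of a DNSBL query.
    None (NXDOMAIN) -> "not listed"; any 127.0.0.0/8 address -> "listed"
    (SpamCop uses 127.0.0.2); anything else -> "unexpected answer", e.g.
    a wildcard from a dead or hijacked zone, which must not be treated
    as a listing."""
    if answer is None:
        return "not listed"
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return "unexpected answer"
    if addr in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "unexpected answer"


def lookup(ip: str, zone: str = "bl.spamcop.net", resolver=socket.gethostbyname):
    """Query the list and return (query_name, raw_answer, verdict).
    `resolver` maps a hostname to an IPv4 string and raises OSError
    (socket.gaierror is a subclass) when the name does not exist;
    socket.gethostbyname behaves that way, and a fake can be passed in
    so the logic is testable without network access."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolver(name)
    except OSError:
        answer = None
    return name, answer, interpret_answer(answer)


if __name__ == "__main__":
    # Live query; needs DNS access and the result depends on the list today.
    print(lookup("144.139.33.146"))
```

The split between `dnsbl_query_name`, `interpret_answer` and `lookup` is deliberate: the first two are pure and can be unit-tested, and only `lookup` touches the network. Treating anything outside 127.0.0.0/8 as "unexpected" rather than "listed" is the caveat that matters operationally, since a retired list that starts wildcarding would otherwise block all mail.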
Spambo Posted March 5, 2004

> Hi, I have a mailserver blocked on 144.139.33.146 for sending mail to mailtraps. The ip address that is blocked is not a static ip. There's nothing in ordb etc about the ip being blocked. (It can't be relay, it has no externally reachable smtp service) I fixed open relays before, but maybe I don't understand this....it seems pretty silly right now. Jase

You don't give a lot of information but I agree that a Deputy or admin might ought to look into this since in addition to 144.139.33.146 the following nearby IPs (which I found as links on the 144.139.33.146 & subsequent SCBL output pages) have rather suspicious listings. As of this writing [1] all are apparently listed only because of spamtrap hits:

144.139.31.110
144.139.31.181
144.139.33.3
144.139.33.31
144.139.33.52
144.139.34.101
144.139.34.31
144.139.33.146

In addition, 144.139.31.210 is listed but there are no examples or mention of spamtraps. Only one of the "nearby" IP links showed any evidence other than just spamtraps - 144.139.32.22l.

[1] The SCBL output page is dynamic and is not updated in "real time", as such evidence (other than spamtrap hits) may be available after I post my comments.

Finally, although this isn't a SpamCop issue, you really should take care of your RFC-Ignorant listing while you're in the "clean-up mood".
Merlyn Posted March 5, 2004

Why are you running a mail server on a dynamic IP? Many administrators will not accept mail from a dynamic IP. Use your ISP's mail server. There is no proper reverse dns setup, it's dynamic, and email is being sent to spamtraps. No one should accept email from this machine. You probably have a compromised machine or an open proxy instead of an open relay.
Ellen Posted March 5, 2004

Whatever or whoever was connected to 144.139.33.146 was definitely sending spam on 3/3 -- looks like a compromised machine behind a nat box. Looking at 144.139.33.31 it also looks like a compromised machine although not necessarily the same machine that was spamming on .146
jase (Author) Posted March 6, 2004

> Why are you running a mail server on a dynamic IP? Many administrators will not accept mail from a dynamic IP. Use your ISP's mail server. There is no proper reverse dns setup it's dynamic and email is being sent to spamtraps. No one should accept email from this machine. You probably have a compromised machine or an open proxy instead of an open relay.

Merlyn -> I'm using dynamic while I'm waiting for a static to be allocated. I have no open proxy on that machine (as I have no proxy on that machine). There is no malware on the PCs connected to that mailserver. Only the internal side has access to the mailserver, and they have whitelisted internet access only. I can see why you believe no-one should accept mail from that server. But I don't agree. Sorry.

Cheers for the RFC wakeup Spambo, I'll probably leave that till the static is done though.

I greatly appreciate your comments. There's still very little info on this actual block. I get concerned when blacklist blocks get made with grey. Where can I find out more about the "spamtraps"?
Wazoo Posted March 6, 2004

> Where can I find out more about the "spamtraps"?

Google just came back with over 35,900 hits. First page included people that use them, people that want to declare war on them, and people that explain them. That you're playing from a non-static IP has you screwed from the viewpoint that you've no idea who had it last. So the issue may not be you at all (but of course, "we" have no idea of the timing involved .... No accusations, but you won't believe the people that have barged in and said "ain't no way my system/network is screwed up" only to find that yep, there was a Trojanized computer in the sales office, yep, the super-secure e-mail app was actually 17 revisions away from current due to hacking issues, yep, some idiot had re-installed some major package and left all the default passwords in place .... it just would have been nicer to see the words "to the best of my knowledge" in your last ....
jase (Author) Posted March 6, 2004

> Where can I find out more about the "spamtraps"?
>
> Google just came back with over 35,900 hits. First page included people that use them, people that want to declare war on them, and people that explain them. That you're playing from a non-static IP has you screwed from the viewpoint that you've no idea who had it last. So the issue may not be you at all (but of course, "we" have no idea of the timing involved .... No accusations, but you won't believe the people that have barged in and said "ain't no way my system/network is screwed up" only to find that yep, there was a Trojanized computer in the sales office, yep, the super-secure e-mail app was actually 17 revisions away from current due to hacking issues, yep, some idiot had re-installed some major package and left all the default passwords in place .... it just would have been nicer to see the words "to the best of my knowledge" in your last ....

Yep, Wazoo, reading it, I can see how it sounds. I'm too used to being the one getting asked the dumb questions.....I'm sure you know how that is. I forgot the count in the left column has me at less than 5 posts. I did do a search on google before I asked the question....What I meant was can I see the logs etc of my supposed breach in relation to a mailtrap?
Wazoo Posted March 6, 2004

No, those records are kept pretty much under eyes-only for the SpamCop staff .. but, it's (usually) Ellen that can (and did) take a look at them and try to offer enough to help but not compromise the spamtrap addresses. For example, per her remarks, was the IP she identified in "144.139.33.146 was definitely sending spam on 3/3" under your control that day? This is where she offered that it looked like a compromised machine behind a nat box .... will take a stab in the dark that what that shows is the alleged source was from a normally non-routable address, say 192.168.x.x, which made its exit to the world through the computer sitting at 144.139.33.146 .... another thread had that user stating that the IP in question was the firewall, thus explaining why he couldn't find anything in the e-mail logs .. the compromised machine was using the trojan SMTP engine and just shooting out to the world, totally bypassing the e-mail server. I think Ellen is suggesting that this is what she saw in the sample information she has offered.
Jeff G. Posted March 6, 2004

You could, of course, firewall all outbound SMTP traffic from all addresses except those associated with your authorized SMTP sending systems (like mailservers and system monitors), and watch the firewall logs closely.
jase (Author) Posted March 7, 2004

Jeff G. --> Yep, I agree! (afaik - wazoo ) I have the external interface of the mailserver in the same subnet as the router, and the clients on a separate subnet (and a second net adapter in the mailserver for the client subnet). The firewall only allows that subnet.

Sorry Wazoo (and Ellen) I'm not that familiar with spamtraps. I didn't realise they were not (but can now see why) public knowledge. I have looked through the outbound logs and can't see anything I wouldn't expect. I really just have to wait this out I s'pose.
Wazoo Posted March 7, 2004

jase - thanks for the extra comment <g> But right now, I'm trying not to cry .. I know you went to the effort to explain your set-up, but .... you started with "my mailserver is blocked" then you have the mailserver and router in the same subnet then the second NIC is "in the mailserver" for the other subnet and somewhere is a firewall that only allows "that subnet" I can't read / decide if you're saying that the firewall in front of the mailserver looking at all traffic (that subnet says no) or after the mailserver and (guessing) on the client side subnet .. but that asks what the heck the router's doing ... or is the router and the mailserver one and the same machine (that two NIC thing) [but still not sure where the firewall is] .... the firewall between the mailserver and the world wouldn't be described as "that subnet" ... or the firewall is after the mailserver and between the router and clients (or even between the mailserver and the [separate?] router), but if that's so, then the "that subnet" would include letting one of the clients' machines get out ... I'm getting dizzy and that warm fuzzy feeling just isn't there for me ... admitting that it's another one of those long nights and haven't been able to nod off, so maybe I'm just too tired to see the obvious facts you laid out ....
jase (Author) Posted March 10, 2004

Don't get too confused Wazoo........block is gone now. I'd just like to see something concrete about what caused it in the first place.
Miss Betsy Posted March 10, 2004

I don't know whether Ellen would be able to tell you any more than she did. She has seen a lot of these and if I were you, I would definitely look for a compromised machine before you get blocked again. If it happens again, you can email Ellen at deputies at spamcop.net

Miss Betsy
Jeff G. Posted March 10, 2004

Please don't just look at your mailserver's logs of outbound mail traffic (especially including bounces), look also at your firewall's logs of outbound port 25 connections. Thanks!
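Jeff G.'s two posts describe the check that catches the "compromised machine behind a NAT box" Ellen and Wazoo suspect: a spambot with its own SMTP engine never touches the mailserver, so its port-25 connections show up only in the firewall's outbound log, from an internal address that is not the mailserver. The script below is an added example, not code from the thread or from SpamCop, that correlates the two logs. The log lines are constructed (a netfilter LOG-style firewall line format and a generic mailserver delivery line are assumed), and the addresses are invented: 192.168.0.2 plays the NATed mailserver, 192.168.1.20 a client workstation, and the public destinations use documentation ranges.

```python
import re
from collections import Counter

# Added example; every log line and address below is constructed for
# illustration and is not from the thread. Line formats are assumed:
# firewall lines in netfilter LOG-target style, mail lines in a generic
# "connect to host:25" style. Adapt the two regexes to your own logs.
FIREWALL_LOG = """\
Mar  3 09:58:13 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=203.0.113.25 PROTO=TCP SPT=40111 DPT=25
Mar  3 10:02:44 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=1051 DPT=25
Mar  3 10:02:45 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1052 DPT=25
Mar  3 10:03:10 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.80 PROTO=TCP SPT=1053 DPT=443
Mar  3 10:05:02 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=198.51.100.40 PROTO=TCP SPT=40112 DPT=25
"""

MAIL_LOG = """\
Mar  3 09:58:13 mail smtp[812]: outbound connect to 203.0.113.25:25 status=sent
"""

FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)")
MAIL_RE = re.compile(r"connect to (?P<dst>[\d.]+):25\b")


def firewall_smtp_connections(text):
    """Yield (src, dst) for every logged outbound TCP connection to port 25."""
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dport") == "25":
            yield m.group("src"), m.group("dst")


def mailserver_destinations(text):
    """Set of remote hosts the mailserver's own log says it delivered to."""
    found = set()
    for line in text.splitlines():
        m = MAIL_RE.search(line)
        if m:
            found.add(m.group("dst"))
    return found


def correlate(fw_text, mail_text, mail_server_ip):
    """Compare the firewall's view with the mailserver's view. Returns:
      rogue_sources: internal hosts other than the mailserver that opened
                     port-25 connections, with counts. This is what a bot
                     with its own SMTP engine behind NAT looks like.
      unexplained_from_mail_server: port-25 connections from the mailserver
                     that its own log does not account for; worth a look,
                     though often just a timing or log-format gap."""
    known = mailserver_destinations(mail_text)
    rogue = Counter()
    unexplained = []
    for src, dst in firewall_smtp_connections(fw_text):
        if src != mail_server_ip:
            rogue[src] += 1
        elif dst not in known:
            unexplained.append(dst)
    return {"rogue_sources": dict(rogue),
            "unexplained_from_mail_server": unexplained}


if __name__ == "__main__":
    print(correlate(FIREWALL_LOG, MAIL_LOG, "192.168.0.2"))
```

On the constructed data the report names 192.168.1.20 as a host that opened two port-25 connections without going through the mailserver, which is exactly the machine to pull off the network and inspect; the mailserver's own connection to 198.51.100.40 is listed separately as unexplained rather than rogue, since it came from the authorized sender and merely lacks a matching delivery log line. jase's later note that the two logs were "congruent" corresponds to both lists coming back empty.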
jase (Author) Posted March 11, 2004

Thanks JeffG, A good idea. I did a search in the logs of the firewall and compared them to the outbound logs of the smtp service, and they were congruent. I believe (yet to prove) that the ip was soiled prior to me getting it. I'm seeing a lot of bigpond/telstra IPs in that range showing up.
Wazoo Posted March 11, 2004

Boy howdy, based on the list you provided in another post elsewhere, it seems pretty apparent that Telstra is still not up to speed on solving these types of problems. My sympathies go out to you.
jase (Author) Posted March 13, 2004

Telstra are highly unlikely to fix this easily either as at some stage during the process they may have to admit fault to someone.