jnyr Posted March 31, 2006
Hi everyone. I manage an Exchange 2003 server for 3 users and this box keeps getting on various blacklists. I did every single test for open relaying and everything looks fine. I also configured Exchange for no NDRs and auto-responders; out of office, etc. Finally, I followed the MS article for SBS to clean up queues, etc. After delisting the server everything was fine for about 2 weeks. Then the server got re-listed. This server especially gets listed on CBL. I have no idea what else to look for. During the first listing, Yahoo also blocked my server. I contacted Yahoo and they "tested" my IP and confirmed that all problems have been resolved and that my server has been unblocked. Any help would be greatly appreciated. IP Address is 205.179.171.6.
Merlyn Posted March 31, 2006
Evidently you didn't check for everything because your machine has been compromised. Either the security is compromised or it has a trojan. Probably both. See http://psbl.surriel.com/evidence?ip=205.17...=Check+evidence for examples.
Jeff G. Posted March 31, 2006
It does sound like you need some professional assistance with this problem.
Derek T Posted March 31, 2006
Herewith the recent report history.

Report History:
Submitted: 31 March 2006 11:04:12 +0100: Re: news ok
* 1705437114 ( 205.179.171.6 ) To: abuse#dsl.net[at]devnull.spamcop.net
* 1705437109 ( 205.179.171.6 ) To: postmaster[at]dsl.net
Submitted: 30 March 2006 07:33:34 +0100: Re: news ok
* 1704386568 ( 205.179.171.6 ) To: abuse#dsl.net[at]devnull.spamcop.net
* 1704386567 ( 205.179.171.6 ) To: postmaster[at]dsl.net

Are you dsl.net? Will postmaster[at]dsl.net reach you? Are you getting reports from SpamCop? Why is there no registered abuse address for this IP?

It looks like EITHER an SMTP/AUTH attack: is AUTH allowed, does it need to be? Have all default accounts been disabled? Are all passwords strong, to avoid dictionary attacks? OR a trojan on that server or one of the machines behind it. Does your server stamp all outgoing mail with the originating IP?

Just a few leads to follow up: all the above are covered by the FAQs 'here'.
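The "is AUTH allowed, does it need to be?" question above can be answered from outside by reading what the server's EHLO reply advertises to an unauthenticated client. The following is an added example, not code from the thread or from any of its participants. The parsing and the exposure check are separated from the network probe so they can be run offline; the sample EHLO reply is constructed (the hostname, client address and capability list are assumptions, modelled on what an Exchange 2003 SMTP virtual server commonly advertises), and the probe function, hostname argument and HELO name are likewise assumed.

```python
"""Does the MX advertise AUTH to anyone who connects? (added example, not from the thread)

parse_ehlo_reply() and auth_exposure() work on a captured or constructed EHLO
reply, so they run offline; probe() is the optional network part.
"""
import socket

# Constructed EHLO reply (assumption): hostname, client address and the
# capability list are made up, modelled on a typical Exchange 2003 server.
SAMPLE_EHLO = (
    "250-mail.example.com Hello [203.0.113.10]\r\n"
    "250-TURN\r\n"
    "250-SIZE\r\n"
    "250-ETRN\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250-VRFY\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-X-EXPS=LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250-X-LINK2STATE\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)


def parse_ehlo_reply(raw):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    Continuation lines are '250-...', the final line is '250 ...'. The first
    line is the server greeting, not a capability, so it is skipped. The
    legacy 'AUTH=LOGIN' spelling is folded into the AUTH keyword.
    """
    caps = {}
    first = True
    for line in raw.replace("\r", "").split("\n"):
        if len(line) < 3 or not line[:3].isdigit():
            continue
        if line[:3] != "250":
            raise ValueError("EHLO not accepted: %s" % line)
        if first:
            first = False
            continue
        body = line[4:].strip()
        if not body:
            continue
        parts = body.split()
        keyword, _, inline = parts[0].upper().partition("=")
        params = ([inline] if inline else []) + [p.upper() for p in parts[1:]]
        bucket = caps.setdefault(keyword, [])
        for p in params:
            if p not in bucket:
                bucket.append(p)
    return caps


def auth_exposure(caps):
    """Return the findings a reviewer would raise about the advertised AUTH."""
    findings = []
    mechs = caps.get("AUTH")
    if not mechs:
        return findings  # nothing for a password-guessing bot to talk to
    findings.append("AUTH advertised to unauthenticated clients: " + " ".join(mechs))
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: any AUTH exchange crosses the wire in the clear")
    weak = [m for m in ("LOGIN", "PLAIN") if m in mechs]
    if weak:
        findings.append("plaintext mechanisms %s: every password guess costs the attacker one round trip" % ", ".join(weak))
    return findings


def _read_reply(f):
    """Collect one SMTP reply; the last line has a space after the code."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.decode("latin-1"))
        if len(line) < 4 or line[3:4] != b"-":
            return "".join(lines)


def probe(host, port=25, helo="probe.example.invalid", timeout=15):
    """Connect, read the banner, send EHLO, return (banner, capabilities)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = _read_reply(f).strip()
        sock.sendall(("EHLO %s\r\n" % helo).encode("ascii"))
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return banner, parse_ehlo_reply(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        banner, caps = probe(sys.argv[1])
        print(banner)
    else:
        caps = parse_ehlo_reply(SAMPLE_EHLO)
    for finding in auth_exposure(caps) or ["AUTH not advertised"]:
        print("-", finding)
```

Run with no argument to see the findings for the constructed reply, or with a hostname to probe a real server. A server that returns no AUTH keyword on port 25 has taken the credential-guessing lead off the table; one that advertises LOGIN or PLAIN without STARTTLS is exactly what the dictionary attack mentioned above needs.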
Derek T Posted April 1, 2006
Just for the record, at 10.50 UTC 1st April:

Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      4.7         2422%
Last 30 days  3.8         205%
Average       3.3

This server should be unplugged from the 'net to stop this spew (100,000 per day and rising) and not reconnected until the problem has been found and fixed. [There is a school of thought that holds that no Exchange server should ever be connected to the internet at all: it's not what it was designed for and it is inherently open to attack.] Also please fix the lack of an abuse address. Thank you.
petzl Posted April 1, 2006
Looks to me like every thug in this area knows when you are home and when you're not! All information on that computer is available to any thug who wants it. I suggest a reformat and a security check for this computer.
Merlyn Posted April 1, 2006
I wonder if his company knows how badly he is handling their corporate mail system.

205.179.171.6 SMTP - 25
220 plasmion-s02.plasmion.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Sat, 1 Apr 2006 08:01:21 -0500

Last day      4.7   2430%
Last 30 days  3.8   205%

CBL - The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2
Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=205.179.171.6

XBL - Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4
http://www.spamhaus.org/query/bl?ip=205.179.171.6

SPAMCOP - SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2
Blocked - see http://www.spamcop.net/bl.shtml?205.179.171.6

PSBL - Passive spam Block List: psbl.surriel.com -> 127.0.0.2
Listed in PSBL, see http://psbl.surriel.com/listing?ip=205.179.171.6
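The lookup output above is the result of four DNSBL queries: the IPv4 octets are reversed, the list's zone is appended, and an A record is requested; an answer in 127.0.0.0/8 means the address is listed and the exact value is that list's return code (127.0.0.2 for CBL, SpamCop and PSBL here, 127.0.0.4 for the Spamhaus XBL). The following is an added example, not code from the thread or from any of the lists' operators. It reproduces that check so the listing can be re-tested after a cleanup; the resolver is injectable, and the canned answers are constructed from the codes shown in the post so the logic runs offline. Treating only 127.0.0.0/24 as a listing, and anything else as a query error, is an assumption of this example.

```python
"""DNSBL lookup for one IP (added example, not from the thread).

Query name = reversed IPv4 octets + "." + zone; an A record in 127.0.0.0/8
means "listed" and the exact value is the list's reason code. The resolver
is injectable so the logic can be exercised offline with canned answers.
"""
import ipaddress
import socket

# Zones seen in the thread's lookup output.
DNSBLS = (
    "cbl.abuseat.org",   # CBL: Composite Blocking List
    "xbl.spamhaus.org",  # Spamhaus XBL (includes CBL)
    "bl.spamcop.net",    # SpamCop Blocking List
    "psbl.surriel.com",  # Passive Spam Block List
)

# Canned answers, constructed from the return codes the thread shows.
CANNED = {
    "6.171.179.205.cbl.abuseat.org": "127.0.0.2",
    "6.171.179.205.xbl.spamhaus.org": "127.0.0.4",
    "6.171.179.205.bl.spamcop.net": "127.0.0.2",
    "6.171.179.205.psbl.surriel.com": "127.0.0.2",
}


def dnsbl_name(ip, zone):
    """'205.179.171.6' + 'cbl.abuseat.org' -> '6.171.179.205.cbl.abuseat.org'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A-record lookup via the OS resolver; None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(answer):
    """Map a DNSBL answer to ('listed' | 'clear' | 'error', reason)."""
    if answer is None:
        return "clear", "no A record"
    addr = ipaddress.ip_address(answer)
    if addr in ipaddress.ip_network("127.0.0.0/24"):
        return "listed", "return code %s" % answer
    # Assumption: anything else (e.g. 127.255.255.x) is the list signalling a
    # problem with the query, not a verdict on the IP; never report it as a hit.
    return "error", "unexpected answer %s" % answer


def lookup(ip, zones=DNSBLS, resolve=system_resolver):
    """Query every zone; return {zone: (status, reason)}."""
    return {zone: classify(resolve(dnsbl_name(ip, zone))) for zone in zones}


def listed_zones(results):
    """Zones that reported a listing, sorted for stable output."""
    return sorted(z for z, (status, _) in results.items() if status == "listed")


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    ip = sys.argv[1] if live else "205.179.171.6"
    resolver = system_resolver if live else CANNED.get
    for zone, (status, reason) in lookup(ip, resolve=resolver).items():
        print("%-20s %-7s %s" % (zone, status, reason))
```

With no argument the script replays the canned answers; with an IP it queries the real zones through the system resolver. An "error" status is worth a second look before delisting requests go out, since some lists answer policy problems (for example queries from a blocked resolver) with codes outside the normal range rather than with a listing.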
Derek T Posted April 1, 2006
It appears that he's gone home for the weekend, leaving the spew to continue. I wonder how many more blacklists he'll be on by Monday morning.
Derek T Posted April 2, 2006
Well, well, well. The spew has stopped! At 1207 UTC Sunday 2nd April:

Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      0.0         -100%
Last 30 days  3.8         170%
Average       3.3

Let's see what happens tomorrow when the office opens again? Or maybe his upstream pulled the plug?
Merlyn Posted April 2, 2006
I don't think he will be back here.
Wazoo Posted April 2, 2006
User has been back, was even reading in this Topic ... apparently took the comments to heart, somehow got something resolved, but ... no post ... Last Active: 1st April 2006 - 04:10 PM
Derek T Posted April 2, 2006
Ah well, nice to have been of some help. We don't do it for the thanks, do we?
Merlyn Posted April 3, 2006
Not getting spam is thanks enough!
Derek T Posted April 5, 2006
Perhaps we spoke too soon... 1103 UTC 5th April:

Volume Statistics for this IP
              Magnitude   Vol Change vs. Average
Last day      4.6         1675%
Last 30 days  3.8         143%
Average       3.4