dbiel Posted July 7, 2006

> I thank you for any help that is needed. All I am trying to do is fix this problem and stop us from sending out spam to others. At this point I am not sure what direction to go as I have followed almost every suggestion given.

Try this test; it may prove informative or it may be a waste of time. Address an email to a non-existent name at each of your domains. Be sure to use a from/reply-to address that will send the mail to a server other than the one you are actually sending the message from. Send it and find out what happens. Is it received by your server? Is it bounced by your server? If it is bounced, does the bounce go to the IP address it was sent to or to the from/reply-to address contained in the message? If the bounce is going to the reply-to address then you have found your problem. Be sure to test each and every domain you control, just in case they are not set up exactly the same.
sesblacklisted (Author) Posted July 7, 2006

I tried using Mozilla's Thunderbird to set the email address, but every time I try to send an email it gives me a 5.7.1 server response: unable to relay for xxxx[at]cpa-ws.com. So really we must be doing something right if people cannot relay from another address.
dbiel Posted July 7, 2006

That adds to the favorable side of things for outbound mail, but does not address the possible server bounce issue. Try sending from a Yahoo or Hotmail account, or even have a friend do it for you, as long as the original message does not go out through your server. You need to know exactly how your server handles mail addressed to your domain but not addressed to a real user. It is true that some of this has already been done per notes earlier in this thread, but with the changes made to the server, and not knowing if any other domains are involved, it may still be worth the effort.
sesblacklisted (Author) Posted July 14, 2006

We only have a single domain and it seems that our bounces are done the correct way. Once again I am at my wits' end.
Merlyn Posted July 14, 2006

Looks like you removed yourself from the CBL at 2006-07-14 21:49 GMT. If you keep doing this without fixing your problem you will get added without the option to remove it. HTH
dbiel Posted July 14, 2006

> We only have a single domain and it seems that our bounces are done the correct way. Once again I am at my wits' end.

One of the problems with public forums is "trust". One of the problems of providing help is the need for information. You say you are at your wits' end, but you do not trust us with the information to be able to help you. That is your call, but it limits our ability to help. You say "it seems that our bounces are done the correct way." Maybe yes, maybe no. We need to see the bounce before we can say it is not the problem. At this point it is all guesswork. When you really get to your wits' end, then post a complete copy of the bounced message. Also remember you get what you pay for. Here at the SpamCop Forums you get a whole lot more than you pay for. Keep that in mind when you are asking for help.
Miss Betsy Posted July 14, 2006

> Also remember you get what you pay for. Here at the SpamCop Forums you get a whole lot more than you pay for. Keep that in mind when you are asking for help.

That's a nice way of saying that if you need more help than has been given you here (considering the lack of data), then maybe you had better hire someone who knows what s/he is doing to fix your problem.

Miss Betsy
Merlyn Posted July 15, 2006

> That's a nice way of saying that if you need more help than has been given you here (considering the lack of data), then maybe you had better hire someone who knows what s/he is doing to fix your problem. Miss Betsy

No one could have said it better!
sesblacklisted (Author) Posted July 17, 2006

> Looks like you removed yourself from the CBL at 2006-07-14 21:49 GMT. If you keep doing this without fixing your problem you will get added without the option to remove it. HTH

It's a catch-22: I am putting a considerable amount of time into trying to fix this (just look at the length of these posts) and yet I have to be able to conduct my business. Thanks for the zinger, however; this makes it even more painful. All I am trying to do is get some answers and figure out what the problem is. Coming to these forums I thought I would get that, as in most of the forums I participate in we exchange knowledge and lend a hand as much as possible. As far as trust, sure I can post the bounced message. I sent this from my Roadrunner account to a fictitious address on our server; this is the message I got back.

The original message was received at Mon, 17 Jul 2006 09:27:24 -0500 (CDT)
from [10.93.38.36]

----- The following addresses had permanent fatal errors -----
<spammers[at]cpa-ws.com>
(reason: 550 5.1.1 User unknown)

----- Transcript of session follows -----
... while talking to mail.cpa-ws.com.:
>>> DATA
<<< 550 5.1.1 User unknown
550 5.1.1 <spammers[at]cpa-ws.com>... User unknown
<<< 503 5.5.2 Need Rcpt command.
StevenUnderwood Posted July 17, 2006

> It's a catch-22: I am putting a considerable amount of time into trying to fix this (just look at the length of these posts) and yet I have to be able to conduct my business. Thanks for the zinger, however; this makes it even more painful.

It was not meant to be a zinger. Just letting you know you may have made things harder on yourself by removing yourself from lists before understanding what caused the problem in the first place. As someone else here has stated, if you do not feel confident giving us the information we need to help you, perhaps it is time to hire someone you do trust.
Telarin Posted July 17, 2006

OK, let's go over what has been done so far, as this topic is getting long and I see things being suggested that have already been tried. I contacted Ellen and posted headers here. At the time, what was coming out was definitely actual spam. The email had Exchange headers in it, but they didn't appear to be the correct version. This could be confirmed by sending an email through the Exchange server to another email address and comparing the X-header lines. Since Exchange is responsible for adding those headers, if the version listed in the headers is not correct, then the email is probably not really moving through the Exchange server. Have you had any success checking your firewall logs, or adjusting your firewall settings to block port 25 traffic to machines other than the server? Does your ISP provide you with just a single IP address, or do you have more that you can use? You might also want to contact Ellen again (deputies[at]admin.spamcop.net) to get a fresh set of headers. It is possible that the original problem was fixed and we are dealing with a new problem. What else has been done?
sesblacklisted (Author) Posted July 17, 2006

> It was not meant to be a zinger. Just letting you know you may have made things harder on yourself by removing yourself from lists before understanding what caused the problem in the first place. As someone else here has stated, if you do not feel confident giving us the information we need to help you, perhaps it is time to hire someone you do trust.

It's not really a trust issue; I am providing you what you are asking. Maybe I need to just post things that aren't asked?

> OK, let's go over what has been done so far, as this topic is getting long and I see things being suggested that have already been tried. I contacted Ellen and posted headers here. At the time, what was coming out was definitely actual spam. The email had Exchange headers in it, but they didn't appear to be the correct version. This could be confirmed by sending an email through the Exchange server to another email address and comparing the X-header lines. Since Exchange is responsible for adding those headers, if the version listed in the headers is not correct, then the email is probably not really moving through the Exchange server. Have you had any success checking your firewall logs, or adjusting your firewall settings to block port 25 traffic to machines other than the server? Does your ISP provide you with just a single IP address, or do you have more that you can use? You might also want to contact Ellen again (deputies[at]admin.spamcop.net) to get a fresh set of headers. It is possible that the original problem was fixed and we are dealing with a new problem. What else has been done?

Thank you for your response, Telarin. Here is a recent email I have sent from my account on cpa-ws.com to a completely different server.

Content-Class: urn:content-classes:message
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C6A9AE.9B3A05B4"
Date: Mon, 17 Jul 2006 08:38:01 -0600 [08:38:01 AM MDT]
Delivery-date: Mon, 17 Jul 2006 08:33:07 -0600
Envelope-to: xxxxx[at]browseelpaso.com
From: XXXXX <xxxxx[at]cpa-ws.com>
MIME-Version: 1.0
Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC690070[at]server1.cpa-ws.internal>
Received: from browseel by box30.bluehost.com with local-bsmtp (Exim 4.52) id 1G2U9U-00081f-Dk for xxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:33:06 -0600
Received: from mail.cpa-ws.com ([209.12.205.10] helo=server1.cpa-ws.internal) by box30.bluehost.com with esmtp (Exim 4.52) id 1G2U9R-00080X-Rq for xxxxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:32:50 -0600
Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 08:38:03 -0600
Return-path: <xxxxx[at]cpa-ws.com>
Subject: test
Thread-Topic: test
To: xxxxxx[at]browseelpaso.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
X-OriginalArrivalTime: 17 Jul 2006 14:38:03.0640 (UTC) FILETIME=[9C2F7F80:01C6A9AE]
X-spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on box30.bluehost.com
X-spam-Level:
X-spam-Status: No, score=0.3 required=5.0 tests=AWL,HTML_MESSAGE autolearn=ham version=3.1.3
thread-index: AcaprpswXnvaEZgTSTa0XHWdrVFnOg==
Telarin Posted July 17, 2006

Your server appears to be kicking back a 550 error for unknown users, which is exactly what it should do, so I don't think that is the problem. As I said, when I checked with Ellen before she told me that it all looked like real spam, and all had headers similar to what I posted here.

Try this: Using every method that your users would use to submit mail (both local and remote, just in case the headers are different), send yourself a message at an outside email address and post the headers here (feel free to munge the addresses, as we are mostly interested in the X-headers at this point). That way we can compare it with the headers on the spam to see if it is really coming from the Exchange server, or from a zombied PC somewhere on the network.

What kind of AV software are you running on your network PCs? Are they all up to date? Do you have any users that might be using personal laptops on the network, or to access their emails? Do you have a way of checking those for viruses and trojans? Many companies won't allow users to use their personal computers to access the company network at all other than through internet-facing websites like Outlook Web Access; you might want to consider something like this (at least for the time being) until we get this sorted out.

Have you loaded Exchange Service Pack 2 on your server? This fixed several possible security issues and exploits. It also updated IMF (Intelligent Message Filtering) to version 2 and may help with incoming spam as well.

Do you enforce a strong password policy on your users, and do you require them to change their passwords periodically? You might want to consider expiring all passwords on the network and requiring your users to change them immediately just in case a hacker has "guessed" one of the passwords and is using it to access the network through legitimate means.

That's all I can think of right now, but I will post any other ideas I have on the matter as I come up with them.

Edit: OK, you replied with more data while I was in the process of composing this book, so let's look at it. The headers you posted contain:

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

While the headers I posted before contain:

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Chances are you have loaded some patches since then, so that could account for the slight difference in versions. If that is the case, then I would suspect that the mail is definitely moving through the Exchange server. While a zombie can certainly forge the X-lines, it would be extremely unlikely that it would happen to have the correct Exchange version if it was forged, considering the number of different revisions of Exchange in production environments.

Check in the System Manager under:

Servers -> Servername -> Protocols -> Default SMTP Server (properties)
Access tab -> Relay

Under "Select which computer may relay through this virtual server:" you should have "Only the list below".
Computers: 127.0.0.1
You might also have your private IP block listed, for instance 192.168.1.0 (255.255.255.0) if you were using 192.168.1.x locally. There should not be any public IP addresses listed here.

Click the "Users" button on this same page: Authenticated Users should have Submit Permission, and nothing else. No other users should be listed.

Have you tried using the Message Tracking Center to pull up the message that Ellen gave us the headers for? We might be able to tell something from that. You might also want to search your Exchange logs (c:\program files\exchsrvr\logging\servername.log by default) for the partial message ID listed in those headers. I don't know how long you have it set to retain logs, so you might have to contact Ellen for fresh headers. This will generally give you an idea where the messages are being submitted from.

You might also want to contact your ISP and find out why the abuse reports are not being forwarded to you, as the headers from those reports would be very helpful, and you could also possibly figure out when these emails are actually going out.
StevenUnderwood Posted July 17, 2006

> It's not really a trust issue; I am providing you what you are asking. Maybe I need to just post things that aren't asked?

We need the complete bounce message, including the headers. Parsing some information from that message shows your mail server is not currently accepting any commands I could find, so I could not confirm that your bounces do not go to forged headers:

C:\>nslookup
Default Server: kopdc01.kopin.com
Address: 10.1.75.11

> mail.cpa-ws.com
Server: kopdc01.kopin.com
Address: 10.1.75.11

Non-authoritative answer:
Name: mail.cpa-ws.com
Address: 209.12.205.10

C:\> telnet 209.12.205.10 25
220 **************************************************************************** *******************************************
helo underwood.spamcop.net
500 5.3.3 Unrecognized command
help
500 5.3.3 Unrecognized command
?
500 5.3.3 Unrecognized command
list
500 5.3.3 Unrecognized command
sesblacklisted (Author) Posted July 17, 2006

> Using every method that your users would use to submit mail (both local and remote, just in case the headers are different), send yourself a message at an outside email address and post the headers here (feel free to munge the addresses, as we are mostly interested in the X-headers at this point). That way we can compare it with the headers on the spam to see if it is really coming from the Exchange server, or from a zombied PC somewhere on the network.

I sent myself a message by logging into the Web Access:

Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 08:58:08 -0600
x-pp-smtpvs:1
x-pp-sclvalue:-1
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
Subject: test
Date: Mon, 17 Jul 2006 08:58:07 -0600
Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>
Thread-Topic: test
Thread-Index: AcapsWnkaDDYSrsYQIWYfWOmcUARfg==
From: "xxxx" <xxxx[at]cpa-ws.com>
To: "xxxxx" <xxxxx[at]cpa-ws.com>
X-OriginalArrivalTime: 17 Jul 2006 14:58:08.0859 (UTC) FILETIME=[6A8D52B0:01C6A9B1]

Here is a message I sent to a completely independent email address of mine from a machine on the network:

Return-path: <xxxx[at]cpa-ws.com>
Received: from ms-mta-03 (ms-mta-03-eri0.texas.rr.com [10.93.46.17]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00M66YWFZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:57:51 -0500 (CDT)
Received: from hrndva-mx-07.mgw.rr.com (hrndva-mx-07.mgw.rr.com [24.28.204.26]) by ms-mta-03.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J006ONYWBCS[at]ms-mta-03.texas.rr.com> for xxxxx[at]elp.rr.com (ORCPT xxxx[at]elp.rr.com); Mon, 17 Jul 2006 09:57:51 -0500 (CDT)
Received: from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400
Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600
Date: Mon, 17 Jul 2006 09:02:44 -0600
From: xxxx <xxxx[at]cpa-ws.com>
Subject: test
To: xxxxx[at]elp.rr.com
Message-id: <2D588D03F7C48D42B13C19F0B6F8B5AC690073[at]server1.cpa-ws.internal>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Content-type: multipart/alternative; boundary="----_=_NextPart_001_01C6A9B2.0F0FA356"
Content-class: urn:content-classes:message
Thread-topic: test
Thread-index: Acapsg8KhqdsVKA/Qj6JS3BtbJJSnA==
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Original-recipient: rfc822;xxxxxx[at]elp.rr.com
X-OriginalArrivalTime: 17 Jul 2006 15:02:46.0593 (UTC) FILETIME=[10182B10:01C6A9B2]

> What kind of AV software are you running on your network PCs? Are they all up to date? Do you have any users that might be using personal laptops on the network, or to access their emails? Do you have a way of checking those for viruses and trojans?

Some machines are running AVG, others are using Trend Micro. All are set for daily scans and updates; this I have made sure, twice! We have several users that have laptops on the network and can access their emails when out of the office using Outlook Web Access. I have checked for virii and trojans just last week; all were clean.

> Have you loaded Exchange Service Pack 2 on your server? This fixed several possible security issues and exploits. It also updated IMF (Intelligent Message Filtering) to version 2 and may help with incoming spam as well.

We had installed SP2, but had a conflict with some of our software at the time. I will look into the problems we've had and research this a little.

> Do you enforce a strong password policy on your users, and do you require them to change their passwords periodically? You might want to consider expiring all passwords on the network and requiring your users to change them immediately just in case a hacker has "guessed" one of the passwords and is using it to access the network through legitimate means.

Yes, we enforce strong passwords and change them regularly. I just changed them last week, in fact.
Merlyn Posted July 17, 2006

Same old med stuff...............

Submitted: Friday, June 16, 2006 5:51:14 PM -0400: Discount meds shipping world wide
Submitted: Thursday, June 15, 2006 2:39:47 PM -0400: Our store is your cureall!

---------------------------------------------------------------
IP Address 209.12.205.10 was not found in the CBL.
It was previously listed, but was removed at 2006-07-17 13:54 GMT
-------------------------------------------------------------------------------

Looks like you just keep removing yourself from the CBL without fixing your trojanned machine, but don't worry, it will be back on soon.
sesblacklisted (Author) Posted July 17, 2006

> Looks like you just keep removing yourself from the CBL without fixing your trojanned machine, but don't worry, it will be back on soon.

Seriously, I can do without the cracks; if it's not obvious to you that I am not trying to fix this then feel free to pile it on. I am not the enemy, the spammers are.

> Same old med stuff............... Submitted: Friday, June 16, 2006 5:51:14 PM -0400: Discount meds shipping world wide Submitted: Thursday, June 15, 2006 2:39:47 PM -0400: Our store is your cureall!

June??? That is well over a month ago.

> We need the complete bounce message, including the headers.

Here you go:

Return-path: <>
Received: from ms-mta-04 (ms-mta-04-eri0.texas.rr.com [10.93.46.18]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00MT6XHTZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:27:36 -0500 (CDT)
Received: from ms-smtp-01.texas.rr.com (ms-smtp-01.texas.rr.com [24.93.47.40]) by ms-mta-04.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J003K1XHXCL[at]ms-mta-04.texas.rr.com> for xxxx[at]elp.rr.com (ORCPT xxx[at]elp.rr.com); Mon, 17 Jul 2006 09:27:33 -0500 (CDT)
Received: from localhost (localhost) by ms-smtp-01.texas.rr.com (8.13.6/8.13.6) id k6HERSNY007228; Mon, 17 Jul 2006 09:27:28 -0500 (CDT)
Date: Mon, 17 Jul 2006 09:27:28 -0500 (CDT)
From: Mail Delivery Subsystem <MAILER-DAEMON[at]ms-smtp-01.texas.rr.com>
Subject: Returned mail: see transcript for details
To: xxx[at]elp.rr.com
Message-id: <200607171427.k6HERSNY007228[at]ms-smtp-01.texas.rr.com>
Auto-submitted: auto-generated (failure)
MIME-version: 1.0
Content-type: multipart/report; report-type=delivery-status; boundary="k6HERSNY007228.1153146448/ms-smtp-01.texas.rr.com"
Original-recipient: rfc822;xxx[at]elp.rr.com
Attachments: message/delivery-status 1K

The original message was received at Mon, 17 Jul 2
sesblacklisted (Author) Posted July 17, 2006

> Edit: OK, you replied with more data while I was in the process of composing this book, so let's look at it. The headers you posted contain: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 While the headers I posted before contain: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Chances are you have loaded some patches since then, so that could account for the slight difference in versions. If that is the case, then I would suspect that the mail is definitely moving through the Exchange server. While a zombie can certainly forge the X-lines, it would be extremely unlikely that it would happen to have the correct Exchange version if it was forged, considering the number of different revisions of Exchange in production environments.

I don't think we've loaded patches since then.

> Check in the System Manager under: Servers -> Servername -> Protocols -> Default SMTP Server (properties) Access tab -> Relay. Under "Select which computer may relay through this virtual server:" you should have "Only the list below". Computers: 127.0.0.1. You might also have your private IP block listed, for instance 192.168.1.0 (255.255.255.0) if you were using 192.168.1.x locally. There should not be any public IP addresses listed here. Click the "Users" button on this same page: Authenticated Users should have Submit Permission, and nothing else. No other users should be listed.

Yes, that was done many months ago; I just checked again to make sure and they are the correct settings as you have listed.

> Have you tried using the Message Tracking Center to pull up the message that Ellen gave us the headers for? We might be able to tell something from that. You might also want to search your Exchange logs (c:\program files\exchsrvr\logging\servername.log by default) for the partial message ID listed in those headers. I don't know how long you have it set to retain logs, so you might have to contact Ellen for fresh headers.

We have logs going back several months, but it's hard to figure out the partial headers.
dbiel Posted July 17, 2006

First of all, thanks for trying to fix the situation; I realize that it is a real pain. Trying to review a few points to see if we can narrow down the actual source of the problem.

1) Spam has been reported as coming from 209.12.205.10.

2) The following is a portion of the header you posted previously which indicates to me something that you should try to fix to be better able to track messages back to their actual source:

Received: from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400
Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600
Date: Mon, 17 Jul 2006 09:02:44 -0600
From: xxxx <xxxx[at]cpa-ws.com>
Subject: test

It will have no effect on being listed or not, but will make it easier for you to find out where it is coming from. hrndva-mx-07.mgw.rr.com received the message from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]). But where did your server get the message from? "Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600" does not really tell you much.

Next, a set of questions which may seem obvious but could lead to wrong answers based on specific assumptions. The Exchange server using IP address 209.12.205.10 is running on what computer? Specifically, are any other services running on that computer and using the same IP address? Does the computer running Exchange have more than one external routable IP address that could allow for access to the computer by a hacker without going through Exchange first? Or put another way, are there any backdoors to the computer that is running Exchange?
sesblacklisted (Author) Posted July 18, 2006

> First of all, thanks for trying to fix the situation; I realize that it is a real pain.

And thank you for your understanding.

> 2) The following is a portion of the header you posted previously which indicates to me something that you should try to fix to be better able to track messages back to their actual source. It will have no effect on being listed or not, but will make it easier for you to find out where it is coming from. hrndva-mx-07.mgw.rr.com received the message from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]). But where did your server get the message from? "Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600" does not really tell you much.

Yes, I agree that it doesn't tell you much, which is why I really didn't post my messages to begin with. What steps do I need to take to get more information?

> The Exchange server using IP address 209.12.205.10 is running on what computer? Specifically, are any other services running on that computer and using the same IP address? Does the computer running Exchange have more than one external routable IP address that could allow for access to the computer by a hacker without going through Exchange first? Or put another way, are there any backdoors to the computer that is running Exchange?

It is being run on Server1, the name of the computer. We only have 1 external routable IP address. I really don't think there is a backdoor to the computer running Exchange.
Telarin Posted July 18, 2006

As far as I know, there is no way to get Exchange to stamp the "source" computer's IP in the header. You should however be able to find this in your logs... If we look back at the spam header sample I posted, we can search for a number of the values listed. I would recommend doing a search of your log files for the subject "Our store is your cureall!". The Exchange logs should be located in c:\program files\exchsrvr\logging\server1.log; they are plain text files. I find the easiest way to search through a batch of them is to CD to that directory in a command prompt and enter the following command:

find /i "Our store is your" *.log > results.txt

This will create a file called results.txt with all the messages containing this subject. Post the trimmed contents of this file here, and I will try to go through it in more detail. If this subject does not show up anywhere in those log files, then either the logs don't go back far enough and we will have to get a fresh header sample from Ellen, or the logs are being modified after the fact.
sesblacklisted (Author) Posted July 18, 2006

Here is one of the results from your instructions:

2006-7-11 8:15:30 GMT 87.7.146.32 friend - SERVER1 192.168.1.1 xxxxxx[at]cpa-ws.com 1024 <000001c6a4c1$6a8e6c80$0100007f[at]j6w6h1>
From: "Simon" <john[at]e-zone-defense.biz>
To: <xxxx[at]cpa-ws.com>
Subject: Our store is your cureall!
Date: Tue, 11 Jul 2006 10:10:05 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="------------ms000808020300060500090702"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.
--------------ms000808020300060500090702
Content-Type: multipart/alternative; boundary="------------ms020802090404080207020508"
--------------ms020802090404080207020508
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
--------------ms020802090404080207020508
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//D

All I find are messages received from spammers to one of the mailboxes on our Exchange; I don't see messages being sent that have that subject.
Telarin Posted July 19, 2006

I think at this point we may have a problem because we are working with old data. Email Ellen (deputies[at]admin.spamcop.net) and see if you can get a fresh set of headers from her. The one I posted is well over a month old now, so may not even be in those files anymore.
sesblacklisted (Author) Posted July 19, 2006

> I think at this point we may have a problem because we are working with old data. Email Ellen (deputies[at]admin.spamcop.net) and see if you can get a fresh set of headers from her. The one I posted is well over a month old now, so may not even be in those files anymore.

I emailed Ellen a few days ago and got this:

Partial headers from a spamtrap:
Received: from friend (mail.cpa-ws.com [209.12.205.10]) [trap servername] (Postfix) with ESMTP id x for <x>; Sat, 15 Jul 2006 22:xx:xx +0000 (GMT)
Subject: Products that can improve you life!
Ellen
SpamCop

I looked through the logs and found nothing on "products that can improve".
dbiel Posted July 19, 2006

> I emailed Ellen a few days ago and got this: Partial headers from a spamtrap: Received: from friend (mail.cpa-ws.com [209.12.205.10]) [trap servername] (Postfix) with ESMTP id x for <x>; Sat, 15 Jul 2006 22:xx:xx +0000 (GMT) Subject: Products that can improve you life!

So what is the result of your log search based on this new data (Subject: Products that can improve you life!), using the posted time stamp as the starting place in the log and checking forwards and backwards from that starting point? If nothing is found in the logs, then try setting up a firewall between (mail.cpa-ws.com [209.12.205.10]) and the internet and trap anything containing that data stream. The simple fact is that there is still spam coming from your server going to spamtraps that needs to be stopped, and you need to find the source before you can stop it.
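The two checks the thread keeps coming back to (Telarin's X-MimeOLE version comparison and dbiel's question of which host actually handed the message to the remote MX) can be run mechanically over a message's Received chain. The script below is an added example, not code from the thread or from any participant: it parses each Received header, reports the HELO name presented by the hop that came from 209.12.205.10, and flags a message that carries no hop through the Exchange server. The two sample messages are constructed from headers quoted above (addresses munged, spam sender replaced by a placeholder); the expected HELO name and MimeOLE version are assumptions taken from the legitimate test messages posted here.

```python
"""Header triage for the question this thread keeps circling: did a message
that reached a remote MX from 209.12.205.10 pass through the Exchange server,
or did another host behind the same public IP deliver it direct-to-MX?
Added example, not code from the thread. Values below are assumptions taken
from the test messages quoted in the thread."""
import re
from email import message_from_string
from typing import Dict, List, Optional

OUR_PUBLIC_IP = "209.12.205.10"               # the listed address
EXCHANGE_HOST = "server1.cpa-ws.internal"     # HELO name the real server presents
EXCHANGE_MIMEOLE = "V6.00.3790.1830"          # X-MimeOLE seen on genuine test mail

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_IN_PARENS_RE = re.compile(r"\(HELO\s+([^\s)]+)\)|\bhelo=([^\s)]+)", re.I)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Extract HELO name, peer IP and receiving host from one Received header.

    Covers the three layouts quoted in the thread:
      Postfix/sendmail:  from HELO (rdns [ip]) by ...
      Exim:              from rdns ([ip] helo=HELO) by ...
      rr.com MX:         from rdns (HELO name) ([ip]) by ...
    """
    value = " ".join(value.split())  # unfold continuation lines
    m = HELO_IN_PARENS_RE.search(value)
    if m:
        helo = m.group(1) or m.group(2)
    else:
        m = FROM_RE.match(value)     # first token after "from" is the HELO
        helo = m.group(1) if m else None
    ip = IP_RE.search(value)
    by = BY_RE.search(value)
    return {"helo": helo, "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None}


def assess(raw: str) -> List[str]:
    """Return findings for one raw message; an empty list means the headers are
    consistent with submission through the Exchange server."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []

    # 1. Which HELO did the hop from our public IP present to the outside MX?
    #    Exchange announces its own host name; a NATed PC speaking direct-to-MX
    #    through the same public IP announces whatever its own stack chooses.
    from_us = [h for h in hops if h["ip"] == OUR_PUBLIC_IP]
    if not from_us:
        findings.append(f"no Received hop from {OUR_PUBLIC_IP}")
    for h in from_us:
        if (h["helo"] or "").lower() != EXCHANGE_HOST:
            findings.append(f"hop from {OUR_PUBLIC_IP} announced HELO {h['helo']!r}, "
                            f"not {EXCHANGE_HOST}: sent by a host behind the same "
                            "public IP, not by the Exchange server")

    # 2. Everything Exchange handles carries its internal 'mail pickup service'
    #    hop (see the test messages quoted in the thread); a direct-to-MX
    #    message has no such line.
    if not any((h["by"] or "").lower() == EXCHANGE_HOST for h in hops):
        findings.append(f"no 'by {EXCHANGE_HOST}' hop: Exchange never saw this message")

    # 3. Telarin's X-MimeOLE comparison (forgeable, so only a supporting signal).
    mimeole = msg.get("X-MimeOLE", "")
    if mimeole and EXCHANGE_MIMEOLE not in mimeole:
        findings.append(f"X-MimeOLE {mimeole.split()[-1]} differs from the server's "
                        f"{EXCHANGE_MIMEOLE}")
    return findings


# Constructed samples, abbreviated from headers quoted in this thread
# (addresses munged, the spam sender replaced by a placeholder).
LEGIT_TEST_MESSAGE = """\
Received: from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10])
 by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400
Received: from mail pickup service by server1.cpa-ws.internal with Microsoft
 SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600
From: xxxx <xxxx@cpa-ws.com>
Subject: test
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

test
"""

SPAMTRAP_COPY = """\
Received: from friend (mail.cpa-ws.com [209.12.205.10]) by trap.example.invalid
 (Postfix) with ESMTP id x for <x>; Sat, 15 Jul 2006 22:00:00 +0000 (GMT)
From: "Simon" <sender@example.invalid>
Subject: Products that can improve you life!
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

body
"""

if __name__ == "__main__":
    for label, raw in (("legit test", LEGIT_TEST_MESSAGE), ("spamtrap copy", SPAMTRAP_COPY)):
        print(label, "->", assess(raw) or ["consistent with Exchange submission"])
```

On the spamtrap copy all three findings fire (HELO "friend", no Exchange hop, older MimeOLE), which is the pattern of a LAN host delivering direct-to-MX through the shared public IP; that is the traffic the port-25 firewall restriction suggested earlier in the thread would block and log.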