mpope
Posted October 27, 2006

I am consulting for a company that has been added to the SpamCop bl. The address is 22.214.171.124 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through Time Warner and AT&T. The bl was listed 16 hours ago according to SpamCop, though I have received no notification that I am aware of. I actually found out when client email started bouncing (it's a law office). Anyway, according to the person I emailed at SpamCop, it was phishing emails passing through our server. We sit behind a decent firewall and as far as I can find have no open relays. This was the reason given:

Phish mails:
Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO WGEX.domain.com) (126.96.36.199) [trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000
Received: from User ([188.8.131.52]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 26 Oct 2006 07:xx:xx -0500
Subject: Update your online banking account information.

The 184.108.40.206 traces to the nameserver at iil.com, which is, according to ARIN, in Canada. I'm rather stumped; in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for? BTW, I am running Exchange 2003. Hope I've provided enough info.