mpope Posted October 27, 2006
I am consulting for a company that has been added to the SpamCop BL. The address is 24.123.103.228 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through Time Warner and AT&T. The BL was listed 16 hours ago according to SpamCop, though I have received no notification that I am aware of. I actually found out when client email started bouncing (it's a law office). Anyway, according to the person I emailed at SpamCop it was phishing emails passing through our server. We sit behind a decent firewall and as far as I can find have no open relays. This was the reason given:

Phish mails:
Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO WGEX.domain.com) (24.123.103.228) [trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000
Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 26 Oct 2006 07:xx:xx -0500
Subject: Update your online banking account information.

The 24.108.64.181 traces to the nameserver at iil.com, which according to ARIN is in Canada. I'm rather stumped; in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for? BTW I am running Exchange 2003. Hope I've provided enough info.
DavidT Posted October 27, 2006
"I am running exchange 2003" - then please go directly to this FAQ page and follow its advice: http://www.spamcop.net/fom-serve/cache/372.html
Also, since the traffic from that IP has been hitting secret spam trap addresses, you *might* also have a problem with misdirected non-delivery reports. Here's a link to the MS page about that: http://support.microsoft.com/default.aspx?...kb;en-us;294757
Once you've seen the info there, report back here about whether those issues might be involved with your situation.
DT
mpope (Author) Posted October 27, 2006
Thanks for the quick response, I'll start digging through that now. Figures things would go bad the week my boss leaves town.
StevenUnderwood Posted October 27, 2006
"Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 26 Oct 2006 07:xx:xx -0500"
The received line is similar enough to my Exchange 2003 relay line that it is possible. Alpha1 below is in my allowed relay list.
Received: from alpha1.kopin.com ([192.168.1.62]) by owa.kopin.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 27 Oct 2006 07:22:03 -0400
Have you checked to see your relaying rules?
Exchange System Manager
Drill down through Administrative Groups, First Administrative Group, Servers, SERVERNAME, Protocols, SMTP.
Open properties of: Default SMTP Virtual Server
Access Tab, Relay button.
See what the settings are there.
It looks like you do reject, at least for nonexistent addresses. You do allow external AUTH, however, so if there are no open relay IPs, you may have a cracked username/password. I assume you can get who AUTH'd by searching the logs for that message.
220 WGEX.domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 27 Oct 2006 18:36:18 -0500
ehlo underwood.spamcop.net
250-WGEX.domain.com Hello [66.168.115.246]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: <underwood[at]spamcop.net>
250 2.1.0 underwood[at]spamcop.net....Sender OK
rcpt to: <12345tester67890[at]whitegoss.com>
550 5.1.1 User unknown
rcpt to: <12345tester67890[at]
501 5.5.4 Invalid Address
quit
221 2.0.0 WGEX.domain.com Service closing transmission channel
Connection to host lost.
C:\>
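As an added example (not code from anyone in this thread), a small Python script that walks the Received chain the way Steven describes: it finds the hop where your Exchange server accepted the message and checks whether the submitting client was an approved relay source. The server name `wgex.domain.com`, the `192.168.1.0/24` allowlist and the trap-server placeholder in the sample are assumptions.

```python
import re
import ipaddress

# Constructed sample: the two Received lines quoted in the thread, with the
# redacted trap server name and timestamps replaced by placeholders.
SAMPLE_HEADERS = """\
Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO WGEX.domain.com) (24.123.103.228)
  by trap.example.net with SMTP; 27 Oct 2006 05:00:00 -0000
Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830);
  Thu, 26 Oct 2006 07:00:00 -0500
Subject: Update your online banking account information.
"""

# Assumptions: the "by" name your Exchange server stamps on mail it accepts,
# and a constructed relay allowlist (covers the 192.168.1.x host in Steven's example).
OUR_SERVER = "wgex.domain.com"
ALLOWED_RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(headers):
    """Join folded header continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def parse_received(headers):
    """Return hops newest-first as (helo_name, client_ip, receiving_host)."""
    hops = []
    for line in unfold(headers).splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ips = IP_RE.findall(m.group("helo") + " " + m.group("rest"))
        ip = ips[-1] if ips else None   # last IP before "by" is what the MTA saw
        hops.append((m.group("helo"), ip, m.group("by").rstrip(";").lower()))
    return hops

def find_injection(headers):
    """Find the hop where OUR server accepted the message and classify the client."""
    for helo, ip, by in parse_received(headers):
        if by != OUR_SERVER or ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        allowed = any(addr in net for net in ALLOWED_RELAY_NETS)
        # A public, non-allowlisted client handing mail to your server means either
        # an open relay or a submission that authenticated (possibly with stolen creds).
        return {"helo": helo, "client_ip": ip, "allowed_relay": allowed,
                "suspect": addr.is_global and not allowed}
    return None
```

On the thread's headers this flags 24.108.64.181 as a suspect submission, which points at the AUTH logs for that message rather than at the relay list.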