Jump to content

Help please


mpope
 Share

Recommended Posts

I am consulting for a company that has been added to the spamcop bl. The address is 24.123.103.228 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through time warner and at&t. The bl was listed 16 hours ago according to spam cop though I have recieved no notification that I am aware of. I actually found out when client email started bouncing (its a law office). Anyway according the person I emailed at spamcop it was phishing emails passing through our server. We sit behind a decent firewall and as far as I can find have no open relay's.

This was the reason given:

Phish mails:

Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO

WGEX.domain.com) (24.123.103.228)

[trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000

Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft

SMTPSVC(6.0.3790.1830);

Thu, 26 Oct 2006 07:xx:xx -0500

Subject: Update your online banking account information.

The 24.108.64.181 traces to the nameserver at iil.com which is according to arin in Canada. Im rather stumped, in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for. BTW I am running exchange 2003.

Hope i've provided enough info.

Link to comment
Share on other sites

I am running exchange 2003

then please go directly to this FAQ page and follow its advice:

http://www.spamcop.net/fom-serve/cache/372.html

Also, since the traffic from that IP has been hitting secret spam trap addresses, you *might* also have a problem with misdirected non-delivery reports. Here's a link to the MS page about that:

http://support.microsoft.com/default.aspx?...kb;en-us;294757

Once you've seen the info there, report back here about whether those issues might be involved with your situation.

DT

Edited by DavidT
Link to comment
Share on other sites

Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft

SMTPSVC(6.0.3790.1830);

Thu, 26 Oct 2006 07:xx:xx -0500

The received line is similiar to my Exchange 2003 relay line that it is possible. Alpha1 below is in my allowed relay list.

Received: from alpha1.kopin.com ([192.168.1.62]) by owa.kopin.com with Microsoft SMTPSVC(6.0.3790.1830);

Fri, 27 Oct 2006 07:22:03 -0400

Have you checked to see your relaying rules?

Exchange System Manager

Drill down through Administrative Groups, First Administrative Group, Servers, SERVERNAME, Protocols, SMTP.

Open properties of: Default SMTP Virtual Server

Access Tab, Relay button.

See what the settings are there.

It looks like you do reject, at least for nonexistent addresses. You do allow external AUTH, however, so if there are no open relay IPs, you may have a cracked username/password. I assume you can get who AUTH'd by searching the logs for that message.

220 WGEX.domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 27 Oct 2006 18:36:18 -0500
ehlo underwood.spamcop.net
250-WGEX.domain.com Hello [66.168.115.246]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: <underwood[at]spamcop.net>
250 2.1.0 underwood[at]spamcop.net....Sender OK
rcpt to: <12345tester67890[at]whitegoss.com>
550 5.1.1 User unknown
rcpt to: <12345tester67890[at]
501 5.5.4 Invalid Address
quit
221 2.0.0 WGEX.domain.com Service closing transmission channel


Connection to host lost.

C:\>

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...