Help please


mpope


Posted

I am consulting for a company that has been added to the SpamCop BL. The address is 24.123.103.228 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through Time Warner and AT&T. The BL was listed 16 hours ago according to SpamCop, though I have received no notification that I am aware of. I actually found out when client email started bouncing (it's a law office). Anyway, according to the person I emailed at SpamCop, it was phishing emails passing through our server. We sit behind a decent firewall and, as far as I can find, have no open relays.

This was the reason given:

Phish mails:

Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO WGEX.domain.com) (24.123.103.228)
  [trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000
Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830);
  Thu, 26 Oct 2006 07:xx:xx -0500
Subject: Update your online banking account information.

The 24.108.64.181 traces to the nameserver at iil.com, which according to ARIN is in Canada. I'm rather stumped; in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for? BTW, I am running Exchange 2003.

Hope I've provided enough info.

Posted
"I am running exchange 2003"

Then please go directly to this FAQ page and follow its advice:

http://www.spamcop.net/fom-serve/cache/372.html

Also, since the traffic from that IP has been hitting secret spam trap addresses, you *might* also have a problem with misdirected non-delivery reports. Here's a link to the MS page about that:

http://support.microsoft.com/default.aspx?...kb;en-us;294757

Once you've seen the info there, report back here about whether those issues might be involved with your situation.

DT

Posted

Thanks for the quick response, I'll start digging through that now. Figures things would go bad the week my boss leaves town. :)

Posted

Received: from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830);
  Thu, 26 Oct 2006 07:xx:xx -0500

That Received line is similar enough to my Exchange 2003 relay line that it is possible. Alpha1 below is in my allowed relay list.

Received: from alpha1.kopin.com ([192.168.1.62]) by owa.kopin.com with Microsoft SMTPSVC(6.0.3790.1830);
  Fri, 27 Oct 2006 07:22:03 -0400

Have you checked your relaying rules?

Exchange System Manager

Drill down through Administrative Groups, First Administrative Group, Servers, SERVERNAME, Protocols, SMTP.

Open properties of: Default SMTP Virtual Server

Access Tab, Relay button.

See what the settings are there.

It looks like you do reject, at least for nonexistent addresses. You do allow external AUTH, however, so if there are no open relay IPs, you may have a cracked username/password. I assume you can get who AUTH'd by searching the logs for that message.

220 WGEX.domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 27 Oct 2006 18:36:18 -0500
ehlo underwood.spamcop.net
250-WGEX.domain.com Hello [66.168.115.246]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: <underwood[at]spamcop.net>
250 2.1.0 underwood[at]spamcop.net....Sender OK
rcpt to: <12345tester67890[at]whitegoss.com>
550 5.1.1 User unknown
rcpt to: <12345tester67890[at]
501 5.5.4 Invalid Address
quit
221 2.0.0 WGEX.domain.com Service closing transmission channel

Connection to host lost.

C:\>
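As an added example (not from this thread or from SpamCop), the check described above in code: find the hop in the quoted Received headers where an external client handed the message to WGEX.domain.com, then look up which account authenticated from that client IP in the server's SMTP protocol log. The log lines are constructed, and the W3C field subset used is an assumption about the Exchange 2003 SMTP log format.

```python
import re
from ipaddress import ip_address

OUR_HOST = "WGEX.domain.com"  # the relaying server named in the thread

# Received headers as quoted in the SpamCop report, newest hop first
RECEIVED = [
    "from rrcs-24-123-103-228.central.biz.rr.com (HELO WGEX.domain.com) (24.123.103.228) "
    "[trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000",
    "from User ([24.108.64.181]) by WGEX.domain.com with Microsoft SMTPSVC(6.0.3790.1830); "
    "Thu, 26 Oct 2006 07:xx:xx -0500",
]

# Constructed SMTP protocol log (W3C style; field names are an assumption)
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2006-10-26 12:01:03 24.108.64.181 - WGEX EHLO +User 250
2006-10-26 12:01:04 24.108.64.181 WGEX\\jsmith WGEX AUTH - 235
2006-10-26 12:01:05 24.108.64.181 WGEX\\jsmith WGEX MAIL +FROM:<alerts@bank.example> 250
2006-10-26 12:01:06 24.108.64.181 WGEX\\jsmith WGEX RCPT +TO:<victim@example.net> 250
2006-10-26 12:01:07 192.168.1.62 - WGEX MAIL +FROM:<staff@whitegoss.com> 250
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def injection_hop(received):
    """Client IP of the hop that handed the message to OUR_HOST, if it is not an internal address."""
    for hop in received:
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", hop)
        if not m or m.group(2).lower() != OUR_HOST.lower():
            continue  # not a hop our server accepted
        ips = IP_RE.findall(m.group(1))
        if ips and not ip_address(ips[0]).is_private:
            return ips[0]  # external client injected the mail here
    return None

def parse_w3c(text):
    """Turn '#Fields:'-described log lines into dicts keyed by field name."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def authenticated_users(rows, client_ip):
    """Accounts that AUTH'd from client_ip: the credential to reset if it was cracked."""
    return sorted({r["cs-username"] for r in rows
                   if r["c-ip"] == client_ip and r["cs-username"] != "-"})

if __name__ == "__main__":
    ip = injection_hop(RECEIVED)
    print(ip, authenticated_users(parse_w3c(SMTP_LOG), ip))
```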
