idesign Posted November 23, 2006
Happy Thanksgiving! I am the server administrator for a small hosting company and recently our server, 66.135.33.231, has been listed on SpamCop's blacklist several times over the last couple weeks. I have taken several steps to secure the mail server, running MailEnable software, but I am still seeing spam sent out and we are still getting listed. I believe the problem is a trojan sending out mail but was looking for any other info or advice the community can provide. My reason to believe it is a trojan is because sample spam I am seeing sent is not coming from any customers on the server and I can't find a history of it in the SMTP activity logs. I am using SPF, relays are closed, Reverse DNS lookups, and authenticated senders must be sending from a valid domain. The amount of junk mail coming from the server has been greatly reduced but I am still having problems being listed... I am in the process of changing passwords and setting up a firewall (I know a firewall should have always been there... I am new to this and trying my best to learn). Any other advice or suggestions are greatly appreciated. I fully support what SpamCop is doing and I hate that I may inadvertently be contributing to spam!!!! Thanks in advance! Neal - idesign
petzl Posted November 23, 2006
Quoting idesign: Happy Thanksgiving! I am the server administrator for a small hosting company and recently our server, 66.135.33.231, has been listed on SpamCop's blacklist several times over the last couple weeks. Thanks in advance! Neal - idesign
501 Your domain does not seem to be valid. Could not find MX record for your domain
Your server (if not infected) is not stamping the IP source from where the email came http://www.spamcop.net/sc?id=z1087964718z8...c974068e18a468z IP 211.27.248.13 is my computer. If an email server is competently set-up SpamCop will only block the source computer, not an email server after it. Your server is bouncing (joe jobbing email addresses) to SpamCop Spamtraps which are better than bank security to guess. Spam samples reported from/through your email server:
Submitted: Tuesday, 21 November 2006 2:01:58 AM +1100: [***spam*** Score/Req: 11.3/8.0] Poised to Make a Big Move?,Michael Miller
2027177523 ( 66.135.33.231 ) To: spamcop[at]imaphost.com
2027177497 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com
--------------------------------------------------------------------------------
Submitted: Sunday, 19 November 2006 9:54:42 PM +1100: Squawk Box Stock Alert,MICHIO TAMAKI
2025169400 ( 66.135.33.231 ) To: spamcop[at]imaphost.com
2025169345 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com
--------------------------------------------------------------------------------
Submitted: Sunday, 19 November 2006 10:36:14 AM +1100: Stock Player Emerging Equity Report,Marian Nardini
2024420685 ( 66.135.33.231 ) To: abusespamcop[at]tickets.serverbeach.com
idesign Posted November 23, 2006 (Author)
Thanks for the quick reply. A couple questions regarding your post... What does the 501 error refer to? I do have MX records for the valid domains set up on the server. What domain did you check that returned that error? You also mentioned that my server, if not infected, is not properly stamping the source URL where the email came from. I believe that the proper settings are in place to track the referring URL. How can I test this? Also, I searched the SMTP log for Nov. 21st, I looked for the address [at] imaphost.com and there is no record of any message being sent to that address. To me that means I am probably infected... Is that a safe assumption? Sorry if these questions seem basic... Trying to learn and take the best approach to fix the issue. Neal - idesign.
Derek T Posted November 23, 2006
Might help if we knew what type (and version) of server you are using. There are FAQs here about the SMTP/AUTH hack. Does your server stamp the IP of the originating computer in the headers? If so, the SpamCop algorithm will list that IP rather than your mailserver.
StevenUnderwood Posted November 23, 2006
Quoting idesign: Also, I searched the SMTP log for Nov. 21st, I looked for the address [at] imaphost.com and there is no record of any message being sent to that address. To me that means I am probably infected... Is that a safe assumption?
No, not a safe assumption. The addresses listed are the addresses that reports went to. To get more information on those reports, you should contact the people at: abusespamcop[at]tickets.serverbeach.com
petzl Posted November 24, 2006
Quoting idesign: What does the 501 error refer to? I do have MX records for the valid domains set up on the server. What domain did you check that returned that error? You also mentioned that my server, if not infected, is not properly stamping the source URL where the email came from. I believe that the proper settings are in place to track the referring URL. How can I test this? Also, I searched the SMTP log for Nov. 21st, I looked for the address [at] imaphost.com and there is no record of any message being sent to that address. To me that means I am probably infected... Is that a safe assumption?
(1) Just checked your email server to see if it was OPEN (it is secure). However a warning was "501 Your domain does not seem to be valid. Could not find MX record for your domain". I believe this means the/an IP can/maybe be "spoofed".
(2) Send yourself an email to Hotmail (free throw-away account) and look.
(3) Can you have Symantec check that IP for both virus and trojan? It's free.
(4) You need to look for SUBJECT. IMAP [at] is where SpamCop sends secondary reports (secondary reports often are then used to contact criminal agencies). Look for SUBJECTS such as "Poised to Make a Big Move?,Michael Miller" and "Squawk Box Stock Alert,MICHIO TAMAKI". You can also contact "abusespamcop[at]tickets.serverbeach.com"
idesign Posted November 27, 2006 (Author)
Quoting petzl: (1) Just checked your email server to see if it was OPEN (it is secure). However a warning was "501 Your domain does not seem to be valid. Could not find MX record for your domain". I believe this means the/an IP can/maybe be "spoofed". (2) Send yourself an email to Hotmail (free throw-away account) and look. (3) Can you have Symantec check that IP for both virus and trojan? It's free. (4) You need to look for SUBJECT. IMAP [at] is where SpamCop sends secondary reports (secondary reports often are then used to contact criminal agencies). Look for SUBJECTS such as "Poised to Make a Big Move?,Michael Miller" and "Squawk Box Stock Alert,MICHIO TAMAKI". You can also contact "abusespamcop[at]tickets.serverbeach.com"
Thank you for the advice so far. Unfortunately, my Thanksgiving holiday and supposed "break" has been spent trying to solve my IP spam issues and I don't think I'm making much headway... Here is what I have done in the last few days, but it doesn't look like it has been much help. Any more advice is GREATLY appreciated...
1. As suggested, I have sent myself a message to Hotmail, and all headers are included below. From what I can tell the server is stamping the IPs correctly.
From : <nstclair[at]idesignbusiness.com>
Sent : Friday, November 24, 2006 11:39 AM
To : <nstclair78[at]hotmail.com>
Subject : Email Test
MIME-Version: 1.0
Received: from mail.idesignbusiness.com ([66.135.33.231]) by bay0-mc10-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 24 Nov 2006 11:43:51 -0800
Received: from 71.130.213.4 ([71.130.213.4]) by idesignbusiness.com with MailEnable WebMail; Fri, 24 Nov 2006 11:39:28 -0800
X-Message-Info: txF49lGdW43OLNgW/qhd6jSTprYU8Ia6MpJKPFkiY2A=
X-Mailer: MailEnable Web Mail 1.1
X-Read: 0
Return-Path: nstclair[at]idesignbusiness.com
X-OriginalArrivalTime: 24 Nov 2006 19:43:51.0440 (UTC) FILETIME=[DE071900:01C71000]
2. I ran a full system scan using the Symantec link above. It did find a couple viruses, specifically, Hackbox, and the two infected files were deleted from the system. That was the only thing found.
3. I did receive an email from abusespamcop[at]tickets.serverbeach.com and I have included the headers of one of the spam emails below:
[ Offending message ]
Return-path: <wjxyex[at]midwayproducts.com>
Envelope-to: x
Delivery-date: Sun, 26 Nov 2006 17:25:04 -0800
Received: from avcon2 by corvus.lunarpages.com with local-bsmtp (Exim 4.52) id 1GoVEy-0000Kk-RB for x; Sun, 26 Nov 2006 17:25:04 -0800
X-spam-Flag: YES
X-spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on corvus.lunarpages.com
X-spam-Level: ********
X-spam-Status: Yes, score=8.8 required=7.5 tests=BAYES_99,INVESTMENT_ADVICE, RCVD_IN_BL_SPAMCOP_NET,UNPARSEABLE_RELAY autolearn=no version=3.1.7
X-spam-Report:
 * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
 * lines
 * 3.7 INVESTMENT_ADVICE BODY: Message mentions investment advice
 * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 * [score: 1.0000]
 * 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 * [blocked - see <http://www.spamcop.net/bl.shtml?66.135.33.231>]
Received: from [66.135.33.231] (helo=idesignbusiness.com) by corvus.lunarpages.com with smtp (Exim 4.52) id 1GoVEy-0000Ka-Et for x; Sun, 26 Nov 2006 17:25:00 -0800
Received: from root by idesignbusiness.com (Postfix) with SMTP id T3vIOhYQOwtM for <x>; Sun, 26 Nov 2006 17:19:05 -0800
X-BrightmailFiltered: true
X-Brightmail-Tracker:DJKSD==
X-IronPort-AV:i="1.43,321,2118149489"; d="scan'219"; a="3728321:sNHT843912823"
Message-ID: <05Jb________________________LVG1[at]midwayproducts.com>
From: chad a wilson <wjxyex[at]midwayproducts.com>
To: convert <x>
Subject: [j_100] *****spam***** The SmallCapInvestor,Mr Geoff Smith
Date: Sun, 26 Nov 2006 17:09:22 -0800
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-AIMC-AUTH: wjxyex
X-AIMC-MAILFROM: wjxyex[at]midwayproducts.com
X-spam-Prev-Subject: The SmallCapInvestor,Mr Geoff Smith
4. I am running MailEnable Pro on a Windows 2000 Server and today I installed MEFilters which is their advanced filtering software. The filters I am using include:
- spam Filter - Stopping messages with specific phrases found in the subject and body
- SPF Filter - I am stopping all messages with a "NONE" SPF, Soft Fail, or Fail SPF
- Authentication is Required, Relay is Closed
- Authenticated Senders must send from a valid domain on the server
- Reverse DNS, PTR is enabled
Since I set up the new filters approx. 12 hours ago the spam filter has stopped ~80 messages, SPF ~1200. BUT... with all these actions in place I am repeatedly being listed in SpamCop. It actually has gotten worse in the last couple days, not better... Is it really this hard to stop this malicious action? I have invested so much time in this but I am close to giving up and beginning the arduous process of moving all my client domains to another hosting provider and getting out of this altogether... Any more help or tips out there? Neal
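The SPF filter policy in the post above (reject on NONE, Soft Fail and Fail) is easy to misjudge without seeing the four results side by side. The following is an added example, not code from the thread or from MailEnable: a deliberately simplified SPF evaluator that handles only the `ip4` and `all` mechanisms (the `a`, `mx` and `include` mechanisms need live DNS and are left out), a stand-in record table constructed for the example (the real DNS records are not on the page), and a policy function that maps the result to the accept/reject action the post describes.

```python
import ipaddress

# Stand-in SPF "zone" constructed for this example; the real DNS records are not on the page.
SPF_RECORDS = {
    "idesignbusiness.com": "v=spf1 ip4:66.135.33.231 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nospf.example": None,  # domain that publishes no SPF record at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record against the connecting client's IP.

    Only the 'ip4' and 'all' mechanisms (with their qualifiers) are implemented;
    'a', 'mx' and 'include' require DNS lookups and are skipped in this offline
    example. When no mechanism matches, RFC 4408 makes the result 'neutral'."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism.startswith("ip4:") and ip.version == 4:
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def check_sender(mail_from, client_ip, records=SPF_RECORDS):
    """SPF result for an envelope sender; 'none' when the domain publishes no record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


# The policy the post describes: stop messages whose SPF result is none, softfail or fail.
REJECT_RESULTS = {"none", "softfail", "fail"}


def filter_action(spf_result):
    """Map an SPF result to the filter action. Note that rejecting on 'none'
    turns away every sender whose domain publishes no SPF record at all."""
    return "reject" if spf_result in REJECT_RESULTS else "accept"


if __name__ == "__main__":
    for sender, ip in (("nstclair@idesignbusiness.com", "66.135.33.231"),
                       ("nstclair@idesignbusiness.com", "71.130.213.4"),
                       ("user@softfail.example", "198.51.100.7"),
                       ("user@nospf.example", "203.0.113.5")):
        result = check_sender(sender, ip)
        print(f"{sender} from {ip}: {result} -> {filter_action(result)}")
```

The two `idesignbusiness.com` cases show the intended behaviour of a `-all` record: mail from the server's own address passes, mail claiming that sender from any other address fails. The `nospf.example` case is the one worth watching in the filter logs, since it is rejected purely for the absence of a record rather than for any evidence of forgery.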
Farelf Posted November 27, 2006
Quoting idesign: [ Offending message ] Message-ID: <05Jb________________________LVG1[at]midwayproducts.com> From: chad a wilson <wjxyex[at]midwayproducts.com> Subject: The SmallCapInvestor,Mr Geoff Smith Date: Sun, 26 Nov 2006 17:09:22 -0800...
Hi Neal, you found no trace of the origin of that message? Or the others, subjects of which petzl quoted? Hopefully a server admin will give you some advice next time one wanders past. Yes, it does seem to be getting worse - noting from http://www.dnsstuff.com/tools/ip4r.ch?ip=66.135.33.231 appearance on a number of other blocklists. On the positive side, these provide yet more data for your search for how this stuff is coming from your address - such as http://bl.csma.biz/cgi-bin/listing.cgi?ip=66.135.33.231
Fri Nov 3 22:13:22 2006 Received - New Breed of Stock Trader,Mary Lou Begg
Sat Nov 4 10:54:11 2006 Received - The Bull is Back in Select Small Caps,L M McCarthy
Fri Nov 17 22:09:42 2006 Received - Stock Maven Newsletter,Hussein Dossaji
Sun Nov 19 12:21:08 2006 Received - Addicted to Growth Stocks?,Earl E West jr
Good luck.
agsteele Posted November 27, 2006
Quoting idesign: Is it really this hard to stop this malicious action? I have invested so much time in this but I am close to giving up and beginning the arduous process of moving all my client domains to another hosting provider and getting out of this altogether...
Neal, I can certainly appreciate the frustration you are facing. Earlier in the thread Derek T asked if you would say which software you are using for your mail server. I'd expand that a little. Could you describe how your outgoing email is processed, including telling us which SMTP server you are using for outgoing, including IP addresses where appropriate. A description would help me, at least, to understand how your mail is being distributed. Andrew
petzl Posted November 27, 2006
Quoting idesign: 1. As suggested, I have sent myself a message to Hotmail, and all headers are included below. From what I can tell the server is stamping the IPs correctly.
SpamCop correctly parses this and identifies IP 71.130.213.4 as the source of the message http://www.spamcop.net/sc?id=z1148117337z6...cea34496badbcfz SpamCop would not list your email server.
Quoting idesign: 2. I ran a full system scan using the Symantec link above. It did find a couple viruses, specifically, Hackbox, and the two infected files were deleted from the system. That was the only thing found.
You need to ALSO do the "security scan", not only the virus one.
Quoting idesign: 3. I did receive an email from abusespamcop[at]tickets.serverbeach.com and I have included the headers of one of the spam emails below:
In this case SpamCop identifies the email server as the source http://www.spamcop.net/sc?id=z1148137281z6...b39417c1d559bdz You are probably bouncing email to spamtraps which means you are getting listed on other blocklists. Many companies and ISPs do not disclose their blocklists and just bitbin email.
Quoting idesign: 4. I am running MailEnable Pro on a Windows 2000 Server and today I installed MEFilters which is their advanced filtering software. Since I set up the new filters approx. 12 hours ago the spam filter has stopped ~80 messages, SPF ~1200. Any more help or tips out there? Neal
For starters stop bouncing undeliverable email http://www.spamcop.net/fom-serve/cache/329.html
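The difference petzl points out between the two header sets comes down to how far a parser can walk the Received chain before it hits a hop with no usable source address. The following is an added example, not code from the thread or from SpamCop: a small Received-chain tracer, run over header sets constructed from the two messages posted above (unrelated headers trimmed). It uses a deliberately simplified rule, descend while each hop stamps a public IP and stop at the first that does not; real parsers such as SpamCop's also verify that each hop's "by" host matches the previous hop's "from" host and honour the reporter's configured trusted hosts, which is omitted here.

```python
import ipaddress
import re

# Two header sets constructed from the headers posted in this thread (unrelated headers trimmed).
HOTMAIL_TEST = (
    "Received: from mail.idesignbusiness.com ([66.135.33.231]) by bay0-mc10-f19.bay0.hotmail.com"
    " with Microsoft SMTPSVC(6.0.3790.2444); Fri, 24 Nov 2006 11:43:51 -0800\n"
    "Received: from 71.130.213.4 ([71.130.213.4]) by idesignbusiness.com with MailEnable WebMail;"
    " Fri, 24 Nov 2006 11:39:28 -0800\n"
    "Subject: Email Test\n"
)
SPAM_SAMPLE = (
    "Received: from avcon2 by corvus.lunarpages.com with local-bsmtp (Exim 4.52)"
    " id 1GoVEy-0000Kk-RB for x; Sun, 26 Nov 2006 17:25:04 -0800\n"
    "Received: from [66.135.33.231] (helo=idesignbusiness.com) by corvus.lunarpages.com with smtp"
    " (Exim 4.52) id 1GoVEy-0000Ka-Et for x; Sun, 26 Nov 2006 17:25:00 -0800\n"
    "Received: from root by idesignbusiness.com (Postfix) with SMTP id T3vIOhYQOwtM for <x>;"
    " Sun, 26 Nov 2006 17:19:05 -0800\n"
    "Subject: The SmallCapInvestor,Mr Geoff Smith\n"
)

# Dotted-quad IPv4 literal, not glued to surrounding digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw_headers):
    """Received header values in order of appearance: outermost (latest) hop first."""
    return [
        line.split(":", 1)[1].strip()
        for line in raw_headers.splitlines()
        if line.lower().startswith("received:")
    ]


def hop_source_ip(hop):
    """IP address in the hop's 'from' clause, or None when the hop stamped none.
    A hop like 'from root by idesignbusiness.com (Postfix) with SMTP' is the case
    SpamAssassin's UNPARSEABLE_RELAY rule flagged in the thread."""
    match = re.match(r"from\s+(.+?)\s+by\s+", hop)
    if not match:
        return None
    found = IPV4_RE.search(match.group(1))
    return ipaddress.ip_address(found.group(1)) if found else None


def trace_source(raw_headers):
    """Walk outermost to innermost; return (blamed_ip, explanation).

    Simplified model: keep descending while each hop stamps a public address and
    stop at the first hop that does not. The last public address seen is the one
    a blocklist would attribute the message to."""
    candidate = None
    for hop in received_hops(raw_headers):
        ip = hop_source_ip(hop)
        if ip is None or not ip.is_global:
            if candidate is None:
                continue  # receiver's own internal hop; nothing to attribute yet
            return str(candidate), "next hop stamped no usable source address; chain stops here"
        candidate = ip
    return (str(candidate) if candidate else None), "every hop stamped a public source address"


if __name__ == "__main__":
    for name, raw in (("Hotmail test", HOTMAIL_TEST), ("spam sample", SPAM_SAMPLE)):
        blamed, why = trace_source(raw)
        print(f"{name}: blamed IP {blamed} ({why})")
```

Run against the Hotmail test, the tracer walks through 66.135.33.231 to the MailEnable WebMail hop and ends on 71.130.213.4, the client that submitted the message. Against the spam sample, the innermost hop `from root by idesignbusiness.com (Postfix)` carries no client address, so the walk stops and 66.135.33.231 itself is the best available answer. Whatever process is injecting that mail locally, its trail in the headers ends at the server, which is why the server's own logs (rather than the headers) are where the origin has to be found.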
Merlyn Posted November 27, 2006
Quoting idesign: 4. I am running MailEnable Pro on a Windows 2000 Server and today I installed MEFilters which is their advanced filtering software. Since I set up the new filters approx. 12 hours ago the spam filter has stopped ~80 messages, SPF ~1200. Any more help or tips out there? Neal
He might be blocking it coming in but he is not stopping any from going out. A lot reported just today.