NoseNuggets Posted January 24, 2007
Well, I'll start with the important info.
http://www.spamcop.net/w3m?action=checkblo...p=67.126.57.249
and this one
http://www.senderbase.org/search?searchBy=...g=67.126.57.249
This is one of my clients. I went through all the Exchange logs and found nothing out of the ordinary. This leads me to believe there is some kind of email bot on one of my end users' systems. We (me and the head admin, who is not here and why I'm handling the issue) have deployed Trend Micro's client/server security agent on the server and all the client systems. This software pushes all updates automatically and has served us well in the past. I forced a full system scan on all systems the other day but nothing came up. I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution. Thanks in advance for any support you guys can give me. Oh yeah, I also found this when I googled the IP in question:
------------
==================== Written on: Tue Jan 16 08:01:17 PST 2007 ==========
Received: from 67.126.57.249 by sites.bunnyinc.net (envelope-from [adbgca[at]carma.com.au], uid 88) with qmail-scanne
Received: from mail.hoodexhibits.com (67.126.57.249) by sites.bunnyinc.net with SMTP; 16 Jan 2007 15:49:28 -0000 D
X-spam-Status: Yes, hits=16.3 required=5.0
X-spam-Level: ++++++++++++++++
X-Antivirus-Bunnyinc-Mail-From: adbgca[at]c
From: Nasdaq.com Alert! [adbgca[at]carma.com.au]
X-Mailer: The Bat! (v2.00) UNREG / CD5BF9353B3B7091
Reply-To: adbgca
To: revdeacon[at]the-deacon.com
Subject: --spam-- MHII.OB this is really amazing company that you always dreamt MIME-
Subject: --spam-- MHII.OB this is really amazing company that you always dreamt
MIME-Version: 1.0
Content-Type: te
Date: Tue, 16 Jan 2007 16:57:06 +0480
From: Nasdaq.com Alert! [adbgca[at]carma.com.au]
X-Mailer: The Bat! (v2.00) UNR
Badword was: --spam--
Wazoo Posted January 24, 2007
> Well, I'll start with the important info. http://www.spamcop.net/w3m?action=checkblo...p=67.126.57.249 and this one http://www.senderbase.org/search?searchBy=...g=67.126.57.249
Thanks for that .. but wondering why there wasn't a bit more commentary on those details seen .... The SpamCopDNSBL listing page notes that 'both' spamtrap hits and user-reports are involved. The SenderBase data shows something spewing forth greatly from that IP address.
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.4         14395%
Last 30 days    2.9         350%
Average         2.2
> This is one of my clients. I went through all the Exchange logs and found nothing out of the ordinary. This leads me to believe there is some kind of email bot on one of my end users' systems. We (me and the head admin, who is not here and why I'm handling the issue) have deployed Trend Micro's client/server security agent on the server and all the client systems. This software pushes all updates automatically and has served us well in the past. I forced a full system scan on all systems the other day but nothing came up.
Implication is that the "e-mail server was checked" .... I have no idea what all was checked via the TrendMicro tools, but .... what I do see missing is any mention of a search of a firewall traffic log/report .. or that a firewall even exists .... the point being that from the results you've offered up, you're actually looking for traffic that is not using the e-mail server itself to send the spew, but that server's connection is the one that the (unauthorized) traffic is exiting from.
> I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution.
User-reports would have been sent to:
Parsing input: 67.126.57.249
host 67.126.57.249 = mail.hoodexhibits.com (cached)
host 67.126.57.249 = mail.hoodexhibits.com (cached) [report history]
Routing details for 67.126.57.249 [refresh/show]
Cached whois for 67.126.57.249 : abuse[at]sbcglobal.net
Using best contacts abuse[at]prodigy.net
Personally, not happy with that set of results, so did a Refresh on that table ... oddly, didn't actually change ... Anyway, some data available at this point;
Report History:
Submitted: Thursday, January 18, 2007 7:02:25 PM -0600: U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela ... 2105462337 ( 67.126.57.249 ) To: abuse[at]prodigy.net (known Subject line of the recent 'Storm Worm')
Submitted: Thursday, January 18, 2007 10:30:47 AM -0600: Hurry do not let yourself to miss this incredible offer. 2104883890 ( 67.126.57.249 ) To: abuse[at]prodigy.net
Submitted: Wednesday, January 17, 2007 2:56:44 AM -0600: Join MHII.OB (MARSHALL HOLDINGS INTERNATIONAL) favorable conditions and real ... 2103230340 ( 67.126.57.249 ) To: abuse[at]prodigy.net
Submitted: Tuesday, January 16, 2007 5:35:13 PM -0600: We have the most lowest and favorable prices join MHII.OB 2102746966 ( 67.126.57.249 ) To: abuse[at]prodigy.net
news.admin.net-abuse.sightings show a posting from yesterday at http://groups.google.com/group/news.admin....5a9ff99c1384a8b
NoseNuggets (Author) Posted January 24, 2007
Thank you very, very much for the reply. We do have a firewall and other security measures in place as far as I know, but not being the lead admin I don't have information for those devices readily available to me. What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system. I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.
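An added example (not code from anyone in this thread) of the check Wazoo describes and the one NoseNuggets ended up doing by hand with Ethereal: go through the firewall's outbound-connection log and flag any LAN host other than the mail server that opens a burst of TCP/25 connections. It assumes a generic key=value log format, a constructed sample, and 192.168.1.2 as the Exchange server's address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Exchange server is the only host allowed to open outbound TCP/25.
MAIL_SERVER = "192.168.1.2"

# Constructed sample lines in a generic key=value firewall-log shape (not from the thread); destinations use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
2007-01-16 07:59:58 src=192.168.1.2 dst=203.0.113.10 dport=25 action=allow
2007-01-16 07:59:59 src=192.168.1.10 dst=203.0.113.80 dport=80 action=allow
2007-01-16 08:00:01 src=192.168.1.57 dst=203.0.113.11 dport=25 action=allow
2007-01-16 08:00:01 src=192.168.1.57 dst=203.0.113.12 dport=25 action=allow
2007-01-16 08:00:02 src=192.168.1.57 dst=203.0.113.13 dport=25 action=allow
2007-01-16 08:00:03 src=192.168.1.57 dst=203.0.113.14 dport=25 action=allow
2007-01-16 08:00:04 src=192.168.1.57 dst=203.0.113.15 dport=25 action=allow
2007-01-16 08:00:30 src=192.168.1.10 dst=203.0.113.10 dport=25 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_smtp_events(text):
    """Return (timestamp, src, dst) tuples for connections to TCP/25 only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dport") == "25":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst")))
    return events

def find_spew_sources(events, mail_server=MAIL_SERVER,
                      window=timedelta(seconds=15), threshold=5):
    """Map each host other than the mail server to its peak TCP/25 connection
    count in any sliding window; keep only hosts at or above the threshold."""
    times_by_src = defaultdict(list)
    for ts, src, _dst in events:
        if src != mail_server:
            times_by_src[src].append(ts)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale connections
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

On the constructed sample the only host flagged is 192.168.1.57, which opened five SMTP connections in four seconds; the single connection from 192.168.1.10 stays below the threshold. Tune the window and threshold to the site's normal traffic, since the thread's infected box was sending around 100 in 15 seconds.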
turetzsr Posted January 25, 2007
> <snip> What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system. I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.
...On behalf of internet and e-mail users everywhere -- thank you!! <big g>
NoseNuggets (Author) Posted January 25, 2007
Y'all are a distant second to making my client happy, lol, which includes removing their entire friggin' domain from a couple of web blacklists. But you're welcome nonetheless.
Farelf Posted January 25, 2007
> ...On behalf of internet and e-mail users everywhere -- thank you!! <big g>
Seconded!
> ...What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system. I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.
Good work NoseNuggets - and it seems like your life will be even more interesting when you do get information on your security devices and measures....
> I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution.
A starting point, if you want to delve, might be faqs.org COMPUTER SECURITY with current listings:
computer-security/anonymous-ftp-faq Subject: computer-security/anonymous-ftp FAQ (HTML Version)
computer-security/compromise-faq Subject: computer-security/compromise FAQ
computer-security/evaluations Subject: Computer Security Evaluation FAQ, Version 2.1
computer-security/keydist-faq Subject: alt.security.keydist Frequently Asked Questions
computer-security/most-common-qs: Multipart Subject: comp.security.unix and comp.security.misc frequently asked questions Discussions
computer-security/ntsecurity Subject: computer-security/Windows NT Security FAQ
computer-security/secmaillist Subject: computer-security/secmaillist FAQ
computer-security/security-patches Subject: computer-security/security-patches FAQ
computer-security/sniffers Subject: computer-security/sniffers FAQ
computer-security/ssh-faq Subject: SSH (Secure Shell) FAQ - Frequently Asked Questions
computer-security/ssl-talk-faq Subject: [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1
computer-security/vendor-contacts Subject: computer-security/vendor-contacts FAQ
NoseNuggets (Author) Posted January 25, 2007
I'm always down to 'delve'. Thanks for the links, I will check them out.
Wazoo Posted January 25, 2007
Data point: http://www.senderbase.org/search?searchBy=...g=67.126.57.249 2005 GMT -6
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.4         14471%
Last 30 days    2.9         350%
Average         2.2
agsteele Posted January 25, 2007
Looks like the spew was significant and that you're going to face another 12-20 hours listed in the SCBL until the reports time off the system. But, as with the others, thanks for such an excellent proactive bit of searching to identify the source of your problem. I'd suggest you double check other machines on your network just in case they have been infected too.
Andrew
NoseNuggets (Author) Posted January 25, 2007
So by tomorrow the numbers on those two sites will reflect the current values? Is that right? I still see
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.3         8563%
Last 30 days    3.0         355%
Average         2.3
on SenderBase.
agsteele Posted January 25, 2007
> So by tomorrow the numbers on those two sites will reflect the current values? Is that right? I still see
> Volume Statistics for this IP
>                 Magnitude   Vol Change vs. Average
> Last day        4.3         8563%
I also see those numbers and that may indicate a significant problem. However, the magnitude is almost half what it was previously so it could just be that Senderbase is still using old data to calculate. The SCBL timeout is down to four hours which is a good sign. If the figures keep dropping then all should be well when you arrive for work tomorrow :-)
Andrew
NoseNuggets (Author) Posted January 25, 2007
Yeah, I certainly was not expecting to still see 8K%. But it's a ratio of email:time in some fashion, so maybe it's a running average over the week as opposed to each 24 hour period. Whatever. If it's not down by at least another half tomorrow I'll log back in and snoop around a little more.
NoseNuggets (Author) Posted January 26, 2007
Yesssssssss!!!!!!!! /does the dealer hand flip
I'm out. Thanks for your assistance, gentlemen. I hope to God I never have to come back here.
Derek T Posted January 26, 2007
> Yeah, I certainly was not expecting to still see 8K%. But it's a ratio of email:time in some fashion, so maybe it's a running average over the week as opposed to each 24 hour period. Whatever. If it's not down by at least another half tomorrow I'll log back in and snoop around a little more.
Spamcop working exactly as it should gives a responsible admin the heads-up. Admin finds and fixes problem. Result! You're welcome to stick around 'here' and help other admins to be as responsible and responsive as you were - we're not a bad little community.
turetzsr Posted January 26, 2007
> Yesssssssss!!!!!!!! <snip>
...Thank you for taking the time to return here and let us know the good news. Based on this, I am marking this forum thread as "Resolved."
NoseNuggets (Author) Posted January 31, 2007
Sure, I'll pop my head in occasionally and see what's going down.