[Resolved] Clients external domain/ip blocked


NoseNuggets

Well, I'll start with the important info.

http://www.spamcop.net/w3m?action=checkblo...p=67.126.57.249

And this one:

http://www.senderbase.org/search?searchBy=...g=67.126.57.249

This is one of my clients. I went through all the Exchange logs and found nothing out of the ordinary. This leads me to believe there is some kind of email bot on one of my end users' systems. We (me and the head admin, who is not here, which is why I'm handling the issue) have deployed Trend Micro's Client/Server Security Agent on the server and all the client systems. This software pushes all updates automatically and has served us well in the past. I forced a full system scan on all systems the other day but nothing came up.

I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution.

Thanks in advance for any support you guys can give me.

Oh yeah, I also found this when I googled the IP in question:

------------

==================== Written on: Tue Jan 16 08:01:17 PST 2007 ==========

Received: from 67.126.57.249 by sites.bunnyinc.net (envelope-from [adbgca[at]carma.com.au], uid 88) with qmail-scanne

Received: from mail.hoodexhibits.com (67.126.57.249) by sites.bunnyinc.net with SMTP; 16 Jan 2007 15:49:28 -0000 D

X-spam-Status: Yes, hits=16.3 required=5.0 X-spam-Level: ++++++++++++++++ X-Antivirus-Bunnyinc-Mail-From: adbgca[at]c

From: Nasdaq.com Alert! [adbgca[at]carma.com.au] X-Mailer: The Bat! (v2.00) UNREG / CD5BF9353B3B7091 Reply-To: adbgca

To: revdeacon[at]the-deacon.com Subject: --spam-- MHII.OB this is really amazing company that you always dreamt MIME-

Subject: --spam-- MHII.OB this is really amazing company that you always dreamt MIME-Version: 1.0 Content-Type: te

Date: Tue, 16 Jan 2007 16:57:06 +0480 From: Nasdaq.com Alert! [adbgca[at]carma.com.au] X-Mailer: The Bat! (v2.00) UNR

Badword was: --spam--


Thanks for that .. but wondering why there wasn't a bit more commentary on those details seen ....

The SpamCopDNSBL listing page notes that 'both' spamtrap hits and user-reports are involved.

The SenderBase data shows something spewing forth greatly from that IP address.

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.4         14395%
Last 30 days     2.9         350%
Average          2.2

This is one of my clients. I went through all the Exchange logs and found nothing out of the ordinary. This leads me to believe there is some kind of email bot on one of my end users' systems. We (me and the head admin, who is not here, which is why I'm handling the issue) have deployed Trend Micro's Client/Server Security Agent on the server and all the client systems. This software pushes all updates automatically and has served us well in the past. I forced a full system scan on all systems the other day but nothing came up.

Implication is that the "e-mail server was checked" .... I have no idea what all was checked via the TrendMicro tools, but .... what I do see missing is any mention of a search of a firewall traffic log/report .. or that a firewall even exists .... The point being that, from the results you've offered up, you're actually looking for traffic that is not using the e-mail server itself to send the spew, but that server's connection is the one that the (unauthorized) traffic is exiting from.

I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution.

User-reports would have been sent to:

Parsing input: 67.126.57.249

host 67.126.57.249 = mail.hoodexhibits.com (cached)

host 67.126.57.249 = mail.hoodexhibits.com (cached)

[report history]

Routing details for 67.126.57.249

[refresh/show] Cached whois for 67.126.57.249 : abuse[at]sbcglobal.net

Using best contacts abuse[at]prodigy.net

Personally, not happy with that set of results, so did a Refresh on that table ... oddly, didn't actually change ...

Anyway, some data available at this point:

Report History:

Submitted: Thursday, January 18, 2007 7:02:25 PM -0600:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela ...

2105462337 ( 67.126.57.249 ) To: abuse[at]prodigy.net

(known Subject line of the recent 'Storm Worm')

Submitted: Thursday, January 18, 2007 10:30:47 AM -0600:

Hurry do not let yourself to miss this incredible offer.

2104883890 ( 67.126.57.249 ) To: abuse[at]prodigy.net

Submitted: Wednesday, January 17, 2007 2:56:44 AM -0600:

Join MHII.OB (MARSHALL HOLDINGS INTERNATIONAL) favorable conditions and real ...

2103230340 ( 67.126.57.249 ) To: abuse[at]prodigy.net

Submitted: Tuesday, January 16, 2007 5:35:13 PM -0600:

We have the most lowest and favorable prices join MHII.OB

2102746966 ( 67.126.57.249 ) To: abuse[at]prodigy.net

news.admin.net-abuse.sightings show a posting from yesterday at http://groups.google.com/group/news.admin....5a9ff99c1384a8b


Thank you very, very much for the reply. We do have a firewall and other security measures in place as far as I know, but not being the lead admin I don't have information for those devices readily available to me.

What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system.

I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.

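The firewall-log search suggested earlier in the thread and the port-watching described in this post amount to the same check: which internal host, other than the mail server, is opening outbound connections to TCP port 25, and how fast. The script below is an added example and not code from anyone in this thread; the log format, the addresses (the Exchange box is assumed to be 192.168.1.10), and the burst threshold are all assumptions, with the threshold tuned down from the roughly 100-in-15-seconds clip reported here so the constructed sample stays short.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall connection log, not from the thread. One outbound
# TCP connection per line: "<date> <time> <src_ip> -> <dst_ip>:<dst_port>".
SAMPLE_LOG = """\
2007-01-18 10:00:00 192.168.1.10 -> 64.12.88.1:25
2007-01-18 10:00:04 192.168.1.57 -> 204.13.10.2:25
2007-01-18 10:00:05 192.168.1.57 -> 66.94.237.1:25
2007-01-18 10:00:06 192.168.1.57 -> 64.233.160.1:25
2007-01-18 10:00:07 192.168.1.23 -> 208.67.222.1:80
2007-01-18 10:00:08 192.168.1.57 -> 65.54.188.5:25
2007-01-18 10:00:09 192.168.1.57 -> 216.148.227.1:25
2007-01-18 10:01:10 192.168.1.42 -> 209.85.135.1:25
"""
MAIL_SERVER = "192.168.1.10"  # assumed address of the legitimate Exchange box
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> \S+:(\d+)$")

def smtp_connections(log_text):
    """Map each source IP to the timestamps of its outbound port-25 connections."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "25":
            conns[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return conns

def peak_rate(times, window):
    """Most connections from one host inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def unexpected_senders(log_text, mail_server=MAIL_SERVER):
    """Every non-mail-server host seen talking SMTP at all, with its total count.
    Workstations behind an Exchange server should not do this even once."""
    return {src: len(ts) for src, ts in smtp_connections(log_text).items()
            if src != mail_server}

def find_suspects(log_text, mail_server=MAIL_SERVER,
                  window=timedelta(seconds=15), threshold=5):
    """Non-mail-server hosts whose burst of port-25 connections inside one
    window reaches `threshold`; returns {src_ip: peak_count}."""
    return {src: peak_rate(ts, window) for src, ts in smtp_connections(log_text).items()
            if src != mail_server and peak_rate(ts, window) >= threshold}
```

On the sample, `unexpected_senders` lists both 192.168.1.57 and the single-connection 192.168.1.42, while `find_suspects` narrows to 192.168.1.57; the one-off host is worth a look too, since a quiet bot looks exactly like that between bursts.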

<snip>

What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system.

I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.

...On behalf of internet and e-mail users everywhere -- thank you!! :D <big g>

...On behalf of internet and e-mail users everywhere -- thank you!! <big g>
Seconded!
...What I ended up doing was running Ethereal and just watching the ports. I'm happy to report that I found the bugged box and pulled it. It was pushing out spam at a pretty good clip, about 100 in 15 seconds, which is extremely surprising given that it's a SUPER old system.

I'll do a few more checks at random intervals to make sure it was the only one and then submit the request to be unblocked.

Good work NoseNuggets - and it seems like your life will be even more interesting when you do get information on your security devices and measures.
...I am wondering if anyone has any ideas. Is there an app that hunts down these email bots? I'm not sure manually sifting through 15 systems for this bot is going to be a cost-effective solution.
A starting point, if you want to delve, might be faqs.org COMPUTER SECURITY with current listings


Looks like the spew was significant and that you're going to face another 12-20 hours listed in the SCBL until the reports time off the system.

But, as with the others, thanks for such an excellent proactive bit of searching to identify the source of your problem.

I'd suggest you double check other machines on your network just in case they have been infected too.

Andrew


So by tomorrow the numbers on those two sites will reflect the current values? Is that right?

I still see:

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         4.3         8563%

I also see those numbers and that may indicate a significant problem. However, the magnitude is almost half what it was previously so it could just be that Senderbase is still using old data to calculate.

The SCBL timeout is down to four hours which is a good sign. If the figures keep dropping then all should be well when you arrive for work tomorrow :-)

Andrew


Yeah, I certainly was not expecting to still see 8K%. But it's a ratio of email:time in some fashion, so maybe it's a running average over the week as opposed to each 24 hour period.

Whatever. If it's not down by at least another half tomorrow I'll log back in and snoop around a little more.


Yeah, I certainly was not expecting to still see 8K%. But it's a ratio of email:time in some fashion, so maybe it's a running average over the week as opposed to each 24 hour period.

Whatever. If it's not down by at least another half tomorrow I'll log back in and snoop around a little more.

Spamcop working exactly as it should gives a responsible admin the heads-up. Admin finds and fixes problem. Result!

You're welcome to stick around 'here' and help other admins to be as responsible and responsive as you were - we're not a bad little community :D
