konczf Posted March 10, 2007

Dear anybody,

I am really confused now. I have been a computer fanatic since I was 8-9 years old. Debian Linux is my favourite. Currently I am working for a company with about 90-100 users; they ONLY WANT TO HAVE a Windows 2003 SBS R1 server with the current ISA 2004 and Exchange 2003 w. SP2 (IMF updated) working.

For the last 14 days it has been my daily routine to delist our IP (213.163.49.30) from SpamCop and CBL, and sometimes, if I'm "late", from even the others (SBL and so on).

Until now, what I have done:

- Tested open relay: from a computer outside the company I telnetted to our IP on port 25 and said "EHLO", then mail from: asdf[at]qwer (answer: sender OK), rcpt to: konczf[at]yahoo.com ---> Relay not allowed! So I think I'm relay secure. However, if I write rcpt to: user[at]mcr.hu (which is our domain, and the user for example exists) ---> mail is sent. Okay.
- I have "Filter recipients who are not in the Active Directory" checked.
- I have "Connection filtering" --> relays.ordb.org, sbl.spamhaus.org, xbl.spamhaus.org
- I have "Sender filtering" ---> *[at]comcast.net, *[at]MidLASurgical.com, *[at]hinet.net
- I have IMF kept updated: archive messages at level 7 or higher, but put mail in the Junk folder from level 5.
- I have removed the checkmark from non-delivery report sending, but it should send me the mail from not delivered mail.
- On the ISA 2004 I have a rule that SMTP is only allowed from Localhost (not Internal), so that port 25 should only be allowed through the server.
- Outlook RPC is only allowed for a single client machine, which uses Nod32.
- In past days the server used Symantec Mail Security for Exchange 2003 (trial version, but the latest one). It filtered messages... some good, some not, but no critical happenings.
- SpamCop told me the dispute listing reason, BUT I CANNOT SEE THE MESSAGES in the Message Tracking Center!! Everybody is in it, but those messages are NOT there.

So what now...? What other reason sends mail through our beloved (khehhmm) IP? What if one of our colleagues is sending spam? People are interesting ones... we have about 50-100 machines, even in different countries... I simply cannot be at every laptop (there are some laptops too) with my beloved Ad-Aware, SpyBot SD and HijackThis. Please, bigger gurus... should I send the userlist to SpamCop in case one of them is trying to... ahh... I have done many things, but not all; please give me ideas. Microsoft VAP Support was not so helpful...!

Sincerely,
Ferenc Koncz (i.e. Frank Koncz)
konczf[at]mcr.hu

PS: we have forwarded the mails through the DNS. IP Spoof attacks are to be seen in ISA logs. Maybe? But how to resolve?
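A scripted form of the relay test described in the post above (EHLO, MAIL FROM, RCPT TO a foreign domain, then RCPT TO the local domain), added here as an example; it is not code from the thread or from Microsoft/SpamCop. The canned server replies are constructed, the placeholder addresses are assumptions, and only the domain mcr.hu comes from the post.

```python
"""Scripted open-relay self-test for your own mail server. Added example, not from the
thread. The canned replies below are constructed; DATA is never sent, so the probe can
never deliver a message, it only observes whether a foreign recipient is accepted."""
import socket


class ScriptedServer:
    """Offline stand-in for an SMTP server: hands back one canned reply line per read."""
    def __init__(self, reply_lines):
        self.reply_lines, self.sent = list(reply_lines), []
    def readline(self):
        return self.reply_lines.pop(0) if self.reply_lines else ""
    def sendline(self, line):
        self.sent.append(line)          # keep the commands for inspection


class SocketTransport:
    """Same two methods over a real TCP connection, for probing your own server."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace")
    def readline(self):
        return self.rfile.readline().rstrip("\r\n")
    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


def read_reply(transport):
    """Read one SMTP reply, skipping 'NNN-' continuation lines; return the 3-digit code."""
    while True:
        line = transport.readline()
        if len(line) < 3:
            raise ConnectionError("connection closed or malformed reply")
        if len(line) == 3 or line[3] != "-":   # final line is 'NNN' or 'NNN text'
            return int(line[:3])


def relay_test(transport, ehlo_name, sender, foreign_rcpt, local_rcpt):
    """EHLO / MAIL FROM / two RCPT TO probes, then RSET and QUIT.
    relay_open=True means a recipient outside the server's own domains was accepted
    (misconfiguration); local_ok=True is the expected behaviour for a local user."""
    read_reply(transport)                                   # 220 banner
    transport.sendline(f"EHLO {ehlo_name}")
    read_reply(transport)
    transport.sendline(f"MAIL FROM:<{sender}>")
    if read_reply(transport) != 250:
        transport.sendline("QUIT")
        return {"relay_open": False, "local_ok": False, "note": "sender refused"}
    transport.sendline(f"RCPT TO:<{foreign_rcpt}>")
    relay_open = read_reply(transport) == 250               # 250 here = will relay for anyone
    transport.sendline(f"RCPT TO:<{local_rcpt}>")
    local_ok = read_reply(transport) == 250
    for cmd in ("RSET", "QUIT"):                            # abandon the envelope, hang up
        transport.sendline(cmd)
        read_reply(transport)
    return {"relay_open": relay_open, "local_ok": local_ok}


# Constructed reply scripts: a closed relay answers the foreign RCPT with 550 (the
# 'Relay not allowed' the poster saw); an open relay answers 250 instead.
SECURE_REPLIES = [
    "220 mail2.mcr.hu ESMTP ready", "250-mail2.mcr.hu Hello tester", "250 SIZE 10485760",
    "250 2.1.0 Sender OK", "550 5.7.1 Unable to relay", "250 2.1.5 Recipient OK",
    "250 2.0.0 Resetting", "221 2.0.0 Bye",
]
OPEN_RELAY_REPLIES = SECURE_REPLIES[:4] + ["250 2.1.5 Recipient OK"] + SECURE_REPLIES[5:]


def demo(replies):
    """Run the probe against a scripted server; the addresses are placeholders."""
    return relay_test(ScriptedServer(replies), "tester.example.invalid",
                      "asdf@qwer.invalid", "someone@example.invalid", "user@mcr.hu")
```

For a live check of your own server, pass `SocketTransport("your.mail.host")` to `relay_test` in place of the `ScriptedServer`.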
Miss Betsy Posted March 10, 2007

I am not a computer guru, but there are several here who can help you find your problem. They will need the IP address. I can give a couple of hints from other server admins who have checked everything. One is to check your firewall logs. Zombie computers often use other ports. The other hint is to look at the SenderBase statistics. If there are more emails than usual, then someone does have a zombie.

Have you read the Why Am I Blocked? FAQ? There is a section of common problems for server admins. It can be found in the SpamCop Blocklist forum.

You are also in the wrong forum section. A moderator will probably move your post soon.

Miss Betsy
Wazoo Posted March 10, 2007

> Since the last 14 days, it is my daily routine to delist our IP (213.163.49.30) from SpamCop and CBL, sometimes if I'm "late" from even the others (sbl and so on).

I don't think so ... SpamCop.net gives 'you' one chance to use the 'express delisting' .. but that came with the warning that it was a one-time thing, so the issue was supposed to be resolved prior to using that one chance. Based on the current data seen and your description, the problem was not resolved first.

> Until now what I have done:

Noting that nothing was said about a firewall. I'm not sure that anything listed dealt with the issue of a hacked server, usually via the use of a weak password.

> - SpamCop told me dispute listing reason, BUT I CANNOT SEE THE MESSAGES on the Message Tracking Center!! Everybody is in it, but those messages are NOT there.

Correct ... as seen / explained at http://spamcop.net/w3m?action=checkblock&a...p=213.163.49.30

213.163.49.30 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 13 hours.
Causes of listing
  System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Additional potential problems
  System administrator has already delisted this system once
  Because of the above problems, express-delisting is not available
Listing History
  In the past 15.5 days, it has been listed 8 times for a total of 6.5 days
Other hosts in this "neighborhood" with spam reports
  213.163.49.3
  213.163.49.25

> So what now...? What any other reason sends mail through our beloved (khehhmm) IP?

A lot of this is addressed in the Why am I Blocked? FAQ entry here .. use one of the SpamCop FAQ links at the top of this page (or noting the Pinned entry at the top of the Forum section page that this post has been moved into ... )

> What if one of our colleagues are sending spam? People are interesting ones....we have about 50-100 machines, in even different Countries...I simply cannot be at every laptop (there are some laptops too) with my beloved Ad-Aware, SpyBot SD and HijackThis.

The 'even in different countries' really shouldn't be an issue, as this 'problem' is only dealing with this one identified e-mail server/IP address. What you tried to suggest is that you can find nothing on the e-mail server that seems suspicious enough to indicate a problem. That might possibly be true, but .. additional data suggests that the 'traffic' itself should be somewhat easier to find (especially if a firewall is in use)

http://www.senderbase.org/search?searchBy=...g=213.163.49.30
Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day         3.5         1396%
Last 30 days     2.9          297%
Average          2.3

Can you identify / explain this increase in traffic other than the implied spammer abuse?

Had there been a 'reported spam', those reports would have gone to;

Parsing input: 213.163.49.30
host 213.163.49.30 = dial049030.pool.invitel.hu (cached)
host 213.163.49.30 = dial049030.pool.invitel.hu (cached)
Cached whois for 213.163.49.30 : nic[at]ip.vivendi.hu
Using last resort contacts nic[at]ip.vivendi.hu

Last 'seen' that are shown to other than the paid-staff;

Submitted: Sunday, February 25, 2007 7:41:04 AM -0600: Gillian
  2167132071 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu
Submitted: Friday, February 23, 2007 1:02:32 AM -0600: [Possible spam] BibbLil KimLinda LohanLisa
  2162492786 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu
Submitted: Thursday, February 22, 2007 12:54:27 PM -0600: pajamas
  2161519863 ( 213.163.49.30 ) To: [concealed user-defined recipient]
  2161519817 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu

Moving to the more appropriate Forum section SpamCop Blocklist Help with this post.
Merlyn Posted March 10, 2007

canonical name dial049030.pool.invitel.hu.
aliases
addresses 213.163.49.30

It looks like you are using a dynamic IP. Many mail servers will not accept mail from a dynamic IP. Although there are signs of spam on many other blocklists from this IP and others in that /24.
konczf (Author) Posted March 10, 2007

Hi. Thank you for moving my post to the right place, where it belongs. What I have done after the confusion: I have read all that you so nicely wrote to me; thanks a lot for it.

1. Unfortunately, to the people who wrote me that I should read the FAQs and so on: do you think I would have questions if I understood them all? I'm not that lazy one who thinks only of asking and asking and no Google. Anyway, I wouldn't prefer mostly Debian. Cheers! But anyway, thanks.

2. Maybe for a lucky day, one good point was that somebody mentioned "I haven't written anything about ISA Firewall"! ---> I simply created a rule before Outbound access:
   Access: DENY
   Protocol: SMTP
   From: Internal
   To: External
   Applies to: All Users and everybody
Because I had already created a rule: SMTP allow from Local Host to External... BUT NO DENY RULE FOR ANYBODY ELSE! Probably those modifications will first of all stop spamming through my server, and so I'll have more time to check the client machines. I've tried to telnet from a client machine, and I couldn't do it, only from the server; it should work smoothly. At least, today no CBLs; hope for the same in the following days...

One other thing is that our (khm) ISP is giving fixed IPs from a pool which is dynamic... so cool solution... I will check the DNS records too, I think. Hopefully my nights will be okay. I'll post HijackThis to everyone, asking them to send me the logs or the PrtScr screenshot as an attachment. Hopefully they won't send me "pagefile.sys" by mistake :-))))) Cheers :-)))
Wazoo Posted March 10, 2007

Things don't look good. Again, you are focusing on the SMTP e-mail server, but .. that may not be where the traffic is actually coming from ...

http://www.senderbase.org/search?searchBy=...g=213.163.49.30
Volume Statistics for this IP
                 Magnitude   Vol Change vs. Average
Last day         4.2         6778%
Last 30 days     3.0          305%
Average          2.4
konczf (Author) Posted March 10, 2007

Uhh..... Where should I look then? We have a second SBS server in another town; they are both together with static routing so that they can communicate. I've already stopped the Default Virtual SMTP Server on the second one. On the router which communicates with the internet, SMTP, POP and other ports are OPENED and NOT FORWARDED. Could this be a problem? Or should I communicate with the ISP? CBL does not even allow me to delist now!!! The only good thing is that it is the weekend, so not so many people have mailing problems! Scary... NOW WHAT?!
StevenUnderwood Posted March 10, 2007

> Uhh..... Where should I look then? We have a second SBS server in another town; they are both together with static routing so that they can communicate. I've already stopped the Default Virtual SMTP Server on the second one. On the router which communicates with the internet, SMTP, POP and other ports are OPENED and NOT FORWARDED. Could this be a problem? Or should I communicate with the ISP? CBL does not even allow me to delist now!!! The only good thing is that it is the weekend, so not so many people have mailing problems! Scary... NOW WHAT?!

1. Do you have firewall logs to check? If so, it should not be too hard to see the amount of traffic being reported from that IP address.

2. I think you stated you already did this, but make sure no clients can send port 25 traffic to the internet except your mail server. We used to (previous job) allow ONLY HTTP and HTTPS (SSL) ports out from the client community. We also had them all share an IP that was different from our mail server IP for this very reason. All of this traffic will be SMTP traffic FROM that IP address.
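The firewall-log check suggested in the reply above, worked through as an added example (not code from the thread or from ISA Server): count every internal host that opens TCP port 25 towards the Internet and flag everything that is not the mail server. The log lines are constructed in a generic layout rather than the real ISA 2004 log format, and the LAN range and mail-server address are assumptions.

```python
"""Egress audit: which internal hosts are opening port 25 to the Internet? Added example,
not from the thread. The log lines are constructed in a generic
'date time src dst proto dport action' layout (not the real ISA 2004 format); the
internal range and the mail server address are assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")       # assumed LAN range
MAIL_SERVER = ip_address("192.168.1.2")       # assumed Exchange/ISA host

# Constructed sample: .37 shows the pattern of an infected PC spraying mail at many hosts.
SAMPLE_LOG = """\
2007-03-10 09:14:02 192.168.1.2  198.51.100.10  TCP 25  allowed
2007-03-10 09:14:05 192.168.1.37 198.51.100.21  TCP 25  allowed
2007-03-10 09:14:05 192.168.1.37 203.0.113.7    TCP 25  allowed
2007-03-10 09:14:06 192.168.1.37 203.0.113.99   TCP 25  denied
2007-03-10 09:14:07 192.168.1.51 198.51.100.33  TCP 25  allowed
2007-03-10 09:14:09 192.168.1.37 192.168.1.2    TCP 25  allowed
2007-03-10 09:14:11 192.168.1.40 198.51.100.53  UDP 53  allowed
2007-03-10 09:14:12 192.168.1.37 203.0.113.120  TCP 25  allowed
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    date, time, src, dst, proto, dport, action = line.split()
    return {"ts": f"{date} {time}", "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.upper(), "dport": int(dport), "action": action}


def audit_outbound_smtp(lines, mail_server=MAIL_SERVER, internal=INTERNAL):
    """Return (suspects, total): total = internal->Internet TCP/25 connections seen,
    suspects = {source: count} for every source that is not the mail server, busiest
    first. Denied attempts count too: a blocked bot is still an infected machine.
    Traffic to the internal mail server itself is normal client submission and ignored."""
    suspects, total = Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        if rec["src"] not in internal or rec["dst"] in internal:
            continue                                  # inbound, or LAN-to-LAN
        total += 1
        if rec["src"] != mail_server:
            suspects[str(rec["src"])] += 1
    return dict(suspects.most_common()), total


def main():
    suspects, total = audit_outbound_smtp(SAMPLE_LOG.splitlines())
    print(f"{total} outbound SMTP connections, {sum(suspects.values())} not from the mail server")
    for src, n in suspects.items():
        print(f"  {src:<15} {n:>4}  <- check this machine")


if __name__ == "__main__":
    main()
```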
Wazoo Posted March 10, 2007

> Where should I look then? We have a second SBS server in another town; they are both together with static routing so that they can communicate. I've already stopped the Default Virtual SMTP Server on the second one.

I'm a little confused at the moment.

> Currently I am working for a company with about 90-100 users, they ONLY WANT TO HAVE a Windows 2003 SBS R1 server with the current ISA 2004 and Exchange 2003 w. sp2 (IMF updated) working.
> <snip>
> - Tested open relay: from a computer outside the company I telnetted to our IP to port 25, and said "EHLO", then mail from: asdf[at]qwer (answer: sender OK), rcpt to: konczf[at]yahoo.com ---> Relay not allowed! So I think I'm relay secure. However, if I'm writing rcpt to: user[at]mcr.hu (which is our domain and user for example exists) ---> mail is sent. Okay.

The above doesn't seem to really match my quick look .....

C:\>telnet 213.163.49.30 25
220 AVG ESMTP Proxy Server 7.5.442/7.5.446 [268.18.8/716]
helo
250 localhost Hello
help
250 RTFM
quit
221 Asta la vista

You've never mentioned anything about any kind of a proxy being in the mix .... and I don't read the initial response as an Exchange server .... but I claim no expertise on an Exchange server ....
konczf (Author) Posted March 11, 2007

I have the problem now, I think: my colleague, I think, has seen that I'm taking the whole system seriously. He has changed something on the DNS server and TOLD THE BOSS THAT THE PROBLEM IS AT CONNECTION FILTERING!!!!! Now the Boss said this should be the problem, this didn't happen before... they deleted relays.ordb.org and sbl.spamhaus.org and xbl.spamhaus.org from the Connection Filtering section AND PROBABLY CHANGED BACK THE DNS IN THE PLACE I CANNOT! Why the ... are people so cool only because they are not fanatic ones?! How could I prove that? I don't want to lose my job only because of a colleague who says Microsoft and everybody is stupid, only he knows.... THIS IS FALSE, PLEASE PROVE!
konczf (Author) Posted March 11, 2007

Now I know. The DNS is not even registered. So I know the problem lay in that I assumed, as I was told, that everything is working. I assumed that and told the server to look up connections against the blacklists. The problem lay in that everybody can just install a server and say "I'm mcr.hu". I have to contact the DNS admin, as we don't seem to have the record to be an MX. It's a Linux server, which I like very, very much, so it won't take long to set it up. The good thing is that the boss believed me that I'm right. "The clever one is not the one who talks much, but the one who is understandable". I'll set up the domain with a strong Debian server and set the MX record as mail2.mcr.hu. The correct thing is that our company is not a false company (which I was a little bit afraid of). Hopefully, the cruelty will end now after clearing up the fully misconfigured open proxy and so on... DNS. SpamCop, be patient and please delist us for the following three days; I'm working on the thing!

Frank Koncz
Systems Admin
Wazoo Posted March 11, 2007

At the time of your Linear Post #10, http://www.senderbase.org/search?searchBy=...g=213.163.49.30 showed something over 2300% for the last 24 hours. At the time of your Linear Post #11, it is now showing 1602% .. and noting that it is dropping .. it was 1607% a few minutes ago ... Good work .. and good luck on the new server, DNS set-up

No one here can 'adjust' the SpamCopDNSBL listing .. as it's pretty much run on autopilot, based on the math formula involved ... setting another data point ...

http://spamcop.net/w3m?action=checkblock&a...p=213.163.49.30
213.163.49.30 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 9 hours.

The catch is that this IP address has also made it into other BLs ... http://moensted.dk/spam/?addr=213.163.49.3...p;Submit=Submit

.... dang ... while typing all this up, the SenderBase data took an upturn .. now reading 1604% ..

http://www.mxtoolbox.com/index.aspx
ns.i-trade.hu reports the following MX records:
Preference   Host Name      IP Address      TTL
20           mail2.mcr.hu   213.163.49.30   604800

SMTP Diagnostics
RESULT: mail2.mcr.hu
Banner: mcr.hu Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Sun, 11 Mar 2007 18:06:19 +0100 [437 ms]
Connect Time: 0.172 seconds - Good
Transaction Time: 11.140 seconds - Not good!
Relay Check: OK - This server is not an open relay. (Note: this is a very simple test)
Rev DNS Check: OK - 213.163.49.30 resolves to dial049030.pool.invitel.hu
GeoCode Info: Geocoding server is unavailable
Session Transcript: TIMEOUT after HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx -- 10.530 seconds

http://www.mxtoolbox.com/blacklists.aspx?IP=213.163.49.30 - some additional BL listings
konczf (Author) Posted March 12, 2007

We both got an ultimatum: until Wednesday, we HAVE to get off the lists or we get fired. So, please help me; I'll send every needed thing. ATRT has BIND on a used Linux server with the following config (the forum shows the zone origin symbol as "[at]"; it is "@" in the zone file):

; mcr.hu
;
$TTL 604800
@       IN      SOA     ns.atrtnet.hu. postmaster.mcr.hu. (
                        2006112101      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        3600000         ; Expire
                        3600 )          ; Negative Cache TTL
;
@       IN      NS      ns.i-trade.hu.
@       IN      NS      ns2.i-trade.hu.
@       IN      A       212.92.1.62
www     IN      A       212.92.1.62
mail    IN      A       85.90.176.138
@       IN      MX      20 mail2
mail2   IN      A       213.163.49.30

I'm confused. I can send ISA config pictures, but I'm trying to do my best as I will be fired. The router has NAT for port forwarding port 25 to the server and an open port too for port 25. ISA has a DENY rule for port 25 as told before. Problem is we cannot send mail because of listings. I don't really find where I should look; please tell me a phone number where I can find every needed thing.
Merlyn Posted March 12, 2007

You are currently not on the SpamCop blocklist but you are now on many other blocklists.

Resolved 213.163.49.30 to mail2.mcr.hu.
mail2.mcr.hu. has no MX records -> [mcr.hu has 1 MX record mail2.mcr.hu.(20)]

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4
  http://www.spamhaus.org/query/bl?ip=213.163.49.30
PBL The Policy Block List: pbl.spamhaus.org -> 127.0.0.11
ZEN Spamhaus combined SBL, XBL and PBL - replaces SBLXBL: zen.spamhaus.org -> 127.0.0.4 -> 127.0.0.11
  http://www.spamhaus.org/query/bl?ip=213.163.49.30
CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2
  Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=213.163.49.30
NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3
  Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html
NJABLCOMBINED NJABL & NJABLDYNA combined: combined.njabl.org -> 127.0.0.3
  Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html
SPAMCANNIBAL the SpamCannibal project: bl.spamcannibal.org -> 127.0.0.2
  blocked, See: http://www.spamcannibal.org/cannibal.cgi?p...p;lookup=$
SWINOG Swinog DNSRBL: dnsrbl.swinog.ch -> 127.0.0.3
  IP Blacklisted. See http://antispam.imp.ch/spamikaze/spamlisti...t=213.163.49.30
UCEPROTECTL1 UCEPROTECT®-Network Project - Level 1: dnsbl-1.uceprotect.net -> 127.0.0.2
  Sorry 213.163.49.30 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=213.163.49.30
DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2
  Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=213.163.49.30
DNSBLUCEPN External Block List - UCEPROTECT®-Network Project: ucepn.dnsbl.net.au -> 127.0.0.2
  PLEASE SEE http://www.uceprotect.net/
konczf (Author) Posted March 12, 2007

We have www.mcr.hu at AtRt. The MX record is ours; we have set up a reverse DNS, that is the reason for resolving mail2.mcr.hu for dial049030 or whatever. And now what?

Greets
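The two DNS checks the blocklist report and the reverse-DNS exchange above turn on, worked through as an added example (not code from the thread, SpamCop or Spamhaus): the reversed-octet DNSBL query and what its 127.0.0.x answers mean, and whether the PTR name for the address resolves back to it (forward-confirmed reverse DNS) and matches the domain's MX host rather than a provider pool name. The resolver is a constructed record table so the code runs offline; the names and address mirror the thread, and a live run would swap in a real DNS library.

```python
"""DNSBL lookup and reverse-DNS checks. Added example, not from the thread. The resolver
is a constructed record table mirroring what the thread shows (mail2.mcr.hu,
dial049030.pool.invitel.hu, 213.163.49.30); nothing here touches the network."""
from ipaddress import ip_address

# Meaning of the 127.0.0.x answers from zen.spamhaus.org (well-known mapping of the
# combined list to its SBL / XBL / PBL parts).
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL (CBL data)", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

# Constructed record table: (owner name, type) -> answers. An absent key = no data.
RECORDS = {
    ("30.49.163.213.in-addr.arpa", "PTR"): ["dial049030.pool.invitel.hu"],
    ("dial049030.pool.invitel.hu", "A"): ["213.163.49.30"],
    ("mail2.mcr.hu", "A"): ["213.163.49.30"],
    ("mcr.hu", "MX"): ["20 mail2.mcr.hu"],
    ("30.49.163.213.zen.spamhaus.org", "A"): ["127.0.0.4", "127.0.0.11"],
}


def table_resolver(name, rtype):
    """Stand-in for DNS: answers from RECORDS, empty list for NXDOMAIN/no data."""
    return RECORDS.get((name.rstrip("."), rtype), [])


def reversed_octets(ip):
    """'213.163.49.30' -> '30.49.163.213' (IPv4, as in the thread)."""
    return ".".join(reversed(str(ip_address(ip)).split(".")))


def check_dnsbl(ip, zone, resolve, codes=ZEN_CODES):
    """Query <reversed ip>.<zone>; return [(answer, meaning)], empty if not listed."""
    hits = []
    for answer in resolve(f"{reversed_octets(ip)}.{zone}", "A"):
        last_octet = int(answer.rsplit(".", 1)[1])
        hits.append((answer, codes.get(last_octet, "unknown code")))
    return hits


def fcrdns(ip, resolve):
    """Forward-confirmed reverse DNS: every PTR name must resolve back to the IP."""
    ptrs = [n.rstrip(".") for n in resolve(f"{reversed_octets(ip)}.in-addr.arpa", "PTR")]
    confirmed = [n for n in ptrs if ip in resolve(n, "A")]
    return {"ptr": ptrs, "confirmed": confirmed, "ok": bool(ptrs) and confirmed == ptrs}


def ptr_matches_mx(domain, ip, resolve):
    """Stricter test many receivers apply: is the PTR name one of the domain's MX hosts?
    A provider pool name like dial049030.pool.invitel.hu passes FCrDNS but fails this,
    which is the 'dynamic IP' look that the dynablock-style lists above penalise."""
    mx_hosts = {rr.split()[1].rstrip(".") for rr in resolve(domain, "MX")}
    return bool(mx_hosts & set(fcrdns(ip, resolve)["ptr"]))


def report(domain, ip, resolve=table_resolver):
    """Summarise the checks for one server: zone listings, FCrDNS, PTR-vs-MX."""
    return {"zen": check_dnsbl(ip, "zen.spamhaus.org", resolve),
            "spamcop": check_dnsbl(ip, "bl.spamcop.net", resolve, {2: "listed"}),
            "fcrdns_ok": fcrdns(ip, resolve)["ok"],
            "ptr_is_mx": ptr_matches_mx(domain, ip, resolve)}


if __name__ == "__main__":
    for key, value in report("mcr.hu", "213.163.49.30").items():
        print(f"{key:<10} {value}")
```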
konczf (Author) Posted March 14, 2007

Dear SpamCop, I am now finished and the problem is resolved. Boss believed me, and this was even proved by our ISP. I did know that the good will win! For those who have problems with spam: I've learned a lot, so that I can help others too now.

Possible causes:
- Allowing automated NDRs (if we receive 10 000 spams, non-delivery reports automatically bounce back)
- Making a deny rule for everybody, except the server, for using port 25 (depends on the network environment too!)
- The need for a reverse DNS
- Closing relay
- Active and well-working virus and spyware cleaners (Nod32 + Ad-Aware + SpyBot SD is enough). If possible, scan it through with a Netsky Cleaner and look through the log of HijackThis.

Now I have just set up "Connection Filtering" again, but not using relays.ordb.org anymore, but using "sbl.spamhaus.org" and "xbl.spamhaus.org" too. An interesting thing was that my colleague didn't really want to allow me to scan his machine too. After 3 hours of asking, he did some Netsky cleaning and we installed Nod32. Now we're not on the lists.

Thank you all, people! If possible and needed, I'll look at how I could help your work too! On the need, I'll love to help other people in Debian...
Merlyn Posted March 14, 2007

Nice work! Good luck...
Wazoo Posted March 14, 2007

Thanks for the work, congratulations on the results. Marking this one as Resolved.
kamaraju Posted March 14, 2007

> On the need I'll love to help other people in Debian...

I am a Debian user and like it very much. But I fail to see what connection it has with this particular issue. The issue seems to be M$ related.

raju
Farelf Posted March 14, 2007

> I am a Debian user and like it very much. But I fail to see what connection it has with this particular issue. The issue seems to be M$ related.

You are correct Raju, it goes back to the opening statement of Ferenc's first post...

> I am a fanatic of computers since I'm 8-9 years old. Debian Linux is my favourite.

- he just wants to repay the SC community whatever way he can. Nice gesture, thanks Frank!