
[Resolved] Windows 2003 + Exchange 2003sp2 + ISA 2004


konczf


Dear anybody,

I am really confused now. I have been a computer fanatic since I was 8-9 years old. Debian Linux is my favourite.

Currently I am working for a company with about 90-100 users, they ONLY WANT TO HAVE a Windows 2003 SBS R1 server with the current ISA 2004 and Exchange 2003 w. sp2 (IMF updated) working.

For the last 14 days, it has been my daily routine to delist our IP (213.163.49.30) from SpamCop and CBL, and sometimes, if I'm "late", from the others too (SBL and so on).

Until now what I have done:

- Tested open relay: from a computer outside the company I telnetted to our IP to port 25, and said "EHLO", then mail from: asdf[at]qwer (answer: sender OK), rcpt to: konczf[at]yahoo.com ---> Relay not allowed! So I think I'm relay secure. However, if I'm writing rcpt to: user[at]mcr.hu (which is our domain and user for example exists) ---> mail is sent. Okay.

- I have "Filter recipients who are not in the Active Directory" checked

- I have "Connection filtering" --> relays.ordb.org, sbl.spamhaus.org, xbl.spamhaus.org

- I have "Sender filtering" ---> *[at]comcast.net, *[at]MidLASurgical.com, *[at]hinet.net ;)

- I have IMF kept updated: archive messages with a rating greater than or equal to 7, but put mail into the Junk folder from level 5.

- I have removed the checkmark from non-delivery report sending, but it should still send me the mail from undelivered mail

- on the ISA 2004 I have a rule of SMTP is only allowed from Localhost (not Internal), so that port 25 should be only allowed through the server

- Outlook RPC is only allowed for a single client machine, which uses Nod32.

- Past days the server used the Symantec Mail Security for Exchange 2003 (version trial, but the latest one). It filtered messages....some good some not, but no critical happenings.

- SpamCop told me dispute listing reason, BUT I CANNOT SEE THE MESSAGES on the Message Tracking Center!! Everybody is in it, but those messages are NOT there.

So what now...?

What any other reason sends mail through our beloved (khehhmm) IP? :(

What if one of our colleagues is sending spam? People are interesting ones....we have about 50-100 machines, even in different countries...I simply cannot be at every laptop (there are some laptops too) with my beloved Ad-Aware, SpyBot SD and HijackThis.

Please, bigger gurus...should I send the user list to SpamCop in case one of them is trying to ...ahh....

I have done many things, but not all, please give me ideas. Microsoft VAP Support was not so helpful...!

Sincerely,

Ferenc Koncz (i.e. Frank Koncz)

konczf[at]mcr.hu

PS: we have forwarded the mails through the DNS. IP spoof attacks are to be seen in the ISA logs. Maybe? But how to resolve?


I am not a computer guru, but there are several here who can help you find your problem. They will need the IP address.

I can give a couple of hints from other server admins who have checked everything. One is to check your firewall logs. Zombie computers often use other ports. The other hint is to look at the Senderbase statistics. If there are more emails than usual, then someone does have a zombie. Have you read Why Am I Blocked? FAQ? There is a section of common problems for server admins. It can be found in the Spamcop Blocklist forum.

You are also in the wrong forum section. A moderator will probably move your post soon.

Miss Betsy


For the last 14 days, it has been my daily routine to delist our IP (213.163.49.30) from SpamCop and CBL, and sometimes, if I'm "late", from the others too (SBL and so on).

I don't think so ... SpamCop.net gives 'you' one chance to use the 'express delisting' .. but that came with the warning that it was a one-time thing, so the issue was supposed to be resolved prior to using that one chance. Based on the current data seen and your description, the problem was not resolved first.

Until now what I have done:

Noting that nothing was said about a firewall.

I'm not sure that anything listed dealt with the issue of a hacked server, usually via the use of a weak password.

- SpamCop told me dispute listing reason, BUT I CANNOT SEE THE MESSAGES on the Message Tracking Center!! Everybody is in it, but those messages are NOT there.

Correct ... as seen / explained at http://spamcop.net/w3m?action=checkblock&a...p=213.163.49.30

213.163.49.30 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 13 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 15.5 days, it has been listed 8 times for a total of 6.5 days

Other hosts in this "neighborhood" with spam reports

213.163.49.3 213.163.49.25

So what now...?

What any other reason sends mail through our beloved (khehhmm) IP? :(

A lot of this is addressed in the Why am I Blocked? FAQ entry here .. use one of the SpamCop FAQ links at the top of this page (or noting the Pinned entry at the top of the Forum section page that this post has been moved into ... )

What if one of our colleagues is sending spam? People are interesting ones....we have about 50-100 machines, even in different countries...I simply cannot be at every laptop (there are some laptops too) with my beloved Ad-Aware, SpyBot SD and HijackThis.

The 'even in different countries' really shouldn't be an issue, as this 'problem' is only dealing with this one identified e-mail server/IP address. What you tried to suggest is that you can find nothing on the e-mail server that seems to be suspicious enough to indicate a problem. That might possibly be true, but .. additional data suggests that the 'traffic' itself should be somewhat easier to find (especially if a firewall is in use)

http://www.senderbase.org/search?searchBy=...g=213.163.49.30

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
  Last day          3.5         1396%
  Last 30 days      2.9          297%
  Average           2.3

Can you identify / explain this increase in traffic other than the implied spammer abuse?

Had there been a 'reported spam', those reports would have gone to;

Parsing input: 213.163.49.30

host 213.163.49.30 = dial049030.pool.invitel.hu (cached)

host 213.163.49.30 = dial049030.pool.invitel.hu (cached)

Cached whois for 213.163.49.30 : nic[at]ip.vivendi.hu

Using last resort contacts nic[at]ip.vivendi.hu

Last 'seen' that are shown to other than the paid-staff;

Submitted: Sunday, February 25, 2007 7:41:04 AM -0600:

Gillian

2167132071 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu

-----------------------------------------------

Submitted: Friday, February 23, 2007 1:02:32 AM -0600:

[Possible spam] BibbLil KimLinda LohanLisa

2162492786 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu

-------------------------------------------------

Submitted: Thursday, February 22, 2007 12:54:27 PM -0600:

pajamas

2161519863 ( 213.163.49.30 ) To: [concealed user-defined recipient]

2161519817 ( 213.163.49.30 ) To: nic[at]ip.vivendi.hu

Moving to the more appropriate Forum section SpamCop Blocklist Help with this post.


canonical name dial049030.pool.invitel.hu.

aliases

addresses 213.163.49.30

It looks like you are using a dynamic IP. Many mail servers will not accept mail from a dynamic IP. Although there are signs of spam on many other blocklists from this IP and others in that /24.


Hi.

Thank You for moving my post onto the right place, so where it belongs.

What I have done after the confusion - I have read all what You so nicely wrote to me, thanks a lot for it.

1. Unfortunately, to the people who wrote that I should read the FAQs and so on - do you think I would have questions if I understood them all? I'm not the lazy one who only asks and asks and never googles. Anyway, I would mostly prefer Debian. Cheers! But anyway, thanks.

2. For maybe a lucky day one good point was that somebody mentioned "I haven't written anything about ISA Firewall"! ---> I simply created a rule before Outbound access:

Access: DENY

Protocol: SMTP

From: Internal

To: External

Applies to: All Users and everybody

Because I've already created a rule: SMTP allow from Local Host To External...BUT NO DENY RULE FOR ANYBODY ELSE!

Probably those modifications will first of all stop spamming through my server and so I'll have more time to check the client machines.

I've tried to telnet from a client machine, because I couldn't do it, only from the server - it should work smoothly. At least, today no CBLs, hope for same in the following days...

One other thing is that our khm ISP is giving out fixed IPs from a pool which is dynamic...such a cool solution...

I will check the DNS records too I think. Hopefully, my nights will be okay.

I'll send HijackThis to everyone, asking them to send me the logs or a PrtScr screenshot as an attachment. Hopefully they won't send me "pagefile.sys" by mistake :-)))))

Cheers :-)))


Things don't look good. Again, you are focusing on the SMTP e-mail server, but .. that may not be where the traffic is actually coming from ...

http://www.senderbase.org/search?searchBy=...g=213.163.49.30

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
  Last day          4.2         6778%
  Last 30 days      3.0          305%
  Average           2.4


Uhh.....

Where should I look then? We have a second SBS server in another town; they are both connected with static routing so that they can communicate.

I've stopped already the Default Virtual SMTP Server on the second one.

On the router which communicates to the internet, smtp pop and other ports are OPENED and NOT FORWARDED. Could this be a problem?

Or should I communicate with the ISP? CBL even does not allow me now to delist!!! The only good thing is that it is weekend so not so many people have mailing problems!

Scary... :o NOW WHAT?!


Uhh.....

Where should I look then? We have a second SBS server in another town; they are both connected with static routing so that they can communicate.

I've stopped already the Default Virtual SMTP Server on the second one.

On the router which communicates to the internet, smtp pop and other ports are OPENED and NOT FORWARDED. Could this be a problem?

Or should I communicate with the ISP? CBL even does not allow me now to delist!!! The only good thing is that it is weekend so not so many people have mailing problems!

Scary... :o NOW WHAT?!

1. Do you have firewall logs to check? If so, it should not be too hard to see the amount of traffic being reported from that IP address.

2. I think you stated you already did this, but make sure no clients can send port 25 traffic to the internet except your mail server. We used to (previous job) allow ONLY HTTP and HTTPS (SSL) ports out from the client community. We also had them all share an IP that was different from our mail server IP for this very reason.

All of this traffic will be SMTP traffic FROM that IP address.
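The two suggestions above (check the firewall logs for the volume of port-25 traffic, and make sure no client except the mail server can reach the Internet on port 25) can be turned into a small detection script. The following is an added example, not code from any forum participant; it reads a constructed, space-separated log (not ISA 2004's real W3C log layout) with one line per connection and reports every internal host other than the assumed mail server that reached an external address on TCP/25. Rename the sample lines, the LAN prefix and the mail-server address to match your own environment.

```python
"""Find internal hosts sending SMTP directly to the Internet (added example)."""
import ipaddress
from collections import Counter

# Assumptions: the LAN prefix and the internal address of the Exchange/ISA host.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MAIL_SERVER = "192.168.1.10"

# Constructed sample log; external addresses use documentation ranges.
# Format: <time> <src_ip> <dst_ip> <proto> <dst_port> <action>
SAMPLE_LOG = """\
# mail server delivering mail (expected)
2007-03-10T09:00:01 192.168.1.10 203.0.113.25 TCP 25 allow
2007-03-10T09:00:03 192.168.1.10 198.51.100.7 TCP 25 allow
2007-03-10T09:00:04 192.168.1.23 203.0.113.80 TCP 80 allow
# a workstation talking SMTP straight to the outside: the zombie pattern
2007-03-10T09:00:05 192.168.1.57 203.0.113.25 TCP 25 allow
2007-03-10T09:00:05 192.168.1.57 203.0.113.26 TCP 25 allow
2007-03-10T09:00:06 192.168.1.57 198.51.100.7 TCP 25 allow
2007-03-10T09:00:06 192.168.1.57 198.51.100.8 TCP 25 allow
2007-03-10T09:00:07 192.168.1.57 203.0.113.5 TCP 80 allow
2007-03-10T09:00:08 192.168.1.23 198.51.100.9 TCP 443 allow
2007-03-10T09:00:09 192.168.1.10 192.168.1.23 TCP 135 allow
# after a deny rule for Internal -> External SMTP is in place
2007-03-10T09:01:00 192.168.1.57 203.0.113.27 TCP 25 deny
2007-03-10T09:01:01 192.168.1.57 203.0.113.28 TCP 25 deny
"""


def is_internal(ip_text):
    """True if the address falls inside one of the assumed LAN prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "action": action.lower()}


def analyse(log_text, mail_server=MAIL_SERVER):
    """Count outbound (internal -> external) connections per source.

    Returns the hosts other than the mail server that were allowed out on
    TCP/25, the hosts whose TCP/25 attempts were denied (still infected, but
    now contained), and the busiest outbound talkers on any port, because
    zombies do not only use port 25.
    """
    smtp_allowed = Counter()
    smtp_denied = Counter()
    outbound_total = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal -> external traffic is of interest
        outbound_total[rec["src"]] += 1
        if rec["proto"] == "TCP" and rec["dport"] == 25:
            if rec["action"] == "allow":
                smtp_allowed[rec["src"]] += 1
            else:
                smtp_denied[rec["src"]] += 1
    rogue = {ip: n for ip, n in smtp_allowed.items() if ip != mail_server}
    return {"rogue_smtp": rogue,
            "denied_smtp": dict(smtp_denied),
            "top_talkers": outbound_total.most_common(3)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, n in report["rogue_smtp"].items():
        print(f"INVESTIGATE {ip}: {n} direct outbound SMTP connections allowed")
    for ip, n in report["denied_smtp"].items():
        print(f"CONTAINED   {ip}: {n} outbound SMTP attempts blocked")
    print("top outbound talkers:", report["top_talkers"])
```

Running it on the sample flags 192.168.1.57 as the host that should be cleaned; the two "deny" lines show what the same host looks like once the Internal-to-External SMTP deny rule is in place, which is also the evidence you would hand to a blocklist operator.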


Where should I look then? We have a second SBS server in another town; they are both connected with static routing so that they can communicate.

I've stopped already the Default Virtual SMTP Server on the second one.

I'm a little confused at the moment.

Currently I am working for a company with about 90-100 users, they ONLY WANT TO HAVE a Windows 2003 SBS R1 server with the current ISA 2004 and Exchange 2003 w. sp2 (IMF updated) working.

<snip>

- Tested open relay: from a computer outside the company I telnetted to our IP on port 25, said "EHLO", then mail from: asdf[at]qwer (answer: sender OK), rcpt to: konczf[at]yahoo.com ---> Relay not allowed! So I think I'm relay secure. However, if I write rcpt to: user[at]mcr.hu (which is our domain, and the user exists) ---> mail is sent. Okay.

The above doesn't seem to really match my quick look .....

C:\>telnet 213.163.49.30 25

220 AVG ESMTP Proxy Server 7.5.442/7.5.446 [268.18.8/716]

helo

250 localhost Hello

help

250 RTFM :)

quit

221 Asta la vista

You've never mentioned anything about any kind of a proxy being in the mix .... and I don't read the initial response as an Exchange server .... but I claim no expertise on an Exchange server ....
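The relay test the original poster did by hand, and the banner check above that revealed an AVG proxy answering on port 25 instead of Exchange, can be scripted so they are repeatable after every configuration change. This is an added example (not code from any participant here): check_relay() speaks SMTP with the standard library and records the greeting banner, whether MAIL FROM is accepted, and whether RCPT TO an outside address is refused while RCPT TO a local address is accepted. So that it runs offline, a constructed stand-in SMTP server that refuses relaying is embedded and bound to 127.0.0.1; the local domain, the probe addresses and the server's greeting are assumptions. Point check_relay() at your own MX host and port 25 to test the real thing.

```python
"""Banner and open-relay check for your own mail server (added example)."""
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "mcr.hu"                    # domain the MX should accept mail for
EXTERNAL_RCPT = "someone@example.com"      # constructed outside recipient
PROBE_SENDER = "probe@example.org"         # constructed envelope sender


def check_relay(host, port, local_rcpt, external_rcpt, timeout=10):
    """Return banner plus relay verdict for one server.

    open_relay is True only if the server accepts a recipient outside its own
    domain; accepts_local confirms the server still takes its own mail.
    """
    client = smtplib.SMTP(timeout=timeout)
    code, banner = client.connect(host, port)
    result = {"banner_code": code, "banner": banner.decode(errors="replace")}
    try:
        client.ehlo_or_helo_if_needed()
        code, _ = client.mail(PROBE_SENDER)
        result["mail_from_accepted"] = code == 250
        code, _ = client.rcpt(external_rcpt)
        result["external_rcpt_code"] = code
        result["open_relay"] = code in (250, 251)
        code, _ = client.rcpt(local_rcpt)
        result["local_rcpt_code"] = code
        result["accepts_local"] = code in (250, 251)
        client.rset()                      # never actually send a message
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass
    return result


class _FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a correctly configured Exchange: no relaying."""

    def handle(self):
        self.wfile.write(b"220 mail2.example.test ESMTP (constructed test server)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode(errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mail2.example.test Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if domain == LOCAL_DOMAIN:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    self.wfile.write(b"550 5.7.1 Unable to relay\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Reset\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def run_selfcheck():
    """Start the constructed server on a random loopback port and test it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return check_relay(host, port, "user@" + LOCAL_DOMAIN, EXTERNAL_RCPT)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_selfcheck().items():
        print(f"{key:22} {value}")
```

Two things to read in the output: the banner line should name the software you believe is answering (a proxy greeting where you expected "Microsoft ESMTP MAIL Service" means something else sits in front of Exchange), and external_rcpt_code must be a 5xx refusal. A 250 there is an open relay regardless of what the Exchange relay settings say.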


I have now the problem I think:

A colleague of mine, I think, has seen that I'm taking the whole system seriously. He changed something on the DNS server and TOLD THE BOSS THAT THE PROBLEM IS AT CONNECTION FILTERING!!!!!

Now the Boss said this should be the problem, this didn't happen before...they deleted relays.ordb.org and sbl.spamhaus.org and xbl.spamhaus.org from the Connection Filtering section AND CHANGED BACK PROBABLY THE DNS ON THE PLACE I CANNOT!

Why the ... are people so cool only because they are not fanatic ones?!

How could I prove that? I don't want to lose my job only because of a colleague who says Microsoft and everybody is stupid and only he knows....THIS IS FALSE, PLEASE PROVE!


Now I know.

The DNS is not even registered. So now I know the problem lay in that I assumed - as I was told - that everything was working.

I assumed that and told the server to look connections after the blacklists.

The problem lay in that anybody can just install a server and say "I'm mcr.hu". I have to contact the DNS admin, as we do not seem to have the record to be an MX.

It's a Linux server which I like very-very much so it won't be taking long to set it up. The good thing that the boss believed me that I'm right.

"The clever one is not the one who talks much, but the one who is understandable".

I'll set up the domain with a strong debian server and tell MX record as mail2.mcr.hu. The correct thing that our Company is not a false Company (from which I was a little bit afraid of).

Hopefully, the cruelty will end now after clearing up the fully misconfigured open proxy and so on...DNS.

SpamCop, be patient and please delist us for the following three days, I'm working on the thing!

Frank Koncz

Systems Admin


At the time of your Linear Post #10, http://www.senderbase.org/search?searchBy=...g=213.163.49.30 showed something over 2300% for the last 24 hours. At the time of your Linear Post #11, it is now showing 1602% .. and noting that it is dropping .. it was 1607% a few minutes ago ...

Good work .. and good luck on the new server, DNS set-up

no one here can 'adjust' the SpamCopDNSBL listing .. as it's pretty much run on autopilot, based on the math formula involved ... setting another data point ...

http://spamcop.net/w3m?action=checkblock&a...p=213.163.49.30

213.163.49.30 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 9 hours.

The catch is that this IP address has also made it into other BLs ...

http://moensted.dk/spam/?addr=213.163.49.3...p;Submit=Submit

.... dang ... while typing all this up, the SenderBase data took an upturn .. now reading 1604% ..

http://www.mxtoolbox.com/index.aspx

ns.i-trade.hu reports the following MX records:

  Preference   Host Name       IP Address       TTL
  20           mail2.mcr.hu    213.163.49.30    604800

SMTP Diagnostics

RESULT: mail2.mcr.hu

Banner: mcr.hu Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Sun, 11 Mar 2007 18:06:19 +0100 [437 ms]

Connect Time: 0.172 seconds - Good

Transaction Time: 11.140 seconds - Not good!

Relay Check: OK - This server is not an open relay. (Note: this is a very simple test)

Rev DNS Check: OK - 213.163.49.30 resolves to dial049030.pool.invitel.hu

GeoCode Info: Geocoding server is unavailable

Session Transcript: TIMEOUT after HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx -- 10.530 seconds

http://www.mxtoolbox.com/blacklists.aspx?IP=213.163.49.30 - some additional BL listings


We both got an ultimate thing:

until Wednesday, we HAVE to get off the lists or we'll get fired.

So, please help me: I send every needed thing:

ATRT has Bind with a used linux server with following config:

; mcr.hu
;
$TTL 604800
@       IN SOA  ns.atrtnet.hu. postmaster.mcr.hu. (
                2006112101 ; Serial
                86400      ; Refresh
                7200       ; Retry
                3600000    ; Expire
                3600 )     ; Negative Cache TTL
;
@       IN NS   ns.i-trade.hu.
@       IN NS   ns2.i-trade.hu.
@       IN A    212.92.1.62
www     IN A    212.92.1.62
mail    IN A    85.90.176.138
@       IN MX   20 mail2
mail2   IN A    213.163.49.30

I'm confused I can send ISA config pictures, but I'm trying to do my best as I will be fired.

The router has NAT for port forwarding to port 25 to server and open port too for port 25.

ISA has a DENY rule for port 25 as told before. Problem is we cannot send mail because of listings.

I don't really find where I should look, please tell me a phone number I can find every needed thing.

:excl::excl::excl:
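The zone above, together with the earlier lookups (the MX points at 213.163.49.30, whose reverse DNS is dial049030.pool.invitel.hu), is enough to check the DNS side of a mail server's reputation mechanically. The following is an added example, not code from any participant: it parses the zone records as posted (with @ restored), finds the MX target and its A record, asks for the PTR of that address and checks forward-confirmed reverse DNS (PTR name equal to the MX host name), and applies a labelled heuristic for "dynamic-looking" reverse names. The PTR table is constructed from the value quoted in this thread so the script runs offline; pass a real resolver such as socket.gethostbyaddr for live checks.

```python
"""MX / A / PTR consistency check for a mail domain (added example)."""
import socket

ORIGIN = "mcr.hu"

# The zone as posted in the thread, with @ restored.
ZONE_TEXT = """\
; mcr.hu
$TTL 604800
@       IN SOA  ns.atrtnet.hu. postmaster.mcr.hu. (
                2006112101 ; Serial
                86400      ; Refresh
                7200       ; Retry
                3600000    ; Expire
                3600 )     ; Negative Cache TTL
@       IN NS   ns.i-trade.hu.
@       IN NS   ns2.i-trade.hu.
@       IN A    212.92.1.62
www     IN A    212.92.1.62
mail    IN A    85.90.176.138
@       IN MX   20 mail2
mail2   IN A    213.163.49.30
"""

# Constructed PTR answers: the first is the reverse name quoted in the thread.
PTR_TABLE = {"213.163.49.30": "dial049030.pool.invitel.hu"}

# Heuristic only: substrings commonly found in ISP-generated reverse names.
DYNAMIC_HINTS = ("dial", "pool", "dyn", "ppp", "dhcp", "dsl", "cable")


def qualify(name, origin):
    """Turn a zone-file owner/target into a fully qualified name (no trailing dot)."""
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Collect (owner, type, rdata) for A, MX and NS records; skip SOA and comments."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue                       # SOA continuation lines land here
        rtype = parts[2].upper()
        if rtype in ("A", "MX", "NS"):
            records.append((qualify(parts[0], origin), rtype, parts[3:]))
    return records


def looks_dynamic(ptr_name, ip):
    """Heuristic: ISP hint words, or the last two octets zero-padded into the name."""
    name = ptr_name.lower()
    o3, o4 = (int(x) for x in ip.split(".")[2:])
    return any(h in name for h in DYNAMIC_HINTS) or f"{o3:03d}{o4:03d}" in name


def live_ptr(ip):
    """Resolver for real checks; returns None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_mail_dns(zone_text, origin, ptr_lookup):
    """For every MX of the origin, report A records, FCrDNS and the dynamic heuristic."""
    records = parse_zone(zone_text, origin)
    mxs = sorted((int(rd[0]), qualify(rd[1], origin))
                 for owner, t, rd in records if owner == origin and t == "MX")
    report = []
    for pref, host in mxs:
        addresses = [rd[0] for owner, t, rd in records if owner == host and t == "A"]
        for ip in addresses:
            ptr = ptr_lookup(ip)
            report.append({
                "preference": pref, "mx_host": host, "address": ip, "ptr": ptr,
                "fcrdns_ok": ptr is not None and ptr.rstrip(".").lower() == host.lower(),
                "dynamic_looking": ptr is not None and looks_dynamic(ptr, ip),
            })
        if not addresses:
            report.append({"preference": pref, "mx_host": host, "address": None,
                           "ptr": None, "fcrdns_ok": False, "dynamic_looking": False})
    return report


if __name__ == "__main__":
    for row in check_mail_dns(ZONE_TEXT, ORIGIN, PTR_TABLE.get):
        print(row)
```

With the posted zone and the quoted reverse name, the result is an MX of mail2.mcr.hu at 213.163.49.30 whose PTR neither matches the host name nor looks like a server: exactly the combination that dynamic-range blocklists and strict receivers reject. The fix is on the ISP's side (a PTR of mail2.mcr.hu for that address), not in Exchange.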


You are currently not on the Spamcop blocklist but you are now on many other blocklists.

Resolved 213.163.49.30 to mail2.mcr.hu.

mail2.mcr.hu. has no MX records -> [mcr.hu has 1 MX record mail2.mcr.hu.(20)]

--------------------------------------------------------------------------------

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=213.163.49.30

--------------------------------------------------------------------------------

PBL The Policy Block List: pbl.spamhaus.org -> 127.0.0.11

--------------------------------------------------------------------------------

ZEN Spamhaus combined SBL, XBL and PBL - replaces SBLXBL: zen.spamhaus.org -> 127.0.0.4 -> 127.0.0.11

http://www.spamhaus.org/query/bl?ip=213.163.49.30

--------------------------------------------------------------------------------

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=213.163.49.30

--------------------------------------------------------------------------------

NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3

Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html

--------------------------------------------------------------------------------

NJABLCOMBINED NJABL & NJABLDYNA combined: combined.njabl.org -> 127.0.0.3

Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html

--------------------------------------------------------------------------------

SPAMCANNIBAL the SpamCannibal project: bl.spamcannibal.org -> 127.0.0.2

blocked, See: http://www.spamcannibal.org/cannibal.cgi?p...p;lookup=$

--------------------------------------------------------------------------------

SWINOG Swinog DNSRBL: dnsrbl.swinog.ch -> 127.0.0.3

IP Blacklisted. See http://antispam.imp.ch/spamikaze/spamlisti...t=213.163.49.30

--------------------------------------------------------------------------------

UCEPROTECTL1 UCEPROTECT®-Network Project - Level 1: dnsbl-1.uceprotect.net -> 127.0.0.2

Sorry 213.163.49.30 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=213.163.49.30

--------------------------------------------------------------------------------

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=213.163.49.30

--------------------------------------------------------------------------------

DNSBLUCEPN External Block List - UCEPROTECT®-Network Project: ucepn.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://www.uceprotect.net/
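The listing report above is what a DNSBL lookup returns when you do it yourself: the address's octets reversed and prefixed to the zone name, and an A answer in 127.0.0.0/8 whose last octet says why it is listed (127.0.0.4 on xbl/zen.spamhaus.org is XBL/CBL data, 127.0.0.11 on zen is the PBL, 127.0.0.2 on bl.spamcop.net is the SpamCop list). The following is an added example, not code from any participant here: it builds the query name, decodes the answer codes for the zones that appear in this thread, treats NXDOMAIN as "not listed", and runs offline against a constructed resolver seeded with the answers quoted above. Pass live_resolver instead to check your own address for real; the code tables are the published Spamhaus and SpamCop return values, the resolver and sample answers are assumptions.

```python
"""DNSBL query construction and return-code decoding (added example)."""
import ipaddress
import socket

# Published return codes for the zones used in this thread.
CODE_MEANINGS = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
        "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    },
    "xbl.spamhaus.org": {"127.0.0.4": "XBL", "127.0.0.5": "XBL",
                         "127.0.0.6": "XBL", "127.0.0.7": "XBL"},
    "pbl.spamhaus.org": {"127.0.0.10": "PBL", "127.0.0.11": "PBL"},
    "bl.spamcop.net": {"127.0.0.2": "listed"},
}

# Constructed resolver answers, seeded from the results quoted in this thread.
FAKE_ANSWERS = {
    "30.49.163.213.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "30.49.163.213.xbl.spamhaus.org": ["127.0.0.4"],
    "30.49.163.213.pbl.spamhaus.org": ["127.0.0.11"],
    "30.49.163.213.bl.spamcop.net": ["127.0.0.2"],
}


def fake_resolver(name):
    """Offline stand-in: raise LookupError for NXDOMAIN like the live one."""
    if name not in FAKE_ANSWERS:
        raise LookupError(name)
    return FAKE_ANSWERS[name]


def live_resolver(name):
    """Real lookup via the system resolver; NXDOMAIN becomes LookupError."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        raise LookupError(name) from exc


def dnsbl_query_name(ip_text, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    ip = ipaddress.IPv4Address(ip_text)          # rejects anything but IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode(zone, answers):
    """Map answer addresses to list names; flag anything outside 127.0.0.0/8."""
    meanings = []
    for addr in answers:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network("127.0.0.0/8"):
            meanings.append(f"bogus answer {addr} (wildcard or hijacked zone?)")
        else:
            meanings.append(CODE_MEANINGS.get(zone, {}).get(addr, f"unknown code {addr}"))
    return meanings


def check_ip(ip_text, zones, resolver=fake_resolver):
    """Query each zone; return {zone: [meanings]} with [] meaning not listed."""
    result = {}
    for zone in zones:
        try:
            answers = resolver(dnsbl_query_name(ip_text, zone))
        except LookupError:
            answers = []
        result[zone] = decode(zone, answers)
    return result


if __name__ == "__main__":
    for zone, listed in check_ip("213.163.49.30", list(CODE_MEANINGS)).items():
        print(f"{zone:20} {'NOT LISTED' if not listed else ', '.join(listed)}")
```

Decoding matters because the remedies differ: an XBL/CBL hit means a machine behind the address is emitting spam or proxy traffic and must be found and cleaned, whereas a PBL hit means the ISP has declared the range not for direct mail and only the ISP can change that (or you move the MX to a static, properly reverse-mapped address).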


Dear SpamCop,

I now am finished and the problem is resolved. Boss believed me and this was even proved by our ISP. I did know that the good will win!

For those who have problems with spams I've learned a lot as for I can help others too now:

Possible causes:

- Allowing automated NDR (if we receive 10 000 spams - non-delivery reports automated bounce back)

- making a deny rule for everybody - except the server - for using port 25 (depends on the network environment too!)

- The need of a reverse DNS

- Closing relay

- Active and good working virus- and spyware cleaners (Nod32+Ad-Aware+SpyBot SD is enough). If possible, scan it through with a Netsky Cleaner and seek after the log of HijackThis.

Now I just set up "Connection Filtering" again, but not using relays.ordb.org anymore, but using "sbl.spamhaus.org" and "xbl.spamhaus.org" too.

An interesting thing was that my colleague didn't really want to allow me to scan his machine. After 3 hours of asking, he did some Netsky cleaning and we installed Nod32. Now we're not on the lists.

Thank You all people! If possible and needed, I'll look how I could help your work too! On the need I'll love to help other people in Debian...


I am a Debian user and like it very much. But I fail to see what connection it has with this particular issue. The issue seems to be M$ related.

You are correct Raju, it goes back to the opening statement of Ferenc's first post:

...I am a fanatic of computers since I'm 8-9 years old. Debian Linux is my favourite.

- he just wants to repay the SC community whatever way he can. Nice gesture, thanks Frank!
