blocked work email


slarson

Our work email server is on the blocked list. The IP is 12.116.158.182. I've read all of the articles on this website, but I would like to know how to track down why our server has been compromised. We are not set up for open relay.

Thank you,

Sandi


I'm sure a paying reporter will be along shortly to give us a report history for that IP; however, in the meantime, there are a few things that would be helpful for us to know, and a few things you might want to check.

First, a quick check of that IP shows:

12.116.158.182 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

That tells us that there are recent user reports, so it is not just a spamtrap issue.

Is this IP address (12.116.158.182) dedicated ONLY to your mail server, or is it shared through some type of NAT appliance with other machines on your networks?

If this is a shared IP address, then it is very likely that one of the other machines on your network could be compromised rather than your server.

You should also verify that you are not generating bounce emails to the From or Reply-To address of incoming messages. Mail should always be rejected during SMTP with a 500-series error, as that is the only way you can be sure the rejection goes back to the original sender.

Senderbase is showing a HUGE recent increase in emails, which would be consistent with a computer infected with a spam sending trojan somewhere on your network:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        4.2         9193%
Last 30 days    2.6         142%
Average         2.2

If you have a firewall in place on your network, you may want to do some traffic monitoring for anything heading out on port 25 from anywhere other than your mail server; this will help you narrow down where the traffic is originating.

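The outbound port-25 check suggested above, as an added example that is not part of the original thread: it scans netfilter/iptables-style firewall log lines for new SMTP connections and reports every internal host other than the mail server that opens them. The internal mail server address and the sample log lines are constructed for the example.

```python
"""Flag hosts other than the mail server that open outbound SMTP connections.

Added example, not from the original thread. Assumes a firewall that logs new
outbound connections in netfilter/iptables style ("SRC=... DST=... DPT=...");
the mail server address and the log lines below are constructed.
"""
import re
from collections import Counter

# Assumed: the only internal host that should talk SMTP to the outside world.
MAIL_SERVER = "192.168.1.10"

# Pulls the source, destination and destination port out of a netfilter log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: the mail server plus one workstation spraying SMTP.
SAMPLE_LOG = """\
Apr  5 13:40:01 fw kernel: OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=42311 DPT=25 SYN
Apr  5 13:40:02 fw kernel: OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=1034 DPT=25 SYN
Apr  5 13:40:02 fw kernel: OUT=eth0 SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=1035 DPT=25 SYN
Apr  5 13:40:03 fw kernel: OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=1036 DPT=25 SYN
Apr  5 13:40:03 fw kernel: OUT=eth0 SRC=192.168.1.22 DST=203.0.113.80 PROTO=TCP SPT=5010 DPT=80 SYN
Apr  5 13:40:04 fw kernel: OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 PROTO=TCP SPT=42312 DPT=25 SYN
"""


def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER):
    """Return {source_ip: number of outbound port-25 connections} for every
    host except the mail server. A non-empty result names the machine(s)
    to inspect for a spam-sending infection."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue  # not an SMTP connection, or not a connection line at all
        if m.group("src") != mail_server:
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = rogue_smtp_senders(SAMPLE_LOG)
    for host, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} outbound SMTP connection(s); not the mail server, inspect it")
```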

Thank you for your response. We have been checking computers and found one that was indeed infected with numerous viruses. We have cleaned it and are now playing a waiting game to see if the problem will be resolved. I will reply tomorrow after monitoring the system.

Sandi


There is some history of spam reports as already pointed out:

Submitted: Thursday, April 05, 2007 4:37:32 PM -0300:

***spam***For Ctbico

2231737878 ( 12.116.158.182 ) To: abuse[at]att.net

--------------------------------------------------------------------------------

Submitted: Thursday, April 05, 2007 2:08:20 PM -0300:

For Cunningham

2231552510 ( 12.116.158.182 ) To: abuse[at]att.net

--------------------------------------------------------------------------------

Submitted: Thursday, April 05, 2007 1:40:54 PM -0300:

***spam***For Ctbico

2231700680 ( 12.116.158.182 ) To: abuse[at]att.net

--------------------------------------------------------------------------------

Submitted: Tuesday, April 03, 2007 2:31:47 PM -0300:

Cool Community Projects

2230701709 ( http://img444.imageshack.us/img444/8848/5u4yl1.png ) To: abuse[at]cogentco.com

2230701702 ( 12.116.158.182 ) To: abuse[at]att.net

--------------------------------------------------------------------------------

Submitted: Tuesday, April 03, 2007 1:58:46 PM -0300:

For Hbutz

2228738763 ( http://sweetlove.hk/ ) To: cnc-abuse[at]abuse.sprint.net

2228738746 ( http://sweetlove.hk/ ) To: abuse[at]cnc-noc.net

2228738734 ( http://sweetlove.hk/ ) To: postmaster[at]china-netcom.com

2228738711 ( http://sweetlove.hk/ ) To: abuse-gd[at]china-netcom.com

2228738700 ( Forwarded spam ) To: [concealed user-defined recipient]

2228738695 ( 12.116.158.182 ) To: abuse[at]att.net
