slarson, posted April 5, 2007:

Our work email server is on the blocked list. The IP is 12.116.158.182. I've read all of the articles on this website, but I would like to know how to track down why our server has been compromised. We are not set up for open relay.

Thank you,
Sandi
Telarin, posted April 5, 2007:

I'm sure a paying reporter will be along shortly to give us a report history for that IP; however, in the meantime, there are a few things that would be helpful for us to know, and a few things you might want to check.

First, a quick check of that IP shows:

12.116.158.182 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.
Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

That tells us that there are recent user reports, so it is not just a spamtrap issue.

Is this IP address (12.116.158.182) dedicated ONLY to your mail server, or is it shared through some type of NAT appliance with other machines on your network? If this is a shared IP address, then it is very likely that one of the other machines on your network could be compromised rather than your server.

You should also verify that you are not generating bounce emails to the From or Reply-To address of incoming messages. Mail should always be rejected during SMTP with a 500-series error, as that is the only way you can be sure the rejection goes back to the original sender.

Senderbase is showing a HUGE recent increase in emails, which would be consistent with a computer infected with a spam-sending trojan somewhere on your network:

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.2         9193%
Last 30 days    2.6         142%
Average         2.2

If you have a firewall in place on your network, you may want to do some traffic monitoring for anything heading out on port 25 from anyplace other than your mail server. This will help you narrow down where the traffic is originating.
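Telarin's suggestion to watch the firewall for outbound port-25 traffic from anything other than the mail server, as an added example that is not from this thread: a small Python script that parses iptables-style LOG lines and counts outbound TCP/25 connection attempts per internal host. The sample log lines are constructed, and the mail server address 192.0.2.10 is an assumption.

```python
import re
from collections import Counter

# Added example, not from the thread. Assumes iptables-style LOG lines carrying
# SRC=/DST=/PROTO=/DPT= fields and that the real mail server's address is known.
MAIL_SERVER = "192.0.2.10"   # assumed internal address of the legitimate mail server

LOG_FIELDS = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one host (192.0.2.57) fanning out SMTP connections to many
# destinations, which is the pattern a spam-sending trojan produces.
SAMPLE_LOG = """\
Apr  5 14:01:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=25 SYN
Apr  5 14:01:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.22 PROTO=TCP SPT=1034 DPT=25 SYN
Apr  5 14:01:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.23 PROTO=TCP SPT=1035 DPT=25 SYN
Apr  5 14:01:04 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.24 PROTO=TCP SPT=1036 DPT=25 SYN
Apr  5 14:01:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.80 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=443 SYN
Apr  5 14:01:06 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.0.2.81 DST=198.51.100.30 PROTO=TCP SPT=2200 DPT=25 SYN
"""

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None if any is missing."""
    fields = dict(LOG_FIELDS.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields

def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER, threshold=1):
    """Count outbound TCP/25 connection attempts per internal source address,
    ignoring the mail server, and return {src: count} for counts >= threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PROTO"] != "TCP" or f["DPT"] != "25":
            continue
        if f["SRC"] == mail_server:
            continue   # the mail server is supposed to talk to port 25
        counts[f["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in sorted(rogue_smtp_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} outbound SMTP connection attempt(s)")
```

Feed it the real firewall log instead of SAMPLE_LOG and raise the threshold to suppress the occasional legitimate connection; a workstation that appears with dozens of attempts is the machine to pull off the network first.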
slarson (author), posted April 5, 2007:

Thank you for your response. We have been checking computers and found one that was indeed infected with numerous viruses. We have cleaned it and are now playing a waiting game to see if the problem will be resolved. I will reply tomorrow after monitoring the system.

Sandi
dra007, posted April 5, 2007:

There is some history of spam reports, as already pointed out:

Submitted: Thursday, April 05, 2007 4:37:32 PM -0300: ***spam***For Ctbico
2231737878 ( 12.116.158.182 ) To: abuse[at]att.net
--------------------------------------------------------------------------------
Submitted: Thursday, April 05, 2007 2:08:20 PM -0300: For Cunningham
2231552510 ( 12.116.158.182 ) To: abuse[at]att.net
--------------------------------------------------------------------------------
Submitted: Thursday, April 05, 2007 1:40:54 PM -0300: ***spam***For Ctbico
2231700680 ( 12.116.158.182 ) To: abuse[at]att.net
--------------------------------------------------------------------------------
Submitted: Tuesday, April 03, 2007 2:31:47 PM -0300: Cool Community Projects
2230701709 ( http://img444.imageshack.us/img444/8848/5u4yl1.png ) To: abuse[at]cogentco.com
2230701702 ( 12.116.158.182 ) To: abuse[at]att.net
--------------------------------------------------------------------------------
Submitted: Tuesday, April 03, 2007 1:58:46 PM -0300: For Hbutz
2228738763 ( http://sweetlove.hk/ ) To: cnc-abuse[at]abuse.sprint.net
2228738746 ( http://sweetlove.hk/ ) To: abuse[at]cnc-noc.net
2228738734 ( http://sweetlove.hk/ ) To: postmaster[at]china-netcom.com
2228738711 ( http://sweetlove.hk/ ) To: abuse-gd[at]china-netcom.com
2228738700 ( Forwarded spam ) To: [concealed user-defined recipient]
2228738695 ( 12.116.158.182 ) To: abuse[at]att.net