
71.6.48.162 listed


Tanquen


Spamcop info:

71.6.48.162 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Here is an email:

-----Original Message-----

From: CMCAdmin

Sent: Tuesday, April 10, 2007 8:11 AM

To: Jeihri

Subject: Mail could not be delivered

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 service unavailable; client host [71.6.48.162] blocked using bl.spamcop.net; blocked - see http://www.spamcop.net/bl.shtml?71.6.48.162

Unable to deliver message to <badams[at]reverecontrol.com>.

************************ End of message **********************

We have been trying to get this fixed for a few days now. We have been listed two other times that I know of and that was because relaying was on in the Exchange server. After we turned relaying off we were all good. This time we are having a real hard time finding the issue. We are getting spam traps and reports.

I've tried looking through the mail server logs and I set up the Syslog on our Kentrox firewall to log everything. Looking through it in Excel I'm not seeing the culprit. I'm not sure what to look for. I see lots of lines like this that look like the firewall is doing what it should be:

Apr 10 14:21:26 NAPA: firewall | inform | Terminate session - normal: TCP, SRC=209.219.62.3:1372, DST=172.16.0.10:443, NAT=71.6.48.162:443 <ipwan>

And ones like this that look to be legitimate:

Apr 10 14:21:28 NAPA: firewall | inform | Start session: TCP, SRC=208.69.113.119:55242, DST=172.16.0.20:25, NAT=71.6.48.162:25 <ipwan>

And some like this that I don't know what it is:

Apr 10 14:21:26 NAPA: firewall | inform | Start session: TCP, SRC=172.16.0.20:3993, DST=207.44.141.137:25, NAT=71.6.48.162:3993 <ipwan>

Thanks for any help.

-Richard


And ones like this that look to be legitimate:

Apr 10 14:21:28 NAPA: firewall | inform | Start session: TCP, SRC=208.69.113.119:55242, DST=172.16.0.20:25, NAT=71.6.48.162:25 <ipwan>

And some like this that I don't know what it is:

Apr 10 14:21:26 NAPA: firewall | inform | Start session: TCP, SRC=172.16.0.20:3993, DST=207.44.141.137:25, NAT=71.6.48.162:3993 <ipwan>

These are both mail sessions, you can tell by the destination port 25. If I were going to guess, I would say that you have a mail server at 172.16.0.20.

The first one is an incoming mail session (your mailserver is the destination).

The second appears to be an outgoing session (your mailserver is the source).

What I would look for is any OUTGOING traffic with a destination port of 25, i.e. DST=x.x.x.x:25, that is NOT from 172.16.0.20, that should help you narrow down which computer on your network is sending spam. If you do not find any such sessions, then it would indicate that the spam is originating from the server itself.

If you do find any SMTP traffic from computers other than your mail server, I would check them for any viruses or trojans, as that is the most likely problem. To prevent this problem in the future, you might consider setting your firewall to only allow outbound traffic to port 25 from the mail server, and block it from all other internal computers. That is, of course, unless there is a legitimate need for other computers on your network to send mail directly (or through an external mail server).

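The log triage described in the reply above (outbound TCP sessions to destination port 25 whose source is any internal host other than the mail server) can be scripted rather than eyeballed in Excel. The following is an added example, not code from the thread or from Kentrox: it parses the session-line format quoted earlier in the thread, treats 172.16.0.20 as the mail server because that is the address named in the reply, uses the RFC 1918 ranges as its definition of "internal" (an assumption), and tallies hits per source host so the highest-volume sender surfaces first. The sample log lines are constructed for the example.

```python
"""Flag outbound SMTP sessions from internal hosts other than the mail server.

Added example, not from the forum thread. Parses Kentrox-style session log
lines (both the full "Start session: TCP, SRC=..., DST=..., NAT=..." form and
the bare "SRC=... DST=... NAT=..." form pasted later in the thread) and
reports every outbound port-25 session whose source is not the mail server.
"""
import ipaddress
import re
from collections import Counter

# Mail server address named in the thread; anything else sending on port 25 is suspect.
MAIL_SERVER = ipaddress.ip_address("172.16.0.20")

# Protocol field is optional so the bare SRC=/DST= lines from the thread also parse;
# separators between fields may be ", " or a plain space.
SESSION_RE = re.compile(
    r"(?:(?P<proto>TCP|UDP),\s*)?"
    r"SRC=(?P<src>[\d.]+):(?P<sport>\d+),?\s+"
    r"DST=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_session(line):
    """Return a dict for a session-start line, or None for lines that are not one.

    "Terminate session" lines repeat the same SRC/DST pair, so they are skipped
    to avoid counting each session twice. Bare lines with no protocol field are
    assumed to be TCP (an assumption; the thread only shows TCP sessions).
    """
    if "Terminate session" in line:
        return None
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto") or "TCP",
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }


def is_rogue_smtp(session, mail_server=MAIL_SERVER):
    """True when an internal (RFC 1918) host other than the mail server opens
    a TCP connection to port 25 on an external address."""
    return (
        session is not None
        and session["proto"] == "TCP"
        and session["dport"] == 25
        and session["src"].is_private
        and not session["dst"].is_private
        and session["src"] != mail_server
    )


def find_rogue_senders(lines, mail_server=MAIL_SERVER):
    """Count outbound-SMTP sessions per non-mail-server source host.

    Returns a Counter keyed by source IP string; most_common() orders it by
    volume so the noisiest host (the likely infected PC) comes first.
    """
    hits = Counter()
    for line in lines:
        session = parse_session(line)
        if is_rogue_smtp(session, mail_server):
            hits[str(session["src"])] += 1
    return hits


# Constructed sample lines in the Kentrox format quoted in the thread.
SAMPLE_LOG = [
    "Apr 10 14:21:26 NAPA: firewall | inform | Terminate session - normal: TCP, SRC=209.219.62.3:1372, DST=172.16.0.10:443, NAT=71.6.48.162:443 <ipwan>",
    "Apr 10 14:21:28 NAPA: firewall | inform | Start session: TCP, SRC=208.69.113.119:55242, DST=172.16.0.20:25, NAT=71.6.48.162:25 <ipwan>",
    "Apr 10 14:21:26 NAPA: firewall | inform | Start session: TCP, SRC=172.16.0.20:3993, DST=207.44.141.137:25, NAT=71.6.48.162:3993 <ipwan>",
    "Apr 10 14:22:01 NAPA: firewall | inform | Start session: TCP, SRC=172.16.10.114:2504, DST=210.4.3.2:25, NAT=71.6.48.162:2504 <ipwan>",
    "Apr 10 14:22:03 NAPA: firewall | inform | Start session: TCP, SRC=172.16.10.114:2128, DST=141.2.1.1:25, NAT=71.6.48.162:2128 <ipwan>",
    "Apr 10 14:22:05 NAPA: firewall | inform | Start session: TCP, SRC=172.16.10.114:2172, DST=12.4.86.1:25, NAT=71.6.48.162:2172 <ipwan>",
    "Apr 10 14:22:07 NAPA: firewall | inform | Start session: TCP, SRC=172.26.10.21:1368, DST=207.68.179.219:80, NAT=71.6.48.162:1368 <ipwan>",
]

if __name__ == "__main__":
    for src, n in find_rogue_senders(SAMPLE_LOG).most_common():
        print(f"{src}: {n} outbound SMTP session(s) not from the mail server")
```

On the constructed sample the inbound session to the mail server and the mail server's own outbound session are both ignored, as is the port-80 traffic, and only 172.16.10.114 is reported. An empty result means no other internal host is sending mail directly, which is the case the reply says points back at the server itself.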

I'm not sure that this is necessarily a great help to you but, for what it is worth, the spam messages passing through this IP address that have been reported by users have the subject:

Play over 50 lotteries online

Senderbase notes a massive increase in Email traffic from your IP:

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 18747%

Last 30 days 2.4 145%

That would suggest, to me, an infected PC behind the IP which is spewing spam. I'd investigate all your PCs to see which, if any, are infected with a trojan.

Firewall logs may be of help in identifying the source.

You are also listed in the Composite Blocklist (CBL) http://cbl.abuseat.org/lookup.cgi?ip=71.6.48.162

Andrew


...I'd investigate all your PCs to see which, if any, are infected with a trojan.

Firewall logs may be of help in identifying the source.

You are also listed in the Composite Blocklist (CBL) http://cbl.abuseat.org/lookup.cgi?ip=71.6.48.162

We just upgraded our Symantec software to Trend Micro Office Scan. We have done many full system scans and have not found anything. Is there a chance that Office Scan is missing it?


We just upgraded our Symantec software to Trend Micro Office Scan. We have done many full system scans and have not found anything. Is there a chance that Office Scan is missing it?

Apparently, yes.

Firewall logs are the place to look. If you don't know how to find the problem, then you will have to bite the bullet and hire a professional.

Miss Betsy


I would also check the network for any stray computers that might not have gotten new AV software. I've found executives' laptops are generally harboring any number of nasty infections. Also, if you have a wireless access point, check its logs to make sure you don't have any unauthorized "users" piggy-backing on your network.


...What I would look for is any OUTGOING traffic with a destination port of 25, i.e. DST=x.x.x.x:25, that is NOT from 172.16.0.20, that should help you narrow down which computer on your network is sending spam. If you do not find any such sessions, then it would indicate that the spam is originating from the server itself.

Like this:

SRC=172.16.10.114:2504 DST=210.4.3.2:25 NAT=71.6.48.162:2504 <ipwan>

SRC=172.16.10.114:2504 DST=210.4.3.2:25 NAT=71.6.48.162:2504 <ipwan>

SRC=172.16.10.114:2128 DST=141.2.1.1:25 NAT=71.6.48.162:2128 <ipwan>

SRC=172.16.10.114:2172 DST=12.4.86.1:25 NAT=71.6.48.162:2172 <ipwan>

SRC=172.16.10.114:2128 DST=141.2.1.1:25 NAT=71.6.48.162:2128 <ipwan>


Yes, exactly like that (assuming that 172.16.10.114 is not your mail server). Now you need to track down which computer has that IP address. You should be able to match that IP to a MAC address by checking the lease tables in your DHCP server. Assuming you have kept good asset records, you should then be able to see which computer has that MAC address and go from there.


Yes, exactly like that (assuming that 172.16.10.114 is not your mail server). Now you need to track down which computer has that IP address. You should be able to match that IP to a MAC address by checking the lease tables in your DHCP server. Assuming you have kept good asset records, you should then be able to see which computer has that MAC address and go from there.

Yes. I had already found the computer in question in our DHCP leases. It had the latest version of Trend Micro's Office Scan on it. So we tried a demo version of Symantec software and it finds some stuff in the registry and says that it may be an unknown virus. Fun! It labels it Bloodhound.SONAR.1. Any better trial scanner that we should try? :) Also, with it off the network it looks like our spamming has stopped.

Thanks for all the help.


I've never really trusted Trend Micro as a top-tier scanner. I would go with either Symantec Corporate Edition, or one of McAfee's offerings.

Trend Micro can't find it.

Norton AntiVirus can't find it.

Kaspersky can't find it.

Could not find a free trial of McAfee.


Trend Micro can't find it.

Norton AntiVirus can't find it.

Kaspersky can't find it.

Could not find a free trial of McAfee.

While I heavily encourage home users to use some of the free products out there (I recommend AVG AV, Spybot-Search and Destroy, Lavasoft Ad-Aware, and recently started testing (and like) Prevx-1) because it is better to have some protection than not, if keeping your mail server off the blocklists is important to you, I suggest you invest in a quality product intended for the size of your enterprise, whatever that may be. A spyware detection package should also be considered (which is one reason I like Prevx-1, it is both).

Another thought would be to get another IP address, one specifically for your mail server and hide the desktops behind a different one.


We think we have the PC that was infected and causing the problem but there is another one that also has passed all scans but it has some odd activity in the firewall logs. It looks like it is port scanning or something.

SRC=172.26.10.21:1368 DST=207.68.179.219:80

SRC=172.26.10.21:1370 DST=207.68.179.219:80

SRC=172.26.10.21:1368 DST=207.68.179.219:80

SRC=172.26.10.21:1370 DST=207.68.179.219:80

SRC=172.26.10.21:1025 DST=172.18.106.5:161

SRC=172.26.10.21:1025 DST=172.17.106.200:161

SRC=172.26.10.21:1025 DST=172.18.106.5:161

SRC=172.26.10.21:1463 DST=66.102.7.104:80

SRC=172.26.10.21:1466 DST=66.102.7.104:80

SRC=172.26.10.21:1466 DST=66.102.7.104:80

SRC=172.26.10.21:1463 DST=66.102.7.104:80

SRC=172.26.10.21:1502 DST=66.102.7.104:80

SRC=172.26.10.21:1502 DST=66.102.7.104:80

SRC=172.26.10.21:1025 DST=172.18.106.5:161

SRC=172.26.10.21:1025 DST=172.17.106.200:161

StevenUnderwood -

We have the full Trend Micro product that we bought on recommendation just this year. (Been nothing but trouble.) We had Symantec mail and virus software that we paid for before that. I was just looking for free trials with the latest signatures hoping that one of them could find the virus that is definitely spamming from that PC. It’s a little troubling that we have something that none of these scanners can find.


We think we have the PC that was infected and causing the problem but there is another one that also has passed all scans but it has some odd activity in the firewall logs. It looks like it is port scanning or something.

Some software "phones home" checking for updates, however:

host 207.68.179.219 = g.msn.com

host 66.102.7.104 = mc-in-f104.google.com

The other IPs are internal and port 161 is normally SNMP traffic.

I often found interesting things when watching the logs closer than normal.

I was just looking for free trials with the latest signatures hoping that one of them could find the virus that is definitely spamming from that PC. It’s a little troubling that we have something that none of these scanners can find.

That is understood. I have done the same thing in the past. I have also used the AVG product for that same purpose. Have you checked out any spyware scanners? Spyware and viruses are 2 distinct critters and AV software often will not detect spyware and vice-versa.


We have the full Trend Micro product that we bought on recommendation just this year. (Been nothing but trouble.) We had Symantec mail and virus software that we paid for before that. I was just looking for free trials with the latest signatures hoping that one of them could find the virus that is definitely spamming from that PC. It’s a little troubling that we have something that none of these scanners can find.

My general advice to all the people whose computers are affected by viruses is to dump that M$ OS, and use some other OS which is more secure like Debian GNU/Linux. It is free of all those worms, viruses, spyware, what not... If your organization does not allow you to shift to a more secure system ... Well! Good luck with all the anti-virus software. Just wait till some virus erases your data, then you can come back and use Linux.


My general advice to all the people whose computers are affected by viruses is to dump that M$ OS, and use some other OS which is more secure like Debian GNU/Linux. It is free of all those worms, viruses, spyware, what not... If your organization does not allow you to shift to a more secure system ... Well! Good luck with all the anti-virus software. Just wait till some virus erases your data, then you can come back and use Linux.

I totally get what you are saying but if everyone switches to Linux then it would end up (more than likely) just as virus laden. Then we could call it Lin$ux and wish for an OS free of spammers and hackers. My TRS-80 has the most secure OS ever. :) Just giving you a hard time man but I can’t help but feel that a big part of why Macs and Linux and whatever is seen as more secure is that they are much less of a target.


Just giving you a hard time man but I can’t help but feel that a big part of why Macs and Linux and whatever is seen as more secure is that they are much less of a target.

This is not true. I used to think the same way. But I was obviously wrong. The above argument is just Microsoft's FUD.

Have you heard of Apache or MySQL etc.? Apache is the most famous webserver, MySQL is one of the popular database servers. Both of these are popular and yet at the same time very secure. Just because tons of people use a particular piece of software does not make it prone to attacks. The reason why those things work is better software design coupled with the open source software philosophy. The same is true for Linux distributions as well. If a problem is found, the fixes will be ready in a couple of hours. All you need to do is perform a security update. The same fixes take a couple of months for M$ or any other proprietary OS.

Granted, you can make a Windows machine secure and a Linux machine insecure. A good admin can make the server as secure as possible no matter what the OS is (and vice versa). I am talking about the average Joe's computer. It might be difficult the first time he uses Linux but everything is that way in Linux.

Linux's kernel is designed with security and networking in mind. Windows is designed with money in mind.


This is not true. I used to think the same way. But I was obviously wrong. The above argument is just Microsoft's FUD.

Linux's kernel is designed with security and networking in mind. Windows is designed with money in mind.

I disagree. :)

I’m not a fan of MS but there are lots of people involved from other companies even. To just say that it’s “MS FUD” and “Windows is designed with money in mind.” is not very persuasive. Also, I’ve never heard this argument from anyone, it’s just my thoughts on the issue having used computers my whole life. MS operating systems are on most computers (it’s not just about servers or server apps) and there is way more interest around the world in hacking, spamming from and trying to steal information from these PCs. I’m no expert and I’ve not researched the issue but these people aren’t just going to disappear. If every PC that is now running an MS OS switched to some other OS (in time) we would still have all these issues.

Wi-Fi is so easy to hack. Whose fault is that? When Bluetooth started to show up on most phones they started to get hacked. I remember the first solution, turning it off by default. :)

I don’t know. Maybe some Linux guy can make an encapsulation program or container for windows and then all these problems will go away and this Linux guy can be the richest guy on the planet. :)

“Linux's kernel is designed with security and networking in mind.” That sounds just like all the propaganda I’ve ever heard about any piece of software no matter what it is or what it’s supposed to do. Then you buy it and it works, sort of works or it don’t work.


We tried Ad-Aware and Spy-Bot and Panda. I even took it home and ran the online versions of Symantec and Panda anti-virus. Panda did find one more but the PC still keeps spamming. :( I guess we’re just going to reinstall Windows but man I wish there was a scanner that could find it. I still think that’s a little scary. What about the other PCs in our network? Are they doomed to be infected/re-infected? Anyone know a good forum for troubleshooting viruses?


If you are up to another suggestion, this is mine.

You seem to be running an Exchange server on a network with multiple computers attached and may have been permitting off-site computers to connect to the Exchange server and send mail as well.

Some specific steps that can be taken:

1) do not accept any outbound port 25 traffic on 71.6.48.162 except from your exchange server

2) make sure that you are using a different IP address to connect to your Exchange server.

3) 71.6.48.162 should only be used to accept inbound traffic for your registered users and for outbound traffic from your server only. All other mail traffic should be using a different IP address.

4) require authentication to send mail

5) require all users to change their passwords

6) make sure you log all mail traffic and login attempts

7) look for the high volume senders and check them out first.

The biggest problem with Microsoft (also one of its biggest benefits) is that it is fairly easy to set up to simply get it working without having any understanding of how it really works. And that's the real problem.

Not knowing how it really works keeps one from taking the required steps to fully protect the system. In today's world, any system that is on the internet should have everything locked down except for those functions that are actually needed. Microsoft generally goes the other direction, leaving everything open except for the ones that become necessary to lock down. Nice for ease of use, but also great for making abuses possible.

Enough of my ramblings.


Archived

This topic is now archived and is closed to further replies.
