Bentwing Posted May 3, 2007

why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern? we should have been in the home stretch, and as a corporate and government attorneys' office for 66.147.47.237 ksm-law.com, why do the MX records shoot back to newsouth.net (which is only the line carrier)? our MX records are hosted at register.com. but mainly, why, when we should have been in for a short time as of now, were 15 more hours added when I go to the delist page?
StevenUnderwood Posted May 3, 2007

> why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern?

Probably because a new report came in:

Submitted: Thursday, May 03, 2007 1:35:40 PM -0400: Important Notification
2272168621 ( 66.147.47.237 ) To: spamcop[at]nuvox.net

The listing is based on when the message was actually sent, however, not when the report was made.

> we should have been in the home stretch, and as a corporate and government attorneys' office for 66.147.47.237 ksm-law.com, why do the MX records shoot back to newsouth.net (which is only the line carrier)? our MX records are hosted at register.com

ksm-law.com MX preference = 5, mail exchanger = server47.appriver.com
ksm-law.com MX preference = 0, mail exchanger = server46.appriver.com
server47.appriver.com internet address = 69.20.60.123
server46.appriver.com internet address = 69.20.60.123

If you are talking about the reports going to spamcop[at]nuvox.net, they go to the owner of the IP address. If you are talking about the quick delisting: if your IP had a reverse lookup pointing to your domain, the MX record found would have been yours. Please do not do that until you know you have fixed the problem (which it appears you have not, or the time would not have gone up).

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

What have you done to fix the problem where you are sending email to addresses that have never been used? Can you explain the current email traffic leaving that IP address?

http://www.senderbase.org/search?searchBy=...g=66.147.47.237
Volume Statistics for this IP (Magnitude / Vol Change vs. Average)
Last day: 4.7 / 820%
Last 30 days: 3.2 / -69%
Average: 3.7
Merlyn Posted May 3, 2007

This IP is in a few blocklists. Why is this mail server sending email to spamtraps all over the web?
Wazoo Posted May 3, 2007

> why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern?

Means that something more arrived where it wasn't wanted, resulting in the 'adjustment' of the math formula involved in listing/de-listing ...

http://spamcop.net/w3m?action=checkblock&a...p=66.147.47.237
66.147.47.237 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 14 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

This states that both spamtrap hits and actual people have received unwanted stuff from that IP address.

http://www.senderbase.org/search?searchBy=...g=66.147.47.237
Volume Statistics for this IP (Magnitude / Vol Change vs. Average)
Last day: 4.7 / 820%
Last 30 days: 3.2 / -69%
Average: 3.7

If this is "your" output server, then you can explain this increase in outgoing flow with terms that would rule out spammer abuse, right?

--------------------------------------
Submitted: Thursday, May 03, 2007 12:35:40 PM -0500: Important Notification
2272168621 ( 66.147.47.237 ) To: spamcop[at]nuvox.net
--------------------------------------
Submitted: Wednesday, May 02, 2007 12:49:21 PM -0500: Important Notification
2271149722 ( 66.147.47.237 ) To: spamcop[at]nuvox.net
--------------------------------------

> we should have been in the home stretch, and as a corporate and government attorneys' office for 66.147.47.237 ksm-law.com, why do the MX records shoot back to newsouth.net (which is only the line carrier)? our MX records are hosted at register.com

MX records deal with your 'incoming' e-mail .. this listing is due to 'outgoing' e-mail.

dns9.register.com reports the following MX records:
Preference / Host Name / IP Address
0 / server46.appriver.com / 69.20.60.123
5 / server47.appriver.com / 69.20.60.123

Pretty unique set-up you seem to have ... web-site hosted in Register.com space, incoming e-mail servers in Rackspace.com space, outgoing e-mail servers in Newsouth.net space. I'd suggest that you are a victim of using a shared e-mail server.

> but mainly, why, when we should have been in for a short time as of now, were 15 more hours added when I go to the delist page?

As above, new reports and spamtrap hits reset the clock .. as "spam has not stopped".
Bentwing Posted May 3, 2007 (Author)

as to the volume: one of the largest bankruptcy attorneys files through emails into the ECF system. this is done through emails. as well, several corporate attys. have been sending and receiving huge contracts for BellSouth/AT&T as well as Sony Music etc. etc. the AppRiver is handled by another company working with our email filters (Cybertek), so our MX records are hosted by register.com 216.21.234.75, AppRiver is one of our outside filters handled by Cybertek, and NuVox/NewSouth is our line carrier.

http://www.dnsstuff.com/tools/lookup.ch?na...com&type=MX

so I see our MX records just fine. I have been on the phone all afternoon with all of them, and they see us clean and fine. AppRiver has had all our mail, incoming and outgoing, on hold for the last 18 hours. this was stated by both Cybertek (trentc[at]cybertek-eng.com, who has read this thread as well) and AppRiver. as well, I have run on all local clients Ad-Aware, Spybot, AVG, Panda online scan, and HijackThis, and on the servers I ran the AVG for Exchange, went to Microsoft as well, and Panda scan for servers. only one computer came back with FunWebProducts, which Ad-Aware promptly removed.
Bentwing Posted May 3, 2007 (Author)

could there be an open relay outside of the ksm-law network that is being used?
Merlyn Posted May 3, 2007

> could there be an open relay outside of the ksm-law network that is being used?

The mail is coming from your server and a lot of it is being sent to "non people". It is being sent to email addresses that should never receive email.
Bentwing Posted May 3, 2007 (Author)

like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours. AppRiver has held everything! and that is any mail! alright, to help alleviate this situation I am running all scans again and will be shutting the network and servers down for the night, until 4:30 am EST, at which time Cybertek will notify AppRiver to release all incoming and outgoing mail. so if we are listed within this time frame, I know it is not our servers and network, no? thank you for your suggestions and responses!
Wazoo Posted May 3, 2007

> as to the volume: one of the largest bankruptcy attorneys files through emails into the ECF system. this is done through emails. as well, several corporate attys. have been sending and receiving huge contracts for BellSouth/AT&T as well as Sony Music etc. etc.

Question/pointer dealt with the 'last 24 hour' increase .. currently showing as:

Volume Statistics for this IP (Magnitude / Vol Change vs. Average)
Last day: 4.7 / 779%
Last 30 days: 3.2 / -69%
Average: 3.7

down a bit from the last datapoint, but certainly not zero .... per SenderBase's "Magnitude" Explained we're looking at a jump from 2,000 e-mails a day to something like 125,000 e-mails a day .... the amount of chargeable hours in that flow would be seen as a bit phenomenal ....

> the AppRiver is handled by another company working with our email filters (Cybertek),

AppRiver is your 'incoming' e-mail server ... not at issue here

> and NuVox/NewSouth is our line carrier.

these are the folks involved with your 'outgoing' e-mail ... not addressed yet, other than my perceived facts .. this is not a server dedicated to 'only' your outgoing traffic ....

> I have been on the phone all afternoon with all of them, and they see us clean and fine.

again, the concept of a 'shared' outgoing e-mail server doesn't seem to have been addressed. The problem may not be 'you' ... rather some other client using that same server for their outgoing .... or of course, that server itself ....

> AppRiver has had all our mail, incoming and outgoing, on hold for the last 18 hours. this was stated by both Cybertek (trentc[at]cybertek-eng.com, who has read this thread as well) and AppRiver. as well, I have run on all local clients...

not stated .... how your incoming e-mail servers interact with those outgoing e-mail servers located elsewhere, under different ownership/management, etc.

> Ad-Aware, Spybot, AVG, Panda online scan, and HijackThis, and on the servers I ran the AVG for Exchange, went to Microsoft as well, and Panda scan for servers. only one computer came back with FunWebProducts, which Ad-Aware promptly removed.

again, the issue may not be 'you' ... but unknown until someone gets around to qualifying the outgoing server involved here. Who controls it, who is using it .....

While we're at it, the reminder that SpamCop.net cannot and does not "block your e-mail" has to be made ... It is the receiving ISP that has chosen to use the SpamCopDNSBL in a blocking fashion (not even recommended by SpamCop.net) that would be causing your e-mail traffic issues ....
StevenUnderwood Posted May 3, 2007

> like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours. AppRiver has held everything!

There is no need to yell. Please remain calm. The SpamCop reporters have received spam from that IP address in the last few hours. These messages would not be going through AppRiver but likely directly to the internet, because a machine is compromised in some way. You are unlikely to find the problem through the email logs on the server (it is not using the official email software, but its own), but may find them if you have logging enabled on any firewall on the connection. Look for port 25 connections from any machine, which should show you if it is a client hidden behind the same IP address causing the problem rather than the server itself.

BTW, according to the FAQ your magnitude of 4.7 seen by SenderBase is between:
Magnitude 4 = 13.4 Thousand Estimated Daily Email Volume
Magnitude 5 = 134 Thousand Estimated Daily Email Volume

So SenderBase has seen about 100,000 email messages. Are the lawyers you are talking about sending that many messages?
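The two checks StevenUnderwood suggests above, as an added example that is not part of the original thread: scan a firewall log for outbound TCP/25 connections grouped by internal source address (any LAN host other than the mail server opening port 25 to the Internet is the candidate bot), and turn a SenderBase magnitude into an estimated daily message count using the two anchor points quoted in the post (4 = 13.4K, 5 = 134K per day). The log line format, the 10.0.0.0/24 LAN and the host addresses are assumptions made up for the example.

```python
"""Added example (not from the thread): find LAN hosts talking SMTP to the
Internet, and convert a SenderBase magnitude to messages/day."""
import re
from collections import Counter

# Assumed log format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

MAIL_SERVER = "10.0.0.5"   # assumed LAN address of the Exchange host

# Constructed sample: the mail server sending normally, one workstation
# (10.0.0.57) pushing mail straight to outside MX hosts, one web browser.
SAMPLE_LOG = """\
2007-05-03T14:01:02 ACCEPT TCP 10.0.0.5:51022 -> 69.20.60.123:25
2007-05-03T14:01:09 ACCEPT TCP 10.0.0.57:1034 -> 18.7.22.83:25
2007-05-03T14:01:10 ACCEPT TCP 10.0.0.57:1035 -> 64.233.187.99:25
2007-05-03T14:01:11 ACCEPT TCP 10.0.0.57:1036 -> 209.85.133.27:25
2007-05-03T14:01:15 ACCEPT TCP 10.0.0.23:2221 -> 72.14.207.99:80
2007-05-03T14:01:20 ACCEPT TCP 10.0.0.5:51023 -> 69.20.60.123:25
2007-05-03T14:01:31 DROP   TCP 10.0.0.57:1037 -> 216.239.37.25:25
"""


def outbound_smtp_by_host(log_text, lan_prefix="10.0.0."):
    """Count outbound port-25 connection attempts per internal source IP.
    Dropped attempts are counted too: a blocked bot is still a bot."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dport"] != "25":
            continue
        if m["src"].startswith(lan_prefix) and not m["dst"].startswith(lan_prefix):
            counts[m["src"]] += 1
    return dict(counts)


def suspicious_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Internal hosts other than the mail server that talk to port 25 outside."""
    return sorted(h for h in outbound_smtp_by_host(log_text) if h != mail_server)


def senderbase_daily_volume(magnitude):
    """Estimated messages/day for a SenderBase magnitude.  Magnitude is a
    base-10 logarithm of volume with a fixed offset; the thread quotes
    4 = 13.4K and 5 = 134K, so volume = 13400 * 10**(magnitude - 4)."""
    return round(13400 * 10 ** (magnitude - 4))


if __name__ == "__main__":
    print(outbound_smtp_by_host(SAMPLE_LOG))
    print("suspect hosts:", suspicious_smtp_sources(SAMPLE_LOG))
    for m in (3.7, 4.7, 4.9):
        print(f"magnitude {m}: ~{senderbase_daily_volume(m):,} msgs/day")
```

On a real firewall the same idea is usually a one-liner over the denied/allowed log with a filter on destination port 25; the point is to group by internal source, because a NATed LAN shows one public IP to SpamCop and SenderBase, and only the firewall can tell the mail server apart from a workstation behind it.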
Wazoo Posted May 3, 2007

> So SenderBase has seen about 100,000 email messages. Are the lawyers you are talking about sending that many messages?

in the last 24 hours .... thus my remark about 'chargeable hours' ..... In the old days, they could charge those immense hourly rates based on the overhead/staff needed to manually look up, review, capsulize that research, hand-type all the paperwork, review, error-correct, re-type all that paperwork .... nowadays, research done via on-line databases, forms available on disk only needing a few 'blanks' filled in, a few paragraphs tailored here and there .... but the rates charged remain 'up there' <g> .... the suggestion in this case being just how that same crew of lawyers had enough 'free time' to generate this many new e-mails .... with most charging 'hourly rates', a few I've run across would charge in half-hour increments, only one that I recall using quarter-hour increments .... in excess of 125,000 outgoing e-mails on a single day seems like a lot of 'hours' involved <g>

BTW: at the time of this posting;
Volume Statistics for this IP (Magnitude / Vol Change vs. Average)
Last day: 4.7 / 769%
Last 30 days: 3.2 / -69%
Average: 3.7
Merlyn Posted May 3, 2007

> like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours. AppRiver has held everything! and that is any mail!

Probably any mail that goes through the following services:

SMTP - 25
220 KSMLAWEX.ksm-law.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 3 May 2007 19:28:38 -0400

POP3 - 110
+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (KSMLAWEX.ksm-law.com) ready.

But it hasn't stopped the "phishes" that have been coming from this server. Sorry to say it, but this server has been compromised.
Bentwing Posted May 4, 2007 (Author)

ok, register.com claims to be of no help. NuVox/NewSouth says they have nothing to do with it. however, given that all desktops were scanned and shut down, along with the servers, and kept that way for the entire night.. I noticed that the SenderBase volume actually went up from 4.7 to 4.9 throughout the night.. and all mail has been held since Wednesday by AppRiver. I am at a loss of knowledge here.... currently sifting through log files, checking ports....
StevenUnderwood Posted May 4, 2007

> however, given that all desktops were scanned and shut down, along with the servers, and kept that way for the entire night.. I noticed that the SenderBase volume actually went up from 4.7 to 4.9 throughout the night.. and all mail has been held since Wednesday by AppRiver. I am at a loss of knowledge here....

Volume Statistics for this IP (Magnitude / Vol Change vs. Average)
Last day: 4.9 / 1351%
Last 30 days: 3.6 / -29%
Average: 3.7

Though you have now been delisted from SpamCop. That listing will likely return quickly if any further reports are received, because your "number" is likely just below the listing level.

I just noticed you are posting from that same IP address, meaning that every machine behind your firewall is using the same IP address. Do you have any firewall logs you can check out? Perhaps your firewall is compromised? Something on a DMZ if you have one? Can you power off your internet connection overnight as a test?

It may be time to hire a professional to figure out what is happening. Messages appear to continue to be sent in high numbers from that IP address. Much further help here will require a more thorough understanding of your environment, more than you may want to post in public. Also, remember that all scanners only work for the threats they know about.
Bentwing Posted May 4, 2007 (Author)

I am going for the unplug tonight. but I must wait for business hours to close. and more Excedrin. I will not bother you with the log files that are under way from researching. but as stated above I have a rather unique system to crawl through for several hours to find our hitchhiker. I did notice in the header packet of one of the violation letters a unique user number, as in

Received: from User ([62.142.88.3]) by KSMLAWEX.ksm-law.com

this same setup has been sending from other sources as well... as in

Received: from User (unknown [62.142.88.3]) by mail.timeact.co.uk (Postfix) with ESMTP id 94227489D1A;

and http://nety.cec.eu.int/youth-white-paper-o...nternetHeader=1

all are PayPal phishing emails ... again, thank you guys for pointers and direction.
StevenUnderwood Posted May 4, 2007

That IP address is spewing the same types of spam:

Submitted: Wednesday, May 02, 2007 7:21:28 AM -0400: Important Notification
2270716125 ( 62.142.88.3 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, May 01, 2007 7:36:09 PM -0400: Important Notification
2270153113 ( 62.142.88.3 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, May 01, 2007 11:17:21 AM -0400: New Notification!
2269755010 ( http://cytokine.ru/modules/Update/update.php ) To: abuse[at]masterhost.ru
2269755008 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
--------------------------------------------------------------------------------
Submitted: Tuesday, May 01, 2007 7:19:47 AM -0400: Important Notification
2269688364 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
--------------------------------------------------------------------------------
Submitted: Monday, April 30, 2007 8:29:19 PM -0400: Important Notification
2269123756 ( http://210.97.229.34/bbs/icon/private_name/inde... ) To: postmaster[at]eftelecom.net
2269123712 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
--------------------------------------------------------------------------------
Submitted: Monday, April 30, 2007 9:03:34 AM -0400: [spam?#####] New Notification!
2268507085 ( http://cytokine.ru/modules/Update/update.php ) To: abuse[at]masterhost.ru
2268507044 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
--------------------------------------------------------------------------------
Submitted: Sunday, April 29, 2007 11:51:56 AM -0400: New Notification!
2267437843 ( http://12.26.45.35/html/help/preview.html ) To: nomaster[at]devnull.spamcop.net
2267437831 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
--------------------------------------------------------------------------------
Submitted: Saturday, April 28, 2007 4:42:29 PM -0400: New Notification!
2266618066 ( http://cytokine.ru/modules/Update/update.php ) To: abuse[at]masterhost.ru
2266618065 ( 62.142.88.3 ) To: abuse[at]saunalahti.fi
2266618063 ( 128.121.21.6 ) To: abuse[at]nexpoint.net
2266618060 ( 128.121.21.39 ) To: abuse[at]nexpoint.net

Another one at: http://diswww.mit.edu/bloom-picayune/cfs/15991

With the following:

Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400

There are 2 similar SpamCop reports on that IP address as well:

Submitted: Thursday, May 03, 2007 5:39:15 PM -0400: Important Notification
2272345768 ( 207.59.123.82 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Thursday, May 03, 2007 4:05:05 AM -0400: Important Notification
2271684112 ( http://cytokine.ru/modules/Update/update.php ) To: abuse[at]masterhost.ru
2271684110 ( 207.59.123.82 ) To: abuse#uslec.com[at]devnull.spamcop.net
Telarin Posted May 4, 2007

Something odd going on here, let's look at the headers.

Received: (qmail 3633 invoked from network); 2 May 2007 13:22:08 -0000
Received: from nsc66.147.47-237.newsouth.net (HELO KSMLAWEX.ksm-law.com) (66.147.47.237) by charon.mit.edu with SMTP; 2 May 2007 13:22:08 -0000
Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400

Specifically, the second one, where it is received from KSMLAWEX.ksm-law.com. That line tells us that the message must have gone through the Exchange server itself, rather than a trojan using its own SMTP engine. We can tell this by the HELO KSMLAWEX.ksm-law.com. If the message had been sent direct to MX by a trojan, there is no way it could have known the KSMLAWEX name, as there is no RDNS on that IP address.

I would check your Exchange server itself to see if it is the victim of an SMTP AUTH attack. If you have it configured to allow SMTP relaying, make sure that it requires authentication, and that any authorized users have strong passwords.

Edit: I tried bouncing a message off your server using telnet, and it refused to relay to outside email addresses, which is good. It means you're not set up as an open relay, but that makes the likelihood of an SMTP AUTH hack much higher.
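The header walk Telarin does above, as an added example that is not part of the original thread. Received: lines are prepended by each relay, so the top one is the last hop and reading downward approaches the origin. The hop whose "by" host is your own server names the client that handed it the message (here "User" at 207.59.123.82); the hop just above shows what your server announced in its HELO to the next relay, and how that differs from the PTR the relay logged. The sample chain is the three lines quoted in the post; the server name is taken from those headers, and the external/internal split uses the standard private address ranges.

```python
"""Added example (not from the thread): parse a Received: chain, find the
peer that injected the message into our server, and flag HELO/PTR mismatch."""
import re
import ipaddress

# The chain quoted in Telarin's post, reproduced as sample input.
SAMPLE_HEADERS = """\
Received: (qmail 3633 invoked from network); 2 May 2007 13:22:08 -0000
Received: from nsc66.147.47-237.newsouth.net (HELO KSMLAWEX.ksm-law.com) (66.147.47.237) by charon.mit.edu with SMTP; 2 May 2007 13:22:08 -0000
Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400
"""

OUR_SERVER = "KSMLAWEX.ksm-law.com"   # the Exchange host named in the headers

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(headers):
    """One dict per Received: line that names a sending peer, in header order
    (top = latest hop).  qmail's "(qmail ... invoked from network)" line has
    no peer and is skipped."""
    hops = []
    for line in headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        by = BY_RE.search(body)
        if not by:
            continue
        peer_part = body[: by.start()]
        frm = FROM_RE.search(peer_part)
        if not frm:
            continue
        helo = HELO_RE.search(peer_part)
        ip = IPV4_RE.search(peer_part)
        hops.append({
            # qmail logs the PTR first and the HELO in parentheses; Exchange and
            # sendmail log the HELO name first.  Normalise to one field each.
            "helo": helo.group(1) if helo else frm.group(1),
            "ptr": frm.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1),
        })
    return hops


def injecting_client(hops, our_server=OUR_SERVER):
    """The hop where our server accepted the message: who handed it over."""
    for hop in hops:
        if hop["by"].lower() == our_server.lower():
            return hop
    return None


def our_onward_hop(hops, our_server=OUR_SERVER):
    """The hop where our server presented itself (HELO) to the next relay."""
    for hop in hops:
        if hop["helo"].lower() == our_server.lower():
            return hop
    return None


def diagnose(headers, our_server=OUR_SERVER):
    """Summarise what the chain says about how the message left our network."""
    hops = parse_received(headers)
    client = injecting_client(hops, our_server)
    onward = our_onward_hop(hops, our_server)
    result = {
        "relayed_through_us": client is not None,
        "client_ip": client["ip"] if client else None,
        "client_helo": client["helo"] if client else None,
        # An external client relaying through us means AUTH abuse or open
        # relay; an internal one means a compromised LAN host.
        "client_external": bool(client and client["ip"]
                                and not ipaddress.ip_address(client["ip"]).is_private),
        # Our HELO name differs from the PTR the next relay saw for our IP.
        "ptr_mismatch": bool(onward and onward["ptr"]
                             and onward["ptr"].lower() != onward["helo"].lower()),
    }
    return result


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(hop)
    print(diagnose(SAMPLE_HEADERS))
```

Reading the result for the quoted chain: the message was accepted by KSMLAWEX.ksm-law.com from a public address announcing itself only as "User", then relayed onward with our HELO while the receiving MIT host logged the NewSouth PTR for 66.147.47.237. That combination is exactly what an authenticated-relay abuse looks like in headers, and it is why the advice is to audit SMTP AUTH accounts and relay restrictions on the Exchange host rather than only scanning desktops.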
Bentwing Posted May 4, 2007 (Author)

we are able to send mail as of today; AppRiver sees it going through them as well. however, AppRiver stated that when they went to release the mail to us they received an "out of memory error" from the Exchange server. I have since cleared memory and gone over the registry, and yes, I believe the server has been compromised, yet how can the mail still be sent in such volumes when the servers were offline last night? would this lead to the router being used as the relay?

Received: from KSMLAWEX.ksm-law.com (nsc66.147.47.237.newsouth.net [66.147.47.237]) by ns2.bizsystems.net with ESMTP id l42FSkFN027403 for <michael[at]bizsystems.com>; Wed, 02 May 2007 08:28:48 -0700 (PDT)
Received: from User ([62.142.88.3]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 11:33:42 -0400

this is the one that caused our first listing; why the different headers?

From service[at]paypal.com Sun Apr 29 21:22:04 2007
Return-Path: <service[at]paypal.com>
Delivered-To: munch-mtg[at]charon.mit.edu
Received: (qmail 19478 invoked from network); 29 Apr 2007 21:22:04 -0000
Received: from unknown (HELO ahnhancpas.com) (207.148.216.94) by charon.mit.edu with SMTP; 29 Apr 2007 21:22:04 -0000
Received: from quimby.hornok.com ([68.60.174.38]) by ahnhancpas.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 29 Apr 2007 17:20:15 -0400
Received: from User ([207.59.123.82]) by quimby.hornok.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 29 Apr 2007 17:07:12 -0400

though this one with the HELO is the same as our ksm-law header, even with the same made-up user IP.

fyi, all mail from ksm is on a manual hold. all att. are using alternate emails (backup system; yes, I do have opposable thumbs still). currently scanning with, and stretching it by being a server with some scans: current AVG server/Exchange edition nonstop, Spybot, HijackThis, Ewido, Trend, BitDefender, also CCleaner, Windows Live OneCare and a couple of others.
StevenUnderwood Posted May 4, 2007

> though this one with the HELO is the same as our ksm-law header, even with the same made-up user IP.

It may not be a made-up user IP. Your server may be compromised to the point where someone now has a valid account and is "legally" relaying through your machine, i.e. an SMTP AUTH hack.
Bentwing Posted May 4, 2007 (Author)

k, thanks. cookies for your help and knowledge. as admins you rock.
Merlyn Posted May 4, 2007

> It may not be a made-up user IP. Your server may be compromised to the point where someone now has a valid account and is "legally" relaying through your machine, i.e. an SMTP AUTH hack.

As we are able to see a complete example of the phish, it looks more like a compromised machine than an AUTH hack, but I have been wrong before.
Merlyn Posted May 5, 2007

Looks like

Last day: 4.9 / 1159%
Last 30 days: 3.8 / 1%

that IP is still spewing phishes. This machine/firewall/whatever should be shut down and everything disconnected from the web until the problem is found. This is getting out of hand.
Bentwing Posted May 10, 2007 (Author)

yes it did... indeed. got to love the firm partners that think they are tech savvy. a Eudora and Thunderbird account and a Mindspring account (personal) were infected. a laptop and IRC bots. all one man... I know this poor guy is going to get a letter from the local cable host... Ethereal, netstat, ZoneAlarm, oh my, hear the bells ring. thank you guys for your pointers and knowledge. can you as well point me to something along the lines of "spam 101" and/or the idiot's guide to mail for these attorneys?
Telarin Posted May 10, 2007

Well, one good place to start educating them might be the spam wiki: http://en.wikipedia.org/wiki/Email_spam

Lots of good general spam information there. Spamhaus.org is also a fairly good resource for information.
Farelf Posted May 10, 2007

> ...can you as well point me to something along the lines of "spam 101" and/or the idiot's guide to mail for these attorneys?

Best Google around a bit, but here's one that caught my attention a while back: The 25 Most Common Mistakes in Email Security