Pulse001 Posted July 25, 2007

This is not the IP of the mail server, but our mail is blocked, why?
Farelf Posted July 25, 2007

> This is not the IP of the mail server, but our mail is blocked, why?

209.248.146.34.nw.nuvox.net is indeed blocked and if that's not your outward server address that factoid could have nothing to do with your mail being blocked. Apart from nuvox.net (with at least another 682 IP addresses associated with sending messages) the names George Lay Signs, Inc. (network owner) and WICHITA NEPHROLOGY GROUP, PA seem to be associated with the address.

How are you determining your OUTWARDS mail server IP address? You got a non delivery notification quoting 209.248.146.34? That is usually an indication it is the address of the server handling your outwards mail. What happens when you enter your address in http://www.spamcop.net/bl.shtml the BL checker?
Wazoo Posted July 25, 2007

> This is not the IP of the mail server, but our mail is blocked, why?

If it's not the IP address of 'your' e-mail server then why are you asking about it? If 'your' e-mail is blocked, where is the requested data to indicate that, typically the rejection / error message from the receiving ISP that should include the IP address in question? Did you look at the Why am I Blocked? FAQ / Pinned entry before Registering / Validating / Posting?

http://www.spamcop.net/w3m?action=checkblo...=209.248.146.34

209.248.146.34 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.
Causes of listing
- System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
- SpamCop users have reported system as a source of spam less than 10 times in the past week
Listing History
In the past 18.8 days, it has been listed 5 times for a total of 15.5 days

http://www.senderbase.org/senderbase_queri...=209.248.146.34

Date of first message seen from this address: 2007-05-26
Volume Statistics for this IP
Magnitude    Vol Change vs. Last Month
Last day      4.6    140%
Last month    4.2

Based on the address used to Register here; auth61.ns.uu.net reports the following MX records:

Preference   Host Name           IP Address
3            mail.pulseinc.com   63.77.20.11
33           mail.uu.net         199.171.54.245

These would be the incoming e-mail servers, but perhaps what you were thinking of as 'your' servers ????
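Farelf's pointer to the BL checker and the bl.spamcop.net answer Wazoo pasted are the same DNS lookup: reverse the octets, append the zone, and read the A record. The script below is an added example and not code from any poster or from SpamCop; it builds that query name, interprets the answer, and checks every public address outbound mail can leave from rather than only the MTA's own address, which is the point this thread turns on. The function names and the injectable resolver (so the logic can be exercised without network access) are assumptions of the example; the zone name and the 127.0.0.2 return code are the ones quoted in the thread.

```python
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# The zone and the 127.0.0.2 answer are the ones quoted in the thread; the
# function names and the resolver injection are assumptions of this example.
SPAMCOP_BL = "bl.spamcop.net"


def dnsbl_query_name(ip: str, zone: str = SPAMCOP_BL) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone.

    209.248.146.34 on bl.spamcop.net becomes 34.146.248.209.bl.spamcop.net.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Real resolver: one A record, or None when the name does not exist
    (NXDOMAIN is how a DNSBL says 'not listed')."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret_answer(answer: Optional[str]) -> str:
    """Turn a DNSBL A answer into a verdict.

    Listings are answered inside 127.0.0.0/8. Any other address means the
    lookup was intercepted (wildcarding resolver, captive portal) or the zone
    is misbehaving, so it must not be read as 'listed'.
    """
    if answer is None:
        return "not listed"
    if answer.startswith("127."):
        return f"listed ({answer})"
    return f"untrusted answer {answer}"


def check_listing(
    ip: str,
    resolve: Callable[[str], Optional[str]] = resolve_a,
    zone: str = SPAMCOP_BL,
) -> Tuple[str, str]:
    """Return (query name, verdict) for one address."""
    name = dnsbl_query_name(ip, zone)
    return name, interpret_answer(resolve(name))


def check_all(
    ips: Iterable[str], resolve: Callable[[str], Optional[str]] = resolve_a
) -> Dict[str, str]:
    """Check every public address outbound mail can be seen from. With NAT the
    receiving MTA sees the firewall's address, not the mail server's, so the
    server's own address 'coming up clean' proves nothing on its own."""
    return {ip: check_listing(ip, resolve)[1] for ip in ips}


if __name__ == "__main__":
    # The two addresses from the thread: the firewall and the mail server.
    for ip, verdict in check_all(["209.248.146.34", "209.248.146.35"]).items():
        print(f"{ip}: {verdict}")
```

Run it as-is to query the live zone; pass a dictionary-backed resolver to `check_all` to replay a known answer. Note that the verdict "listed" says nothing about who is sending: the DNSBL keys on the address the receiving server saw, which is why the thread ends up at the firewall's address rather than the mail server's.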
Pulse001 Posted July 25, 2007 (Author)

209.248.146.35 is the address of the mail server (comes up clean)
209.248.146.34 is the address of the pix firewall

isp (nuvox) had some storm worm a week or so ago, so they were blocked in all directions

does this help any?

i did symantec virus scan on all workstations/servers, 3 came up with something, and i cleaned those three (this was a week ago). there is nothing coming up yesterday or today.

so, basically, i need to consult with the isp again?
Farelf Posted July 25, 2007

> so, basically, i need to consult with the isp again?

I would say so - whatever is hitting the spamtraps is still doing it. Haven't a clue why the firewall is showing up but no doubt others here will have an explanation. Meantime, if you've cleaned everything you can find then some logs are needed to look for the leak - could be from someone sharing the address? - whatever - the very limited information the deputies *might* be prepared to release about spamtrap hits they would only do for the ISP. Maybe if there are some recent (non spamtrap) reports, if a reporter here has access and can look.
Wazoo Posted July 25, 2007

> 209.248.146.35 is the address of the mail server (comes up clean)

Assumedly your 'incoming' server??

http://www.senderbase.org/senderbase_queri...=209.248.146.35

Volume Statistics for this IP
Magnitude    Vol Change vs. Last Month
Last day      0.0    N/A
Last month    0.0

Nothing significant seen by SenderBase as far as 'outgoing'

> 209.248.146.34 is the address of the pix firewall

Why would a "firewall" be seen as an issue related to your outgoing e-mail being blocked?

07/25/07 13:59:46 Slow traceroute 209.248.146.34
Trace 209.248.146.34 ...
64.89.67.53     RTT: 76ms TTL:170 (se4-0-27c1.wlmgnc-wi-ca001.nw.nuvox.net ok)
64.89.67.168    RTT: 79ms TTL:170 (se2-0-2c0.lxtnky-qi-ma001.nw.nuvox.net ok)
64.19.40.178    RTT: 80ms TTL:170 (64.19.40.178.nw.nuvox.net ok)
209.248.146.34  RTT: 81ms TTL:240 (209.248.146.34.nw.nuvox.net ok)

telnet 209.248.146.34 25
220 ***************************************************0****0******************* **2******200*********2**0*00

A very unusual 'greeting' string, but ... it would appear to be a server sitting there ... definitely not your normal 'firewall' type of response ....

> so, basically, i need to consult with the isp again?

As stated previously, not only do you need to talk to them again .. asking about how your outgoing e-mail is actually routed .. but "we" are also asking for the signs / clues / rejection notices that you apparently received about being blocked by someone ... If you haven't looked at any of the FAQ data here yet, then you may have not yet seen that SpamCop.net cannot block any of your e-mail. SpamCop.net does provide the SpamCopDNSBL, but also does not recommend using it in a 'blocking' fashion. It is the receiving ISP that has chosen to configure their system to reject your e-mail due to the SpamCopDNSBL listing .... but the main confusion factor seems to be that you do not know how your e-mail is actually being handled.
DavidT Posted July 25, 2007

209.248.146.34 is indeed being seen as transmitting email, so your understanding of the function of the various IPs appears to be flawed. Here's proof:

http://www.senderbase.org/senderbase_queri...=209.248.146.34

A Senderbase "magnitude" of 4.6 is pretty high, and Senderbase has seen email traffic from that IP starting on 2007-05-26.

DT
Telarin Posted July 25, 2007

I believe those pix firewalls have an option where they can be used in a NAT mode to translate one public IP address to another public IP address. Kind of like IP mapping, but using 2 publics instead of mapping a public to a private. Not sure why you would configure one like this, but it appears that is what has been done. I would talk to whoever setup your network to find out why your mail server traffic is not going out on its own IP address.
Merlyn Posted July 25, 2007

Looks like an infected machine behind the firewall is part of a botnet spewing greeting card spam trying to infect other machines. Here is an example:

http://psbl.surriel.com/evidence?ip=209.24...=Check+evidence

You are getting onto many blocklists, you can check them here:

http://www.moensted.dk/spam/
Pulse001 Posted July 25, 2007 (Author)

> Looks like an infected machine behind the firewall is part of a botnet spewing greeting card spam trying to infect other machines. Here is an example:
> http://psbl.surriel.com/evidence?ip=209.24...=Check+evidence
> You are getting onto many blocklists, you can check them here:
> http://www.moensted.dk/spam/

Merlyn:

The moensted.dk link is what revealed to me that the site was spamming in the first place, as the other list that checked "147 blacklists" had it coming up clean. Not until I checked the firewall IP did I notice any issues.

I saw that greeting card spam link, but I somehow can't catch it with symantec corporate virus scan with current definitions? What gives?

I guess I should be asking how do I catch the greeting card spam machine, then? It is not coming up on the virus scan, so I must need stronger scanning software? I've seen mailer-type virii picked up by symantec corporate in the past, so I was hoping that would be the case with this one, I guess I'm wrong?

This is how the network looks:

{ internet } ---> [firewall ...34] ---> [e-mail server]

the e-mail server is publicly .35, but it receives traffic through the firewall, that redirects to the server based on it coming in on 209.248.146.35, port 25, 80, etc.

Let me see if I can find a specific "storm worm" fix, then, maybe I have been looking at this all wrong.
turetzsr Posted July 25, 2007

> <snip> I saw that greeting card spam link, but I somehow can't catch it with symantec corporate virus scan with current definitions? What gives?

...Antivirus software only looks for viruses, not other malware that might send spam.

> I guess I should be asking how do I catch the greeting card spam machine, then? <snip>

...IIUC (I am not a server admin), if you have access to (or access to someone who has access to) the outgoing server firewall logs, that might help you determine which machine is originating the spam.
Merlyn Posted July 26, 2007

> Merlyn:
> The moensted.dk link is what revealed to me that the site was spamming in the first place, as the other list that checked "147 blacklists" had it coming up clean. Not until I checked the firewall IP did I notice any issues.
> I saw that greeting card spam link, but I somehow can't catch it with symantec corporate virus scan with current definitions? What gives?
> I guess I should be asking how do I catch the greeting card spam machine, then? It is not coming up on the virus scan, so I must need stronger scanning software? I've seen mailer-type virii picked up by symantec corporate in the past, so I was hoping that would be the case with this one, I guess I'm wrong?
> This is how the network looks:
> { internet } ---> [firewall ...34] ---> [e-mail server]
> the e-mail server is publicly .35, but it receives traffic through the firewall, that redirects to the server based on it coming in on 209.248.146.35, port 25, 80, etc.
> Let me see if I can find a specific "storm worm" fix, then, maybe I have been looking at this all wrong.

Just using an antivirus solution will not fix your problem. You also need a few others:

Spybot Search & Destroy
AdAware
Believe it or not, MS Windows Defender

And that is just a start
Telarin Posted July 27, 2007

You might also apply the blunt hammer method. Configure your pix firewall to only allow outgoing connections to port 25 if they originate from the mail server. Port 25 connections originating from other computers on the LAN side should be blocked. This of course will cause problems if you have someone using an external SMTP server, but in most cases, you shouldn't.
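turetzsr's suggestion to work from the firewall logs and Telarin's egress rule point at the same data: the PIX's own connection log already records every outbound port-25 connection with the inside host's real address and the public address it was translated to. The script below is an added example, not code from any poster; it parses PIX 302013 "Built outbound TCP connection" messages, counts outbound SMTP connections per inside host, and lists every host other than the mail server together with the public address the firewall presented it as. The log lines and the inside addresses (192.168.1.x) are constructed for the example; 209.248.146.34 and 209.248.146.35 are the firewall and mail server addresses from the thread.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# PIX/ASA syslog message 302013 reports each TCP connection the firewall built,
# including the inside host's real address and the NAT address it left from.
# The regex keys on that message; the log lines below are constructed for this
# example, not taken from the poster's firewall.
CONN_RE = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection \d+ "
    r"for outside:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) "
    r"to inside:(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<nat>[\d.]+)/\d+\)"
)

# Assumed inside address of the legitimate MTA. In the thread its public
# address is 209.248.146.35 and the firewall's outside address is 209.248.146.34.
MAIL_SERVER = "192.168.1.5"

# Constructed sample: the MTA sends via its static NAT (.35); a workstation
# (.77) opens SMTP connections via PAT on the firewall's own address (.34).
# Destination addresses are documentation ranges. One line is port 80 noise.
SAMPLE_LOG = """\
Jul 25 2007 13:59:01 pix %PIX-6-302013: Built outbound TCP connection 100 for outside:198.51.100.10/25 (198.51.100.10/25) to inside:192.168.1.5/40001 (209.248.146.35/40001)
Jul 25 2007 13:59:02 pix %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.7/25 (203.0.113.7/25) to inside:192.168.1.77/1034 (209.248.146.34/1034)
Jul 25 2007 13:59:02 pix %PIX-6-302013: Built outbound TCP connection 102 for outside:203.0.113.8/25 (203.0.113.8/25) to inside:192.168.1.77/1035 (209.248.146.34/1035)
Jul 25 2007 13:59:03 pix %PIX-6-302013: Built outbound TCP connection 103 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.168.1.77/1036 (209.248.146.34/1036)
Jul 25 2007 13:59:04 pix %PIX-6-302013: Built outbound TCP connection 104 for outside:203.0.113.9/25 (203.0.113.9/25) to inside:192.168.1.77/1037 (209.248.146.34/1037)
Jul 25 2007 13:59:05 pix %PIX-6-302013: Built outbound TCP connection 105 for outside:198.51.100.11/25 (198.51.100.11/25) to inside:192.168.1.5/40002 (209.248.146.35/40002)
"""


def outbound_smtp(lines: Iterable[str]) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count outbound port-25 connections per inside host and record which
    public (NAT) address each host was seen from."""
    counts: Counter = Counter()
    nat_seen: Dict[str, Set[str]] = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        counts[m.group("src")] += 1
        nat_seen.setdefault(m.group("src"), set()).add(m.group("nat"))
    return counts, nat_seen


def smtp_suspects(
    lines: Iterable[str], mail_server: str = MAIL_SERVER
) -> List[Tuple[str, int, List[str]]]:
    """Every inside host other than the MTA that opened outbound SMTP
    connections: (host, connection count, public addresses it appeared from).
    Any entry here is a machine that should not be talking SMTP at all."""
    counts, nat_seen = outbound_smtp(lines)
    return sorted(
        (host, n, sorted(nat_seen[host]))
        for host, n in counts.items()
        if host != mail_server
    )


if __name__ == "__main__":
    for host, n, public in smtp_suspects(SAMPLE_LOG.splitlines()):
        print(f"{host}: {n} outbound SMTP connections, seen by the world as {', '.join(public)}")
```

On the constructed sample the only suspect is 192.168.1.77, and it appears from 209.248.146.34, which is exactly why the firewall's address, not the mail server's, ends up on the blocklists: PAT hides the workstation behind the firewall's own outside address. Telarin's rule on a PIX is an access-list applied on the inside interface that permits tcp from the mail server host to any eq smtp, then denies tcp any any eq smtp with the log keyword, then permits the rest; the log keyword turns that deny into an ongoing version of this detector, since every blocked attempt then names the offending inside host.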
Farelf Posted July 27, 2007

Deploying a Darknet sounds interesting, but that would be more at the nuvox.net level.