IanMorr Posted September 7, 2007

One of my two outgoing mail servers was listed.

----
<tulsmtp02.willbros.com #5.0.0 X-Postfix; host sv1.westfallcomputing.com[209.223.47.84] said: 554 5.7.1 Service unavailable; Client host [12.41.208.210] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?12.41.208.210 (in reply to RCPT TO command)>
----

It appears to have just delisted, but a couple of hours ago returned:

----
12.41.208.210 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week
----

I thought I was locked down pretty tight, but I guess I'm 0 for 2. I've done a little digging around, tightened a couple of things and I would appreciate any suggestions on where else to look.

Our incoming mail goes through Vamsoft's ORF, then Trend's IMSS before being passed to Exchange 2003. Outgoing is sent from the IMSS box. Both NAT to 12.41.208.210. They sit in the DMZ and they're not doing AD lookups, so they're not checking for valid addresses. Exchange is handling the bounces for any mail that gets through.

I don't allow OoO responses to Internet recipients, but I do send NDR's. The business wants them, and since almost all incoming spam gets dropped by ORF or quarantined with no response by IMSS, I felt most NDR's that went out from Exchange would be legit, so it hasn't been a hill I'm willing to die for. Should it be? If these are indeed the culprit then I guess allowing ORF to do AD lookups would be a better solution for NDR's, but I anticipate a fight with the network security guys.

I did get a bunch of reports of the "greeting card" spam being caught by our anti-virus, so some may have slipped through. Workstations all run McAfee VirusScan 8.0, with port 25 blocked. The policy is enforced through ePO, but we've had VirusScan defeated before and there are sometimes non-company machines on guest networks that would get NAT'd to the same IP.

I don't see anything abnormal in the running firewall logs, but don't have a lot of history to look at. I'm now dumping to a syslog server. I've (just now) started blocking port 25 from the users and guests VLAN to the Internet, which will hopefully take care of any more reports.

Should I have received copies of these reports in my Postmaster account? I didn't see any, but it gets a lot of crud and my delete finger is sometimes a bit too quick.

Thanks for any help or advice you can offer.
Telarin Posted September 7, 2007

As far as reports go, those are currently going to abuse[at]att.net. Generally spamcop ignores small IP blocks (7 or 15 IPs) in WHOIS data, but you might be able to get the deputies to override this if you ask them. I'm not sure exactly what their policy is on this though, so you'd have to talk to them to find out for sure. You would only get user reports however, as spamtrap addresses are maintained as secret.

On that note, you might consider contacting the deputies (deputies[at]admin.spamcop.net) to find out what TYPE of traffic they are seeing in the spamtraps. This will tell you if it is indeed NDRs, or if there was/is an infected machine somewhere on the network. The latter is pretty unlikely if you've got port 25 blocked at the firewall, but there could be other possibilities as well.

Hopefully one of the paying reporters can post a list of the reports that have been seen from that IP address, as they have access to past reports as well.
IanMorr (Author) Posted September 7, 2007

> On that note, you might consider contacting the deputies (deputies[at]admin.spamcop.net) to find out what TYPE of traffic they are seeing in the spamtraps. This will tell you if it is indeed NDRs,

Thanks for the advice. I've emailed the deputies and will wait for their response.
Wazoo Posted September 7, 2007

Recent history - user reports

Submitted: Thursday, September 06, 2007 4:21:28 PM -0500:
Your Privacy is being violated
2484602387 ( 12.41.208.210 ) To: abuse[at]att.net
---------------------------------------
Submitted: Thursday, September 06, 2007 7:44:23 AM -0500:
What you do online is no longer private.
2483806903 ( http://68.35.13.251/ ) To: abuse[at]comcast.net
2483806900 ( 12.41.208.210 ) To: abuse[at]att.net

Reports routes for 12.41.208.210:
routeid:30170879 12.0.0.0 - 12.255.255.255 to:abuse[at]att.net
Administrator found from whois records

Tracking details
Display data:
"whois 12.41.208.210[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-12-41-208-208-1
Display data:
"whois NET-12-41-208-208-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Ignoring small (7 IP) network
whois.arin.net contact: jhon_jenkins[at]willbros.com
checking NET-12-0-0-0-1
Display data:
"whois NET-12-0-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]att.net
12.0.0.0 - 12.255.255.255:abuse[at]att.net
Routing details for 12.41.208.210
Using abuse net on abuse[at]att.net
abuse net att.net = abuse[at]att.net
Using best contacts abuse[at]att.net

However, the 'real' issue may be seen by the numbers at http://www.senderbase.org/senderbase_queri...g=12.41.208.210 .. unless you know why the traffic has increased so much all of a sudden ...????

Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ..... 3.9 .. 1292%
Last month . 2.8
Merlyn Posted September 7, 2007

Looks like the numbers are going up according to senderbase:

Last day 3.9 1306%
Last month 2.8

that is a whole lot of mail
IanMorr (Author) Posted September 7, 2007

> However, the 'real' issue may be seen by the numbers at http://www.senderbase.org/senderbase_queri...g=12.41.208.210 .. unless you know why the traffic has increased so much all of a sudden ...????

Nope, there's no explanation I can think of other than that I've got a virus somewhere on the LAN. Thanks for highlighting that. I'll keep an eye on that stat over the weekend. Since we've now blocked port 25 from the LAN it should decrease. And at some point soon the culprit will pop up in my firewall logs.

Once this is cleaned up, I'd like to NAT the mail server to its own unique external IP address, this should make troubleshooting easier, but is it considered bad form?

I knew about this block because a mail was rejected by an external recipient. If a non-mail server address is spewing spam out and my ISP gets notified, but doesn't notify me then what?

> Looks like the numbers are going up according to senderbase:
> Last day 3.9 1306%
> Last month 2.8
> that is a whole lot of mail

Do you know if this updates in real time? Should I be seeing drops in the percentage already if I've caught this or will I need to wait until this time tomorrow?
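Added example, not part of any post in the thread: one way to pull the likely culprit out of the firewall syslog once outbound port 25 is blocked for the user and guest VLANs. The log layout, the internal addresses and the name `smtp_offenders` are constructed for illustration; adapt the regex to whatever the firewall actually emits.

```python
import re
from collections import Counter

# Constructed sample lines in a made-up syslog layout (not from the thread).
SAMPLE_LOG = """\
Sep  7 14:02:11 fw01 conn: action=allow proto=tcp src=192.168.50.10 dst=203.0.113.5 dport=25
Sep  7 14:02:12 fw01 conn: action=deny proto=tcp src=10.10.4.37 dst=198.51.100.20 dport=25
Sep  7 14:02:12 fw01 conn: action=deny proto=tcp src=10.10.4.37 dst=198.51.100.77 dport=25
Sep  7 14:02:13 fw01 conn: action=allow proto=tcp src=10.10.7.12 dst=203.0.113.9 dport=443
Sep  7 14:02:13 fw01 conn: action=deny proto=tcp src=10.10.4.37 dst=203.0.113.41 dport=25
Sep  7 14:02:14 fw01 conn: action=deny proto=tcp src=10.10.7.12 dst=203.0.113.5 dport=25
Sep  7 14:02:15 fw01 conn: action=deny proto=tcp src=10.10.4.37 dst=198.51.100.3 dport=25
Sep  7 14:02:16 fw01 conn: action=allow proto=tcp src=192.168.50.10 dst=198.51.100.20 dport=25
"""

# Assumption: pre-NAT address of the only host that should ever send SMTP out.
MAIL_HOSTS = {"192.168.50.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sconn:\s"
    r"action=(?P<action>\w+)\sproto=tcp\s"
    r"src=(?P<src>[\d.]+)\sdst=(?P<dst>[\d.]+)\sdport=(?P<dport>\d+)$"
)

def smtp_offenders(log_text, mail_hosts=MAIL_HOSTS, threshold=3):
    """Return [(src, attempts, distinct_destinations)] for hosts other than
    the mail servers that tried TCP/25, busiest first.

    Denied attempts count too: after the block goes in, the deny lines are
    where an infected machine keeps showing up.
    """
    attempts = Counter()
    targets = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "25" or m["src"] in mail_hosts:
            continue
        attempts[m["src"]] += 1
        targets.setdefault(m["src"], set()).add(m["dst"])
    # Many distinct destinations from one workstation is the direct-to-MX
    # pattern of a spam bot; a single destination is more likely a mail client.
    return [(src, n, len(targets[src]))
            for src, n in attempts.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n, fanout in smtp_offenders(SAMPLE_LOG):
        print(f"{src}: {n} SMTP attempts to {fanout} distinct hosts")
```
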
Farelf Posted September 8, 2007

> ...Do you know if this updates in real time? Should I be seeing drops in the percentage already if I've caught this or will I need to wait until this time tomorrow?

Don't know that anyone here would have the precise answer to that. What is published at the IronPort site is at The SenderBase Network and in relation to the database that is said to be realtime etc. but nothing specific about the displayed data. I have noticed fairly frequent fluctuation (toggling between the same two values) over short timescales (minutes, sometimes). At the end of the day, from past cases, I'm thinking significant changes seem to be evident over a period of hours only, certainly not days.

> ...Once this is cleaned up, I'd like to NAT the mail server to its own unique external IP address, this should make troubleshooting easier, but is it considered bad form?

Sounds okay/normal but I'm not an admin. Others care to comment?

> ...I knew about this block because a mail was rejected by an external recipient. If a non-mail server address is spewing spam out and my ISP gets notified, but doesn't notify me then what?

Just guessing here but talk to your ISP as the first approach. You would need to set up abuse records which would involve their action within their IP block, may not be possible but they may have other solutions. Next try, as Will (Telarin) said, the Deputies may be able to over-ride regular reporting channels for a specific IP address or range, subject to whatever records changes and authorization requirements they might have.
StevenUnderwood Posted September 8, 2007

> ...Once this is cleaned up, I'd like to NAT the mail server to its own unique external IP address, this should make troubleshooting easier, but is it considered bad form?
>
> Sounds okay/normal but I'm not an admin. Others care to comment?

To my thinking, that would be the preferred way to handle a mail server (or any server). All the installations I have seen, the user community (client machines) has always been hidden behind one specific IP address different from the servers. This is in corporate environments where IP addresses were not really scarce, however.

Be careful that you have the address fixed, though, because if spam starts coming from a new IP address, it will be listed quicker because of the lack of good email to balance it out. Might be safer to change the IP address of your user community and monitor that IP's listing status (and senderbase stats) for spam. That way listings will not affect your mail server and you don't run into the "reputation" issues.
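Added example, not part of any post in the thread: a small check for monitoring an outbound IP's listing status, using the standard DNSBL convention of querying the reversed octets under the list's zone. The function names and the injectable `resolve` parameter are assumptions made so the logic can be exercised without network access.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build the DNS name to query: 12.41.208.210 -> 210.208.41.12.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def listing_status(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Return the list's answer (e.g. '127.0.0.2') if listed, None if not.

    Only a name-not-found error means "not listed"; timeouts and other
    resolver failures are re-raised so an outage is not read as a clean result.
    """
    not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno in not_found:
            return None
        raise
    # DNSBL answers live in 127.0.0.0/8. Anything else usually means a
    # resolver that rewrites NXDOMAIN, so the result cannot be trusted.
    if not answer.startswith("127."):
        raise RuntimeError(f"unexpected DNSBL answer {answer!r} for {ip}")
    return answer

def check_all(addresses, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Map each label (e.g. 'mail', 'users') to its listing status."""
    return {label: listing_status(ip, zone, resolve)
            for label, ip in addresses.items()}

if __name__ == "__main__":
    # 12.41.208.210 is the address from the thread; 192.0.2.10 is a
    # placeholder for a separate user-NAT address.
    print(check_all({"mail": "12.41.208.210", "users": "192.0.2.10"}))
```

Run from cron and alert on any value that is not `None`; checking the mail server address and the user NAT address separately shows which side a new listing belongs to.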
Wazoo Posted September 8, 2007

http://www.senderbase.org/senderbase_queri...g=12.41.208.210

Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 2.9 .. 37%
Last month .. 2.8
IanMorr (Author) Posted September 8, 2007

> http://www.senderbase.org/senderbase_queri...g=12.41.208.210
>
> Volume Statistics for this IP
> Magnitude Vol Change vs. Last Month
> Last day ...... 2.9 .. 37%
> Last month .. 2.8

Thanks everyone for your help and advice, still haven't found the culprit internally, but half the company has Friday off, so it could have been a laptop user. I will leave the mail server NAT'd to this IP and NAT the LAN to a different one.

Thanks again.
Miss Betsy Posted September 8, 2007

And thanks to you for taking this so seriously and working to track down the culprit! It is always great to hear from responsible server admins!

Miss Betsy
Wazoo Posted September 9, 2007

> Thanks everyone for your help and advice, still haven't found the culprit internally, but half the company has Friday off, so it could have been a laptop user.

The 'bad' part of that possibility ... per SenderBase's "Magnitude" Explained ... the difference between 3.9 and 2.9 is approximately 12,000 e-mails a day .... spread over 24 hours, probably not noticeable, but compressed into the somewhat normal 8-hour day, one would be looking at something along the lines of 25 e-mails a minute .... perhaps still not enough with a recent power-user type computer, but .... would still think that the user would/should have noticed some kind of performance hit ...????