wng Posted October 1, 2007 Share Posted October 1, 2007 Hi, I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening. This is the second time that I have been notified that my company e-mails have been labeled as spam. William wng[at]horngroup.com Link to comment Share on other sites More sharing options...
Miss Betsy Posted October 1, 2007 Share Posted October 1, 2007 What is happening is that emails from the same IP address that your company uses to send email have been reported as spam or 'misdirected bounces'. You may share an IP address with others. You may have an infected machine on your network that is sending spam without your knowledge. You may be accepting email and then sending a 'bounce' message to forged email addresses. You may have Out of Office replies replying to spam. Those are some of the reasons you may get a spamcop report or your company IP address may be on the spamcop blocklist. If you provide the IP address of the mail server that your company uses, people may be able to give better guesses on why you have a problem. Miss Betsy Link to comment Share on other sites More sharing options...
Derek T Posted October 1, 2007 Share Posted October 1, 2007 I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening. This is the second time that I have been notified that my company e-mails have been labeled as spam. Sorry, all our psychics are out of the office at the moment. Read the FAQs on how to avoid a rude/silly answer, supply an IP and we might be able to help you. Link to comment Share on other sites More sharing options...
wng Posted October 1, 2007 Author Share Posted October 1, 2007 Sorry, all our psychics are out of the office at the moment. Read the FAQs on how to avoid a rude/silly answer, supply an IP and we might be able to help you. 208.49.196.41 I supplied the IP in the header of the topic. Link to comment Share on other sites More sharing options...
Telarin Posted October 1, 2007 Share Posted October 1, 2007 *quietly points out that the IP address was listed in the subject* 208.49.196.41 resolves to exchange2.horngroup.com I'm guessing from that PTR record that this is most likely a dedicated mail server belonging to your company, so I'm going to ignore the "sharing an IP address" scenarios here. Does the rejection message you are getting back from bounced email indicate that it was blocked due to a spamcop listing? Currently your IP address is not listed, but I don't have the ability to see past reports, so perhaps a paying reporter will happen by soon and be able to post any reports that they can see. If there were any user reports, they would have been sent to abuse[at]gblx.net. I'm guessing that is probably your ISP, and not your organization direcly. You may want to check with those folks and find out why reports have not been forwarded to you for handling. What version of exchange are you running? I know with some older verisions (5.5 and earlier I believe), the default behavior was to accept all mail, and then generate an email later to the (almost always forged) envelope FROM address stating that the message could not be delivered. This is no longer acceptable behavior for a mail server, as those thousands of misdirected bounces go to uninvolved third parties, and are themselves no better than spam. I believe there is a hotfix for Exchange 5.5 on Microsoft's website that allows you to disable these misdirected bounces. More recent versions of exchange do not have this problem unless they are intentionally misconfigured. Is that IP address dedicated to JUST your mail server, or is it sitting on the same IP as the rest of your network using some kind of NAT device? If this is the case, and your router supports it, I would suggest blocking outbound connections to port 25 from anything except the mail server. There is generally no reason for PCs to try to send email direct to MX. This should also create entries in your firewall log when connections are attempted and rejected, which should help you track down an infected machine if that is causing the problem. Link to comment Share on other sites More sharing options...
Wazoo Posted October 1, 2007 Share Posted October 1, 2007 http://www.spamcop.net/w3m?action=checkblo...p=208.49.196.41 208.49.196.41 not listed in bl.spamcop.net http://www.senderbase.org/senderbase_queri...g=208.49.196.41 Volume Statistics for this IP Magnitude Vol Change vs. Last Month Last day ...... 2.0 .. -48% Last month .. 2.3 Appearance is that someone fixed something ...??? There is no "Report History" available at the moment (no known issues with that database) so that would imply (as per the Why am I Blocked? FAQ and Pinned entry) that the listing was due to spamtrap hits alone. Adn again, as per that referenced document and other FAQ entries, no one here can give you any detailed datsa. You must contact one of the few that have access to the database to see if they might give you some insight as to what hit the spamtraps. Link to comment Share on other sites More sharing options...
Merlyn Posted October 1, 2007 Share Posted October 1, 2007 I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening. This is the second time that I have been notified that my company e-mails have been labeled as spam. Hi, I need help understanding why you think you are on the Spamcop blocklist. Link to comment Share on other sites More sharing options...
DavidT Posted October 1, 2007 Share Posted October 1, 2007 Further on the IP in question...it's not listed on any other RBLs at the moment, near as I can tell, nor are there any reports in the SpamCop system, as Wazoo mentioned, so it makes one wonder if the IP was actually on the SCBL at all, or if the OP received some false indication thereof. DT Link to comment Share on other sites More sharing options...
Derek T Posted October 2, 2007 Share Posted October 2, 2007 208.49.196.41 I supplied the IP in the header of the topic. OOOOPS! so you did, so sorry, I didn't think to look there. Link to comment Share on other sites More sharing options...
GraemeL Posted October 2, 2007 Share Posted October 2, 2007 I need help in understanding why e-mails from my company were blocked. How are they determined to be spam? What can I do to prevent this from happening. This is the second time that I have been notified that my company e-mails have been labeled as spam. You have AUTH LOGIN enabled to allow users not on your network to send mail through your server after supplying a valid username/password combination. You also have an account on the system which has a very weak password. I'll send you a PM with the username and password after I post this. If you don't require remote users from arbitrary IPs to be able to use your server to relay mail, then you should disable that functionality. You should also check all of the passwords on your system to ensure that they are sufficiently complex to avoid brute forcing. The fact that you're not constantly listed on the SCBL and are not listed on other blocklists makes it probable that this is not your main problem. However, your machine is currently not secure and you should fix it immediately. You can grab the perl I used to test your box here. Link to comment Share on other sites More sharing options...
GraemeL Posted October 2, 2007 Share Posted October 2, 2007 Oops, hit reply instead of edit. Edit to add: On further investigation, you also have PCAnywhere available on the box. This, together with the weak password means that you should treat the box as having been totally compromised and remove it from the internet until such a time as you can format all of its drives and rebuild it from scratch. Dependant on your network/firewall configurations, you should probably also carry out a full audit of all of the machines on your internal network as the machine could have been used as a staging point for attacks against your internal networks. Link to comment Share on other sites More sharing options...
DavidT Posted October 2, 2007 Share Posted October 2, 2007 Graeme, will that scri_pt run on a Linux box? (I just tried and it died with "Can't locate Authen/SASL.pm in [at]INC") DT Link to comment Share on other sites More sharing options...
GraemeL Posted October 2, 2007 Share Posted October 2, 2007 Graeme, will that scri_pt run on a Linux box? (I just tried and it died with "Can't locate Authen/SASL.pm in [at]INC") Yup, I'm running it from a Linux box myself. SASL isn't a dependency for the scri_pt, but it may be a dependency for NET::SMTP which is needed by the scri_pt. try installing NET::SMTP via cpan and it should tell you the requirements. Link to comment Share on other sites More sharing options...
DavidT Posted October 2, 2007 Share Posted October 2, 2007 try installing NET::SMTP via cpan and it should tell you the requirements. Any risk involved in doing that on a shared web server? I've got a VPS account, where virtualization is used to wall off the various accounts sharing the same server, so we all have root access to our own sheltered zones. Thanks, DT Link to comment Share on other sites More sharing options...
GraemeL Posted October 2, 2007 Share Posted October 2, 2007 Any risk involved in doing that on a shared web server? I've got a VPS account, where virtualization is used to wall off the various accounts sharing the same server, so we all have root access to our own sheltered zones. Can't think of any. Since you're running in a virtual server, you effectively have your own box to play with without the risk of being able to mess up anybody else on the same physical machine. Run cpan and do "i NET::SMTP" and "i NET::SMTP_auth". I don't think the _auth extension is part of the default package. No idea why I put that requirement in a comment rather than in the documentation. When you do the installs, cpan will tell you all of the dependencies that you don't have installed yet and should offer to take care of them for you. Link to comment Share on other sites More sharing options...
DavidT Posted October 2, 2007 Share Posted October 2, 2007 Run cpan and do "i NET::SMTP" and "i NET::SMTP_auth" The first worked, but the second resulted in: cpan> i NET::SMTP_auth CPAN: Storable loaded ok Going to read /root/.cpan/Metadata Database was generated on Tue, 02 Oct 2007 05:36:43 GMT Strange distribution name [NET::SMTP_auth] No objects found of any type for argument NET::SMTP_auth CPAN also recommended that I do a "install Bundle::CPAN" but that failed with: Strange distribution name [Bundle::CPAN] Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/authors/id/A/AN/ANDK/Bundle-CPAN-1.856.tar.gz Out of memory! Terminal does not support GetHistory. ? DT Link to comment Share on other sites More sharing options...
GraemeL Posted October 2, 2007 Share Posted October 2, 2007 The first worked, but the second resulted in: cpan> i NET::SMTP_auth CPAN: Storable loaded ok Going to read /root/.cpan/Metadata Database was generated on Tue, 02 Oct 2007 05:36:43 GMT Strange distribution name [NET::SMTP_auth] No objects found of any type for argument NET::SMTP_auth hm, no idea. you can grab it from here a a tar bundle and do a manual install. CPAN also recommended that I do a "install Bundle::CPAN" but that failed with: Strange distribution name [Bundle::CPAN] Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/authors/id/A/AN/ANDK/Bundle-CPAN-1.856.tar.gz Out of memory! Terminal does not support GetHistory. Looks like you're too limited in memory with your virtual server. The GetHistory thing shouldn't be a problem, I get it myself. I wouldn't worry about upgrading it, though you might be able to get it to work with a manual install like I suggested for the _auth package above. This is really off-topic for here. Follow up with a post to the software forum if you need any more help. Link to comment Share on other sites More sharing options...
DavidT Posted October 2, 2007 Share Posted October 2, 2007 This is really off-topic for here. Follow up with a post to the software forum if you need any more help. Agreed, and will do. DT Link to comment Share on other sites More sharing options...
wng Posted October 2, 2007 Author Share Posted October 2, 2007 You have AUTH LOGIN enabled to allow users not on your network to send mail through your server after supplying a valid username/password combination. You also have an account on the system which has a very weak password. I'll send you a PM with the username and password after I post this. If you don't require remote users from arbitrary IPs to be able to use your server to relay mail, then you should disable that functionality. You should also check all of the passwords on your system to ensure that they are sufficiently complex to avoid brute forcing. Hey, Thanks for the help. Apparently my company got the problem resolved, so that is why it was not showing up on the list at first. We do seem to have some kind of problem with a "service[at]poste.it" mail. I think this might be the culprit that is triggering spam block. We are working on securing the server. Thanks a lot for your help all. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.