chrisa1967 Posted January 23, 2008

We have an Exchange server behind an ISA server and it is the address of the ISA box that is blacklisted.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 80.168.5.22 has no reverse dns

Part of our network is used by computers we have no control over and I suspect one or more of them has a virus. I cannot block SMTP for everything except our mail server because many of these machines mail out directly using SMTP / POP3. What I am looking for is any help you could offer in tracking down the offending machine(s). Many thanks.
Farelf Posted January 23, 2008

> ... What I am looking for is any help you could offer in tracking down the offending machine(s)

Hopefully a paying member will drop in and contribute the headers of the spam which were/was the subject of member report(s). Those (reports), with more detail, would have gone to abuse-noverbose[at]clara.net, can you access them there? Details of the spamtrap hits are not available, though those are the ones which do most of the damage in terms of getting an IP address listed. At this time 80.168.5.22 is due to time out of the bl in 4 hours, no further spam ensuing. Looks like an unusually restricted spam run: http://www.senderbase.org/senderbase_queri...ing=80.168.5.22
Telarin Posted January 23, 2008

You might consider getting a separate dedicated IP address for the mail server, especially if you don't have control over other computers sharing the primary IP address.
chrisa1967 (Author) Posted January 23, 2008

Thanks for the help. We have found the guilty party and we have removed eight trojans from the machine! I have recently taken on this network and it looks like we need to segregate the bits we don't have control over ASAP. Cheers!
Telarin Posted January 23, 2008

That is an excellent idea. If you have a reasonably high-end network connection, most providers won't have a problem giving you more than a single IP address. I know with my Comcast fiber all I have to do is call and ask and they'll give me another block as long as I can justify it. If nothing else, 1 IP for NAT for the workstations, and one IP for each server that needs to be accessible from the internet should help out a LOT. Just make sure to firewall off those server IPs so only the ports you actually need are open to the internet.
chrisa1967 (Author) Posted January 23, 2008

Thanks for that Telarin. It's an interesting scenario because part of our site is office space we rent out. Those users bypass all of our network apart from the ISA box. I think we will probably physically segregate the two parts in the future and operate them as different networks, but in the meantime a different IP is now top of my to-do list. We had trouble spotting the spammer because it turns out he was using a laptop and didn't come in until this afternoon. So no serious outbound SMTP traffic until he walked in, and then it went bonkers! Thanks again.
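A defender-side way to spot the kind of machine chrisa1967 describes (a host other than the mail server that suddenly opens many outbound SMTP connections once it joins the network), as an added example that is not code from the thread: it tallies outbound TCP/25 connections per internal source from constructed firewall-log lines in a hypothetical format, excludes the known mail server, and flags hosts whose busiest minute reaches a threshold. The log format, the addresses and the threshold are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of outbound-connection log lines: timestamp, src, dst, dport.
# The format is hypothetical and is NOT the real ISA Server log layout.
SAMPLE_LOG = """\
2008-01-23 09:05:12 192.168.1.10 203.0.113.25 25
2008-01-23 09:06:40 192.168.1.10 198.51.100.7 25
2008-01-23 13:40:01 192.168.1.77 203.0.113.25 25
2008-01-23 13:40:02 192.168.1.77 198.51.100.7 25
2008-01-23 13:40:02 192.168.1.77 192.0.2.44 25
2008-01-23 13:40:03 192.168.1.77 203.0.113.9 25
2008-01-23 13:40:05 192.168.1.77 198.51.100.12 25
2008-01-23 13:41:10 192.168.1.77 203.0.113.31 25
2008-01-23 13:42:30 192.168.1.55 198.51.100.7 110
2008-01-23 13:43:00 192.168.1.55 198.51.100.7 25
"""

MAIL_SERVER = "192.168.1.10"  # assumed address of the Exchange server


def parse_smtp_connections(log_text):
    """Yield (timestamp, src) for every outbound connection to TCP/25."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "25":
            continue  # ignore malformed lines and non-SMTP traffic (e.g. POP3)
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2]


def find_smtp_talkers(log_text, mail_server=MAIL_SERVER, burst_threshold=5):
    """Return {src: (total_connections, peak_per_minute)} for hosts other than
    the mail server whose busiest minute reaches burst_threshold connections.
    Per-minute bucketing catches a burst even when the daily total is small."""
    per_minute = defaultdict(Counter)
    for ts, src in parse_smtp_connections(log_text):
        if src == mail_server:
            continue  # the mail server is expected to talk SMTP
        per_minute[src][ts.replace(second=0)] += 1
    suspects = {}
    for src, minutes in per_minute.items():
        peak = max(minutes.values())
        if peak >= burst_threshold:
            suspects[src] = (sum(minutes.values()), peak)
    return suspects


if __name__ == "__main__":
    for src, (total, peak) in find_smtp_talkers(SAMPLE_LOG).items():
        print(f"{src}: {total} SMTP connections, peak {peak}/minute")
```

A host that legitimately sends a handful of messages directly, like 192.168.1.55 in the sample, stays below the burst threshold, while the infected laptop pattern stands out.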