melainine, posted February 10, 2008:

Hi! Can anyone help me? When I check senderscore.org I found that my IP is used by 4 domains which I don't authenticate. I want to know how they can access my IP and use it. I am not an open relay, I have rDNS and SPF. Please help me, because this problem is killing me.

[duplicate post http://forum.spamcop.net/forums/index.php?...ost&p=62569 in SpamCop Discussion > Discussions & Observations > SpamCop Email System & Accounts has been deleted]

melainine, posted February 10, 2008:

Please, I am still waiting for someone to help. Thank you!

Merlyn, posted February 10, 2008:

Hard to help without an IP address.

Farelf, posted February 10, 2008:

We are just users of the SpamCop systems, not staff, we do not know what IP address you refer to - unless it is the one you used to contact here. Some of us can see that.

http://www.senderbase.org/senderbase_queri...g=82.151.73.160

That is listed on SORBS, not SpamCop. Consulting SORBS:

    spam Sending Trojan or Proxy attempted to send mail from/to from=<imhcsbuh[at]el-puente.de> to=<7rrez[at]paticipating.domain> helo=<[82.151.73.160]>

Seeing mail.gimtel.mr [82.151.73.160]. Using http://www.robtex.com/dns/mail.gimtel.mr.html

    base            record  name             ip
    mail.gimtel.mr  A                        82.151.73.160
    gimtel.mr       NS      bow.mauritel.mr  82.151.90.1
                    NS      mail.gimtel.mr   82.151.73.160
                    MX      mail.gimtel.mr   82.151.73.160

    domains using this as mailserver - gimtel.mr
    domains using this as nameserver - gimtel.mr

I don't see four domains there. Mauritanian Telecommunication Company has many IPs listed on one or two blocklists. Which one are you talking about?

Farelf, posted February 10, 2008:

Just to add, the senderscore result for that IP is consistent with the initial statements: https://www.senderscore.org/lookup.php?lookup=82.151.73.160

Part of that site page says:

"Reputation Measures
Registered users can view the following reputation measures:
* Complaints
* Volume
* External Reputation
* Unknown Users
* spam Trap Hits"

So, melainine, have you viewed those materials? Were there complaints and/or spam trap hits from SpamCop?

Merlyn, posted February 10, 2008:

SORBS believes this is an exploitable server:

    Address and Port: 82.151.73.160
    Record Created: Tue Jan 15 20:08:45 2008 GMT
    Record Updated: Sun Jan 20 17:39:44 2008 GMT
    Additional Information: spam Sending Trojan or Proxy attempted to send mail from/to from=<imhcsbuh[at]el-puente.de> to=<7rrez[at]paticipating.domain> helo=<[82.151.73.160]>

melainine, posted February 11, 2008:

Thank you all, but I didn't find anything new. My IP is used by 4 other domains in senderscore.org, and they send spam from my IP. They are:

    Domain        Authenticated
    1cho.com      No
    el-puente.de  No
    fadro.de      No
    jemp.com.br   No

And this is a sample of what they sent (under full header there is my IP address):

    Subject: It's going to be a bumpy night, tell her to buckle down for the ride of her life
    From: "oma Lintag" <imenoh1952[at]1cho.com>
    Date: Thu, February 7, 2008 11:43 am
    To: chapman[at]chico.iecc.com
    Priority: Normal
    Options: View Full Header | View Printable Version

    Your Package will be all she wants on Valentine's Day.

Now I want to know how they can use my IP. And my reputation score is too small, how can I increase it? Thank you.

Derek T, posted February 11, 2008:

> Thank you all, but I didn't find anything new. My IP is used by 4 other domains in senderscore.org, and they send spam from my IP. They are:
>
>     Domain        Authenticated
>     1cho.com      No
>     el-puente.de  No
>     fadro.de      No
>     jemp.com.br   No
>
> Now I want to know how they can use my IP. And my reputation score is too small, how can I increase it? Thank you.

The 'from' field in spam is always forged: 'they' didn't send it, spammers did. The spammers obviously have more control over your server than do you. Unplug that machine from the internet until someone with a clue has rebuilt it from the ground up. The only way to improve reputation is to stop the spam.

melainine, posted February 11, 2008:

I have a LAN and a Linux server. I removed the server machine and formatted it, but it is still the same. How can I know which of my machines sends, and HOW CAN THEY USE MY IP?

Miss Betsy, posted February 11, 2008:

You can look at the logs. You need to have a firewall. Then you can look at the firewall logs and see where the activity is. I don't remember now whether anyone has mentioned only allowing Port 25 for outgoing mail. I am not a server admin so I don't know all the tricks, but those are two that are essential in this time of spam and spam bots.

You also need to scan all your machines for viruses and trojans. And install good anti virus programs on them.

Miss Betsy

melainine, posted February 11, 2008:

Thanks so much, Miss Betsy. How can I see the traffic on port 25? I also checked the log, and my major question is how these domains used my IP. Thanks.

Miss Betsy, posted February 11, 2008:

They have installed a program on one of your computers that sends spam email. Sometimes the programs are very difficult to get rid of. You might need to hire a professional to help you.

Miss Betsy

melainine, posted February 11, 2008:

They installed it on one of my machines, or on the server which I rebuilt?

Derek T, posted February 11, 2008:

> Thanks so much, Miss Betsy. How can I see the traffic on port 25? I also checked the log, and my major question is how these domains used my IP. Thanks.

'These domains' did NOT use your IP, 'These domains' are forgeries. A spammer has installed a trojan on a machine on your network OR hacked your SMTP server.

melainine, posted February 11, 2008:

Thanks. If it is a trojan, is it enough to scan the computer that might be infected, which I don't know? If it is a hack on my SMTP, what can I do?

Derek T, posted February 11, 2008:

> Thanks. If it is a trojan, is it enough to scan the computer that might be infected, which I don't know? If it is a hack on my SMTP, what can I do?

You can probably trace the infected machine by examining your firewall logs for suspicious activity. Trojans often don't use port 25 so set your SMTP to relay ONLY what comes in on port 25. If SMTP AUTH is not needed, switch it off. These I have gleaned from being around here for a few years, I am not an Admin but someone who knows more will be along shortly!

I have checked your server for weak passwords and not found any, but absence of evidence is not evidence of absence.

Pay special attention to laptops when looking for trojanned machines.

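
The firewall-log check suggested in the posts above, as an added example that is not part of the original thread: it counts new outbound connections to TCP port 25 per internal host and lists every host other than the mail server. It assumes a gateway firewall that logs forwarded connections in netfilter LOG format; the LAN range, the mail server address and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for this example, not details from the thread:
LAN = ip_network("192.168.1.0/24")   # internal address range
MAIL_SERVER = "192.168.1.10"         # the only host that should send mail out

# Constructed sample in netfilter LOG format (documentation address ranges).
SAMPLE_LOG = """\
Feb 11 10:02:13 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=25 SYN URGP=0
Feb 11 10:02:13 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=25 DPT=40112 ACK SYN URGP=0
Feb 11 10:02:14 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=25 SYN URGP=0
Feb 11 10:02:14 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP SPT=1046 DPT=25 SYN URGP=0
Feb 11 10:02:15 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.90 PROTO=TCP SPT=1047 DPT=25 SYN URGP=0
Feb 11 10:02:16 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.5 PROTO=TCP SPT=3391 DPT=80 SYN URGP=0
Feb 11 10:02:17 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.7 PROTO=TCP SPT=3392 DPT=25 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def outbound_smtp_by_host(log_text):
    """Count new outbound TCP/25 connections (bare SYN) per internal source."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = set(line.split())
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        if "SYN" not in flags or "ACK" in flags:   # connection attempts only
            continue
        try:
            src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue                               # malformed line, skip it
        if src in LAN and dst not in LAN:
            counts[str(src)] += 1
    return counts

def suspects(log_text):
    """Internal hosts, other than the mail server, that spoke SMTP to the outside."""
    counts = outbound_smtp_by_host(log_text)
    return sorted(((h, n) for h, n in counts.items() if h != MAIL_SERVER),
                  key=lambda item: -item[1])

if __name__ == "__main__":
    for host, n in suspects(SAMPLE_LOG):
        print(f"{host} opened {n} outbound SMTP connections, bypassing the mail server")
```
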
agsteele, posted February 12, 2008:

> If it is a trojan, is it enough to scan the computer that might be infected, which I don't know? If it is a hack on my SMTP, what can I do?

Hi melainine!

I am sure you have sympathy and understanding from folk here. You are in a tough spot with the situation you face. However, it seems from the questions you are asking that you really need to get help from somebody with more technical expertise than yourself. I doubt that anyone here can do very much to help you by Email and forum posts. Of course these may point you in the right direction but I think you should look for a local IT person with the necessary experience and expertise to supplement your abilities.

Andrew

melainine, posted February 12, 2008:

agsteele: you disappointed me.

Derek T: how do I do that, and how do I switch SMTP AUTH off? Thank you so much.

Miss Betsy, posted February 12, 2008:

Derek and I are not server admins. All we know is that you should be careful with your SMTP AUTH. Server admins are very busy people. Sometimes they don't mind helping another server admin with a tough problem, but they really don't have time to instruct someone on how to be a server admin. There are others who look at these posts who make their living by fixing other people's computer problems. Again, they are often willing to help with suggestions and advice in tough problems or to help a newbie with a simple problem. But they have to make a living.

Another problem is that there is more to make secure than just the SMTP AUTH. It would be very long and tedious to check all the potential problems by question and answer posts in this forum. Even if someone took the time to tell you how to set up your mail server, unless you understand all the other aspects also, you could still be open to having spam being sent from your computer.

If you want to be a responsible netizen, then you will find someone to either set your computer up correctly or teach you how. There are other forums where users of particular types of email programs and email servers ask questions. If you are using a Microsoft Exchange server, for instance, you can ask questions in a Microsoft Exchange user forum about how to set up your SMTP AUTH.

Here are links from the SpamCop FAQ "Why Am I Blocked": "To prevent SMTP relaying with Microsoft Exchange" and "How to block open SMTP relaying and clean up queues" - the last one is a link to Microsoft help and support. There are several other links in that FAQ plus information about php mailer program, another place where spammers can invade.

Miss Betsy

Derek T, posted February 12, 2008:

> If you are using a Microsoft Exchange server, for instance, you can ask questions in a Microsoft Exchange user forum about how to set up your SMTP AUTH.
>
> Here are links from the SpamCop FAQ "Why Am I Blocked": "To prevent SMTP relaying with Microsoft Exchange" and "How to block open SMTP relaying and clean up queues" - the last one is a link to Microsoft help and support. There are several other links in that FAQ plus information about php mailer program, another place where spammers can invade.

It's a Linux server, (s)he said so up-thread. I think it's a case of 'if you have to ask, you need to get a professional in'.

OP: there /are/ admins in this forum. Please post /exactly/ what server and version you are using, ditto firewall. Did you check the firewall logs yet?

melainine, posted February 13, 2008:

Miss Betsy: thanks. Here I found people who can help me, or at least share their knowledge with me. It is not sure that the problem will be solved, but from here I can understand it and get a clear view of it, and the most important thing is to see that there are some people like you for support.

DarkT: yes, I checked the logs and I didn't see any NON-auth outgoing mails. I use Fedora Core 3 and sendmail.

agsteele, posted February 13, 2008:

> agsteele: you disappointed me.

Sorry to have been a disappointment - seems to be the story of my life.

But as Miss Betsy and Derek T have noted you are asking some pretty basic questions. You really sound like you need someone local to guide you through these steps.

Andrew

melainine, posted February 13, 2008:

yes

Miss Betsy, posted February 13, 2008:

> yes

Glad you found someone local! Once you understand how it works, you will be a valuable netizen! You are persistent in finding out what is going on and that's really good!

Miss Betsy

Derek T, posted February 13, 2008:

> DarkT: yes, I checked the logs and I didn't see any NON-auth outgoing mails. I use Fedora Core 3 and sendmail.

And the firewall? Which firewall are you using and what do its logs say? The spew continues so there's something infected in there.

This topic is now archived and is closed to further replies.