&;$/&$)&/$)&$? Spammers



The_Librarian
20-04-2012, 06:00 AM
So I got a complaint from our ISP that we're sending out spam. Logged in to the Exchange server, and took a shufty at the mail queues via the exchange manager.

700+ queues of spam. :wtf:

Cleaned up the active queues, and a bit more.

Then I went off to have a shufty at the log files. The log file for Tuesday was over 1Gb in size, and the log for Wednesday was over 500Mb in size. :eek: I kid you not.

Word, Notepad and Wordpad all balked at opening those log files.

So I copied them over to a Linux PC and took a shufty at these.

Found out that the spammer was using a static IP (hence blacklisting not working).... In a fit of rage I entered both his domain and static IP in the 'deny' lists.

Will post pics later up on what and where though.

Today I will be implementing a Linux mail filtering solution, to stop pesky buggers like this... this... ****** from spamming us again. And I'll contact Spamhaus to get that IP listed.

It could also be that somebody else's email server got compromised, though....

PsyWulf
20-04-2012, 06:30 AM
Your exchange is misconfigured ;)

I suspect it's an open relay. If you send me the IP I can confirm and tell you how to lock it down.

The_Librarian
20-04-2012, 06:34 AM
Your exchange is misconfigured ;)

I suspect it's an open relay. If you send me the IP I can confirm and tell you how to lock it down.

Nope.

The chappie who installed it did indeed misconfigure it, and it was open. Googled for it, and locked it down pronto.

I PM'd you, if you can just check and make sure?

Thanks!

shakes1
20-04-2012, 07:01 AM
A quick question, how did the culprit discover your mail server was an open relay? Is it perhaps a high impact domain, so everyone knows about it... Thinking out loud...

Mind sharing which ISP picked up this problem?

PsyWulf
20-04-2012, 07:07 AM
It's easy enough to script a test connection to port 25 in an IP range and log any responses that aren't deny for later use ;)

Will test it now libs

PsyWulf
20-04-2012, 07:12 AM
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

shakes1
20-04-2012, 07:26 AM
Oh high and mighty scripter... Please point me in the right direction so that I could learn some of your ways...

:)

*darn, still can't quote on mobile*

PsyWulf
20-04-2012, 07:33 AM
Lol, no, it's something that could be abused :P

Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response for RCPT TO: "external address", which you'd log.

The_Librarian
20-04-2012, 07:51 AM
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

Thanks, will take a shufty at that. But I think it's already enabled, won't hurt to make double sure.

Cleaned out the last bits of "retry" spam queues. So far so good.

Log files indicate that said spammer did try to connect and send spam, but instead got a .!.. :D :D :D

The ISP is Internet Solutions. I'm glad it was them - and not Spamhaus...

The_Librarian
20-04-2012, 07:52 AM
Lol, no, it's something that could be abused :P

Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response for RCPT TO: "external address", which you'd log.

Or probing for open port 25's on an IP range, log these, then spam these with mail hoping something goes through... :rolleyes:

Crafty dang spammers :mad:

The_Librarian
20-04-2012, 07:55 AM
By the by, my firewall is locked down tight on outgoing ports. Nobody can smtp to the outside, only the email server can. Which means they have to smtp to the email server in order to send their message(s)...

Yonkers ago I got blacklisted :o What happened was that somebody got a spam mail with "Free games!!!" as the subject, forwarded it to his buddies at work, opened the attachment, and got turned into a spambot :mad: :rolleyes: Now I totally deny any outgoing port 25 request - if they need to check their gmail, they can use a web browser. So sorry, but I'm not gonna fall for that thing again.

Took a day or two for me to clean up the mess. I ***** him out good and proper. :D

Chunkyfeather
20-04-2012, 08:34 AM
Word, Notepad and Wordpad all balked at opening those log files.

So I copied them over to a Linux PC and took a shufty at these.


Ummmm, you use Windows and you use those silly apps? Why haven't you installed Notepad++?

Species8472
20-04-2012, 09:28 AM
Ummmm, you use Windows and you use those silly apps? Why haven't you installed Notepad++?

Or try MetaPad, works great with huge files.

Glad you found the spam and shut it down quickly, that could have been really bad for you if you got blacklisted.

PsyWulf
20-04-2012, 09:42 AM
Actually your SMTP is listed on 2 lists at the moment libs :P

The_Librarian
20-04-2012, 01:12 PM
Actually your SMTP is listed on 2 lists at the moment libs :P

MEH

Which lists?

The_Librarian
20-04-2012, 01:23 PM
MEH

Found http://www.mxtoolbox.com/blacklists.aspx

Yup, am on two "backscatter" email lists.

Bladdy spammers :mad:

It just makes me so **** angry...

The_Librarian
20-04-2012, 02:35 PM
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

Any articles on how to do that?

The_Librarian
20-04-2012, 02:35 PM
Implemented a ClearOS mail filter which sits between the Exchange and the firewall.

Still early days, but will leave it running and see what happens.

PsyWulf
20-04-2012, 03:57 PM
Any articles on how to do that?

Look up recipient filtering for your exchange version

The_Librarian
21-04-2012, 08:05 PM
Look up recipient filtering for your exchange version

Forgot about msexchange.org

Found out how, did it.

Now I gotta tweak the spam filters...

Pr⊕phet
21-04-2012, 08:09 PM
Forgot about msexchange.org

Found out how, did it.

Now I gotta tweak the spam filters...

m-sex-change? :eek:

The_Librarian
22-04-2012, 08:53 AM
Ok guys

Said spammer did indeed send out copious amounts of spam. His IP is 74.238.194.123

How do I report this so that it can be blacklisted? I can forward log files proving that he loaded the server with spam.

In the meantime I have added a blacklist entry for his IP so he can do diddly-squat.

j4ck455
22-04-2012, 09:09 AM
These (use all of them):

www.spamhaus.org
www.spamcop.net
www.dnsbl.info

Those above are aimed at punishing the ISP for allowing its network to be used by spammers and force the ISP to suspend the spammer's broadband account.

And then do this one as well for good measure:


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.238.194.123?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 74.224.0.0 - 74.255.255.255
CIDR: 74.224.0.0/11
OriginAS: AS6389
NetName: BELLSNET-BLK18
NetHandle: NET-74-224-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
Comment: For Abuse Issues, email abuse@att.net. NO ATTACHMENTS. Include IP address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2006-01-17
Updated: 2012-04-16
Ref: http://whois.arin.net/rest/net/NET-74-224-0-0-1

OrgName: BellSouth.net Inc.
OrgId: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US
RegDate: 1995-03-02
Updated: 2010-09-20
Comment: For Abuse Issues, email abuse@att.net.
Comment: For Subpoena Issues, please email ipadmin@bellsouth.net with "SUBPOENA" in the subject line.
Comment:
Comment: Rwhois rwhois.eng.bellsouth.net 4321
Ref: http://whois.arin.net/rest/org/BELL

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-919-319-8265
OrgAbuseEmail: abuse@att.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE81-ARIN

OrgTechHandle: IPOPE3-ARIN
OrgTechName: IP Operations
OrgTechPhone: +1-888-510-5545
OrgTechEmail: ipoperations@bellsouth.net
OrgTechRef: http://whois.arin.net/rest/poc/IPOPE3-ARIN

RAbuseHandle: ABUSE81-ARIN
RAbuseName: Abuse Group
RAbusePhone: +1-919-319-8265
RAbuseEmail: abuse@att.net
RAbuseRef: http://whois.arin.net/rest/poc/ABUSE81-ARIN

RTechHandle: IPOPE3-ARIN
RTechName: IP Operations
RTechPhone: +1-888-510-5545
RTechEmail: ipoperations@bellsouth.net
RTechRef: http://whois.arin.net/rest/poc/IPOPE3-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

The_Librarian
22-04-2012, 09:45 AM
Right... so gonna complain of that abuse, thanks.

The_Librarian
22-04-2012, 12:45 PM
A snippet from my log:

2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clgaa@pldt.com.ph 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clhaney@crosstel.net 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clhdg@alloymail.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

>snip<

2012-4-21 23:57:24 GMT 74.238.194.123 User mx.b.hostedemail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

2012-4-21 23:57:24 GMT 74.238.194.123 User mx.b.hostedemail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

>some more snipping<

2012-4-21 23:57:24 GMT 74.238.194.123 User COL0-MC1-F47.Col0.hotmail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

2012-4-21 23:57:24 GMT 74.238.194.123 User COL0-MC1-F47.Col0.hotmail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

>aaaaaaaand some more snipperings<

2012-4-21 23:57:24 GMT 74.238.194.123 User BAY0-MC4-F34.Bay0.hotmail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -

2012-4-21 23:57:24 GMT 74.238.194.123 User BAY0-MC4-F34.Bay0.hotmail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -


Over and over and over again... 900+ of this crap... The only thing that is static is the IP the spammer uses, so I assume he/she managed to compromise a server somewhere.

:mad:

It is permanently on a blacklist now (both firewall and email server). Not going to remove it anymore.
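The snippet above makes the pattern obvious by eye, but with a 1Gb log you want a script rather than Notepad. What follows is an added example, not code from this thread: a small Python script that parses Exchange 2003 message-tracking lines of the shape shown in the post, counts events per connecting IP and per sender, measures how many distinct recipients each message ID fanned out to, and flags any outside IP that pushed mail from a non-local sender to non-local recipients, which is the relay / compromised-account signature this thread is about. The field positions are taken from the snippet above; the local domain mycompany.co.za and the trusted LAN 192.168.50.0/24 are assumptions, four of the sample lines are the thread's own (with the wrapped host name rejoined) and the last sample line, a normal outbound message from a local user, is constructed.

```python
"""Added example: summarise Exchange 2003 message-tracking log lines to spot relay abuse.

Field positions follow the snippet in this thread: the line is whitespace-separated and
the subject is the only field that may itself contain spaces, so it is taken as everything
between the linked-message-id placeholder ("-") and the sender address.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the server's own mail domain and the LAN it trusts.
LOCAL_DOMAIN = "mycompany.co.za"
TRUSTED_NETS = [ip_network("192.168.50.0/24")]

# Four lines taken from the thread's snippet (wrapped host name rejoined) plus one
# constructed line showing what ordinary outbound mail from a local user looks like.
SAMPLE_LOG = """\
2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clgaa@pldt.com.ph 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clhaney@crosstel.net 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:24 GMT 74.238.194.123 User mx.b.hostedemail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:24 GMT 74.238.194.123 User COL0-MC1-F47.Col0.hotmail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:58:10 GMT 192.168.50.20 User mx.example.net MYSERVER 192.168.50.1 someone@example.net 1031 MYSERVERuSbh29cM3or0000004f@MYSERVER.mycompany.co.za 3 0 2048 1 2012-4-21 23:58:1 GMT 0 Version: 6.0.3790.3959 - Quote for next week alice@mycompany.co.za -
"""


def parse_line(line):
    """Return the fields this example needs, or None for blank or malformed lines."""
    t = line.split()
    if len(t) < 24 or t[2] != "GMT" or t[19] != "Version:":
        return None
    try:
        num_recipients = int(t[14])
    except ValueError:
        return None
    return {
        "timestamp": " ".join(t[0:3]),
        "client_ip": t[3],          # host that handed the message to our server
        "remote_host": t[5],        # remote mail host recorded for this event
        "recipient": t[8],
        "event_id": t[9],
        "msgid": t[10],
        "num_recipients": num_recipients,
        "subject": " ".join(t[22:-2]),
        "sender": t[-2],
    }


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False


def summarize(lines):
    """Count events per client IP and sender, record how many distinct recipients each
    message id fanned out to, and flag outside IPs relaying external->external mail."""
    by_ip, by_sender = Counter(), Counter()
    fanout = defaultdict(set)
    suspects = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        by_ip[rec["client_ip"]] += 1
        by_sender[rec["sender"]] += 1
        fanout[rec["msgid"]].add(rec["recipient"])
        foreign_sender = domain_of(rec["sender"]) != LOCAL_DOMAIN
        foreign_rcpt = domain_of(rec["recipient"]) != LOCAL_DOMAIN
        # Mail that is neither from us nor to us, arriving from outside the LAN,
        # is exactly what an open relay or a hijacked account produces.
        if foreign_sender and foreign_rcpt and not is_trusted(rec["client_ip"]):
            suspects.add(rec["client_ip"])
    return {
        "by_ip": by_ip,
        "by_sender": by_sender,
        "fanout": {m: len(r) for m, r in fanout.items()},
        "suspects": sorted(suspects),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, n in report["by_ip"].most_common():
        flag = "  <-- relay suspect" if ip in report["suspects"] else ""
        print(f"{ip:>16} {n:5d} events{flag}")
    for msgid, n in report["fanout"].items():
        print(f"{msgid}: {n} distinct recipients")
```

Against the real file, pass the open file object instead of the sample so it streams line by line: summarize(open("log.txt", encoding="utf-8", errors="replace")). A 1Gb log is no problem that way, and the suspect list plus the fan-out counts are what you attach to the abuse report.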

The_Librarian
22-04-2012, 03:39 PM
Reported the spammer to AT&T

Will report later to Spamhaus etc.

:whistle:

satanboy
22-04-2012, 04:10 PM
Die spammers DIE!!

The_Librarian
23-04-2012, 08:18 AM
Added this:

smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
reject_unauth_destination,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
permit


Hope it does the trick... I'm getting fed up.

SORBS will delist today at 23:00 GMT. :rolleyes:
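The reject_rbl_client lines above and the mxtoolbox blacklist page do the same lookup: reverse the IPv4 octets, append the list zone, and ask DNS for an A record. Added example, not code from this thread or from Postfix: a Python script that builds the query name, tells a listing apart from a failed query, and explains the zen.spamhaus.org answer codes (which are the published ones; other zones use their own). The resolver is a parameter so the logic can be exercised offline; the default uses the OS resolver and needs network access, and the 192.0.2.1 address in the demo is a placeholder for your own MX address.

```python
"""Added example: the DNSBL lookup that reject_rbl_client (and the mxtoolbox page) performs.

Query name = reversed IPv4 octets + "." + zone.  NXDOMAIN means "not listed"; an A record
inside 127.0.0.0/24 means "listed" and its last octet identifies the sub-list; anything else
means the query itself went wrong (blocked resolver, wrong zone), not a listing.
"""
import socket
from ipaddress import ip_address, ip_network

LISTED_RANGE = ip_network("127.0.0.0/24")

# Published zen.spamhaus.org return codes by last octet (4..7 are all XBL); other zones differ.
ZEN_CODES = {
    2: "SBL - verified spam source",
    3: "SBL CSS - snowshoe / compromised sender",
    10: "PBL - ISP-maintained dynamic/end-user range",
    11: "PBL - Spamhaus-maintained dynamic/end-user range",
}


def dnsbl_name(ip, zone):
    """74.238.194.123 + zen.spamhaus.org -> 123.194.238.74.zen.spamhaus.org"""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve with the OS resolver; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def describe(zone, answer):
    """Turn a 127.0.0.x answer into the sub-list it denotes."""
    last = ip_address(answer).packed[-1]
    if zone == "zen.spamhaus.org":
        if 4 <= last <= 7:
            return "XBL - compromised host / open proxy"
        return ZEN_CODES.get(last, f"code {last}")
    return f"code {last}"


def check(ip, zone, resolver=system_resolver):
    """Return ("clean", ""), ("listed", reasons) or ("error", detail) for one zone."""
    answers = resolver(dnsbl_name(ip, zone))
    if not answers:
        return ("clean", "")
    reasons = []
    for a in answers:
        if ip_address(a) not in LISTED_RANGE:
            # e.g. Spamhaus answers outside 127.0.0.0/24 when the query came via a
            # blocked public resolver; treating that as "listed" would reject good mail.
            return ("error", f"unexpected answer {a} - not a listing; check your resolver")
        reasons.append(describe(zone, a))
    return ("listed", "; ".join(reasons))


def check_all(ip, zones, resolver=system_resolver):
    return {zone: check(ip, zone, resolver) for zone in zones}


if __name__ == "__main__":
    # Live lookups need network access; the zones are the two from the Postfix config above,
    # and 192.0.2.1 is a placeholder for the address you actually want to check.
    for zone, (status, detail) in check_all("192.0.2.1", ["zen.spamhaus.org", "bl.spamcop.net"]).items():
        print(f"{zone:20} {status:7} {detail}")
```

Run it against your own outbound address after a delisting to confirm the delisting took, and note the "error" branch: if your resolver gets a non-127.0.0.x answer you are not listed, your lookups are being refused, which is worth knowing before reject_rbl_client starts bouncing everything.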

The_Librarian
25-04-2012, 05:51 AM
Delisted from all but one blacklist. :D

Quite..... an interesting experience, I must say. Learnt something new. Tightened up email practices etc.

Looking at ASSP for email filtering as the ClearOS filter doesn't work.

Lino
25-04-2012, 05:56 AM
What is terrible is when one has been de-blacklisted and a week later one's machine starts sending out spam again.

Then it takes weeks to resolve and one has to beg them to delist one. Horrible experience. Libs, does your Exchange server make use of a smart host or does it deliver mail using MX records?

The_Librarian
25-04-2012, 06:10 AM
What is terrible is when one has been de-blacklisted and a week later one's machine starts sending out spam again.

Then it takes weeks to resolve and one has to beg them to delist one. Horrible experience. Libs, does your Exchange server make use of a smart host or does it deliver mail using MX records?

We don't make use of smart hosts; we deliver directly to the Internet. But I want to change that - get ASSP to filter both incoming and outgoing mail (if possible) to ensure that we don't pump out spam by accident.

And yes, it's a horrible experience.

The one ClearOS box I set up for a client does make use of smart hosts to deliver mail, but since that box runs fetchmail to retrieve their mail from their ISP, I don't need to worry about it sending out spam. Port 25 on that box is closed though.

The_Librarian
08-05-2012, 04:04 PM
Two weeks later and no more spammings. Yay.

I rebuilt our main Smoothwall as its IP block feature wasn't working - probably the HDD on its way out as it was a three-year old install.

I did a little Google on that IP, and found this :

http://www.bizimbal.com/odb/details.html?id=1069700

Quite interesting little busybody... seems he does a little bit here - a little bit there to stay under the radar.

I wonder if other people (Linoman etc) have the same spammer/IP as visitor...

j4ck455
08-05-2012, 05:44 PM
I rebuilt our main Smoothwall as its IP block feature wasn't working - probably the HDD on its way out as it was a three-year old install.

PATA/IDE HDD?

I've had quite a few HDDs die on me over the years in IPCop/SWEx boxes.

I suspect one might have better luck with an SSD HDD now that the prices are coming down.

The_Librarian
16-05-2012, 07:05 PM
PATA/IDE HDD?

I've had quite a few HDDs die on me over the years in IPCop/SWEx boxes.

I suspect one might have better luck with an SSD HDD now that the prices are coming down.

Yup, PATA

Been thinking of getting one big box, RAIDing it, installing Proxmox with a supported 4-port NIC and running Smoothwall virtualised....

On the topic - been quiet on the spam-injecting front. Yay.

The_Librarian
22-05-2012, 02:39 AM
Just checked our IP via mxtoolbox.com

All is green, not one single blacklist.

Time for a celebration, methinks :D

The_Librarian
02-07-2012, 08:45 AM
I have reason to believe that this poxy spammer is now exploiting vulnerable PCs in order to "offload" his junk onto other servers.

Got a lovely lot of spam queues (18000+) this morning :rolleyes:

Blacklisted IP 65.97.167.206 on firewall level.

Bah. :mad:

High time to look at ASSP. All other things are gonna be shelved until I have implemented it 100%.

The_Librarian
13-07-2012, 03:39 PM
ASSP installed and implemented. So glad. Spam is definitely down a bit. Greylisting works wonders :cool:

This might also be a recently-discovered vulnerability in Exchange 2003 itself...

Should be interesting to hear if other Exchange 2003 admins also got the same issue or not.

PsyWulf
13-07-2012, 03:45 PM
Nope,Mail Marshal and Postini are handling my pre-filtering ;)

The_Librarian
24-07-2012, 01:16 PM
:o

'Twas a compromised account.

:o


A big boo-hiss for M$ programmers who don't include the IP address when you do SMTP logging :mad:

At least it's sorted out now.