
Thread: &;$/&$)&/$)&$? Spammers

  1. #1 The_Librarian

    So I got a complaint from our ISP that we're sending out spam. Logged in to the Exchange server, and took a shufty at the mail queues via the exchange manager.

    700+ queues of spam.

    Cleaned up the active queues, and a bit more.

    Then I went off to have a shufty at the log files. The log file for Tuesday was over 1Gb in size, and the log for Wednesday was over 500Mb in size. I kid you not.

    Word, Notepad and Wordpad all balked at opening those log files.

    So I copied them over to a Linux PC and took a shufty at these.

    Found out that the spammer was using a static IP (hence blacklisting not working).... In a fit of rage I entered both his domain and static IP in the 'deny' lists.

    Will post pics later up on what and where though.

    Today I will be implementing a Linux mail filtering solution, to stop pesky buggers like this... this... ****** from spamming us again. And I'll contact Spamhaus to get that IP listed.

    Could also be that somebody else's email server got compromised, though....

    Christ-mass is NOT for Christians. Jeremiah 10.
    Is the 10 Commandments for Christians?

    Saturday is the Seventh day, Sunday is the first day.

    Shmiert Shpammer

  2. #2 PsyWulf

    Your Exchange is misconfigured.

    I suspect it's an open relay; if you send me the IP I can confirm and tell you how to lock it down.
    www.domaincheap.co.za
    50% off 1st month Afrihost Uncapped here - No contracts

  3. #3 The_Librarian

    Quote Originally Posted by PsyWulf:
        Your Exchange is misconfigured.

        I suspect it's an open relay; if you send me the IP I can confirm and tell you how to lock it down.

    Nope.

    The chappie who installed it did indeed misconfigure it, and it was open. Googled for it, and locked it down pronto.

    I PM'd you; if you can just check and make sure?

    Thanks!

  4. #4 shakes1

    A quick question: how did the culprit discover your mail server was an open relay? Is it perhaps a high-impact domain, so everyone knows about it... Thinking out loud...

    Mind sharing which ISP picked up this problem?

  5. #5 PsyWulf

    It's easy enough to script a test connection to port 25 across an IP range and log any responses that aren't a deny, for later use.

    Will test it now, Libs.

  6. #6 PsyWulf

    Yep, it's closed down now.

    There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

  7. #7 shakes1

    Oh high and mighty scripter... Please point me in the right direction so that I could learn some of your ways...

    *darn, still can't quote on mobile*

  8. #8 PsyWulf

    Lol, no, it's something that could be abused :P

    Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response to RCPT TO: "external address", which you'd log.

  9. #9 The_Librarian

    Quote Originally Posted by PsyWulf:
        Yep, it's closed down now.

        There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

    Thanks, will take a shufty at that. But I think it's already enabled; won't hurt to make double sure.

    Cleaned out the last bits of "retry" spam queues. So far so good.

    Log files indicate that said spammer did try to connect and send spam, but instead got a .!..

    The ISP is Internet Solutions. I'm glad it was them - and not Spamhaus...

  10. #10 The_Librarian

    Quote Originally Posted by PsyWulf:
        Lol, no, it's something that could be abused :P

        Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response to RCPT TO: "external address", which you'd log.

    Or probing for open port 25s on an IP range, logging these, then spamming them with mail hoping something goes through...

    Crafty dang spammers
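The probe PsyWulf describes in #8 (connect to port 25, HELO, then see whether RCPT TO an address outside the server's own domains gets a 250) is also exactly the check you run against your own server to confirm, as he did in #6, that the relay really is closed. The following is an added example in Python, not code from the thread or from any of the posters. It runs that dialogue against one host, stops after RCPT TO, and sends RSET and QUIT rather than DATA, so nothing is ever queued even if the relay turns out to be open. The host names and addresses (probe.example.net, probe@example.net, victim@elsewhere.example, fake.example.org) are made-up placeholders, and FakeSmtpServer is a constructed in-memory stand-in for a real MTA so the example runs offline.

```python
"""Single-host open-relay probe (HELO / MAIL FROM / RCPT TO) as described in the
thread, for checking a server you are responsible for.  Added example; every
host name and address below is a made-up placeholder."""
import socket


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
            break
    return int(line[:3]), "\n".join(lines)


def send_cmd(rfile, wfile, command):
    """Send one command line and return the server's (code, text) reply."""
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_check(rfile, wfile, helo_name, mail_from, rcpt_to):
    """Run the probe over an open connection; return (relay_open, transcript).
    DATA is never sent: after RCPT TO comes RSET then QUIT, so nothing is queued."""
    transcript = []
    code, text = read_reply(rfile)                   # 220 banner
    transcript.append(("<banner>", code, text))
    if code != 220:
        return False, transcript
    for command in ("HELO " + helo_name, "MAIL FROM:<%s>" % mail_from):
        code, text = send_cmd(rfile, wfile, command)
        transcript.append((command, code, text))
        if code != 250:                              # refused before RCPT: inconclusive
            send_cmd(rfile, wfile, "QUIT")
            return False, transcript
    command = "RCPT TO:<%s>" % rcpt_to
    code, text = send_cmd(rfile, wfile, command)
    transcript.append((command, code, text))
    send_cmd(rfile, wfile, "RSET")
    send_cmd(rfile, wfile, "QUIT")
    return code == 250, transcript                   # 250 for an outside RCPT = relay open


def check_host(host, port=25, timeout=10, helo_name="probe.example.net",
               mail_from="probe@example.net", rcpt_to="victim@elsewhere.example"):
    """Connect and probe a real host.  rcpt_to must be a mailbox you control
    that lies outside the target's own domains (placeholder values here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
        return relay_check(rfile, wfile, helo_name, mail_from, rcpt_to)


class FakeSmtpServer:
    """Constructed in-memory MTA so the example runs offline; serves as both rfile
    and wfile.  Accepts RCPT TO for its own domain, for others only if open_relay."""
    def __init__(self, local_domain, open_relay):
        self.local_domain, self.open_relay = local_domain.lower(), open_relay
        self.commands = []                           # verbs seen, for inspection
        self._inbuf = b""
        self._replies = [b"220 fake.example.org ESMTP ready\r\n"]
    def write(self, data):
        self._inbuf += data
        while b"\r\n" in self._inbuf:
            line, self._inbuf = self._inbuf.split(b"\r\n", 1)
            self._replies.append(self._reply(line.decode("ascii")))
    def flush(self):
        pass
    def readline(self):
        return self._replies.pop(0) if self._replies else b""
    def _reply(self, line):
        verb = line.split(None, 1)[0].upper()        # "RCPT TO:<x>" -> "RCPT"
        self.commands.append(verb)
        if verb in ("HELO", "EHLO"):
            return b"250 fake.example.org\r\n"
        if verb == "MAIL":
            return b"250 2.1.0 Sender OK\r\n"
        if verb == "RCPT":
            addr = line.split("<", 1)[1].rstrip(">").lower()
            if self.open_relay or addr.endswith("@" + self.local_domain):
                return b"250 2.1.5 Recipient OK\r\n"
            return b"550 5.7.1 Unable to relay\r\n"
        if verb == "RSET":
            return b"250 2.0.0 Resetting\r\n"
        if verb == "QUIT":
            return b"221 2.0.0 Bye\r\n"
        return b"500 5.5.1 Command unrecognized\r\n"


def demo():
    """Probe a constructed open relay and a constructed closed server; return
    {name: (relay_open, [verbs the server saw])}."""
    results = {}
    for name, open_relay in (("open", True), ("closed", False)):
        srv = FakeSmtpServer("example.org", open_relay)
        is_open, _ = relay_check(srv, srv, "probe.example.net",
                                 "probe@example.net", "victim@elsewhere.example")
        results[name] = (is_open, srv.commands)
    return results


if __name__ == "__main__":
    print(demo())                                    # real host: check_host("mail.example.org")
```

Two caveats when running this against a real server. A 250 to RCPT TO is strong evidence but not proof of relaying: some MTAs accept every recipient and only reject or bounce after DATA, so the definitive test is a full message to an address you control, which this example deliberately stops short of. And the recipient must be outside the target's own domains; RCPT TO for one of its local addresses is ordinary inbound delivery and will be accepted by a correctly closed server, as the second check in the test below shows.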

  11. #11 The_Librarian

    By the by, my firewall is locked down tight on outgoing ports. Nobody can smtp to the outside, only the email server can. Which means they have to smtp to the email server in order to send their message(s)...

    Yonks ago I got blacklisted. What happened was that somebody got a spam mail with "Free games!!!" as the subject, forwarded it to his buddies at work, opened the attachment, and got turned into a spambot. Now I totally deny any outgoing port 25 request - if they need to check their Gmail, they can use a web browser. So sorry, but I'm not gonna fall for that thing again.

    Took a day or two for me to clean up the mess. I ***** him out good and proper.

  12. #12 Chunkyfeather

    Quote Originally Posted by The_Librarian:
        Word, Notepad and Wordpad all balked at opening those log files.

        So I copied them over to a Linux PC and took a shufty at these.

    Ummmm, you use Windows and you use those silly apps? Why haven't you installed Notepad++?

  13. #13

    Quote Originally Posted by Chunkyfeather:
        Ummmm, you use Windows and you use those silly apps? Why haven't you installed Notepad++?

    Or try MetaPad; works great with huge files.

    Glad you found the spam and shut it down quickly, that could have been really bad for you if you got blacklisted.

  14. #14 PsyWulf

    Actually, your SMTP is listed on 2 lists at the moment, Libs :P

  15. #15 The_Librarian

    Quote Originally Posted by PsyWulf:
        Actually, your SMTP is listed on 2 lists at the moment, Libs :P

    MEH

    Which lists?
