Abuse Reports (emails)

Ulquiorra (Active Member; joined Apr 1, 2013; 54 messages; 5 reaction score)
I've received 12 abuse report emails from last night. And I have no idea what they mean, or what to do. As for the IP in question, there is no such device on my network. Any help or explanation regarding this would be much appreciated!

I'd like to add that the reports were all for different reasons (spam/virus), but always the same IP.

Here is a copy-paste of one of the emails that I received:

Hi,

We have received a complaint as outlined below, from an IP allocated to your company. Please investigate this issue and liaise with your client/user/employee as necessary. Please inform us of the actions taken and the outcome of your investigations by replying to this email.

--
Kind Regards,
IS Abuse

Please find below complaint information:
----------------------------------------
Subject: [clean-mx-spam-93550878] abuse report about 196.38.20.82 - Mon, 11 Jul 2016 12:06:11 +0200
Sent to: [email protected]
Parent VCP:
Suspected Activity: Spam
Client IP Address: 196.38.20.82
Client IP Netblock: 196.38.20.80/30
Company Name: hiding my company name
Service Identifier: metroclear
Stalled Status: Client notified

ORIGINAL COMPLAINT - 2375030
------------------------------------------------

Hello Abuse-Team,

your server with the IP 196.38.20.82 has attacked one of our servers on the service "postfix" at Time: Mon, 11 Jul 2016 12:06:11 +0200. The IP was automatically blocked for more than 10 minutes. To block an IP, it needs 3 failed logins, one match for "invalid user" or a 5xx error code (e.g. blacklist)!

Please check the machine behind the IP 196.38.20.82 (unknown) and fix the problem.
 
As for the IP in question, there is no such device on my network.

As for the IP, you won't find it on your network (LAN); that would rather be your public IP, the internet address used by devices on your network to go on the internet.

Without much information, all I can see is that the complainant claims there is attack traffic originating from your network (your public IP, which can be used by any one of your internal devices) and they need you to address the issue.

It could be due to many reasons, including one of your devices bearing an infection and being used as a bot to attack other hosts on the internet.
 
Of course you won't find that IP on your network; your IPs are NATed behind your default gateway. Check your router logs to see which device was spamming the remote IP.

It will become a bit more complex if you have a VPN (and I see you're using metroclear, so the odds are high) because then you'll have multiple sites and possibly in different cities in which the offending device could be located.
 
You need to start by checking the logs on your router and firewall (if it's a separate device), and then take it from there, depending on what you find.

It's also generally best to only allow outbound access to specific ports when needed by the host, i.e. only your mail server should be able to establish outbound connections on port 25, etc. User machines should only have outbound access on the ports they specifically need, like http, https, etc. See: https://en.wikipedia.org/wiki/Principle_of_least_privilege
 
If that IP address is not your public IP address, then let IS abuse know it does not belong to you.

A computer on your network might be infected: an end user machine, the mail server or another server.

Things like email crawlers gather random email addresses, then the infected machine is used as a spambot until a spamtrap catches the crawler.

As mentioned, the firewall/router logs are a good place to start your investigation. Scan your IP address for unnecessary open ports to the public; mxtoolbox will do this on some ports, and there are other sites and methods too.
 
Thanks for all the help regarding this so far. I will start going through the firewall logs on my router. I've established that the IP address in question is not my public IP address; therefore they have the wrong person responsible?
 
Postfix is for a mail server - so you're spamming their mail server with spam or logins by the looks of things.
 
Thanks for all the help regarding this so far. I will start going through the firewall logs on my router. I've established that the IP address in question is not my public IP address; therefore they have the wrong person responsible?

I highly doubt it, but without you providing further information it really is impossible to help. All we can see from the notice is that something behind that external IP is trying to a) send out spam or b) brute force their mail server login.

A quick port scan on that IP shows ports 80 and 443 open, so I'm guessing that's probably your firewall, and you're doing NAT to get out of / in to your network.

Additionally, why not outsource your IT if you're not able to do it yourself?
 
The IP listed in the email from IS would be your external IP address. You can confirm this by visiting a site like icanhazip.com (Assuming your internet access is configured to go via the same router).

You won't see that IP in your logs, you need to check for IPs from your internal address space (usually 192.168.x.x or 10.x.x.x) for IPs making outbound connections on port 25 and then have a closer look at that machine.

If you want, you can send me those log entries in a PM and I'll be happy to have a look at them.
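The replies above boil down to two concrete steps: go through the router/firewall logs looking for internal (192.168.x.x or 10.x.x.x) hosts making outbound connections to port 25, and then tighten egress so that only the mail server can open port 25 at all. The script below is an added example, not code from the thread or from any poster, that does both over a handful of constructed iptables-style LOG lines. The log format, the 192.168.1.0/24 addressing, the mail server address 192.168.1.10 and the port allow-list in POLICY are all assumptions chosen for the illustration.

```python
"""Find internal hosts talking SMTP to the internet and check flows against an
egress policy. Added example; the log lines, addresses and policy are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an iptables/netfilter "LOG" style (assumed format).
# 192.168.1.10 is the assumed mail server; 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
Jul 11 12:05:58 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=45012 DPT=25 SYN
Jul 11 12:06:01 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=60 TTL=127 PROTO=TCP SPT=51402 DPT=25 SYN
Jul 11 12:06:03 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 LEN=60 TTL=127 PROTO=TCP SPT=51403 DPT=25 SYN
Jul 11 12:06:04 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 LEN=60 TTL=127 PROTO=TCP SPT=51404 DPT=25 SYN
Jul 11 12:06:10 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.40 LEN=60 TTL=127 PROTO=TCP SPT=49200 DPT=443 SYN
Jul 11 12:06:11 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.40 LEN=60 TTL=127 PROTO=TCP SPT=49201 DPT=80 SYN
Jul 11 12:06:15 gw kernel: FORWARD IN=eth1 OUT=eth1 SRC=192.168.1.22 DST=10.0.0.5 LEN=60 TTL=127 PROTO=TCP SPT=49202 DPT=25 SYN
Jul 11 12:06:18 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.50 LEN=60 TTL=63 PROTO=TCP SPT=38800 DPT=22 SYN
Jul 11 12:06:20 gw sshd[1234]: Accepted publickey for admin from 192.168.1.2 port 50222 ssh2
"""

# RFC 1918 space: the thread's "192.168.x.x or 10.x.x.x" plus 172.16/12.
# Checked explicitly rather than via ipaddress.is_private, which also treats
# the documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed egress policy: only the mail server may reach port 25; every other
# host gets the small allow-list under "default". Adjust to your own network.
MAIL_SERVER = "192.168.1.10"
POLICY = {
    MAIL_SERVER: {25, 53, 80, 443, 587},
    "default": {53, 80, 443},
}

FIELD = {name: re.compile(rf"\b{name}=(\S+)") for name in ("SRC", "DST", "PROTO", "SPT", "DPT")}


def parse_line(line):
    """Return a flow dict from an iptables-style LOG line, or None for any other line."""
    flow = {}
    for name, rx in FIELD.items():
        m = rx.search(line)
        if not m:
            return None
        flow[name] = m.group(1)
    flow["SPT"] = int(flow["SPT"])
    flow["DPT"] = int(flow["DPT"])
    return flow


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_flows(log_text):
    """Parsed flows that leave RFC 1918 space for the internet (internal->internal is skipped)."""
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow and is_internal(flow["SRC"]) and not is_internal(flow["DST"]):
            yield flow


def smtp_talkers(log_text):
    """Internal hosts ranked by the number of outbound TCP/25 connections they opened."""
    return Counter(f["SRC"] for f in outbound_flows(log_text)
                   if f["PROTO"] == "TCP" and f["DPT"] == 25)


def egress_violations(log_text, policy=POLICY):
    """Outbound flows whose destination port the policy does not allow for that source."""
    return [(f["SRC"], f["DST"], f["DPT"]) for f in outbound_flows(log_text)
            if f["DPT"] not in policy.get(f["SRC"], policy["default"])]


if __name__ == "__main__":
    print("Outbound SMTP by internal host:")
    for src, n in smtp_talkers(SAMPLE_LOG).most_common():
        tag = "" if src == MAIL_SERVER else "  <-- not the mail server, look at this machine"
        print(f"  {src:<16} {n:>3}{tag}")
    print("Flows the egress policy would have blocked:")
    for src, dst, dpt in egress_violations(SAMPLE_LOG):
        print(f"  {src} -> {dst}:{dpt}")
```

Run against the sample, the mail server shows one outbound SMTP connection and 192.168.1.57 shows three, which is the machine to pull off the network and examine; the same 192.168.1.57 flows, plus a workstation making an outbound SSH connection, are what a default-deny egress rule set of the kind recommended above would have stopped before any abuse report was generated. Point the functions at your own firewall export and adapt the field regexes if your device logs in a different format.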
 