&;$/&$)&/$)&$? Spammers

The_Unbeliever

So I got a complaint from our ISP that we're sending out spam. Logged in to the Exchange server, and took a shufty at the mail queues via the exchange manager.

700+ queues of spam. :wtf:

Cleaned up the active queues, and a bit more.

Then I went off to have a shufty at the log files. The log file for Tuesday was over 1 GB in size, and the log for Wednesday was over 500 MB in size. :eek: I kid you not.

Word, Notepad and Wordpad all balked at opening those log files.

So I copied them over to a Linux PC and took a shufty at these.

Found out that the spammer was using a static IP (hence blacklisting not working).... In a fit of rage I entered both his domain and static IP in the 'deny' lists.

Will post pics later up on what and where though.

Today I will be implementing a Linux mail filtering solution, to stop pesky buggers like this... this... ****** from spamming us again. And I'll contact Spamhaus to get that IP listed.

Can also be somebody else's email server got compromised though....
 
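Added example, not code from the thread or from any of its posters: a small Python script that does the log triage described above (copy the huge SMTP log to a Linux box and find out who is relaying through you). It assumes a W3C extended log with a `#Fields:` header naming `c-ip`, `cs-method`, `cs-uri-query` and `sc-status` columns; the sample lines and the local domain `example.co.za` are constructed for the demonstration. It streams the file line by line, so a 1 GB log is no problem, and it reports, per client IP, how many RCPT TO commands the server accepted for external domains (relayed mail), for local domains, and how many it rejected.

```python
"""Summarise an SMTP protocol log to find clients relaying mail through the server."""
from collections import defaultdict
import re

# Assumed: the domains this server is supposed to accept mail for.
LOCAL_DOMAINS = {"example.co.za"}

# Constructed sample log (W3C extended format; the field names are assumptions,
# not a verbatim Exchange layout). '+' stands for a space in the query column.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-03-02 10:15:01 203.0.113.45 HELO +spamhost.invalid 250
2010-03-02 10:15:01 203.0.113.45 MAIL +FROM:<promo@spamhost.invalid> 250
2010-03-02 10:15:02 203.0.113.45 RCPT +TO:<victim1@example.net> 250
2010-03-02 10:15:02 203.0.113.45 RCPT +TO:<victim2@example.org> 250
2010-03-02 10:16:00 198.51.100.7 MAIL +FROM:<partner@example.com> 250
2010-03-02 10:16:00 198.51.100.7 RCPT +TO:<bob@example.co.za> 250
2010-03-02 10:17:30 203.0.113.45 RCPT +TO:<victim3@example.net> 550
"""

RCPT_RE = re.compile(r"TO:<([^>]+)>", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per log record, using the most recent #Fields header.

    Accepts any iterable of lines (an open file works), so the whole log
    never has to be held in memory.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # layout does not match the declared header; skip it
        yield dict(zip(fields, values))


def recipient_domain(query):
    """Extract the domain part of an RCPT TO:<user@domain> argument."""
    match = RCPT_RE.search(query)
    if not match or "@" not in match.group(1):
        return None
    return match.group(1).rsplit("@", 1)[1].lower()


def relay_report(records, local_domains):
    """Per client IP: (ip, relayed, local, rejected) sorted by relayed count."""
    stats = defaultdict(lambda: {"relayed": 0, "local": 0, "rejected": 0})
    for rec in records:
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        domain = recipient_domain(rec.get("cs-uri-query", ""))
        if domain is None:
            continue
        bucket = stats[rec["c-ip"]]
        if not rec["sc-status"].startswith("2"):
            bucket["rejected"] += 1       # server refused the recipient
        elif domain in local_domains:
            bucket["local"] += 1          # legitimate inbound delivery
        else:
            bucket["relayed"] += 1        # accepted mail for a foreign domain
    rows = [(ip, s["relayed"], s["local"], s["rejected"]) for ip, s in stats.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def relaying_clients(report):
    """IPs that got at least one external recipient accepted: relay abuse candidates."""
    return [ip for ip, relayed, _local, _rejected in report if relayed > 0]


if __name__ == "__main__":
    # With a real log: with open("ex100302.log") as fh: report = relay_report(parse_w3c(fh), LOCAL_DOMAINS)
    report = relay_report(parse_w3c(SAMPLE_LOG.splitlines()), LOCAL_DOMAINS)
    for ip, relayed, local, rejected in report:
        print(f"{ip:16} relayed={relayed} local={local} rejected={rejected}")
    print("relaying through us:", relaying_clients(report))
```

A client that shows up with a non-zero "relayed" count after the relay has been closed is worth a second look: either the lockdown missed a path (an authenticated account, a connector with relay permitted) or the log predates the fix. The constructed sample gives 203.0.113.45 two accepted external recipients and one rejection, and the legitimate sender 198.51.100.7 only local deliveries.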
Your exchange is misconfigured ;)

I suspect it's an open relay; if you send me the IP I can confirm and tell you how to lock it down.
 
Your exchange is misconfigured ;)

I suspect it's an open relay; if you send me the IP I can confirm and tell you how to lock it down.

Nope.

The chappie who installed it did indeed misconfigure it, and it was open. Googled for it, and locked it down pronto.

I PM'd you, if you can just check and make sure?

Thanks!
 
A quick question, how did the culprit discover your mail server was an open relay? Is it perhaps a high impact domain, so everyone knows about it... Thinking out loud...

Mind sharing which ISP picked up this problem?
 
It's easy enough to script a test connection to port 25 in an IP range and log any responses that aren't deny for later use ;)

Will test it now libs
 
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.
 
Oh high and mighty scripter... Please point me in the right direction so that I could learn some of your ways...

:)

*darn, still can't quote on mobile*
 
Lol, no, it's something that could be abused :P

Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response for RCPT TO: "external address", which you'd log.
 
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

Thanks, will take a shufty at that. But I think it's already enabled, won't hurt to make double sure.

Cleaned out the last bits of "retry" spam queues. So far so good.

Log files indicate that said spammer did try to connect and send spam, but instead got a .!.. :D :D :D

The ISP is Internet Solutions. I'm glad it was them - and not Spamhaus...
 
Lol, no, it's something that could be abused :P

Short answer is to generate a list of IPs in a range, usually by pinging an entire range and only logging responses (many ways to do this), and this logged list would be used for the 2nd part: connecting to port 25, sending a HELO, and waiting for a success response for RCPT TO: "external address", which you'd log.

Or probing for open port 25s on an IP range, logging these, then spamming these with mail hoping something goes through... :rolleyes:

Crafty dang spammers :mad:
 
By the by, my firewall is locked down tight on outgoing ports. Nobody can smtp to the outside, only the email server can. Which means they have to smtp to the email server in order to send their message(s)...

Yonkers ago I got blacklisted :o What happened was that somebody got a spam mail with "Free games!!!" as the subject, forwarded it to his buddies at work, opened the attachment, and got turned into a spambot :mad: :rolleyes: Now I totally deny any outgoing port 25 request - if they need to check their gmail, they can use a web browser. So sorry, but I'm not gonna fall for that thing again.

Took a day or two for me to clean up the mess. I ***** him out good and proper. :D
 
Ummmm, you use windows and you use those silly apps? Why haven't you installed Notepad++ ?

Or try MetaPad, works great with huge files.

Glad you found the spam and shut it down quickly, that could have been really bad for you if you got blacklisted.
 
Actually your SMTP is listed on 2 lists at the moment libs :P
 
Yep it's closed down now :)

There is one more thing you should check too, and that's to deny sending to any addresses not listed in Active Directory; it prevents those random mail bombers from hitting your internal mail stores.

Any articles on how to do that?
 
Implemented a ClearOS mail filter which sits between the Exchange and the firewall.

Still early days, but will leave it running and see what happens.
 