Velocity Reviews - Computer Hardware Reviews

Blocked ip by spam

 
 
Javier
      05-11-2005

Hi

My IP was blacklisted because somebody apparently spammed from it.

As I'm not spamming, I think maybe there is a worm in some machines on the
internal net, or somebody is using an external SMTP server from the
internal net to send spam.

However, I need to stop this, and then I need to do something to avoid
being blacklisted again.

I wonder if somebody out there has had a similar experience and could
give me a clue on how to detect why or who is generating the problem.

Thanks in advance

J
 
Michael Pelletier
      05-11-2005
Javier wrote:

>
> Hi
>
> My IP was blacklisted because somebody apparently spammed from it.
>
> As I'm not spamming, I think maybe there is a worm in some machines on the
> internal net, or somebody is using an external SMTP server from the
> internal net to send spam.
>
> However, I need to stop this, and then I need to do something to avoid
> being blacklisted again.
>
> I wonder if somebody out there has had a similar experience and could
> give me a clue on how to detect why or who is generating the problem.
>
> Thanks in advance
>
> J


Port 25 access in/out:
A couple of things I would suggest. If you have an SMTP gateway type setup,
only your internal mail server(s) should be allowed access to port 25
(SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
And of course your email (SMTP) gateways should have internal port 25
access to your internal email servers (DMZ to Internal). All other port 25
in/out should be blocked. This will prevent potential internal zombies from
getting Internet access to port 25 to the World.

Make sure your email (SMTP) gateways are not email forwarding for the World:
Second, audit your gateways and make sure you are not email forwarding to the
World... Your SMTP gateways should only be forwarding for your internal
email servers and nothing more.

Lock down your desktops:
Third, do you run your host PCs allowing local admin? This is a horrible
combination: non-technical users + local admin privs + surfing the web.
This is what spyware/malware/trojan writers dream of. If you can get away
from it you will save yourself a lot of gray hair.

Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
and Destroy + Microsoft's AntiSpyware + Adware

That should get you going anyway...

Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/
http://www.publicknowledge.org/
 
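Michael's port-25 policy can also be audited from the firewall's own logs: any internal host other than the mail server that opens port 25 outward is either a zombie or a user pointing a mail client at an outside SMTP server. The script below is an added example, not code from the thread; the iptables-style log format, the 192.168.1.0/24 addresses and the MAIL_SERVERS set are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall log in an assumed iptables-style format (not from the thread):
# one accepted outbound TCP connection per line, logged on the internal interface.
SAMPLE_LOG = """\
May 11 09:58:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP DPT=25
May 11 09:58:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP DPT=25
May 11 09:58:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.44 PROTO=TCP DPT=25
May 11 09:58:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.80 PROTO=TCP DPT=25
May 11 09:58:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.30 PROTO=TCP DPT=80
May 11 09:58:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP DPT=25
"""

# Hypothetical address: the only internal host sanctioned to speak SMTP outward.
MAIL_SERVERS = {"192.168.1.10"}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")


def port25_violations(log_text, mail_servers):
    """Map every non-mail-server host to the set of port-25 peers it connected to.

    Under the policy in the post these connections should not exist at all; each
    offending host needs a firewall block and a look for malware or a misconfigured
    mail client.
    """
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if src in mail_servers:
            continue  # sanctioned SMTP client; its volume is watched on the gateway
        offenders[src].add(dst)
    return dict(offenders)


def rank_suspects(violations):
    """Order offending hosts by distinct SMTP peers: a zombie delivering spam straight
    to many recipients' MX hosts fans out far wider than a user who configured a
    single external SMTP server."""
    return sorted(violations, key=lambda host: len(violations[host]), reverse=True)


if __name__ == "__main__":
    found = port25_violations(SAMPLE_LOG, MAIL_SERVERS)
    for host in rank_suspects(found):
        print(f"{host}: {len(found[host])} distinct port-25 peers -> {sorted(found[host])}")
```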
Unruh
      05-11-2005
Michael Pelletier <> writes:

>Javier wrote:


>>
>> Hi
>>
>> My IP was blacklisted because somebody apparently spammed from it.
>>
>> As I'm not spamming, I think maybe there is a worm in some machines on the
>> internal net, or somebody is using an external SMTP server from the
>> internal net to send spam.
>>
>> However, I need to stop this, and then I need to do something to avoid
>> being blacklisted again.
>>
>> I wonder if somebody out there has had a similar experience and could
>> give me a clue on how to detect why or who is generating the problem.


You give no clue as to what operating system you are using. Windows??
OS X?? Linux?? ...

Those spams need not be coming from you. They could be someone spoofing
your return address (if that is the basis on which you were blacklisted).
Have you seen any of the spams that were supposed to have come from you?
Look in the Received: lines and see if your machine's IP is listed.

Anyway, IF you are running Windows then this is very common. You need to
reinstall and then, before bringing it back online, install all of the
security patches, and thereafter be religious in keeping it up to date.
Install virus checkers, etc.



>>
>> Thanks in advance
>>
>> J


>Port 25 access in/out:


Not necessarily. Port 25 need only be used for incoming mail. The port used
to send out mail could be anything. Of course it needs to connect to other
machines on port 25, so that may have been what you meant.


>A couple of things I would suggest. If you have an SMTP gateway type setup,
>only your internal mail server(s) should be allowed access to port 25
>(SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
>And of course your email (SMTP) gateways should have internal port 25
>access to your internal email servers (DMZ to Internal). All other port 25
>in/out should be blocked. This will prevent potential internal zombies from
>getting Internet access to port 25 to the World.


>Make sure your email (SMTP) gateways are not email forwarding for the World:
>Second, audit your gateways and make sure you are not email forwarding to the
>World... Your SMTP gateways should only be forwarding for your internal
>email servers and nothing more.


>Lock down your desktops:
>Third, do you run your host PCs allowing local admin? This is a horrible
>combination: non-technical users + local admin privs + surfing the web.
>This is what spyware/malware/trojan writers dream of. If you can get away
>from it you will save yourself a lot of gray hair.


>Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
>and Destroy + Microsoft's AntiSpyware + Adware


All good advice. But if, as is usual, you were cracked and spam mail
software was installed, then reinstall your system. You will not be able to
figure out all the ways the crackers could have hidden malware on your
system. And remember that an unprotected, unpatched system has a lifetime
of minutes (certainly not hours) before it is cracked.
 
Michael Pelletier
      05-11-2005
Unruh wrote:

> Michael Pelletier <> writes:
>
>>Javier wrote:

>
>>>
>>> Hi
>>>
>>> My IP was blacklisted because somebody apparently spammed from it.
>>>
>>> As I'm not spamming, I think maybe there is a worm in some machines on the
>>> internal net, or somebody is using an external SMTP server from the
>>> internal net to send spam.
>>>
>>> However, I need to stop this, and then I need to do something to avoid
>>> being blacklisted again.
>>>
>>> I wonder if somebody out there has had a similar experience and could
>>> give me a clue on how to detect why or who is generating the problem.

>
> You give no clue as to what operating system you are using. Windows??
> OS X?? Linux?? ...
>
> Those spams need not be coming from you. They could be someone spoofing
> your return address (if that is the basis on which you were blacklisted).
> Have you seen any of the spams that were supposed to have come from you?
> Look in the Received: lines and see if your machine's IP is listed.


If he was blacklisted by a DNSBL then the spam email would have been
blacklisted by the spam sender's IP address, not the "from" address. If
someone has blacklisted him on their SMTP gateway(s) then you are correct:
they probably blocked his email address even when it was not technically
sent by him (spoofed). There are a lot of dumbass email "administrators"
that block by email address even when it was spoofed ;-(

> Anyway, IF you are running Windows then this is very common. You need to
> reinstall and then, before bringing it back online, install all of the
> security patches, and thereafter be religious in keeping it up to date.
> Install virus checkers, etc.


I would recommend using procmail or sendmail (latest version) on a non-Windows
box for your email gateways. This allows you to use anti-spam
applications like Razor, SpamAssassin, MIMEDefang (not only is it good at
filtering bad MIME emails but it is also very good at filtering/sanitizing
HTML email, by the way) and DNSBLs (you can use DNSBLs with windose too).


>
>
>
>>>
>>> Thanks in advance
>>>
>>> J

>
>>Port 25 access in/out:

>
> Not necessarily. Port 25 need only be used for incoming mail. The port
> used to send out mail could be anything. Of course it needs to connect to
> other machines on port 25, so that may have been what you meant.
>
>
>>A couple of things I would suggest. If you have an SMTP gateway type setup,
>>only your internal mail server(s) should be allowed access to port 25
>>(SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
>>And of course your email (SMTP) gateways should have internal port 25
>>access to your internal email servers (DMZ to Internal). All other port 25
>>in/out should be blocked. This will prevent potential internal zombies
>>from getting Internet access to port 25 to the World.

>
>>Make sure your email (SMTP) gateways are not email forwarding for the
>>World: Second, audit your gateways and make sure you are not email
>>forwarding to the World... Your SMTP gateways should only be forwarding for
>>your internal email servers and nothing more.

>
>>Lock down your desktops:
>>Third, do you run your host PCs allowing local admin? This is a horrible
>>combination: non-technical users + local admin privs + surfing the web.
>>This is what spyware/malware/trojan writers dream of. If you can get away
>>from it you will save yourself a lot of gray hair.

>
>>Fourth, run anti-spyware apps (use multiple ones). I have used Spybot
>>Search and Destroy + Microsoft's AntiSpyware + Adware

>
> All good advice. But if, as is usual, you were cracked and spam mail
> software was installed, then reinstall your system. You will not be able
> to figure out all the ways the crackers could have hidden malware on your
> system. And remember that an unprotected, unpatched system has a lifetime
> of minutes (certainly not hours) before it is cracked.


Yup, very true...

Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/
http://www.publicknowledge.org/
 
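Unruh's advice to read the Received: lines, and Michael's distinction between a DNSBL listing (keyed on the sending IP) and a gateway that blocks a spoofed From: address, can be checked mechanically on a returned spam sample. The script below is an added example, not code from the thread; OUR_IP, OUR_DOMAIN and the two header sets are constructed, and a spam sample in hand is assumed.

```python
import re
from email import message_from_string

# Hypothetical values: the public IP of the poster's gateway and his mail domain.
OUR_IP = "198.51.100.7"
OUR_DOMAIN = "example.org"

# Constructed sample headers (not from the thread), using documentation address ranges.
# Case 1: the mail really left through our gateway, handed in by an internal host.
RELAYED = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.isp.example with ESMTP id 1ABC; Wed, 11 May 2005 10:02:13 +0000
Received: from ws57 (unknown [192.168.1.57])
\tby mail.example.org with SMTP; Wed, 11 May 2005 10:02:10 +0000
From: "J" <j@example.org>

body
"""
# Case 2: only the From: address is ours; the message never touched our gateway.
SPOOFED = """\
Received: from bogus.example (unknown [203.0.113.44])
\tby mx.isp.example with ESMTP id 2DEF; Wed, 11 May 2005 10:05:00 +0000
From: "J" <j@example.org>

body
"""

# The address in square brackets is the TCP peer the receiving MTA saw for itself;
# the HELO name in front of it is whatever the sending side claimed.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Peer IPs from the Received: headers, most recent hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = BRACKET_IP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.group(1))
    return hops


def classify(raw, our_ip=OUR_IP, our_domain=OUR_DOMAIN):
    """Return (verdict, origin): 'relayed' plus the host that handed the mail to our
    gateway, 'spoofed' if only the sender address is ours, otherwise 'unrelated'.
    Only hops recorded by MTAs you trust (the top of the chain) are reliable; a
    spammer can prepend fabricated Received: lines below them."""
    hops = received_hops(raw)
    if our_ip in hops:
        i = hops.index(our_ip)
        return "relayed", (hops[i + 1] if i + 1 < len(hops) else None)
    sender = (message_from_string(raw).get("From") or "").lower()
    if f"@{our_domain.lower()}" in sender:
        return "spoofed", None
    return "unrelated", None
```

When the verdict is "relayed", the returned origin is the internal address that the gateway accepted the mail from, which is the machine to pull off the network and examine.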
Winged
      05-12-2005
Javier wrote:
>
> Hi
>
> My IP was blacklisted because somebody apparently spammed from it.
>
> As I'm not spamming, I think maybe there is a worm in some machines on the
> internal net, or somebody is using an external SMTP server from the
> internal net to send spam.
>
> However, I need to stop this, and then I need to do something to avoid
> being blacklisted again.
>
> I wonder if somebody out there has had a similar experience and could
> give me a clue on how to detect why or who is generating the problem.
>
> Thanks in advance
>
> J


If I were a betting man and the blocks were widespread, I would suspect
the mail server is an open relay. You might check to see if it is listed here:

http://www.ordb.org/faq/

There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
2003) that can allow your mail host to be compromised; exploits are in
the wild. The vulnerability is caused by a boundary error in the
"SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
X-LINK2STATE extended verb requests. This can be exploited to cause a
heap-based buffer overflow by connecting to the SMTP service and issuing
a specially crafted command. Essentially this allows the attacker to
run with system privileges.

More on this at:

http://secunia.com/advisories/14920/

Getting off blocked lists is far harder than getting on them.

You don't really provide enough data to troubleshoot your problem, nor
how long the problem has existed. I am just providing starting points to look at.

Winged
 
Michael Pelletier
      05-12-2005
Winged wrote:

> Javier wrote:
>>
>> Hi
>>
>> My IP was blacklisted because somebody apparently spammed from it.
>>
>> As I'm not spamming, I think maybe there is a worm in some machines on the
>> internal net, or somebody is using an external SMTP server from the
>> internal net to send spam.
>>
>> However, I need to stop this, and then I need to do something to avoid
>> being blacklisted again.
>>
>> I wonder if somebody out there has had a similar experience and could
>> give me a clue on how to detect why or who is generating the problem.
>>
>> Thanks in advance
>>
>> J

>
> If I were a betting man and the blocks were widespread, I would suspect
> the mail server is an open relay. You might check to see if it is listed
> here:
>
> http://www.ordb.org/faq/
>
> There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
> 2003) that can allow your mail host to be compromised; exploits are in
> the wild. The vulnerability is caused by a boundary error in the
> "SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
> X-LINK2STATE extended verb requests. This can be exploited to cause a
> heap-based buffer overflow by connecting to the SMTP service and issuing
> a specially crafted command. Essentially this allows the attacker to
> run with system privileges.
>
> More on this at:
>
> http://secunia.com/advisories/14920/
>
> Getting off blocked lists is far harder than getting on them.
>
> You don't really provide enough data to troubleshoot your problem, nor
> how long the problem has existed. I am just providing starting points to
> look at.
>
> Winged


...that was good info. I do not use Microsoft anything in the DMZs, but it
still was good info.

Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/
http://www.publicknowledge.org/
 
Michael Pelletier
      05-12-2005
Winged wrote:

> Javier wrote:
>>
>> Hi
>>
>> My IP was blacklisted because somebody apparently spammed from it.
>>
>> As I'm not spamming, I think maybe there is a worm in some machines on the
>> internal net, or somebody is using an external SMTP server from the
>> internal net to send spam.
>>
>> However, I need to stop this, and then I need to do something to avoid
>> being blacklisted again.
>>
>> I wonder if somebody out there has had a similar experience and could
>> give me a clue on how to detect why or who is generating the problem.
>>
>> Thanks in advance
>>
>> J

>
> If I were a betting man and the blocks were widespread, I would suspect
> the mail server is an open relay. You might check to see if it is listed
> here:
>
> http://www.ordb.org/faq/
>
> There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
> 2003) that can allow your mail host to be compromised; exploits are in
> the wild. The vulnerability is caused by a boundary error in the
> "SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
> X-LINK2STATE extended verb requests. This can be exploited to cause a
> heap-based buffer overflow by connecting to the SMTP service and issuing
> a specially crafted command. Essentially this allows the attacker to
> run with system privileges.
>
> More on this at:
>
> http://secunia.com/advisories/14920/
>
> Getting off blocked lists is far harder than getting on them.
>
> You don't really provide enough data to troubleshoot your problem, nor
> how long the problem has existed. I am just providing starting points to
> look at.
>
> Winged


When you come across info like that post it. It is good that the group
knows...

Michael
--
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html

Protect your rights
http://www.eff.org/
http://www.publicknowledge.org/
 
Javier
      05-12-2005
Michael Pelletier wrote:
>
> Port 25 access in/out:
> A couple of things I would suggest. If you have an SMTP gateway type setup,
> only your internal mail server(s) should be allowed access to port 25
> (SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
> And of course your email (SMTP) gateways should have internal port 25
> access to your internal email servers (DMZ to Internal). All other port 25
> in/out should be blocked. This will prevent potential internal zombies from
> getting Internet access to port 25 to the World.
>
> Make sure your email (SMTP) gateways are not email forwarding for the World:
> Second, audit your gateways and make sure you are not email forwarding to the
> World... Your SMTP gateways should only be forwarding for your internal
> email servers and nothing more.



Hi

Thanks for your reply.

I'm running a W2K server with W2K SP4 workstations and using Merak mail
server.

Supposedly nobody can relay from outside using my Merak SMTP service,
but, obviously, I'll be auditing it deeply. I'll check if somebody could
reach port 25 outside from the internal net.


>
> Lock down your desktops:
> Third, do you run your host PCs allowing local admin? This is a horrible
> combination: non-technical users + local admin privs + surfing the web.
> This is what spyware/malware/trojan writers dream of. If you can get away
> from it you will save yourself a lot of gray hair.


Well, users can't surf but I'm not sure if they have admin rights. I'll
check it out too.


>
> Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
> and Destroy + Microsoft's AntiSpyware + Adware
>



Well, I'll queue this in my action plan.



Thanks a lot

J
 
Javier
      05-12-2005
Unruh wrote:
>
>
> You give no clue as to what operating system you are using. Windows??
> OS X?? Linux?? ...
>
> Those spams need not be coming from you. They could be someone spoofing
> your return address (if that is the basis on which you were blacklisted).
> Have you seen any of the spams that were supposed to have come from you?
> Look in the Received: lines and see if your machine's IP is listed.
>
> Anyway, IF you are running Windows then this is very common. You need to
> reinstall and then, before bringing it back online, install all of the
> security patches, and thereafter be religious in keeping it up to date.
> Install virus checkers, etc.
>
>



Hi

Thanks for your reply.

I'm running W2K (on both servers and workstations) and Merak mail server.

You said "They could be someone spoofing your return address". How is that?
Could you explain a bit?

I want to know which are the common methods spammers use to f*ck me, to
really understand the problem and think about the solutions.

By now I guess I have two or three possible problems:

1 - Somebody sending mail from the internal net but using an external SMTP.
2 - A virus on a workstation.
3 - Spyware on a workstation.

I rule out an external relay on my SMTP server.

Any other clue?

Thanks in advance

J
 
Javier
      05-12-2005
Michael Pelletier wrote:
> If he was blacklisted by a DNSBL then the spam email would have been
> blacklisted by the spam sender's IP address, not the "from" address. If
> someone has blacklisted him on their SMTP gateway(s) then you are correct:
> they probably blocked his email address even when it was not technically
> sent by him (spoofed). There are a lot of dumbass email "administrators"
> that block by email address even when it was spoofed ;-(
>


How could I know if my server was spoofed? Do you have a tool to make a test?


>
> I would recommend using procmail or sendmail (latest version) on a non-Windows
> box for your email gateways. This allows you to use anti-spam
> applications like Razor, SpamAssassin, MIMEDefang (not only is it good at
> filtering bad MIME emails but it is also very good at filtering/sanitizing
> HTML email, by the way) and DNSBLs (you can use DNSBLs with windose too).
>



Thanks for your recommendations, but I run Windows.

Nevertheless, I wonder whether those tools are for POP servers or whether
they check outgoing SMTP traffic...

Thanks

J
 