Blocked ip by spam

Discussion in 'Computer Security' started by Javier, May 11, 2005.

  1. Javier

    Javier Guest

    Hi

    My IP was blacklisted because somebody apparently spammed from it.

    As I'm not spamming, I think maybe there is a worm on some machines in
    the internal net, or somebody is using an external SMTP server from the
    internal net to send spam.

    However, I need to stop this, so I need to do something to avoid being
    blacklisted again.

    I wonder if somebody out there has had a similar experience and could
    give me a clue to detect why or who is generating the problem.

    Thanks in advance

    J
     
    Javier, May 11, 2005
    #1

  2. Javier wrote:

    >
    > Hi
    >
    > My IP was blacklisted because somebody apparently spammed from it.
    >
    > As I'm not spamming, I think maybe there is a worm on some machines in
    > the internal net, or somebody is using an external SMTP server from the
    > internal net to send spam.
    >
    > However, I need to stop this, so I need to do something to avoid being
    > blacklisted again.
    >
    > I wonder if somebody out there has had a similar experience and could
    > give me a clue to detect why or who is generating the problem.
    >
    > Thanks in advance
    >
    > J


    Port 25 access in/out:
    A couple of things I would suggest. If you have an SMTP gateway type setup,
    only your internal mail server(s) should be allowed access to port 25
    (SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
    And of course your email (SMTP) gateways should have internal port 25
    access to your internal email servers (DMZ to Internal). All other port 25
    in/out should be blocked. This will prevent potential internal zombies from
    getting Internet access to port 25 to the World.

    Make sure your email (SMTP) gateways are not email forwarding for the World:
    Second, audit your gateways and make sure you are not email forwarding to the
    World... Your SMTP gateways should only be forwarding for your internal
    email servers and nothing more.

    Lock down your desktops:
    Third, do you run your host PCs allowing local admin? This is a horrible
    combination: non-technical users + local admin privs + surfing the web.
    This is what spyware/malware/trojan writers dream of. If you can get away
    from it you will save yourself a lot of gray hair.

    Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
    and Destroy + Microsoft's AntiSpyware + Ad-Aware.

    That should get you going anyway...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 11, 2005
    #2

  3. Javier

    Unruh Guest

    Michael Pelletier <> writes:

    >Javier wrote:


    >>
    >> Hi
    >>
    >> My IP was blacklisted because somebody apparently spammed from it.
    >>
    >> As I'm not spamming, I think maybe there is a worm on some machines in
    >> the internal net, or somebody is using an external SMTP server from the
    >> internal net to send spam.
    >>
    >> However, I need to stop this, so I need to do something to avoid being
    >> blacklisted again.
    >>
    >> I wonder if somebody out there has had a similar experience and could
    >> give me a clue to detect why or who is generating the problem.


    You give no clue as to what operating system you are using. Windows??
    OSX?? Linux?? ...

    Those spams need not be coming from you. They could be someone spoofing
    your return address (if that is the basis on which you were blacklisted).
    Have you seen any of the spams that were supposed to have come from you?
    Look in the Received: lines and see if your machine IP is listed.

    Anyway, IF you are running Windows then this is very common. You need to
    reinstall and then, before bringing it back on line, install all of the
    security patches, and thereafter be religious in keeping it up to date.
    Install virus checkers, etc.



    >>
    >> Thanks in advance
    >>
    >> J


    >Port 25 access in/out:


    Not necessarily. Port 25 need only be used for incoming mail. The port used
    to send out mail could be anything. Of course it needs to connect to other
    machines on port 25, so that may have been what you meant.


    >A couple of things I would suggest. If you have an SMTP gateway type setup,
    >only your internal mail server(s) should be allowed access to port 25
    >(SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
    >And of course your email (SMTP) gateways should have internal port 25
    >access to your internal email servers (DMZ to Internal). All other port 25
    >in/out should be blocked. This will prevent potential internal zombies from
    >getting Internet access to port 25 to the World.


    >Make sure your email (SMTP) gateways are not email forwarding for the World:
    >Second, audit your gateways and make sure you are not email forwarding to the
    >World... Your SMTP gateways should only be forwarding for your internal
    >email servers and nothing more.


    >Lock down your desktops:
    >Third, do you run your host PCs allowing local admin? This is a horrible
    >combination: non-technical users + local admin privs + surfing the web.
    >This is what spyware/malware/trojan writers dream of. If you can get away
    >from it you will save yourself a lot of gray hair.


    >Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
    >and Destroy + Microsoft's AntiSpyware + Ad-Aware.


    All good advice. But if, as is usual, you were cracked and spam mail
    software was installed, then reinstall your system. You will not be able to
    figure out all the ways the crackers could have hidden malware on your
    system. And remember that an unprotected, unpatched system has a lifetime
    of minutes (certainly not hours) before it is cracked.
     
    Unruh, May 11, 2005
    #3
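Unruh's advice to look in the Received: lines is the quickest way to tell a real relay from a forged sender address. The following is an added example, not code from the thread: it parses a constructed spam report with Python's standard `email` module, lists the connecting IPs recorded in each Received: header (newest hop first), and reports whether your gateway IP is actually in the chain. The message text, the hostnames and the addresses (203.0.113.25 as "your" gateway, 192.168.1.57 as an internal workstation) are all constructed for the example.

```python
"""Check whether a reported spam actually passed through your mail server.

Added example (not from the thread). Walks the Received: chain of a raw
message and reports whether a given IP appears as a relay hop. If the IP
never appears, the message most likely only forged your address in the
From:/Return-Path: headers, which is the spoofing case Unruh describes.
"""
import re
from email import message_from_string

# A Received: header names the connecting host in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a spam report as a receiving admin might forward it.
# 203.0.113.25 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_MESSAGE = """\
Return-Path: <sales@example.org>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by inbox.recipient.example with ESMTP id 1234; Wed, 11 May 2005 10:01:02 +0000
Received: from mail.example.org (mail.example.org [203.0.113.25])
    by mx.recipient.example with ESMTP id 5678; Wed, 11 May 2005 10:01:00 +0000
Received: from [192.168.1.57] (helo=workstation57)
    by mail.example.org with SMTP id 9; Wed, 11 May 2005 10:00:58 +0000
From: sales@example.org
To: victim@recipient.example
Subject: buy now

cheap stuff
"""


def received_hops(raw: str) -> list:
    """Return the IPs named in Received: headers, newest hop first.

    Each server prepends its own Received: line, so the first header in the
    message is the last relay the mail passed through.
    """
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        # Collapse folded header lines before searching.
        m = IP_RE.search(" ".join(header.split()))
        if m:
            hops.append(m.group(1))
    return hops


def transit_verdict(raw: str, own_ip: str) -> dict:
    """Classify a reported spam relative to our gateway IP.

    'relayed': our IP is a hop, so the mail really left through our server;
               the hop after it is the machine that handed the mail to us.
    'spoofed': our IP never appears; only the sender address was forged.
    """
    hops = received_hops(raw)
    if own_ip in hops:
        idx = hops.index(own_ip)
        internal = hops[idx + 1] if idx + 1 < len(hops) else None
        return {"verdict": "relayed", "hops": hops, "handed_to_us_by": internal}
    return {"verdict": "spoofed", "hops": hops, "handed_to_us_by": None}


if __name__ == "__main__":
    print(transit_verdict(SAMPLE_MESSAGE, "203.0.113.25"))
```

Only the Received: lines added by servers you trust (your own gateway and the recipient's) are reliable; anything below them in the chain can be forged by the sender. In the sample the hop handed to the gateway is an RFC 1918 address, which is exactly the internal workstation you would then go and examine.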
  4. Unruh wrote:

    > Michael Pelletier <> writes:
    >
    >>Javier wrote:

    >
    >>>
    >>> Hi
    >>>
    >>> My IP was blacklisted because somebody apparently spammed from it.
    >>>
    >>> As I'm not spamming, I think maybe there is a worm on some machines in
    >>> the internal net, or somebody is using an external SMTP server from the
    >>> internal net to send spam.
    >>>
    >>> However, I need to stop this, so I need to do something to avoid being
    >>> blacklisted again.
    >>>
    >>> I wonder if somebody out there has had a similar experience and could
    >>> give me a clue to detect why or who is generating the problem.

    >
    > You give no clue as to what operating system you are using. Windows??
    > OSX?? Linux?? ...
    >
    > Those spams need not be coming from you. They could be someone spoofing
    > your return address (if that is the basis on which you were blacklisted).
    > Have you seen any of the spams that were supposed to have come from you?
    > Look in the Received: lines and see if your machine IP is listed.


    If he was blacklisted by a DNSBL then the spam email would have been
    blacklisted by the spam sender's IP address, not the "From" address. If
    someone has blacklisted him on their SMTP gateway(s) then you are correct:
    they probably blocked his email address even when it was not technically
    sent by him (spoofed). There are a lot of dumbass email "administrators"
    that block by email address even when it was spoofed ;-(

    > Anyway, IF you are running Windows then this is very common. You need to
    > reinstall and then, before bringing it back on line, install all of the
    > security patches, and thereafter be religious in keeping it up to date.
    > Install virus checkers, etc.


    I would recommend using procmail or sendmail (latest version) on a non-Windows
    box for your email gateways. This allows you to use anti-spam
    applications like Razor, SpamAssassin, MIMEDefang (not only is it good at
    filtering bad MIME emails but it is also very good at filtering/sanitizing
    HTML email, by the way) and DNSBL (you can use DNSBL with windose too).


    >
    >
    >
    >>>
    >>> Thanks in advance
    >>>
    >>> J

    >
    >>Port 25 access in/out:

    >
    > Not necessarily. Port 25 need only be used for incoming mail. The port
    > used to send out mail could be anything. Of course it needs to connect to
    > other machines on port 25, so that may have been what you meant.
    >
    >
    >>A couple of things I would suggest. If you have an SMTP gateway type setup,
    >>only your internal mail server(s) should be allowed access to port 25
    >>(SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
    >>And of course your email (SMTP) gateways should have internal port 25
    >>access to your internal email servers (DMZ to Internal). All other port 25
    >>in/out should be blocked. This will prevent potential internal zombies
    >>from getting Internet access to port 25 to the World.

    >
    >>Make sure your email (SMTP) gateways are not email forwarding for the
    >>World: Second, audit your gateways and make sure you are not email
    >>forwarding to the World... Your SMTP gateways should only be forwarding for
    >>your internal email servers and nothing more.

    >
    >>Lock down your desktops:
    >>Third, do you run your host PCs allowing local admin? This is a horrible
    >>combination: non-technical users + local admin privs + surfing the web.
    >>This is what spyware/malware/trojan writers dream of. If you can get away
    >>from it you will save yourself a lot of gray hair.

    >
    >>Fourth, run anti-spyware apps (use multiple ones). I have used Spybot
    >>Search and Destroy + Microsoft's AntiSpyware + Ad-Aware.

    >
    > All good advice. But if, as is usual, you were cracked and spam mail
    > software was installed, then reinstall your system. You will not be able
    > to figure out all the ways the crackers could have hidden malware on your
    > system. And remember that an unprotected, unpatched system has a lifetime
    > of minutes (certainly not hours) before it is cracked.


    Yup, very true...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 11, 2005
    #4
  5. Javier

    Winged Guest

    Javier wrote:
    >
    > Hi
    >
    > My IP was blacklisted because somebody apparently spammed from it.
    >
    > As I'm not spamming, I think maybe there is a worm on some machines in
    > the internal net, or somebody is using an external SMTP server from the
    > internal net to send spam.
    >
    > However, I need to stop this, so I need to do something to avoid being
    > blacklisted again.
    >
    > I wonder if somebody out there has had a similar experience and could
    > give me a clue to detect why or who is generating the problem.
    >
    > Thanks in advance
    >
    > J


    If I were a betting man and the blocks were widespread I would suspect
    the mail server is an open relay. Might check to see if it is listed here:

    http://www.ordb.org/faq/

    There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
    2003) that can allow your mail host to be compromised; exploits are in
    the wild. The vulnerability is caused by a boundary error in the
    "SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
    X-LINK2STATE extended verb requests. This can be exploited to cause a
    heap-based buffer overflow by connecting to the SMTP service and issuing
    a specially crafted command. Essentially this allows the attacker to
    run with system privileges.

    More on this at:

    http://secunia.com/advisories/14920/

    Getting off blocked lists is far harder than getting on them.

    You don't really provide enough data to troubleshoot your problem, nor
    how long the problem has existed. I am just providing starting points to
    look at.

    Winged
     
    Winged, May 12, 2005
    #5
  6. Winged wrote:

    > Javier wrote:
    >>
    >> Hi
    >>
    >> My IP was blacklisted because somebody apparently spammed from it.
    >>
    >> As I'm not spamming, I think maybe there is a worm on some machines in
    >> the internal net, or somebody is using an external SMTP server from the
    >> internal net to send spam.
    >>
    >> However, I need to stop this, so I need to do something to avoid being
    >> blacklisted again.
    >>
    >> I wonder if somebody out there has had a similar experience and could
    >> give me a clue to detect why or who is generating the problem.
    >>
    >> Thanks in advance
    >>
    >> J

    >
    > If I were a betting man and the blocks were widespread I would suspect
    > the mail server is an open relay. Might check to see if it is listed
    > here:
    >
    > http://www.ordb.org/faq/
    >
    > There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
    > 2003) that can allow your mail host to be compromised; exploits are in
    > the wild. The vulnerability is caused by a boundary error in the
    > "SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
    > X-LINK2STATE extended verb requests. This can be exploited to cause a
    > heap-based buffer overflow by connecting to the SMTP service and issuing
    > a specially crafted command. Essentially this allows the attacker to
    > run with system privileges.
    >
    > More on this at:
    >
    > http://secunia.com/advisories/14920/
    >
    > Getting off blocked lists is far harder than getting on them.
    >
    > You don't really provide enough data to troubleshoot your problem, nor
    > how long the problem has existed. I am just providing starting points to
    > look at.
    >
    > Winged


    ....that was good info. I do not use Microsoft anything in the DMZs but, it
    still was good info.

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 12, 2005
    #6
  7. Winged wrote:

    > Javier wrote:
    >>
    >> Hi
    >>
    >> My IP was blacklisted because somebody apparently spammed from it.
    >>
    >> As I'm not spamming, I think maybe there is a worm on some machines in
    >> the internal net, or somebody is using an external SMTP server from the
    >> internal net to send spam.
    >>
    >> However, I need to stop this, so I need to do something to avoid being
    >> blacklisted again.
    >>
    >> I wonder if somebody out there has had a similar experience and could
    >> give me a clue to detect why or who is generating the problem.
    >>
    >> Thanks in advance
    >>
    >> J

    >
    > If I were a betting man and the blocks were widespread I would suspect
    > the mail server is an open relay. Might check to see if it is listed
    > here:
    >
    > http://www.ordb.org/faq/
    >
    > There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
    > 2003) that can allow your mail host to be compromised; exploits are in
    > the wild. The vulnerability is caused by a boundary error in the
    > "SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
    > X-LINK2STATE extended verb requests. This can be exploited to cause a
    > heap-based buffer overflow by connecting to the SMTP service and issuing
    > a specially crafted command. Essentially this allows the attacker to
    > run with system privileges.
    >
    > More on this at:
    >
    > http://secunia.com/advisories/14920/
    >
    > Getting off blocked lists is far harder than getting on them.
    >
    > You don't really provide enough data to troubleshoot your problem, nor
    > how long the problem has existed. I am just providing starting points to
    > look at.
    >
    > Winged


    When you come across info like that post it. It is good that the group
    knows...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 12, 2005
    #7
  8. Javier

    Javier Guest

    Michael Pelletier wrote:
    >
    > Port 25 access in/out:
    > A couple of things I would suggest. If you have an SMTP gateway type setup,
    > only your internal mail server(s) should be allowed access to port 25
    > (SMTP) on your email (SMTP) gateways (coming from Internal to your DMZ).
    > And of course your email (SMTP) gateways should have internal port 25
    > access to your internal email servers (DMZ to Internal). All other port 25
    > in/out should be blocked. This will prevent potential internal zombies from
    > getting Internet access to port 25 to the World.
    >
    > Make sure your email (SMTP) gateways are not email forwarding for the World:
    > Second, audit your gateways and make sure you are not email forwarding to the
    > World... Your SMTP gateways should only be forwarding for your internal
    > email servers and nothing more.



    Hi

    Thanks for your reply.

    I'm running a W2K server with W2K SP4 workstations and using Merak mail
    server.

    Supposedly nobody can relay from outside using my Merak SMTP service
    but, obviously, I'll audit more deeply. I'll check if somebody could get
    port 25 outside from the internal net.


    >
    > Lock down your desktops:
    > Third, do you run your host PCs allowing local admin? This is a horrible
    > combination: non-technical users + local admin privs + surfing the web.
    > This is what spyware/malware/trojan writers dream of. If you can get away
    > from it you will save yourself a lot of gray hair.


    Well, users can't surf but I'm not sure if they have admin rights. I'll
    check it out too.


    >
    > Fourth, run anti-spyware apps (use multiple ones). I have used Spybot Search
    > and Destroy + Microsoft's AntiSpyware + Ad-Aware.
    >



    Well, I'll queue this in my action plan.



    Thanks a lot

    J
     
    Javier, May 12, 2005
    #8
  9. Javier

    Javier Guest

    Unruh wrote:
    >
    >
    > You give no clue as to what operating system you are using. Windows??
    > OSX?? Linux?? ...
    >
    > Those spams need not be coming from you. They could be someone spoofing
    > your return address (if that is the basis on which you were blacklisted).
    > Have you seen any of the spams that were supposed to have come from you?
    > Look in the Received: lines and see if your machine IP is listed.
    >
    > Anyway, IF you are running Windows then this is very common. You need to
    > reinstall and then, before bringing it back on line, install all of the
    > security patches, and thereafter be religious in keeping it up to date.
    > Install virus checkers, etc.
    >
    >



    Hi

    Thanks for your reply.

    I'm running W2K (on both servers and workstations) and Merak mail server.

    You said "They could be someone spoofing your return address". How is it
    done? Could you explain a bit?

    I want to know which are the common methods spammers use to f*ck me, to
    really understand the problem and think about the solutions.

    By now I guess I've two or three possible problems:

    1 - Somebody sending mail from the internal net but using an external SMTP.
    2 - A virus in a workstation.
    3 - Spyware in a workstation.

    I rule out an external relay on my SMTP server.

    Any other clue ?

    Thanks in advance

    J
     
    Javier, May 12, 2005
    #9
  10. Javier

    Javier Guest

    Michael Pelletier wrote:
    > If he was blacklisted by a DNSBL then the spam email would have been
    > blacklisted by the spam sender's IP address, not the "From" address. If
    > someone has blacklisted him on their SMTP gateway(s) then you are correct:
    > they probably blocked his email address even when it was not technically
    > sent by him (spoofed). There are a lot of dumbass email "administrators"
    > that block by email address even when it was spoofed ;-(
    >


    How could I know if my server was spoofed? Do you have a tool to test it?


    >
    > I would recommend using procmail or sendmail (latest version) on a non-Windows
    > box for your email gateways. This allows you to use anti-spam
    > applications like Razor, SpamAssassin, MIMEDefang (not only is it good at
    > filtering bad MIME emails but it is also very good at filtering/sanitizing
    > HTML email, by the way) and DNSBL (you can use DNSBL with windose too).
    >



    Thanks for your recommendations, but I run windows.

    Nevertheless, I wonder if those tools are for POP servers or if they check
    outgoing SMTP traffic...

    Thanks

    J
     
    Javier, May 12, 2005
    #10
  11. Javier wrote:

    > Michael Pelletier wrote:
    >> If he was blacklisted by a DNSBL then the spam email would have been
    >> blacklisted by the spam sender's IP address, not the "From" address. If
    >> someone has blacklisted him on their SMTP gateway(s) then you are correct:
    >> they probably blocked his email address even when it was not technically
    >> sent by him (spoofed). There are a lot of dumbass email "administrators"
    >> that block by email address even when it was spoofed ;-(
    >>

    >
    > How could I know if my server was spoofed? Do you have a tool to test it?


    How did you know you were blacklisted? Did you get a failure message? The
    first thing you need to find out is how you were blacklisted. Was it by a
    DNSBL or was it local (i.e. an email admin blocked you on his/her email
    gateway)? The best way is to look at the failure message. I send failure
    messages that will "point" you to the DNSBL you are listed on. If you do
    not know, email me your information and tonight I will do some searching
    for you. You need to email me your domain name... my email address above is
    my personal email system and it is real. Also send me your failure email
    message.

    >> I would recommend using procmail or sendmail (latest version) on a non-Windows
    >> box for your email gateways. This allows you to use anti-spam
    >> applications like Razor, SpamAssassin, MIMEDefang (not only is it good at
    >> filtering bad MIME emails but it is also very good at filtering/sanitizing
    >> HTML email, by the way) and DNSBL (you can use DNSBL with windose too).
    >>

    >
    >
    > Thanks for your recommendations, but I run windows.


    No time better than the present to learn some Linux/*BSD...I would highly
    recommend *NOT* using exchange as your email gateway...

    > Nevertheless, I wonder if those tools are for POP servers or if they check
    > outgoing SMTP traffic...


    Not sure what you mean by that statement. If you are asking how DNSBLs work:
    the email gateway, upon receiving an email, will check the IP address of
    the client sending the email against the DNSBL. If it receives a "special"
    reply then it knows to block/reject the email. Please realize that my
    description above is very generic. If you do a search on Google you can
    find more specific information about DNSBLs and how they work.

    To answer your question above, DNSBLs do not work on POP/IMAP servers. POP
    and IMAP are the protocols that a typical email client uses for
    sending/receiving email from its server. SMTP is used to send email from
    *YOUR* email server/gateway to someone else's *SERVER*. That is where the
    DNSBLs are used...

    > Thanks
    >
    > J


    Again, realize that doing a Google search and spending some time reading is
    probably better than my 2 minute description...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 12, 2005
    #11
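Michael's "special reply" is a DNS answer. The block below is an added example, not code from the thread or from any DNSBL operator: it shows the mechanics behind his description, namely how a receiving gateway turns the connecting client's IP into a DNS name under the list's zone, what answer means "listed", and how that becomes a 554 rejection of the kind Javier quotes later in the thread. The zone name `dnsbl.example`, the listing table, and the IP addresses are constructed so the code runs offline; the resolver is injected as a function so a real one (for instance `socket.gethostbyname`) could be substituted.

```python
"""How a DNSBL check works, as an added example (not the thread's code).

A listing is an A record under the list's zone, named by the client IP with
its octets reversed (1.2.3.4 -> 4.3.2.1.zone). An answer in 127.0.0.0/8 means
"listed"; no record (NXDOMAIN) means "not listed". The check is made on the
IP of the connecting SMTP client, never on the From: address.
"""
import ipaddress
from typing import Callable, Optional

# Constructed listing table standing in for DNS answers. 203.0.113.25 is a
# documentation address playing the part of a listed spam source.
FAKE_DNS = {
    "25.113.0.203.dnsbl.example": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup: the record, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reversed octets followed by the list zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Resolver = fake_resolver) -> bool:
    """True when the list answers with a 127.0.0.0/8 address for this IP."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_decision(client_ip: str, zone: str, resolve: Resolver = fake_resolver) -> str:
    """What the receiving gateway replies once the client connects.

    A listed client gets a 554 rejection naming the list (the shape of the
    bounce Javier reports); anything else proceeds to the normal banner.
    """
    if is_listed(client_ip, zone, resolve):
        return f"554 Your host IP {client_ip} was found in a {zone} DNS blacklist"
    return "220 mx.recipient.example ESMTP ready"


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, "->", smtp_decision(ip, "dnsbl.example"))
```

Because the lookup key is the connecting IP, a DNSBL listing of your address means a connection genuinely came from it; forging your address in the From: header does not produce one. That is the distinction Michael draws between a DNSBL listing and an admin blocking by sender address.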
  12. Javier wrote:

    > Michael Pelletier wrote:
    >>
    >> Port 25 access in/out:
    >> A couple of things I would suggest. If you have an SMTP gateway type
    >> setup, only your internal mail server(s) should be allowed access to
    >> port 25 (SMTP) on your email (SMTP) gateways (coming from Internal to
    >> your DMZ). And of course your email (SMTP) gateways should have internal
    >> port 25 access to your internal email servers (DMZ to Internal). All
    >> other port 25 in/out should be blocked. This will prevent potential
    >> internal zombies from getting Internet access to port 25 to the World.
    >>
    >> Make sure your email (SMTP) gateways are not email forwarding for the
    >> World: Second, audit your gateways and make sure you are not email
    >> forwarding to the World... Your SMTP gateways should only be forwarding for
    >> your internal email servers and nothing more.

    >
    >
    > Hi
    >
    > Thanks for your reply.
    >
    > I'm running a W2K server with W2K SP4 workstations and using Merak mail
    > server.
    >
    > Supposedly nobody can relay from outside using my Merak SMTP service
    > but, obviously, I'll audit more deeply. I'll check if somebody could get
    > port 25 outside from the internal net.
    >
    >
    >>
    >> Lock down your desktops:
    >> Third, do you run your host PCs allowing local admin? This is a horrible
    >> combination: non-technical users + local admin privs + surfing the web.
    >> This is what spyware/malware/trojan writers dream of. If you can get away
    >> from it you will save yourself a lot of gray hair.

    >
    > Well, users can't surf but I'm not sure if they have admin rights. I'll
    > check it out too.
    >
    >
    >>
    >> Fourth, run anti-spyware apps (use multiple ones). I have used Spybot
    >> Search and Destroy + Microsoft's AntiSpyware + Ad-Aware.
    >>

    >
    >
    > Well, I'll queue this in my action plan.
    >
    >
    >
    > Thanks a lot
    >
    > J


    The best way to find out is to always do set tests :).

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 12, 2005
    #12
  13. Javier

    Javier Guest

    Michael Pelletier wrote:
    >
    > How did you know you were blacklisted? Did you get a failure message? The
    > first thing you need to find out is how you were blacklisted. Was it by a
    > DNSBL or was it local (i.e. an email admin blocked you on his/her email
    > gateway)? The best way is to look at the failure message. I send failure
    > messages that will "point" you to the DNSBL you are listed on. If you do
    > not know, email me your information and tonight I will do some searching
    > for you. You need to email me your domain name... my email address above is
    > my personal email system and it is real. Also send me your failure email
    > message.
    >


    Users of my net started to receive their sent mail rejected with a message
    that said our IP was blacklisted. I'm at home now and don't have data here.

    As far as I remember, the message was something like this:

    <<< 554 Your host IP xx.xxx.xxx.xxx was found in a cbl.abuseat.org
    DNSBlacklist

    Is this a consequence of spoofing?


    >
    > No time better than the present to learn some Linux/*BSD...I would highly
    > recommend *NOT* using exchange as your email gateway...
    >


    I know Linux and FreeBSD, but company policy forced us to use
    Micro$oft... However, we are using Merak, not Exchange.


    >
    > Not sure what you mean by that statement. If you are asking how DNSBLs work:
    > the email gateway, upon receiving an email, will check the IP address of
    > the client sending the email against the DNSBL. If it receives a "special"
    > reply then it knows to block/reject the email. Please realize that my
    > description above is very generic. If you do a search on Google you can
    > find more specific information about DNSBLs and how they work.
    >


    I mean I want to place a filter in my net to detect if someone inside
    the internal net is trying to "kill me" by sending spam from inside but
    using an external SMTP server. I know the solution could be to close ports
    in my firewall, but I want first to discover the bad guy/girl...


    Also I want to know if a virus or spyware could do something in that
    way...

    Thanks in advance

    J
     
    Javier, May 12, 2005
    #13
  14. Javier wrote:

    > Michael Pelletier wrote:
    >>
    >> How did you know you were blacklisted? Did you get a failure message? The
    >> first thing you need to find out is how you were blacklisted. Was it by a
    >> DNSBL or was it local (i.e. an email admin blocked you on his/her email
    >> gateway)? The best way is to look at the failure message. I send failure
    >> messages that will "point" you to the DNSBL you are listed on. If you do
    >> not know, email me your information and tonight I will do some searching
    >> for you. You need to email me your domain name... my email address above
    >> is my personal email system and it is real. Also send me your failure
    >> email message.
    >>

    >
    > Users of my net started to receive their sent mail rejected with a message
    > that said our IP was blacklisted. I'm at home now and don't have data
    > here.
    >
    > As far as I remember, the message was something like this:
    >
    > <<< 554 Your host IP xx.xxx.xxx.xxx was found in a cbl.abuseat.org
    > DNSBlacklist
    >
    > Is this a consequence of spoofing?


    No. Someone sent spam via your email gateway. :-( Now, this can generally
    come in two forms: internal (i.e. a PC on your network is a spam bot)
    or you are allowing email forwarding through your email gateway.

    >>
    >> No time better than the present to learn some Linux/*BSD...I would highly
    >> recommend *NOT* using exchange as your email gateway...
    >>

    >
    > I know Linux and FreeBSD, but company policy forced us to use
    > Micro$oft... However, we are using Merak, not Exchange.


    Not familiar with Merak. You should ask why they have such a ridiculous
    policy....

    >
    >
    >>
    >> Not sure what you mean by that statement. If you are asking how DNSBLs
    >> work: the email gateway, upon receiving an email, will check the IP
    >> address of the client sending the email against the DNSBL. If it receives
    >> a "special" reply then it knows to block/reject the email. Please realize
    >> that my description above is very generic. If you do a search on Google
    >> you can find more specific information about DNSBLs and how they work.
    >>

    >
    > I mean I want to place a filter in my net to detect if someone inside
    > the internal net is trying to "kill me" by sending spam from inside but
    > using an external SMTP server. I know the solution could be to close ports
    > in my firewall, but I want first to discover the bad guy/girl...


    You have a firewall, right? Block the port (port 25 from PCs internally going
    to your email gateway) and log the connection attempts. Any PC that is
    trying to send mail (port 25) to your email gateway is most probably a spam
    bot. I would suggest blocking, and logging, port 25 access ASAP. Remember
    you are allowing spam to be generated....

    >
    >
    > Also I want to know if a virus or spyware could do something in that
    > way...


    YES. There are too many to list that will turn your PC into a spam bot. Here
    are some quick suggestions (I already mentioned them before):

    1) Get rid of local admin privs for users. This is nothing but a headache
    and the main vehicle for most spyware/malware/crapware etc. infections...

    2) Restrict port 25 from your internal network to your email gateways. Your
    internal email servers are the only machines that should be allowed to
    communicate with your email gateways (from internal to email gateway).

    3) Log all port 25 access (again, going from your internal network to your
    email gateway that is not an internal email server). This will allow you to
    catch PCs that have become spam bots.

    4) If you can, get procmail or sendmail for your email gateways. There are
    many features and open source solutions that will greatly reduce the level
    of spam. I get an average 98% spam kill rate at work and home. The few
    that do get through are the one-line spams (i.e. goto
    http://www.something.com)



    > Thanks in advance
    >
    > J


    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/
    http://www.publicknowledge.org/
     
    Michael Pelletier, May 12, 2005
    #14
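Michael's points 2 and 3 (restrict port 25 to the internal mail servers, log everything else) only pay off if someone reads the log, which is the detection Javier asked for. The following is an added example, not code from the thread: it applies that policy to constructed firewall log lines in the format the Linux iptables `LOG` target writes to syslog, and lists every internal host other than the allowed mail server that opened port 25, split by whether it aimed at the DMZ gateway or straight at the Internet. The allowed-server set, the gateway address, the 192.168.1.0/24 internal prefix and the log lines are all constructed; a Windows or appliance firewall logs in a different format, so `LOG_RE` is the part to adapt.

```python
"""List spam-bot candidates from port-25 firewall logs (added example).

Not code from the thread. Policy, as in Michael's post: only the internal
mail servers may open port 25. Every other internal source that tries,
whether to the gateway or to the Internet, is logged and counted here.
"""
import re
from collections import Counter

# Constructed policy values: the hosts allowed to speak SMTP, the DMZ
# gateway, and the internal network prefix (a crude prefix match keeps
# the example short; use ipaddress.ip_network for real subnets).
ALLOWED_MAIL_SERVERS = {"192.168.1.10"}
MAIL_GATEWAY = "10.0.0.5"
INTERNAL_PREFIX = "192.168.1."

# Fields as written by the iptables LOG target; other firewalls differ.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one legitimate mail server, one workstation spraying
# port 25 at outside hosts, one talking to the gateway, one on port 80.
SAMPLE_LOG = """\
May 12 09:14:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=25 SYN
May 12 09:14:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.80 PROTO=TCP SPT=1034 DPT=25 SYN
May 12 09:14:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.81 PROTO=TCP SPT=1035 DPT=25 SYN
May 12 09:14:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=10.0.0.5 PROTO=TCP SPT=1101 DPT=25 SYN
May 12 09:14:04 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.82 PROTO=TCP SPT=1036 DPT=25 SYN
May 12 09:14:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.9 PROTO=TCP SPT=1200 DPT=80 SYN
"""


def parse_line(line: str):
    """Return (src, dst, dport) for a matching log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def smtp_offenders(log_text: str) -> dict:
    """Count port-25 attempts per internal host that is not an allowed sender.

    Result: {src_ip: {"to_gateway": n, "to_internet": n}}. Attempts aimed at
    the gateway point at a bot abusing your own relay; attempts aimed at
    outside hosts point at a bot using external SMTP servers directly.
    """
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != 25 or not src.startswith(INTERNAL_PREFIX):
            continue
        if src in ALLOWED_MAIL_SERVERS:
            continue  # legitimate traffic under the policy
        bucket = counts.setdefault(src, Counter())
        bucket["to_gateway" if dst == MAIL_GATEWAY else "to_internet"] += 1
    return {
        ip: {"to_gateway": c["to_gateway"], "to_internet": c["to_internet"]}
        for ip, c in counts.items()
    }


def ranked(offenders: dict) -> list:
    """Source IPs ordered by total port-25 attempts, noisiest first."""
    return sorted(offenders, key=lambda ip: -sum(offenders[ip].values()))


if __name__ == "__main__":
    found = smtp_offenders(SAMPLE_LOG)
    for ip in ranked(found):
        print(ip, found[ip])
```

A single attempt can be a misconfigured mail client, so rank by volume and by the number of distinct destinations before pulling a machine off the network; a host contacting many outside servers on port 25 in quick succession, as 192.168.1.57 does in the sample, is the classic bot pattern.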
  15. Javier

    Mike Guest

    Michael Pelletier wrote:
    > No time better than the present to learn some Linux/*BSD...I would highly
    > recommend *NOT* using exchange as your email gateway...


    Oh plurleeeeze. Exchange can be secured just the same as sendmail can.
    Sendmail can be made insecure just the same as exchange can.
     
    Mike, May 13, 2005
    #15
  16. Javier

    Ashp Guest

    Mike wrote:

    > Oh plurleeeeze. Exchange can be secured just the same as sendmail can.
    > Sendmail can be made insecure just the same as exchange can.


    Well said.

    ash.
     
    Ashp, May 13, 2005
    #16
  17. Mike wrote:

    > Michael Pelletier wrote:
    >> No time better than the present to learn some Linux/*BSD...I would highly
    >> recommend *NOT* using exchange as your email gateway...

    >
    > Oh plurleeeeze. Exchange can be secured just the same as sendmail can.
    > Sendmail can be made insecure just the same as exchange can.


    Exchange is a POS...Sorry but it is true...

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
     
    Michael Pelletier, May 13, 2005
    #17