 Post subject: Repeatedly getting blacklisted - please help
PostPosted: 2007-11-29 01:00 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
My mail server keeps getting blacklisted. Can someone help me to figure out how the spammers are getting in? I have a simple setup running at home on a static IP. Currently about 10 mail accounts of which 4 are really active.

I pass all open relay tests - everything seems to be locked up fine.
Virus scanned the server, nothing.
I am running all scanning tools recommended by CBL and so far nothing.
Running behind a firewall on my home network. All ports closed except those needed for mail server.
I am running apache on the same machine - for Squirrel Mail webmail.

What can I look for specifically in the mail server logs that might give me a clue as to where this is coming from, or if my external users have been infected?

Thanks.

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 01:20 
Senior user

Joined: 2007-01-30 16:26
Posts: 595
Location: TÜRKIYE
Maybe one of your accounts is hacked; you can find out from which account these spams are sent...


 Post subject:
PostPosted: 2007-11-29 01:23 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
I don't think it is a hacked user. I changed all of the passwords on the mail server yesterday and Spam was still detected today. What do I look for in the logs to show evidence of the spammer and where it is originating (either a user with a virus or something like that?). Thanks.

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 03:12 
Site Admin

Joined: 2005-07-29 16:18
Posts: 13808
Location: UK
Do you have external to external ticked on any of your IP ranges?
Is require authentication ticked for internet range?
Do you have any web scripts send mail through your mailserver?


 Post subject:
PostPosted: 2007-11-29 08:44 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
External to external is ticked off (unchecked) on both My Computer and Internet.
For Internet range, Require Authentication is ticked for "To Remote Accounts" but not for "To Local Accounts".
I have no web scripts that send mail that I know about, except that I have Squirrel mail installed, but I don't think this has any vulnerabilities.

What I want to do is look through the log file to find out when and where this SPAM is coming from. I am looking specifically for lots of MAIL TO commands or something like that, right?

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 10:42 
Normal user

Joined: 2006-10-25 09:02
Posts: 64
Location: Centurion, South Africa
What is the actual reason for being blacklisted?

SpamCop, for example, will blacklist you if you send a bounce message in reply to one of their spam trap/honeypot tests.


 Post subject:
PostPosted: 2007-11-29 10:57 
Site Admin

Joined: 2005-07-29 16:18
Posts: 13808
Location: UK
Yes look for SMTP sessions with lots of Mail TO commands from an account or strange from addresses. Please post some of the log if you are unsure.


 Post subject:
PostPosted: 2007-11-29 11:01 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
It appears to be CBL that is the only service that is listing me. It is happening repeatedly, every day. No reason is being given. I continue to request delist and they take me off and then put me back on again the next day. Spamhaus is also listing me, but when I check through it points to CBL as the source. I have emailed CBL twice for reasons and have had no response. Currently I am operating under the assumption that something is going on and I am trying to diagnose it. However, it could be that this is a mistake. What I want to know, and hopefully someone can help me here, what should I be looking for in my server log that will give me a clue as to if I am actually spamming. I assume I should see repeated outgoing emails? What SMTP commands should I be searching for in the log? I will also email CBL (again) for confirmation of the actual problem.

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 11:15 
Site Admin

Joined: 2005-07-29 16:18
Posts: 13808
Location: UK
Difficult to tell you what to look for, as a normal outgoing transaction looks like a spam outgoing transaction. Just make sure there are not hundreds and hundreds of outgoing emails in a short time span.


 Post subject:
PostPosted: 2007-11-29 11:16 
Normal user

Joined: 2006-10-25 09:02
Posts: 64
Location: Centurion, South Africa
Go here: http://cbl.abuseat.org/lookup.cgi

It may (or may not) give you more details.

I see on the CBL site:
Quote:
The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.


This means (stab in the dark) that it may not be the hMailServer machine causing the blacklisting, but another machine behind the same NAT interface (on the firewall) as the hMailServer machine that's causing the problem. If this is the case, you won't find anything in the hMailServer logs.


 Post subject:
PostPosted: 2007-11-29 11:20 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
Thanks, I will look into this. My log files seem to be quite large, but that might be due to incoming spam. Can you give pointers on what to look for in the log file to confirm that I am spamming. If, for example, my mail server was sending out repeated emails as SPAM, presumably I would see that? What would I look for? Thanks

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 11:24 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
Just to be a little more specific. What sequence of SMTP commands am I looking for that will be in a very short time period. I am just learning how to read SMTP commands. Thanks.

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-29 12:28 
Senior user

Joined: 2005-10-13 21:28
Posts: 2486
Location: Lithuania
If your email server is also a NAT gateway, or it is behind a NAT gateway, block or log all outgoing SMTP connections from the internal network to remote addresses that are not coming from your email server.

Check size of your email queue.


 Post subject:
PostPosted: 2007-11-29 12:29 
Normal user

Joined: 2006-10-25 09:02
Posts: 64
Location: Centurion, South Africa
It seems like you'll have to look for 'SMTPC' in the log (first column) where the 'FROM' (right-hand side) isn't one of your known sender addresses. If these are spoofed, you'll have to rely on trying to recognise the 'RCPT TO', checking whether the specified recipients are known to you.

Mail coming into your server will start with "SMTPD".

Hope I've got it right...


 Post subject:
PostPosted: 2007-11-30 03:36 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
I don't believe my email server is a NAT gateway, so I guess it is not?

I checked the log files. They average about 10-14MB per day. 150,000 lines. Is this a lot when I have all logging turned on?

I searched for SMTPC throughout the document, there were not a lot of these entries. All of the FROM commands are to email addresses I recognize, and there are not a lot of them.

From all I can deduce, my server is not spamming anyone. I also ran all scans and malware checks I can to see if anything else is sending out through my network that has nothing to do with the server.

The only service that repeatedly blacklists me is CBL. I have now delisted with them 5 times and emailed them 4 times asking to provide evidence that there is a problem and they have not responded. Does anyone know how I can get them to respond?

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-30 07:12 
Senior user

Joined: 2005-10-13 21:28
Posts: 2486
Location: Lithuania
simondsmason wrote:
I don't believe my email server is a NAT gateway, so I guess it is not?


How many machines do you have in your home network? This is not a question about your beliefs. You have one machine, or you have more than one machine with the same external IP address visible to CBL and others. If you are using a wireless access point or router, this includes wireless clients.

CBL blacklists addresses that spam. If you repeatedly unlist your IP without solving the issue, you can end up on a permanent blacklist.


 Post subject:
PostPosted: 2007-11-30 10:50 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
I have 4 machines in my home network sharing the same IP address. I have scanned all of them to see if they are doing anything they shouldn't be - using usual malware scanners, etc. So far I have found nothing. What can I do to find out where this is coming from? CBL simply has not responded to me so I don't even know what evidence they have to support the blacklisting. This is the most frustrating part of this whole thing. They keep blacklisting me, and they won't talk to me!

_________________
Simon DS Mason


 Post subject:
PostPosted: 2007-11-30 11:07 
Normal user

Joined: 2006-10-25 09:02
Posts: 64
Location: Centurion, South Africa
Ok, so you do have NAT running on the common point, i.e. a router or firewall of sorts.

Use the router to disallow all outgoing traffic (on port 25) on all machines except the mail server. If they stop listing you, it's not the mail server. Repeat this process for every machine on the network.

I have found that certain malware/virus scanners do not find all instances/variations of proxy bots and viruses, and some trojans hide themselves very skillfully.

Another option is to go to each machine, open a command prompt and run 'netstat' to try and find a machine with an unnatural amount of connections. Using 'netstat -b' will show you which application is making the connections on the machine.


 Post subject:
PostPosted: 2007-11-30 11:07 
Senior user

Joined: 2005-10-13 21:28
Posts: 2486
Location: Lithuania
simondsmason wrote:
I have 4 machines in my home network sharing the same IP address. I have scanned all of them to see if they are doing anything they shouldn't be - using usual malware scanners, etc. So far I have found nothing. What can I do to find out where this is coming from? CBL simply has not responded to me so I don't even know what evidence they have to support the blacklisting. This is the most frustrating part of this whole thing. They keep blacklisting me, and they won't talk to me!


Log or block all traffic that goes from the local network to remote TCP port 25. Only your email server should be able to contact other email servers. If you block SMTP traffic of other machines, it reduces the number of RBL issues, because those machines can send email only through your server and you will notice non-standard email activity.

Watch the email queue of your email server. In SOHO mail servers the queue size is very small, and any spam activity increases the number of queued messages. Please note that you can't use the queue to detect spam if you forward all your outgoing emails to your ISP's server.

Check logs for any non-standard email activity: sudden increases in email queue size, spikes in the number of processed emails, emails with lots of recipients, emails that you haven't sent, SMTP authentication from unknown remote addresses.


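One way to script the log checks suggested in this post and in the earlier 'SMTPC' post (outbound sessions from unknown senders, sessions with many recipients, bursts of outbound mail). This is an added example, not code from the thread or from hMailServer; the sample lines are constructed, and the tab-separated field order (type, process id, session id, timestamp, remote IP, message) is an assumption about the hMailServer log layout.

```python
import re
from collections import defaultdict
# Constructed sample in the tab-separated layout hMailServer logs use (type,
# process id, session id, timestamp, remote IP, message); the field order is an
# assumption, adjust LINE_RE if yours differs. SMTPD = inbound, SMTPC = outbound.
SAMPLE_LOG = """\
"SMTPD"\t3244\t11\t"2007-11-29 10:42:01.100"\t"203.0.113.9"\t"RECEIVED: MAIL FROM:<news@example.org>"
"SMTPC"\t3244\t12\t"2007-11-29 10:42:05.200"\t"198.51.100.7"\t"SENT: MAIL FROM:<simon@example.com>"
"SMTPC"\t3244\t12\t"2007-11-29 10:42:05.300"\t"198.51.100.7"\t"SENT: RCPT TO:<friend@example.net>"
"SMTPC"\t3244\t13\t"2007-11-29 10:43:10.000"\t"192.0.2.44"\t"SENT: MAIL FROM:<x9zq@unknown.example>"
"SMTPC"\t3244\t13\t"2007-11-29 10:43:10.100"\t"192.0.2.44"\t"SENT: RCPT TO:<a@example.net>"
"SMTPC"\t3244\t13\t"2007-11-29 10:43:10.200"\t"192.0.2.44"\t"SENT: RCPT TO:<b@example.net>"
"SMTPC"\t3244\t13\t"2007-11-29 10:43:10.300"\t"192.0.2.44"\t"SENT: RCPT TO:<c@example.net>"
"""
KNOWN_SENDERS = {"simon@example.com"}  # constructed: the addresses you expect to send
MAX_RCPT = 2                            # more recipients than this per session is unusual at home
LINE_RE = re.compile(r'^"(\w+)"\t\d+\t(\d+)\t"([^"]+)"\t"[^"]+"\t"(.*)"$')
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_sessions(text):
    """Group outbound (SMTPC) lines by session id into sender, recipients, start time."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "SMTPC":
            continue  # inbound SMTPD traffic is not what gets you listed
        sid, stamp, msg = m.group(2), m.group(3), m.group(4)
        s = sessions.setdefault(sid, {"from": None, "rcpts": [], "start": stamp})
        addr = ADDR_RE.search(msg)
        if addr and "MAIL FROM:" in msg:
            s["from"] = addr.group(1).lower()
        elif addr and "RCPT TO:" in msg:
            s["rcpts"].append(addr.group(1).lower())
    return sessions

def suspicious_sessions(text, known=KNOWN_SENDERS, max_rcpt=MAX_RCPT):
    """Return {session id: [reasons]} for outbound sessions worth a closer look."""
    flagged = defaultdict(list)
    for sid, s in parse_sessions(text).items():
        if s["from"] not in known:
            flagged[sid].append("unknown sender %s" % s["from"])
        if len(s["rcpts"]) > max_rcpt:
            flagged[sid].append("%d recipients" % len(s["rcpts"]))
    return dict(flagged)

def outbound_per_minute(text):
    """Outbound sessions per minute; a sudden burst is the spike described above."""
    counts = defaultdict(int)
    for s in parse_sessions(text).values():
        counts[s["start"][:16]] += 1  # key is "YYYY-MM-DD HH:MM"
    return dict(counts)
```

Run it over a real day's log with `open(path).read()` in place of `SAMPLE_LOG` and compare the per-minute counts against what your four active users plausibly send.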
 Post subject:
PostPosted: 2007-11-30 17:53 
Normal user

Joined: 2007-11-29 00:52
Posts: 147
Update: I was emailing CBL at the wrong address! They responded very quickly when I got the correct address. Want to clear the record concerning their response time.

I have now restricted port 25 on my router and I am hoping this will put a stop to the SPAM. If it does, this means that I have a problem machine on my network. I have scanned all machines and found nothing. But as one reply above stated this is not conclusive. I am checking the other options suggested.


 Post subject:
PostPosted: 2007-11-30 18:39 
New user

Joined: 2007-11-18 06:27
Posts: 7
Yeah, sounds like one of your PCs might have been hit with a zombie bot.
They're commonly used for this purpose. The person or group who controls the bot network sells their services to Asian spammers, for instance, and uses the zombie hosts in their network to send the spam for their clients. They're pretty smart about it too; they cycle through the PCs, each one sending a few mails here and there. But together, they can send out hundreds of thousands of spam mails.
The problem is, the bot is not just a trojan but a rootkit. You won't be able to detect it from the host OS.
You need to get some anti-virus software on a bootable CD and run some scans.

