Mailserver on abuseat.org's CBL, can't figure out why


No replies to this topic

#1 SeidoJohn

  • Members
  • 1 posts

Posted 27 August 2010 - 04:43 PM

Hello,

Last week, all of a sudden, emails we were sending to the outside world were being bounced back with 4.4.7, 5.4.0, and 5.7.1 errors. I checked around, and learned that we are on the Composite Blocking List at abuseat.org (www.cbl.abuseat.org). They have a couple of great guides on how to figure out what's wrong with your server/network, and I've been following their instructions.

Here's what I've done so far:
* Added a rule to the firewall to block outgoing port 25 connections from any computer on the network other than the mailserver (hoping that that would stop any strange smtp traffic, if it were coming from a client computer)
* Ran various virus-scans & MalwareBytes on all client computers, and removed a couple of bots and a trojan (Rogue.AntispywareBot, Adware.Minibug, and Trojan.Agent)
* Used TCPView on each client computer, looking for smtp or port 25 connections, but did not see any

So far, I'm still clueless as to where this spam is coming from... abuseat.org says it's coming from our mailserver. Here's what their site actually says:

IP Address 173.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-08-27 08:00 GMT (+/- 30 minutes), approximately 13 hours ago.

It has been relisted following a previous removal at 2010-08-26 20:30 GMT (1 days, 54 minutes ago)

In all probability this IP address is a NAT gateway, and the machine at 192.168.16.2 in your local LAN is either infected, or if it's a server, badly misconfigured.


I delisted it yesterday, hoping that I had solved the problem, since it had been over 24 hours since abuseat.org had detected any spam from us... clearly, I was wrong :-P

We are all (11 clients, 1 server) connected to a 24-port network switch, which is connected to a firewall, which is connected to Comcast's router.

My server has been acting VERY strange lately (the last couple days), so I think it really is the problem machine. I can't access it using RDP (the client could not establish a connection to the remote computer), Symantec Endpoint Protection no longer sits in the system tray (nor does it appear to be running unless I start it manually), and it is running slow.

I know this seems like a lot of problems to list in one post, but they all seem to be related (to me... I'm no expert ;-) ) If this is just confusing or not enough info, just let me know what you need, and I'll get it right away (or try to explain the problem in a different way).

Thanks a ton,
John
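The firewall rule described in the post blocks outbound TCP/25 from everything except the mailserver, but a rule that only blocks hides which machine keeps trying. If the same rule also logs, the firewall log names the host, and unlike a TCPView snapshot (which only shows connections open at that instant, while spam bots send in bursts) it catches attempts around the clock. The script below is an added example, not code from the original post or from abuseat.org: it parses iptables-style firewall log lines and reports every LAN host other than the mailserver that tried to reach port 25, with the number of distinct destinations it hit, which is the usual footprint of a spam bot. The log format, the mailserver address 192.168.16.10 and the sample lines are all constructed assumptions; only the 192.168.16.0/24 range follows from the CBL notice quoting 192.168.16.2.

```python
"""Added example: find which LAN host is the outbound-SMTP source.

Parses iptables-style firewall log lines and lists LAN hosts other than the
mail server that opened (or tried to open) TCP/25 connections.  The log
format, the mail server address and the sample lines are assumptions made
for this example, not data from the original post.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAILSERVER = ip_address("192.168.16.10")   # assumed address of the legitimate MTA
LAN = ip_network("192.168.16.0/24")        # LAN range implied by the CBL notice (192.168.16.2)

# Constructed sample log: one line per connection attempt seen by the firewall.
SAMPLE_LOG = """\
Aug 27 07:58:41 fw kernel: OUT-ACCEPT SRC=192.168.16.10 DST=198.51.100.25 PROTO=TCP DPT=25
Aug 27 07:59:03 fw kernel: OUT-DROP SRC=192.168.16.2 DST=203.0.113.7 PROTO=TCP DPT=25
Aug 27 07:59:03 fw kernel: OUT-DROP SRC=192.168.16.2 DST=203.0.113.41 PROTO=TCP DPT=25
Aug 27 07:59:04 fw kernel: OUT-DROP SRC=192.168.16.2 DST=198.51.100.90 PROTO=TCP DPT=25
Aug 27 07:59:04 fw kernel: OUT-ACCEPT SRC=192.168.16.2 DST=203.0.113.80 PROTO=TCP DPT=443
Aug 27 07:59:05 fw kernel: OUT-DROP SRC=192.168.16.2 DST=192.0.2.10 PROTO=TCP DPT=25
Aug 27 08:00:12 fw kernel: OUT-ACCEPT SRC=192.168.16.10 DST=192.0.2.33 PROTO=TCP DPT=25
Aug 27 08:00:30 fw kernel: OUT-ACCEPT SRC=192.168.16.7 DST=198.51.100.5 PROTO=TCP DPT=80
"""

# Fields of interest in the assumed log format.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a matching log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ip_address(m["src"]), ip_address(m["dst"]), m["proto"], int(m["dpt"]))


def smtp_destinations(log_text):
    """Map each LAN source address to the set of hosts it tried on TCP/25."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport == 25 and src in LAN:
            dests[src].add(dst)
    return dests


def suspicious_smtp_sources(log_text, mailserver=MAILSERVER):
    """LAN hosts other than the mail server that opened outbound TCP/25,
    as (address, distinct-destination count), most destinations first."""
    dests = smtp_destinations(log_text)
    hits = [(str(src), len(dsts)) for src, dsts in dests.items() if src != mailserver]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in suspicious_smtp_sources(SAMPLE_LOG):
        print(f"{src}: {n} distinct TCP/25 destinations (not the mail server)")
```

On the sample data the only hit is 192.168.16.2 with four distinct destinations, matching the host the CBL notice points at. The one caveat: if the infected machine is the mailserver itself, or the bot relays through it, the firewall sees only the mailserver's own port-25 traffic and this check is clean; in that case the mailserver's queue and SMTP logs (unexpected sender addresses, volume, a relay test) are the place to look.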
