Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 10:37 am Post subject: Need help here
We got hit at work by being blacklisted as a spammer. We are going through the network right now. And no, we do NOT spam!
The question is that the main engineer had gotten notice via Outblaze. I am suspicious, as I do not know if they are legit; they could have been trying some kind of invasion thing here. Their page which claims evidence shows a typical phisher.
Could there be some kind of weird scam going on, with them trying to invade via this method? I am curious what is going on here.
_________________
For this is the place
where dreams
and nightmares
are birthed
and bred
Nightmare Park
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 Jun 2013 Posts: 10277 Location: sunny California
Posted: Tue Jul 10, 2007 11:22 am
There is some spam going around that has fake warnings of something like that. I'm not familiar with Outblaze.
Here's one of the spams I got yesterday:
Quote:
Dear Customer,
Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.
We recommend you to install this patch
hxxp://209.91.19.249/?e368412571d7d41977bc649ea95523
to remove worm files and stop email sending, otherwise your account will be blocked.
Support Team
Do you have a link to the page that claims evidence?
Or, it could be someone is spoofing your email address to send spam. That happens with my domains sometimes. I don't know if anyone else is getting the emails, but I get them.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 11:31 am
That is the same page that is the evidence claimed, yes. Literally, our emails at work are being blocked so they had it submitted or something.
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 11:49 am
http://spamblock.outblaze.com/71.129.162.210
http://spamblock.outblaze.com/cgi-bin/showspammail.cgi?ip=71.129.162.210&mail=10581522
I am trying to query Spamhaus XBL and am getting nothing back. It could also be due to a DDoS on it.
http://www.spamhaus.org/query/bl?ip=71.129.162.210
Spamhaus claims it is not on their listing.
One email that came in also had the phish you quoted, but with another company email in the form.
Return-Path: <service@paypal.us>
Received: from trigonelectronics.com (71-129-162-210.ded.pacbell.net [71.129.162.210])
by spf18.us4.outblaze.com (Postfix) with ESMTP id 16BE2CF023; Wed, 4 Jul 2007 08:35:08 +0000 (GMT)
Received: from User ([67.100.98.128])
by trigonelectronics.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 4 Jul 2007 01:20:51 -0700
From: "service@paypal.us" <service@paypal.us>
Subject: Notification : Please confirm your PayPal account.
Date: Wed, 4 Jul 2007 01:32:17 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVER2003BdsnvUFcx00000148@trigonelectronics.com>
X-OriginalArrivalTime: 04 Jul 2007 08:20:51.0701 (UTC) FILETIME=[3BE7AA50:01C7BE14]
X-TM-AS-Product-Ver: SMEX-7.2.0.1122-5.0.1021-15276.003
X-TM-AS-Result: Yes-22.616500-5.000000-1
To: undisclosed-recipients: ;
<font size="2" face="Courier New, Helvetica, sans-serif">Dear PayPal Customer, <p>
<HR>
This email is to inform you, that we had to block your PayPal account access because we had <br>to upgrade our servers in order to remove <strong>online fraud.<br></strong>
Our terms and conditions you agreed to state that your account must always be under your control or those you designate at all times. We have noticed some unusual activity related to our servers that indicates that other parties may have access and, or control of your informations in your account.
<br>
This phish is VERY unusual to me since it does NOT show a "click here" kind of link. That would have helped figure out the identity of who it is.
I checked out my own computer here: tracking cookies, but no ad stuff going on. We are getting our IT dude out here to check into the servers.
I keep Firefox, NoScript and SiteAdvisor going on my computer here. Practice safe computing.
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 Jun 2013 Posts: 10277 Location: sunny California
Posted: Tue Jul 10, 2007 12:32 pm
I don't know about Outblaze, but Spamcop has the reputation of blacklisting IPs over one report of spam, whether it's valid or not. I don't know if that is really true, but that's what I've heard.
Is it possible a PC or PCs on the network could have been infected with an email worm or spambot? That could really cause problems.
Also, spammers are good at forging email headers to make it look like it came from some place that it didn't.
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 19 Jun 2013 Posts: 10277 Location: sunny California
Posted: Tue Jul 10, 2007 12:35 pm
It's not showing up as blocked here:
http://whois.domaintools.com/71.129.162.210
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 12:57 pm
Thanks. We are running AVG rootkit checkers right now as I type, mine is looking good.
And yup, I think there might be a spambot. Evidently, it was doing its thing July 4th when we were closed.
Will see a LOT of Firefox, SiteAdvisor and hopefully Thunderbird in here before the day is through...
Oldfrog Site Admin

Joined: 08 Aug 2004 Last Visit: 09 Feb 2013 Posts: 1161 Location: Hewitt, TX
Posted: Tue Jul 10, 2007 12:58 pm
Quote:
Received: from User ([67.100.98.128])
by trigonelectronics.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 4 Jul 2007 01:20:51 -0700
Any chance that your mailserver is relaying SMTP? You might check the logs for references to 67.100.98.128.
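A defender's way to do the log-side check Oldfrog suggests is to walk the Received chain of the quoted message and find the hop where the organisation's own server first accepted it from an outside host; that client IP is the one to grep for in the SMTP logs. This is an added example, not code from the thread; it parses the header lines quoted above and assumes trigonelectronics.com is the only in-house mail host.

```python
import re

# Constructed from the Received lines quoted earlier in this thread; the
# continuation lines are folded with leading whitespace as in a real message.
RAW_HEADERS = """\
Return-Path: <service@paypal.us>
Received: from trigonelectronics.com (71-129-162-210.ded.pacbell.net [71.129.162.210])
 by spf18.us4.outblaze.com (Postfix) with ESMTP id 16BE2CF023; Wed, 4 Jul 2007 08:35:08 +0000 (GMT)
Received: from User ([67.100.98.128])
 by trigonelectronics.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 4 Jul 2007 01:20:51 -0700
From: "service@paypal.us" <service@paypal.us>
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def unfold(raw):
    """Join folded header lines; return a list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw):
    """Return the Received hops oldest-first as {helo, ip, by} dicts."""
    hops = []
    for name, value in unfold(raw):
        m = RECEIVED_RE.search(value) if name.lower() == "received" else None
        if m:
            ip = IPV4_RE.search(m.group(2) or "")
            hops.append({"helo": m.group(1), "ip": ip.group(1) if ip else None,
                         "by": m.group(3)})
    return list(reversed(hops))  # each relay prepends its header, so reverse


def injection_point(raw, own_hosts):
    """First hop where one of our own servers accepted mail from a host that
    is not ours: the client IP to look for in the SMTP logs."""
    for hop in received_hops(raw):
        if hop["by"].lower() in own_hosts and hop["helo"].lower() not in own_hosts:
            return hop
    return None


if __name__ == "__main__":
    print(injection_point(RAW_HEADERS, {"trigonelectronics.com"}))
```

Only the hop accepted by your own server is trustworthy; everything a remote client writes above it (the HELO name "User", the From line) can be forged.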
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 1:44 pm
It relays only when authenticated.
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Tue Jul 10, 2007 2:36 pm
I've got a question regarding your setup:
Your MX record suggests that all the mail goes to the barracuda and that this machine seems to be acting as proxy to the Exchange server:
Quote:
[olliver@bunkiten ~]$ host -t mx trigonelectronics.com
trigonelectronics.com mail is handled by 2 BARRACUDA.trigonelectronics.com.
[olliver@bunkiten ~]$ host BARRACUDA.trigonelectronics.com
BARRACUDA.trigonelectronics.com has address 216.193.197.102
Mail banner:
Quote:
[olliver@bunkiten ~]$ telnet trigonelectronics.com 25
Trying 216.193.197.102...
Connected to trigonelectronics.com (216.193.197.102).
Escape character is '^]'.
220 barracuda.micronetoc.com ESMTP (bc96533c669f452718a5c206628503bc)
quit
221 Bye
So assuming that is true, then Exchange shouldn't accept any connections from the Internet (except the barracuda, of course), right? Because that's what the Barracuda is proxying for. The Exchange server however does accept connections from strangers if contacted directly:
Quote:
[olliver@bunkiten ~]$ telnet 71.129.162.210 25
Trying 71.129.162.210...
Connected to 71-129-162-210.ded.pacbell.net (71.129.162.210).
Escape character is '^]'.
220 trigonelectronics.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Tue, 10 Jul 2007 14:37:43 -0700
quit
221 2.0.0 trigonelectronics.com Service closing transmission channel
Connection closed by foreign host.
This exposes the machine to the Internet, and spammy can abuse it as soon as the latest 0-day exploit for Exchange hits the "bulkerz" discussion boards. It has been my observation also that the majority of mail admins prevent direct access to Exchange servers from the Internet and advise strongly against it. Therefore it might make sense to deny incoming connections to port 25 TCP from the Internet except for 216.193.197.102 (barracuda proxy). But then again I don't know your setup and what possibly prevents this obvious step from being taken. But keep in mind that an Exchange server open to the internet is a constant security risk (according to admins who have to tame the beast; there's a lot of evidence in relevant newsgroups).
Btw: the mail server also landed on other blocklists
http://www.uceprotect.net/rblcheck.php?ipr=71.129.162.210
Quote:
UCEPROTECT-Network Level 1:
IP 71.129.162.210 is blacklisted at UCEPROTECT Level 1
This means spamtraps were hit from this IP directly within the last 7 days.
Find out which UCEPROTECT-Server did list your IP and for what reason.
To do this, grep your logs (last 8 days) for the following expression:
UCEPROTECT-Policy Server
All you need to know in order to locate the problem should be inside those logfiles.
If this is not your IP, but your provider's server, we recommend:
Please send a complaint to your provider and request him to fix this problem immediately.
Think about this: You pay him so that you can use the internet without problems.
http://dnsbl.burnt-tech.com/lookup.php?ip=71.129.162.210
Quote:
IP Address 71.129.162.210 is currently listed in the DNSBL.
First listed: 2007-07-08 02:57 GMT.
First possible removal scheduled: 2007-07-12 02:00 GMT (+/- 30 minutes).
There's an APEWS listing too, but that can be safely ignored (See various NANAE posts why).
Also some good news, there's no reported spam from that ip address in NANAS, so it doesn't seem to be a permanent problem.
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
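The listing checks olliver runs through the UCEPROTECT and burnt-tech web forms (and the Spamhaus query earlier in the thread) are, underneath, plain DNS lookups: the IP's octets are reversed and prefixed to the list's zone, an answer in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". The following is an added example, not the thread's or any list operator's code; the zone names under example.test and the verdicts in the fake resolver are constructed for the demo and do not reproduce the IP's real 2007 status.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the blocklist zone,
    e.g. 71.129.162.210 -> 210.162.129.71.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name):
    """Real lookup: A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dnsbls(ip, zones, resolve=live_resolve):
    """Query each zone and classify the answer. Only a 127.0.0.0/8 answer is a
    real listing; any other address points to a broken or wildcarded zone and
    is flagged rather than trusted as a verdict."""
    report = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            report[zone] = "not listed"
        elif all(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers):
            report[zone] = "listed: " + ",".join(answers)
        else:
            report[zone] = "unexpected answer: " + ",".join(answers)
    return report


# Constructed offline stand-in for DNS so the example runs without network;
# the verdicts are invented for the demo, not the IP's real status.
FAKE_DNS = {
    "210.162.129.71.listing.example.test": ["127.0.0.2"],
    "210.162.129.71.broken.example.test": ["10.0.0.1"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["listing.example.test", "broken.example.test", "clean.example.test"]
    for zone, verdict in check_dnsbls("71.129.162.210", zones, fake_resolve).items():
        print(f"{zone}: {verdict}")
```

With the default live_resolve and a real zone such as xbl.spamhaus.org the same function performs the lookup the Spamhaus web form does; the meaning of the specific 127.0.0.x value is documented by each list operator.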
Nightmaretony Warrior
Joined: 15 Mar 2005 Last Visit: 30 Jun 2011 Posts: 256 Location: Meadowbrook
Posted: Tue Jul 10, 2007 4:35 pm
Back. We ran some testing out here and the server seems clean. The IT guy is doing his thing; I didn't get any more details, sorry. Thanks a mil Notepet, Suzi, OldFrog. I asked the IT dude to take a look in here and things, and let's see how it all shakes loose. I wonder if it was spoof city or something...
Tony