Re: spam


I have to say it again.. I love this place. Learn something every time I come here.

Dave I had not seen that spam list before. Looks like you get listed and removed at irregular intervals.

I read through the pages and the logic for that list and found it interesting that he/they rely on self-removal to clear out the occasional or "innocent" spammers from those that are robots and continue to spam, many without even knowing they are.

Since you get an occasional hit, and can be removed and not relisted for some time, I wonder if there are any stations on your network, or laptops that check in infrequently?

It is also possible that there is a sleeping bot in your system, but the volume of spam does not seem all that high, and the usual bot will send out thousands. I did not see any evidence that this was the case, and unlike my customer who was listed on several of the lists, your IP seems to only have been listed on this one site. (Unless you have further information, that is.)

You can usually watch the router and see the lights pumping when there is a lot of activity. Sometimes you can unplug things one at a time to find the culprit, or all the workstations to check the server.

If there is no activity in your Exchange monitor then I suspect either a rogue SMTP server on the SBS or one of the workstations. Because the volume appears to be very low, and intermittent, maybe a notebook that only comes into the office occasionally?

I guess a thorough scan with a good AV and Anti Malware program may be in order. One that I like is to download the engine and the pattern files from www.trendmicro.com and run them independently from any other AV or AS you are using. Of course if you are already using Trend on your server and clients, you may wish to find another.

The engine (sysclean.com) can be found here:

http://www.trendmicro.com/download/dcs.asp

And the patterns are here:

http://www.trendmicro.com/download/pattern.asp

which links to:

http://www.trendmicro.com/download/viruspattern.asp

and

http://www.trendmicro.com/download/spywarepattern.asp

where you can get this file:

Ssapiptn.da5 Pattern File: ssapiptn677.zip 5.6MB
MD5 checksum: e5b3a3dcc2032205449abb118dc9d192


Unzip all of these to the folder that has the engine and double-click the sysclean.com, which will start the scan. Once you have it working you can copy it all to a network share or to a thumb drive. Be aware that it creates a report in the folder that it runs from, so copy the set to each client and run it from there.

-Larry


Note you have to get all three unzipped and moved into the same folder.
"Brian Cryer" <not.here@localhost> wrote in message news:eaxLdye$IHA.1036@xxxxxxxxxxxxxxxxxxxxxxx
"Paul Smith" <psmith@xxxxxxxxxxxxxxx> wrote in message news:uM2A%23GW$IHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
This is my second post concerning our SBS 2003 server putting out spam. We keep hitting block lists every 6 months or so. Do they have false positives?

I didn't have any concrete facts before, but now I do:

Since our network all goes through the SBS server (2 NIC cards, one public, one private), could this be a machine on our network, since I can't find any signs of this in the Exchange Message Tracking Center?

I have been getting this same spam in my Exchange mailbox, and some of my other email addresses.

Thanks,
Paul

--------------------------------------------------------------------------------
http://psbl.surriel.com/evidence?ip=70.251.220.81&action=Check+evidence

From sevgi-legeps@xxxxxxxxx Fri Aug 08 00:02:27 2008
Delivery-date: Fri, 08 Aug 2008 00:02:27 -0400
Received: from [70.251.220.81] (helo=mail.computersmarts.biz)
by mail.victim.example with esmtp (Exim 4.63)

If the site psbl.surriel.com is providing the original header and mail.computersmarts.biz is your mail server, then I would say that yes this originated from you.

Each email server that receives an email, whether it's for final delivery or just to relay it to another server, adds a line in the header "Received: from ..." which indicates the server that it received the email from. Whilst spammers can forge these, all they can do is to add additional bogus ones. The most recent one is always genuine because the recipient's email server added it. The one before that, if there is one, may be genuine but might be bogus (if added by a spammer), and so on.

Since this header only contains one "Received: from" and that is your mail server (hence my opening comment about the reliability of the information and whether mail.computersmarts.biz is yours), the logical conclusion is that it originated from your server - or at least from your IP address. If all your PCs connect through a router then it could be any one of those PCs and not necessarily your server which is generating the spam. However, on the basis of this evidence I would conclude that this spam did come from you. Sorry.

Do all your workstations use your SBS as a proxy or can they connect directly to the internet? I don't use SBS as a proxy and have all my workstations connected directly to my router, so this isn't an area where I have any expertise. If SBS is your proxy then can you block port 25 for all workstations? If it isn't, then at your router can you block outbound port 25 for all PCs other than your server? Otherwise I wonder whether there might be some malware installed on your server; there is no reason why two different applications (say Exchange and some malware) could not both be sending out mail.
--
Brian Cryer
www.cryer.co.uk/brian
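A small illustration of the header-walking logic Brian describes, added here as an example and not part of any post in the thread: it parses the Received: lines topmost-first, trusts only the one the recipient's own server wrote, and checks whether that hop's connecting IP is one of ours. The header is a constructed sample built from the psbl.surriel.com evidence quoted above; the second hop and the set of "our" public IPs are assumptions.

```python
import re
from email import message_from_string

# Constructed sample header. IP, HELO name and server names come from the
# psbl.surriel.com evidence quoted in the thread; the second hop is invented
# here to show a line the recipient cannot verify and a spammer could add.
SAMPLE = (
    "Received: from [70.251.220.81] (helo=mail.computersmarts.biz)\n"
    "\tby mail.victim.example with esmtp (Exim 4.63)\n"
    "Received: from relay.forged.example ([192.0.2.10])\n"
    "\tby mail.computersmarts.biz with SMTP\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

PATTERNS = {
    "from": re.compile(r"\bfrom\s+(\S+)"),
    "ip": re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
    "helo": re.compile(r"helo=([^\s)]+)"),
    "by": re.compile(r"\bby\s+(\S+)"),
}


def parse_received(raw):
    """Return one dict per Received: line, topmost (most recent) first."""
    hops = []
    for idx, value in enumerate(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        hop = {}
        for key, pat in PATTERNS.items():
            m = pat.search(text)
            hop[key] = m.group(1) if m else None
        # Only the line written by the recipient's own server is trustworthy;
        # everything below it arrived with the message and may be forged.
        hop["trusted"] = idx == 0
        hops.append(hop)
    return hops


def connecting_ip(raw):
    """IP that actually connected to the recipient's server (None if no hops)."""
    hops = parse_received(raw)
    return hops[0]["ip"] if hops else None


def came_from_us(raw, our_public_ips):
    """True if the genuine hop shows the mail left from one of our addresses."""
    return connecting_ip(raw) in set(our_public_ips)
```

Run against a real header, the genuine hop's IP is the one to compare with the public address on the SBS's external NIC; a match confirms Brian's conclusion that the mail left from that address, whichever machine behind the router actually sent it.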

