Help finding which computer is causing us to be blacklisted?




According to a number of internet DNS blacklists at 9am today a
computer on our customer's network sent out enough spam to land us on
a blacklist.  They don't say which internal computer in particular,
just that it came from our network's IP address.

I've done two different virus scans plus a malwarebytes scan on every
single computer on the network (20 of them) plus on our server.  No
viruses, no malware found whatsoever.

There's obviously something on one of the computers causing this
problem but I don't want to request delisting from the blacklists
until I'm absolutely sure I've fixed the problem computer.

Is there anything else I can try?  Checking 21 systems as you'd expect
is a big job!

I have some packet monitoring software on the server but there's
nothing obvious appearing in the logs (unless I need to look for
something specific).

I've checked and double checked to make sure we don't have an open
relay either - which we don't.

thanks in advance!

Re: Help finding which computer is causing us to be blacklisted?




| According to a number of internet DNS blacklists at 9am today a
| computer on our customer's network sent out enough spam to land us on
| a blacklist.  They don't say which internal computer in particular,
| just that it came from our network's IP address.

| I've done two different virus scans plus a malwarebytes scan on every
| single computer on the network (20 of them) plus on our server.  No
| viruses, no malware found whatsoever.

| There's obviously something on one of the computers causing this
| problem but I don't want to request delisting from the blacklists
| until I'm absolutely sure I've fixed the problem computer.

| Is there anything else I can try?  Checking 21 systems as you'd expect
| is a big job!

| I have some packet monitoring software on the server but there's
| nothing obvious appearing in the logs (unless I need to look for
| something specific).

| I've checked and double checked to make sure we don't have an open
| relay either - which we don't.

| thanks in advance!

I suggest you do some network sniffing using WireShark or some other utility at
the border gateway, or using RMON on a managed E-Switch.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Help finding which computer is causing us to be blacklisted?



I have installed WireShark on the server (gateway).  What should I be
looking for in particular??


Re: Help finding which computer is causing us to be blacklisted?




| I have installed WireShark on the server (gateway).  What should I be
| looking for in particular??


How are you using the server as a gateway ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Help finding which computer is causing us to be blacklisted?

David H. Lipman wrote:


You didn't mention the ip in question, or if any other details are
available.

Do all machines have complete access to the internet (all ports and
protocols)? If so, try to limit access at the gateway to only that
which is required, and watch the firewall logs for blocked traffic.

Do you use an internal mail relay? Can you check its logs?

Another tool that might help is EtherApe, to give you a visual of
traffic on your network.


John

Re: Help finding which computer is causing us to be blacklisted?





Which ip address, and which blocklist?  The ip you're posting from belongs
to as43234.net

Some blocklists provide more information.  For example
http://www.uceprotect.net/en/rblcheck.php?asn=43234
shows AS43234 - CPWBBSERV-AS Carphone Warehouse Broadband Services
has 3,083 ip addresses that have sent enough spam to spamtraps, in the
last seven days, to get listed.  One of the ranges, 92.0.0.0/13, has sent
enough spam that the entire /13 is now listed.

The above url allows you to check by individual ip address, or by
the asn.

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Help finding which computer is causing us to be blacklisted?



"eggedd2k" wrote:


Some lists give more details about the type of spam. Have you checked?
For example, if you are running a mailserver you might be sending out
backscatter; that is, sending 'bounce' messages to the false sender
addresses in spam after having first accepted the mail.

Or perhaps one of your customers is a spammer.

Without knowing the IP address concerned or which blacklists you're
on, one can only speculate. Some lists are more relevant than others.

A better group to ask is news.admin.net-abuse.email (NANAE) but put on
your flame-proof underwear first.



Re: Help finding which computer is causing us to be blacklisted?



In article <f9c951a4-9195-4a76-8713-3808698b9ca8
@k13g2000hse.googlegroups.com>, chrisnrach17@aol.com says...

Your firewall should permit you to see what OUTBOUND traffic is being
sent on TCP Port 21 and from what internal computer.

Just look at the firewall protecting your network, look for OUTBOUND
SMTP (TCP 25) from anywhere and go check that/those computer(s)


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Help finding which computer is causing us to be blacklisted?



In terms of how they have their server and internet configured, they
have the server (2k3 SBS) which the workstations have as their gateway
ip for internet access, the server in turn is configured (originally
via the internet setup wizard) to send internet traffic on to a
Draytek Vigor 2500 series router.

I have installed WireShark on their server.  Presumably my next step
is to monitor traffic for a period of time and then filter it to show
TCP ports 21 and 25 OUTBOUND?

These are the blacklists they're on:

CBL  LISTED Blocked - see Detail
Return codes were: 127.0.0.2 3600 969
DNSBLNETAUT1  LISTED Blocked - see Detail
Return codes were: 127.0.0.2 10800 1984
LASHBACK  LISTED Sender has sent to LashBack Unsubscribe Probe accounts
Return codes were: 127.0.0.2 3600 1812
MSRBL-Combined  LISTED Virus Sending Host - see Detail
Return codes were: 127.1.0.2 2100 1781
MSRBL-Viruses  LISTED Virus Sending Host - see Detail
Return codes were: 127.1.0.2 2100 1765
RATS-Dyna  LISTED SPAMRATS IP Addresses See: Detail
Return codes were: 127.0.0.36 3600 1672
Spamhaus-ZEN  LISTED Detail
Return codes were: 127.0.0.4 1800 1562


This is the extra info that MSRBL gave me - seems like a particular
email:

Received: from host217-41-16-85.in-addr.btopenworld.com
(host217-41-16-85.in-addr.btopenworld.com [217.41.16.85])
    by smtp.sd73.bc.ca (Postfix) with ESMTP id 2C67C1A000B11
Received: from [217.41.16.85] by mx0.arionboard.de; Wed, 27 Aug 2008
11:52:11 +0000
Date:    Wed, 27 Aug 2008 11:52:11 +0000
X-Mailer: The Bat! (v3.5.25) Professional
X-Priority: 3 (Normal)
Subject: Corel draw! just at best price
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----------CDACD39B0946731"


thanks again for all your help so far!

Re: Help finding which computer is causing us to be blacklisted?



For info, part of our NAT table log:

-------------------------------------------------------------------------------
     Private IP :Port #Pseudo Port         Peer IP :Port  Ifno  Status
-------------------------------------------------------------------------------
   192.168.0.37  1752        34814   216.178.7.253    25     3  0
  192.168.0.254 51174        34881   213.123.26.23   110     3  0
   192.168.0.37  2451        33602     67.96.97.67    25     3  0
   192.168.0.37  2763        33616   208.42.184.11    25     3  0
   192.168.0.37  1753        32967   216.178.7.253    25     3  0
   192.168.0.37  4369        33147   66.118.65.197    25     3  0
  192.168.0.254 47079        33148   213.123.26.23   110     3  0
   192.168.0.37  1048        35193  206.190.53.191    25     3  0
   192.168.0.37  1451        33421    72.16.164.44    25     3  0
   192.168.0.37  1812        34659   64.71.166.195    25     3  0
   192.168.0.14  2413        34396   195.55.72.130   443     3  0
   192.168.0.37  2523        34931   216.178.7.253    25     3  0
   192.168.0.37  4315        33427   216.178.7.253    25     3  0
   192.168.0.37  3345        34458   12.71.144.199    25     3  0
   192.168.0.37  4651        34163    72.66.23.173    25     3  0
   192.168.0.37  3903        35182  193.252.22.153    25     3  0
   192.168.0.37  4001        35070   149.174.40.55    25     3  0
   192.168.0.37  1499        34849   216.178.7.253    25     3  0
   192.168.0.37  1227        33779    69.49.109.14    25     3  0
   192.168.0.37  2524        34087   216.178.7.253    25     3  0
   192.168.0.37  2012        35059   216.178.7.253    25     3  0
   192.168.0.37  4316        33361   216.178.7.253    25     3  0
   192.168.0.37  3277        33018    68.75.244.12    25     3  0
   192.168.0.37  1050        33219  206.190.53.191    25     3  0
   192.168.0.37  3946        35188    66.113.1.111    25     3  0
   192.168.0.37  2175        33002   64.164.137.90    25     3  0
   192.168.0.37  1346        34668  64.129.101.151    25     3  0
   192.168.0.37  2494        35250  216.157.145.27    25     3  0
   192.168.0.37  4060        33342   216.178.7.253    25     3  0
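Over the NAT table above, as an added example (not code from anyone in the thread): parse the Draytek rows and count, per internal host, how many outbound SMTP (TCP 25) sessions it holds and how many distinct external mail servers it is talking to. A workstation fanning out directly to many MXs is the spambot signature the replies point at; the assumption that 192.168.0.254 is the site's own mail server (the SBS box, the one legitimately allowed to speak SMTP) is mine, not stated in the thread.

```python
import re
from collections import defaultdict

# Excerpt of the Draytek NAT table quoted above (data rows only; header omitted).
NAT_LOG = """\
   192.168.0.37  1752        34814   216.178.7.253    25     3  0
  192.168.0.254 51174        34881   213.123.26.23   110     3  0
   192.168.0.37  2451        33602     67.96.97.67    25     3  0
   192.168.0.37  2763        33616   208.42.184.11    25     3  0
   192.168.0.14  2413        34396   195.55.72.130   443     3  0
   192.168.0.37  1048        35193  206.190.53.191    25     3  0
   192.168.0.37  2523        34931   216.178.7.253    25     3  0
"""

# Columns: Private IP, Port, #Pseudo Port, Peer IP, Port, Ifno, Status
ROW_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\s+(?P<sport>\d+)\s+(?P<pseudo>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\s+(?P<dport>\d+)\s+(?P<ifno>\d+)\s+(?P<status>\d+)\s*$"
)

def parse_nat_table(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            rows.append({k: (v if k in ("src", "dst") else int(v)) for k, v in d.items()})
    return rows

def smtp_fanout(rows, smtp_port=25):
    """Per internal host: (outbound SMTP sessions, distinct external peers on port 25)."""
    sessions = defaultdict(int)
    peers = defaultdict(set)
    for r in rows:
        if r["dport"] == smtp_port:
            sessions[r["src"]] += 1
            peers[r["src"]].add(r["dst"])
    return {h: (sessions[h], len(peers[h])) for h in sessions}

def suspects(rows, allowed_senders=("192.168.0.254",), min_peers=3):
    """Hosts other than the site's mail server (assumed to be .254, the SBS box)
    holding SMTP sessions to at least min_peers different external servers."""
    return sorted(h for h, (_, p) in smtp_fanout(rows).items()
                  if h not in allowed_senders and p >= min_peers)

if __name__ == "__main__":
    rows = parse_nat_table(NAT_LOG)
    for host, (n, p) in smtp_fanout(rows).items():
        print(f"{host}: {n} SMTP sessions to {p} distinct servers")
    print("suspects:", suspects(rows))
```

Point the same parser at the full table (or at the router's NAT log exported over time) and the host to look up in DHCP leases falls out of the suspects list.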

Re: Help finding which computer is causing us to be blacklisted?



In article <e0a92d78-b0a6-4d4f-969d-7f9c7935f7af@
25g2000hsx.googlegroups.com>, chrisnrach17@aol.com says...

Based on the above, your computer at 192.168.0.37 is the offender.

Now, look in your DHCP leases and see what the name of the computer at
.37 is and go turn it off.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
