• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1403

Blacklisted for spam, possible ip spoof

Hello,

At the beginning of the week my public IP got blacklisted for SPAM. I am running into a brick wall. I can't find out where the SPAM is coming from. I believe my public IP is being spoofed, but not sure. I just keep running into one wall after another. Any available help is greatly appreciated. The external IP is 66.194.155.242. It was on several black lists on mxtoolbox.com, but now it is only on two of them. Please tell me any info I can give to help with understanding the issue better.
Asked by: wunderlich
5 Solutions
 
Stacy Spear Commented:
You are not a relay correct? Run Exchange Best Practices Analyzer from Microsoft to find that out. If you are relaying everything else is moot till that is fixed. Ensure that your firewall allows Port 25 connections coming in and out only to the Exchange server (or its gateway device if it exists). This could be a box on your network sending out crap if the port isn't blocked.
0
 
wunderlich (Author) Commented:
Correct. We were actually just re-listed. Here is the information:

Additional potential problems
(these factors do not directly result in spamcop listing)

DNS error: 66.194.155.242 is gateway.wunderlichsecurities.com but gateway.wunderlichsecurities.com has no DNS information


does this make any sense to you?
0
 
Stacy Spear Commented:
Your forward and reverse DNS is not matching. Your reverse IP maps to gateway.wunderlichsecurities.com where the gateway.wunderlichsecurities.com has no information. Your mail server on DNS is .243. It checks out good except for response time.

Is your mail leaving the domain with .242 or .243 as the final hop?
0
 
wunderlich (Author) Commented:
.242. Here is a header that I was able to send to my Yahoo account. I used eMailTrackerPro to come to the conclusion.

From Aaron Goodwin Fri Oct  5 11:45:32 2007
Return-Path: <agoodwin@wunderlichsecurities.com>
Authentication-Results: mta163.mail.re3.yahoo.com  from=wunderlichsecurities.com; domainkeys=neutral (no sig)
Received: from 66.194.155.242  (EHLO hades.wunderlichsecurities.com) (66.194.155.242)
  by mta163.mail.re3.yahoo.com with SMTP; Fri, 05 Oct 2007 11:47:22 -0700
Received: from uranus.wunderlichsecurities.com ([192.168.1.212]) by hades.wunderlichsecurities.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 5 Oct 2007 13:46:22 -0500
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Importance: normal
Priority: normal
Content-Type: multipart/related;
      type="multipart/alternative";
      boundary="----_=_NextPart_001_01C80780.05DD7AF8"
x-cr-puzzleid: {B779B71B-2D37-4AC4-8381-166CCCBCC76D}
Content-class: urn:content-classes:message
x-cr-hashedpuzzle: 1cw= AgeM Al/J Aps1 B8UB CZNF DVxt Dl7l EIVn E6PH Gv2h Gwko Iu40 JA3L JceA LElR;1;ZwBvAG8AZAB3AGkAbgAxADAAMgA3AEAAeQBhAGgAbwBvAC4AYwBvAG0A;Sosha1_v1;7;{B779B71B-2D37-4AC4-8381-166CCCBCC76D};YQBnAG8AbwBkAHcAaQBuAEAAdwB1AG4AZABlAHIAbABpAGMAaABzAGUAYwB1AHIAaQB0AGkAZQBzAC4AYwBvAG0A;Fri, 05 Oct 2007 18:45:32 GMT;dABlAHMAdAA=
Subject: test
Date: Fri, 5 Oct 2007 13:45:32 -0500
Message-ID: <5FC467FAA5BBF04E85FAE628A974931101E8AC80@uranus.wunderlichsecurities.com>
Thread-Topic: test
Thread-Index: AcgHf+iAJ2ddoMOrQLSZHKhnjz/NxA==
From: "Aaron Goodwin" <agoodwin@wunderlichsecurities.com>
To: "Aaron Goodwin" <goodwin1027@yahoo.com>
Return-Path: <agoodwin@wunderlichsecurities.com>
Content-Length: 10233  
0
 
Sembee Commented:
You have a mismatch.

Take a look at these nslookup results.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nslookup
Default Server:  server1.domain.co.uk
Address:  192.168.3.1

> 66.194.155.242
Server:  server1.domain.co.uk
Address:  192.168.3.1

Name:    gateway.wunderlichsecurities.com
Address:  66.194.155.242

> gateway.wunderlichsecurities.com
Server:  server1.domain.co.uk
Address:  192.168.3.1

*** server1.domain.co.uk can't find gateway.wunderlichsecurities.com: Non-existent domain
>

The IP address you have given has a reverse DNS of gateway.wunderlichsecurities.com but that host name does not resolve. Get that fixed first.

However your MX records point to another IP address

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nslookup
Default Server:  server1.domain.co.uk
Address:  192.168.3.1

> set type=mx
> wunderlichsecurities.com
Server:  server1.domain.co.uk
Address:  192.168.3.1

Non-authoritative answer:
wunderlichsecurities.com        MX preference = 20, mail exchanger = PORTAL.wunderlichsecurities.com
wunderlichsecurities.com        MX preference = 10, mail exchanger = MAIL.wunderlichsecurities.com

> set type=all
> mail.wunderlichsecurities.com
Server:  server1.domain.co.uk
Address:  192.168.3.1

Non-authoritative answer:
mail.wunderlichsecurities.com   internet address = 66.194.155.243
> portal.wunderlichsecurities.com
Server:  server1.domain.co.uk
Address:  192.168.3.1

Non-authoritative answer:
portal.wunderlichsecurities.com internet address = 66.194.155.247
>

Therefore...

I cannot connect to your MX records on telnet to port 25. Are you doing something to change that at the moment?
That will cause a problem with sites that do any verification.
It also means I cannot see how your servers are announcing themselves or whether you have an Exchange server or not.

It could also be your NAT on your firewall isn't set correctly and the email comes out of a different IP address so things don't match.

Finally, on the listing, if you allow port 25 out from your network then it could be that you have a compromised workstation sending out spam.

To put it simply, your DNS is a mess.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
0
 
wunderlich (Author) Commented:
But where would I check to fix the DNS issue? It can't be inside... do you think it is on the ISP's side? Currently looking through the firewall.
0
 
Sembee Commented:
It is your external DNS that has the problems. Things are not consistent.
The ISP has a hand in it with regards to the reverse DNS (aka PTR) records, if they look after your domain as well then they have that to deal with. If your domain is with someone else then you need to get them to sort themselves out.

You have two basic problems.

1. Your MX records point to a different IP address than the Exchange server appears to come out from. Presuming that it is an Exchange server receiving email.
That could be an issue with the NAT configuration on your firewall.
2. The reverse DNS records on the IP addresses are not correct.
On 243 the reverse DNS is 66-194-155-243.static.twtelecom.net
On 242 the reverse DNS is gateway.wunderlichsecurities.com - which doesn't resolve.

I have also noticed in the headers that your server is announcing itself as hades.wunderlichsecurities.com - which also doesn't resolve.

Simon.
0
 
wunderlich (Author) Commented:
Simon,
Hades is the Exchange server sending the e-mail out. It is NATed within the firewall. I host the domain myself and Time Warner Telecom is the ISP. Trying to get hold of someone at the ISP.
 
0
 
Sembee Commented:
Does your email go in through another server?
Or has someone hacked around with SMTP?

220 Wunderlich SMTP Services

If your email is going in through another server, that is fine.
What you need to do is ensure that the NAT on the firewall for the Exchange server is correct, that a host resolves to its IP address, that the same host name is in the reverse DNS records and finally that the Exchange server announces itself as that host, which may or may not be (should not be) the same as its real name.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
0
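The consistency chain Sembee describes above (IP has a PTR, the PTR name resolves back to the same IP, the HELO/EHLO name resolves to that IP and matches the PTR, and the sending IP is one of the MX addresses) can be checked mechanically. The script below is an added example, not code from the thread or from any of its participants. The resolver functions are injected so the logic runs offline against a snapshot of the records quoted in the thread; the "fixed" tables are a constructed, hypothetical corrected state used only to show what a clean result looks like, and the function names are my own choice.

```python
"""Outbound mail identity check: is the sending IP's DNS self-consistent?

Added example (not from the thread). Checks, for one sending IP:
  1. the IP has a PTR record,
  2. the PTR name resolves back to the same IP (forward-confirmed reverse DNS),
  3. the SMTP HELO/EHLO name resolves to that IP and matches the PTR name,
  4. the IP is one of the domain's MX addresses (otherwise inbound and
     outbound paths differ, typically a firewall NAT issue).
Resolvers are injected so the logic runs offline; socket-based live
resolvers are provided for real use.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

Forward = Callable[[str], List[str]]      # hostname -> IPv4 addresses ([] on NXDOMAIN)
Reverse = Callable[[str], Optional[str]]  # IPv4 address -> PTR name (None if absent)


def check_sender_identity(ip: str, helo_name: str, mx_hosts: List[str],
                          forward: Forward, reverse: Reverse) -> List[str]:
    """Return human-readable findings; an empty list means the identity is consistent."""
    findings: List[str] = []
    ptr = reverse(ip)
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    else:
        ptr_ips = forward(ptr)
        if not ptr_ips:
            findings.append(f"PTR name {ptr} does not resolve")
        elif ip not in ptr_ips:
            findings.append(f"PTR name {ptr} resolves to {ptr_ips}, not {ip} (FCrDNS fails)")
        if ptr.lower() != helo_name.lower():
            findings.append(f"HELO name {helo_name} differs from PTR name {ptr}")
    helo_ips = forward(helo_name)
    if not helo_ips:
        findings.append(f"HELO name {helo_name} does not resolve")
    elif ip not in helo_ips:
        findings.append(f"HELO name {helo_name} resolves to {helo_ips}, not {ip}")
    mx_ips = sorted({addr for mx in mx_hosts for addr in forward(mx)})
    if ip not in mx_ips:
        findings.append(f"{ip} is not an MX address {mx_ips}: inbound and outbound "
                        "paths differ, check the firewall NAT")
    return findings


def make_resolvers(a_records: Dict[str, List[str]],
                   ptr_records: Dict[str, str]) -> Tuple[Forward, Reverse]:
    """Build offline resolvers from static tables (names compared case-insensitively)."""
    table = {name.lower(): ips for name, ips in a_records.items()}
    return (lambda name: table.get(name.lower(), []),
            lambda addr: ptr_records.get(addr))


def live_forward(name: str) -> List[str]:
    """Real A lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.gaierror, socket.herror):
        return None


# Snapshot of the public records as quoted in the thread (October 2007).
# gateway.* and hades.* returned "Non-existent domain", so they are absent here.
THREAD_A = {
    "mail.wunderlichsecurities.com": ["66.194.155.243"],
    "portal.wunderlichsecurities.com": ["66.194.155.247"],
}
THREAD_PTR = {
    "66.194.155.242": "gateway.wunderlichsecurities.com",
    "66.194.155.243": "66-194-155-243.static.twtelecom.net",
}
MX_HOSTS = ["mail.wunderlichsecurities.com", "portal.wunderlichsecurities.com"]

# Hypothetical corrected state (constructed for illustration, not what the ISP did):
# outbound NAT moved to .243, PTR for .243 set to the MX name, HELO set to match.
FIXED_A = dict(THREAD_A)
FIXED_PTR = {"66.194.155.243": "mail.wunderlichsecurities.com"}


def thread_findings() -> List[str]:
    """Findings for the situation described in the thread (expected: four problems)."""
    fwd, rev = make_resolvers(THREAD_A, THREAD_PTR)
    return check_sender_identity("66.194.155.242", "hades.wunderlichsecurities.com",
                                 MX_HOSTS, fwd, rev)


def fixed_findings() -> List[str]:
    """Findings for the hypothetical corrected state (expected: none)."""
    fwd, rev = make_resolvers(FIXED_A, FIXED_PTR)
    return check_sender_identity("66.194.155.243", "mail.wunderlichsecurities.com",
                                 MX_HOSTS, fwd, rev)


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # script.py <sending-ip> <helo-name> [mx-host ...]  (live lookups)
        result = check_sender_identity(sys.argv[1], sys.argv[2], sys.argv[3:],
                                       live_forward, live_reverse)
    else:
        result = thread_findings()
    print("\n".join(result) or "all checks passed")
```

Run without arguments to see the four findings reproduced from the thread's snapshot; with arguments it performs live lookups through the system resolver (MX hosts are passed on the command line because the standard library has no MX query). The same logic applies to any domain, not only this one.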
 
wunderlich (Author) Commented:
Just talked to an engineer at the ISP. He is trying to get the reverse translation fixed.
0
 
wunderlich (Author) Commented:
I have confirmed that it is on the ISP's side. They made changes at the beginning of the week to the global DNS settings. They are in the middle of resolving the issue. Thanks to all for the help.
0
 
wunderlich (Author) Commented:
Hey guys, as of yesterday morning I got the main DNS issue resolved. Now on to the second issue. I think that one of my external IPs is being spoofed to a fake domain name, "gateway.wunderlichsecurities.com". I never set this up through the ISP. I have sent a ticket in to the ISP to get some verification done. Does anyone have anything that I can do to narrow the spectrum on this problem?
0
 
Sembee Commented:
Everything I have written above is based on public information that I have found for your domain and IP addresses. Therefore someone has set it up - most likely the ISP.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
0