Solved

Possible public IP label spoof

Posted on 2007-10-08
Last Modified: 2012-05-05
I think that one of my external IPs is being spoofed to a fake domain name, "gateway.wunderlichsecurities.com". I never set this up through the ISP. I have sent a ticket in to the ISP to have some verification done. Does anyone have anything that I can do to narrow the spectrum on this problem?
Question by:wunderlich
10 Comments
 
Accepted Solution

by:
Galtar99 earned 1200 total points
ID: 20035586
I can't resolve that address.  So I don't think it's in external DNS.  Most likely you have a host file with that entry or you added it to an internal DNS server.

Author Comment

by:wunderlich
ID: 20035596
This is what I am getting from SpamCop for the reason my IP is being blacklisted:

66.194.155.242 listed in bl.spamcop.net (127.0.0.2)


If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Additional potential problems
(these factors do not directly result in spamcop listing)

DNS error: 66.194.155.242 is gateway.wunderlichsecurities.com but gateway.wunderlichsecurities.com has no DNS information
Because of the above problems, express-delisting is not available

Listing History
In the past 6.2 days, it has been listed 3 times for a total of 3.0 days

Author Comment

by:wunderlich
ID: 20035606
I don't have an internal entry for that in DNS.

Assisted Solution

by:netnounours
netnounours earned 800 total points
ID: 20035724
- Is the address one of yours (part of the Time Warner range)?
- Can you contact your ISP and ask for a complete list of your DNS zone (I assume they are managing it for you)?
- Have you checked your SMTP server for weird activity (like relaying)?
- One of your PCs/servers may also be infected by some kind of virus/malware. Look at your firewall logs for outgoing SMTP traffic.

I hope this helps

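The last point in the answer above, looking at firewall logs for outgoing SMTP traffic, is the quickest way to tell a relaying or infected internal host from a legitimate mail server: a workstation that opens TCP/25 connections to many outside hosts is either misconfigured or spamming. The script below is an added example, not code from the thread; it assumes a generic key=value connection-log format (the real firewall's format is not on the page), a hypothetical internal range of 192.168.1.0/24, a hypothetical mail server at 192.168.1.10, and constructed log lines using RFC 5737 documentation addresses as destinations.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines (assumption: the thread does not show the real
# firewall's format, so a generic key=value connection log is used here).
# Destinations are RFC 5737 documentation addresses. 192.168.1.10 is the
# hypothetical mail server; 192.168.1.57 is a hypothetical workstation talking
# SMTP directly to several outside hosts, the pattern a spam-sending infection leaves.
SAMPLE_LOG = """\
Oct  8 09:12:01 fw kernel: OUT src=192.168.1.10 dst=192.0.2.25 proto=tcp sport=51234 dport=25
Oct  8 09:12:03 fw kernel: OUT src=192.168.1.57 dst=198.51.100.7 proto=tcp sport=1041 dport=25
Oct  8 09:12:04 fw kernel: OUT src=192.168.1.57 dst=203.0.113.19 proto=tcp sport=1042 dport=25
Oct  8 09:12:05 fw kernel: OUT src=192.168.1.57 dst=198.51.100.44 proto=tcp sport=1043 dport=25
Oct  8 09:12:07 fw kernel: OUT src=192.168.1.23 dst=192.0.2.53 proto=udp sport=53122 dport=53
Oct  8 09:12:09 fw kernel: OUT src=192.168.1.10 dst=203.0.113.25 proto=tcp sport=51235 dport=25
Oct  8 09:12:11 fw kernel: OUT src=192.168.1.88 dst=198.51.100.80 proto=tcp sport=3344 dport=443
Oct  8 09:12:12 fw kernel: OUT src=192.168.1.57 dst=203.0.113.19 proto=tcp sport=1044 dport=25
"""

# Ports a host uses to hand mail to another MTA or a submission service.
SMTP_PORTS = {25, 465, 587}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) sport=\d+ dport=(?P<dport>\d+)"
)


def outbound_smtp(lines, internal=ip_network("192.168.1.0/24")):
    """Return {src_ip: (connection_count, sorted distinct destinations)} for every
    internal host that opened outbound TCP connections to an SMTP port."""
    counts = Counter()
    dests = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) not in SMTP_PORTS:
            continue
        src = ip_address(m["src"])
        if src not in internal:
            continue
        counts[str(src)] += 1
        dests[str(src)].add(m["dst"])
    return {src: (n, sorted(dests[src])) for src, n in counts.items()}


def unexpected_smtp_senders(lines, mail_servers, internal=ip_network("192.168.1.0/24")):
    """Everything outbound_smtp() found that is not a known mail server.
    A known server appearing here is expected; anything else needs a look."""
    return {src: v for src, v in outbound_smtp(lines, internal).items()
            if src not in mail_servers}


if __name__ == "__main__":
    hits = unexpected_smtp_senders(SAMPLE_LOG.splitlines(), {"192.168.1.10"})
    for src, (n, dsts) in hits.items():
        print(f"{src}: {n} outbound SMTP connections to {len(dsts)} hosts: {', '.join(dsts)}")
```

On a real firewall the same idea is a one-line egress rule in the other direction: permit TCP/25 out only from the mail server's address and log everything else that tries, which both stops an infected desktop from spamming and gives you the log line that names it.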
Assisted Solution

by:Galtar99
Galtar99 earned 1200 total points
ID: 20036096
66.194.155.242
Record Type:               IP Address

Time Warner Telecom, Inc. TWTC-NETBLK-4 (NET-66-192-0-0-1)
                                  66.192.0.0 - 66.195.255.255
Wunderlich Securities TWTC-WUSE (NET-66-194-155-240-1)
                                  66.194.155.240 - 66.194.155.255

That address is registered to Wunderlich Securities inside Time Warner's block of addresses.  If this is not your company you need to contact Time Warner to rectify the information they have.
http://www.rrsecurity-abuse.com/contactus.html

If that is you and everything is correct, then "gateway" is the name of your server, either its hostname or the name the email software knows it by. You need to ensure you're not relaying for someone and/or that your legitimate clients are not sending bad email through it. Logs and debugging will help you there. It's a little different for each server implementation.

Once you've fixed everything you can get SpamCop and whoever else has blacklisted you to take you off. You can find good scanners on the internet that you can test your server with.
http://www.abuse.net/relay.html
http://members.iinet.net.au/~remmie/relay/
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

Author Comment

by:wunderlich
ID: 20036260
Wunderlich Securities is my company and that is my IP range. I am not seeing "gateway" noted anywhere in my firewall. Hades is the name of the server. Last week the ISP made some changes to their DNS records which messed up redirection to my website and others. It was for the .243 and .247 addresses. Is it possible that this is another one they need to add back? I just took over the company's IT dept and am not totally familiar with the way they were set up before. I wonder if I need to have them add a PTR record for the .242 address too.

Assisted Solution

by:netnounours
netnounours earned 800 total points
ID: 20036361
The PTR for .242 is set to gateway. That can be checked with nslookup.
It seems that the original host record for gateway has been deleted, by accident or not. Or the ISP forgot to remove the pointer.


Assisted Solution

by:Galtar99
Galtar99 earned 1200 total points
ID: 20037120
Yes, your ISP did not fix your PTR record in their IN-ADDR.ARPA zone so it matches your zone. Have them update it; contact the hostmaster.

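What the two answers above describe (nslookup the address, then nslookup the name it returns, and see whether you get back to the address) is a forward-confirmed reverse DNS check, and the "is gateway.wunderlichsecurities.com but ... has no DNS information" line in the SpamCop report is that check failing at the second step. The script below is an added example, not code from the thread: it runs the same three-step check with injectable lookup functions so it can be exercised offline against constructed zone data. Only the .242 PTR and its missing forward record come from the page; the .243/.244/.245 entries, the hades and www names and the address .247 they point at are hypothetical, made up to show each outcome.

```python
import socket
from ipaddress import ip_address


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) name whose PTR record the resolver queries for ip."""
    return ip_address(ip).reverse_pointer


def system_ptr(ip):
    """PTR lookup through the OS resolver; [] when the address has no PTR."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:          # socket.herror and socket.gaierror both subclass OSError
        return []


def system_addrs(name):
    """A/AAAA lookup through the OS resolver; [] when the name does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A/AAAA must contain ip.

    Returns (status, detail) with status one of "ok", "no-ptr", "mismatch".
    The lookup functions are injectable so the check can run against the
    constructed zone below or, with the defaults, against the live resolver.
    """
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", f"{ip} has no PTR record (queried {reverse_name(ip)})"
    problems = []
    for name in names:
        addrs = addr_lookup(name)
        if not addrs:
            # This is the case SpamCop reported for .242.
            problems.append(f"{ip} is {name} but {name} has no DNS information")
        elif ip_address(ip) not in {ip_address(a) for a in addrs}:
            problems.append(f"{name} resolves to {', '.join(addrs)}, not {ip}")
        else:
            return "ok", f"{ip} -> {name} -> {ip}"
    return "mismatch", "; ".join(problems)


# Constructed zone data (assumption: only the .242 PTR and its missing forward
# record are on the page; every other entry here is hypothetical).
FAKE_PTR = {
    "66.194.155.242": ["gateway.wunderlichsecurities.com"],  # PTR present, forward record gone
    "66.194.155.243": ["hades.wunderlichsecurities.com"],    # hypothetical matching pair
    "66.194.155.245": ["www.wunderlichsecurities.com"],      # hypothetical: name points elsewhere
    "66.194.155.244": [],                                    # hypothetical: no PTR at all
}
FAKE_A = {
    "hades.wunderlichsecurities.com": ["66.194.155.243"],
    "www.wunderlichsecurities.com": ["66.194.155.247"],
    # gateway.wunderlichsecurities.com deliberately absent
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_addrs(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        status, detail = check_fcrdns(ip, fake_ptr, fake_addrs)
        print(f"{ip}: {status}: {detail}")
```

For a live check call `check_fcrdns("66.194.155.242")` with the default lookups; it asks the same questions as `nslookup 66.194.155.242` followed by `nslookup` of the returned name. Note that the check has to pass from the outside world's point of view: a hosts-file entry or a record on an internal DNS server will make the script pass on your own network while SpamCop, which queries the public zones, still sees the mismatch. The fix is either an A record for gateway in the forward zone or a PTR in the ISP's in-addr.arpa zone that names a host which does exist, and both sides must agree.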
Author Comment

by:wunderlich
ID: 20037126
I am waiting for them to call me back. I just called my rep to get this thing escalated.

Author Comment

by:wunderlich
ID: 20040782
I found the problem with the help of Microsoft and got it fixed. I have a secondary fail-over internet connection which is load balanced with my main pipe. There was never an MX record established with the other Internet connection. When my SMTP server would send out e-mail it was going through the OPT WAN connection and the server on the other side couldn't come back for acknowledgement because the MX record wasn't there. Because of this my OPT WAN IP got blacklisted along with my external public IP. I switched it to a known good Exchange Server with an MX record, and BAM!!! Back in business. Now I just have to get the blacklists to take off the other IP and everything will be peachy. Thanks for everyone's help.