Possible public IP label spoof

I think that one of my external IPs is being spoofed to a fake domain name, "gateway.wunderlichsecurities.com". I never set this up through the ISP. I have sent a ticket to the ISP to have some verification done. Does anyone have anything that I can do to narrow the spectrum on this problem?
wunderlichAsked:
 
Galtar99Commented:
I can't resolve that address.  So I don't think it's in external DNS.  Most likely you have a host file with that entry or you added it to an internal DNS server.
0
 
wunderlichAuthor Commented:
This is what I am getting from SpamCop as the reason my IP is being blacklisted:

66.194.155.242 listed in bl.spamcop.net (127.0.0.2)


If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Additional potential problems
(these factors do not directly result in spamcop listing)

DNS error: 66.194.155.242 is gateway.wunderlichsecurities.com but gateway.wunderlichsecurities.com has no DNS information
Because of the above problems, express-delisting is not available

Listing History
In the past 6.2 days, it has been listed 3 times for a total of 3.0 days
0
 
wunderlichAuthor Commented:
I don't have an internal entry for that in DNS.
0
 
netnounoursCommented:
- Is the address one of yours (part of the Time Warner range)?
- Can you contact your ISP and ask for a complete list of your DNS zone (I assume they are managing it for you)?
- Have you checked your SMTP server for weird activity (like relaying)?
- One of your PC/Server may also be infected by some kind of virus/malware. Look at your firewall logs for outgoing SMTP traffic.

I hope this helps
0
 
Galtar99Commented:
66.194.155.242
Record Type:               IP Address

Time Warner Telecom, Inc. TWTC-NETBLK-4 (NET-66-192-0-0-1)
                                  66.192.0.0 - 66.195.255.255
Wunderlich Securities TWTC-WUSE (NET-66-194-155-240-1)
                                  66.194.155.240 - 66.194.155.255

That address is registered to Wunderlich Securities inside Time Warner's block of addresses.  If this is not your company you need to contact Time Warner to rectify the information they have.
http://www.rrsecurity-abuse.com/contactus.html

If that is you and everything is correct, then "gateway" is the name of your server, either its hostname or the name the email software knows it by.  You need to ensure you're not relaying for someone and/or your legitimate clients are not sending bad email through it.  Logs and debugging will help you there.  It's a little different for each server implementation.

Once you've fixed everything you can get SpamCop and whoever else has blacklisted you to take you off.  You can find good scanners on the internet that you can test your server with.
http://www.abuse.net/relay.html
http://members.iinet.net.au/~remmie/relay/
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
0
 
wunderlichAuthor Commented:
Wunderlich Securities is my company and that is my IP range. I am not seeing "gateway" noted anywhere in my firewall. Hades is the name of the server. Last week the ISP made some changes to their DNS records which messed up redirection to my website and others. It was for the .243 and .247 addresses. Is it possible that this is another one they need to add back? I just took over the company's IT dept and am not totally familiar with the way they were set up before. I wonder if I need to have them add a PTR record for the .242 address too.
0
 
netnounoursCommented:
The PTR for .242 is set to gateway. That can be checked by nslookup.
It seems that the original host record for gateway has been deleted, by accident or not. Or, the ISP forgot to remove the pointer.

0
 
Galtar99Commented:
Yes, your ISP did not fix your PTR record in their IN-ADDR.ARPA zone so it matches your zone.  Have them update, contact the hostmaster.
0
 
wunderlichAuthor Commented:
I am waiting for them to call me back. I just called my rep to get this thing escalated.
0
 
wunderlichAuthor Commented:
I found the problem with the help of Microsoft and got it fixed. I have a secondary fail-over internet connection which is load balanced with my main pipe. There was never an MX record established for the other Internet connection. When my SMTP server would send out e-mail it was going through the OPT WAN connection and the server on the other side couldn't come back for acknowledgement because the MX record wasn't there. Because of this my OPT WAN IP got blacklisted along with my external public IP. I switched it to a known good Exchange Server with an MX record, and BAM!!! Back in business. Now I just have to get the blacklists to take off the other IP and everything will be peachy. Thanks for everyone's help.
0
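The diagnosis in this thread (a stale PTR in the ISP's in-addr.arpa zone pointing .242 at "gateway", while no forward record for that name exists) is exactly the forward-confirmed reverse DNS (FCrDNS) check that blocklists such as SpamCop apply. The script below is an added example, not code posted by any participant: it classifies each outbound mail IP by whether its PTR name resolves back to the same address, which is the check to run over every WAN address a mail server can egress from, the main pipe and the fail-over OPT WAN alike. The live lookups use the Python standard library; the stub resolvers and the addresses other than the thread's own .242 are constructed placeholder data so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit for outbound mail IPs.

Added illustration for this thread; not code from any participant.
"""
import socket
from typing import Callable, Iterable, Optional

ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardFn = Callable[[str], Iterable[str]]   # hostname -> list of A records


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (what `nslookup <ip>` shows)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> Iterable[str]:
    """A-record lookup of a hostname; empty list if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def check_fcrdns(ip: str, reverse: ReverseFn = live_reverse,
                 forward: ForwardFn = live_forward) -> dict:
    """Classify one IP the way a reputation list reasons about it.

    'status' is one of:
      no_ptr          - the IP has no reverse record at all
      ptr_no_forward  - the PTR names a host that does not resolve
                        (the "has no DNS information" case in the thread)
      mismatch        - the PTR name resolves, but not back to this IP
      consistent      - PTR and A records agree; FCrDNS passes
    """
    ptr = reverse(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "forward": [], "status": "no_ptr"}
    addrs = list(forward(ptr))
    if not addrs:
        status = "ptr_no_forward"
    elif ip in addrs:
        status = "consistent"
    else:
        status = "mismatch"
    return {"ip": ip, "ptr": ptr, "forward": addrs, "status": status}


def audit(ips: Iterable[str], reverse: ReverseFn = live_reverse,
          forward: ForwardFn = live_forward) -> dict:
    """Run the check over every egress IP; returns {ip: result}."""
    return {ip: check_fcrdns(ip, reverse, forward) for ip in ips}


# --- constructed sample data modelled on the thread's situation ---------
# The reverse zone still maps .242 to "gateway", but the forward zone has
# no A record for that name.  The 192.0.2.x hosts are documentation-range
# placeholders standing in for the other WAN addresses.
SAMPLE_PTR = {
    "66.194.155.242": "gateway.wunderlichsecurities.com",
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "mail.example.net",
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
}


def stub_reverse(ip: str) -> Optional[str]:
    """Offline stand-in for live_reverse using the constructed PTR table."""
    return SAMPLE_PTR.get(ip)


def stub_forward(name: str) -> Iterable[str]:
    """Offline stand-in for live_forward using the constructed A table."""
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    egress = ["66.194.155.242", "192.0.2.10", "192.0.2.20", "192.0.2.30"]
    for ip, r in audit(egress, stub_reverse, stub_forward).items():
        print(f"{ip:16} {r['status']:15} PTR={r['ptr']} A={r['forward']}")
```

Drop the stub arguments to run it against real DNS; any result other than `consistent` for an address that sends mail is something to raise with whoever holds the in-addr.arpa zone (here the ISP's hostmaster) before asking a blocklist for delisting.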