s0nic

asked on

Need to be unblocked by CBL

The IP is infected with spamware, most recently detected at:

2009:04:07 ~16:00 UTC+/- 15 minutes (approximately 10 hours ago)


It will be one of the following scenarios:

1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

Note that while this description may seem vague, be assured that there is NO POSSIBILITY that this listing was caused by any form of legitimate mail or network activity.  Secondly, there is also NO POSSIBILITY that the IP address was spoofed.  Thirdly, the presence or lack of anti-virus software in your mail server CANNOT and DOES NOT prevent this from happening, because most of these infections contain their own mail clients, and they bypass your mail server software.

You will need to examine the machine for a virus or spam sending spyware/adware/worm.

Up-to-date anti-virus and anti-spyware tools are essential.

For NAT firewalls, we recommend you pay careful attention to the next paragraph:

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.

Running a combination of anti-spyware and anti-virus programs should help to find the malware.

It is unfortunate, however, that the track record of current/popular Anti-Virus software at finding current and severe threats is abysmal.
In fact, recent studies have shown that "new" threats are only caught by _any_ of 35 of the most common A-V packages 23% of the time, and that only improves to 50% after a month.  In other words, if you were running ALL of those 35 A-V products at once, a new threat would be caught only 23% of the time by _any_ of them.

http://www.mynetwatchman.com/tools/sc/ (the seccheck tester) will probably be the most helpful in analyzing system security, as well as yielding information we can use to help others to find/kill it.
However, Seccheck requires considerable Windows system internals experience, and other tools may be more appropriate.

"Hijackthis" is similar to seccheck.  There are online forums where you can upload hijackthis reports and have an expert analyse them, identify what is wrong, and make suggestions on how to fix it.

Perhaps one of the best tools for spot-removal of specific current and common threats without requiring very high levels of expertise is the Microsoft Malicious Software Removal tool (MSRT) at

      http://www.microsoft.com/security/malwareremove/default.mspx

MSRT is NOT a replacement for a good A-V scanner.  It's just good at finding/removing many of the BOTs we detect (eg: cutwail, srizbi, storm, etc).

MSRT is continuously updated with new heuristics.  If your copy of MSRT is more than a day or two old, download it from Microsoft again.


If this IP is a firewall, scanning/eradication of viruses on your internal network will NOT reliably keep the IP out of the CBL.
You MUST apply the configuration changes we recommend above to NAT firewalls.
If you are running Barracuda, you MUST turn off the "bounce spam and viruses" option.  As spam and viruses are always forged, the "bounce" feature simply results in mailbombing innocent third parties with misdirected garbage - in other words, the Barracuda is spamming.
I've removed the entry from the list.
It may take a few hours to propagate to the public nameservers.
WARNING: the CBL WILL relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
Other IP-based reputation lists are also listing your IP address:

  http://www.barracudanetworks.com/reputation/?pr=1&ip=      Info: Barracuda (BRBL) blacklist
  Blocked - see http://www.spamcop.net/bl.shtml?      Info: Hitting spam traps or generates high complaint/valid email ratio
  Listed in PSBL, see http://psbl.surriel.com/listing?ip=      Info: See http://psbl.surriel.com/
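
The CBL text above recommends blocking outbound TCP/25 from everything except the mail server and then using the firewall logs to find the infected machines. The script below is an added example (not part of the original post or of the CBL text) that does the second half: it parses iptables-style LOG lines and ranks internal hosts by how many distinct SMTP servers they tried to reach, which is the spambot pattern. The firewall rules in the comments, the mail server address 192.168.1.10 and the log lines are all constructed for the example.

```python
import re

# Assumed iptables rules (not from the page) that log and drop outbound TCP/25
# from anything except the authorised mail server:
#   iptables -A FORWARD -p tcp --dport 25 -s 192.168.1.10 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS "
#   iptables -A FORWARD -p tcp --dport 25 -j DROP
# Every dropped attempt then shows up in the kernel log in the format parsed below.

MAIL_SERVER = "192.168.1.10"  # only host allowed to speak SMTP outbound (assumed)

# Constructed sample log lines in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Apr  7 15:58:01 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=49211 DPT=25 SYN
Apr  7 15:58:02 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=198.51.100.23 LEN=60 PROTO=TCP SPT=49212 DPT=25 SYN
Apr  7 15:58:02 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=49213 DPT=25 SYN
Apr  7 15:58:05 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.72 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51003 DPT=25 SYN
Apr  7 15:58:10 fw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=49300 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"SMTP-EGRESS .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dport>\d+)"
)

def smtp_attempts(log_text, mail_server=MAIL_SERVER):
    """Map each internal source to the set of distinct SMTP destinations it tried.
    Lines from the mail server are skipped as a guard; the ACCEPT rule above
    keeps it out of the log anyway."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25" or m.group("src") == mail_server:
            continue
        attempts.setdefault(m.group("src"), set()).add(m.group("dst"))
    return attempts

def suspect_hosts(log_text, min_destinations=2, mail_server=MAIL_SERVER):
    """Hosts that tried several different SMTP servers. A desktop normally talks
    to one mail server at most, so fan-out across many MX hosts is the bot signal."""
    attempts = smtp_attempts(log_text, mail_server)
    ranked = sorted(attempts.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(src, len(dsts)) for src, dsts in ranked if len(dsts) >= min_destinations]

if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE_LOG):
        print(f"{src}: {n} distinct SMTP destinations, check this host")
```

A single blocked attempt (192.168.1.72 here) can be a misconfigured mail client; the host hitting three different destinations in two seconds is the one to pull off the network first.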


xmachine

Hi,

You need to do the following:

1) Check your Internet gateways and find any leak (ACL or FW policies) that may allow outbound SMTP traffic from workstations.

2) Only allow your authorized mail server to send outbound SMTP traffic.

3) Trace the source of infection and disconnect it.

4) Check your MX IP against BLs and start contacting them (http://www.mxtoolbox.com/blacklists.aspx).

5) If the SPAM traffic is not stopped, you may face permanent blacklisting.


The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda..etc) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed Any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

http://www.arbornetworks.com/
http://www.genienrm.com/
http://www.narus.com/
http://www.lancope.com/
http://www.flukenetworks.com/

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without installing an antivirus scanner. So, always scan your network and push the AV client.  Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

A Symantec Certified Specialist @ your service
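
Step 4 above says to check the MX IP against the blacklists. Every list named in this thread (CBL, SpamCop, PSBL, Barracuda) can be queried over DNS by reversing the IP's octets and looking the name up under the list's zone; a listed IP answers with an address in 127.0.0.0/8. The script below is an added example (not part of xmachine's answer) that does that check. The zone names are ones I know for these lists; confirm them against each list's own documentation, and the resolver is injectable so the logic runs without network access.

```python
import socket

# DNSBL zones for the lists named in this thread (assumed; verify with each list).
DNSBL_ZONES = {
    "CBL": "cbl.abuseat.org",
    "SpamCop": "bl.spamcop.net",
    "PSBL": "psbl.surriel.com",
    "Barracuda": "b.barracudacentral.org",
}

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone.
    198.51.100.7 in zone bl.example -> 7.100.51.198.bl.example"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolve(name):
    """Real resolver: the A record, or None when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip, zones=DNSBL_ZONES, resolve=dns_resolve):
    """Return {list_name: answer} for every list that carries the IP.
    Only answers inside 127.0.0.0/8 count as a listing; anything else (for
    example a wildcard answer from a captive or broken resolver) is ignored so a
    bad DNS setup does not look like a blacklisting."""
    hits = {}
    for list_name, zone in zones.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[list_name] = answer
    return hits

if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional always-listed test entry for DNSBLs.
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    hits = check_ip(ip)
    for list_name, answer in hits.items():
        print(f"{ip} is listed in {list_name} (answer {answer})")
    if not hits:
        print(f"{ip} is not listed in any of: {', '.join(DNSBL_ZONES)}")
```

Run it against the MX IP once the outbound port-25 rule is in place, then again a day later: CBL relists automatically if the bot is still talking, so a clean result that stays clean is the real confirmation.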
s0nic

ASKER

So I've installed AV on all computers and Malwarebytes on all computers, and I've run a scan on all. Everything checks out clean and I've run it twice. As for my firewall, port 25 is only used by my Exchange server. However, I have 3 users here that are using POP; they are not part of the company, but they use the same outgoing IP address. What I did was I created a firewall rule for them for POP and SMTP just for their address range. I hope that helps. I've also run all AV and Malwarebytes on their computers. So far only one has checked out bad, but it has been cleaned. My firewall doesn't show any signs of SMTP bouncing back or being blocked.

Could the 3 users be the problem? Even though they check out clean?
One of them could be the source of SPAM e-mails. You need to be careful next time when you give normal users the permission to send e-mails through the FW.

Did you contact the blacklist site administrator/support to de-list your MX ?
s0nic

ASKER

Yes I did. So far, after running all the AV on all machines today, I'm only listed in 2 instead of 4. I don't know what happened there. However, I'm noticing a lot more emails have gone through, yet new ones are being blocked?
ASKER CERTIFIED SOLUTION
xmachine

s0nic

ASKER

Thanks for the step by step instructions. So far we're on our way to good. Any remaining blacklist will be contacted.
My pleasure :)