[plug] any advice

Daniel Pittman daniel at rimspace.net
Fri Aug 6 10:18:49 WST 2010


Patrick Coleman <blinken at gmail.com> writes:
> On Fri, Aug 6, 2010 at 9:27 AM, Jon L Miller
> <jlmiller at mmtnetworks.com.au> wrote:
>
>> I seem to be having e-mail problems relating to me sending regular e-mail
>> and getting a message back stating I may have a spamming mail server.
>>
>> Looked in the logs to see this quite a bit:
>>
>> Aug  6 08:37:13 mmtlnx postfix/smtpd[5235]: NOQUEUE: reject: RCPT from
>> brash.confluence.volia.net[93.74.97.23]: 550 SPAM; Client host [93.74.97.23]
>> blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=93.74.97.23
>
> For starters, you're listed in the PBL, so your ISP has indicated that your
> IP address is one that should not be sending email. You should talk to them
> about getting a static IP that's in a range they permit mail to be sent from
> (or just forward your mail through their mailserver).
>
> If you're sure you're not sending spam, the CBL listing might go away once
> you fix the PBL issue.

No, the CBL lists it as a genuine source of spam:

http://cbl.abuseat.org/lookup.cgi?ip=93.74.97.23

    currently listed in the CBL. It appears to be infected with a spam sending
    trojan or proxy.

    It was last detected at 2010-08-05 23:00 GMT (+/- 30 minutes),
    approximately 3 hours, 30 minutes ago.

    This IP is infected (or NATting for a computer that is infected) with a
    spambot we have not yet been able to identify. For the time being we refer
    to it as the unknown0442 spambot.


My usual approach to this problem would be to identify the source of the
traffic: work out which machine is sending the messages, then track it down.

However, the two usual candidates for this are a Win32 machine that got hit by
some malware or other, or a web service account that got compromised through
some insecure web thing you run in a public facing way.

Those might help speed things up if you can't just monitor for outbound SMTP
on the appropriate port.


Oh, and it might be worth setting the ADSL modem to block outbound SMTP
(25/TCP) if you can — at least it will limit the damage you do until you sort
it out.

Regards,
        Daniel

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
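As an added example for the "monitor for outbound SMTP" step (this is not code from Daniel's message or from the PLUG list), here is a small Python script that reads connection-tracking state in the shape of /proc/net/nf_conntrack on the Linux NAT box and ranks LAN hosts by the number of outbound connections they have open to remote port 25 (the submission ports 465 and 587 are counted too). The host that is not your mail server but tops the list is the machine to go and look at. The sample lines and all addresses in them (a 192.168.1.0/24 LAN, 203.0.113.5 as the router's public address, 198.51.100.x and 192.0.2.x as remote hosts) are constructed for the example; the known-MTA address passed as `ignore` is an assumption about the caller's network.

```python
"""Rank LAN hosts by outbound SMTP connections found in a conntrack dump.

Added example: parse lines in the /proc/net/nf_conntrack format and count,
per internal source address, the connections whose original direction
targets a remote SMTP port. Run on the NAT/router box:

    python3 find_smtp_sender.py < /proc/net/nf_conntrack
"""
import re
import sys
from collections import Counter

SMTP_PORTS = {25, 465, 587}

# The first src=/dst=/sport=/dport= group on a conntrack line is the
# original direction of the flow, i.e. who opened it and to where.
_ORIG = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


def outbound_smtp_by_host(lines, ports=SMTP_PORTS, ignore=()):
    """Return [(src_ip, count), ...] sorted by count, most active first.

    ``ignore`` lists addresses that are expected to talk SMTP (your real
    MTA) so they do not crowd the ranking.
    """
    counts = Counter()
    for line in lines:
        if " tcp " not in line:          # only TCP flows can be SMTP
            continue
        m = _ORIG.search(line)
        if not m:
            continue
        src, _dst, _sport, dport = m.groups()
        if src in ignore:
            continue
        if int(dport) in ports:
            counts[src] += 1
    return counts.most_common()


# Constructed sample: a legitimate mail server (192.168.1.2) with two
# deliveries in flight, a desktop (192.168.1.57) spraying connections to
# port 25 on several remote hosts, plus unrelated HTTP and DNS traffic.
SAMPLE = [
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.10 sport=40001 dport=25 src=198.51.100.10 dst=203.0.113.5 sport=25 dport=40001 [ASSURED] mark=0 use=1",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.11 sport=40002 dport=25 src=198.51.100.11 dst=203.0.113.5 sport=25 dport=40002 [ASSURED] mark=0 use=1",
    "ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.57 dst=192.0.2.10 sport=49152 dport=25 src=192.0.2.10 dst=203.0.113.5 sport=25 dport=49152 mark=0 use=1",
    "ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.57 dst=192.0.2.11 sport=49153 dport=25 src=192.0.2.11 dst=203.0.113.5 sport=25 dport=49153 mark=0 use=1",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.57 dst=192.0.2.12 sport=49154 dport=25 src=192.0.2.12 dst=203.0.113.5 sport=25 dport=49154 [ASSURED] mark=0 use=1",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.57 dst=192.0.2.13 sport=49155 dport=25 src=192.0.2.13 dst=203.0.113.5 sport=25 dport=49155 [ASSURED] mark=0 use=1",
    "ipv4     2 tcp      6 119 SYN_SENT src=192.168.1.57 dst=192.0.2.14 sport=49156 dport=25 src=192.0.2.14 dst=203.0.113.5 sport=25 dport=49156 mark=0 use=1",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.57 dst=198.51.100.80 sport=49157 dport=80 src=198.51.100.80 dst=203.0.113.5 sport=80 dport=49157 [ASSURED] mark=0 use=1",
    "ipv4     2 udp      17 29 src=192.168.1.57 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.57 sport=53 dport=5353 mark=0 use=1",
]


def main(argv):
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    ignore = set(argv[1:])               # e.g. the address of your real MTA
    for src, n in outbound_smtp_by_host(lines, ignore=ignore):
        print(f"{n:5d}  {src}")


if __name__ == "__main__":
    main(sys.argv)
```

Pass the address of the legitimate mail server as an argument so only unexpected senders are listed; a host showing many SYN_SENT entries to port 25 on unrelated remote addresses is the usual signature of a spambot rather than of a real MTA, which tends to hold a few ESTABLISHED sessions to its relay.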