[plug] any advice

Jon L Miller jlmiller at mmtnetworks.com.au
Fri Aug 6 11:04:46 WST 2010


Thanks Daniel. I'm currently trying to find which PC is running it. I did
have a malware issue the other day when I was cleaning a client's laptop of
the bug, but forgot to rescan my flash drive, and I've since used it on my
own PC and found a malware/virus on it. I had cleaned it off, but am currently
rescanning the entire system. My mail server is on a Linux SuSE box so I'll
check it also.

Jon

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Daniel Pittman
Sent: Friday, 6 August 2010 10:19 AM
To: plug at plug.org.au
Subject: Re: [plug] any advice

Patrick Coleman <blinken at gmail.com> writes:
> On Fri, Aug 6, 2010 at 9:27 AM, Jon L Miller
> <jlmiller at mmtnetworks.com.au> wrote:
>
>> I seem to be having e-mail problems relating to me sending regular e-mail
>> and getting a message back stating I may have a spamming mail server.
>>
>> Looked in the logs to see this quite a bit:
>>
>> Aug  6 08:37:13 mmtlnx postfix/smtpd[5235]: NOQUEUE: reject: RCPT from
>> brash.confluence.volia.net[93.74.97.23]: 550 SPAM; Client host [93.74.97.23]
>> blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=93.74.97.23
>
> For starters, you're listed in the PBL, so your ISP has indicated that your
> IP address is one that should not be sending email. You should talk to them
> about getting a static IP that's in a range they permit mail to be sent from
> (or just forward your mail through their mailserver).
>
> If you're sure you're not sending spam, the CBL listing might go away once
> you fix the PBL issue.

No, the CBL lists it as a genuine source of spam:

http://cbl.abuseat.org/lookup.cgi?ip=93.74.97.23

    currently listed in the CBL. It appears to be infected with a spam sending
    trojan or proxy.

    It was last detected at 2010-08-05 23:00 GMT (+/- 30 minutes),
    approximately 3 hours, 30 minutes ago.

    This IP is infected (or NATting for a computer that is infected) with a
    spambot we have not yet been able to identify. For the time being we refer
    to it as the unknown0442 spambot.


My usual approach to this problem would be to identify the source of the
traffic: work out which machine is sending the messages, then track it down.

However, the two usual candidates for this are a Win32 machine that got hit by
some malware or other, or a web service account that got compromised through
some insecure web thing you run in a public facing way.

Those might help speed things up if you can't just monitor for outbound SMTP
on the appropriate port.


Oh, and it might be worth setting the ADSL modem to block outbound SMTP
(25/TCP) if you can — at least it will limit the damage you do until you sort
it out.

Regards,
        Daniel

-- 
Daniel Pittman            daniel at rimspace.net            +61 401 155 707
               made with 100 percent post-consumer electrons
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
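Daniel's suggestion is to find the internal machine that is opening outbound SMTP sessions. As an added example (not code from the thread or from PLUG), this script tallies new connections to TCP/25 per internal source address from gateway firewall log lines, and flags any host other than the known mail server that is fanning out to several remote mail servers, which is how a spambot behaves and a desktop mail client does not. The log prefix, the host addresses and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Fields written by netfilter's LOG target for a new TCP connection.
# Assumed logging rule on the gateway (hypothetical, not from the thread):
#   iptables -I FORWARD -p tcp --dport 25 -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "OUT-SMTP: "
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=TCP\s+SPT=\d+\s+DPT=(?P<dport>\d+)"
)

# Constructed sample log lines; 192.168.1.10 plays the legitimate mail server.
SAMPLE_LOG = """\
Aug  6 08:40:01 gw kernel: OUT-SMTP: IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40001 DPT=25 SYN
Aug  6 08:40:02 gw kernel: OUT-SMTP: IN=eth1 OUT=ppp0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=1034 DPT=25 SYN
Aug  6 08:40:02 gw kernel: OUT-SMTP: IN=eth1 OUT=ppp0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=1035 DPT=25 SYN
Aug  6 08:40:03 gw kernel: OUT-SMTP: IN=eth1 OUT=ppp0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1036 DPT=25 SYN
Aug  6 08:40:04 gw kernel: OUT-SMTP: IN=eth1 OUT=ppp0 SRC=192.168.1.22 DST=203.0.113.80 PROTO=TCP SPT=1037 DPT=80 SYN
"""


def outbound_smtp_by_host(log_text, smtp_port=25):
    """Map each internal source address to the set of remote hosts it
    opened SMTP (smtp_port) connections to."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) == smtp_port:
            peers[m.group("src")].add(m.group("dst"))
    return peers


def suspects(log_text, legit_relays, min_peers=2):
    """Hosts that are not a known mail relay and talked SMTP to at least
    min_peers distinct destinations. Returns {src: distinct_destinations}."""
    peers = outbound_smtp_by_host(log_text)
    return {src: len(dsts) for src, dsts in peers.items()
            if src not in legit_relays and len(dsts) >= min_peers}


if __name__ == "__main__":
    for src, n in suspects(SAMPLE_LOG, {"192.168.1.10"}).items():
        print(f"{src}: SMTP to {n} distinct remote hosts, check this machine")
```

Feed it the real gateway log (for example `journalctl -k` or `/var/log/kern.log` after adding the logging rule) and the host that appears with many distinct destinations is the one to pull off the network and scan.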