[plug] any advice

Jon L Miller jlmiller at mmtnetworks.com.au
Fri Aug 6 14:05:59 WST 2010


I did a capture on the mailserver and this is what one of the streams produced.

220 mmtlnx.mmtnetworks.com.au ESMTP Postfix
EHLO [188.52.13.116]
250-mmtlnx.mmtnetworks.com.au
250-PIPELINING
250-SIZE 200240000
250-VRFY
250-ETRN
250 8BITMIME
MAIL FROM:<s041ee82.071 at mmtnetworks.com.au> SIZE=403
250 Ok
RCPT TO:<s041ee82.071 at mmtnetworks.com.au>
550 SPAM; Client host [188.52.13.116] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=188.52.13.116 - Phone +61 412 126 166 if
you believe this to be in error.
QUIT
221 Bye

I can see that the MAIL FROM is stating an address that does not exist on my
system.
The question is how I can find which PC this is coming from. Using netstat, can I
grep it to show only information that has port 25?


Regards,

Jon
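As an added example (not part of Jon's post or anything from his server), this is one way to answer the netstat question: feed `netstat -tn` (or `ss -tn`) output through a small filter that keeps only port-25 sockets, counts inbound SMTP connections per client address and also lists the server's own outbound port-25 connections, which is the "monitor for outbound SMTP" check Daniel suggests. The sample table and all addresses below are constructed placeholders, and the filter assumes IPv4 "addr:port" columns as printed by Linux netstat. One caveat visible in the capture above: when the client arrives via the router's public NAT address, the count will only point at the router, and the hunt has to continue on the LAN side.

```shell
#!/bin/sh
# Constructed sample of `netstat -tn` output (Linux layout); NOT a real capture.
# Columns: 1 proto, 2 recv-q, 3 send-q, 4 local addr:port, 5 foreign addr:port, 6 state.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:25         192.168.1.57:49152      ESTABLISHED
tcp        0      0 192.168.1.10:25         192.168.1.57:49160      ESTABLISHED
tcp        0      0 192.168.1.10:25         192.168.1.57:49171      TIME_WAIT
tcp        0      0 192.168.1.10:22         192.168.1.20:51000      ESTABLISHED
tcp        0      0 192.168.1.10:25         192.168.1.33:50011      ESTABLISHED
tcp        0      0 192.168.1.10:44122      198.51.100.7:25         ESTABLISHED'

# inbound_clients: rows whose LOCAL port is 25 are clients talking to our
# mailserver; count them per foreign IP, most frequent first ("<count> <ip>").
# Assumes IPv4 "addr:port" fields (an IPv6 address contains extra colons).
inbound_clients() {
  awk '$4 ~ /:25$/ { split($5, f, ":"); c[f[1]]++ }
       END { for (p in c) print c[p], p }' | sort -rn
}

# top_inbound_client: the single address with the most connections to port 25,
# i.e. the first machine worth walking over to.
top_inbound_client() {
  inbound_clients | head -n 1 | awk '{ print $2 }'
}

# outbound_smtp: rows whose FOREIGN port is 25 are connections this host is
# making to other mailservers. On a box that should only relay through a
# smarthost, anything else here is worth a look.
outbound_smtp() {
  awk '$5 ~ /:25$/'
}

# Run against the constructed sample. On a live machine use the real table:
#   netstat -tn | inbound_clients      (or: ss -tn | inbound_clients)
echo "Inbound SMTP clients (count ip):"
printf '%s\n' "$SAMPLE" | inbound_clients
echo "Busiest client: $(printf '%s\n' "$SAMPLE" | top_inbound_client)"
echo "Outbound connections to port 25:"
printf '%s\n' "$SAMPLE" | outbound_smtp
```

Against the sample this reports 192.168.1.57 with three connections and 192.168.1.33 with one, names 192.168.1.57 as the busiest client, and lists the one outbound connection to 198.51.100.7:25. `TIME_WAIT` rows are counted on purpose: a bot that opens and closes many short sessions shows up mostly as those.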

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf Of Daniel Pittman
Sent: Friday, 6 August 2010 10:19 AM
To: plug at plug.org.au
Subject: Re: [plug] any advice

Patrick Coleman <blinken at gmail.com> writes:
> On Fri, Aug 6, 2010 at 9:27 AM, Jon L Miller <jlmiller at mmtnetworks.com.au> wrote:
>
>> I seem to be having e-mail problems relating to me sending regular e-mail
>> and getting a message back stating I may have a spamming mail server.
>>
>> Looked in the logs to see this quite a bit:
>>
>> Aug  6 08:37:13 mmtlnx postfix/smtpd[5235]: NOQUEUE: reject: RCPT from
>> brash.confluence.volia.net[93.74.97.23]: 550 SPAM; Client host [93.74.97.23]
>> blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=93.74.97.23
>
> For starters, you're listed in the PBL, so your ISP has indicated that your
> IP address is one that should not be sending email. You should talk to them
> about getting a static IP that's in a range they permit mail to be sent from
> (or just forward your mail through their mailserver).
>
> If you're sure you're not sending spam, the CBL listing might go away once
> you fix the PBL issue.

No, the CBL lists it as a genuine source of spam:

http://cbl.abuseat.org/lookup.cgi?ip=93.74.97.23

    currently listed in the CBL. It appears to be infected with a spam sending
    trojan or proxy.

    It was last detected at 2010-08-05 23:00 GMT (+/- 30 minutes),
    approximately 3 hours, 30 minutes ago.

    This IP is infected (or NATting for a computer that is infected) with a
    spambot we have not yet been able to identify. For the time being we refer
    to it as the unknown0442 spambot.


My usual approach to this problem would be to identify the source of the
traffic: work out which machine is sending the messages, then track it down.

However, the two usual candidates for this are a Win32 machine that got hit by
some malware or other, or a web service account that got compromised through
some insecure web thing you run in a public facing way.

Those might help speed things up if you can't just monitor for outbound SMTP
on the appropriate port.


Oh, and it might be worth setting the ADSL modem to block outbound SMTP
(25/TCP) if you can; at least it will limit the damage you do until you sort
it out.

Regards,
        Daniel

-- 
Daniel Pittman            daniel at rimspace.net            +61 401 155 707
               made with 100 percent post-consumer electrons
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
