Posted by S. Pidgorny on February 8, 2008, 5:58 am
Capture the traffic to see what's sent.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
> This is long, but I want to give as much info and what I've done to try
> and tackle this myself as possible. I really need some help at this
> point, so I hope someone out there has the time and can provide some much
> needed and much appreciated assistance/advice, etc.
>
> I work at a pretty low-tech place with 8 PCs, all running XP, using
> comcast's cable internet service, with file sharing set up so all users
> can access a shared folder on one of the PCs. No user or group policies
> are set up. All PCs use TrendMicro's pay service, we have a Linksys
> router, and I periodically run Spybot and a few other favorite
> virus/trojan/bad stuff finders on all the PCs (but TrendMicro is the only
> thing running 24/7). There's also one NetGear wireless access point for
> an in-office laptop (it requires a web key to log into the network).
>
> We use a webmail software located on our dedicated server at a hosting
> company (where our website is) to do email; the web server at the hosting
> company is also the email server. Currently it's using SmarterMail (which
> is apparently a pretty popular partnered email software with hosting
> companies). So users use a web browser to log into their email, which is
> housed on the dedicated server.
>
> We've had some emails sent to yahoo email addresses come back with a
> rejection notice due to yahoo user complaints about spam (not the users
> the email was sent to, just users in general, apparently), and we've also
> had undeliverable mail come back looking as if we sent it but we know we
> didn't (there's spammy stuff in it). Also, Comcast recently disallowed
> all outgoing traffic from our public IP (the router) that was looking for
> port 25, because they said they saw a lot of spammy-looking traffic
> leaving our router as well.
>
> Since it seemed like we had a real issue going on, I followed all the
> directions SmarterMail has to make sure SMTP requires
> authentication, etc., all the steps to minimize possible hijacking and
> whatever. I used a few of these online websites where you put in the IP
> address of the mail server and it sees if it looks like an open relay, and
> they all reported negative. I had everyone change their passwords to
> relatively strong ones for logging in to our mail server.
>
> The problem seemed to remain. Then I turned on the outgoing log on the
> Linksys router. About every ten seconds I see a couple outgoing packets
> going to the same IP but with a different last number, then after about
> ten of those it goes to another series of IPs with a different last number.
> For instance, I'd see outgoing to:
>
> 64.86.95.6
> 64.86.95.7
> 64.86.95.8
> 64.86.95.27
> 64.86.95.27
> 64.86.95.10
> 64.86.95.26
> 64.86.95.10
> 64.86.95.10
>
> then there are bunch that are ("myserver" used instead of my actual web
> server)
>
> smtp.myserver.com
> smtp.myserver.com
> smtp.myserver.com
>
> Some of these come from my own box's internal local IP, some come from the
> other internal local IPs.
>
> So, unless these are legitimate (like Windows update doing checks, trend
> micro doing checks, etc.), it appears I actually DO have something sending
> out IP traffic from inside. I looked up some of these IPs, and the most
> numerous batch of outgoing IPs (starting with 64.86.95) show up as
> belonging to:
>
> Teleglobe Inc. TELEGLOBE (NET-64-86-0-0-1)
> 64.86.0.0 - 64.86.255.255
> Akamai Technologies AKAMAI-TGB (NET-64-86-95-0-1)
> 64.86.95.0 - 64.86.95.255
>
> I found one (and one only) reference to this IP and this company on the
> web, where someone else was wondering about it, and it seemed like the
> assumption was it was a place doing stuff for Microsoft's Windows update.
>
> But when I turn off update, I still see these outgoing traffic items in the
> Linksys log.
>
> I feel as if I've done everything I can and/or know how to do, so can
> anyone out there tell me a good solid way to see if I have some kind of
> SpamBot on our side of the router, or if someone has hacked our email
> server externally? The problem's getting worse, it seems, and I don't
> know what I can do when none of the popular security softwares find
> anything, but comcast and yahoo and our inbox full of undeliverable
> messages looking like they were sent by us are pointing to us having a
> serious issue.
>
> Please help, we rely on our ability to send emails to subscribers, and
> they're getting rejected due to "user complaints", and we can't afford to
> be blacklisted (and yes, we only send to subscribers, we follow all the
> opt-in and opt-out stuff, and are very conscientious about keeping our
> mailing list clean).
>
> Please help!
>
> Your time and assistance would be GREATLY appreciated. And thanks for
> reading.
>
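The reply's advice is to capture the traffic and look at what is actually being sent. A first-pass triage that fits the situation described in the quoted post (outbound connections from several LAN hosts, fanning out to many different external servers on port 25) is to summarise the router's outgoing log per internal host and flag any host that opens SMTP sessions to many unrelated destinations; a workstation with a legitimately configured mail client talks to one mail server, while a spam bot delivers directly to many recipient domains. The script below is an added example, not code from the thread or from any of the products mentioned. The log line format, the addresses (RFC 5737 documentation ranges and 192.168.1.0/24 for the LAN), the stand-in for smtp.myserver.com and the threshold of five distinct servers are all constructed for illustration; the regular expression has to be adapted to the real router's export format.

```python
"""Flag LAN hosts that open outbound SMTP connections to many different
external servers, working from router outgoing-log lines.

Added example for this thread, not the original poster's or any vendor's
code. Line format, addresses and threshold are constructed assumptions.
"""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}          # ports a mailer or bot would use for delivery/submission

# Constructed format: "<date> <time> <lan-ip> -> <dst-ip>:<dst-port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["port"])


def summarize_smtp(lines, allowed_servers=frozenset()):
    """Per LAN host: the set of distinct SMTP destinations and the number of
    SMTP connections, ignoring the organisation's own mail server(s)."""
    stats = defaultdict(lambda: {"dsts": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip lines in a format we do not understand
            continue
        _, src, dst, port = rec
        if port not in SMTP_PORTS or dst in allowed_servers:
            continue
        stats[src]["dsts"].add(dst)
        stats[src]["count"] += 1
    return dict(stats)


def suspicious_hosts(stats, min_distinct=5):
    """A normal client talks to one configured server; a host opening SMTP
    sessions to many unrelated servers matches the direct-delivery bot pattern."""
    return sorted(h for h, s in stats.items() if len(s["dsts"]) >= min_distinct)


# Constructed sample: 192.168.1.10 uses only the legitimate mail server,
# 192.168.1.15 fans out to six different external SMTP servers.
SAMPLE_LINES = [
    "2008-02-07 09:00:01 192.168.1.10 -> 198.51.100.25:25",
    "2008-02-07 09:00:03 192.168.1.10 -> 203.0.113.50:443",
    "2008-02-07 09:00:10 192.168.1.15 -> 203.0.113.6:25",
    "2008-02-07 09:00:20 192.168.1.15 -> 203.0.113.7:25",
    "2008-02-07 09:00:30 192.168.1.15 -> 203.0.113.8:25",
    "2008-02-07 09:00:40 192.168.1.15 -> 203.0.113.27:25",
    "2008-02-07 09:00:50 192.168.1.15 -> 203.0.113.27:25",
    "2008-02-07 09:01:00 192.168.1.15 -> 203.0.113.10:25",
    "2008-02-07 09:01:10 192.168.1.15 -> 203.0.113.26:25",
    "2008-02-07 09:01:20 192.168.1.15 -> 198.51.100.25:25",
    "garbage line the parser should skip",
]

# Constructed stand-in for the organisation's own smtp.myserver.com address.
OUR_MAIL_SERVER = frozenset({"198.51.100.25"})

if __name__ == "__main__":
    stats = summarize_smtp(SAMPLE_LINES, OUR_MAIL_SERVER)
    for host in suspicious_hosts(stats):
        s = stats[host]
        print(f"{host}: {s['count']} SMTP connections to {len(s['dsts'])} distinct servers")
```

Running it on the constructed sample names 192.168.1.15 only; 192.168.1.10's traffic is either to the allowed mail server or not SMTP at all. A host flagged this way is the one to take off the network and examine, and the same per-host view makes it easy to tell whether the traffic is spread over every machine (more likely a shared cause) or concentrated on one or two. If the router cannot export its log, the equivalent check is a packet capture on a mirror port or inline box, filtered to destination port 25, grouped by source address.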