Thanks for the input. I will double check everything. I don't believe the server to be open. It uses the same configuration as our other IMail server with the exception of host settings. I'm also doing a nondestructive scan on the entire system to get a list of everything that is possibly infected as well.
On Wednesday, February 2, 2005 at 4:13:03 AM, [EMAIL PROTECTED] confabulated:

> CBL feeds its list by way of spamtraps exclusively (to the best of my
> knowledge). They also take care to try to not list non-exploited legitimate
> servers such as a listserv from a legitimate company that one customer just
> so happened to have loaded in an address that hit a spam trap. This includes
> things such as whether or not the IP is in DUL space, or has no reverse DNS
> entry, or in this case it appears that they tagged you as being exploited
> because your IP made multiple connections that hit their spam traps using
> different HELO's, which is very zombie-ish.
>
> If it is in fact your IP that is making the connection (I assume they
> exclude multi-hop relay conditions based on the accuracy of their zone),
> then instead of checking for the symptom of the multiple HELO's, you should
> in fact be primarily concerned about the prospect of being an open relay by
> way of misconfiguration or exploit (most often a virus infection that
> opened a back door from which you were hacked). Typically hacked/exploited
> servers are easy to diagnose because spammers tend to pump as much as they
> can out of your box, so both the processor utilization and bandwidth
> consumption should be telling.
>
> With what you have shared, my best guess is that you are an open relay for
> spammers. Try to verify this because it is very unlikely that you would
> have hit their spamtraps under multiple names without being used as a spam
> relay.
>
> Matt
>
> Duane Hill wrote:
>
> Ok. Here is a partial snip of the conversation:
>
> -----
> The CBL attempts to detect compromised machines in a number of ways
> based upon the email that the CBL's mail servers receive.
> During this it tries to distinguish whether the connections represent real
> mail servers by ensuring that each connection is claiming a plausible
> machine name for itself (via SMTP HELO), and not listing any IP that
> corresponds to a real mail server (or several mail servers if the IP
> address is a NAT firewall with multiple mail servers behind it).
>
> 63.110.136.164 was found to be using several different names during multiple
> connections on or about 2005:01:31 ~23:30 UTC.
>
> The names seen included:
>
> opexonline.com,mail2.ispdial.com,jet-the.net,mail.ispdial.com,blazeisp.com
> -----
>
> On Wednesday, February 2, 2005 at 2:30:37 AM, [EMAIL PROTECTED] confabulated:
>
> 192.168.0.2 isn't telling anybody anything. That's an unroutable IP, like
> 172.0.0.0/12 and 10.0.0.0/8.
>
> Since you didn't include the real domain name, we can't check for you on
> dnsreport.com, but you can!
> http://www.dnsreport.com/tools/dnsreport.ch?domain=example.com
> See what's what from the point of view of outside your firewall.
>
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Duane Hill
> Sent: Tuesday, February 01, 2005 8:55 PM
> To: [EMAIL PROTECTED]
> Subject: [IMail Forum] cbl.abuseat.org listing
>
> Just had an issue recently of having one of our IMail servers being listed
> on cbl.abuseat.org. I have been in a long e-mail conversation with one of
> the administrators with CBL. They are claiming our server is using multiple
> domains when connecting to their server, thus making it appear as though
> there is an issue with a proxy.

-----
Duane Hill
Sr E-Mail Administrator
http://www.yournetplus.com

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
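The CBL behaviour quoted in the thread (one source IP presenting several different HELO names within a short period, which is what a relaying zombie looks like from the outside) is easy to reproduce on your own outbound SMTP logs before a blocklist does it for you. The script below is an added example and is not code from the thread, from CBL, or from IMail: it assumes a constructed one-line-per-connection log format ("<ISO timestamp> <client-ip> HELO <name>") that you would have to adapt to your real mail server's log layout, and the IPs and host names in the sample are constructed (documentation ranges), not the ones listed in the thread. It slides a 30-minute window over each IP's connections and flags any IP that used three or more distinct HELO names inside one window; it also applies a crude plausibility check to each name, in the spirit of the "plausible machine name" test the CBL describes.

```python
"""Flag source IPs that present many different SMTP HELO names in a short
window (the pattern the CBL describes).  Added example, not IMail or CBL code.
The log format and all addresses/names below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client-ip> HELO <name>", one event per
# line.  192.0.2.44 cycles through five names in three minutes (zombie-like),
# 198.51.100.7 always says the same thing, and 203.0.113.9 uses three names but
# spread 40 minutes apart, so no single 30-minute window sees more than one.
SAMPLE_LOG = """\
2005-01-31T23:28:10 192.0.2.44 HELO host-a.example
2005-01-31T23:29:02 192.0.2.44 HELO mail.example.com
2005-01-31T23:29:40 192.0.2.44 HELO relay.example.net
2005-01-31T23:30:15 192.0.2.44 HELO smtp.example.org
2005-01-31T23:31:05 192.0.2.44 HELO 192.0.2.44
2005-01-31T23:29:00 198.51.100.7 HELO mx1.example.net
2005-01-31T23:45:00 198.51.100.7 HELO mx1.example.net
2005-01-31T22:00:00 203.0.113.9 HELO a.example.org
2005-01-31T22:40:00 203.0.113.9 HELO b.example.org
2005-01-31T23:20:00 203.0.113.9 HELO c.example.org
this line is not an SMTP event and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) HELO (\S+)$")


def parse_log(text):
    """Yield (timestamp, ip, helo) for every line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def implausible_helo(name):
    """Crude plausibility test: a bare IP literal without RFC brackets, or a
    name with no dot at all, is not a plausible fully-qualified machine name."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        return True
    return "." not in name


def find_multi_helo_ips(text, window=timedelta(minutes=30), threshold=3):
    """Return {ip: sorted distinct HELO names} for every IP that used at least
    `threshold` different HELO names within any sliding window of `window`."""
    by_ip = defaultdict(list)
    for ts, ip, helo in parse_log(text):
        by_ip[ip].append((ts, helo.lower()))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(events)):
            # Drop events that fell out of the window ending at events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {helo for _, helo in events[start:end + 1]}
            if len(names) >= threshold:
                flagged.setdefault(ip, set()).update(names)
    return {ip: sorted(names) for ip, names in flagged.items()}


def report(text):
    """Human-readable summary of flagged IPs, with any implausible names noted."""
    lines = []
    for ip, names in find_multi_helo_ips(text).items():
        bad = [n for n in names if implausible_helo(n)]
        lines.append(f"{ip}: {len(names)} HELO names in one window: {', '.join(names)}")
        if bad:
            lines.append(f"  implausible names: {', '.join(bad)}")
    return "\n".join(lines) or "no IP exceeded the HELO-name threshold"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log export after adjusting `LINE_RE`; an internal host that appears in the flagged output is the machine to examine for a relay misconfiguration or a compromised client, which is exactly the check Matt suggests making before worrying about the HELO symptom itself. The window and threshold are assumptions chosen for the sample, not CBL's actual parameters.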
