[SpamCop-List] Re: HELP - Something from us hit a spamtrap

[Mike Easter]

Tom G. wrote:
> "Ellen"
>> Assuming that you are talking about 66.237.10.227: Your exchange
>> server is relaying spam for spammers. It appears that your
>> exchange server is being used by spammers exploiting the
>> SMTP/AUTH hack. Please see this faq for information about the
>> exploit and how to fix the problem:

> My thanks to all for pointing me in about 10 different possible
> directions. We will track this down.

Yabbut, the one that really matters is Ellen.  She's a deputy and has
actually *looked at* the evidence for you;  that is, she has peeked into
the actual spams in the spamtraps to give you a clue about what is
*really* going on.  The rest of us were making guesses at possible
causes.

> 2. I have never had even ONE abuse report on being an open relay but
> I will make sure that our IT company investigates.

Imperative.  I'll repost Ellen's links.

Ellen wrote:
> http://news.spamcop.net/cgi-bin/fom?file=372
> http://www.winnetmag.com/article/articleid/40507/40507.html
> http://www.winnetmag.com/article/articleid/42406/42406.html
>
>
> This exploit allows spammers to relay thru your exchange server. This
> relaying does not show up using standard open relay tests as the
> spammer has gained "legal" access to your server by hacking an
> account/password combination.
>
> It's the usual body parts spam.


> 4. I'm 95% sure we are patched current. However, I will personally
> check myself and if we aren't, a new IT company may be in the offing.
>
>> mail.sdenergy.org  calls itself  'SYNC01.SDREONET.local' on > smtp
> transaction, which might reflect a similar behavior on > traceline
> stamp, which could result in a premature SC parse chain > break if
> any item were parsed by a spamtrap hit
>
> 5. Yes, this is our Exchange server. We have been getting a s***load
> of forged emails coming into us looking like they are from our
> employees. We tracked one particular source to another XO IP very
> close to ours that was a lean, mean virus spewing machine. (Yes, we
> use XO for voice & data -- I wish we didn't but we're under a long
> term contract setup before I came onboard.)
>
> Should we change the name of our server? Would that do anything? I
> know just enough about this stuff to be dangerous. Again, we rely a
> lot on our IT consulting guys.

The server's traceline configuration is a separate issue from your
current smtp/auth hack insecurity Ellen mentioned, and the last line I
saw in a spam relayed from/by your server was in 2002 Oct at MAPS, but
that one is misconfigured in the way I described above, and is consistent
with how your server answers in the smtp transaction just today:

Received: from [66.237.10.227] by daver.bungi.com via sendmail with smtp;
Mon, 28 Oct 2002 13:50:36 -0800 (PST)
Received: from yahoo.com ([200.61.189.73]) by SYNC01.SDREONET.local with
Microsoft SMTPSVC(5.0.2195.5329); Mon, 28 Oct 2002 13:50:29 -0800

or, abbreviating for discussion about the 'from' and 'by' fields of the
lines:

  from [66.237.10.227] by daver.bungi.com
  from yahoo.com ([200.61.189.73]) by SYNC01.SDREONET.local

In order to be RFC compliant, the 2nd 'by' field should reflect the fully
qualified domainname of the server, such as its real name
'mail.sdenergy.org' instead of that 'local' name.

But that issue is much much much less important than taking the server
offline until the smtp/auth exploit can be secured, or rather, securing
it immediately.

> 6. I am very open to any and all suggestions. I am a marketing guy
> first and a technogeek second.
>
> Thanks to all for the help. I really, really, really want to close
> this off if we in fact have a genuine problem. Heck, if someone wants
> to call me and chat, I'm at 858-244-1184.

That's a local tollfree telno for me ;-) -  I visited your company's
SDREO website.  You are in the PR about the recent 3 hires;  not as a new
hire of course, since you're an old timer, but the promotion to director
of marketing.

-- 
Mike Easter
kibitzer, not SC admin