SPAM Block AUP link

Posted: Sun Nov 22, 2009 6:44 pm
by phoenixx
Hi,
I was SPAM blocked earlier. I have checked my servers, and the only machine configured to /send/ emails has not been used in the last week.

Can I get more details in case I missed something?

Is it possible to get a copy of the spam report/log whatever sent to my email?

I am /receiving/ a lot of spam, deliberately I suspect, an attempt to make it impossible for me to get any sales emails. Which is moot anyway, since the spams just get dumped in a trash folder my end, and the part of my business they are trying to ruin already shut down 2 years ago anyway. (I am happy to give you the logs; 10 years of spammer IPs/ISPs should be a welcome addition to your ORBS database no doubt. I would have added them to my firewall, but there are just too many.)

Other than spam, I just receive the occasional supplier catalog, or payment notification. Which I still need to receive. Plus the emails are linked to various commerce related things where I need to get a confirmation email to proceed, so I can't just shut the server off entirely or I would have already.

Since my mail server primarily receives email only these days, I find it odd that I have been spam blocked. I have shut off the two ports that allowed me to check/send email when I was on the road (a webmail client, and my SMTP port), which I almost never use these days. But the logs correctly indicate I (or anyone else) have not used it to send mail for some time.

All I can think is I have been spam blocked for /receiving/ emails, in which case this is beyond my control, and must be a gross misconfiguration at your end.

Unless the AUP has changed since I signed up? I can't find a link to the AUP anywhere, can I get a link?

Unless the AUP now prohibits any sort of business from using your service, which is unlikely as you would be in breach of the original internet account contract terms agreed to by no doubt hundreds if not thousands of your clients - I can't see anything running here that should have triggered the spam block?

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 6:55 pm
by Dazzled
Spam usually comes from Windows zombies. They won't be using your mail client, just your web connection. Have you scanned any Windows boxes you have?

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 6:57 pm
by sable
Did you consider that you may have caught a virus and it is the virus that is spewing spam from your connection?

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 7:24 pm
by phoenixx
No bots running like that, I have application/network level firewalls on all machines telling me what is connected where and when.

Where I work my day job I actually have to find and kill those things off as my job. The only spam I see moving at all is the ones getting sent to me. As for "catching" nasty stuff, the machines and servers on that network have not had anyone using them for a while beyond my periodical checks. The only thing I have been using them for lately is remote access to my Visual Basic / Perl development server, and checking the odd email.. where it isn't a Nigerian offering to send me money, an Asian trying to sell me a Rolex, a Brazilian trying to sell me Viagra, the Russian mafia offering to marry me off to some fake Russian women, or some guy in Ghana trying to trick me into opening a Word doc with details of a "missing shipment and Western Union payment".

The only thing that might be running is something that triggers when the machine is idle or half crashed, and somehow avoids the firewall. I go to great pains not to use outlook or internet explorer due to their vulnerabilities in this area. So it beats me.

Last time I got a spam block, someone had cracked the password on one of the email accounts. So I set that mail server to prevent emails sending, changed the account password, set up a dedicated separate mail server inside the firewall on the off chance I needed to send one - and logged every IP that attempted to use the email account and forwarded details to the federal authorities of whatever country owned the IP netblock. (Most times it was China, interestingly.)

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 7:48 pm
by Dazzled
You seem to have access to a few boxes and some tech background. Why don't you put a genuinely secure Linux gateway right behind the modem, and track/filter everything. It won't take long to find exactly what's happening, and the gateway will get you back onside with Exetel.

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 7:51 pm
by phoenixx
Just got a mail server connection from 58.9.153.46 to a non-existent email address.
Traces to Bangkok. Connection failed, so I know my relay isn't messing up. Routes via Singapore and Japan.

22/11/2009 7:41:34 PM - Requested SMTP connection from 58.9.153.46
22/11/2009 7:41:34 PM - ( 92) 220 <my mail server> ArGoSoft Mail Server Freeware, Version 1.8 (1.8.9.2)
22/11/2009 7:41:35 PM - ( 92) HELO jump
22/11/2009 7:41:35 PM - ( 92) 250 Welcome [58.9.153.46], pleased to meet you
22/11/2009 7:41:35 PM - ( 92) MAIL FROM: <johnsmithsvt@cybernexus.wox.org>
22/11/2009 7:41:35 PM - ( 92) 250 Sender "johnsmithsvt@cybernexus.wox.org" OK...
22/11/2009 7:41:36 PM - ( 92) RCPT TO: <johnsmithsvt@cybernexus.wox.org>
22/11/2009 7:41:36 PM - ( 92) 554 User unknown
22/11/2009 7:41:36 PM - ( 92)
22/11/2009 7:41:36 PM - Error: [10054] Connection reset by peer
22/11/2009 7:41:36 PM - SMTP connection with 58.9.153.46 ended. ID=92

No other traffic beyond me hitting send/receive so far. If I get another blast of incoming spam, it will likely be whoever is behind that IP triggering it off to attack my mail server again.

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 7:56 pm
by Dazzled
This lot - http://trueinternet.co.th/memberservice.html - how's your Thai? It looks like an ISP

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 8:02 pm
by phoenixx
I do have a MikroTik powered ISP grade licence gateway unit that ran my town's community network, which has been offline 2 months now since a flood took out the power supplies to the mast. Public means no funding, means no spare parts lol. It was set up to run direct passthrough mode over the ADSL modem, but it has limitations in regard to port forwarding PPPoE, so it was left off after a one day test run, as it disabled the second network and all the internet servers therein! No email/game servers/web/VoIP, ouch. Worked great on the community network side, if nobody wanted to play on the on-site game servers. But a dedicated link that gets internally shaped to 128k, which cuts off my entire business network and all the remaining bandwidth, could not be justified for non-profit purposes as a good trade off!

Don't know any Thai! How about you?

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 8:16 pm
by phoenixx
Here's some more - Ho Chi Minh, routed via Frankfurt and Hong Kong.. odd path.

22/11/2009 7:52:36 PM - Requested SMTP connection from 125.212.253.214
22/11/2009 7:52:36 PM - Error: [10054] Connection reset by peer
22/11/2009 7:52:36 PM - SMTP connection with 125.212.253.214 ended. ID=97

And another - in the vicinity of Delhi, India.. routed via Canada and Singapore?

22/11/2009 8:03:27 PM - Requested SMTP connection from 117.194.32.7
22/11/2009 8:03:27 PM - ( 98) 220 xxxxxxxxxxxxx ArGoSoft Mail Server Freeware, Version 1.8 (1.8.9.2)
22/11/2009 8:03:28 PM - ( 98) EHLO DGPJLNC
22/11/2009 8:03:28 PM - ( 98) 250-Welcome [117.194.32.7], pleased to meet you
22/11/2009 8:03:28 PM - ( 98) 250-AUTH=LOGIN
22/11/2009 8:03:28 PM - ( 98) 250-AUTH LOGIN
22/11/2009 8:03:28 PM - ( 98) 250-SIZE 5242880
22/11/2009 8:03:28 PM - ( 98) 250 HELP
22/11/2009 8:03:29 PM - ( 98) MAIL FROM: <strafef0@radiantpartners.com>
22/11/2009 8:03:29 PM - ( 98) 250 Sender "strafef0@radiantpartners.com" OK...
22/11/2009 8:03:30 PM - ( 98) RCPT TO: <an email account i deleted 2 years ago>
22/11/2009 8:03:30 PM - ( 98) 554 User unknown
22/11/2009 8:03:31 PM - ( 98) RSET
22/11/2009 8:03:31 PM - ( 98) 250 Reset state
22/11/2009 8:03:31 PM - ( 98) MAIL FROM: <fittingly89@radissonsas.com>
22/11/2009 8:03:31 PM - ( 98) 250 Sender "fittingly89@radissonsas.com" OK...
22/11/2009 8:03:32 PM - ( 98) RCPT TO: <my same email address i deleted 2 years ago>
22/11/2009 8:03:32 PM - ( 98) 554 User unknown
22/11/2009 8:03:33 PM - Error: [10054] Connection reset by peer
22/11/2009 8:03:33 PM - SMTP connection with 117.194.32.7 ended. ID=98
22/11/2009 8:03:34 PM - Requested SMTP connection from 117.194.32.7
22/11/2009 8:03:34 PM - ( 99) 220 XXXXXXXXx ArGoSoft Mail Server Freeware, Version 1.8 (1.8.9.2)
22/11/2009 8:03:34 PM - ( 99) EHLO JHFFKVRSFT
22/11/2009 8:03:34 PM - ( 99) 250-Welcome [117.194.32.7], pleased to meet you
22/11/2009 8:03:35 PM - ( 99) 250-AUTH=LOGIN
22/11/2009 8:03:35 PM - ( 99) 250-AUTH LOGIN
22/11/2009 8:03:35 PM - ( 99) 250-SIZE 5242880
22/11/2009 8:03:35 PM - ( 99) 250 HELP
22/11/2009 8:03:36 PM - ( 99) MAIL FROM: <toledo7@researchdiets.com>
22/11/2009 8:03:36 PM - ( 99) 250 Sender "toledo7@researchdiets.com" OK...
22/11/2009 8:03:37 PM - ( 99) RCPT TO: <same address again, persistent arn't they>
22/11/2009 8:03:37 PM - ( 99) 554 User unknown
22/11/2009 8:03:37 PM - Error: [10054] Connection reset by peer
22/11/2009 8:03:37 PM - SMTP connection with 117.194.32.7 ended. ID=99

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 8:21 pm
by phoenixx
And another one again: user@ was an old account, but it is sending to a domain my mail server hasn't sat on in 5 years. I wonder how they put those two together. Not an address I would use, but the way the mail server is designed, had the user@ account still existed, and had I still been listening on that domain, it might have ended up in my email inbox for that old account.

The routing on this one is just bizarre. New York, Bucharest, Budapest, Westminster, Berlin, Frankfurt again, all over Europe. Does someone think spam is like a game of Uplink or something, pffft.

I could go on all night but you see the crap my server gets. Tracking the number of IPs the spammers use is too hard manually.

22/11/2009 8:09:04 PM - Requested SMTP connection from 94.52.76.58
22/11/2009 8:09:04 PM - ( 100) 220 xxxxxxxxxxxxxx ArGoSoft Mail Server Freeware, Version 1.8 (1.8.9.2)
22/11/2009 8:09:05 PM - ( 100) helo mail.lt
22/11/2009 8:09:05 PM - ( 100) 250 Welcome [94.52.76.58], pleased to meet you
22/11/2009 8:09:05 PM - ( 100) mail from:<info@jackal.com>
22/11/2009 8:09:05 PM - ( 100) 250 Sender "info@jackal.com" OK...
22/11/2009 8:09:06 PM - ( 100) rcpt to:<an old account@trafalgar.org.au>
22/11/2009 8:09:06 PM - ( 100) 551 User not local. We don't relay
22/11/2009 8:09:07 PM - ( 100)
22/11/2009 8:09:07 PM - Error: [10054] Connection reset by peer
22/11/2009 8:09:07 PM - SMTP connection with 94.52.76.58 ended. ID=100


You will also notice none of it is outbound, all inbound.
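As an added example (not phoenixx's code and not part of ArGoSoft), here is a small Python parser for log lines in the ArGoSoft shape quoted in this thread. It groups each SMTP session by peer IP and classifies it by the reply its RCPT TO drew, so the "all inbound, nothing accepted or relayed" observation above can be confirmed over a whole log instead of by eye. The sample log is constructed from the shape of the lines quoted above (recipient local-parts shortened), and the verdict names are my own.

```python
import re
from collections import Counter

# Constructed sample in the ArGoSoft log shape quoted above (recipient local-parts shortened).
SAMPLE_LOG = """\
22/11/2009 8:03:27 PM - Requested SMTP connection from 117.194.32.7
22/11/2009 8:03:29 PM - ( 98) MAIL FROM: <strafef0@radiantpartners.com>
22/11/2009 8:03:29 PM - ( 98) 250 Sender "strafef0@radiantpartners.com" OK...
22/11/2009 8:03:30 PM - ( 98) RCPT TO: <old-user@example.invalid>
22/11/2009 8:03:30 PM - ( 98) 554 User unknown
22/11/2009 8:03:33 PM - SMTP connection with 117.194.32.7 ended. ID=98
22/11/2009 8:09:04 PM - Requested SMTP connection from 94.52.76.58
22/11/2009 8:09:06 PM - ( 100) rcpt to:<old-user@trafalgar.org.au>
22/11/2009 8:09:06 PM - ( 100) 551 User not local. We don't relay
22/11/2009 8:09:07 PM - SMTP connection with 94.52.76.58 ended. ID=100
22/11/2009 7:52:36 PM - Requested SMTP connection from 125.212.253.214
22/11/2009 7:52:36 PM - SMTP connection with 125.212.253.214 ended. ID=97
"""
BODY_RE = re.compile(r"^\S+ \S+ [AP]M - (.*)$")            # drop the timestamp prefix
START_RE = re.compile(r"Requested SMTP connection from (\S+)")
END_RE = re.compile(r"SMTP connection with \S+ ended\. ID=\d+")
CMD_RE = re.compile(r"\(\s*\d+\)\s*(.*)")                 # "( 98) <smtp command or reply>"
RCPT_RE = re.compile(r"RCPT TO:\s*<", re.I)               # verb is logged as the client typed it
REPLY_RE = re.compile(r"^(\d{3})[ -]")

def verdict(rcpt_codes):  # classify one session by the replies its RCPT TO commands drew
    if "250" in rcpt_codes:
        return "accepted"       # we took a message; the only case an upstream block could stem from
    if "551" in rcpt_codes:
        return "relay_refused"  # recipient not ours, relaying correctly denied
    if "554" in rcpt_codes:
        return "unknown_user"   # inbound junk aimed at a dead local account
    return "probe"              # connected and left without naming a recipient

def parse_sessions(log_text):  # yield (peer_ip, [reply codes to RCPT TO]) per session
    peer, codes, awaiting_reply = None, [], False
    for raw in log_text.splitlines():
        text = m.group(1) if (m := BODY_RE.match(raw)) else ""   # non-log lines fall through
        if start := START_RE.search(text):
            peer, codes, awaiting_reply = start.group(1), [], False
        elif END_RE.search(text) and peer:
            yield peer, codes
            peer = None
        elif (cmd := CMD_RE.match(text)) and peer:
            if RCPT_RE.match(cmd.group(1)):
                awaiting_reply = True
            elif awaiting_reply and (reply := REPLY_RE.match(cmd.group(1))):
                codes.append(reply.group(1))   # 250 after MAIL FROM is deliberately not counted
                awaiting_reply = False

def summarize(log_text):  # per-peer tally of verdicts; any 'accepted' is what to chase first
    tally = {}
    for peer, codes in parse_sessions(log_text):
        tally.setdefault(peer, Counter())[verdict(codes)] += 1
    return tally
```

Running `summarize(open("smtp.log").read())` over a real ArGoSoft log gives one Counter per peer; a log with no "accepted" entries is evidence the server is only being hit, not used.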

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 8:48 pm
by Dazzled
Another ISP - how's your Romanian?
I did a tracepath for a change to this bizarre little beauty:

$ tracepath 94.52.76.58
 1:  192.168.1.13 (192.168.1.13)                            0.134ms pmtu 1500
 1:  192.168.1.1 (192.168.1.1)                             26.757ms asymm  3 
 1:  192.168.1.1 (192.168.1.1)                             27.387ms asymm  3 
 2:  192.168.1.1 (192.168.1.1)                              1.403ms pmtu 1492
 2:  no reply
 3:  10.0.1.33 (10.0.1.33)                                 43.447ms 
 4:  no reply
 5:  37.2.233.220.static.exetel.com.au (220.233.2.37)      45.002ms 
 6:  49.ge-1-2-0.GW8.SYD2.ALTER.NET (203.166.42.101)       44.077ms asymm 14 
 7:  0.so-7-2-0.XT4.SYD2.ALTER.NET (210.80.33.193)         43.858ms asymm 13 
 8:  0.so-1-3-0.IR2.LAX12.Alter.Net (210.80.48.69)        269.983ms asymm 21 
 9:  0.so-5-0-0.IL2.LAX9.ALTER.NET (152.63.48.69)         269.803ms asymm 20 
10:  0.so-7-1-0.XL4.LAX15.ALTER.NET (152.63.1.242)        271.320ms asymm 20 
11:  0.ge-6-1-0.BR2.LAX15.ALTER.NET (152.63.116.153)      270.031ms asymm 21 
12:  xe-11-0-0.edge1.SanJose3.level3.net (4.68.111.249)   201.907ms asymm 13 
13:  ae-63-60.ebr3.LosAngeles1.Level3.net (4.69.144.52)   202.705ms asymm 12 
14:  ae-4.ebr4.Washington1.Level3.net (4.69.132.82)       279.946ms 
15:  ae-84-84.csw3.Washington1.Level3.net (4.69.134.186)  273.964ms asymm 13 
16:  ae-82-82.ebr2.Washington1.Level3.net (4.69.134.153)  268.913ms asymm 14 
17:  ae-43-43.ebr2.Frankfurt1.Level3.net (4.69.137.57)    357.392ms asymm 14 
18:  ae-2-2.ebr1.Dusseldorf1.Level3.net (4.69.132.137)    361.213ms asymm 15 
19:  ae-1-100.ebr2.Dusseldorf1.Level3.net (4.69.141.150)  361.892ms asymm 16 
20:  ae-3-3.ebr2.Berlin1.Level3.net (4.69.133.145)        376.030ms asymm 17 
21:  ae-1-100.ebr1.Berlin1.Level3.net (4.69.133.173)      376.437ms asymm 18 
22:  ae-8-8.car1.Bucharest1.Level3.net (4.69.141.29)      398.263ms asymm 17 
23:  212.162.45.10 (212.162.45.10)                        396.537ms asymm 16 
24:  unnasigned-reverse-148.250.newcom.ro (89.165.148.250) 397.598ms asymm 17 
25:  no reply
What's important though is you get blocked for what you send. Have these pests found a relay, or does the culprit lie elsewhere?

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 9:21 pm
by phoenixx
Dazzled wrote: Another ISP - how's your Romanian?
I did a tracepath for a change to this bizarre little beauty:

What's important though is you get blocked for what you send. Have these pests found a relay, or does the culprit lie elsewhere?
None of the machines on my network are reporting any outbound data, other than my remote desktop connection to the mail server. Relay (even tho it was SMTP encrypted connects only) has been turned off on that server for a very long time. Mail server is not even sending out bounce messages (which can also be a trick they use to make it relay when you use client side software "fake user not found" reply type anti-spam tools.)

The logs on the server around the time the spamblock fired off originally only show the usual inbound "viagra" style spam from South America.

(I always wonder what is in it for them for those viagra spams; they almost never have any sort of real contact details. So it is either deliberate nuisance email (thus my earlier comment) or just for "brand awareness". I've never heard of "Cialis" except for the spams on it. I also get a lot of just gibberish rubbish, which only has nuisance value.)

The only machine on the network at all that might have potential for any zombie-ware (has all my Steam games on it, Steam uses IE) has been unplugged and in bits up until about 4 hours into the spam block. And its firewall reports nothing suspicious on there either.

The town's public wifi network, which ran a separate partitioned 128k slice when it was working, is not even physically wired TO the network, thanks to a big chunk of water damaged gear, and the MikroTik was set so it blocked all email traffic other than incoming anyway. It had to allow some email access as truckies could pull over and check their email in theory. So even if the wireless mast was working by some divine intervention through my waterlogged unplugged Netgear PoE "paper weight", it's not someone sending that way either.

Are the logs of the trigger event even available anymore? I know Exetel lost a lot of its more one-to-one technical people when they stopped being the new underdog ISP years ago, and made it big! lol So is there enough of the "personal touch" left in the original company staff to dig out the logs? Or were they all replaced by a bunch of uni grads who don't care, like most other ISPs when they grow too fast. I know in the early days their customer service was awesome, as the guys running the company also owned it, and did the support.

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 9:42 pm
by Dazzled
I hate to think that they are Windows boxes, and a rootkit won't show up in logs and firewalls. If the games box was in bits, either Exetel is deceived or the other machines are doing it. Good luck with the Exetel logs; otherwise, start up that gateway... Untangle, ClarkConnect, Astaro, smoothwall, m0n0wall, etc. The first is the most Windows-like if Linux is rusty. http://www.untangle.com/Demos-Screenshots

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 10:14 pm
by phoenixx
Dazzled wrote: I hate to think that they are Windows boxes, and a rootkit won't show up in logs and firewalls. If the games box was in bits, either Exetel is deceived or the other machines are doing it. Good luck with the Exetel logs; otherwise, start up that gateway... Untangle, ClarkConnect, Astaro, smoothwall, m0n0wall, etc. The first is the most Windows-like if Linux is rusty. http://www.untangle.com/Demos-Screenshots
Well MikroTik (look it up) has a graphical front end I use way too much; an updated version may fix the PPPoE port forward troubles I have. Or I could move more services off site to a hosting server. I also have a machine covered in dust set up for freesco somewhere. They both have the necessary capabilities. I could also recommission my WinRoute gateway, utilising a PPPoE dial-up connection in lieu of the modem it used to run off; so I have alternatives in that regard. I also have the ADSL gateway itself on a separate network section, so running a man-in-the-middle bridge with a packet monitor would be easy enough there too.

All this would be not needed if i just got the log of the trigger event tho!

Re: SPAM Block AUP link

Posted: Sun Nov 22, 2009 10:43 pm
by Dazzled
I looked up the RouterOS documentation, and apart from the kernel being quoted often, it's hard to tell which common "base" distro it resembles. Good luck with finding where the crap is lurking.