Re: [qmailtoaster] general e-mail issue
I've had this at customer locations before. Can you get a copy of the spam message and get the IP of the sending machine from the header info? Most likely it's a rogue machine with a virus. Then you know the culprit.

OR

Big hammer cure: turn off / block port 25 outbound for any machine except the legitimate post offices. This might be a good thing to do now anyhow until you can track down the offender. It will keep you from getting re-listed.

Run a packet sniffer before the router to see where the port 25 traffic is coming from. You'll need to do this before blocking 25 though.

Phil

-Original message-
From: Jacob Billingsley [EMAIL PROTECTED]
Date: Thu, 17 Jan 2008 13:57:58 -0500
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] general e-mail issue
[...]

- QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [qmailtoaster] general e-mail issue
Phil,

Unfortunately, the Spam Police don't provide any evidence of the spam. I understand this as spammers could probably use that information to detect their spam traps.

That is a good point to block port 25, I'm going to do that right now. That would probably block anyone using other POP accounts from sending mail also, wouldn't it?

What packet sniffer would people recommend? I've been using iptraf to look at some traffic but I can't pin down where traffic on port 25 is coming from.

Jacob Billingsley
MCR Technologies, Inc.

-Original Message-
From: Phil Leinhauser [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2008 1:34 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] general e-mail issue
[...]
RE: [qmailtoaster] general e-mail issue
Yes, the downside of blocking port 25 is that the users that have external accounts will also be blocked. Sometimes you need to do what you have to do for the moment. It's not permanent.

For a sniffer, look at www.ethereal.com. To sniff the network you need to keep 2 things in mind: you need to put a network HUB, not a switch, between the router and the network. Then plug your sniffer machine into the HUB. You cannot sniff from a switch unless you have a managed switch with port replication (expensive). Also, you'll need to open 25 back up and let the connection happen, otherwise your sniffer won't see anything.

Ethereal is a great scanner and FREE. Like any good scanner, it will take time to get used to but you should be able to quickly get this much going. It would be worth your time to learn how to really use it so when something else happens you have a handy tool in your arsenal.

Phil

-Original message-
From: Jacob Billingsley [EMAIL PROTECTED]
Date: Thu, 17 Jan 2008 15:10:36 -0500
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] general e-mail issue
[...]
RE: [qmailtoaster] general e-mail issue
The qmail server is the gateway so all the traffic goes through it anyway. I should be able to use Ethereal right on the server then, right? Does it only have a GUI or does Ethereal accept command line?

Jacob Billingsley
MCR Technologies, Inc.

-Original Message-
From: Phil Leinhauser [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2008 2:45 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] general e-mail issue
[...]
[qmailtoaster] general e-mail issue
This is not specific to qmail, but I think you guys could still help me.

I have a customer that showed up on some blacklists yesterday. I spent some time removing them from the lists and searching for the culprit. I've had this issue once before and it was an infected PC spewing out spam. So we found one very infected PC which we removed from the network and their IT staff is cleaning it up. As of this morning they were not on any blacklists and were e-mailing away. I checked again a little while ago and they are again on blacklists.

I'm wondering how you guys would deal with this issue. They are set up so the main campus has an Exchange server behind the qmail server. They have two satellite sites that connect to the Exchange server to download their e-mail via POP and they send e-mail through the qmail server. Now, I don't think it's possible for someone from the satellite sites to be the culprit but I'm not sure.

Have any of you run into this issue before / how would you go about identifying the infection?

Jacob Billingsley
MCR Technologies, Inc.
2674 Kraft Ave SE Grand Rapids, MI 49546
Office: 616-942-7244 ext: 205 Fax: 616-942-5988

The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, please note that any dissemination, distribution, or copying of this communication is strictly prohibited.
RE: [qmailtoaster] general e-mail issue
I've never run Ethereal on Linux. I have an old laptop that I only use as a network scanner. It's got Windows on it and Ethereal. I doubt there is a CL version. When you run it in Windows you'll see data that I think would be hard to deal with in CL.

-Original message-
From: Jacob Billingsley [EMAIL PROTECTED]
Date: Thu, 17 Jan 2008 16:02:57 -0500
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] general e-mail issue
[...]
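An added example, not from any of the posts above: capturing new outbound SMTP connections from the command line on the gateway itself, which is what the sniffer advice in this thread is trying to achieve. Because the qmail box forwards every packet between the LAN and the Internet, a capture on its LAN-side interface sees the same traffic a hub in front of the router would, so no hub or mirror port is needed in that topology. tcpdump ships with most Linux distributions and needs no GUI; the capture filter below uses standard pcap filter syntax, which Ethereal and its command-line front end (tethereal, later renamed tshark) also accept. The interface name, the relay address and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): capture new outbound SMTP
# connections on the gateway itself and attribute them to an inside host by
# IP and MAC address. Interface, relay address and sample lines are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth1}"                    # assumed: LAN-facing interface
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"  # assumed: the legitimate relay
COUNT="${COUNT:-200}"                       # packets to capture before stopping

# Capture filter: first packet of a TCP connection (SYN set, ACK clear) to
# port 25 from anything except the legitimate relay.
SMTP_SYN_FILTER="tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not src host $MAIL_SERVER"

# Run on the gateway as root. -n: no DNS lookups; -e: print the Ethernet
# header so the sender's MAC is recorded (a bot can change its IP, the NIC
# address rarely changes); -c: stop after COUNT packets so the tally below
# gets an end of input.
capture_smtp_syn() {
    tcpdump -n -e -c "$COUNT" -i "$LAN_IF" "$SMTP_SYN_FILTER"
}

# Tally "tcpdump -n -e" output lines by source MAC and source IP.
# Expected line shape:
#   15:12:01.442 00:1d:09:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 62: 192.168.1.57.3345 > 203.0.113.25.25: Flags [S], ...
# Prints "count mac ip", busiest source first.
tally_tcpdump_syn() {
    awk '{
        mac = $2; src = ""
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { src = $i; break }
        if (src == "") next
        sub(/\.[0-9]+$/, "", src)        # drop the source port
        n[mac " " src]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Constructed sample capture (not real traffic): three SYNs from one host,
# one from another.
SAMPLE_CAPTURE='15:12:01.442 00:1d:09:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 62: 192.168.1.57.3345 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0
15:12:01.980 00:1d:09:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 62: 192.168.1.57.3346 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
15:12:02.113 00:50:56:dd:ee:ff > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 62: 192.168.1.23.1101 > 198.51.100.9.25: Flags [S], seq 1, win 65535, length 0
15:12:03.007 00:1d:09:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 62: 192.168.1.57.3347 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0'

# Stand-alone run: tally the sample. On the gateway, run instead:
#   capture_smtp_syn | tally_tcpdump_syn
printf '%s\n' "$SAMPLE_CAPTURE" | tally_tcpdump_syn
```

The MAC address in the output is what you take to the switch or the desk: a bot that gets a new DHCP lease between captures keeps the same NIC address. If the sniffer is not the gateway, the hub or mirror-port advice earlier in the thread still applies, since a plain switch only delivers the traffic to the port the destination MAC lives on.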
Re: [qmailtoaster] general e-mail issue
Jacob Billingsley wrote:
[...]

Stop all connections to port 25 from inside and do port logging to see what computer is trying to access an outside email server (of course you let them access the qmail server).
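An added example, not from the thread: the "big hammer" egress block from Phil's first reply combined with the port logging suggested in the last one, as an iptables script for a Linux gateway. Only the listed inside relays may open connections to port 25 towards the Internet; every other attempt from the LAN is written to the kernel log and rejected, and the tally function reads those log lines to name the host. Interface names, addresses, the relay list and the sample log lines are assumptions constructed for illustration; with APPLY unset the script only prints the rules it would install.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): only the listed relays may
# open outbound SMTP (port 25) connections through a Linux gateway; every
# other inside host that tries is logged and rejected, and the log is
# summarised to name the offender. All names and addresses are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth1}"                  # assumed: interface facing the LAN
WAN_IF="${WAN_IF:-eth0}"                  # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed: internal network
# Inside hosts allowed to send directly (space separated). In the thread the
# gateway itself is the only relay; its own traffic goes through OUTPUT, not
# FORWARD, so the list could then be empty.
MAIL_RELAYS="${MAIL_RELAYS:-192.168.1.10}"

# Execute the command when APPLY=1 (needs root); otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

smtp_egress_rules() {
    run iptables -N SMTP_EGRESS 2>/dev/null || true   # chain may already exist
    run iptables -F SMTP_EGRESS
    for relay in $MAIL_RELAYS; do
        run iptables -A SMTP_EGRESS -s "$relay" -j ACCEPT
    done
    # Everyone else: log the first packet of each connection (rate limited
    # so a spam bot cannot flood syslog), then reject with a RST so the
    # client fails fast instead of hanging on a dropped SYN.
    run iptables -A SMTP_EGRESS -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "SMTP_EGRESS: "
    run iptables -A SMTP_EGRESS -p tcp -j REJECT --reject-with tcp-reset
    # Hook only new connections (SYN) from the LAN to the Internet on port 25.
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 25 --syn -j SMTP_EGRESS
}

# Count logged SMTP attempts per inside source address. Reads kernel log
# lines (e.g. from /var/log/messages or dmesg) on stdin; prints
# "count address", busiest first.
tally_smtp_log() {
    awk '/SMTP_EGRESS:/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt == "25") n[src]++
    }
    END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Constructed sample of what the LOG rule writes (not real log data); the
# last line carries another prefix and must be ignored.
SAMPLE_LOG='Jan 17 15:12:01 gw kernel: SMTP_EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1204 DF PROTO=TCP SPT=3345 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 17 15:12:01 gw kernel: SMTP_EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1205 DF PROTO=TCP SPT=3346 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 17 15:12:02 gw kernel: SMTP_EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=8812 DF PROTO=TCP SPT=1101 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 17 15:12:03 gw kernel: SMTP_EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1206 DF PROTO=TCP SPT=3347 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 17 15:12:04 gw kernel: OTHER_DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=1102 DPT=445 SYN URGP=0'

# Stand-alone run: print the rules (dry run unless APPLY=1), then tally the sample.
smtp_egress_rules
printf '%s\n' "$SAMPLE_LOG" | tally_smtp_log
```

Two practical notes. The rule only matches destination port 25, so users with accounts at outside providers can keep sending if they switch their mail client to the authenticated submission port (587) their provider offers, which limits the side effect Phil and Jacob discuss. And because the LOG rule is rate limited, the counts in the tally are a lower bound; the host at the top of the list is still the one to pull off the network first.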