PLEASE help me determine if I've got issues; I've done everything I know how to do!

C

CompleteNewb

This is long, but I want to give as much info and what I've done to try and
tackle this myself as possible. I really need some help at this point, so
I hope someone out there has the time and can provide some much needed and
much appreciated assistance/advice, etc.

I work at a pretty low-tech place with 8 PC's, all running XP, using
comcast's cable internet service, with file sharing set up so all users can
access a shared folder on one of the PC's. No user or group policies are
set up. All PC's use TrendMicro's pay service, we havy a Linksys router,
and I periodically run Spybot and a few other favorite virus/trojan/bad
stuff finders on all the PCS' (but TrenMicro is the only thing running
24/7). There's also one NetGear wireless access point for an in-office
laptop (it requires a web key to log into the network)

We use a webmail software located on our dedicated server at a hosting
company (where our website is) to do email the web server at the hosting
company is also the email server. Currently it's using SmarterMail (which
is apprently a pretty popular partnered email software with hosting
companies). So users use a web browser to log into their email, which is
housed on the dedicated server.

We've had some emails sent to yahoo email addreses come back with a
rejection notice due to yahoo user complaints about spam (not the users the
email was sent to, just users in general, apparnetly), and we've also had
undeliverable mail come back looking as if we sent it but we know we didn't
(there's spammy stuff in it). Also, Comcast recently disallowed all
outgoing traffic from our public IP (the router) that was looking for port
25, because they said they saw a lot of spammy-looking traffic leaving our
router as well.

Since it seemed like we had a real issue going on, I followed all the
directions SmarterMail has to make sure SMTP requires
authentication, etc., all the steps to minimize possible hijacking and
whatever. I used a few of these online websites where you put in the IP
address of the mail server and it sees if it looks like an open relay, and
they all reported negative. I had everyone change their passwords to
relatively strong ones for logging in t our mail server.

The problem seemed to remain. Then I turned on the outgoing log on the
Linksys router. About every ten seconds I see a couple outgoing packets
going to the same IP but with a different last number, then after about ten
of those it goes to another series of IP's with differnet last number.
For instance, I'd see outgoing to:

64.86.95.6
64.86.95.7
64.86.95.8
64.86.95.27
64.86.95.27
64.86.95.10
64.86.95.26
64.86.95.10
64.86.95.10

then there are bunch that are ("myserver" used instead of my actual web
server)

smtp.myserver.com
smtp.myserver.com
smtp.myserver.com

Some of these come from my own box's internal local IP, some come from the
other internal local IP's.

So, unless these are legitimate (like Windows update doing checks, trend
micro doing checks, etc.), it appears I actually DO have something sending
out IP traffic from inside. I looked up some of these IP's, and the most
numerous batch of outging IP's (starting with 64.86.95) show up as belonging
to:

Teleglobe Inc. TELEGLOBE (NET-64-86-0-0-1)
64.86.0.0 - 64.86.255.255
Akamai Technologies AKAMAI-TGB (NET-64-86-95-0-1)
64.86.95.0 - 64.86.95.255

I found one (and one only) reference to this IP and this company on the web,
where someone else was wondering about it, and it seemed like the assumption
was it was a place doing stuff for Microsoft's Windows update.

But when I turn off update, I still these outgoing traffic items in the
Linksys log.

I feel as if I've done everyhting I can and/or know how to do, so can anyone
out there tell me a good solid way to see if I have some kind of SpamBot on
our side of the router, or if someone has hacked our email server
externally? The problem's getting worse, it seems, and I don't know what I
can do when none of the popular security softwares find anything, but
comcast and yahoo and our inbox full of undeliverablre messages looking like
they were sent by us are pointing to us having a serious issue.

Please help, we rely on our ability to send emails to subscribers, and
they're getting rejected due to "user complaints", and we can't afford to be
blacklisted (and yes, we only send to subscribers, we follow all te opt-in
and opt-out stuff, and are very consciensious about keeping our mailing list
clean.

Please help!

Your time and assitance would be GREATLY appreciated. And thanks for
reading.
 
S

S. Pidgorny

Capture the traffic to see what's sent.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"CompleteNewb" <CompleteNewb@comcast.net> wrote in message
news:zoSdnXXjP9_QyDfanZ2dnUVZ_jqdnZ2d@comcast.com...
> This is long, but I want to give as much info and what I've done to try
> and tackle this myself as possible. I really need some help at this
> point, so I hope someone out there has the time and can provide some much
> needed and much appreciated assistance/advice, etc.
>
> I work at a pretty low-tech place with 8 PC's, all running XP, using
> comcast's cable internet service, with file sharing set up so all users
> can access a shared folder on one of the PC's. No user or group policies
> are set up. All PC's use TrendMicro's pay service, we havy a Linksys
> router, and I periodically run Spybot and a few other favorite
> virus/trojan/bad stuff finders on all the PCS' (but TrenMicro is the only
> thing running 24/7). There's also one NetGear wireless access point for
> an in-office laptop (it requires a web key to log into the network)
>
> We use a webmail software located on our dedicated server at a hosting
> company (where our website is) to do email the web server at the hosting
> company is also the email server. Currently it's using SmarterMail (which
> is apprently a pretty popular partnered email software with hosting
> companies). So users use a web browser to log into their email, which is
> housed on the dedicated server.
>
> We've had some emails sent to yahoo email addreses come back with a
> rejection notice due to yahoo user complaints about spam (not the users
> the email was sent to, just users in general, apparnetly), and we've also
> had undeliverable mail come back looking as if we sent it but we know we
> didn't (there's spammy stuff in it). Also, Comcast recently disallowed
> all outgoing traffic from our public IP (the router) that was looking for
> port 25, because they said they saw a lot of spammy-looking traffic
> leaving our router as well.
>
> Since it seemed like we had a real issue going on, I followed all the
> directions SmarterMail has to make sure SMTP requires
> authentication, etc., all the steps to minimize possible hijacking and
> whatever. I used a few of these online websites where you put in the IP
> address of the mail server and it sees if it looks like an open relay, and
> they all reported negative. I had everyone change their passwords to
> relatively strong ones for logging in t our mail server.
>
> The problem seemed to remain. Then I turned on the outgoing log on the
> Linksys router. About every ten seconds I see a couple outgoing packets
> going to the same IP but with a different last number, then after about
> ten of those it goes to another series of IP's with differnet last number.
> For instance, I'd see outgoing to:
>
> 64.86.95.6
> 64.86.95.7
> 64.86.95.8
> 64.86.95.27
> 64.86.95.27
> 64.86.95.10
> 64.86.95.26
> 64.86.95.10
> 64.86.95.10
>
> then there are bunch that are ("myserver" used instead of my actual web
> server)
>
> smtp.myserver.com
> smtp.myserver.com
> smtp.myserver.com
>
> Some of these come from my own box's internal local IP, some come from the
> other internal local IP's.
>
> So, unless these are legitimate (like Windows update doing checks, trend
> micro doing checks, etc.), it appears I actually DO have something sending
> out IP traffic from inside. I looked up some of these IP's, and the most
> numerous batch of outging IP's (starting with 64.86.95) show up as
> belonging to:
>
> Teleglobe Inc. TELEGLOBE (NET-64-86-0-0-1)
> 64.86.0.0 - 64.86.255.255
> Akamai Technologies AKAMAI-TGB (NET-64-86-95-0-1)
> 64.86.95.0 - 64.86.95.255
>
> I found one (and one only) reference to this IP and this company on the
> web, where someone else was wondering about it, and it seemed like the
> assumption was it was a place doing stuff for Microsoft's Windows update.
>
> But when I turn off update, I still these outgoing traffic items in the
> Linksys log.
>
> I feel as if I've done everyhting I can and/or know how to do, so can
> anyone out there tell me a good solid way to see if I have some kind of
> SpamBot on our side of the router, or if someone has hacked our email
> server externally? The problem's getting worse, it seems, and I don't
> know what I can do when none of the popular security softwares find
> anything, but comcast and yahoo and our inbox full of undeliverablre
> messages looking like they were sent by us are pointing to us having a
> serious issue.
>
> Please help, we rely on our ability to send emails to subscribers, and
> they're getting rejected due to "user complaints", and we can't afford to
> be blacklisted (and yes, we only send to subscribers, we follow all te
> opt-in and opt-out stuff, and are very consciensious about keeping our
> mailing list clean.
>
> Please help!
>
> Your time and assitance would be GREATLY appreciated. And thanks for
> reading.
>
 
Back
Top Bottom