Re: Blocked ip by spam

From: Winged (Winged_at_nofollow.com)
Date: 05/12/05


Date: Wed, 11 May 2005 21:44:52 -0500

Javier wrote:
>
> Hi
>
> My ip was black listed because somebody apparently spammed from it.
>
> As I'm not spamming I think maybe there is a worm in some machines in
> the internal net or somebody is using an external smtp server from
> internal net to make spam.
>
> However, I need to stop this then I need to make something to avoid
> being black listed again.
>
> I wonder if somebody out there was having a similar experience and could
> give me a clue to detect why or who is generating the problem.
>
> Thanks in advance
>
> J

If I were a betting man and the blocks were widespread I would suspect
the mail server is an open relay. Might check to see if it is listed here:

http://www.ordb.org/faq/

There is a relatively new vulnerability (4/20) for Exchange hosts (2000,
2003) that can allow your mail host to be compromised; exploits are in
the wild. The vulnerability is caused due to a boundary error in the
"SvrAppendReceivedChunk()" function in "xlsasink.dll" when processing
X-LINK2STATE extended verb requests. This can be exploited to cause a
heap-based buffer overflow by connecting to the SMTP service and issuing
a specially crafted command. Essentially this allows the attacker to
run with system privileges.

More on this at:

http://secunia.com/advisories/14920/

Getting off blocked lists is far harder than getting on them.

You don't really provide enough data to troubleshoot your problem nor
how long the problem has existed. I am just providing starting look points.

Winged
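
Added example (not part of the original post or thread): one way to find which internal machine is sending mail directly, by counting outbound TCP port 25 connections per source in gateway logs. It assumes the gateway logs outbound SYNs in iptables LOG format; the log lines, the addresses and the authorised mail server 192.168.1.10 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style LOG lines (abbreviated, not real traffic).
SAMPLE_LOG = """\
May 11 21:40:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25 SYN
May 11 21:40:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 SYN
May 11 21:40:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1046 DPT=25 SYN
May 11 21:40:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP SPT=1047 DPT=25 SYN
May 11 21:40:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1048 DPT=25 SYN
May 11 21:40:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.80 PROTO=TCP SPT=1049 DPT=80 SYN
May 11 21:40:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=3310 DPT=25 SYN
May 11 21:40:12 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=40113 DPT=25 SYN
"""

# Assumption: the only internal host that should ever talk SMTP to the outside.
MAIL_SERVERS = {"192.168.1.10"}

# Pull just the key=value fields we need out of a LOG line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def smtp_senders(log_text, allowed=MAIL_SERVERS, port="25"):
    """Map each non-authorised source IP to its outbound SMTP activity."""
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != port:
            continue  # not an SMTP connection attempt
        src = f.get("SRC")
        if src is None or src in allowed:
            continue  # malformed line, or the legitimate mail server
        hits[src]["connections"] += 1
        hits[src]["destinations"].add(f.get("DST"))
    return dict(hits)


def report(hits):
    """Return (ip, connections, distinct destinations), busiest source first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["connections"], kv[0]))
    return [(ip, h["connections"], len(h["destinations"])) for ip, h in rows]


if __name__ == "__main__":
    for ip, conns, dests in report(smtp_senders(SAMPLE_LOG)):
        print(f"{ip}: {conns} SMTP connections to {dests} distinct servers")
```

A workstation that contacts many distinct mail servers in a short window is the usual sign of a mass-mailing worm; once the sources are identified, blocking outbound port 25 at the gateway for everything except the mail server prevents the address from being listed again for the same reason.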


