From: Jake on 2 Jun 2010 01:25

Can a telnet test get us on a DNS blacklist? It appears that several hours after I did a telnet (on port 25) session to test connectivity to a client's mail server, my mail server's public IP address got on DNS blacklists (Spamhaus and CBL). If this is true, we can no longer do a connectivity test without worrying about getting blacklisted.
From: Ed Crowley [MVP] on 2 Jun 2010 16:49

I don't think so.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"Jake" <someone> wrote in message news:ugC6AQhALHA.4920(a)TK2MSFTNGP04.phx.gbl...
> Can a telnet test get us on a DNS blacklist? It appears that several hours
> after I did a telnet (on port 25) session to test connectivity to a client's
> mail server, my mail server's public IP address got on DNS blacklists
> (Spamhaus and CBL). If this is true, we can no longer do a connectivity test
> without worrying about getting blacklisted.
From: Rich Matheisen [MVP] on 2 Jun 2010 19:11

On Tue, 1 Jun 2010 22:25:22 -0700, "Jake" <someone> wrote:
> Can a telnet test get us on a DNS blacklist? It appears that several hours
> after I did a telnet (on port 25) session to test connectivity to a client's
> mail server, my mail server's public IP address got on DNS blacklists
> (Spamhaus and CBL). If this is true, we can no longer do a connectivity test
> without worrying about getting blacklisted.

That would be very unlikely. It takes a lot more than a single connection to get on either of those lists -- but Spamhaus incorporates the CBL, so if you're on any list it's probably the CBL.
---
Rich Matheisen
MCSE+I, Exchange MVP
From: Jake on 2 Jun 2010 23:19

"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message news:n5pd069dub1pmmf6248so50jp7gt25bfn7(a)4ax.com...
> That would be very unlikely. It takes a lot more than a single
> connection to get on either of those lists -- but Spamhaus incorporates
> the CBL, so if you're on any list it's probably the CBL.

IIRC I did 1 or 2 telnet connection tests on 2010:05:28 around 19:07 UTC. This matches the description from CBL (see their mail reply below). The CBL website says that I have a Gheg bot infection. I have been watching my firewall logs for a few days. I don't see any suspicious port 25 outbound connections. Outbound mail traffic looks normal (less than 150 outbound SMTP connections in 18 hours). There's only 1 way out to the internet, that is, from my Exchange box through the firewall out to the internet.

I contacted CBL by email. Their reply is under the dashes below (the first 2 lines are my question, followed by their reply). I don't know how they come up with the Gheg bot infection information, but they confirm that a telnet session might get us on the blacklist. Scary, huh?

----------------------------------------------------------------------------------------------
> Could the manual connectivity test (telnet on port 25)
> trigger a false detection and get us blacklisted?

Yes, it is possible.

boilerplate follows;
The IP [my.exchange.PUBLIC.IP] is infected with spamware, most recently detected at:

2010:05:28 ~19:00 UTC+/- 15 minutes (approximately 4 days, 3 hours, 29 minutes ago)

It will be one of the following scenarios:

1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a gheg BOT infection

Note that while this description may seem vague, be assured that there is NO POSSIBILITY that this listing was caused by any form of legitimate mail or network activity. Secondly, there is also NO POSSIBILITY that the IP address was spoofed. Thirdly, the presence or lack of anti-virus software in your mail server CANNOT and DOES NOT prevent this from happening, because most of these infections contain their own mail clients, and they bypass your mail server software.

You will need to examine the machine for a virus or spam sending spyware/adware/worm.

<truncated>
----------------------------------------------------------------------------------------------
From: Rich Matheisen [MVP] on 3 Jun 2010 20:33

On Wed, 2 Jun 2010 20:19:39 -0700, "Jake" <someone> wrote:
>
> "Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message
> news:n5pd069dub1pmmf6248so50jp7gt25bfn7(a)4ax.com...
>> That would be very unlikely. It takes a lot more than a single
>> connection to get on either of those lists -- but Spamhaus incorporates
>> the CBL, so if you're on any list it's probably the CBL.
>
> IIRC I did 1 or 2 telnet connection tests on 2010:05:28 around 19:07 UTC.
> This matches the description from CBL (see their mail reply below). The CBL
> website says that I have a Gheg bot infection. I have been watching my
> firewall logs for a few days. I don't see any suspicious port 25 outbound
> connections. Outbound mail traffic looks normal (less than 150 outbound SMTP
> connections in 18 hours). There's only 1 way out to the internet, that is,
> from my Exchange box through the firewall out to the internet.
>
> I contacted CBL by email. Their reply is under the dashes below (the first 2
> lines are my question, followed by their reply). I don't know how they come
> up with the Gheg bot infection information, but they confirm that a telnet
> session might get us on the blacklist. Scary, huh?
>
> ----------------------------------------------------------------------------------------------
>> Could the manual connectivity test (telnet on port 25)
>> trigger a false detection and get us blacklisted?
>
> Yes, it is possible.

This just has to be asked: are you using a static IP address?

You'd have to do an awful lot of typing to be detected as the source of spam. There is, of course, always the possibility of coincidence. You may have an infected client on your network that's using your server as an SMTP relay, or you haven't blocked clients from sending e-mail directly to the Internet and they're using a common NATed address shared by your server.

> boilerplate follows;
> The IP [my.exchange.PUBLIC.IP] is infected with spamware, most recently
> detected at:
>
> 2010:05:28 ~19:00 UTC+/- 15 minutes (approximately 4 days, 3 hours, 29
> minutes ago)
>
> It will be one of the following scenarios:
>
> 1) It's a NAT firewall, in which case it is a NAT
>    in front of a machine that is infected with spam
>    sending spamware.
> 2) It's directly infested with spam sending spamware.
>
> This IP has or is NAT'ing for a gheg BOT infection
>
> Note that while this description may seem vague, be assured that
> there is NO POSSIBILITY that this listing was caused by any form
> of legitimate mail or network activity. Secondly, there is also
> NO POSSIBILITY that the IP address was spoofed. Thirdly, the
> presence or lack of anti-virus software in your mail server
> CANNOT and DOES NOT prevent this from happening, because most of
> these infections contain their own mail clients, and they bypass
> your mail server software.
>
> You will need to examine the machine for a virus or spam sending
> spyware/adware/worm.
>
> <truncated>
> ----------------------------------------------------------------------------------------------
>
---
Rich Matheisen
MCSE+I, Exchange MVP
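The two checks the thread circles around, as an added example that is not part of any post above: Rich's suggestion that some other host behind the shared NAT address may be sending SMTP directly, and the DNSBL lookup Jake would use to see whether his address is still listed on Spamhaus ZEN (which incorporates the CBL). The firewall log format, the internal addresses and the `FIREWALL_LOG` sample are all constructed for this example; the ZEN return-code ranges are Spamhaus's published ones.

```python
"""Added example, not from the thread: find hosts behind a NAT that send
SMTP directly (the infected-client scenario), and build the name queried
for a Spamhaus ZEN lookup. Log format and addresses are constructed."""
from collections import Counter
import ipaddress
import re

# Constructed firewall log lines in a hypothetical syslog-style format.
FIREWALL_LOG = """\
May 28 19:07:02 fw ALLOW TCP 192.168.1.10:51234 -> 203.0.113.25:25
May 28 19:07:05 fw ALLOW TCP 192.168.1.10:51240 -> 203.0.113.25:25
May 28 19:09:41 fw ALLOW TCP 192.168.1.57:49152 -> 198.51.100.7:25
May 28 19:09:42 fw ALLOW TCP 192.168.1.57:49153 -> 198.51.100.8:25
May 28 19:10:00 fw ALLOW TCP 192.168.1.57:49154 -> 198.51.100.9:25
May 28 19:10:30 fw ALLOW TCP 192.168.1.22:50000 -> 198.51.100.20:443
"""

LINE_RE = re.compile(
    r"ALLOW TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")

def outbound_smtp_by_source(log_text):
    """Count outbound connections to TCP/25 per internal source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "25":
            counts[m.group("src")] += 1
    return counts

def unexpected_smtp_senders(log_text, mail_servers):
    """Return {src: count} for hosts other than the sanctioned mail server(s)
    that reached port 25: a client bypassing Exchange and sharing its NAT IP."""
    return {src: n for src, n in outbound_smtp_by_source(log_text).items()
            if src not in mail_servers}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reversed-octet name for a DNSBL lookup (resolve it with an A query):
    203.0.113.25 -> 25.113.0.203.zen.spamhaus.org; NXDOMAIN means not listed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def describe_zen_answer(answer):
    """Map a ZEN A-record answer (127.0.0.x) to the sub-list that produced it."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):   return "SBL"
    if 4 <= last <= 7:   return "XBL (includes CBL)"
    if last in (10, 11): return "PBL"
    return "unknown"
```

Running `unexpected_smtp_senders(FIREWALL_LOG, {"192.168.1.10"})` on the sample flags 192.168.1.57, the kind of host the CBL's "NAT in front of an infected machine" scenario refers to; an XBL answer for the public address points at the CBL listing rather than the telnet test.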