Help finding which computer is causing us to be blacklisted?

eggedd2k

According to a number of Internet DNS blacklists, at 9am today a
computer on our customer's network sent out enough spam to land us on
a blacklist. They don't say which internal computer in particular,
just that it came from our network's IP address.

I've done two different virus scans plus a Malwarebytes scan on every
single computer on the network (20 of them) plus on our server. No
viruses, no malware found whatsoever.

There's obviously something on one of the computers causing this
problem, but I don't want to request delisting from the blacklists
until I'm absolutely sure I've fixed the problem computer.

Is there anything else I can try? Checking 21 systems, as you'd expect,
is a big job!

I have some packet monitoring software on the server but there's
nothing obvious appearing in the logs (unless I need to look for
something specific).

I've checked and double checked to make sure we don't have an open
relay either - which we don't.

Thanks in advance!
 
eggedd2k

I have installed Wireshark on the server (gateway). What should I be
looking for in particular?
 
David W. Hodgins

According to a number of Internet DNS blacklists, at 9am today a
computer on our customer's network sent out enough spam to land us on
a blacklist. They don't say which internal computer in particular,
just that it came from our network's IP address.

Which IP address, and which blocklist? The IP you're posting from belongs
to as43234.net

Some blocklists provide more information. For example
http://www.uceprotect.net/en/rblcheck.php?asn=43234
shows AS43234 - CPWBBSERV-AS Carphone Warehouse Broadband Services
has 3,083 IP addresses that have sent enough spam to spamtraps, in the
last seven days, to get listed. One of the ranges, 92.0.0.0/13, has sent
enough spam that the entire /13 is now listed.

The above URL allows you to check by individual IP address, or by
the ASN.
 
eggedd2k

In terms of how they have their server and internet configured, they
have the server (2k3 SBS), which the workstations have as their gateway
IP for internet access; the server in turn is configured (originally
via the internet setup wizard) to send internet traffic on to a
Draytek Vigor 2500 series router.

I have installed Wireshark on their server. Presumably my next step
is to monitor traffic for a period of time and then filter it to show
TCP ports 21 and 25 OUTBOUND?

These are the blacklists they're on:

CBL LISTED Blocked - see Detail
Return codes were: 127.0.0.2 3600 969
DNSBLNETAUT1 LISTED Blocked - see Detail
Return codes were: 127.0.0.2 10800 1984
LASHBACK LISTED Sender has sent to LashBack Unsubscribe Probe
accounts
Return codes were: 127.0.0.2 3600 1812
MSRBL-Combined LISTED Virus Sending Host - see Detail
Return codes were: 127.1.0.2 2100 1781
MSRBL-Viruses LISTED Virus Sending Host - see Detail
Return codes were: 127.1.0.2 2100 1765
RATS-Dyna LISTED SPAMRATS IP Addresses See: Detail
Return codes were: 127.0.0.36 3600 1672
Spamhaus-ZEN LISTED Detail
Return codes were: 127.0.0.4 1800 1562


This is the extra info that MSRBL gave me - seems like a particular
email:

Return-Path: <EMAIL@REMOVED>
Received: from host217-41-16-85.in-addr.btopenworld.com
(host217-41-16-85.in-addr.btopenworld.com [217.41.16.85])
by smtp.sd73.bc.ca (Postfix) with ESMTP id 2C67C1A000B11
for <EMAIL@REMOVED>; Wed, 27 Aug 2008 02:12:57 -0700 (PDT)
Received: from [217.41.16.85] by mx0.arionboard.de; Wed, 27 Aug 2008
11:52:11 +0000
Date: Wed, 27 Aug 2008 11:52:11 +0000
From: <EMAIL@REMOVED>
X-Mailer: The Bat! (v3.5.25) Professional
Reply-To: <EMAIL@REMOVED>
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: <EMAIL@REMOVED>
Subject: Corel draw! just at best price
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------CDACD39B0946731"


Thanks again for all your help so far!
 
eggedd2k

For info, here is part of our NAT table log:

-------------------------------------------------------------------------
Private IP :port  #Pseudo Port  Peer IP :port  Ifno  Status
-------------------------------------------------------------------------
192.168.0.37 1752 34814 216.178.7.253 25 3 0
192.168.0.254 51174 34881 213.123.26.23 110 3 0
192.168.0.37 2451 33602 67.96.97.67 25 3 0
192.168.0.37 2763 33616 208.42.184.11 25 3 0
192.168.0.37 1753 32967 216.178.7.253 25 3 0
192.168.0.37 4369 33147 66.118.65.197 25 3 0
192.168.0.254 47079 33148 213.123.26.23 110 3 0
192.168.0.37 1048 35193 206.190.53.191 25 3 0
192.168.0.37 1451 33421 72.16.164.44 25 3 0
192.168.0.37 1812 34659 64.71.166.195 25 3 0
192.168.0.14 2413 34396 195.55.72.130 443 3 0
192.168.0.37 2523 34931 216.178.7.253 25 3 0
192.168.0.37 4315 33427 216.178.7.253 25 3 0
192.168.0.37 3345 34458 12.71.144.199 25 3 0
192.168.0.37 4651 34163 72.66.23.173 25 3 0
192.168.0.37 3903 35182 193.252.22.153 25 3 0
192.168.0.37 4001 35070 149.174.40.55 25 3 0
192.168.0.37 1499 34849 216.178.7.253 25 3 0
192.168.0.37 1227 33779 69.49.109.14 25 3 0
192.168.0.37 2524 34087 216.178.7.253 25 3 0
192.168.0.37 2012 35059 216.178.7.253 25 3 0
192.168.0.37 4316 33361 216.178.7.253 25 3 0
192.168.0.37 3277 33018 68.75.244.12 25 3 0
192.168.0.37 1050 33219 206.190.53.191 25 3 0
192.168.0.37 3946 35188 66.113.1.111 25 3 0
192.168.0.37 2175 33002 64.164.137.90 25 3 0
192.168.0.37 1346 34668 64.129.101.151 25 3 0
192.168.0.37 2494 35250 216.157.145.27 25 3 0
192.168.0.37 4060 33342 216.178.7.253 25 3 0
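As an added example (not code from the thread), a short Python script that parses a NAT table dump in the seven-column layout shown above and ranks internal hosts by how many distinct outside mail servers they contacted on TCP/25. The sample rows are constructed to match the log format; the 192.168.0.12 and 198.51.100.7 entries are made up for contrast.

```python
"""Rank internal hosts by outbound SMTP (TCP/25) activity in a NAT table dump."""
from collections import defaultdict

# Constructed sample in the same seven-column layout as the NAT table log above:
# private IP, private port, pseudo port, peer IP, peer port, ifno, status.
# 192.168.0.12 / 198.51.100.7 are made-up entries, not from the thread.
SAMPLE_NAT_LOG = """\
-------------------------------------------------------------------------
Private IP :port  #Pseudo Port  Peer IP :port  Ifno  Status
-------------------------------------------------------------------------
192.168.0.37 1752 34814 216.178.7.253 25 3 0
192.168.0.254 51174 34881 213.123.26.23 110 3 0
192.168.0.37 2451 33602 67.96.97.67 25 3 0
192.168.0.14 2413 34396 195.55.72.130 443 3 0
192.168.0.37 2763 33616 208.42.184.11 25 3 0
192.168.0.254 47079 33148 213.123.26.23 110 3 0
192.168.0.37 1753 32967 216.178.7.253 25 3 0
192.168.0.12 3301 33900 198.51.100.7 25 3 0
"""

def parse_nat_log(text):
    """Yield (private_ip, peer_ip, peer_port) for each data row; header and rule lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[0][0].isdigit():
            continue
        yield fields[0], fields[3], int(fields[4])

def smtp_peers_by_host(text, port=25):
    """Map each private IP to the set of distinct peers it contacted on `port`."""
    peers = defaultdict(set)
    for src, dst, dport in parse_nat_log(text):
        if dport == port:
            peers[src].add(dst)
    return peers

def rank_smtp_senders(text, port=25):
    """Return [(private_ip, distinct_peer_count)], most suspicious first.
    A workstation talking to many different mail servers on port 25, instead of
    one relay, is the usual signature of a spam bot sitting behind NAT."""
    peers = smtp_peers_by_host(text, port)
    return sorted(((ip, len(p)) for ip, p in peers.items()), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    for ip, n in rank_smtp_senders(SAMPLE_NAT_LOG):
        print(f"{ip:15} -> {n} distinct SMTP peers")
```

The same per-host count can be built from a Wireshark capture on the gateway by applying the display filter `tcp.dstport == 25` and reading off the source addresses.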
 
