[vcf-midatlantic] OT: help needed with network problem

Ethan O'Toole telmnstr at 757.org
Mon Mar 28 15:29:40 UTC 2022


Make sure none of your user accounts are compromised. On 757.org we had 
one of the user's accounts get popped and outsiders were slow rolling 
spams through it.

Are you running web services on it? That is another potential point of 
entry. Outdated wordpress plugins and wordpress accounts, stuff like that.

It's a PITA to troubleshoot. And a PITA to get removed from blocks, 
especially O365 and Google.

- Ethan


On Mon, 28 Mar 2022, William Dudley via vcf-midatlantic wrote:

> This has naught to do with vintage computers, but I need help,
> and this audience likely has one or more folks who can help.
>
> I run my own mail server; I have for many years.
> Lately, spamhaus.org has blocked me for ONE suspect
> email from my network.
>
> Here is ALL the bad activity from my IP for the last three months:
>
> (IP address, timestamp (UTC), and HELO string)
> 98.109.205.15 2022-03-28 10:15:00 instructure.com
> 98.109.205.15 2022-03-15 08:05:00 instructure.com
> 98.109.205.15 2022-01-21 16:10:00 localhost
>
> It's a funny kind of malware that sends two messages 15 days apart.
>
> I can't figure out where it's coming from, and my knowledge of
> iptables and tcpdump is insufficient to do the following jobs:
>
> 1. figure out where this bad email is coming from
> 2. block port 25 outbound at my firewall except from
> the ONE machine authorized to send email.
>
> I am willing to PAY for help with this.
>
> Email me if you think you can help and would like to try.
>
> Thanks,
> Bill Dudley
>
> This email is free of malware because I run Linux.
>
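The two jobs Bill lists (find which LAN host is emitting the mail, then allow outbound port 25 only from the one authorized mail server) as an added example; this is not code from the thread or the list, and the mail server address, interface name and log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (constructed values):
#   MAIL_SERVER  the single LAN host allowed to send mail directly
#   LAN_IF       the firewall's inside interface
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"
LAN_IF="${LAN_IF:-eth1}"

# Print the iptables commands for review; pipe the output into sh to apply.
# Only SYN packets are matched, so each connection attempt yields one log line.
smtp_egress_rules() {
  cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -i $LAN_IF -p tcp --dport 25 --syn -j SMTP_EGRESS
iptables -A OUTPUT -p tcp --dport 25 --syn -j SMTP_EGRESS
iptables -A SMTP_EGRESS -s $MAIL_SERVER -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP_EGRESS_DROP: "
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
}

# Print a tcpdump command that shows port-25 connection attempts from any
# host other than the mail server, for watching live before the rules exist.
smtp_tcpdump_cmd() {
  printf "tcpdump -ni %s 'tcp[tcpflags] & tcp-syn != 0 and tcp dst port 25 and not src host %s'\n" \
    "$LAN_IF" "$MAIL_SERVER"
}

# Read kernel log lines on stdin and count dropped attempts per LAN source,
# most frequent first, one line per "<count> <src> <dst>".
smtp_log_sources() {
  grep 'SMTP_EGRESS_DROP:' \
    | sed -n 's/.*SRC=\([0-9.]*\).*DST=\([0-9.]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Constructed sample lines in the format the LOG target writes to syslog/journal.
SAMPLE_LOG='Mar 28 10:15:00 fw kernel: SMTP_EGRESS_DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=25 SYN
Mar 28 10:15:02 fw kernel: SMTP_EGRESS_DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51235 DPT=25 SYN
Mar 28 10:15:03 fw kernel: SMTP_EGRESS_DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=25 SYN
Mar 28 10:16:00 fw kernel: SMTP_EGRESS_DROP: IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=25 SYN
Mar 28 10:16:01 fw kernel: unrelated line SRC=10.0.0.1 DST=10.0.0.2 DPT=25'

case "${1:-}" in
  rules)   smtp_egress_rules ;;
  tcpdump) smtp_tcpdump_cmd ;;
  sources) smtp_log_sources ;;   # e.g. journalctl -k | sh smtp_egress.sh sources
  demo)    printf '%s\n' "$SAMPLE_LOG" | smtp_log_sources ;;
esac
```

Once the rules are in place, the SRC address that keeps showing up in the log is the machine to inspect; the REJECT with a TCP reset also stops further spam leaving the network while that is done.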

