Mail server on a T-Business line listed in CBL

basstscho

Registered User
Hello everyone,

I would like to run a mail server on a T-Business DSL line with a static IP. Unfortunately I have just received an error from a receiving mail server saying that the mail was blocked because of cbl.abuseat.org; this is the message text:

This IP is infected with, or is NATting for a machine infected with s_other

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_other Command and Control server, with contents unique to s_other C&C command protocols.

To find these infections, search for TCP/IP connections going to IP address 87.255.51.229 or 82.165.47.44, usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-12-27 05:59:24 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall it, your IPs will remain infected, and they will still be able to download from real command & control servers run by the bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

It is correct that port 25 is forwarded to the mail server via NAT. Is that a problem?

In principle I would still have the option of using Telekom's relay server, or a relay server of my own, to send the emails. How do I then configure the MX settings? Currently they point to the hostname of the static IP. If I now send an email through a relay server that has no MX record in DNS (I don't want to receive mail through it), am I not just creating another problem for myself? Or is it generally not checked whether a sending mail server also has an MX record for the domain? I thought that with SPF records this sort of thing is now also taken into account.

Many thanks for your help,
Johannes
 
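The CBL text above asks the operator to instrument the firewall so that it reports which internal machine is contacting the sinkhole addresses, on any port. The following script is an added example, not part of the original post or of CBL's own tooling: it parses Linux iptables LOG lines (the kernel's `SRC=... DST=... PROTO=... DPT=...` format) and groups every contact with the two sinkhole IPs named in the listing by internal source address. The log lines are constructed sample data; the interface names, the `FWD-OUT:` log prefix and the internal 192.168.1.x addresses are assumptions.

```python
import re
from collections import defaultdict

# Sinkhole addresses quoted in the CBL listing text above.
SINKHOLE_IPS = {"87.255.51.229", "82.165.47.44"}

# Constructed sample log: iptables LOG output from the FORWARD chain of a
# NAT gateway. Logging on FORWARD (before masquerading) is what makes the
# internal, pre-NAT source address visible in SRC=.
SAMPLE_LOG = """\
Dec 27 06:59:24 gw kernel: [12345.678] FWD-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=87.255.51.229 LEN=60 PROTO=TCP SPT=49152 DPT=443 SYN
Dec 27 06:59:31 gw kernel: [12352.001] FWD-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=50000 DPT=80 SYN
Dec 27 07:02:05 gw kernel: [12506.110] FWD-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=82.165.47.44 LEN=60 PROTO=TCP SPT=49160 DPT=8080 SYN
Dec 27 07:10:44 gw kernel: [13025.400] FWD-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=87.255.51.229 LEN=60 PROTO=UDP SPT=5353 DPT=53
"""

# key=value fields we care about; SPT= is deliberately excluded because the
# listing says to look at all destination ports, not source ports.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
# Leading syslog timestamp, e.g. "Dec 27 06:59:24".
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")


def parse_line(line):
    """Extract the iptables fields from one log line, or None if it has
    no SRC/DST pair (i.e. is not a packet log line)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = TS_RE.match(line)
    fields["TS"] = m.group(1) if m else ""
    return fields


def find_sinkhole_contacts(log_text, sinkholes=SINKHOLE_IPS):
    """Return {internal_src: [(timestamp, dst, proto, dport), ...]} for
    every logged attempt to reach a sinkhole address, regardless of
    protocol or destination port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["DST"] in sinkholes:
            hits[f["SRC"]].append(
                (f["TS"], f["DST"], f.get("PROTO", "?"), f.get("DPT", "?"))
            )
    return dict(hits)


if __name__ == "__main__":
    # Each listed host is a candidate for the infected machine behind NAT.
    for src, events in find_sinkhole_contacts(SAMPLE_LOG).items():
        print(f"{src}: {len(events)} sinkhole contact(s)")
        for ts, dst, proto, dport in events:
            print(f"  {ts}  -> {dst} {proto}/{dport}")
```

On the sample data the script reports 192.168.1.23 (two contacts, TCP/443 and TCP/8080) and 192.168.1.42 (one UDP/53 contact); the host talking only to an unrelated address is not reported. Because the listing warns against blocking the sinkholes, the matching iptables rule would be a LOG-only rule on the FORWARD chain, not a DROP, so the traffic is recorded but not hidden.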
Have you actually checked the main point of that message with every means available to you? Namely, that you have a TROJAN on the machine???? :eek:

As long as that suspicion has not been cleared up, you don't need to bother with anything else at all, except perhaps whether your SMTP server is an "open relay" and is merrily sending out spam.
 