Cerulean ([H]F Junkie)
So my supervisor sent me an e-mail linking to a spamcop.net page that contained the following:
255.255.255.255 = external internet IP address of our firewall at Rackspace; I made it up so as to hide our actual external IP and not publish it here on the forums in public
Here is the full message:
SpamCop v 4.7.0.111 © 1992-2013 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Return-Path: [email protected]
Received: from [255.255.255.255] ([255.255.255.255])
by mail.kabis.net
; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
(envelope-from <[email protected]>)
id 58XHC1-6S0Q7J-W2
for <x>
Cc: <x>; Fri, 15 Mar 2013 09:48:25 -0600
To: <x>
Cc: <x>
Subject: Direct Deposit payment ID 437915564773 rejected
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
From: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Sender: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------09050200507010303040808"
Message-Id: <[email protected]>
Date: Fri, 15 Mar 2013 09:48:25 -0600
Parsing header:
0: Received: from [255.255.255.255] ([255.255.255.255]) by mail.kabis.net ; Fri, 15 Mar 2013 08:48:25 -0700
No unique hostname found for source: 255.255.255.255
kabis.org received mail from sending system 255.255.255.255
Tracking message source: 255.255.255.255:
Routing details for 255.255.255.255
Cached whois for 255.255.255.255 : [email protected]
Using abuse net on [email protected]
abuse net rackspace.com = [email protected]
Using best contacts [email protected]
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Fri, 15 Mar 2013 08:48:25 -0700
Message is 4.0 days old
255.255.255.255 not listed in dnsbl.njabl.org ( 127.0.0.8 )
255.255.255.255 not listed in dnsbl.njabl.org ( 127.0.0.9 )
255.255.255.255 listed in cbl.abuseat.org ( 1 )
255.255.255.255 is an open proxy
255.255.255.255 not listed in accredit.habeas.com
255.255.255.255 not listed in plus.bondedsender.org
255.255.255.255 not listed in iadb.isipp.com
Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha
Tracking link: http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha
No recent reports, no history available
Host twowaysociety.nl (checking ip) = 85.158.203.17
Resolves to 85.158.203.17
Routing details for 85.158.203.17
Cached whois for 85.158.203.17 : [email protected]
Using abuse net on [email protected]
No abuse net record for cyso.net
Using best contacts [email protected]
Finding IP block owner:
Routing details for 255.255.255.255
Cached whois for 255.255.255.255 : [email protected]
Using abuse net on [email protected]
abuse net rackspace.com = [email protected]
Using best contacts [email protected]
Reports regarding this spam have already been sent:
Re: 255.255.255.255 (Administrator of network where email originates)
Reportid: 5924088135 To: [email protected]
If reported today, reports would be sent to:
Re: 255.255.255.255 (Administrator of IP block - statistics only)
[email protected]
Re: http://twowaysociety.nl/wp-content/plugins/wp_m... (Administrator of network hosting website referenced in spam)
[email protected]
Here is the full message:
Return-Path: [email protected]
Received: from [255.255.255.255] ([255.255.255.255])
by mail.kabis.net
; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
(envelope-from <[email protected]>)
id 58XHC1-6S0Q7J-W2
for <x>
Cc: <x>; Fri, 15 Mar 2013 09:48:25 -0600
To: <x>
Cc: <x>
Subject: Direct Deposit payment ID 437915564773 rejected
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
From: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Sender: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------09050200507010303040808"
Message-Id: <[email protected]>
Date: Fri, 15 Mar 2013 09:48:25 -0600
This is a multi-part message in MIME format.
--------------09050200507010303040808
Content-Type: text/plain; charset="us-ascii"; format=flowed
Attn: Chief Accountant

We regret to inform you, that your most recent Direct Deposit via ACH transaction (Int. No.563699049977) was rejected,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please refer to your financial institution to acquire your updated version of the software needed.

Sincerely yours

ACH Network Rules Department
NACHA - The Electronic Payments Association

19777 Sunrise Valley Drive, Suite 336
Herndon, VA 20170
Phone: 703-561-6679 Fax: 703-787-3660
--------------09050200507010303040808
Content-Type: text/html; charset="windows-1250"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#ffffff" text="#000000">
Attn: Chief Accountant<BR><BR>
We regret to inform you, that your most recent Direct Deposit via ACH transaction (Int. No.563699049977) was rejected,because your business software package was out of date. The details regarding this matter are available in our secure section::<BR><BR>
<a href="http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha" title="Details">Click here for more information</a>
<BR><BR>
Please refer to your financial institution to acquire your updated version of the software needed.
<BR><BR>
Sincerely yours
<BR><BR>
ACH Network Rules Department<BR>
NACHA - The Electronic Payments Association<BR>
<BR><BR>
19777 Sunrise Valley Drive, Suite 336<BR>
Herndon, VA 20170<BR>
Phone: 703-561-6679 Fax: 703-787-3660<BR>
</body>
</html>
--------------09050200507010303040808--
According to my supervisor, our IP address is not shared with anyone else and belongs to our own private pool at Rackspace. Behind this IP = only our equipment. We have a big vSphere-based setup in this private pool.
This is my question: how should I trace this down, since all I have is that 4 days ago some spam left 255.255.255.255? While spamcop.net says 255.255.255.255 is an open relay, my supervisor says this is not true, as he had checked the firewall device (255.255.255.255) to make sure ports were locked down and that there wasn't anything strange.
I did an Intense Scan + TCP and UDP port scan on 255.255.255.255 from my laptop at my apartment, and it found literally nothing (0/zero/nada/zilch). I can't do it from my work laptop because ICMP seems to be blocked when I try to scan 255.255.255.255 from the inside of the network (I might get different results if I do it from one of the VMs, which I will proceed to do soon).
EDIT: I can tell you that we do have an Exchange server, but we are not using it for real e-mail yet because we have yet to do a migration from our very old IceWarp server (which runs off a totally different external IP and subnet, and is physically located at a local DC in town). In addition, every week we reset all our VDIs.
EDIT2: My supervisor has observed this to happen unpredictably. It might send out a handful of messages one day, and then go dark for 5-7 or so days before doing it again. Every time it is a different message, and to a different recipient.
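The trace the post asks for has two parts. First, the only fact a report like this one establishes is the outermost Received: header, because mail.kabis.net wrote that one itself: the TCP peer was 255.255.255.255 at 08:48:25 -0700 (15:48:25 UTC). Everything below it (the "from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)" hop, the X-PHP-Script line) was supplied by whatever connected out through the firewall and cannot be trusted. Second, a NAT firewall knows which inside address it translated to 255.255.255.255 for an outbound TCP/25 connection at that instant, so the firewall's connection/NAT log is where the internal host is found, not an external port scan (which only shows what listens inbound). The example below is added here and is not code from the original post or from SpamCop; it parses the headers condensed from the report above (redacted addresses replaced by placeholders) and searches a constructed, made-up NAT log. The log's line format, the internal 10.20.30.x addresses and the choice of 10.20.30.5 as the legitimate mail server are all assumptions for illustration.

```python
"""Trace a SpamCop-style report back to the internal host behind a NAT firewall.

Added example (not from the original post or SpamCop).  Headers are condensed
from the quoted report with placeholder addresses; the NAT log, its format and
every 10.20.30.x address are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Relevant headers from the report (placeholders stand in for redacted addresses).
SPAMCOP_HEADERS = """\
Return-Path: <placeholder@example.invalid>
Received: from [255.255.255.255] ([255.255.255.255])
    by mail.kabis.net
    ; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
    (envelope-from <placeholder@example.invalid>)
    id 58XHC1-6S0Q7J-W2
    for <x>; Fri, 15 Mar 2013 09:48:25 -0600
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
X-Mailer: PHP
Subject: Direct Deposit payment ID 437915564773 rejected
"""

# Constructed firewall NAT log (UTC).  Real devices log differently; adapt
# NAT_LINE.  10.20.30.5 plays the (assumed) legitimate Exchange server.
NAT_LOG = """\
2013-03-15T15:40:02Z SNAT src=10.20.30.17 dst=203.0.113.9 proto=tcp spt=51123 dpt=443 newsrc=255.255.255.255
2013-03-15T15:48:21Z SNAT src=10.20.30.44 dst=198.51.100.25 proto=tcp spt=40211 dpt=25 newsrc=255.255.255.255
2013-03-15T15:48:25Z SNAT src=10.20.30.44 dst=198.51.100.77 proto=tcp spt=40212 dpt=25 newsrc=255.255.255.255
2013-03-15T15:49:10Z SNAT src=10.20.30.5 dst=192.0.2.10 proto=tcp spt=39001 dpt=25 newsrc=255.255.255.255
2013-03-15T16:30:00Z SNAT src=10.20.30.44 dst=192.0.2.33 proto=tcp spt=40300 dpt=80 newsrc=255.255.255.255
"""


def received_hops(raw_headers):
    """Return the Received: chain, outermost (most recently added) hop first.

    'peer' is the bracketed address the receiving MTA recorded for its TCP
    peer.  Only the hop added by the reporter's own MTA is trustworthy; every
    hop below it was written by the sender and may be forged.
    """
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)(?:\s+\((\S+?)\))?\s+by\s+(\S+)", value)
        date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "from": m.group(1) if m else None,
            "peer": (m.group(2) or m.group(1)).strip("[]") if m else None,
            "by": m.group(3) if m else None,
            "when": parsedate_to_datetime(date_part).astimezone(timezone.utc)
                    if date_part else None,
        })
    return hops


def trusted_source(hops):
    """The one fact the report establishes: connecting IP and UTC time."""
    return hops[0]["peer"], hops[0]["when"]


NAT_LINE = re.compile(
    r"^(?P<ts>\S+) SNAT src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"spt=\d+ dpt=(?P<dpt>\d+)")


def outbound_smtp_sources(nat_log, when, window_minutes=5, legit_mail_hosts=()):
    """Count inside hosts that opened outbound TCP/25 within +/- window_minutes
    of 'when', ignoring hosts that are allowed to send mail."""
    window = timedelta(minutes=window_minutes)
    suspects = Counter()
    for line in nat_log.splitlines():
        m = NAT_LINE.match(line)
        if not m or m["proto"] != "tcp" or m["dpt"] != "25":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(ts - when) <= window and m["src"] not in legit_mail_hosts:
            suspects[m["src"]] += 1
    return suspects


def trace(raw_headers, nat_log, legit_mail_hosts=()):
    """Combine both steps: trusted peer/time from the headers, then NAT suspects."""
    hops = received_hops(raw_headers)
    peer, when = trusted_source(hops)
    return {
        "peer": peer,
        "when_utc": when.isoformat(),
        "untrusted_hops": [h["by"] for h in hops[1:]],
        "suspects": outbound_smtp_sources(nat_log, when, legit_mail_hosts=legit_mail_hosts),
    }


if __name__ == "__main__":
    print(trace(SPAMCOP_HEADERS, NAT_LOG, legit_mail_hosts={"10.20.30.5"}))
```

On the constructed log this singles out 10.20.30.44, which made two outbound port-25 connections in the minutes around the report's timestamp while the assumed Exchange host is excluded. If the firewall does not keep NAT or connection logs, the practical move is an egress rule that denies TCP/25 from everything except the real mail server and logs each hit; the next burst then names the host. Because the VDIs are reset weekly, map the inside address to a VM through DHCP leases or the vSphere inventory as of that timestamp rather than as of today. Two caveats: the "open proxy" line in the report is SpamCop's summary of the cbl.abuseat.org listing printed just above it, which comes from observed sending behaviour and not from a port scan, so a clean external scan does not contradict it; and the inner Received: hop naming cabrioletrepuestos.com.ar is exactly the kind of header a sender can write for itself, so it should not be read as proof that the mail passed through that domain.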