In the Domino server's logfile, mail routing events, I found entries like these:
26-08-2010 05:20:42 SMTP Server: Remote host 113.169.158.82 (.) found in blacklist at zen.spamhaus.org
26-08-2010 05:20:42 SMTP Server: Message from 113.169.158.82 (.) rejected by DNS blacklist filter
26-08-2010 05:20:42 SMTP Server: . (113.169.158.82) connected
26-08-2010 05:20:44 SMTP Server: . (113.169.158.82) disconnected. 0 message[s] received
Entries like these repeat several times a day with different IP addresses, and this has been happening for some weeks. Also on Domino servers of customers.
When I do a trace route to such an IP address, it starts with the local host name of the computer where I perform the tracert and it ends at vdc.vn.
SMTP mail is working normally (till now!).
Is someone trying to hack these servers?
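To make entries like the ones quoted above easier to review, here is an added example (not code from the thread or from Domino) that parses the four "SMTP Server:" message shapes shown in the post and aggregates them per remote IP: DNSBL hits per zone, rejections, connections and messages actually received. The log lines are a constructed sample modelled on the post's format; the 198.51.100.7 host is made up for contrast, and the "(.)" in the real entries is taken here to mean the sender had no reverse DNS.

```python
import re
from collections import defaultdict

# Constructed sample in the Domino "SMTP Server:" format quoted in the post.
# 113.169.158.82 is the address from the post; 198.51.100.7 / mail.example.net
# is an invented legitimate sender used for contrast.
SAMPLE_LOG = """\
26-08-2010 05:20:42 SMTP Server: Remote host 113.169.158.82 (.) found in blacklist at zen.spamhaus.org
26-08-2010 05:20:42 SMTP Server: Message from 113.169.158.82 (.) rejected by DNS blacklist filter
26-08-2010 05:20:42 SMTP Server: . (113.169.158.82) connected
26-08-2010 05:20:44 SMTP Server: . (113.169.158.82) disconnected. 0 message[s] received
26-08-2010 09:11:03 SMTP Server: mail.example.net (198.51.100.7) connected
26-08-2010 09:11:05 SMTP Server: mail.example.net (198.51.100.7) disconnected. 2 message[s] received
26-08-2010 11:47:19 SMTP Server: Remote host 113.169.158.82 (.) found in blacklist at zen.spamhaus.org
26-08-2010 11:47:19 SMTP Server: Message from 113.169.158.82 (.) rejected by DNS blacklist filter
"""

# Outer line shape: "<dd-mm-yyyy hh:mm:ss> SMTP Server: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) SMTP Server: (?P<msg>.*)$")

# The four message shapes seen in the post. "(.)" / "." is an empty reverse name.
BLACKLIST_RE = re.compile(r"^Remote host (?P<ip>[\d.]+) \((?P<rdns>[^)]*)\) found in blacklist at (?P<zone>\S+)$")
REJECT_RE = re.compile(r"^Message from (?P<ip>[\d.]+) \((?P<rdns>[^)]*)\) rejected by DNS blacklist filter$")
CONNECT_RE = re.compile(r"^(?P<rdns>\S+) \((?P<ip>[\d.]+)\) connected$")
DISCONNECT_RE = re.compile(r"^(?P<rdns>\S+) \((?P<ip>[\d.]+)\) disconnected\. (?P<n>\d+) message\[s\] received$")

MESSAGE_KINDS = (
    ("blacklist", BLACKLIST_RE),
    ("reject", REJECT_RE),
    ("connect", CONNECT_RE),
    ("disconnect", DISCONNECT_RE),
)


def parse_events(text):
    """Turn raw log text into a list of event dicts; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        for kind, rx in MESSAGE_KINDS:
            em = rx.match(msg)
            if em:
                ev = em.groupdict()
                ev["kind"] = kind
                ev["ts"] = ts
                if "n" in ev:
                    ev["n"] = int(ev["n"])
                events.append(ev)
                break
    return events


def summarize(events):
    """Aggregate events per remote IP so repeat offenders stand out."""
    summary = defaultdict(lambda: {
        "blacklist_hits": {},      # zone -> count of "found in blacklist" lines
        "rejected": 0,             # "rejected by DNS blacklist filter" lines
        "connections": 0,          # "connected" lines
        "messages_received": 0,    # sum of "N message[s] received"
        "rdns": set(),             # reverse names the server logged for this IP
    })
    for e in events:
        s = summary[e["ip"]]
        s["rdns"].add(e["rdns"])
        if e["kind"] == "blacklist":
            s["blacklist_hits"][e["zone"]] = s["blacklist_hits"].get(e["zone"], 0) + 1
        elif e["kind"] == "reject":
            s["rejected"] += 1
        elif e["kind"] == "connect":
            s["connections"] += 1
        elif e["kind"] == "disconnect":
            s["messages_received"] += e["n"]
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(parse_events(SAMPLE_LOG)).items():
        print(ip, s)
```

Run against a real logfile, a host that shows up with repeated blacklist hits, a "." reverse name and zero messages received is the pattern the post describes: the DNSBL filter is doing its job, and the aggregate tells you how often a given source is returning.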
Subject: Unless you have contacts in Vietnam, it is probably spammers looking for an open relay . . .
Have a look at WHOIS for their IP (113.169.158.82) e.g. at Whois - IP Address - Domain Name Lookup
If you put an SMTP server onto the Internet you are going to see this from time to time. You could consider hiding behind a mail cleansing service (‘in front’ of your SMTP server) e.g. Message Labs.
Subject: Resolves to a local host
Thanks for your reply. I checked the IP address and found this:
IP Address: 113.167.67.115
Host: localhost
Location: VN VN, Vietnam
Organization: VietNam Post and Telecom Corporation
The host "localhost" seems strange to me, because when I resolve our organisation's IP address, I find our ADSL provider's host.
I also find this strange because the mail server with this issue seems to resolve the IP address 113.167.67.115 to our local host:
Remote host 113.167.67.115 (<our server’s hostname>..local).
Subject: Could be forged DNS data (but IPs still work)
A quick check using some tools shows they did not like the DNS responses:
Trace 113.167.67.115 …
1 192.168.1.1 2ms 0ms 1ms TTL: 0 (No rDNS)
…
6 80.91.247.103 193ms 193ms 194ms TTL: 0 (hnk-b1-link.telia.net probable bogus rDNS: No DNS)
7 213.248.93.118 194ms 228ms 193ms TTL: 0 (vptc-ic-130050-hnk-b1.c.telia.net ok)
8 No Response * * *
9 No Response * * *
10 No Response * * *
11 123.29.6.86 510ms 495ms 499ms TTL: 0 (vdc.vn fraudulent rDNS)
12 113.167.67.115 520ms 498ms 515ms TTL:243 (localhost fraudulent rDNS)
but according to APNIC the IP block is registered to VietNam Post and Telecom Corporation:
role: VDC IPADMIN GROUP
address: Internet Building, Block II, Thang Long Inter Village
address: Nguyen Phong Sac str, Cau Giay Dist, Ha Noi
country: VN
phone: +84-912-800008
fax-no: +84-4-9430427
e-mail: hathm@vdc.com.vn
trouble: send spam reports to abuse@vdc.com.vn
trouble: and abuse reports to abuse@vnn.vn
so try starting with them since it's their IP block.
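The "localhost" reverse name the poster saw, the "<our server's hostname>..local" the Domino server logged, and the "fraudulent rDNS" annotations in the trace above are all the same class of problem: the PTR record the remote network publishes for its address does not survive a plausibility check. The following is an added example (not code from the thread or from any of the tools mentioned) of such a check. It flags an empty reverse name, a PTR of "localhost", a PTR ending in ".local", a PTR that claims your own domain for a public address, and a forward-confirmed rDNS (FCrDNS) mismatch, where the name's A records do not include the address it came from. The forward resolver is passed in, so the block runs offline against a constructed lookup table; in production you would pass a function that does real A lookups (for example via `socket.gethostbyname_ex`). The 113.x addresses are those from the thread; the names mapped in the table are constructed.

```python
import ipaddress

# Constructed forward-lookup table standing in for real DNS A queries.
# Only names deliberately placed here resolve; everything else returns no addresses.
FAKE_FORWARD_TABLE = {
    "localhost": ["127.0.0.1"],
    "mail.example.net": ["198.51.100.7"],
}


def fake_forward_lookup(name):
    """Stub for an A-record lookup; returns a list of IPv4 strings (constructed)."""
    return list(FAKE_FORWARD_TABLE.get(name, []))


def check_rdns(ip, ptr_name, forward_lookup, own_domain=None):
    """Return a list of finding codes for a (remote IP, reverse name) pair.

    ip            -- the connecting address as logged, e.g. "113.167.67.115"
    ptr_name      -- the reverse name the mail server logged; "." or "" means none
    forward_lookup-- callable name -> list of IP strings (injected so this runs offline)
    own_domain    -- your own DNS suffix; a public address claiming it is suspicious
    """
    findings = []
    addr = ipaddress.ip_address(ip)

    # Domino logs "(.)" when the PTR lookup returned nothing at all.
    if ptr_name in ("", "."):
        findings.append("no-rdns")
        return findings

    name = ptr_name.rstrip(".").lower()

    # A public address whose PTR says "localhost" is either misconfigured or deliberate.
    if name == "localhost" or name.endswith(".localhost"):
        findings.append("localhost-rdns")

    # ".local" is reserved for link-local mDNS names and should never be published
    # as the PTR of a globally routable address.
    if name.endswith(".local"):
        findings.append("link-local-suffix")

    # A remote, globally routable host presenting a name under our own domain.
    if own_domain:
        suffix = own_domain.rstrip(".").lower()
        if (name == suffix or name.endswith("." + suffix)) and addr.is_global:
            findings.append("claims-our-domain")

    # Forward-confirmed reverse DNS: the PTR name must resolve back to this address.
    if ip not in set(forward_lookup(name)):
        findings.append("fcrdns-mismatch")

    return findings


if __name__ == "__main__":
    own = "example-corp.local"  # constructed stand-in for the poster's internal suffix
    for ip, ptr in [("113.169.158.82", "."),
                    ("113.167.67.115", "localhost"),
                    ("113.167.67.115", "mailhost.example-corp.local"),
                    ("198.51.100.7", "mail.example.net")]:
        print(ip, ptr, "->", check_rdns(ip, ptr, fake_forward_lookup, own))
```

Nothing in this check blocks anything on its own; it is a triage aid. A sender that fails FCrDNS and also hits a DNSBL, as in the posted log, is exactly the traffic the existing filter is already rejecting, and the findings give you a concise reason to record alongside the abuse contact from the APNIC record when reporting it.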