Linux – Weird CBL blacklisting (cutwail spambot ?!)

Tags: blacklist, email, linux

I have a weird problem and I wonder if anyone can help me as I really don't know what else to do.

I'm administering a Linux server (Fedora 17) for an SMB company (~100 LAN computers). This server handles e-mail (Postfix), DNS, Web, FTP, SQL, etc.

To cut the story short, the problem started two days ago, when I noticed that we were blacklisted on cbl.abuseat.org. I was surprised because I've been administering many servers for many big/medium companies in the course of more than 8 years, so I THOUGHT that I knew a thing or two about e-mail security… apparently I was wrong.

First of all, a few details: The e-mail server's IP has a PTR (RDNS) record, and I've configured SPF, DomainKeys, DKIM, DMARC, greylisting. Ports 25 and 53 (TCP/UDP) are blocked for all computers inside the LAN, and logging is activated. When I checked the log, there was NOTHING. No computers inside the LAN were trying to send e-mail. But then I checked CBL and this is what their message says:

> This IP is infected () with the cutwail spambot. In other words, it's participating in a botnet.
> We have two methods for detecting cutwail. One of the methods is by detecting the spams that cutwail sends. The other method does not work that way. This means that even if you block outbound port 25 from non-mail-servers on your local network, we can still detect a cutwail infection on your local network. This means that if you implement port 25 restrictions, you should implement logging so that you can detect what internal machines are being blocked by it and are thereby probably cutwail infections.

So… let me get this straight: even if the infected computer can't send forged e-mail, my IP will still be blacklisted? OK, I was pretty angry at first, but, having a few more public IPs, I immediately NATed the whole LAN on a whole different public IP, just to clear the first one so I'd have more time to investigate. As expected, the second IP was blacklisted in a matter of minutes and I also removed the first IP from the blacklist. Let's assume that 88.88.88.88 is the first IP and 88.88.88.89 is the second IP.
So now my POSTROUTING in iptables looked something like:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.11.0/24 -j SNAT --to-source 88.88.88.89

So, you would think that the first IP, which is also listed as MX, should be safe now, right? WRONG… After 3 hours the first IP was listed again, even though, like I said, the whole LAN is NATed through the second one now.
I was starting to think that the server had been compromised, but after thorough checking (tripwire, wireshark, netstat, etc.) I've eliminated this possibility. I've also tried delisting the IP again after 12 hours and, yet again, after a few hours it was relisted. Oh, I forgot to add that we also scanned a few computers inside the LAN (the ones that we thought were suspicious), but we found no infection using 3 different antivirus software products.
Does anyone have a clue about what could cause this, because I really don't know what else to try. Thank you!

Best Answer

The problem has been solved. Indeed, there was a computer inside the network with strange HTTP/DNS requests and, after running a few AV programs, two trojans were found and removed, and then blacklisting stopped. I'm assuming that the first IP (which was also the main DNS server) continued to be blacklisted because of the strange DNS requests to various worldwide IPs.
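An added triage script, not from the original post or from CBL, for the situation the accepted answer describes: it reads BIND-style query-log lines from the LAN's recursive DNS server and flags clients that perform MX lookups although they are not the mail server, or that resolve an unusually large number of distinct domains. The log line shape, the address 192.168.11.1 as the mail/DNS server, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed BIND 9 querylog shape (constructed, not taken from the original post):
#   <timestamp> client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) "
)

# Assumed: the only LAN host that legitimately resolves MX records is the mail server.
MAIL_SERVER = "192.168.11.1"

def registered_domain(name):
    """Collapse a queried name to its last two labels (good enough for a triage report)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def analyse(lines, mx_limit=0, domain_limit=20):
    """Return {client_ip: [reasons]} for LAN clients whose DNS behaviour looks like a spambot."""
    stats = defaultdict(lambda: {"mx": 0, "domains": set()})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a shape we do not parse)
        s = stats[m["client"]]
        s["domains"].add(registered_domain(m["name"]))
        if m["qtype"] == "MX":          # direct-to-MX senders resolve MX for every recipient domain
            s["mx"] += 1
    suspects = {}
    for client, s in stats.items():
        reasons = []
        if client != MAIL_SERVER and s["mx"] > mx_limit:
            reasons.append(f"{s['mx']} MX lookups from a non-mail host")
        if len(s["domains"]) > domain_limit:
            reasons.append(f"{len(s['domains'])} distinct domains")
        if reasons:
            suspects[client] = reasons
    return suspects

# Constructed sample: one normal workstation, the mail server, and one host behaving like a bot.
SAMPLE_LOG = [
    "05-Mar-2013 10:22:31.101 client 192.168.11.20#53012: query: www.fedoraproject.org IN A + (192.168.11.1)",
    "05-Mar-2013 10:22:31.204 client 192.168.11.1#41999: query: example.net IN MX + (192.168.11.1)",
] + [
    f"05-Mar-2013 10:22:3{i % 10}.500 client 192.168.11.57#4{i:04d}: query: victim{i}.example IN MX + (192.168.11.1)"
    for i in range(25)
]

if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Run it against the real query log (with `querylog yes;` enabled in named.conf) and treat any flagged workstation as a candidate for the AV scan the answer describes.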