
SEP 11.x: IPS alerts, causing Internet spam blacklisting

Created: 01 Nov 2012 | 6 comments
MIXIT

Hi all.  I have a client organization whose IP address is being flagged as a spam sender.  Thus, emails to many of their contacts are bouncing back. 

SEP's scheduled daily full scan is not finding any spam bots on internal systems; however, one thing I am seeing frequently is Intrusion Prevention System alerts from SEP going FROM our internal IP of the mail server to a couple of Facebook, Inc.'s IP addresses. 

I will look through the IPS logs in SEPM to see if I can find anything useful, but in general am looking for any advice on how to deal with this overall problem. 

I am going to try to get the IP off any blacklists, but that won't mean much if the source of the problem still exists on the network at my client.  So far daily full scans are not picking anything up, and since the Exchange 2010 mail server is considered the source of those IPS issues, I'm not sure how to trace things back to the originating computer or mobile/handheld device. 

Any SEP-specific suggestions or general suggestions outside of SEP are welcome.  Thank you. 

6 Comments

Ashish-Sharma

Hi,

Did you find the specific system details?

Thanks in advance

Ashish Sharma


.Brian

What's the name of the signature that is firing?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

MIXIT

Yeah I found the specifics. 

IPS:

[SID: 21596] Audit: Jabber IM Client Connection detected. Traffic has been allowed from this application: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe

There are no Active Response entries after these IPS notices. 

Upon further research, it turns out users have put WhatsApp on their BB devices, which uses the Jabber client and can integrate with BIS or BES, so that explains that.  One of the flagged destination IPs was 69.171.241.10, which belongs to Facebook, Inc. 

So this might have nothing to do at all with this spam issue; however, since the source IP for the "attacks" is the internal IP of the Exchange (and BES) server, it still makes me wonder. 

According to the CBL, this client's public IP is listed and it's telling me they have the Waledac spambot.  I honestly have no clue if this is at all accurate or not, or is the CBL just giving automated responses to characteristics of a spambot but in truth it's really Facebook's filters reporting these IPS alerts...or....er...mental failure....shutting down, brain overload limit reached...0x0000000!

Anyway, I have no clue, so I'm also pursuing this as a real spambot issue on the network.  I've used SEPM to push a Full Scan to all systems.  50% completed with nothing found - 1 system had Error, but I suspect it was mid-scan when the user flipped the laptop shut.  The other 47% of systems are probably laptops that are not online, since the daily Client Status report sent to me showed a full half of the computers not online. 

Anybody know a good "spam botnet removal" method? :) I'll read up on Waledac now.  If the IPS or SEP angle can still be leveraged, please feel free to advise.  Thanks again. 

.Brian

Have you contacted RIM to find out what that process does? Seems odd to me that their service is being flagged.


MIXIT

Nah, I passed on that.  I ended up finding out that a certain system on the LAN was firing off bursts of port 25 traffic, and this was what was causing the blacklisting.  It was just a very odd coincidence (or so it seems) that the IPS thing started around the same time.

I set the network firewall to block port 25 outbound for all but the mail server and set logging to catch the offending system which it did. 

The IPS issues were from users having installed WhatsApp on their BB devices.  I've seen other similar IPS alerts for another client of mine when people use Google Talk as well; not sure why SEP is so concerned about these, wish I knew what exactly it is flagging.  I never want to dismiss something occurring, but maybe I should just ignore these particular IPS alerts.  Also it's odd that they're seen as IPS outbound.  I would have thought SEP would just flag incoming traffic for IPS. 
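The approach described in the post above (deny outbound TCP/25 for everything but the mail server and log what still tries) produces a firewall log that identifies the spambot host. The following is an added example, not code from the thread or from Symantec, that scans such a log for hosts other than the permitted mail server opening SMTP connections and flags bursts. The log format, the mail server address and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed internal Exchange/BES address (placeholder, not from the thread).
MAIL_SERVER = "192.168.10.5"

# Constructed sample log lines in a generic iptables-style syslog format.
LOG_LINES = """\
Nov  1 09:00:01 fw kernel: OUT=eth1 SRC=192.168.10.5 DST=203.0.113.25 PROTO=TCP DPT=25
Nov  1 09:00:02 fw kernel: OUT=eth1 SRC=192.168.10.77 DST=198.51.100.14 PROTO=TCP DPT=25
Nov  1 09:00:02 fw kernel: OUT=eth1 SRC=192.168.10.77 DST=198.51.100.15 PROTO=TCP DPT=25
Nov  1 09:00:03 fw kernel: OUT=eth1 SRC=192.168.10.77 DST=198.51.100.16 PROTO=TCP DPT=25
Nov  1 09:00:03 fw kernel: OUT=eth1 SRC=192.168.10.42 DST=93.184.216.34 PROTO=TCP DPT=443
Nov  1 09:00:04 fw kernel: OUT=eth1 SRC=192.168.10.77 DST=198.51.100.17 PROTO=TCP DPT=25
Nov  1 09:05:00 fw kernel: OUT=eth1 SRC=192.168.10.12 DST=198.51.100.30 PROTO=TCP DPT=25
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*"
                     r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

def parse(line, year=2012):
    """Parse one log line into (timestamp, src, dst, dport), or None if it
    does not match the expected format. Syslog lines carry no year, so one
    is supplied."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def rogue_smtp_senders(lines, mail_server=MAIL_SERVER, burst=3, window_s=5):
    """Return {src: {"count": n, "burst": bool}} for every host other than the
    permitted mail server that attempted outbound TCP/25. "burst" is True when
    at least `burst` attempts fall inside any `window_s`-second window, the
    pattern the thread describes for the spambot host."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _dst, dpt = rec
        if dpt == 25 and src != mail_server:
            attempts[src].append(ts)
    result = {}
    for src, times in attempts.items():
        times.sort()
        is_burst = any((times[i + burst - 1] - times[i]).total_seconds() <= window_s
                       for i in range(len(times) - burst + 1))
        result[src] = {"count": len(times), "burst": is_burst}
    return result
```

On the sample above, 192.168.10.77 is reported with four attempts in a burst, 192.168.10.12 with a single attempt, and the mail server is not reported at all.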


.Brian

Nope, goes both ways.
