Understanding Private IP Addresses and a lesson Spamhaus should learn

I recently had a customer who runs an internal mail server get blacklisted by Spamhaus.org.

That's usually because some internal machine has become infected and has managed to bypass all the defenses we put in and found a way to send spam email out. That's not easy, but they had apparently pulled a very ancient box out of the dust bin and hooked it up to the network. It must have done something exceedingly clever, because we block everything at the router except the mail server itself from using mail related ports, but nevertheless, the evidence was plain: Spamhaus had blocked their IP, so something had gotten out.

However, we didn't find this out immediately because I was a little careless when the customer informed me of the block. Because we had been through this before in the past, I told him to just type his mail server IP in at Spamhaus and that they would give him specifics. Once he knew what the actual problem was, he could ask them to unblock his address.

He called me back an hour later to tell me that Spamhaus said his IP was not blocked.



I was a bit surprised, but not totally.  It is possible for this to happen.  I really should have been more insistent right then, but, as I said, this customer had been through this type of thing previously, so I thought he knew what he was doing.  I also foolishly assumed that Spamhaus had better software in place than they do.

The upshot of all this is that I arrived on site to examine the problem two days later.  That's two days where the customer had to suffer annoying blocks.  Here's what happened:


Private vs. Public


When my customer visited the Spamhaus Blocklist Removal Center, he typed in what he thought was his mailserver IP address: 192.168.2.120. That IS the address, but it is the internal, private IP address. What he should have put in is the public IP address - the address of the MX record for his domain.

We'll see in a minute that while it might be understandable that my customer made this mistake, Spamhaus never should have. Their website software should have known he had erred and should have told him that instantly. Let's see why I say that.

Here are the private IP ranges:

  • 10.0.0.0 throuugh 10.255.255.255
  • 172.16.0.0 through 172.31.255.255
  • 192.168.0.0 through 192.168.255.255

You can't use the beginning or end of a range. That is, if you are planning to use 192.168.2 addresses, you cannot use 192.168.2.0 or 192.168.2.255 for a computer or printer.  The first is reseved to refer to the network itself and the last is a subnet mask.

I don't want to get into subnetting here because it can get very confusing. If you are a home user or a small business, you are unlikely to need to worry about that.

Those are addresses you can use inside a private network.  They cannot be used on the Internet - they will not route.  Your Internet router has one or more true, public IP adresses that are not in these ranges and part of its function is to translate your internal addresses to public addresses.  You'll here that commonly referred to as "NAT" or "masquerading" (purists will argue about precise meaning and say it's probably "DNAT" - they are right, but that's not important for most of us).

That's why I say that Spamhaus should have recognized the error.  A mailserver can NOT have a public address of 192.168.2.120 - that is obviously an internal address.

Try This


Find out what your machines addresses are. First, go to WhatIsMyIP.com. That will show you your public IP address. Next, ask your computer what its IP is.

Here's how to tell with Windows: do Start->Run and then type "cmd" (on older systems type "command"). That opens up a "DOS box", or "command window" as we old geeks call it. In that box, type "ipconfig". You'll get back something like this:

 

Windows IP Configuration

Ethernet Adapter Local Area Connection:
       Connection-specific DNS Suffix:
       IP Address....................: 192.168.2.4

(and more, but it's the IP Address we want)

Network Settings on a Mac.  Note the IP is 192.168.11.2
Network Settings on a Mac. Note the IP is 192.168.11.2

You may also know how to get that from the Windows interface. Similar information is available on Macs - you might open up Terminal and run "ifonfig en0" or use System Preferences to examine your settings.

Warning: If your computer network shows the same address as that WhatIsMyIP site, you are directly connected to the Internet and that is usually a very unsafe condition for a home computer.



What really happened


When I typed in his public IP, we got back confirmation from Spamhaus. Following the provided link gave us very specific information.



This IP is operating (or NATting for a computer that is operating) the "sendsafe" bulk emailing malware. This software is exclusively used for sending "Nigerian 419"/"advance fee" frauds or phishing attempts.

Sendsafe works by acquiring userid and password (usually stolen) for a valid email account on a mail server. Then, a machine compromised by sendsafe (in this case your IP) makes a SMTP connection to that mail server, authenticates with the compromised email login credentials, and proceeds to send Nigerian 419 scam emails.

One way to look for this is to look for authenticated outbound SMTP connections from this IP address either on port 25 or port 587. This particular detection was of a SMTP connection made from your IP address to IP address (removed for confidentiality).

In some cases it turns out to be a SSH login account (with a weak or compromised password) used to proxy inbound connections to outbound SMTP connections. Check your SSH logs for logins from unusual places (such as Nigeria).

A recent case turned out to be a copy of "Mass Sender" (aka "Advanced Mass Sender 4.3"). This appeared have been installed via some sort of remote desktop connection (such as RDT or VNC), and operated by the remote desktop connection. The criminal had gained access to the remote desktop connection via stolen/cracked/keylogged userid/password. First check Windows Installed applications (eg: Control Panel => Add or Remove programs...) and see if anything unexpected is there.

On a NAT, it could be any windows computer on your LAN. Examining your firewall logs for remote desk top connections from outside may help identify which computer it is.

In this case, it was "Mass Sender 4.3". If you find anything like that, delete it. Then, to make sure it doesn't happen again, secure your remote desktop connection as tightly as possible. Close the firewall to that port if possible. Change all passwords etc.

In other cases it appears to be a virus infection that may have disabled your Anti-Virus software. If you have Anti-Virus software, make sure it's operational and up-to-date.


That's very helpful. They also gave us the time the spam was last seen, which was five days back. My customer immediately remembered briefly putting up that ancient box on that day.

I remained concerned about how this box had bypassed our defenses. It should not have been able to send direct email out on those ports as those are blocked by the router for all machines except the actual mailserver. It might have used the internal mailserver (using credentials found on the machine), but I found nothing in the logs there.

Oh, well. I asked the customer to keep checking Spamhaus every week just in case the virus had managed to spread, but after six weeks, there has been nothing else, so I'm reasonably confident it has not. I also asked him to not resurrect five year old machines that should have gone to recycling long ago!


Do you know someone who should be reading this? Click the Share button below to send it to them easily or to post it to Facebook or Twitter.


More by this Author


Comments 13 comments

Frank Senase 6 years ago

The summary of this posting is simple:

An idiot system admin (Pcunix) sets up a customer's network badly allowing infected machines to spew spam to the internet. The idiot customer puts a wrong IP into Spamhaus and Pcunix expects Spamhaus to correct his error. Pcunix does nothing for days until the customer complains some more, then both idiots discover that Spamhaus was right: there was a badly set up trojan-infected PC on the network spewing spam to millions of people! By this time the idiot customer should at least have considered firing the idiot system admin. I would have.


Pcunix profile image

Pcunix 6 years ago from SE MA Author

No.

As I noted above, the routers (which are not controlled by me, by the way) are set to block outbound email ports from all machines except the mailserver.

Small customers don't have system admins. The person who pulled out that old box is a manager.

And no, it wasn't "millions" of emails. As far as we can tell, the centralized virus scanning nullified that machine very quickly anyway and if not it was taken off the network the same day.

Finally, yes, Spamhaus SHOULD trap that. I bet "idiots" (your ignorant term) make that error frequently. Spamhaus could help prevent longer terms of spamming machines with that simple code change.

No "idiots" here. Except perhaps you.


f_hruz profile image

f_hruz 6 years ago from Toronto, Ontario, Canada

Yehhh, very good report ... and don't get too upset if some idiots come around just to post sh.it to show how little culture they actually have! :)


Pcunix profile image

Pcunix 6 years ago from SE MA Author

Oh, I don't. Stuff like that is always someone with some other axe to grind. He could work for Spamhaus or dislike me for some other real or imagined offense.


Frank Senase 6 years ago

"My customer immediately remembered briefly putting up that ancient box on that day" - and this caused a load of spam to the internet from your 'secure' network, nice!

"When I typed in his public IP, we got back confirmation from Spamhaus. Following the provided link gave us very specific information" - well that's what happens when you put in the right IP :) Blaming Spamhaus for not correcting you when you put in a wrong IP is stupid! It's not their job to baby-sit you.

"I remained concerned about how this box had bypassed our defenses" - that's easy, some idiot had set the customer's network up so the defenses could be bypassed. Might I guess who that was? Sure, you, right? :)


Pcunix profile image

Pcunix 6 years ago from SE MA Author

Did you not understand when I said I don't support the routers? I have checked them by attemting outgoing connections, and that was blocked, so I do remain puzzled by how this machine got out. I guess you can't understand that, either.

You don't think Spamhaus should reject private ip's???


Frank Senase 6 years ago

"You don't think Spamhaus should reject private ip's???"

No, because some private IPs ARE on Spamhaus BLs (127.0.0.2 for example and many others in 127.*), instead they should tell the truth if an IP is listed or not, which is what they do already.

Most users don't even know what a 'private IP' is and if they don't have enough clue to put their mail server's correct IP into a Spamhaus search do you think they have any clue what to do with the result either way. If they don't know enough to know their IP address they have no business anywhere near a mail server or a router, they should employ a competent mail server administrator to do it.


Pcunix profile image

Pcunix 6 years ago from SE MA Author

You are confused, Frank. No 127 address can be in a blacklist because no 127 address can route on the Internet.

You probably misinterpreted this: http://netwinsite.com/surgemail/help/rbl.htm

Those are return codes, not ip's.


Manna in the wild profile image

Manna in the wild 5 years ago from Australia

Check your definitions of RFC1918 private IP addressing


Pcunix profile image

Pcunix 5 years ago from SE MA Author

I imagine you are referring to the fact that I say

10.0.0.1 to 10.254.254.254 ?

Yeah, I know: the RFC defines it as 10.0.0.0 to 10.255.255.255

But I'm not talking about networks here, I'm talking about IP addresses that you'd use to assign to devices in a private network.


Pcunix profile image

Pcunix 5 years ago from SE MA Author

And yes, I realize it's still not completely right. I suppose I should just change it to match..


Manna in the wild profile image

Manna in the wild 5 years ago from Australia

Yup. There is no way to depict the wire and broadcast address for every possible subnet that could be used.

But it's a very useful chunk of work here all up. Thanks.


Pcunix profile image

Pcunix 5 years ago from SE MA Author

I know. I wanted to avoid subnetting here if I could, and I really can't entirely.

Oh, well. I changed it as you can see.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.


    Click to Rate This Article
    working