Kentucky Joe

@insightbb.com

ISP Blocked my access because of spam

I am troubled because my internet provider blocked my access because they report that my external ip address sent 10,000 emails at 8am.

They can't tell me what was sent or what MAC/IP address it was sent from or even give me a log of the emails. They can only tell me that if it happens 3 more times they will suspend my service for 30 days...if it happens a 5th time they will disconnect my service.

They told me the way they found out is that 10,000+ emails went through their mail server...and I questioned why my emails would even be going through their email server and he said that they scanned the port and saw it.

I believe email uses a certain port so I guess the question is how can I block email from leaving my home?? We normally only use webmail like gmail etc....

My provider is Insight here in Northern Kentucky and while they have been helpful it bothers me that when I ask for logs or proof just because I am curious they refer me to their legal department and say that they aren't even sure the legal department has logs...

I am sure they could disconnect me without reason and I wouldn't have a legal foot to stand on but I am really wanting to figure out how to block these emails from leaving my home...yes antispyware, antimalware, antivirus should do the trick but I don't trust it enough to put my 10meg connection on the line.

bofkentucky

join:2009-03-30
Louisville, KY


Start with the basics

1) Do you have a router in between your cable modem and your computer(s)?
2) Does the router have a DMZ port turned on?
3) Does the router have a firewall turned on?
4) Is the router wireless?
5) Is the wireless secured (SSID isn't broadcast and requires a wpa key)?
6) I'm guessing you're running windows. On each computer in your house do the following to see if you have a mail server running
click on start
click on run
type cmd.exe in the open box
hit enter
You should have a dos prompt open now
in that you need to type netstat -an

If you see a line like the next two (x.y.z.a and b.c.d.e are ip addresses like 0.0.0.0 or 192.168.1.20 or 74.128.17.114 for example)

TCP x.y.z.a:25 b.c.d.e LISTENING

or

TCP x.y.z.a:587 b.c.d.e LISTENING

You do have a mail server running on that computer. It's time to antivirus/antispyware that computer until those ports aren't listening. Check for programs that were installed recently.


koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX

reply to Kentucky Joe
The easiest way would be to sign up for an account
at »www.opendns.com/ then get Insight's email servers by name and manually blacklist those servers. Voila, problem solved, and you will have the logs to tell Insight to get bent when they say you did it again.

But you have to hard code the OpenDNS servers in your modem, in your router and on your computer so that nothing can be used for DNS servers besides OpenDNS.
--
† Koma †
If YOu Don't Think It's Possable!! It's Acually A Reality!!The best way to predict the future is to invent it. Alan Kay!!
Ya Don't Know The signal Till Ya Ride It!!
Voice Break's There's Trouble!!!!


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

reply to Kentucky Joe
said by Kentucky Joe :

antispyware,antimalware,antivirus should do the trick but I don't trust it enough to put my 10meg connection on the line.
make sure it is doing the trick
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2009


Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL
 reply to Kentucky Joe
Are you sure your PC is not infected?


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA

reply to bofkentucky
Everything you said is correct for detecting that a regular mailserver is running on the system that allows for incoming email.
However the ISP complained about email sent (not received) by "Kentucky Joe". If his computer is infected with a trojan/virus the software will use a mail client to transmit the email or have an embedded mail server solely for sending email without bothering to receive email.
Looking for any ports in listening state is still useful, because the trojan/virus may have established a backdoor to allow remote control of the computer. However that backdoor may not be listening on standard email ports.

Assuming that the ISP correctly identified "Kentucky Joe's" internet connection as the source of the spam and further assuming he isn't deliberately sending spam the two most likely explanations are:
1.) one (or more) of the computers on his home network is(are) infected and need to be cleaned up.
2.) someone else in the neighborhood is making unauthorized use of his wireless network.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
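An added example, not code from any poster in this thread, that turns bofkentucky's `netstat -an` check and leibold's caveat into one pass over the output. It flags anything LISTENING on an SMTP port (what the original check looks for) and, separately, counts live or half-open TCP connections *to* a remote SMTP port, which is the only trace an outbound-only spam engine leaves. The netstat text embedded below is constructed to show both patterns; the port set 25/465/587 and the tolerance of one outbound session are assumptions, chosen because the OP's household is webmail-only and should see none.

```python
import sys
from collections import Counter

# Ports a home PC normally neither serves nor fans out to (assumption:
# 465 added to the 25/587 pair named in the post).
SMTP_PORTS = {25, 465, 587}

# Constructed sample of Windows `netstat -an` output, not a real capture.
# The 0.0.0.0:25 listener is what bofkentucky's check catches; the burst of
# SYN_SENT/ESTABLISHED connections *to* remote port 25 is the outbound-only
# pattern leibold describes, which that check alone would miss.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      74.125.67.100:80       ESTABLISHED
  TCP    192.168.1.20:1044      208.67.222.222:53      TIME_WAIT
  TCP    192.168.1.20:1050      64.12.138.2:25         SYN_SENT
  TCP    192.168.1.20:1051      65.54.188.72:25        ESTABLISHED
  TCP    192.168.1.20:1052      209.85.225.27:25       SYN_SENT
  TCP    192.168.1.20:1053      74.128.17.114:587      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)
    for each socket line; headers and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = local.rsplit(":", 1)      # rsplit keeps IPv6 "[::]" intact
        rip, rport = remote.rsplit(":", 1)
        yield (proto, lip, int(lport), rip,
               int(rport) if rport.isdigit() else None, state)


def find_smtp_listeners(text):
    """bofkentucky's check: TCP sockets LISTENING on an SMTP port."""
    return sorted({lport for proto, _, lport, _, _, state in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING"
                   and lport in SMTP_PORTS})


def find_outbound_smtp(text):
    """leibold's caveat: a spam bot needs no listener, it connects *out*.
    Returns {remote_port: count} over live or half-open TCP connections."""
    counts = Counter()
    for proto, _, _, _, rport, state in parse_netstat(text):
        if proto == "TCP" and rport in SMTP_PORTS \
                and state in ("ESTABLISHED", "SYN_SENT"):
            counts[rport] += 1
    return dict(counts)


def assess(text, max_outbound=1):
    """Return a list of human-readable findings; empty means nothing seen.
    max_outbound=1 tolerates one open session from a real mail client;
    a webmail-only household (the OP's case) should see zero."""
    findings = []
    listeners = find_smtp_listeners(text)
    if listeners:
        findings.append("SMTP listener on local port(s) %s" % listeners)
    outbound = find_outbound_smtp(text)
    if sum(outbound.values()) > max_outbound:
        findings.append("%d concurrent outbound SMTP connections %s"
                        % (sum(outbound.values()), outbound))
    return findings


if __name__ == "__main__":
    # Usage on the suspect PC:  netstat -an > ns.txt  then  python smtp_check.py < ns.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for f in assess(text) or ["nothing SMTP-related found"]:
        print(f)
```

Run it a few times a minute apart: a bot pumping mail shows a churn of SYN_SENT entries toward many different remote :25 addresses, which is very different from a single long-lived :587 session from a mail client. Once a hit shows up, `netstat -ano` (XP SP2 and later) adds the owning PID so you can find the process in Task Manager before starting the cleanup.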


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

said by leibold :

1.) one (or more) of the computers on his home network is(are) infected and need to be cleaned up.
2.) someone else in the neighborhood is making unauthorized use of his wireless network.
Yes, good analysis. These possibilities are what the OP needs to check.

Attempting to block the outgoing mail would just be a bandaid solution, and probably not very effective. Securing the wireless network (if one is used), and cleaning out the malware on all computers on the home LAN is the way to deal with this problem.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10

The Snowman
Premium
join:2007-05-20
·Verizon Online DSL

reply to Kentucky Joe

I am troubled because my internet provider blocked my access because they report that my external ip address sent 10,000 emails at 8am.

__________________________

Is the OP specifically saying that 10,000 emails were sent at SPECIFICALLY 8 a.m.?

ok, what am I missing here? Microsoft by default sets the OS to have FOUR (4) OUTBOUND connections at any given time......this was done to control the spread of viruses....(and takes a registry tweak to change)

So how is it possible for a normal, un-tweaked, operating system to mass email 10,000 spams specifically at 8 a.m.?
Surely this would not have gone un-noticed by the OP......the computer would have made a massive slow down until all spam emails were sent.........and 10,000 emails don't just pop out from a computer in a few seconds....


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

I assumed the 8am was an approximate time.

Where does this "FOUR (4) OUTBOUND connections at any given time" limit come from? I often have more than 4 ssh (putty) connections. My browser often has a bunch of connections, and at the same time as the putty connections are open. And this with XP home on my laptop. I don't recall running into a connection limit.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10


Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
·Shaw

reply to The Snowman
I'm thinking it was a spoof using his SMTP, and email addie.

I use various other SMTP servers when I travel instead of webmail, for my convenience. Of course, I don't spam from them, I do a few emails. It can, and has been done.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous


heels_fan
1.20.09 The start of Socialism
Premium
join:2003-02-07
Columbia, TN

reply to Kentucky Joe
he probably has some type virus or spyware that has his email login information.

Then it is authenticating to the mail server and sending out that way.

We have had several of our customers reply to these emails that say that they are from the email admin and that we need the user's username and password, and like dummies they reply. At that point, the spammer or whoever has access to the user's webmail account and starts spamming.

When this happens, I change the user's password and then place a friendly call to the customer to tell them.
--
everyone is born ignorant. some are born stupid, others achieve stupidity and the rest have stupidity thrust upon them.


pog
Premium
join:2004-06-03
Kihei, HI
·Hawaiian Telcom

reply to Kentucky Joe
said by Kentucky Joe :

... They told me the way they found out is that 10,000+ emails went through their mail server...
They are presumably talking about their smtp server... does it require a login before use? Do you, in fact, have it set up as your outgoing server for your default email client? Do you even use a traditional email client (outlook, eudora, etc) or do you stick with webmail?

and I questioned why my emails would even be going through their email server and he said that they scanned the port and saw it.
If they scanned your ports and found something, I'm wondering if they meant that you had a server listening on your end... in which case, your system may have been spewing email directly out to the world. Still abusive but maybe having nothing to do with their email server directly.

Anyway, I think you have two primary areas of concern...
1) your relationship with your ISP
2) the state of your own PC's security

If you exclusively use webmail, then you can take care of 1) fairly simply... at your router block all access to ports 25 and 465 (IIRC). This will ensure that, despite anything else, nothing using your network can actually send anything out that will upset your ISP.

The next concern is in 2)... your own security... make sure no one else is using your connection via wireless, make sure to clean out malware, etc.
--
My Site


ToLateToLogin

@verizon.net

reply to Kentucky Joe
nwrickert:

This is the best I could do on short notice but will give you a rough idea.......however..it's not complete...Google if you want more.

»www.everything-mdaemon.com/mdaem···n-limits

There is a lot of misinformation and confusion about how the 10-connection limit applies to XP sp2. I can discuss the technical limitations, although not any EULA implications, nor hacks around this restriction. The same restrictions apply to Vista’s TCP stack as well.

From a technical point of view, there are NO new restrictions on simultaneous users, or even TCP sessions. Rather, it's the number of half-complete outbound TCP sessions which are allowed simultaneously. Windows XP sp2 will throttle you if you attempt to have more than 10 half-open sessions at once.

So what is a half-open session? This is where a connection has been attempted, but not yet actively accepted or refused by the server. This most commonly occurs when you connect to a server which isn't online, or when the recipient is running a firewall configured to DROP or "stealth" ports, rather than simply refusing the connection.

So in terms of MDaemon running on a Windows XP sp2 or Vista machine as a service, inbound connections (other PCs accessing SMTP/POP3/IMAP sessions, or WorldClient/WebAdmin) aren’t counted or throttled at all, only outbound connections by MDaemon (SMTP-out, MultiPOP, DomainPOP, Dequeue, LDAP) will be affected, and then only if at least 10 sessions are in the process of connecting but not completing connections fast enough.

UDP traffic is not delayed at all, so neither DNS look ups nor minger are affected.

In a practical implementation, if you intend to use MDaemon on Windows XP, turn the number of SMTP threads down to 8 or below (lower if there are users or other applications/servers on the same machine) and you won’t be affected in most circumstances.

When it does occur, a new event, with ID 4226, appears in the system’s event log. Once throttling has started, outbound connections may still succeed, but you’ll see delays or potentially even connection timeouts.


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA

reply to The Snowman
said by The Snowman :

So how is it possible for a normal, un-tweaked , operating system to mass email 10,000 spams specifically at 8 a.m. ?
Take a plain text spam email message (up to 2 KB) * 10,000 and you need to transmit somewhere in the area of up to 160,000,000 bits.
Given that the poster is talking about a 10Mbps Internet connection I'm assuming that it is residential service with 1Mbps of upstream bandwidth.
This means that it is taking at most 3 minutes to transmit those email messages and that is generously assuming each is sent individually. It will take far less time if the spam program is smart enough to send the same message body to multiple recipients at once. If every message is addressed to 10 recipients the transmission that started exactly at 8:00 can be finished before 8:01 (not that I believe that the ISP meant that time to be taken that literally).
There is no need for concurrent socket connections either.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
·Shaw

reply to pog
said by pog :

They are presumably talking about their smtp server... does it require a login before use?
Precisely. If you don't have to authenticate, you're home-free.

I don't have to authenticate, which is why I use the other SMTP servers. Again, I'm not malicious though.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous


ToLateToLogin

@verizon.net
reply to Kentucky Joe


Ok..thanks for explaining.....I did not think it was possible.........obviously it is......thank you.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to ToLateToLogin
There is a lot of misinformation and confusion about how the 10-connection limit applies to XP sp2. I can discuss the technical limitations, although not any EULA implications, nor hacks around this restriction. The same restrictions apply to Vista’s TCP stack as well.
10 is better than the 4 mentioned earlier. Thanks for that correction.
Rather, it’s the number of half-complete outbound TCP sessions which are allowed simultaneously.
The mail apparently went out through the ISP mail server. You can pump a lot of email messages through a single connection, depending on what (if any) limits are imposed by the server. So I don't expect that 10 half-complete connections would have been a problem.

The spammers often use their own spamware to send out spam. It is pretty likely that their spamware is built to fit within any limitations imposed by Windows.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10


Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
·Shaw

said by nwrickert :

The spammers often use their own spamware to send out spam. It is pretty likely that their spamware is built to fit within any limitations imposed by Windows.
How true. There are a number of UIs to tweak svchost.exe to allow that.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous


Kentucky Joe

@insightbb.com

reply to Kentucky Joe
There are a lot of questions here but let me answer one or two

1. Wireless is password protected

2. Yes they said that 10,000+ emails (they had an exact count) and said it happened at 8am (they had an exact hour and minute). When I asked for proof they said I would have to contact their legal department and even then they might not have the information.

3. If someone had my login information for my email address I probably would have received one or two replies back for undeliverable or someone calling me an arse for sending it.

I need to re-read some of the replies...blocking the ports sounds like the best way to go, but how do I test blocking ports from the inside???

I wish I knew why it only happened one time...you'd think if it was some kind of an infection that it would have happened multiple times...

Is there any way to log every single event that occurs going out of my home?? Right now I have The Computer - Linksys Router - Cable Modem...not sure if I can put something before the Linksys that would allow me to capture everything?
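An added example, not posted by anyone in the thread, answering the OP's "how do I test blocking ports from the inside" for the router rule pog suggests (block 25 and 465, plus 587 here as an assumption since the household is webmail-only). From a PC behind the router it attempts a plain TCP connect to each SMTP port of a target host and classifies the answer. The thing to understand is that a working egress block does not "refuse" anything: the SYN never leaves the router, so the connect simply times out. A `refused` answer means the packet got out and reached a host with nothing listening; `open` means the mail path is usable. The target hostname below is a placeholder, and the loopback listener is a constructed stand-in so the `open` and `refused` paths can be exercised offline.

```python
import socket

SMTP_PORTS = (25, 465, 587)


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and classify the answer:
       'open'     - handshake completed (SYN got a SYN/ACK)
       'refused'  - got a RST: the SYN reached a host with nothing listening
       'filtered' - timed out: no answer at all, which from inside the LAN is
                    what a working egress block on the router looks like
    Ordering matters: socket.timeout and ConnectionRefusedError are both
    subclasses of OSError, so the generic catch comes last."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # DNS failure, unreachable network, etc.
        return "error"
    finally:
        s.close()


def probe_smtp_egress(host, ports=SMTP_PORTS, timeout=3.0):
    """Probe every SMTP port toward `host`; returns {port: result}."""
    return {p: probe(host, p, timeout) for p in ports}


def all_filtered(results):
    """True only if every probe was 'filtered'. An 'open' or 'refused' on
    any port means the SYN left your router, i.e. the block is not in place
    for that port."""
    return bool(results) and all(r == "filtered" for r in results.values())


def local_listener():
    """Constructed stand-in for a reachable mail server: a throwaway
    listener on 127.0.0.1 so the 'open' path can be exercised offline.
    Returns (server_socket, port); close the socket to get 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python egress_check.py mail.example.invalid
        # (placeholder name; use your ISP's outgoing mail host, which this
        # page does not give, or any public mail server you know)
        res = probe_smtp_egress(sys.argv[1])
        print(res, "-> block in place" if all_filtered(res) else "-> NOT blocked")
    else:
        srv, port = local_listener()
        print("local listener:", probe("127.0.0.1", port))   # open
        srv.close()
        print("after close:   ", probe("127.0.0.1", port))   # refused
```

Two caveats when reading the result. First, many ISPs already drop outbound port 25 from residential addresses, so `filtered` on 25 alone may be their block rather than yours; port 587 toward the ISP's own submission server is the honest test of a rule you added on the router. Second, this only proves the path from the PC you ran it on; putting the rule on the router (rather than in a software firewall on one PC) is what makes it cover every machine on the LAN, including anyone on the wireless side.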


ff1324
Everybody Goes Home
Premium
join:2002-08-24
On Four Day

reply to Kentucky Joe
I agree with Cudni. Check the computer for trojans, viruses, and spyware thoroughly first. It's the most likely culprit.

»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
--
Remember the 2008 firefighters and police LODD's in St. Louis:
PO Ballman, Sgt. Biggs, FF Hummert, Sgt. King, FF Riggins... all murdered...RIP brothers.
© 1999-2009 dslreports.com.