Everything you said is correct for detecting that a regular mailserver is running on the system that allows for incoming email. However, the ISP complained about email sent (not received) by "Kentucky Joe". If his computer is infected with a trojan/virus, the software will use a mail client to transmit the email or have an embedded mail server solely for sending email without bothering to receive email. Looking for any ports in listening state is still useful, because the trojan/virus may have established a backdoor to allow remote control of the computer. However, that backdoor may not be listening on standard email ports.
Assuming that the ISP correctly identified "Kentucky Joe's" internet connection as the source of the spam, and further assuming he isn't deliberately sending spam, the two most likely explanations are:
1.) one (or more) of the computers on his home network is (are) infected and need to be cleaned up.
2.) someone else in the neighborhood is making unauthorized use of his wireless network.

-- Got some spare CPU cycles? Join Team Helix or Team Starfire!
1.) one (or more) of the computers on his home network is (are) infected and need to be cleaned up.
2.) someone else in the neighborhood is making unauthorized use of his wireless network.
Yes, good analysis. These possibilities are what the OP needs to check.
Attempting to block the outgoing mail would just be a band-aid solution, and probably not very effective. Securing the wireless network (if one is used) and cleaning out the malware on all computers on the home LAN is the way to deal with this problem.

-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
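An added example, not part of any post in this thread: a check to run on each computer on the home LAN that separates listening sockets (the possible-backdoor case) from outbound connections to mail ports (the spam-sending case) in a connection listing. It assumes the Linux `netstat -tan` column layout; the sample listing, the function name `analyse` and the `MAX_MAIL_SERVERS` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}   # SMTP, SMTPS, mail submission
MAX_MAIL_SERVERS = 2          # assumed: a home PC normally talks to one or two relays

# Constructed sample in `netstat -tan` layout (documentation-range addresses).
SAMPLE = """\
tcp   0   0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp   0   0 0.0.0.0:31337       0.0.0.0:*           LISTEN
tcp   0   0 192.168.1.10:50112  198.51.100.7:443    ESTABLISHED
tcp   0   0 192.168.1.10:50120  203.0.113.5:25      ESTABLISHED
tcp   0   1 192.168.1.10:50121  203.0.113.44:25     SYN_SENT
tcp   0   0 192.168.1.10:50122  198.51.100.90:25    ESTABLISHED
"""

LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)"
)

def analyse(text):
    """Return listening ports, outbound mail peers per local address,
    and local addresses contacting more mail servers than expected."""
    listening = []
    smtp_out = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header or non-TCP line
        l_addr, l_port, r_addr, r_port, state = m.groups()
        if state == "LISTEN":
            # Every listener is worth reviewing, not just mail ports:
            # a backdoor need not use a standard email port.
            listening.append(int(l_port))
        elif r_port != "*" and int(r_port) in SMTP_PORTS:
            # Remote port is a mail port, so this host is the sender.
            smtp_out[l_addr].add(r_addr)
    suspects = {host: sorted(peers) for host, peers in smtp_out.items()
                if len(peers) > MAX_MAIL_SERVERS}
    return {"listening": sorted(listening),
            "smtp_out": {h: sorted(p) for h, p in smtp_out.items()},
            "suspects": suspects}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A machine that shows up under `suspects` is the one to disconnect and clean first; if no machine on the LAN shows outbound mail traffic while the ISP still sees spam, the unsecured wireless network becomes the more likely explanation.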