Thread: blocked ISP due spam

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    5

    Question blocked ISP due spam

    Hi all

    My ISP suspended my account due to spamming. It looks like I am the innocent party here; I have never been involved in spamming. Did someone hack my e-mail address? I have the Norton AVS and ZoneAlarm running, and no viruses were found. I have signed up with a different ISP now... Any ideas what's going on?

  2. #2
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Without further information it's impossible to answer this.

    I know you say the ban is for spam, but have you been doing anything such as port scanning or vulnerability profiling from that account? If so, that may be the 'real' reason for the ban. What is your ISP's policy about this?

    Can you tell us exactly what your ISP has written to you, informing you about this ban? If they haven't told you anything, contact them and ask. Once you have the information, contact them and politely explain that this was not done with your knowledge and ask them for your account back, and then ask them for their help to prevent this from happening again.

    Is your AV up to date with its definition files? If not, you may have a virus and not know about it. How is ZoneAlarm configured? It is possible your computer is compromised and someone has set up your system to spam.

    Are you DSL or dial-up?

    Do you have a fixed IP or dynamic?

    If you are dial-up or dynamic IP, it's possible that your username and password for your ISP have been compromised, or your PC has been compromised.

    Were you running a mail server? If so, what was the mail server, and how have you configured it to prevent it from being an open relay?

    Have you had any other unusual behaviour from your PC?

    We need more to help.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi

    Another couple of questions:

    1. is this a PC or a server?
    2. Is it always switched on and connected to the net.

    If the answer to those is "yes" then you need to check that your settings prevent it being used as a router for the spam.

    Cheers

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    If your ISP gave you any of the mail headers from the SPAM, I would also want to see those as well. Many worms/viruses (especially mail flooders) spoof the sender of the mail to be from people harvested from the infected person's computer. I can't tell you how many times I have had to walk irate, but clueless, admins through the process of examining the mail headers closer to show that they were forged...

    Anyway, post them here, with as little changed as possible (I understand if you want to hide your username) and I will have a look at them...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    Some ISPs have entire ranges of IP addresses blocked by "Spamhaus.org" (been there - done that !!). You may be in one of those ranges.

    I would think, as nebulus200 says... you are most likely infected with something.

    Norton/AVG/McAfee etc. don't always catch files that enter through NetBIOS ports 135-139.
    (Is file sharing turned on?)

  6. #6
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    Close all programs and windows, then run netstat -an and see if you have any listening ports or a connection to 6667. A lot of spammers use infected home users as spambots and use IRC to control these spam bots. Aside from 6667, just look for any connection that shouldn't be there. Sometimes viruses aren't picked up by any AV because the signature is not in any AV database.

    And please, get a firewall. Do the internet a favor and get a firewall. Spam is evil man, I would ****ing cry if my box was spewing spam.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
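
The netstat check suggested in the post above, written out as an added example (not code from any poster in this thread). It parses Windows `netstat -an` text and reports listeners reachable from the network, peers on port 6667 and, as an assumption that goes beyond the post, fan-out to many hosts on SMTP port 25; the sample output, the `triage` function and the threshold are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1046        203.0.113.5:25         ESTABLISHED
  TCP    192.0.2.10:1047        203.0.113.9:25         SYN_SENT
  TCP    192.0.2.10:1048        203.0.113.20:25        ESTABLISHED
  TCP    192.0.2.10:1049        198.51.100.80:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")
IRC_PORT = 6667      # port named in the post above
SMTP_PORT = 25       # assumption: a spam bot delivers mail directly over SMTP
SMTP_HOST_LIMIT = 2  # assumption: a home PC talks to at most a couple of mail hosts

def triage(netstat_text):
    """Summarise listeners reachable from the network and suspicious peers."""
    listeners, irc_peers, smtp_peers = [], [], set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, laddr, lport, raddr, rport, state = m.groups()
        listening = state == "LISTENING" or (proto == "UDP" and rport == "*")
        if listening:
            # Sockets bound only to loopback are not reachable from outside.
            if not laddr.startswith(("127.", "[::1]")):
                listeners.append((proto, int(lport)))
        elif rport == str(IRC_PORT):
            irc_peers.append(raddr)
        elif rport == str(SMTP_PORT):
            smtp_peers.add(raddr)
    return {
        "exposed_listeners": listeners,
        "irc_peers": irc_peers,
        "smtp_peers": sorted(smtp_peers),
        "smtp_fanout": len(smtp_peers) > SMTP_HOST_LIMIT,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a lead to follow up on, not proof of infection: the owning process still has to be identified and explained.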

  7. #7
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Thanks for all replies guys
    Here is the e-mail from ISP about spam:

    Subject: UCE: " H()t MHOMS-SALUTvS - fujckL, suvck (incNestS)m"
    From: *****@XXXXX.ac.uk (*****)
    Date: Fri, 21 Nov 2003 11:35:05 +0000 (GMT)
    To: dialup-xxxxxxxxxacc02-waym-adl.comin...m.au@abuse.net

    Reported address: XXXXXX
    Incident time: 21 Nov 2003 11:42:00 +0000
    Logon (utc): 20031121100542
    Logoff (utc): 20031121132200
    CLI: XXXXXX
    DNIS: 142320198333466
    Username: *****@bigblue.net.au
    bref: GLOBALCEN
    cref: GLOBALCEN
    Ticket: 42505

    I use dial-up to connect, so I guess it's a dynamic IP address. I have not noticed any unusual behaviour lately on the PC.
    I ran netstat; here are the results:
    System 4 0.0.0.0 445 LISTEN UDP
    System 4 0.0.0.0 1028 LISTEN TCP
    System 4 0.0.0.0 445 LISTEN TCP
    lsass.exe 496 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
    svchost.exe 656 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
    svchost.exe 700 203.23.152.190 2234 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 700 203.23.152.190 123 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 700 127.0.0.1 3003 LISTEN TCP C:\WINDOWS\System32\svchost.exe
    svchost.exe 700 127.0.0.1 3002 LISTEN TCP C:\WINDOWS\System32\svchost.exe
    svchost.exe 700 0.0.0.0 1025 LISTEN TCP C:\WINDOWS\System32\svchost.exe
    svchost.exe 848 0.0.0.0 3060 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 848 0.0.0.0 3059 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 848 0.0.0.0 3037 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 928 203.23.152.190 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
    svchost.exe 928 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
    alg.exe 1268 127.0.0.1 3001 LISTEN TCP C:\WINDOWS\System32\alg.exe
    SAgent2.exe 1284 0.0.0.0 1027 LISTEN TCP C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    SAgent2.exe 1284 0.0.0.0 1026 LISTEN TCP C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    ccApp.exe 1916 127.0.0.1 3004 LISTEN TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    msmsgs.exe 3396 203.23.152.190 3361 LISTEN UDP C:\Program Files\Messenger\msmsgs.exe
    msmsgs.exe 3396 0.0.0.0 3360 LISTEN UDP C:\Program Files\Messenger\msmsgs.exe

  8. #8
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Logon (utc): 20031121100542
    Logoff (utc): 20031121132200
    CLI: ************
    Is this your phone number?

    If not, someone knows your password. Is your password a 'strong password' - mixed case, mixed numbers and letters and not a word in a dictionary? If not, it could have been 'brute forced'.

    Were you really online from 5.42am to 22.00pm - it seems a long time to be online for a dial-up. Did you expect to be online for that time? If not, this could suggest a number of things.

    Forgive me, I'm not a Windows port expert, but others will comment, I'm sure. Port 1028 might be of interest, and more research into this: http://cert.uni-stuttgart.de/archive.../msg00031.html may be worthwhile.

    Is your Windows patched and up to date?

    Are you sure your virus definitions are up to date?

    Steve

    Edit : Home phone number removed!

  9. #9
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Hmmm, that's interesting... I am on dial-up and the max session is up to 4hr, so it's not possible I was connected for all this time... The phone no. is correct, and Windows and virus definitions are up to date.

  10. #10
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Antares65 - I've PMed you about this, but it looks like you haven't read it.

    Can you edit this post: http://www.antionline.com/showthread...371#post710171 (click the little purple edit box on the top of the post!)

    And remove Mr Pollard's email address. He's the person that originally complained about the spam and since you have posted his email address then it is likely to become harvested and he'll receive even more spam.

    Steve

    edit/

    It might also be a good idea to remove the IP Addresses you show, since that may make them become a target for our less than moral readers of these forums.

    Steve