-
January 13th, 2004, 12:38 PM
#1
Junior Member
blocked ISP due spam
Hi all
My ISP suspended my account due to spamming. It looks like I am the innocent party here; I have never been involved in spamming. Did someone hack my e-mail address? I have Norton AVS and ZoneAlarm running, and no viruses were found. I signed up to a different ISP now... Any ideas what's going on?
-
January 13th, 2004, 01:15 PM
#2
Without further information it's impossible to answer this.
I know you say the ban is for spam, but have you been doing anything such as port scanning or vulnerability profiling from that account? If so, that may be the 'real' reason for the ban. What is your ISP's policy about this?
Can you tell us exactly what your ISP has written to you, informing you about this ban? If they haven't told you anything, contact them and ask. Once you have the information, contact them and politely explain that this was not done with your knowledge and ask them for your account back and then ask them for their help to prevent this from happening again.
Is your AV up to date with its definition files? If not, you may have a virus and not know about it. How is ZoneAlarm configured, since it is possible your computer is compromised and someone has set up your system to spam?
Are you DSL or dial-up?
Do you have a fixed IP or dynamic?
If you are dial-up or dynamic IP it's possible that your username and password for your ISP have been compromised, or your PC has been compromised.
Were you running a mail server? If so, what was the mail server, and how have you configured it to prevent it from being an open relay?
Have you had any other unusual behaviour from your PC?
We need more to help.
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
January 13th, 2004, 04:40 PM
#3
Hi
Another couple of questions:
1. Is this a PC or a server?
2. Is it always switched on and connected to the net?
If the answer to those is "yes" then you need to check that your settings prevent it being used as a router for the spam.
Cheers
-
January 13th, 2004, 06:24 PM
#4
If your ISP gave you any of the mail headers from the SPAM, I would also want to see those as well. Many worms/viruses (especially mail flooders) spoof the sender of the mail to be from people harvested from the infected person's computer. I can't tell you how many times I have had to walk irate, but clueless, admins through the process of examining the mail headers closer to show that they were forged...
Anyway, post them here, with as little changed as possible (I understand if you want to hide your username) and I will have a look at them...
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
January 13th, 2004, 08:03 PM
#5
Some ISPs have entire ranges of IP addresses blocked by "Spamhaus.org" (been there - done that !!) You may be in one of those ranges.
I would think as nebulus200 says....you are most likely infected with something.
Norton/AVG/McAfee etc don't always catch files that enter through NetBIOS ports 135-139.
(Is file sharing turned on?)
-
January 14th, 2004, 04:13 AM
#6
Close all programs and windows then run netstat -an and see if you have any listening ports or a connection to 6667. A lot of spammers use infected home users as spambots and use IRC to control these spam bots. Aside from 6667 just look for any connection that shouldn't be there. Sometimes viruses aren't picked up by any AV 'cause the signature is not in any AV database.
And please, get a firewall. Do the internet a favor and get a firewall. Spam is evil man, I would ****ing cry if my box was spewing spam.
It is better to be HATED for who you are, than LOVED for who you are NOT.
THC/IP Version 4.2
-
January 14th, 2004, 07:31 AM
#7
Junior Member
Thanks for all replies guys
Here is the e-mail from ISP about spam:
Subject: UCE: " H()t MHOMS-SALUTvS - fujckL, suvck (incNestS)m"
From: *****@XXXXX.ac.uk (*****)
Date: Fri, 21 Nov 2003 11:35:05 +0000 (GMT)
To: dialup-xxxxxxxxxacc02-waym-adl.comin...m.au@abuse.net
Reported address: XXXXXX
Incident time: 21 Nov 2003 11:42:00 +0000
Logon (utc): 20031121100542
Logoff (utc): 20031121132200
CLI: XXXXXX
DNIS: 142320198333466
Username: *****@bigblue.net.au
bref: GLOBALCEN
cref: GLOBALCEN
Ticket: 42505
I use dial-up to connect, so I guess it's a dynamic IP address. I have not noticed any unusual behaviour lately on the PC.
I ran netstat; here are the results:
System 4 0.0.0.0 445 LISTEN UDP
System 4 0.0.0.0 1028 LISTEN TCP
System 4 0.0.0.0 445 LISTEN TCP
lsass.exe 496 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe
svchost.exe 656 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 700 203.23.152.190 2234 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 700 203.23.152.190 123 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 700 127.0.0.1 3003 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 700 127.0.0.1 3002 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 700 0.0.0.0 1025 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 848 0.0.0.0 3060 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 848 0.0.0.0 3059 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 848 0.0.0.0 3037 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 928 203.23.152.190 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
svchost.exe 928 0.0.0.0 5000 LISTEN TCP C:\WINDOWS\System32\svchost.exe
alg.exe 1268 127.0.0.1 3001 LISTEN TCP C:\WINDOWS\System32\alg.exe
SAgent2.exe 1284 0.0.0.0 1027 LISTEN TCP C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
SAgent2.exe 1284 0.0.0.0 1026 LISTEN TCP C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
ccApp.exe 1916 127.0.0.1 3004 LISTEN TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
msmsgs.exe 3396 203.23.152.190 3361 LISTEN UDP C:\Program Files\Messenger\msmsgs.exe
msmsgs.exe 3396 0.0.0.0 3360 LISTEN UDP C:\Program Files\Messenger\msmsgs.exe
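Added example, not part of the original post: a small Python triage of a listing in the column layout shown above, separating listeners that only the machine itself can reach (127.0.0.1) from those bound to all interfaces or to the dial-up address, which are the ones the firewall has to cover. The sample rows are constructed (192.0.2.10 is a documentation address standing in for the dial-up IP), and the function names are illustrative.

```python
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "process pid address port proto path exposure")

# Constructed sample in the same layout as the listing above:
# process, PID, local address, port, state, protocol, optional image path.
SAMPLE = r"""
System 4 0.0.0.0 445 LISTEN TCP
svchost.exe 656 0.0.0.0 135 LISTEN TCP C:\WINDOWS\system32\svchost.exe
svchost.exe 700 127.0.0.1 3002 LISTEN TCP C:\WINDOWS\System32\svchost.exe
svchost.exe 928 192.0.2.10 1900 LISTEN UDP C:\WINDOWS\System32\svchost.exe
ccApp.exe 1916 127.0.0.1 3004 LISTEN TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""

def classify(address):
    """Say who can reach a socket bound to this local address."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "local-only"       # reachable only from the machine itself
    if ip.is_unspecified:
        return "all-interfaces"   # 0.0.0.0: every interface, dial-up link included
    return "one-interface"        # bound to one specific interface address

def parse_listing(text):
    """Parse rows of: process PID address port state proto [path with spaces]."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)   # keep the path, spaces and all, as one field
        if len(parts) < 6 or parts[4] != "LISTEN":
            continue                  # skip blank lines and non-listener rows
        process, pid, address, port, _state, proto = parts[:6]
        path = parts[6] if len(parts) == 7 else ""   # "System" rows carry no path
        rows.append(Listener(process, int(pid), address, int(port), proto,
                             path, classify(address)))
    return rows

def network_reachable(listeners):
    """Listeners a remote host could reach, ordered by protocol and port."""
    return sorted((l for l in listeners if l.exposure != "local-only"),
                  key=lambda l: (l.proto, l.port))

if __name__ == "__main__":
    for l in network_reachable(parse_listing(SAMPLE)):
        print(f"{l.proto} {l.port:>5} {l.exposure:<14} {l.process} (PID {l.pid}) {l.path}")
```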
-
January 14th, 2004, 02:03 PM
#8
Logon (utc): 20031121100542
Logoff (utc): 20031121132200
CLI: ************
Is this your phone number?
If not, someone knows your password. Is your password a 'strong password' - mixed case, mixed numbers and letters and not a word in a dictionary? If not, it could have been 'brute forced'.
Were you really online from 5.42am to 22.00pm - it seems a long time to be online for a dial-up. Did you expect to be online for that time? If not, this could suggest a number of things.
Forgive me, I'm not a Windows port expert, but others will comment, I'm sure. Port 1028 might be of interest, and more research into this: http://cert.uni-stuttgart.de/archive.../msg00031.html may be worthwhile.
Is your Windows patched and up to date?
Are you sure your virus definitions are up to date?
Steve
Edit : Home phone number removed!
-
January 14th, 2004, 02:28 PM
#9
Junior Member
Hmmm, that's interesting.. I am on dial-up and the max session is up to 4hr so it's not possible I was connected for all this time.... The phone no. is correct, and Windows and virus definitions are up to date.
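Added example, not part of any post in the thread: the ISP report quoted above ties the complaint to one dial-up session, so a first check is whether the incident time falls inside the Logon/Logoff window and how long that session lasted. It assumes the Logon/Logoff values are YYYYMMDDhhmmss in UTC, takes the 4-hour session limit mentioned in the thread as the default, and uses a constructed copy of the report fields with identifying values left out; the function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the field layout of the report above; identifying values omitted.
REPORT = """\
Incident time: 21 Nov 2003 11:42:00 +0000
Logon (utc): 20031121100542
Logoff (utc): 20031121132200
"""

def parse_fields(text):
    """Split 'Name: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def compact_utc(stamp):
    """Assumption: the compact stamps are YYYYMMDDhhmmss in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_session(text, max_session=timedelta(hours=4)):
    """Correlate the reported incident with the session the ISP attributes it to."""
    f = parse_fields(text)
    logon = compact_utc(f["Logon (utc)"])
    logoff = compact_utc(f["Logoff (utc)"])
    incident = datetime.strptime(f["Incident time"], "%d %b %Y %H:%M:%S %z")
    duration = logoff - logon
    return {
        "logon": logon,
        "logoff": logoff,
        "duration": duration,
        "incident_in_session": logon <= incident <= logoff,
        "within_max_session": duration <= max_session,
    }

if __name__ == "__main__":
    for key, value in check_session(REPORT).items():
        print(f"{key}: {value}")
```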
-
January 14th, 2004, 03:10 PM
#10
Antares65 - I've PMed you about this, but it looks like you haven't read it.
Can you edit this post: http://www.antionline.com/showthread...371#post710171 (click the little purple edit box on the top of the post!)
And remove Mr Pollard's email address. He's the person that originally complained about the spam and since you have posted his email address then it is likely to become harvested and he'll receive even more spam.
Steve
edit/
It might also be a good idea to remove the IP Addresses you show, since that may make them become a target for our less than moral readers of these forums.
Steve