Hello there.

My workstation was flooded with viruses and trojans. It got hacked last night (how they got through our firewall - past our scanner is another topic) Might be b/c I left my station on all night, or really don't. Anyway.. we was blacklisted by a fair few places, but I have now removed the offending machine from our network until we can be sure that all viruses/trojans/malware has been removed.

The only place, is seems, we are still blacklisted with is spamcop.

mail.prometheuspress.co.uk
81.138.66.153

We cannot send out any emails, we can receive of course. This is costing us money, and I'm getting calls and frowns every other minute. So you can understand why I do not want to wait 9 hours for Spamcop to remove us.

There is a quick option "Send delist confirmation email to:" but, lol, none of the emails listed in the drop-down box are registerd with our company - why can we not add in our own?

Anyway, is there a way to get delisted ASAP?

Thank you very much indeed. Forgive me if I proposed my question in the wrong format. This is like the 7th email I've had to make practically begging for some company to remove us, so we can stop losing money.

You can send out as many emails as you like. Spamcop has no control over your server. Whether the recipients will choose to receive them or not is another matter... Those using the SCBL in blocking mode (not recommended, but it's their server, their rules) will reject with a 5xx. Those using it to tag possible spam will find it their held mail. No business should rely on email alone to contact its customers. You could phone those you are having difficulty reaching and ask them to whitelist you.

Why can you not add your own? Because you could be just anybody! Only the registered abuse, postmaster etc. address for the IP can do it. If you are not he then talk to your provider about being registered. Do you work for prometheus press? or are they your upstream provider?

Edit: I see the BT are your upstream and that there is no registered abuse address: contact BT about this. Senderbase shows no evidence of the spew having halted.

Hello Derek - thank you very much for you response.

Yes, I do work for Prometheus Press - I'm the only IT guy in the establishment. Firstly, I'm all very new to this - so forgive my lack of knowledge. I know there are many forms of communications, and have asked users to send mail via a browser based client if the email is deemed to be very important.

I was just under the impression that once we got delisted from SpamCop users would be able to send email again. Just like they did yesterday, before we got attacked.

But, you have given me some useful information in that I can get users to contact the various compaines and ask them to add us to their whitelist. I can send emails to hotmail, but to all other addresses they are not getting through, with no indication that they are not getting through. Before I was delisted, from most other places, this morning I was receiving notifications that emails were not getting through. Now emails are not getting through, but with no indication - which is causing no-end of trouble.

Gah.. I don't know what to do. How can I get delisted from spamcop quicker? - it is not possible for me to get the email addresses listed in the drop-down box registered.

Thank you Derek for you help in this stressful time..

If you're not being refused at the time of the SMTP transaction with a 5xx then they are getting through but sitting in the recipient's 'held-mail', 'spam' or equivalent folder. I'm surprised that there is no postmaster[at]prometheus.co.uk. account. Can you simply not create one? Then you can express de-list BUT as I said in my edit above, Senderbase shows no sign yet of a slowing down of the spew so be VERY sure the problem really has been solved before using it. It's a one-time-only get-out-of-jail-free! If you hit the spamtraps again after de-listing you'll be listed for longer (second offence, mi'lud).

Spamcop is entirely automatic, de-listing happens within 24hrs of the last spam detected.

Hi
I have added a postmaster email address. But yes, as you expressed Senderbase does show that we are still spamming.. This is turning out to be a nightmare. The trojan that was loaded into my system was the win32/virut which has basically infected every single .exe rendering my main PC useless. Now I had to download another AV scanner for it to be noticed on my PC - therefore, this virus could have infected the whole company.

Today just gets worse and worse.

I will run a AV scan on all other PC's and see if I catch anything. If not, then I'll hit the confirmation button and hope.

thanks for the info

spencer

EDIT: Right, I have run scans on the rest of the PC's in our domain and have found no viruses/trojans. However, SenderBase still shows activity, and SpamCop has still blacklisted. Is there anything else I can do? I'm fairly knew to all this, therefore do not know what to do. I do not want to send the confirmation and get Mul'ad!

www.linuxmint.com and never worry about a trojan again

Do you have a firewall that can be set to block port 25 (SMTP) traffic from all but your email server? Does it log what machines are sending messages out on port 25?

I am not an admin but time spent in here leads me to suggest checking your firewall logs and making sure that NOTHING except your mailserver has access to port 25. AIUI many trojans install their own mailserver and don't go through the 'official' one so no other machine should be able to access the 'out' port. Or something like that. Someone who knows more about it will be along soon, I'm sure!

Edit: and as I typed someone did!

Hello Steve - thank you very much for taking the time to respond.

Unfortunately our firewall is run by a monthly paid IT company - I do not have access to this. And at present they are moving, so cannot provide any help.

I have read that stopping all SMTP traffic, apart from the mail server, will help - and will get this ammended as soon as possible.

I only have 10 users (Printing Factory) here. I have run AV scans on most of the PC's and nothing. So I do think that my PC (god, thats hurting - I left my pc on last night, had loads of windows open - I had logmein open, and a SSH window/connection - but both these are encypted.. Surely this did not give the trojan a open door?)

Anyhoo. I'm serioulsy thinking I should hit the send confirmation button and get an email sent. But I do not want to be without out-going mail for days.. People here are blaming me.. everyone's got the hump with me.. lol..

I'm hearing ya Derek - but, lol - I cannot touch our Router (BT's propriotory software) and I cannot access our Firewall.. My hands are cut off - I cannot install AVG on the work PC's because that is bothering everyone. I'm fairly new to IT, and having the worst day of my life

I'd rather have piles.

I hope you are not paying them for today...

Hi SpencerK!

This is surely a steep learning experience for you but there really is no short cut to resolving the problem.

You can't scan 'MOST' PCs. you have to do them all. In fact you should disconnect each PC until all have been scanned and confirmed as clean. Only then reconnect each one to your network. To me that sounds like you need to work late when many of the PCs are not being used.

If your colleagues want their Email and web access then they need to accept that you have to take drastic action to get them back online. If they will not let you install an anti-virus package then you need to convince them.

As for leaving logmein and an SSH session open... perhaps you need to give some serious thought to security regardless of whether this could be the route of infection. Your company has lax security and if you all continue this route then it will be no time at all before you get further problems.

Take a deep breath, do the necessary work to identify the offending machines, fix them and put security in place for the future.

From you description I can't imagine anyone with authority willingly delisting you.

Andrew

Hi Andrew - indeed I am staying late tonight. And I really do understand the necessity of security and feel somewhat ..erm, whats the word.. pissed? That it was my fault (to some extent) that this happened. I know leaving my PC with said apps open was not in best practice. But logmein is 232bit Encryption, and SSH is meant to be secure. This still does not make it acceptable. But I have been doing this for months, and suddenly this happens. What does grind me a bit though, I have said to my boss many times we need to update our ancient virus scanner Mac ver 7 Enterprise - it does not pickup viruses or trojans well. I have to go round and scan with MS-Tool, Malware bytes every 2 weeks.

I have spoken to our IT people, the first bloke did not really understand what I was saying, but I sent them a mail confirming that I wanted all traffic on port 25 restricted apart from our mail server.

I will wait until everyone has gone, then scan all PC's using AVG - as AVG found the win32/virut virus on my machine.. Still, this particular nasty virus does not send out spam emails.. Anyway, thanks for your support.

That definitely suggests another machine or machines is infected so hopefully your nocturnal efforts will pay dividends.

Andrew

Noted that at 18h38 gmt on 3 March - 81.138.66.153 not listed in bl.spamcop.net

Hello Andrew - well, did a scan on all other machines and found nothing. Did a backup while I was there.

So I basically think it was my PC alone that caused the issues. Which brings me to the point why, why suddenly did my PC get about 50+ Malware and numerable viruses - which I did nothing different then any other night.

Well, I think that some of the factory "lads" have come up to my office and had their way with my machine. I noticed the door closed, when I leave my office open.. Other little things I noticed as well. No way would having a SSH open + logmein active cause all these trojans to become active - hell, I would have to actually click on something.. I will investigate this further. Shame my main PC is totally buggered now, could have looked at the logs.

Anyway, I hit the confirmation button, and received the email - then confirmed the email. Fingers crossed it works. All machines in my workplace where shutdown. So if we are producing spam its only coming from the main server. I just hope this works, then I can try to save all my work on my main PC. I only have access to the task manager.. There was a barracuda site also that our "rep" was bad on - but I sent them a mail.

What a whole knew world this spam prevention is..

Anyhoo - thank you very much for your help, will note here if all is alright. Don't think I could stand another "My emails come back to me".

Hi, SpencerK!...Probably an analogous reason to why although I brush my teeth twice a day every day, I had no cavities all last year but one cavity the first checkup this year. The bacteria (spammers) finally caught up with me (you)....Sounds like you might need to not only keep your door closed but locked. If you use MS Windows, you might benefit from setting the password-protected Screen Saver feature of Windows with a timeout (Windows key - L will lock your PC if your version of Windows and your keyboard are of relatively recent vintage).
...Good luck. And thanks for taking this anti-spam and anti-malware security stuff so seriously! Wish your predecessor(s) had!

Coming into this late, having to note that except for agsteele's and tueretzer's last posts, all were edited to remove excessive vertical whitespace and excessively quoted material. Default display has the whole list of posts displayed, so if the entire content of a previous post has to be seen, one can simply scroll a bit back up the page .... editing down the quoted material to just the line being responded to shortens up that required scrolling motion and usually removes the need entirely.

Primary reason for this post is to set a data-point ... there has been talk about SenderBase numbers, but showing up late, I have no idea what those numbers were, much less if they are on a downward trend yet ....

http://www.senderbase.org/senderbase_queri...g=81.138.66.153
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 3.2 .. 204%
Last month .. 2.7

WHOIS data; can't recall ever seeing a .biz address used to provide DNS for a .com Domain .. weird ...???
Domain name: prometheuspress.co.uk
Registrant: Minotaur Group PLC
Registrar: LCN.com Ltd [Tag = LCN]
URL: http://www.lcn.com
Name servers:
ns0.lcn.biz
ns1.lcn.biz

Some confusion, maybe that's because it is confusing ... you're the only IT guy, but ..... firewall not under your control, router not under your control, corporate/IT policies and rules not under your control .... definitely not an envious position to be in .... maybe needs to be pointed out to someone, if you've got the title, responsibility, and are the person that gets hammered, then you also need "the power" to do something about all this stuff.

Relying on a single tool to handle "all security" is a fool's game these days, and that's even ignoring the fact that anti-virus tools are reactionary for the most part .. i.e., finding the infection only occurs 'after' it's out in the wild, has been captured by someone, submitted to the anti-virus analysis team, code worked up to identify it, possibly remove it, add it to the database, publish the updated database, which then has to be downloaded and installed by the end-user .... lots of time in that process for bad things to happen ... and that's only for the things that the particular tool actually looks for and recognizes. Virus infection is not the same as malware infection, which also doesn't necessarily address a root-kit infection, on and on .... the reason for needing multiple tools ...

1720% all afternoon (GMT). OP and I both in UK on GMT.

Thanks Derek .... much appreciated .... makes things look very good at the moment then.

Being in Delhi this week, I can easily add a middle of the night (for the UK) reading:

At 02h06 gmt still not listed. Senderbase score for last day= 3.1 and 153% change

Andrew

Thank you very much for the information there. And you sure are right about me not having "the power". I'm working at a printing factory that basically has no IT infrastructure - we are running Windows Server 2000, our router is 6 years old and we cannot access the interface to enable port restrictions, we have cables stuck in place by tape. Our switch is so unstable that if you remove a single RJ-45 plug from one floor outlet, place into another, it could short out any particular connection/phone connection. Our firewall, exchange server is handled by an IT company - which means to get anything done I have to call them and deal with their less than cheerful support personnel.

Why is it like this? Well, because my employer simply does not want to spend any money. He has got me in here simply on the "cheap" option because he is launching an online print procurement bit of software that he needs someone to run, me. I have been studying for 6 years, and have little to no relevant work experience.. Well, I have a lot more now then when I started 5 months ago.

I do indeed run Malware Bytes, Windows security tool, various apps every 2 weeks to keep on top of things - the most we have ever had was 3/4 trojans.. Now this situation was totally different - firstly only my machine was infected - went round and installed AVG (ignored our enterprise AV) and found nothing.

Now, like I said, my machine is locked down for the most part - no RPC, Spybot running, NETBIOS turned off. Firefox + no scri_pt - then general light security preventions. In all the many years I've been working with comps I have only had one virus/trojan - that was b/c I clicked something I should not have. My only, idiotic, mistake was leaving my PC unlocked. That certainly wont happen again...

What I need to understand, so this does not happen again, is how could a trojan be downloaded onto my machine, then run, apparently this would mean I would have to have had a trojan on my pc to enable someone to take control - it must have been someone downloading, working, on my PC when I was not in my office.

How could a hacker gain control of my PC, that would mean he penetrated our firewall + NAT and specifically targeted the one of the 4/5 PC's that is left on each night. He targeted my PC, then proceeded to upload multiple trojans and viruses. It is possible sure.

Or was it a case of the factory staff having a walk about late at night, found my PC - turned on the monitor and started visiting certain sites. Which they have been found to do before on the Data Capture units in the factory floor. Why not go to another PC where they will not get found out..

Anyway, we can send and receive mail now. All I have to do is try and salvage my main PC with all my work on it. The virus I had infected every .exe - and when I run AVG it healed all of them - which is said it would not heal critical files - so I only have a blank desktop and access to Task Manager - no windows services are running, there are no valid paths to anything. I can see my files through the CMD, so hopefully I can remove the HD and set it as slave, then extract all the data.

This was a good learning experience I must say.. Just hope next time it's a bit easier.. If I had hair, I would have pulled it out!



Thanks for listing and your help, and have a wonderful day!\

EDIT: Not sure if you are interested, but found this page which basically describes how one could get infected with my particular virus.. Boy, this bugger is nasty - unless you power cycle it could stay around after you have deleted/created a new partition.

http://community.ca.com/blogs/securityadvi...-the-loose.aspx

That pretty much describes the process of getting my particular trojan - accessed by visiting a hijacked HTML page. Funny thing is, IE was open on my PC when I first entered my office - I never use IE unless to test HTML code for websites.. I use Firefox with no scri_pt! So my pc was not hijacked, I got in this mess by someone visiting a hijacked page..

Geeze .. imagine my reaction to seeing my words about editing quoted material, suggestion to not quote an entire previous post, even citing the simple action of scrolling up and down a web-page being .. being quoted in it's entirety a couple of (short) posts later .... actually has left me not wanting to reply to that post at all. Yet here I am talking 'about' it.

http://www.senderbase.org/senderbase_queri...g=81.138.66.153
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 2.5 .. -33%
Last month .. 2.7

I almost took it out! But I thought it would be enabling.

But you have to remember, Wazoo, that the poor fellow has had an overload of new information lately! I know that if I were in his shoes, I wouldn't be paying attention to details not immediately relevant to my problem! Maybe now that he has figured out that he didn't download the trojan, he will be more open to figuring out how to use the forum.

Miss Betsy

Wazoo, I am sorry - I honestly didn't realize you was addressing me in your previous post. It is not a case on figuring out how to use the forum, as this issue of quoting (rightly or wrongly) has never been raised in any forum I have used.

But, I do apologize. If there was a way to edit my post and remove the offending quote, I would.