
Need Help


dra007


Wazoo....

I have been following the spam flow in the past few days... Seems I have shut down the flow through the Global Crossing pipeline to nearly zilch; I am, however, still getting some from Level 3. Since both seem to be close to the above spammer, should I make anything of this pattern?


Perhaps not as directly as you'd like ... but Level3 isn't exactly beloved by the anti-spam side of the house. So it is possible that Global has done some modification of its peering "priorities" assigned to traffic from your favorite folks. I don't think that there's a way to actually try to verify something like this from "our" status of just internet users ...


Probably not... But I used to get quite a bit of spam from GX, and I know for certain they opened/confirmed receipt of my detailed complaint, though they never answered it directly. As for the guilty IPs, a whole range of them was completely shut down at the source, for a while anyway.


  • 3 weeks later...

Not there, no idea of what you're really describing, so not a wise move to critique another tech's work / prices from afar ... However, ...

Had spent several hours going through a client's system a couple of weeks back; according to some notes here, 27 porn dialers, 147 "interesting" items in the Run section of the Registry, over 3 GB recovered in hard drive space when I was done .... got a call yesterday that it wouldn't even boot, and just prior to trying to re-boot, it was running very slowly. End of the story turns out to be the new girlfriend doing a bit of 'snooping' .. found all these deleted e-mails, and fell for the social engineering of all the spam ... she had just started clicking away on all those links, looking to see just what kind of stuff "he'd" been looking at ... Firewall, anti-virus, anti-spyware, on and on .... no match for the strength of a powerful mouse-button clicking finger!!!! <g>

Trust me .. that was a long conversation <g>


Do you suppose that dra007 has a saboteur in hir office? Someone who sneaks in and clicks on all the links in her spam and virus laden email? Maybe the same person was responsible for planting hir email address in spammers' lists??? Probably knows exactly which websites to go to get trojans, too.

Miss Betsy


Wazoo:

I kept running several anti-spyware programs and antivirus programs on a regular basis prior to the last incident. I use this computer mainly for my work and I don't surf except for business to trusted sites. Last Friday I finally had a warning from the antivirus that someone was planting a virus that could not be repaired or quarantined; it just popped up, so it was not from an e-mail or website, but I presume pinged or FTP-ed. Turns out there were 20 of them by the time I got it fixed.

I have a hard time believing that of the 3-4 antivirus programs I used, none were able to detect the viruses. Only after the attack last Friday was I unable to run the operating system or update the virus definitions.

Firewall, anti-virus, anti-spyware, on and on .... no match for the strength of a powerful mouse-button clicking finger!!!!

Well... by the time they were done all I had was a black screen and I was unable to even start the BIOS. I had to take it to a shop, reformat the hard drive and re-install several programs I use in my work. As soon as I put up my firewall I had a hacker alert:

Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024).

Inbound TCP connection

Local address,service is (0.0.0.0,1024)

Remote address,service is (localhost,1133)

Process name is "C:\WINDOWS\Explorer.EXE"

and several attempts immediately after that one.. I called my ISP and the tech told me he gets that type of junk all the time... Obviously, they cannot track the origin... this is not an accident or random action... I have been under constant attack for a long time..

Do you suppose that dra007 has a saboteur in hir office? Someone who sneaks in and clicks on all the links in her spam and virus laden email? Maybe the same person was responsible for planting hir email address in spammers' lists??? Probably knows exactly which websites to go to get trojans, too.

Miss Betsy, I am a scientist in a medical school. I have no problems with my computers at work. It is the one at home which was attacked. At work we are behind several firewalls, but hackers did get through on other computers to download music files and the like, not in my office though. The computer in question I use at home, and it uses a different provider. They are slow as molasses to react to complaints and I have to back them up with more data. I guess having a log of hacking attempts will help. I already have a mile-long collection of virus-attached e-mails (defanged) but clearly identified by my ISP's filters.

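The five alert lines quoted in the post above can be read mechanically. The following Python is an added example written for this page, not code from the thread or from any firewall vendor: it parses alerts in that exact format, sorts the remote endpoint into loopback, LAN, non-routable or external, and produces the one-line verdict an abuse desk asks for first. The posted alert is used verbatim; the second alert, its RFC 5737 addresses and the "N/A" process name are constructed for contrast.

```python
import ipaddress
import re

# Alert text as posted in the thread above (one event, five lines).
POSTED_ALERT = '''Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024).
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,1133)
Process name is "C:\\WINDOWS\\Explorer.EXE"'''

# Constructed alert in the same format, for contrast. The addresses are from
# the RFC 5737 documentation ranges and are not taken from the thread.
CONSTRUCTED_EXTERNAL_ALERT = '''Rule "Default Block Netspy Trojan horse" blocked (192.0.2.10,1024).
Inbound TCP connection
Local address,service is (192.0.2.10,1024)
Remote address,service is (203.0.113.45,51822)
Process name is "N/A"'''

_RULE = re.compile(r'^Rule "(?P<rule>[^"]+)" (?P<action>\w+)')
_DIRECTION = re.compile(r'^(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection')
_ENDPOINT = re.compile(r'^(?P<side>Local|Remote) address,service is \((?P<host>[^,]+),(?P<port>\d+)\)')
_PROCESS = re.compile(r'^Process name is "(?P<process>[^"]+)"')

# Address blocks that cannot be the source of traffic arriving from the Internet.
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_alert(text):
    """Turn one multi-line alert into a dict; fields the alert lacks stay None."""
    event = dict.fromkeys(("rule", "action", "direction", "proto", "local_host",
                           "local_port", "remote_host", "remote_port", "process"))
    for line in text.splitlines():
        line = line.strip()
        m = _RULE.match(line)
        if m:
            # The rule name says which rule matched, not which program was seen.
            event["rule"], event["action"] = m["rule"], m["action"]
            continue
        m = _DIRECTION.match(line)
        if m:
            event["direction"], event["proto"] = m["direction"], m["proto"]
            continue
        m = _ENDPOINT.match(line)
        if m:
            side = m["side"].lower()
            event[side + "_host"] = m["host"]
            event[side + "_port"] = int(m["port"])
            continue
        m = _PROCESS.match(line)
        if m:
            event["process"] = m["process"]
    return event


def classify_remote(host):
    """Say where the far end of the connection lived."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved-name"        # a hostname the firewall did not resolve
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified or addr.is_multicast or addr.is_reserved:
        return "non-routable"
    if any(addr in net for net in _LAN_NETS):
        return "lan"
    return "external"


def triage(text):
    """Parse one alert and attach the verdict a practitioner needs first."""
    event = parse_alert(text)
    origin = classify_remote(event["remote_host"] or "")
    if origin == "loopback":
        verdict = ("connection originated on this machine (process %r); "
                   "there is no remote address for an ISP to trace" % event["process"])
    elif origin == "external":
        verdict = ("inbound from routable address %s port %s; keep the timestamp, "
                   "address and port for an abuse report"
                   % (event["remote_host"], event["remote_port"]))
    else:
        verdict = "remote side is %s; not something an upstream can act on" % origin
    event["origin"] = origin
    event["verdict"] = verdict
    return event


if __name__ == "__main__":
    for alert in (POSTED_ALERT, CONSTRUCTED_EXTERNAL_ALERT):
        print(triage(alert)["verdict"])
```

The posted alert classifies as loopback, because both endpoints (localhost:1133 and 0.0.0.0:1024) are addresses of the machine itself; only events whose remote side classifies as external carry an address that an ISP abuse desk can look up, which is what to filter for before handing a log over.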

Miss Betsy, I am a scientist in a medical school. I have no problems with my computers at work. It is the one at home which was attacked. At work we are behind several firewalls, but hackers did get through on other computers to download music files and the like, not in my office though. The computer in question I use at home, and it uses a different provider. They are slow as molasses to react to complaints and I have to back them up with more data. I guess having a log of hacking attempts will help. I already have a mile-long collection of virus-attached e-mails (defanged) but clearly identified by my ISP's filters.

Sorry, I assumed that it was the one at work since that was the one that you had posted problems about before. It is possible to get viruses and trojans via a network, I believe. My computer at work had problems that stemmed from a colleague's computer which had several malware programs and a couple of viruses. If someone had breached the university firewall to download music, it is possible that your problems at work stemmed from that.

There is a site that tracks hackers (someone else can tell you how to submit logs since I decided it was too complicated for the time I have to do that kind of thing). However, I have thousands of attempts that were blocked on my home computer. I think everyone does. It is generally suggested that one ignore the logs (turn off the notifications that an attempt has been blocked) unless you really understand what kind of attempts are being made. I also don't believe that your home ISP can do anything about hacker attempts. If you have DSL or cable, you probably should have a router that blocks those hacker attempts. They are much stronger than the software firewalls, I understand.

I hope that everyone at home also understands about computer safety.

Miss Betsy


The last alert was pretty simple....someone was trying to plant a virus and managed to breach and disable my firewall and virus block software, took me a few more days to fix...it didn't take them long...

I suspect it was pinged or telnetted (couldn't tell from the logs)... I discussed the logs with the ISP tech rep, who said that the hacker appeared as if it originated on the network with no trackable IP... I was on a DSL line at home.

Since my last post I got bombarded with a few dozen viruses and reject/mail delivery failures containing MIME exploits... seems this hacker is quite determined and spends too much time on the internet... Perhaps upset I have the audacity to fight him/her... (though judging from the aggressiveness most likely a testosterone-loaded him)...


Hey dra007, just thought I'd comment since I was very interested in what's going on here. First of all I'd like to commend you on your efforts; you are probably helping out thousands of others who have received spam from these bastards. Even if only for a week or two before they move.

I've only recently started to join the anti-spam fight. I started using the SpamCop reporting service a few months back and am now using its BL to filter all the spam my company receives. It's working great so far; however, I want to achieve better results.

I usually have plenty of time (and company resources) to do the sort of fighting you've been doing, so I guess I'm asking, how did you do what you are doing? I understand most of the basics, from looking up the network contacts in a whois-type setting.

But do you actually call the network admins? What do you say to them? How do you know if they are just lying bastards? How do you get the upstream providers to do anything?

Basically I'm highly motivated to become a soldier in the spam battle and I need a battle to be thrown into. I just need some BASIC training first.

If you feel it is unnecessary to post such details here, feel free to email me through Spamcop.

Thanks for your time dra and everyone else,

Jimemac


I usually have plenty of time (and company resources) to do the sort of fighting you've been doing, so I guess I'm asking, how did you do what you are doing? I understand most of the basics, from looking up the network contacts in a whois-type setting.

Basically I only got replies from them after starting to cuss in their own language; exchanged a few e-mails, enough to find out who they were. The e-mails from them got abusive as soon as I confronted them with the evidence. Now they are blocking even the SpamCop reports. As far as upstreams go, they kept very quiet and never directly (except for automated acknowledgements) have they answered my queries. That is rather strange since I have only attempted to contact them after accumulating plenty of evidence and sorting through it.

So it seems to fight these bastards you somehow always have to stay on top of them, which for me was rather difficult since I started from scratch and had to teach myself the basics.


Well... since I have tightened up my firewall and removed all vulnerable accounts I have had a few dozen hacker/trojan attacks blocked... untraceable, unfortunately...

It's a lot of work checking and configuring each program manually, ...can be frustrating, but hopefully I am protected

..that remains to be seen..


It is interesting to note that since the end of July I have collected over 43 virus-infected e-mails (identified by Postini), mostly from RDSnet-controlled IPs...

PS. Not just venting, I directed a couple of administrators to read the post...deleted as per Wazoo request...


I take most of his recent posts as venting and ignore them.

I too get viruses caught by Postini all the time. I take the headers and send a polite email off to the administrator (usually found using SpamCop) explaining that I received a virus from IP address x. I have gotten several return emails that the customer was notified and help provided in removing the virus. If the messages don't stop from specific IPs, I block the IP for 30 days (I am the administrator for the network). No more viruses.

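The procedure in the post above starts with the message headers, where the sending IP has to be established before anything can be reported or blocked. This Python is an added example for this page (not the poster's code and not SpamCop's): it unfolds the Received: chain, walks it from the newest hop downward while the receiving host is one of our own, and stops at the first address that handed the message to our perimeter, the only hop whose address we can trust. The message, the host names and the trusted-relay set are constructed; the outside address is from the RFC 5737 documentation range.

```python
import re

# Our own mail hosts and internal relay addresses. These are assumed names for
# the example; a real deployment lists its actual MX and relays here.
TRUSTED_BY_HOSTS = {"mail.example.org", "mx.example.org"}
TRUSTED_RELAY_IPS = {"192.0.2.7"}

# Constructed message: three Received: lines, newest on top. The bottom hop
# claims the mail came from a bank; it lies below our perimeter and is forgeable.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.7])
\tby mail.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.org>; Fri, 13 Aug 2004 09:12:44 -0400
Received: from [203.0.113.45] (helo=user-pc)
\tby mx.example.org with smtp id 9F8E7D; Fri, 13 Aug 2004 09:12:40 -0400
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.20])
\tby user-pc with SMTP; Fri, 13 Aug 2004 09:12:38 -0400
From: "Support" <support@bigbank.example>
To: user@example.org
Subject: Important notice
Content-Type: text/plain

(body omitted)
"""

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw):
    """Return the Received: header values, newest first, with folding undone."""
    header_block = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", header_block)       # RFC 5322 unfolding
    return [line.split(":", 1)[1].strip()
            for line in unfolded.split("\n")
            if line.lower().startswith("received:")]


def handoff_ip(raw, trusted_by=TRUSTED_BY_HOSTS, trusted_relays=TRUSTED_RELAY_IPS):
    """IP that handed the message to our perimeter, or None if it cannot be established.

    Walk from the newest hop downward while the receiving ("by") host is ours.
    The first hop whose sending address is not one of our own relays is the
    handoff; every hop below it was written by someone else and may be forged.
    """
    for hop in received_hops(raw):
        by = _BY_HOST.search(hop)
        if not by or by.group(1).lower() not in trusted_by:
            return None                  # chain broken before the handoff was found
        ip_match = _BRACKET_IP.search(hop[:by.start()])
        if not ip_match:
            return None                  # our own MX did not record an address
        ip = ip_match.group(1)
        if ip in trusted_relays:
            continue                     # internal relay: keep walking down
        return ip
    return None


def abuse_report(raw):
    """Report body of the kind described above: the handoff IP plus the evidence."""
    ip = handoff_ip(raw)
    if ip is None:
        return None
    lines = ["A message reached our mail server from %s." % ip,
             "Received: chain as seen here (newest first):"]
    lines += ["  " + hop for hop in received_hops(raw)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_MESSAGE))
```

The bottom Received: line names a bank's mail server, but it was written by whoever controlled the sending machine, so the walk never gets that far; the address that goes into the report is the one our own MX recorded. This perimeter determination is what SpamCop's mailhost configuration exists to make for the reporting user.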

If the viruses were random from a number of sites, I might understand that comment... but getting 4-6 viruses a day from the same IPs for 7 months and having it continue despite repeated requests to their admins to end it is far from random...


If the viruses were random from a number of sites, I might understand that comment... but getting 4-6 viruses a day from the same IPs for 7 months and having it continue despite repeated requests to their admins to end it is far from random...


If the messages don't stop from specific IPs, I block the IP for 30 days (I am the administrator for the network). No more viruses.

Talk to the administrator of the Postini account for the domain. They can block the IP address sending the virus for up to 30 days and program the block message (from 4 choices) to let the sender know (if it is an actual server) that their messages are not welcome.

Your situation could mean the admins you are contacting are incompetent, or unwilling to fix the problem, or don't understand the message you are sending them (I've had that problem with admins in China I have contacted, where they did not understand English and I did not understand Chinese). Contacting their upstream got the problem resolved. It could also mean, as you have stated, that this is something personal. I tend to think I'm not important enough for someone to have a grudge against me. B)

I have had one dialup customer of bluewin.ch who has sent me 2 viruses within minutes of each other every time he has connected to the internet. Always the same virus and always the same exact order of distribution to many of my company's email addresses. The IPs change because it is dialup. I ended up blocking all of bluewin.ch's IP space (5 separate IP ranges) after ~45 days of sending the information to abuse<at>bluewin.ch and getting their automatic reply (which is in Chinese, English, and Spanish if I remember properly).


I have heard of other people who have gotten viruses regularly from the same IP address for long periods of time. All that means is that there is someone who is infected (and may have infected their friends at the same IP address) and that the admin will not disconnect them. The admin may not even pass the information along to the infected party.

Once your email address is picked up by the virus, until the infected machine is disconnected or cleaned, you will continue to get viruses. Usually, one or two notifications to the proper IP address stops them (especially if you can name the virus). But as Stephen pointed out, sometimes it takes longer.

It appears that you have encountered one of those abuse desks that will not be cooperative (or possibly they have a policy of notification, but the person with the infected machine will do nothing and they don't have a policy of disconnecting).

I know that you have said that you get a virus in response to an abuse report and that the incidence is too high to be coincidental. At a quick glance, not all of the posts seemed to be viruses from the one place. In fact, some of them looked to be spam with perhaps an attachment.

I hope that the administrators you asked to look at them will be able to sort them out.

Miss Betsy


If they do start up again, I've found that having a FriedSpam.net party with 10 of your friends for a couple weeks usually knocks a clue into the spammer's thick skull.

Hitting their website about 100,000 times a day per FriedSpam participant tends to do that. What I've found to be extremely effective is to contact the spammers and TELL them that you'll be hitting their sites, and tell them to never send spam to your domain again.

I've only gotten 3 spams so far this week. Of those three, one was from a newbie spammer, and two were from USA Lenders Network (ironically, they give their address as being in Canada), whose sites I've been working on / mauling for a while now.


That is superb! Finally a way to give the bastards what they want! I love it! Some creative thinking went into that one.


Talk to the administrator of the Postini account for the domain. They can block the IP address sending the virus for up to 30 days and program the block message (from 4 choices) to let the sender know (if it is an actual server) that their messages are not welcome.

That is why I posted the collection here and directed 2 of my admins to read that in context with the background I built over time here. As for talking to Postini, it is up to my admins who use their service to do it. They are aware of the problem.

Your situation could mean the admins you are contacting are incompetent, or unwilling to fix the problem, or don't understand the message you are sending them (I've had that problem with admins in China I have contacted, where they did not understand English and I did not understand Chinese). Contacting their upstream got the problem resolved. It could also mean, as you have stated, that this is something personal. I tend to think I'm not important enough for someone to have a grudge against me.

The admins of the offending IPs are all under RDSnet (Romanian Data Systems), discussed in previous threads. I have exchanged e-mails with several of them, at different levels, in their mother tongue. Went as far as their ministry responsible for the internet in that country... the abuse abated for short periods only to restart more aggressively every single time.

Note that RDSnet is a noted spam gang hub in Spamhaus..... There was no sign of incompetence when I reached the appropriate levels; my own suspicion is that that banana republic is so corrupt that silence is bought cheaply. It is the same pattern as the repeated spam we get from hanaro, dot cn and dot br spammers; nothing ever stops it!

The abuse has been going on since last December and it was what brought me to spamcop in the first place!


Once your email address is picked up by the virus, until the infected machine is disconnected or cleaned, you will continue to get viruses. Usually, one or two notifications to the proper IP address stops them (especially if you can name the virus). But as Stephen pointed out, sometimes it takes longer.

If you followed the threads here, the idea behind it was to find upstream ISPs, since the ISP of origin was not only unresponsive but abusive as well. All I got so far was automated replies and a promise that a whole range of IPs would be disabled... They were, but that block missed the most offending of them... Not only did they continue the attack aggressively, but they called me twice trying to sell me their phone cards.

Obviously they looked into my identity after I complained to their admin.

Here is their IP: Offending phone company

They not only send 4-6 viruses a day, they send spam:

217.156.87.150 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

SpamCop users have reported system as a source of spam about 20 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

In the past 57.7 days, it has been listed 10 times for a total of 36.1 days

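The listing block quoted above is SpamCop's web view of a DNS-based blocklist; a mail server asks the same question over DNS. The following Python is an added example for this page, not SpamCop's code: it builds the reversed-octet query name, interprets an A-record answer inside 127.0.0.0/8 as a listing and NXDOMAIN as "not listed", and runs the RFC 5782 health check (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting the zone at all. The stub resolver is constructed from the one listing quoted above plus that test entry so the code runs offline; pass resolve=socket.gethostbyname for a live query.

```python
import socket

ZONE = "bl.spamcop.net"

# Constructed stub zone for offline use: the listing quoted above
# (217.156.87.150 -> 127.0.0.2) and the RFC 5782 test entry for 127.0.0.2.
_STUB_ZONE = {
    "150.87.156.217.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
}


def stub_resolve(name):
    """Behave like socket.gethostbyname against the constructed zone above."""
    try:
        return _STUB_ZONE[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN (constructed stub)")


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone:
    217.156.87.150 -> 150.87.156.217.bl.spamcop.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted quad required: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return the 127.x.y.z listing code, or None when the IP is not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None                                  # NXDOMAIN: not listed
    if not answer.startswith("127."):
        # Anything outside 127/8 is not a DNSBL code; the zone is misbehaving
        # (typically a parked or wildcarded domain) and must not drive blocking.
        raise RuntimeError("%s answered %s for %s; not a DNSBL code" % (zone, answer, ip))
    return answer


def zone_is_sane(zone=ZONE, resolve=socket.gethostbyname):
    """RFC 5782 health check: 127.0.0.2 listed, 127.0.0.1 not listed.
    A zone failing this is dead, parked or wildcarded and its answers are unusable."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


def should_reject(ip, zone=ZONE, resolve=socket.gethostbyname):
    """The SMTP-time decision: reject only when the zone is healthy and lists the IP."""
    if not zone_is_sane(zone, resolve):
        return False
    return dnsbl_lookup(ip, zone, resolve) is not None


if __name__ == "__main__":
    print(dnsbl_query_name("217.156.87.150"))
    print(dnsbl_lookup("217.156.87.150", resolve=stub_resolve))
    print(should_reject("217.156.87.150", resolve=stub_resolve))
```

The health check is not decoration: a blocklist that has been shut down and whose domain now wildcards every name answers "listed" for every address, and a mail server trusting it blindly stops accepting all mail. Checking 127.0.0.1 as well as 127.0.0.2 catches exactly that case.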

My point was that it is more possible that you are one of thousands on their list rather than being attacked specifically. If they have been on the SCBL for that long, more people than you have been reporting them. Many more have blocked them.

If I were you, I would have a talk with your IT department and ask them to block that IP address. Even if there is a scientist or researcher who is using that IP address to correspond with someone at your university, s/he should be willing to use an alternate method of email to avoid the numbers of spam and viruses that you are reporting. Just be sure that the IT department understands that a message is to go to the sender when they reject email from that IP address. If there is a legitimate sender, perhaps s/he will get more action out of the abuse desk.

Miss Betsy


Archived

This topic is now archived and is closed to further replies.
