
This is a scam


PamelaDelafield


It is not WiFi. I am not using WiFi in a public place. I am using 3G at home. There is no WiFi where I am and if there was, I would get on that WiFi signal and not be paying for 3G which is expensive in Mexico. If you don't know anything about 3G internet connection on a computer, 3G is a data card. The Sim can be used in Blackberry, iPod and other 3G satellite, cellular phones.

Let's turn that around. As I stated before, if you knew anything about networking, the Internet, DHCP, etc. you would know that anything connected to the Internet has to have its own unique identifier, called an IP Address.

You apparently know about IP Addresses, as you pointed out that you had changed yours somehow .... but have yet to get around to stating how you did that. All that can be seen thus far 'here' is just what I've pointed out ..... massive traffic flow has followed your changing IP Addresses. If you want to stand on the fact that only you and you alone are connecting via whichever IP Address you're posting from, then it is a matter of fact that your computer is in fact the system sending out that traffic.

My computer is not spewing out spam.

Once again, the evidence says otherwise.

I don't send spam and I have no desire to take the time and effort to send spam.

These days, "you" don't have to do anything once your system is infected/compromised/screwed .. pick your word .... after that point, all you have to do is "turn it on"

If you don't know anything about a 3G connection, just say so and stop guessing. Obviously a cellular connection operates differently than a DSL or other land-line connection and 3G is not sending the same signals back to your server.

No idea as to just what "signals back to your server" might mean .... the only "signals to this server" are the data you post here. As to the rest of the story, SenderBase is seeing much traffic from whichever IP Address you are connected to, and based on all the BL listings, it isn't too hard to calculate that the majority of this traffic is spam spew e-mail. The other 'obvious' clue seems to be that "traffic first seen" date for both IP Addresses involved thus far. You plugged in your card, e-mail traffic was seen coming from that IP Address. You changed IP Addresses, that 'new' IP Address started sending out tons of e-mail. Now that you've switched back, the increased traffic patterns/quantities are shifted back to the original IP Address, with the second IP Address still showing a drop in traffic. It just doesn't get any more obvious.

With all your alleged past experience, it seems a bit silly to ask about any anti-virus, anti-spyware, anti-malware, etc. (and no, just one tool doesn't cover all the threats these days) but you haven't said a word about any of these types of tools. You make no mention of any kind of firewall in use. Worst case, use some of that hard-earned past knowledge to work and throw on some network-traffic analysis software and check the outgoing packets for the e-mail traffic in question to prove it to yourself.


It seems pretty clear that the IP addresses from which you are posting are at this minute associated with very high levels of spam. This info comes not just from SpamCop but from several independent sources. One of these (Spamhaus PBL) indicates that your address is by policy of your provider NOT supposed to be sending out SMTP mail, so the fact that any such mail appears at all is very odd. We even see that someone here has received a penis spam from one of these addresses.

I believe you when you say you are not sending the spam. So, this leaves us with two alternatives: either your computer is sending the spam under remote control by a stranger (i.e., it is a zombie or bot), or someone else who shares your address somehow is responsible for the spam. Some of us were speculating that WiFi was somehow involved; they were actually attempting to be charitable to you by trying to find a way to put the blame on someone else. You might consider this in light of your contemptuous response to this line of inquiry.

Since the spam activity is going on right now, it might pay you to get hold of a copy of Wireshark (formerly Ethereal) and set it to look at outgoing port 25 traffic from your computer. Since you tell us that you have the requisite experience, I am certain that you will understand how to do this. If you see any traffic there (and you are not sending mail yourself at the time), then you can use the "follow TCP stream" feature to get a look at what your computer is sending. If you find spam, you may need to deal with a malware infection on your computer(s). On the other hand, unfortunately, not seeing any activity doesn't automatically get you off the hook; your scan might simply coincide with the botherder's taking your machine out of the rotation.

-- rick
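
The port 25 check suggested in the post above, as an added example that is not part of the original thread: it reads the text output of `tcpdump -nn`, counts new outgoing connections to port 25 per destination, and flags any destination that is not a relay the user knowingly sends through. The local address, the sample capture and the function names are constructed for illustration.

```python
import re
from collections import Counter

# One TCP line as printed by `tcpdump -nn` (numeric hosts and ports).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LOCAL_IP = "192.168.1.10"  # constructed address of the machine under test

# Constructed sample capture; destinations are documentation-range addresses.
SAMPLE_CAPTURE = """\
09:14:01.100001 IP 192.168.1.10.49201 > 198.51.100.80.443: Flags [S], seq 1, win 64240, length 0
09:14:02.200002 IP 192.168.1.10.49202 > 203.0.113.25.25: Flags [S], seq 2, win 64240, length 0
09:14:02.250003 IP 203.0.113.25.25 > 192.168.1.10.49202: Flags [S.], seq 9, ack 3, win 65535, length 0
09:14:02.300004 IP 192.168.1.10.49202 > 203.0.113.25.25: Flags [P.], seq 3:40, ack 10, win 64240, length 37
09:14:03.400005 IP 192.168.1.10.49203 > 198.51.100.7.25: Flags [S], seq 4, win 64240, length 0
09:14:03.500006 IP 192.168.1.10.49204 > 192.0.2.44.25: Flags [S], seq 5, win 64240, length 0
09:14:04.600007 IP 192.168.1.10.49205 > 203.0.113.25.25: Flags [S], seq 6, win 64240, length 0
09:14:05.700008 IP 192.168.1.10.49206 > 198.51.100.9.587: Flags [S], seq 7, win 64240, length 0
09:14:06.800009 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

def outbound_smtp_attempts(capture_text, local_ip, smtp_port=25):
    """Count new connections (bare SYN) from local_ip to smtp_port, per destination."""
    attempts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] != local_ip or int(m["dport"]) != smtp_port:
            continue
        # "[S]" opens a connection; "[S.]" (SYN-ACK), "[.]" and "[P.]" belong to existing ones.
        if "S" in m["flags"] and "." not in m["flags"]:
            attempts[m["dst"]] += 1
    return dict(attempts)

def assess(attempts, expected_relays=()):
    """Flag port-25 destinations other than the relays the user knowingly sends through."""
    unexpected = sorted(d for d in attempts if d not in expected_relays)
    return {
        "total_attempts": sum(attempts.values()),
        "distinct_destinations": len(attempts),
        "unexpected_destinations": unexpected,
        "suspicious": bool(unexpected),
    }

if __name__ == "__main__":
    found = outbound_smtp_attempts(SAMPLE_CAPTURE, LOCAL_IP)
    print(found)
    print(assess(found))
```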


I am not sure if you really are looking for help or just want to vent. But I am going to assume that you do want some real help. But if anyone here is going to be able to provide real help then you need to help us first.

So what are the facts that you have told us so far?

1) you have a computer that used to be connected to the internet 6 months ago

2) you installed a new G3 cellular networking card into the computer

3) you are located in Mexico

4) you tried to register on a web site based in Texas and were denied

5) you are not a spammer

So what are the facts that we have from our side of the connection?

1) you have made a total of 6 posts to this thread and it is the only thread you have posted to

2) posts #1,2,3,4,6 have been recorded as being posted by IP address 200.95.162.52

3) post # 5 was recorded as being posted by IP address 201.144.87.40

4) there has been a very large amount of spam that has been sent using both of these addresses.

So what do we really know? Not much

What do we need to know to help you?

1) What is the IP address of your computer? Try the old DOS ipconfig command or anything else that will tell you what your real IP address is.

Note: the IP address of the machine I am writing this from is 10.10.35.12 - a local non-routable address which of course is not the IP address recorded here.

2) How does your G3 card get its IP address?

a- you manually program it

b- it goes out on its own and selects the first available one.

So how about telling us what your real IP address for your computer is.

My gut feeling is that it is a local network IP address (like mine) and not a real internet routable address which is what we see here as the address you are posting from.

The next very basic question (which has been asked before by others) is: what is the web address of the web site based in Texas that denied your registration? (A copy of the message that is your source of information that you were denied would be of a very great help.)

And the last question for right now, did you make all 6 posts here from the same computer?


From yesterday; (1 Jan 09)

http://www.senderbase.org/senderbase_queri...g=200.95.162.52

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ....... 4.0 .. 42%

Last month ... 3.8

http://www.senderbase.org/senderbase_queri...g=201.144.87.40

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day .......4.4 .. 952%

Last month .. 3.4

From today; (2 Jan 09)

http://www.senderbase.org/senderbase_queri...g=200.95.162.52

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.4 205%

Last month 3.9

http://www.senderbase.org/senderbase_queri...g=201.144.87.40

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.4 802%

Last month 3.5

Today (4 Jan 09)

http://www.senderbase.org/senderbase_queri...g=200.95.162.52

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.3 144%

Last month 4.0

http://www.senderbase.org/senderbase_queri...g=201.144.87.40

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.2 241%

Last month 3.6

Both IP Addresses showing reducing numbers .... leading to the next additional question .. was the computer turned off today?


Both IP Addresses showing reducing numbers .... leading to the next additional question .. was the computer turned off today?

And then turned on 'today' with the same IP Address as the starting Post?

http://www.senderbase.org/senderbase_queri...g=200.95.162.52

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.6 244%

Last month 4.1

http://www.senderbase.org/senderbase_queri...g=201.144.87.40

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 3.8 37%

Last month 3.7


Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 4.6 244%

Last month 4.1

I take this to mean that yesterday this address sent 244% more e-mail (or spam specifically?) than it did on the same day last month. If so, this looks pretty conclusive to me.

-- rick


I take this to mean that yesterday this address sent 244% more e-mail (or spam specifically?) than it did on the same day last month.

No, I don't think that's exactly what is meant. I think the "Last Month" in the title of that stat refers to the daily average, not to any particular day. And the statistical basis for the numbers on this IP is a bit weak, in that the first traffic was only seen by the Ironport system starting on 2008-12-23.

The more speculative posts we make in the absence of the OP, the less likely that she'll be able to take it all in upon her return and participate in the discussion. Let's let it rest until she comes back...if she ever does.

DT


...Let's let it rest until she comes back...if she ever does.
Well, a week is not 'forever' except when your IP(s) has been spamming virtually without remission the whole while. Not at all sure this is the work of one computer/connection but guess we'll never know:

201.144.87.40 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Listing History

In the past 12.3 days, it has been listed 3 times for a total of 10.4 days

200.95.162.52 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Listing History

In the past 16.2 days, it has been listed 2 times for a total of 16.2 days


Well, a week is not 'forever' except when your IP(s) has been spamming virtually without remission the whole while. Not at all sure this is the work of one computer/connection but guess we'll never know:

Funny .. I had just looked at the SenderBase numbers yesterday, figured I'd wait a bit more before making another post, but ... those numbers go along with your SpamCopDNSBL results. I'm once again having to make the assumption that the computer in question is turned off on the week-ends.


I was tempted to say long ago "another munchkin troll beat the dust"!
Then your reticence does you great credit :P. O/P not active since Jan 3, no indication that all that advice posted subsequently has been seen, far less that it was heeded - pretty much another case of "veni, vidi, venti" indeed, it would seem.

Archived

This topic is now archived and is closed to further replies.
