Been reported by spamcop to my ISP, but need some advice

[dtb]

Hi.

First let me say I am not an internet security expert by any means, I have a fairly *rough* of what's going on, but primarily I'm an electronics engineer that has been using and working on computer systems since the late 70's.

Last week my ISP ( without warning ) cut of my broadband ( UK ISP ). After a brief phone call I was put through to the abuse dept and told I had a botnet on my computer that was sending spam and until I reformatted my hardrive I would not be allowed on.

Note* My ISP is well known for requesting re-installs and will not accept any sort of protection offered by Anti-Virus programs even though they sing their praises and offer a years free subscription on one.

I was sent the Spamcop report which my ISP acts on 100% without question:

I noticed two things :

1) The HELO response was from a computer named ( for example ) A, my computer is named B

2) The date range given for the spamming period is when we were doing some building work on the house and no router/computer was connected to our phone line.

The IP address given in the report is that of my ISP, obviously my ISP claim I had use of that IP number during that period.( even though we had nothing connected to the phone line ).

Finally, the computer has been checked over by a third party experienced in internet security and no virus's have been found. I use three AV programs and the firewall is permanently on. I know that's no guarantee, but its as secure has I can practically get it. My ISP does not debate these issues.

This has happened a few times with other users. Can anyone offer any other reason how the spamming was tracked back to an IP I was not using to a computer name not on my Windows network.

Many thanks.

[Wazoo]

Not enough specific data provided to go much further than to smply point to the various FAQs and Wiki entries that are already in place to offer up the background on these situations. You state that you have a link to a Report ... offering that up so that we could see what was actually reported would be a beginning. Not knowing just what you were sent is a possible issue .. if you were sent te 'actual Report, then there'd be a URL offered up for actions to be taken by an ISP .... I don't really want that posted. If this is what you've got, follow the next link titles something like How this tracks back to you and provide that URL .. that page should contain the This is your Tracking URL comment ....

You say "broadband" on one description, then talk about a "phone connection" in other dialog. Around thse parts, "broadband" usually indicates a 'cable' connection, so I'm guessing that you might be talking about a DSL type connection? Howeer, the question of who 'owned' an IP Address at the time would normally be well documented within the logs of the ISP .... not sure how to argue that situation at all, especially with so little data to go on.

The words "three antivirus tools" is a bit above the normal type of qualification, but have to note that nothing was said about updates. I have seen some systems show up here with both Norton and Macafee tools installed, but both had lapsed subscriptions from a few years prior. System owners believed that they were well protected, but ...... now they know better.

"the firewall is ..." doesn't qualify much either .... there are things called firewalls, then there are alleged real firewalls, and of course, there are real/actual firewalls. It is unknown just which you are trying to describe here. And of course, no one here knows just what 'rules' you might have put into place on whatever firewall you have running ... or just where in your network it might be placed.

BTW: interesting timing. I just recently lifted a ban on some sky.com IP Address blocks based on their abuse folks finally handling one of their spamming customers.

[Miss Betsy]

Without seeing the spamcop report, I doubt that anyone could make a guess. I am not sure if the report you get has a Tracking URL which is best. Information about the Tracking URL can be found by searching in the top search box. At least a copy of the headers (the entire spam is not needed) would be helpful.

Also, just the IP address would be helpful. Spamcop doesn't track back to your computer, just to the IP address. Perhaps you could find out how your ISP decided it was your computer that was online at that time.

As you say, it is unlikely to be your computer if your computer was not connected at that time. And it can't be your router if it was not connected either. (Wireless routers often are insecure).

I would say that your first course of action would be to contact your ISP and ask for an explanation of how they concluded it was your computer. Other people here might be able to help you with what to ask (I, too, am not technically fluent).

Miss Betsy

[Farelf]

...Can anyone offer any other reason how the spamming was tracked back to an IP I was not using to a computer name not on my Windows network.

Nope - SC only sends reports concerning the IP address, tracking down from there is the ISP's job, as has been said. The only address blocklisted in your immediate 'vicinity' that I can see is 90.220.195.91 but the odds of that being the actual address in question are not high.

[dtb]

Many thanks for the replys.

The report ( or email ) my ISP sent me was a copy of the spam email with all the headers, it includes the HELO and then the originating IP.

I was unsure if that IP could be false by way of a proxy server ? Only the technical guys at Spamcop can tell me if the IP could be false.

Some other answers to your questions

The Anti-Virus I use is up to date ( current subs to both Norton and AVG ), I also have two malware programs, once again they are both up to date.

I'm in the UK and it is DSL

My ISP will determine which of its customers was using the suspect IP address at the time because we're on a dynamic IP. In this case they determined it was me ( even though my router was not even switched on and powered up).

If the non generic answer to HELO was my compuiter name then I would be scratching my head.

My router gets its password changed once a week and it had been changed the day prior to the spam starting.

I hope this helps a little further.

[rconner]

HELO names are never trustworthy in spam, so the fact that you see a HELO that you do not recognize doesn't let you off the hook, unfortunately.

Speaking strictly as a user, I find that SpamCop is pretty accurate in finding the IP address from which spam originated, that is, the machine that tried to pass it to the recipient's domain. In the case of dynamic IPs, it is then up to the accuracy of the ISP to trace this address to a particular user. Difficult to speculate on whether proxy servers are involved without specific info, but I'd tend to discount this.

You don't have WiFi, do you? It often happens that "guests" sneak on to wireless nets and send spam.

Not much else I can suggest without more specific info.

-- rick

[Wazoo]

Only the technical guys at Spamcop can tell me if the IP could be false.

?????? With the data provided thus far, no one can tell you much. It's a historical fact, I tend to get jumped on because my responses are so/too technical, typically no hand-holding involved.

[Miss Betsy]

There is a slim, to none chance that spamcop got the wrong IP address. However, no one can tell you anything until you post the tracking url or at least the IP address.

There is a greater chance that your ISP made a mistake (especially since your computer was not online at that time) or that you have WiFi than that spamcop made a mistake. You didn't mention anything about a firewall.

If you don't want to post the IP address in the forum, I suggest that you email the deputies - however they won't be able to help you either unless you provide the header information and IP address.

Miss Betsy

[dtb]

HELO names are never trustworthy in spam, so the fact that you see a HELO that you do not recognize doesn't let you off the hook, unfortunately.

You don't have WiFi, do you? It often happens that "guests" sneak on to wireless nets and send spam.

I am on a wireless network, in my last post when I made ref to changing my passwork "My router gets its password changed once a week and it had been changed the day prior to the spam starting" that would be my WiFi access password on WPA-PSK.

But even then, my nearest neighbour is too far away to pick up my signal and she is 92 years old and still thinks WW2 is on LOL !

However, no one can tell you anything until you post the tracking url or at least the IP address.

The IP address this was tracked back to is ( Easynet , the backbone to my provider SKY ) 90.221.142.236

[Miss Betsy]

Well, that's interesting. Didn't Wazoo say that sky just stopped a spamming customer?

I don't have time right now and as my boss says sometimes, 'It's time to go home, my brain quit working half an hour ago.'

We had a long discussion with someone who seemed to be a lot more techie than you who insisted that everything was ok and nothing could be coming from her - and she discovered it was the WiFi in the end. That's happened a couple of times - with people who were careful about updating, etc.

Wazoo is a great troubleshooter, but you have to give the information he asks for.

Miss Betsy

[Wazoo]

First let me say I am not an internet security expert by any means, I have a fairly *rough* of what's going on, but primarily I'm an electronics engineer that has been using and working on computer systems since the late 70's.

OK, electronics engineering terms ... you have told us about a grey box that's sitting in a building somewhere, suggesting that it was transmitting signal even though it was turned off. Eventually, you got around to stating that it was the third box in the rack (by tossing out an IP Address) ....

Having spent years as a Systems Analyst, I'll point out that it's a bit hard to talk about whats been going inside that allegedly turned-off box with nothing more to go on. You suggest that you have something that resembles a partial set of schematics, but suggesting that the issue is somehow possibly related to U3 on the MUX board doesn't help much from this side of the screen .. especially when it seems like you are asking us to explain the use of a zener 'seen' over by the U115 chip over on the PROC board. (and yes, I date back to the discrete componenets days of yore.)

It took several posts to come up the wireless mode of a router .... yet nothing still mentioned on the actual network configuration. Nothing said about checking logs, yes, I know you said everything was turned off, but .... this does seem to fly in the face of your ISP's apparent data logs.

Now that a wireless network has been invoked, the location, placement, and actual firwall now most definitely comes into play. For example, if you are considering Microsoft's 'built-in' firewall on a single computer as doing something to protect your network, you are in for even more surprises. (Of course, you haven't clearly stated how many computers may be on your network.)

Your "too far away" statement is actually funny .... numerous articles on how to build free/cheap, or buy expensive parts that can extend the reach to several miles (many kilometers) .. read that as high-gain/directional antennas in most cases) A previous issue brought up by another user dealt with his location on top of a nountain with a link to his provider "down in the valley" .. and yes, the interloper causing his spam-sending issue was located somewhere in-between those antennae.

There is the spector that, like 'here' ... the 'computer' is sitting in front of me, I have several routers all over the house, the cable modem is "over there" .... Is it possible that you are going with "turning the computer off" disconnects everything else? Again, not knowing how you've got things hooked up, plugged in, etc. I'll admit that it's geting tiring dealing with all the possibilities based on the lack of hard data. I would thing that your electronic engineering background would have involved situations like this, but then again, that makes it look like I'm making assumptions yet again .....

Well, that's interesting. Didn't Wazoo say that sky just stopped a spamming customer?

Noting that the lowlife has already risen from the fead on yet another (thus far clueless) ISP/Host .... it was the dialog I had with the abuse Admin for easynet/sky, newsgroup traffic from that same individual, etc. that has me more believing that his/their analysis was not lacking.

[Farelf]

... my nearest neighbour is too far away to pick up my signal and she is 92 years old ...

Then she has seen and known things you cannot even imagine. If she remembers any of it, she may have totally unexpected capabities . Sorry, the devil made me do it.

...The IP address this was tracked back to is ( Easynet , the backbone to my provider SKY ) 90.221.142.236

OK, if that was on the SCBL it has since timed off. It is within the range 90.220.0.0 - 90.221.255.255 that SKY says should probably not be used for outgoing mail in any event - http://www.spamhaus.org/pbl/query/PBL251585. Just a minor 'factoid' at this stage, pending further development of the story.

[Wazoo]

The IP address this was tracked back to is ( Easynet , the backbone to my provider SKY ) 90.221.142.236

Exactly one Report generated in the last 90 days;

Submitted: Thursday, March 12, 2009 2:17:14 PM -0500:

RE: Discount Message 04669

3936384841 ( h ttp://say xuriw.cn/ ) To: abuse[at]china-netcom.com

3936384822 ( h ttp://say xuriw.cn/ ) To: abuse[at]cnc-noc.net

3936384789 ( h ttp://say xuriw.cn/) To: postmaster[at]china-netcom.com

3936384779 ( h ttp://say xuriw.cn/) To: postmaster#cnc-noc.net[at]devnull.spamcop.net

3936384758 ( 90.221.142.236 ) To: abusesky[at]abuse.noc.uk.easynet.net

On the other hand, as farelf noted, there is no current listing on the SpamCopDNSBL, so no way for any of the volunteers to know about possible spamtrap hits during that timeframe .. yet, there are no Reports generated for spamtrap hits .... that data would only have been available under an ISP Summary Report against the IP Address.

[dtb]

Lots of info here people. But some ( the majority I may add ) is out of my technical understanding.

With regards to my wireless router and computer, they were not only switched off, but the router was not even plugged into the telephone socket. In fact it was packed away in a box .

I use zonealarm as my firewall.

My computer was in the same state ( except not packed away on a box, but placed in a spare room while building work commenced ).

Sky use Google email I believe.

This is looking like Sky have checked there logs to see who was using 90.221.142.236 at some specific point in time and mistakenly come up with my details.

Wazoo : Many thanks for you time in trying to explain this to me.

[agsteele]

The report ( or email ) my ISP sent me was a copy of the spam email with all the headers, it includes the HELO and then the originating IP.

I was unsure if that IP could be false by way of a proxy server ? Only the technical guys at Spamcop can tell me if the IP could be false.

It seems, from the very small amount of information available, that you face one of two scenarios... (I'm not suggesting which one is correct)

1. The report received by your ISP is entirely correct, somehow your DSL line did get hijacked by one of the means described by others here and the ISP has correctly disconnected you. They insist you take the the necessary action to clean your system before you can be reconnected.

2. Your ISP has incorrectly identified your 'system' as the source of the spam. They may have mis-tracked the IP that they received as a report. They may not have received the report from SpamCop but an alternative spam reporting service or whatever. But they have acted without due diligence and disconnected you. They insist you take the necessary action to clean your system before you can be reconnected.

Either way, you face the same choice. Take action, lie and say you've taken action or enter into a protracted correspondence whilst you remain disconnected and probably end up with the lie or taking the action.

Sadly those of us who are here and willing to help cannot give you much advice. It seems to me that whatever the scenario you need to take the action to check your system is clean which, from what you say, you have done. Your regular changing of your wireless password is very impressive.

You could block all traffic on port 25 through your router which should prevent trojans getting out should you ever get an infection. Of course you'll need an SMTP mail server for your legitimate Email that accepts mail on a different port but many ISPs offer that facility.

In the end you need to confirm to your ISP that you've taken action. Personally, I'd look for an alternative ISP that may be more willing to be careful in the action they take before cutting you off permanently.

Andrew

[dtb]

You could block all traffic on port 25 through your router which should prevent trojans getting out should you ever get an infection. Of course you'll need an SMTP mail server for your legitimate Email that accepts mail on a different port but many ISPs offer that facility.

In the end you need to confirm to your ISP that you've taken action. Personally, I'd look for an alternative ISP that may be more willing to be careful in the action they take before cutting you off permanently.

My ISP re-connected me within the hour once I had explained I was going to remove the computer and replace it with another. Which I did, I then scanned the computer several times and also had another person double check. Nothing could be found. I still have not put the original computer back on line.

But if I get another report then I doubt my ISP would be willing to listen to reason, hence why I would like to establish what has happened.

I blocked Port 25 on the router quite a while ago, my ISP use Google mail which goes out via Port 465 on SSL via my outlook. But I mainly use web based mail through my website hosting company.

[agsteele]

I blocked Port 25 on the router quite a while ago, my ISP use Google mail which goes out via Port 465 on SSL via my outlook. But I mainly use web based mail through my website hosting company.

Then my view would be that you face scenario 2 of my list and that the ISP did not give much attention to accuracy of the report or the reasonableness of the action they took.

Personally I'd look for an alternative ISP that you feel would be more helpful.

Andrew

[dtb]

Then my view would be that you face scenario 2 of my list and that the ISP did not give much attention to accuracy of the report or the reasonableness of the action they took.

Personally I'd look for an alternative ISP that you feel would be more helpful.

I have 10 months left with this one at present

But due to the help, advice and input from the people this forum and spamcop , Im positive that my ISP have made the mistake.

Many thanks for all your help in this.

[michaelanglo]

But due to the help, advice and input from the people this forum and spamcop , Im positive that my ISP have made the mistake.

I would suggest that you check weekly what the IP Address of your ADSL line is and record the evidence.

I think that both a webmailer and GoogleMail SMTP record this in the email headers so sending a email weekly to a spare or suitable mailbox may suffice.

And in fact if you can find some old emails you may be able to show evidence of what the IP Address was before you put the router on the shelf !

If the IP Address before and after the hiatus was the same then your ISP may have cause for its "mistake".