Jump to content

Spamcop after virus / spyware attack


sroberts

Recommended Posts

i will have to turn it back on to get the ip address.. should i do that now?

Pinging 192.168.2.4 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 192.168.2.4:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Link to comment
Share on other sites

  • Replies 114
  • Created
  • Last Reply

I have to leave for now.

But your need to do the following.

Be sure both computers are "clean", not infected and sending out unwanted mail.

Tighten up the settings on the router so that only your computers can connect to it.

Keep in mind, by "your computers" I am also talking about any printers, scanners, etc that use the wireless connection to connect to your PC's

Link to comment
Share on other sites

but that "Date of first message" seems at odds with the statistics ....only two days to get to this level of e-mail traffic?  This doesn't quite jive with the typical use of a "home PC" ....????

41120[/snapback]

It actually finally is starting to make sense.

Something new has connected to the the modem on March 7th that is acting like an SMTP server.

It could be an unwanted external device connecting via the wireless router or one of the two PC's have become infected and fired up as an SMTP server.

If you want to send mail, make sure you connect to an SMTP server other than you web hosting provider who may be blocking your mail due to the excessive traffic comming from your IP address.

But you still need to fix the problem. Find the source of the spam and cut it off.

Link to comment
Share on other sites

how do i get to the page that shows these stats

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.3 .. 13704%

Last 30 days .. 2.7 ..... 223%

Average ........ 2.2

so i can see which pc it is ..

also what is the best software for locating hidden smtp servers?

thanks again for all the help

Link to comment
Share on other sites

how do i get to the page that shows these stats

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.3 .. 13704%

Last 30 days .. 2.7 ..... 223%

Average ........ 2.2

so i can see which pc it is ..

41168[/snapback]

That page is at http://www.senderbase.org/search?searchString=82.41.221.43, which currently shows:

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 13750%

Last 30 days 2.7 223%

Average 2.2

Link to comment
Share on other sites

Do your computers connect to your wireless router using wireless or wired connections?

If either one or both connect using wireless connections (or you expect any visitors that might use wireless), please implement security on your wireless connections. The simplest security would be 64-bit WEP (Wireless Encryption Protocol).

If both connect using wired connections and you aren't expecting any wireless visitors, you should be safe in turning off the wireless capability of your wireless router.

If you check the DHCP (Dynamic Host Control Protocol) leases given out by your wireless router, and you find one given to a NIC (Network Interface Card) you don't possess (the offending MAC (Media Access Control) Address), you should be able block that offending MAC Address.

If you have any difficulty with the above, it would be very helpful to know the manufacturer, make, model, and version of your wireless router and your cable modem.

Link to comment
Share on other sites

how do i get to the page that shows these stats

so i can see which pc it is ..

41168[/snapback]

Jeff G. already gave the link.

You are making the assumption that it is one of your 2 PC's. This may not be the case. If you can disconnect both PC for a few hours (overnight) you should be able to tell if the problem is your PC's or something else connecting to the router.

If you are able to log connection attempts to the router, you will find that information very useful.

I would not rest until I were sure of the exact cause and source of the traffic. It may simply stop on its own, but it could just as easy start up again. So unless you can find out the exact cause and plug it, the simple fact of the spew stopping may not be enough in the long run.

Link to comment
Share on other sites

Folks,

I'm sorry I was late into this conversation... I have exactly the same setup as the OP. Telewest/Blueyonder broadband with router etc.

The ip address is a dynamic cable modem IP with rDNS 82-41-221-43.cable.ubr13.edin.blueyonder.co.uk

As well as being listed in the SCBL it is, unsurprisingly, listed in Dynablock as well.

The OP isn't apparently using the Blueyonder SMTP servers to send the stuff being identified as spam.

My best guess is that this PC is compromised and being used by a spammer by means of a trojan to spew out spam. But I agree it could be someone pirating his wireless connection as well. The security in the wireless router needs to screwed down as tight as possible.

It will be no comfort to the OP that Blueyonder abuse are pretty proactive and his cable connection is likely to be cut off quite soon until he gets the problem fixed.

Despite all the software installed the source of the spew hasn't been fixed.

If he contacts abuse[at]blueyonder.co.uk he is likely to be offered access to the package of software they give away to prevent infections but my experience is that it isn't particularly good at fixing a problem once infected.

Andrew

Link to comment
Share on other sites

It is scary that the last day magnitude continues to increase. Current reading

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.5 .... 14188%

Last 30 days .. 2.8 ..... 224%

Average ........ 2.3

Link to comment
Share on other sites

Select Programs from the Start menu and then select Command Prompt.

Type ipconfig /release in the Command Prompt window and press Enter.

You should get a message telling you that the IP address was successfully released.

Type ipconfig /renew in the Command Prompt window and press Enter. You should get a new IP Address.

Make sure the IP is different from your last IP and you will see the numbers start going up again.

Link to comment
Share on other sites

What brand and model wireless router are you using?

Have you emailed the spamcop deputies to try and get a hint as to what kind of messages are going to the spamtraps? They can usually identify these pretty easily if you send them an email, and that information could be VERY helpful to us.

Link to comment
Share on other sites

Select Programs from the Start menu and then select Command Prompt.

Type ipconfig /release in the Command Prompt window and press Enter.

You should get a message telling you that the IP address was successfully released.

Type ipconfig /renew in the Command Prompt window and press Enter. You should get a new IP Address.

Make sure the IP is different from your last IP and you will see the numbers start going up again.

41177[/snapback]

If releasing and renewing any DHCP lease is going to help Steve, it will only be releasing and renewing the DHCP lease that the wireless router is getting from Telewest through the cable modem. The exact model and version of the wireless router would certainly help in advising how to do that.

Steve could also try sending mail through a Telewest or Blueyonder recommended SMTP server, rather than a webhost recommended SMTP server.

Link to comment
Share on other sites

Couldn't he get the MAC address from his two cards and set the router to only allow them?

41185[/snapback]

Yes, but:
  • If he were to forget what he did and then get a new NIC (or have a visitor with a NIC), the NIC new to his network wouldn't be able to connect.
  • His IP Address would still be listed by the SCBL for at least 21 hours.

Link to comment
Share on other sites

If you aren't using the wireless connections, I would strongly recommend disabling wireless at the router altogether.

If you are using Wireless, then enabling WEP at the router would be a good start.

I would also make a note of the MAC addresses by going to both computers, opening a command prompt (Start->Run->cmd) and typeing "ipconfig /all".

The MAC address is a 12-digit hexadecimal number broken up into 6 groups of 2 digits. It should look something like "01-23-45-67-89-AB". There will be one for EACH network card in the computers, so if they have both a wired network card, and wireless network card, write down both MAC addresses.

Next, go to your router, and find where it lists its DHCP leases. You still haven't provided a model number for the router, so I can't refer to the docs to help you with where you might find this, but it should be in your documentation for the router. The DHCP list should show the MAC addresses of all computers currently connected to your router (both wired and wireless). If there are any listed that don't belong to your 2 computers, you've got a wireless hijacker somewhere in your area (generally less than 300 feet, but can be more if they have a high-power wireless card).

If this is the case, I would lock down your wireless connection to ONLY allow your MAC addresses.

Link to comment
Share on other sites

sorry the model number for the router is f5d7231-4.

i am using the wireless router for both machines ...i have not started outlook for the last few hours ...

Last day 4.5 14151%

Last 30 days 2.8 225%

Average 2.3

and it looks to be going down ..

is there any outlook specific virus/spyware that i should look for ?

thanks for all the help folks.

Steve

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.


×
×
  • Create New...