Solved

How do I fine the source of SPAMing

Posted on 2010-09-13
28
771 Views
Last Modified: 2013-11-30
My emails from my home location (Orange broadband) have been blocked by an organisation called Baracudda Central, who seem to monitor email traffic using some kind of algorythm which is all automated.

At first I though I might have been dealt a "rougue IP" from my ISP so reset my router to collect a new IP address.

This worked, but only a few days later same thing happened again !

So, I checked all 3 PC's in our home for latest MS updates, active firewall and good antivirus with clean scans (I use EST NOD32), and because my son uses his PC for gaming, instant messaging & such I completely re-installed his O/S (it was running slow anyway !), I also reset my router back to factory defaults and re-entered all my ISP details, and created a new WEP key for wireless access.

All to no avail, twice more I have been blocked.

Any ideas how to monitor each PC to find the source of the SPAM which I now have to conclude is real (Baracudda central can't be that bad can they ? )

Any advice on "next steps" would be appreciated !
0
Comment
Question by:ensite31
  • 10
  • 8
  • 7
  • +1
28 Comments
 
LVL 9

Expert Comment

by:ken2421
ID: 33665548
Once you get blacklisted you have to contact them directly to get whitelisted again.

I suspect that you have malware running an smtp server on one of your pcs.

Lets start with Malwarebytes. www.malwarebytes.org    download and run the free version. I always do a quick scan and if anything pops up I do a deep scan.

Are any of the PCs XP
Ken

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33665668
If you are using a Dynamic IP Address, you are going to be on one Blacklist or another because Spammers don't want fixed IP Addresses, or they would not be able to operate.
If you have a problem on a PC, I would recommend the download, installation and quick scan with Malwarebytes - www.malwarebytes.org.
This usually finds all manner of things you didn't know about.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33665684
Sorry ken2421 - didn't see you had posted malwarebytes.  Still - always good to have confirmation of your suggestions : )
0
 
LVL 9

Assisted Solution

by:ken2421
ken2421 earned 150 total points
ID: 33665755
ensite31

This is the link that you will need to request being whitelisted.

 http://www.barracudacentral.org/rbl/removal-request

First let's make sure your machines are clean. I would like to have you run another malware fix but I need to know what OSs they have.

Thanks,
Ken
0
 

Author Comment

by:ensite31
ID: 33666051
thanks for the input and suggestions.

I'm assuming because I get a different IP dynamically when I reset the router, thus I don't need to request to get whitelisted ? - does Baracudda Central not identify me though the IP address.?

I've used malwarebytes before and it is a good free product, although I have noticed that it can show "false positives", I use the paid version of NOD32 by ESET which has a good reputation in the IT community, so I'm relying on it's results that I dont have malware sending SPAM, I'll download Malwarebutes to see if it can find anything and post any results.

Two PC's are running XP Pro and the other XP home.

Do you know of any software that can monitor my network activity so that I can confirm if I am sending SPAM ?

Thanks again, appreciate your thoughts and input.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 200 total points
ID: 33666113
Barracuda Central will list your IP if you have a dynamic IP Address, so will many others.
Visit www.whatismyip.com and check your current IP Address, then feed the IP Address into www.mxtoolbox.com/blacklists.aspx and see what lists you are on, then click on the links and see the details (if they exist).  Hopefully one of the listngs will say when the latest spam mail was received from your IP Address.
I've never seen any false positives with Malwarebytes.
 
0
 
LVL 9

Expert Comment

by:ken2421
ID: 33666148
That said try running combo fix

Run combo fix http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The link is 2/3 down the page blue highlighted bleepingcomputer link. This is a must have program for xp. Follow the wizard as it runs in widows in a dos emulator. If you can't disable your antivirus no sweat.


Ken
0
 
LVL 9

Expert Comment

by:ken2421
ID: 33666184
to monitor traffic here is some shareware that will get it done.

http://www.vicman.net/download/16540/

Ken
0
 
LVL 1

Expert Comment

by:DanSpecht
ID: 33673476
We have a Barracuda Webfilter protecting our enterprise. I would goto ipchicken.com - get your current ip - then call, email or even chat with barracuda (http://www.barracudanetworks.com) to find out exactly why they have blacklisted your home network and ask if you are still doing what got you blacklisted in the first place. Next, there are live linux cd's (You download the cd iso / burn it to disk then go into bio and set the cd rom as first boot device - then you get linux live from the cd with nothing installed on your hard drive) that have very good FREE network traffic analyzers. There was one linux program I had once that showed like a pie chart sorta thing with the ip's on my network and lines going to various places on the internet - I think it was nmap or something like that and was real easy to use.  Good luck and let us know how it turns out.

Dan
0
 
LVL 1

Expert Comment

by:DanSpecht
ID: 33673557
Oh.. and perhaps I should elaborate on working with Barracuda. One, they have great support. Two.. well I have seen them have small (but quickly fixed if you let them know) problems with their traffic blocking rules.
0
 

Author Comment

by:ensite31
ID: 33677911
An update to the SPAMing problem.
Firstly, thanks for all the advice, I'll be working my way through the suggestions until we hit a fix (hopefuly).

I ran Malwarebytes Anti Malware program (MBAM) on all 3 computers, 2 ran clean and the third (my son's) had 2 reported infected files, which really surprised me as I use NOD32 (they claim to never have missed an "in the wild" virus in 12 years !), although both infections are described as Adware so may not be responsible for my issues.

Anyway here is the log of the results before I let MBAM delete the files. I'm now goint to restart my router, collect a new IP address and watch if I get blocked by barracuda central again... watch this space !!

==============================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4615

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/09/2010 21:54:47
mbam-log-2010-09-14 (21-54-47).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 179354
Time elapsed: 50 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shopperreports.reporter (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\shopperreports.reporter.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{0d82acd6-a652-4496-a298-2bde705f4227} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7025e484-d4b0-441a-9f0b-69063bd679ce} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{8258b35c-05b8-4c0e-9525-9bccc70f8f2d} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a89256ad-ec17-4a83-bef5-4b8bc4f39306} (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\srs_it_e879027eb7765b5236a997 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ross\Local Settings\Temp\sai12.exe (Adware.QuestDns) -> No action taken.
C:\WINDOWS\Temp\QUE2B.tmp\upgrade.exe (Adware.Dropper.Gen) -> No action taken.
0
 
LVL 9

Expert Comment

by:ken2421
ID: 33678123
ensite31

Go ahead and start getting removed from the list.

 http://www.barracudacentral.org/rbl/removal-request

To be absolutely certain run a Combo Fix to be sure. This only runs on XP machines. NO ONE PROGRAM gets them all. If there was ONE that could do it then there would only be one. I do this week after week with tons of users. Repeatedly, I run both and am often amazed at what is left.

Run combo fix http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The link is 2/3 down the page blue highlighted bleepingcomputer link. This is a must have program for xp. Follow the wizard as it runs in widows in a dos emulator. If you can't disable your antivirus no sweat.

Ken
0
 

Author Comment

by:ensite31
ID: 33680121
Hi ken2421,

thanks for all the advice - I'll try combo fix to see if it reveals anything else.
with regards Baracudda Central, I assumed if I made my router collect a new IP address I effectively get a "clean bill of health" from Baracudda Central since it uses the IP address as the source reference.?
Is there any advantage in getting a dynamic IP removed from the list ?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33680340
If you collect a new Dynamic IP Address, the cleanliness of the IP Address will depend on the last user of the IP Address.  If they were sending out spam, the IP will be Blacklisted on many sites, if not, then only on a few sites.
Either way, with a Dynamic IP address, you are likely to have blacklisting problems on one site or another.
You won't be able to remove a Dynamic IP Address from any Blacklists - they will get removed off the ones that automatically listed them if no more spam is received from that IP Address, but they will still be listed in the Dynamic IP Address Block Lists and no amount of bargaining will get you off one of those lists.
If you want a clean IP Address, get a fixed IP Address.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:ensite31
ID: 33686605
Latest development - even though I was assigned a new IP address about 12 hours ago, 1st time I try to send email from Outlook I get blocked by Baracudda Central - even though all PC's are now showing clean scans with Malwarebytes and ESET NOD32 AV scanners ?

Is it possible Baracuda Central follow the newly assigned IP address and ban that too even before they detect any further SPAM - here is the Outlook message ...

What on earth can I do next ?

Task 'info@%%%%%.co.uk smtp.orangehome.co.uk smtp.ntlworld.com - Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties.  The server responded: 553 5.3.0 Spam blocked see: http://www.barracudacentral.org/lookups'

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33686908
What is your current IP Address?
0
 

Author Comment

by:ensite31
ID: 33687210
Thanks Alan for your latest comment and hi everyone, looks like I may have found a solution.

It may be that Baracudda Central is blocking my email because of the SMTP port I use for my email.
My hosting company provide an SMTP port on port 587 for my domain so that I can simply use POP3 & SMTP settings in Oulook as mail.mydomain.co.uk (where mydomain is the actual domain name of my website and email accounts plus webmail),
Some time ago ago I made this change to port 597 because I was sick and tired of changing the SMTP in Oulook between "smtp.oranhome.co.uk" when I was at home and "smtp.ntlworld.com" when I was at work, as most ISP's now block email through port 25 when not using their mail servers.

This therfore must be another step to make our life difficult which looks like it has recently been applied to my service ?? .. What I don't understand though is if  I collect a new IP address by re-setting my router I am able to send mail for up to several days before I become blocked again ??

So, looks like it's back to the old method of changing SMTP in Outlook twice a day, unless anyone has any ideas ?
Well, at least I know my 3 PC's are all clean now - LOL !!
Computers, you gotta love them ??
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33687256
Blacklists are there not because of a Port that you are using, but because the IP address you have is either a Dynamic IP Address or it is a fixed IP Address and is sending out spam.
If you are a home user and are sending out emails, you either need to send mail out via your ISP's mail servers or via a 3rd party mail server (with authentication).
Some (not all) ISP's block TCP port 25 outbound on Dynamic IP Addresses because of the risk of spam.  They may offer TCP Port 587 as an alternative port to use because spammers use port 25.
You should not have to switch your SMTP Server on a regular basis.  Use your ISP's mail server onTCP Port 587 or find an SMTP server that you can use permanently that also user TCP Port 587.
Block TCP port 25 outbound in your Router / Firewall (if you can) and this should stop any nasties from spewing out rubbish should you become infected (or if you are still infected and don't know it).
0
 
LVL 9

Expert Comment

by:ken2421
ID: 33687273
You could set up two separate pop accounts as you describe. Then make these changes. Tools, options, mail settings, send and receive. Create two profiles. Uncheck the one you don't need based upon at work or not. It beats the mess you are having.

Ken
0
 

Author Comment

by:ensite31
ID: 33687508
Thanks again for suggestions folks,
Ken, yes I tried that back in the dark days when I was switching between SMTP setting in Outlook - had 2 profiles, one for home, one for work, so I was collecting all my mail twics and bigger problem was "sent" mail was split between two profiles, so started copying myself to document what I sent !! - nightmare !!

Alan, I too had always worked on that principle - Barracuda is blocking emails because of SPAM - so it's been driving me crazy over last few days, re-installing O/S's, running AV scans, using multiple AV's, re-setting my router to factory defaults, all to no avail - suddenly, tonight I change back to port 25 and change smtp to my ISP at home ad "hey presto" mail is sending again.
So I concluded that if baracudda Central blocked my IP it wouldn't mattrer which port or which SMTP mail server I used. ?

Just to be clear, I have several email accounts being collected by a single MS Outlook profile, if send right now from any EXCEPT the one I've changed back to port 25 smtp.orangehome.co.uk (the ISP I am using at this exact moment), the mail gets rejected with the nessage I posted above which ends  "The server responded: 553 5.3.0 Spam blocked see: http://www.barracudacentral.org/lookups'"

but if I use smtp.orangehome.co.uk on port 25 - hey presot - mail sends.

I dunno the answer, just hypothosising ! - open to any suggestion
0
 

Author Comment

by:ensite31
ID: 33687608
Update:
I entered my current IP address on the Baracudda Central website and it is listed as "Poor"

I filled out the form "Request for Removal" and submitted - got the following generated message.


Request Received
Thank you for submitting your request. If this is your first request, your IP address will have its reputation increased to "normal" for 48 hours while we investigate. It may take up to 1 hour for the reputation increase to propagate to all Barracuda Spam Firewalls globally. We appreciate your patience and apologize for any inconvenience.

Your confirmation number is BBR21284594889-62827-7791.
0
 
LVL 1

Assisted Solution

by:DanSpecht
DanSpecht earned 150 total points
ID: 33687623
Did you try chatting with them? If you do give them the confirmation number above. There is a chance nothing was wrong with your computers and someone was spoofiing your isp's range of ip's. Just a thought, but if you can speak/chat with them you might be able to find out for sure.
0
 

Author Comment

by:ensite31
ID: 33687735
Hey Dan,
Thanks for the suggestion, so I called them to see if they could help (not expecting much) and Im pleased to report that the Tech Support guy was extremely helpful and spent some time explaining what the possible causes are and even took the time to monitor my IP for several minutes to see if they could detect SPAM - fortunately it was OK - that's not to say it could be Spamming though at other times.

Anyway, he gave me a great web address to lookup the current status of an IP address, it is:
mxtoolbox.com
Unfortunately when I put my current IP address in it shows as blacklisted by multiple services, the tech Support said it could be my ISP is giving out poor reputation IP addreses, here is my report, Im gonna get another dynamic IP and test it on mxtoolbox first to see if it's "Clean"

Checking 95.145.97.174 against 105 known blacklists...
Listed 6 times with 4 timeouts.
Blacklist Status Reason TTL ResponseTime
BARRACUDA  LISTED Detail
Return codes were: 127.0.0.2 828 281
SORBS-WEB  LISTED Exploitable Server See: Detail
Return codes were: 127.0.0.7 3529 265
Spamhaus-ZEN  LISTED Detail
Return codes were: 127.0.0.11 828 265
Tiopan  LISTED Return codes were: 127.0.0.2 2029 312
UCEPROTECTL2  LISTED Net 95.144.0.0/13 is UCEPROTECT-Level2 listed because 1608 abusers are hosted by ORANGE-PCS Orange PCS Limited/AS12576 there. See: Detail
Return codes were: 127.0.0.2 2029 281
UCEPROTECTL3  LISTED Your ISP ORANGE-PCS Orange PCS Limited/AS12576 is UCEPROTECT-Level3 listed for hosting a total of 2335 abusers. See: Detail
Return codes were: 127.0.0.2 2029 281
AHBL  OK   0

0
 
LVL 9

Expert Comment

by:ken2421
ID: 33688050
This whole thing with ISPs blocking ports and bouncing mail is amazing. I called AT&T the other day and they will offer no help for anything but webmail. They will escalate the call for a fee but even then they support web mail only. When I asked to talk with a supervisor that person confirmed no assistance whatsoever was the new policy regarding email clients.

ensite31, I hope you get a speedy resolution as I know you have burnt some real brain cells on this deal. I started to suggest earlier that you turn off your router over night in the hopes of getting a new IP. Based upon what you have said that wasn't as dumb an idea as I thought at the time.

Ken
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33689139
>> but if I use smtp.orangehome.co.uk on port 25 - hey presto - mail sends <<
Repeating what I stated earlier (http:#a33687256):
"If you are a home user and are sending out emails, you either need to send mail out via your ISP's mail servers or via a 3rd party mail server (with authentication)."
You are a home user using Orange and are on a Dynamic IP.  You HAVE to send via orange otherwise mail will fail.  Alternatively, you HAVE to send mail via another ISP with authentication (username and pasword) and then it should send too.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33689175
Extract from the Spamhaus-ZEN  Blocklist as to why you are listed:
95.144.0.0/14 is listed on the Policy Block List (PBL)
Outbound Email Policy of The Spamhaus Project for this IP range:

This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.
About The PBL

The Spamhaus Policy Block List ("PBL") is an international anti-spam system maintained by The Spamhaus Project in conjunction with Internet Service Providers and is used by Internet networks to enforce inbound email policies. The PBL database lists end-user IP address ranges which should not be delivering unauthenticated email to any mail server except those provided for specifically for that customer's use. The PBL lists only IP addresses (not domains or email addresses).
If you are sending mail via a Server, you will have to configure the server to send via your ISP's (Orange) mail servers.
0
 

Author Comment

by:ensite31
ID: 33739565
UPDATE:
OK folks, firstly, thanks for all your help with your very good comments and suggestions.
Almost a week later I can still freely send emails either through my own domain hosting service and / or through my ISP (orangehome.co.uk)
I checked my IP address and it isn't yet re-blacklisted by Barracuda Central although as usual my IP is blacklisted by four anti-spam vendors because I am using Orange as my ISP thus:

===================================
Spamhaus-ZEN  LISTED Detail
Return codes were: 127.0.0.11 900 421
Tiopan  LISTED Return codes were: 127.0.0.2 2100 328
UCEPROTECTL2  LISTED Net 95.144.0.0/13 is UCEPROTECT-Level2 listed because 1585 abusers are hosted by ORANGE-PCS Orange PCS Limited/AS12576 there. See: Detail
Return codes were: 127.0.0.2 2100 374
UCEPROTECTL3  LISTED Your ISP ORANGE-PCS Orange PCS Limited/AS12576 is UCEPROTECT-Level3 listed for hosting a total of 2373 abusers. See: Detail
Return codes were: 127.0.0.2 2100 374
================================================
So, in reflection, I don't think I'm sending out SPAM and never was, I think I eventually get onto Baracudda Central's blacklist because their algorythm takes into consideration results from other blacklists (see above).

Of course, I can send out mail through my own ISP SMTP because they obviously don't blacklist their own customers who only have a "poor reputation" IP  because of their own harbouring of known spammers !!

maybe it's time to look around for another ISP but Im currently waiting a response from Orange broadband provider regarding my concerns about the whole issue I put to them.

Thanks again folks, although I doubt I've seen the end of this.
0
 

Author Closing Comment

by:ensite31
ID: 33739576
thanks again for all your help
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now