Link to home
Start Free TrialLog in
Avatar of ensite31

asked on

How do I fine the source of SPAMing

My emails from my home location (Orange broadband) have been blocked by an organisation called Baracudda Central, who seem to monitor email traffic using some kind of algorythm which is all automated.

At first I though I might have been dealt a "rougue IP" from my ISP so reset my router to collect a new IP address.

This worked, but only a few days later same thing happened again !

So, I checked all 3 PC's in our home for latest MS updates, active firewall and good antivirus with clean scans (I use EST NOD32), and because my son uses his PC for gaming, instant messaging & such I completely re-installed his O/S (it was running slow anyway !), I also reset my router back to factory defaults and re-entered all my ISP details, and created a new WEP key for wireless access.

All to no avail, twice more I have been blocked.

Any ideas how to monitor each PC to find the source of the SPAM which I now have to conclude is real (Baracudda central can't be that bad can they ? )

Any advice on "next steps" would be appreciated !
Avatar of ken2421
Flag of United States of America image

Once you get blacklisted you have to contact them directly to get whitelisted again.

I suspect that you have malware running an smtp server on one of your pcs.

Lets start with Malwarebytes.    download and run the free version. I always do a quick scan and if anything pops up I do a deep scan.

Are any of the PCs XP

Avatar of Alan Hardisty
If you are using a Dynamic IP Address, you are going to be on one Blacklist or another because Spammers don't want fixed IP Addresses, or they would not be able to operate.
If you have a problem on a PC, I would recommend the download, installation and quick scan with Malwarebytes -
This usually finds all manner of things you didn't know about.
Sorry ken2421 - didn't see you had posted malwarebytes.  Still - always good to have confirmation of your suggestions : )
Avatar of ken2421
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of ensite31


thanks for the input and suggestions.

I'm assuming because I get a different IP dynamically when I reset the router, thus I don't need to request to get whitelisted ? - does Baracudda Central not identify me though the IP address.?

I've used malwarebytes before and it is a good free product, although I have noticed that it can show "false positives", I use the paid version of NOD32 by ESET which has a good reputation in the IT community, so I'm relying on it's results that I dont have malware sending SPAM, I'll download Malwarebutes to see if it can find anything and post any results.

Two PC's are running XP Pro and the other XP home.

Do you know of any software that can monitor my network activity so that I can confirm if I am sending SPAM ?

Thanks again, appreciate your thoughts and input.
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
That said try running combo fix

Run combo fix 

The link is 2/3 down the page blue highlighted bleepingcomputer link. This is a must have program for xp. Follow the wizard as it runs in widows in a dos emulator. If you can't disable your antivirus no sweat.

to monitor traffic here is some shareware that will get it done.

We have a Barracuda Webfilter protecting our enterprise. I would goto - get your current ip - then call, email or even chat with barracuda ( to find out exactly why they have blacklisted your home network and ask if you are still doing what got you blacklisted in the first place. Next, there are live linux cd's (You download the cd iso / burn it to disk then go into bio and set the cd rom as first boot device - then you get linux live from the cd with nothing installed on your hard drive) that have very good FREE network traffic analyzers. There was one linux program I had once that showed like a pie chart sorta thing with the ip's on my network and lines going to various places on the internet - I think it was nmap or something like that and was real easy to use.  Good luck and let us know how it turns out.

Oh.. and perhaps I should elaborate on working with Barracuda. One, they have great support. Two.. well I have seen them have small (but quickly fixed if you let them know) problems with their traffic blocking rules.
An update to the SPAMing problem.
Firstly, thanks for all the advice, I'll be working my way through the suggestions until we hit a fix (hopefuly).

I ran Malwarebytes Anti Malware program (MBAM) on all 3 computers, 2 ran clean and the third (my son's) had 2 reported infected files, which really surprised me as I use NOD32 (they claim to never have missed an "in the wild" virus in 12 years !), although both infections are described as Adware so may not be responsible for my issues.

Anyway here is the log of the results before I let MBAM delete the files. I'm now goint to restart my router, collect a new IP address and watch if I get blocked by barracuda central again... watch this space !!

Malwarebytes' Anti-Malware 1.46

Database version: 4615

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/09/2010 21:54:47
mbam-log-2010-09-14 (21-54-47).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 179354
Time elapsed: 50 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shopperreports.reporter (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\shopperreports.reporter.1 (Adware.ShopperReports) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{0d82acd6-a652-4496-a298-2bde705f4227} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7025e484-d4b0-441a-9f0b-69063bd679ce} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{8258b35c-05b8-4c0e-9525-9bccc70f8f2d} (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a89256ad-ec17-4a83-bef5-4b8bc4f39306} (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\srs_it_e879027eb7765b5236a997 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ross\Local Settings\Temp\sai12.exe (Adware.QuestDns) -> No action taken.
C:\WINDOWS\Temp\QUE2B.tmp\upgrade.exe (Adware.Dropper.Gen) -> No action taken.

Go ahead and start getting removed from the list.

To be absolutely certain run a Combo Fix to be sure. This only runs on XP machines. NO ONE PROGRAM gets them all. If there was ONE that could do it then there would only be one. I do this week after week with tons of users. Repeatedly, I run both and am often amazed at what is left.

Run combo fix 

The link is 2/3 down the page blue highlighted bleepingcomputer link. This is a must have program for xp. Follow the wizard as it runs in widows in a dos emulator. If you can't disable your antivirus no sweat.

Hi ken2421,

thanks for all the advice - I'll try combo fix to see if it reveals anything else.
with regards Baracudda Central, I assumed if I made my router collect a new IP address I effectively get a "clean bill of health" from Baracudda Central since it uses the IP address as the source reference.?
Is there any advantage in getting a dynamic IP removed from the list ?
If you collect a new Dynamic IP Address, the cleanliness of the IP Address will depend on the last user of the IP Address.  If they were sending out spam, the IP will be Blacklisted on many sites, if not, then only on a few sites.
Either way, with a Dynamic IP address, you are likely to have blacklisting problems on one site or another.
You won't be able to remove a Dynamic IP Address from any Blacklists - they will get removed off the ones that automatically listed them if no more spam is received from that IP Address, but they will still be listed in the Dynamic IP Address Block Lists and no amount of bargaining will get you off one of those lists.
If you want a clean IP Address, get a fixed IP Address.
Latest development - even though I was assigned a new IP address about 12 hours ago, 1st time I try to send email from Outlook I get blocked by Baracudda Central - even though all PC's are now showing clean scans with Malwarebytes and ESET NOD32 AV scanners ?

Is it possible Baracuda Central follow the newly assigned IP address and ban that too even before they detect any further SPAM - here is the Outlook message ...

What on earth can I do next ?

Task ' - Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties.  The server responded: 553 5.3.0 Spam blocked see:'

What is your current IP Address?
Thanks Alan for your latest comment and hi everyone, looks like I may have found a solution.

It may be that Baracudda Central is blocking my email because of the SMTP port I use for my email.
My hosting company provide an SMTP port on port 587 for my domain so that I can simply use POP3 & SMTP settings in Oulook as (where mydomain is the actual domain name of my website and email accounts plus webmail),
Some time ago ago I made this change to port 597 because I was sick and tired of changing the SMTP in Oulook between "" when I was at home and "" when I was at work, as most ISP's now block email through port 25 when not using their mail servers.

This therfore must be another step to make our life difficult which looks like it has recently been applied to my service ?? .. What I don't understand though is if  I collect a new IP address by re-setting my router I am able to send mail for up to several days before I become blocked again ??

So, looks like it's back to the old method of changing SMTP in Outlook twice a day, unless anyone has any ideas ?
Well, at least I know my 3 PC's are all clean now - LOL !!
Computers, you gotta love them ??
Blacklists are there not because of a Port that you are using, but because the IP address you have is either a Dynamic IP Address or it is a fixed IP Address and is sending out spam.
If you are a home user and are sending out emails, you either need to send mail out via your ISP's mail servers or via a 3rd party mail server (with authentication).
Some (not all) ISP's block TCP port 25 outbound on Dynamic IP Addresses because of the risk of spam.  They may offer TCP Port 587 as an alternative port to use because spammers use port 25.
You should not have to switch your SMTP Server on a regular basis.  Use your ISP's mail server onTCP Port 587 or find an SMTP server that you can use permanently that also user TCP Port 587.
Block TCP port 25 outbound in your Router / Firewall (if you can) and this should stop any nasties from spewing out rubbish should you become infected (or if you are still infected and don't know it).
You could set up two separate pop accounts as you describe. Then make these changes. Tools, options, mail settings, send and receive. Create two profiles. Uncheck the one you don't need based upon at work or not. It beats the mess you are having.

Thanks again for suggestions folks,
Ken, yes I tried that back in the dark days when I was switching between SMTP setting in Outlook - had 2 profiles, one for home, one for work, so I was collecting all my mail twics and bigger problem was "sent" mail was split between two profiles, so started copying myself to document what I sent !! - nightmare !!

Alan, I too had always worked on that principle - Barracuda is blocking emails because of SPAM - so it's been driving me crazy over last few days, re-installing O/S's, running AV scans, using multiple AV's, re-setting my router to factory defaults, all to no avail - suddenly, tonight I change back to port 25 and change smtp to my ISP at home ad "hey presto" mail is sending again.
So I concluded that if baracudda Central blocked my IP it wouldn't mattrer which port or which SMTP mail server I used. ?

Just to be clear, I have several email accounts being collected by a single MS Outlook profile, if send right now from any EXCEPT the one I've changed back to port 25 (the ISP I am using at this exact moment), the mail gets rejected with the nessage I posted above which ends  "The server responded: 553 5.3.0 Spam blocked see:'

but if I use on port 25 - hey presot - mail sends.

I dunno the answer, just hypothosising ! - open to any suggestion
I entered my current IP address on the Baracudda Central website and it is listed as "Poor"

I filled out the form "Request for Removal" and submitted - got the following generated message.

Request Received
Thank you for submitting your request. If this is your first request, your IP address will have its reputation increased to "normal" for 48 hours while we investigate. It may take up to 1 hour for the reputation increase to propagate to all Barracuda Spam Firewalls globally. We appreciate your patience and apologize for any inconvenience.

Your confirmation number is BBR21284594889-62827-7791.
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hey Dan,
Thanks for the suggestion, so I called them to see if they could help (not expecting much) and Im pleased to report that the Tech Support guy was extremely helpful and spent some time explaining what the possible causes are and even took the time to monitor my IP for several minutes to see if they could detect SPAM - fortunately it was OK - that's not to say it could be Spamming though at other times.

Anyway, he gave me a great web address to lookup the current status of an IP address, it is:
Unfortunately when I put my current IP address in it shows as blacklisted by multiple services, the tech Support said it could be my ISP is giving out poor reputation IP addreses, here is my report, Im gonna get another dynamic IP and test it on mxtoolbox first to see if it's "Clean"

Checking against 105 known blacklists...
Listed 6 times with 4 timeouts.
Blacklist Status Reason TTL ResponseTime
Return codes were: 828 281
SORBS-WEB  LISTED Exploitable Server See: Detail
Return codes were: 3529 265
Spamhaus-ZEN  LISTED Detail
Return codes were: 828 265
Tiopan  LISTED Return codes were: 2029 312
UCEPROTECTL2  LISTED Net is UCEPROTECT-Level2 listed because 1608 abusers are hosted by ORANGE-PCS Orange PCS Limited/AS12576 there. See: Detail
Return codes were: 2029 281
UCEPROTECTL3  LISTED Your ISP ORANGE-PCS Orange PCS Limited/AS12576 is UCEPROTECT-Level3 listed for hosting a total of 2335 abusers. See: Detail
Return codes were: 2029 281
AHBL  OK   0

This whole thing with ISPs blocking ports and bouncing mail is amazing. I called AT&T the other day and they will offer no help for anything but webmail. They will escalate the call for a fee but even then they support web mail only. When I asked to talk with a supervisor that person confirmed no assistance whatsoever was the new policy regarding email clients.

ensite31, I hope you get a speedy resolution as I know you have burnt some real brain cells on this deal. I started to suggest earlier that you turn off your router over night in the hopes of getting a new IP. Based upon what you have said that wasn't as dumb an idea as I thought at the time.

>> but if I use on port 25 - hey presto - mail sends <<
Repeating what I stated earlier (http:#a33687256):
"If you are a home user and are sending out emails, you either need to send mail out via your ISP's mail servers or via a 3rd party mail server (with authentication)."
You are a home user using Orange and are on a Dynamic IP.  You HAVE to send via orange otherwise mail will fail.  Alternatively, you HAVE to send mail via another ISP with authentication (username and pasword) and then it should send too.
Extract from the Spamhaus-ZEN  Blocklist as to why you are listed: is listed on the Policy Block List (PBL)
Outbound Email Policy of The Spamhaus Project for this IP range:

This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.
About The PBL

The Spamhaus Policy Block List ("PBL") is an international anti-spam system maintained by The Spamhaus Project in conjunction with Internet Service Providers and is used by Internet networks to enforce inbound email policies. The PBL database lists end-user IP address ranges which should not be delivering unauthenticated email to any mail server except those provided for specifically for that customer's use. The PBL lists only IP addresses (not domains or email addresses).
If you are sending mail via a Server, you will have to configure the server to send via your ISP's (Orange) mail servers.
OK folks, firstly, thanks for all your help with your very good comments and suggestions.
Almost a week later I can still freely send emails either through my own domain hosting service and / or through my ISP (
I checked my IP address and it isn't yet re-blacklisted by Barracuda Central although as usual my IP is blacklisted by four anti-spam vendors because I am using Orange as my ISP thus:

Spamhaus-ZEN  LISTED Detail
Return codes were: 900 421
Tiopan  LISTED Return codes were: 2100 328
UCEPROTECTL2  LISTED Net is UCEPROTECT-Level2 listed because 1585 abusers are hosted by ORANGE-PCS Orange PCS Limited/AS12576 there. See: Detail
Return codes were: 2100 374
UCEPROTECTL3  LISTED Your ISP ORANGE-PCS Orange PCS Limited/AS12576 is UCEPROTECT-Level3 listed for hosting a total of 2373 abusers. See: Detail
Return codes were: 2100 374
So, in reflection, I don't think I'm sending out SPAM and never was, I think I eventually get onto Baracudda Central's blacklist because their algorythm takes into consideration results from other blacklists (see above).

Of course, I can send out mail through my own ISP SMTP because they obviously don't blacklist their own customers who only have a "poor reputation" IP  because of their own harbouring of known spammers !!

maybe it's time to look around for another ISP but Im currently waiting a response from Orange broadband provider regarding my concerns about the whole issue I put to them.

Thanks again folks, although I doubt I've seen the end of this.
thanks again for all your help