Spam block page again

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Spam block page again

Post by farah9 » Tue Jul 06, 2010 9:31 am

I'm getting sick and tired of this, this is the third time this has happened now. I zero filled my drive the first time even though the virus that was detected by Exetel was not detected by any anti virus program or virus removal tool. Since then I have changed my log in password. What else can I do? Now I am blocked for three hours. Never had this problem in the last ten years I've used the internet. Trying to finalise a transaction on eBay for my wedding this weekend, and I wake up to the spam block page. I'm pretty sure this isn't a problem on my end.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Tue Jul 06, 2010 9:47 am

Going online in any version of Windows has risks. In viewtopic.php?f=288&t=36488 there is a comment about using Linux-based CDs and USB sticks to get a clean temporary connection for emergency use.

If you zero-filled the drive, using the Windows OS to write it, you may not have cleaned all malware. Re-partition, then reformat as though it were new bare hardware, using a self-booting CD, either one of the tools above, or the MS install CD.

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Tue Jul 06, 2010 10:00 am

I used partition wizard from a bootable CD, not in Windows, using the DoD 5220.28-STD (7 passes) (very slow), and I did every drive on the computer.
Would it help to set up a new email address and delete the old one? Or maybe uninstall my mail client and use the webmail page with a new email address?
Also it's very strange that no AV or spyware programs are picking anything up including virus remover programs.

Also, is it normal not to be able to lodge a fault ticket while blocked?

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Tue Jul 06, 2010 10:11 am

If the disk-scrubbing application wrote to the existing file system it won't necessarily get a root kit. That's why I suggested partitioning first, and treating the disk as new unformatted hardware. If a spammer has infected you a new email address will put him off for a while. One way to avoid many kinds of email exploit is to always display plain text, not html, in your mail client - then emails containing hidden malware, scripts etc can't get activated. Phishing scams don't work either. These things depend on the email being fed into html/javascript/java engines.

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Tue Jul 06, 2010 10:27 am

I never open an email from people I don't know. If spam comes through I just delete it straight away, especially if it has an attachment.

An interesting thing is that the first time I got the block page it said that a virus was detected; now, after zero filling, the page that comes up is a spam block. I have just noticed that when I changed my ADSL password I didn't change my email password. Could it be that I removed the virus with the zero fill, but because the password for the email wasn't changed they still had access to my email? I don't know how I overlooked that.

Thanks for the help.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Tue Jul 06, 2010 11:03 am

Exetel may have detected spam coming from your IP address, or it may have been detected elsewhere by someone who sent the headers back to Exetel. I'm not sure if external complaints take a while to ease off.

If your computer has become a zombie, it may have become a proxy for another machine, or could have an email server on board, so it won't need access to your Exetel ADSL or email passwords - all the zombie wants is a working internet.

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Tue Jul 06, 2010 11:19 am

Couple of things in no particular order:
* Yes, you should be able to log a ticket while blocked. Webmail should still be available as should https://helpdesk.exetel.com.au. If it isn't, you can follow up (now or later if you wish) as to why that is not the case
* Some of the blocks might be remnants of previous issues. That is, your computer, while infected, sent spam out which was detected and sent to Exetel. Exetel then actioned it (quarantined your connection) but only after you'd cleaned your computer
* While no system is perfect, I have not heard of a false positive from Exetel's spam / virus detection. You can try emailing residentialsupport@exetel.com.au to get up-to-date information on your blocking and ask whether it was an old report that simply took time to process, or a new spam / virus issue that caused your most recent block and, if it was a new issue, ask for some details to help you hunt down the culprit
* I don't think that Exetel mind if you unblock yourself, even if it turns out that your computer is still infected. The whole process is there for education and the fact that you are actively trying to clean your system is good enough. So go ahead and unblock yourself and cross fingers that the most recent block was a residual one from days ago. If you get blocked again, it would strongly suggest your system is still compromised (so possibly a rootkit, or a compromised email password (which you have just changed), etc)
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Tue Jul 06, 2010 12:33 pm

okay thanks for the help.

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Wed Jul 07, 2010 9:08 am

I don't believe it, I've been blocked again. I left my computer off all night last night, wake up this morning to this. Tonight I'll be turning off my modem as well. If tomorrow morning it's blocked again, it can't be from my end. I've tried everything I can think of now. I did the zero fill from a bootable CD on the highest scan possible. Guess I can try one of my spare HDDs to see if I still get the same results.

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Wed Jul 07, 2010 9:28 am

Have you altered your email account password? I'd suggest you contact residentialsupport@exetel.com.au to get the time of the spam incident to check whether it was before or after you changed passwords.

Edit: Actually, I'm not sure but I think that if your email account was compromised, that email account only would get blocked. If your connection is blocked then it may be due to the offending spam's originating IP address matching yours. Again, use residentialsupport@exetel.com.au to confirm and liaise with them for suggestions on how to diagnose and resolve this issue.
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au
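
The originating-IP comparison raised in the posts above (spam headers sent back to the ISP, and a connection block when the spam's originating IP matches the subscriber's), as an added example that is not part of the thread and not Exetel's actual process. The sample headers, addresses, hostnames, function names and the `trusted_nets` parameter are all constructed for illustration; the code assumes the report includes full `Received:` headers.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers of a forwarded spam report. Addresses are from
# the RFC 5737 documentation ranges and every hostname is made up.
SAMPLE_REPORT = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP; Tue, 6 Jul 2010 03:12:45 +1000
Received: from unknown (HELO bank.example) ([203.0.113.54])
\tby mx.recipient.example with SMTP; Tue, 6 Jul 2010 03:12:44 +1000
Received: from mail.forged.example ([192.0.2.99])
\tby bank.example with ESMTP; Tue, 6 Jul 2010 03:00:00 +1000
From: "Prize Dept" <winner@forged.example>
Subject: You have won

(body omitted)
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def handoff_ip(raw_message, trusted_nets):
    """Return the first address outside trusted_nets that handed the mail in.

    Received headers are read newest first. Hops between the recipient's own
    relays (trusted_nets) are skipped; the first outside address was recorded
    by a trusted server. Headers below it were supplied by the sender and can
    be forged, so they are never consulted.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for received in message_from_string(raw_message).get_all("Received", []):
        from_part = re.split(r"\sby\s", received, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_part)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. [999.1.1.1]
            continue
        if not any(ip in net for net in nets):
            return ip
    return None


def report_matches_connection(raw_message, trusted_nets, subscriber_ip):
    """True when the spam was handed over from the subscriber's own address."""
    ip = handoff_ip(raw_message, trusted_nets)
    return ip is not None and ip == ipaddress.ip_address(subscriber_ip)
```

A match points at a machine on the connection itself rather than a stolen mailbox password; the timestamp on the same header shows whether the incident predates a clean-up.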

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Wed Jul 07, 2010 12:26 pm

Yeah, I changed both my ADSL password and my email password, I've sent them an email now.

ShaminG
Exetel Staff
Posts: 960
Joined: Wed Jan 06, 2010 10:11 am
Location: Sydney, Australia

Re: Spam block page again

Post by ShaminG » Wed Jul 07, 2010 2:16 pm

Looking at the recent restrictions on your account, I could see your email account xxxxxxxxxx@yahoo.com has been detected with SPAM.

I have sent you a separate email containing this information.

To prevent further restrictions you could try setting-up a spam filter for your email account.

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Wed Jul 07, 2010 3:36 pm

ShaminG wrote:
> To prevent further restrictions you could try setting-up a spam filter for your email account.

?
But...an offending spam block indicates the computer itself is compromised, which is independent of any yahoo mail account. And a simple spam filter doesn't provide any protection against a compromised account or ensuing Exetel spam block
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au

thejeg

Re: Spam block page again

Post by thejeg » Wed Jul 07, 2010 4:18 pm

Hi All,

CoreyPlover wrote:
> ShaminG wrote:
> > To prevent further restrictions you could try setting-up a spam filter for your email account.
>
> ?
> But...an offending spam block indicates the computer itself is compromised, which is independent of any yahoo mail account. And a simple spam filter doesn't provide any protection against a compromised account or ensuing Exetel spam block

Correct! If the whole computer is compromised, you can only beseech the help of a really good anti virus tool which detects and removes viruses / spam horse / and any malicious software.

A full virus scan with an up-to-date anti virus software is a MUST :wink:

Regards,
Theje 8)

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Wed Jul 07, 2010 4:52 pm

Theje,

First up, I'm just posting on farah's behalf, but if you look at early posts, you'll see that farah performed full system scans without any virus or malware detected and even performed a full format, but continues to get spam blocked. Hopefully, the email mentioned 2 posts up has some useful information that I'm not privy to, but in this particular case, generic advice advocating spam filters and virus scans does not seem to be of much particular help.

The unresolved issue here is whether the spam blocks are carry overs from old spam instances or whether there is evidence that farah's system is still compromised. If the latter, this would represent a particularly nasty rootkit infection, seemingly resolved only by a low level format (including full repartitioning to wipe the master boot record clear too as this is pretty much the only place left for it to hide) or replacement of the hard drive for a new one.

farah, if you do have a spare hard drive (and time) available, while you await further info from residentialsupport you can switch the hard drive out, reinstall Windows on the fresh drive and unblock yourself once more. You can then put the original hard drive back in to restore your system (or connect it via USB to access old documents directly). This would also be a good test, as in a week's time you could simply reinstall the original hard drive and if you get blocked immediately, it is very clear evidence that the original hard drive has been (very deeply) compromised.
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au
