Spam block page again

Connection issues, drop outs or speed related faults for ADSL and ADSL2+ services
Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Wed Jul 07, 2010 5:29 pm

It is possible to hide away inside an NTFS file system and be undetectable by software that uses the file system. To be completely safe the MBR and the file system itself should be destroyed. I am not clear if farah9's scrubbing took place on bare metal or on the existing NTFS file system, but I suspect the latter. If he did go all the way down, I cannot imagine how he is still spamming.

I Googled up some code for peeking at NTFS alternate data streams at http://code.google.com/p/ntfs-streams/d ... ds_0.2.zip if you want to experiment (you'll need a bootable Linux CD that runs Perl and Zenity)
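As an added illustration of the hiding place described above (this is not the ntfs-streams script linked in the post, and nothing here is from the original thread): an NTFS alternate data stream is a named $DATA attribute (type 0x80) inside the file's MFT record, while the content a normal read returns is the unnamed $DATA attribute. Walking the raw record bytes, for instance from a disk image read under a Linux live CD, finds those named streams without relying on any Windows file-system API. The record below is constructed in memory for the demo, the stream names "payload" and the marker content are assumptions, and the update-sequence fixups a real on-disk record carries are omitted.

```python
"""Detect NTFS alternate data streams (ADS) in a raw MFT file record.

Added example; not the ntfs-streams script linked above. An ADS is a named
$DATA attribute (type 0x80) in the file's MFT record; the content Explorer
shows is the unnamed $DATA attribute. The record below is constructed in
memory and omits the update-sequence fixups a real record carries.
"""
import struct
from typing import List, Optional, Tuple

ATTR_STANDARD_INFORMATION = 0x10
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RESIDENT_HEADER_LEN = 24        # fixed part of a resident attribute header
FIRST_ATTR_OFFSET = 0x38        # attribute area starts after the record header


def _resident_attr(attr_type: int, name: str, content: bytes) -> bytes:
    """Encode one resident attribute with the on-disk NTFS layout (8-byte aligned)."""
    name_utf16 = name.encode("utf-16-le")
    name_off = RESIDENT_HEADER_LEN
    content_off = (name_off + len(name_utf16) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHH", attr_type, length,
                         0,                 # resident
                         len(name),         # name length in UTF-16 characters
                         name_off, 0, 0)    # name offset, flags, attribute id
    header += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body = header + name_utf16
    body = body.ljust(content_off, b"\0") + content
    return body.ljust(length, b"\0")


def build_record(attrs: List[bytes], record_size: int = 1024) -> bytes:
    """Wrap attributes in a minimal FILE record header (signature + first-attribute offset)."""
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\0" * 4
    header = b"FILE" + struct.pack("<HHQHHHHII",
                                   0x30, 3,            # update sequence offset/size (unused here)
                                   0,                  # $LogFile sequence number
                                   1, 1,               # sequence number, hard-link count
                                   FIRST_ATTR_OFFSET,
                                   1,                  # flags: record in use
                                   FIRST_ATTR_OFFSET + len(body), record_size)
    return (header.ljust(FIRST_ATTR_OFFSET, b"\0") + body).ljust(record_size, b"\0")


def list_data_streams(record: bytes) -> List[Tuple[str, Optional[bytes]]]:
    """Walk the attribute list; return (stream name, resident content) for each $DATA attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    streams = []
    while off + 8 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or length == 0:
            break
        if attr_type == ATTR_DATA:
            non_resident, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
            name = record[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
            content = None
            if non_resident == 0:           # non-resident content lives in data runs (not needed here)
                content_len, content_off = struct.unpack_from("<IH", record, off + 0x10)
                content = record[off + content_off: off + content_off + content_len]
            streams.append((name, content))
        off += length
    return streams


def alternate_streams(record: bytes) -> List[str]:
    """Names of the alternate data streams: every $DATA attribute that carries a name."""
    return [name for name, _ in list_data_streams(record) if name]


# Constructed sample: a file whose visible content is "hello" and which also
# carries a hidden stream called "payload" (both names are assumptions).
SAMPLE_RECORD = build_record([
    _resident_attr(ATTR_STANDARD_INFORMATION, "", bytes(48)),
    _resident_attr(ATTR_DATA, "", b"hello\n"),       # what a normal read returns
    _resident_attr(ATTR_DATA, "payload", b"MZ..."),  # file.txt:payload
])

if __name__ == "__main__":
    for name, content in list_data_streams(SAMPLE_RECORD):
        print(f"{name or '<unnamed>'}: {content!r}")
    print("alternate streams:", alternate_streams(SAMPLE_RECORD))
```

Running it lists the unnamed stream with "hello" and reports "payload" as the only alternate stream. On a live Windows system the quick check for the same thing is `dir /R` (Vista and later), which shows streams as `file.txt:payload:$DATA`; the point of parsing the record from a disk image is that the check does not depend on the possibly compromised OS.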

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Wed Jul 07, 2010 5:34 pm

Thank you for the help Corey,
This is the response I got:

Dear Sir,

Thank you for your verification e-mail.

According to the records we can see your service has been blocked for SPAM on a few occasions.

Currently there is no way to prevent spam. We recommend that Internet users try the following methods to prevent spam:

1. E-mail addresses posted on web sites or in newsgroups are being attacked by most spammers, so avoid posting your e-mail address on public websites (if possible).
2. Short e-mail addresses are easy to guess, and may receive more spam. We would recommend you change your e-mail address to an uncommon address (if possible).
3. You could use a powerful spam filter, or if you wish you can apply for the Exetel spam filter.

In the meantime please try to use a strong, updated virus guard to protect your computer from viruses/spam.

Not really anything to do with the problem. I outlined everything in the email, including the steps I have taken, and that was the response I got; it's like the email wasn't even read through.

This is the other email I got:

I forward herewith the information regarding the recent restrictions on your account.

Customer IP:
Service Number:
Customer ID:
Contacts Emailed:

This is an email abuse report for an email message with the message-id of WRKNMWDOMXQADXJZNYEDWZ@sinamail.com received from IP address 22 on Mon, 28 Jun 2010 09:49:36 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at:
http://postmaster.aol.com/waters/fbl_change_form.html

=====================================================================================

Customer IP:
Service Number:
Customer ID:
Contacts Emailed:

This is an email abuse report for an email message with the message-id of BHFQHUIBADWTIBQDVEYC.KHNWjessiesara@yahoo.com.br received from IP address 220 on Mon, 5 Jul 2010 04:55:28 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at:
http://postmaster.aol.com/waters/fbl_change_form.html

=====================================================================================

Customer IP:
Service Number:
Customer ID:
Contacts Emailed:

This is an email abuse report for an email message with the message-id of FUGRULOBANWAXXTBTAVYYJYLD@yahoo.com received from IP address 220 on Tue, 6 Jul 2010 06:04:56 -0400 (EDT)

For information, please review the top portion of the following page:
http://postmaster.aol.com/tools/fbl.html

For information about AOL E-mail guidelines, please see
http://postmaster.aol.com/guidelines/

If you would like to cancel or change the configuration for your FBL please use the tool located at:
http://postmaster.aol.com/waters/fbl_change_form.html

Dazzled wrote: It is possible to hide away inside an NTFS file system and be undetectable by software that uses the file system. To be completely safe the MBR and the file system itself should be destroyed. I am not clear if farah9's scrubbing took place on bare metal or on the existing NTFS file system, but I suspect the latter. If he did go all the way down, I cannot imagine how he is still spamming.

I zero filled from a bootable CD, not in Windows, using the longest method possible with the program. Is that what you meant?
Thanks for your help.

I'll try my spare drive tonight. I've got a new program called KillDisk; I'll give that a try on the old one also.

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Wed Jul 07, 2010 10:29 pm

So spam report incidents for 28 June, 5 July and 6 July. The last two were received after you scrubbed the drive, and the only explanation I can give for this is an MBR infection.

The issue is not with the scrubbing. These programs are specifically designed to wipe content and remove traces of data from a drive's surface by zero-wiping or random writing. But a "zero fill" might simply replace the contents of a given partition with zeroes. The issue may well be that a virus has infected the partition itself, so you want to wipe the MBR of your drive. If you delete and recreate the partition on your drive, that should remove any MBR viruses.

But yeah, a spare drive is a faster and easier option. Once you've reinstalled Windows on a fresh hard drive, and (hopefully) unblocked yourself without further incident, you can simply insert the spare drive via a USB caddy or as a secondary drive and use Windows Disk Management (right-click My Computer, Manage) to delete and recreate the partition and format the old drive fresh.

One other option: have you tried Malwarebytes (http://www.malwarebytes.org/)? I reckon that is one of the best current scanners, and a couple of Google hits show success using it on MBR rootkits.
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au
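To make the distinction in the post above concrete (an added example, not code from the thread or from any wiping tool): the MBR is sector 0 of the disk, holding 446 bytes of boot code, a 64-byte table of four partition entries and the 0x55AA signature, and every partition begins at a later sector. A tool that zero-fills "the partition" therefore never writes sector 0, and boot code that a bootkit has replaced survives the wipe; zeroing sector 0 (or deleting and recreating the partition table, which rewrites it) is what actually removes it. The disk image below is built in memory, the "infected" boot code is just a marker string standing in for a real loader, and the partition layout is made up for the demo.

```python
"""Why a partition-level zero fill leaves an MBR infection behind.

Added example, not code from the thread. The MBR occupies sector 0 (LBA 0):
446 bytes of boot code, a 64-byte table of four partition entries, and the
0x55AA signature. Every partition starts at a later LBA, so a tool that
zero-fills "the partition" never writes sector 0. The disk image here is
built in memory and the "infected" boot code is a marker, not real malware.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xAA"
# Reference fingerprint for fully zeroed boot code; a real check would compare
# against the hash of a known-good Windows MBR instead.
CLEAN_BOOT_CODE_SHA256 = hashlib.sha256(bytes(BOOT_CODE_LEN)).hexdigest()


def make_disk(boot_code: bytes, partitions: List[Tuple[int, int, int]], total_sectors: int) -> bytearray:
    """Build a raw disk image with an MBR and the given (type, start_lba, sector_count) partitions."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\0"))
    for ptype, start, count in partitions:
        # status, CHS start (ignored), type, CHS end (ignored), LBA start, sector count
        mbr += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr = mbr.ljust(SECTOR - 2, b"\0") + MBR_SIGNATURE
    disk = bytearray(mbr) + bytearray(SECTOR * (total_sectors - 1))
    for _, start, count in partitions:          # fill each partition with stand-in file-system data
        disk[start * SECTOR:(start + count) * SECTOR] = b"\xAB" * (count * SECTOR)
    return disk


def parse_partitions(disk: bytes) -> List[Dict[str, int]]:
    """Read the four MBR partition entries; skip empty slots."""
    if bytes(disk[SECTOR - 2:SECTOR]) != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: sector 0 is not a valid MBR")
    parts = []
    for i in range(4):
        entry = disk[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"type": ptype, "start": start, "count": count, "bootable": int(status == 0x80)})
    return parts


def boot_code_sha256(disk: bytes) -> str:
    """Fingerprint of the 446 boot-code bytes."""
    return hashlib.sha256(bytes(disk[:BOOT_CODE_LEN])).hexdigest()


def zero_fill_partition(disk: bytearray, part: Dict[str, int]) -> None:
    """What a partition-level 'zero fill' does: only sectors [start, start+count)."""
    begin, end = part["start"] * SECTOR, (part["start"] + part["count"]) * SECTOR
    disk[begin:end] = bytes(end - begin)


def wipe_mbr(disk: bytearray) -> None:
    """Zero sector 0, the equivalent of: dd if=/dev/zero of=/dev/sdX bs=512 count=1
    This removes the boot code and the partition table, so repartition afterwards."""
    disk[:SECTOR] = bytes(SECTOR)


# Constructed stand-in for infected boot code (a JMP followed by a marker string).
INFECTED_BOOT_CODE = b"\xEB\x3C\x90" + b"CONSTRUCTED-BOOTKIT-MARKER"


def demo() -> Tuple[str, str, str, bool]:
    """Boot-code hashes before, after a partition zero fill and after an MBR wipe,
    plus whether the partition zero fill really cleared the partition's own data."""
    disk = make_disk(INFECTED_BOOT_CODE, [(0x07, 2048, 4096)], total_sectors=8192)
    part = parse_partitions(disk)[0]
    before = boot_code_sha256(disk)
    zero_fill_partition(disk, part)
    begin, end = part["start"] * SECTOR, (part["start"] + part["count"]) * SECTOR
    partition_clean = bytes(disk[begin:end]) == bytes(end - begin)
    after_partition_fill = boot_code_sha256(disk)
    wipe_mbr(disk)
    after_mbr_wipe = boot_code_sha256(disk)
    return before, after_partition_fill, after_mbr_wipe, partition_clean


if __name__ == "__main__":
    b, p, m, clean = demo()
    print("boot code before:          ", b[:16])
    print("after partition zero fill: ", p[:16], "(unchanged)" if p == b else "")
    print("after MBR wipe:            ", m[:16], "(clean)" if m == CLEAN_BOOT_CODE_SHA256 else "")
    print("partition data zeroed:     ", clean)
```

The partition fill zeroes every byte of the partition yet leaves the boot-code hash unchanged; only the sector-0 wipe clears it, and after that the partition table is gone too, which is why the "delete and recreate the partition" step in the post has the same effect. On a real disk the check is to read sector 0 (for example with dd from a live CD) and compare its first 446 bytes against a known-good MBR rather than against zeroes.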

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Thu Jul 08, 2010 12:35 am

Thanks,
I'll try that program; if it doesn't work I'll try my spare drive tomorrow arvo. Got side-tracked with other things tonight.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Thu Jul 08, 2010 7:44 am

One extra check - the router hasn't been mentioned. Disable wireless in the router, and use an ethernet connection only, just in case there is a neighbourhood zombie hijacking you.

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Thu Jul 08, 2010 9:51 am

Dazzled wrote:One extra check - the router hasn't been mentioned. Disable wireless in the router, and use an ethernet connection only, just in case there is a neighbourhood zombie hijacking you.
Yeah, that's possible, but I change the WEP2 key regularly.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Spam block page again

Post by Dazzled » Thu Jul 08, 2010 10:25 am

Even if it's not the wireless at fault now, when this is sorted change to WPA and use a very long pass phrase - 20 characters is practically uncrackable. WEP is too easy to break, and the tools are in nearly every Linux distro. Some tools run at least partially under Windows as well, e.g. http://www.aircrack-ng.org/documentation.html
http://www.aircrack-ng.org/doku.php?id= ... 4e27db6d50
http://lifehacker.com/5305094/how-to-cr ... -backtrack
http://www.willineedit.com/2009/08/spoo ... king-tool/
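As an added example of why pass-phrase length matters for WPA (this is illustrative code, not from the thread or from aircrack-ng): WPA/WPA2-Personal derive the 256-bit pairwise master key from the pass-phrase with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times, as specified in IEEE 802.11i. Unlike WEP, where captured traffic leaks the key, an attacker with a captured 4-way handshake can only guess, and every guess costs one such derivation. The SSID, the two candidate pass-phrases, the tiny wordlist and the assumed guess rate of 100,000 PMK/s for a single 2010-era GPU are all constructed for the demo. The one caveat the post's "20 characters" rule needs: length only helps if the pass-phrase is random rather than a phrase a wordlist contains.

```python
"""Why a long WPA pass-phrase is expensive to attack (added example).

WPA/WPA2-Personal: PMK = PBKDF2(HMAC-SHA1, pass-phrase, SSID, 4096 rounds, 256 bits).
An attacker who captures the 4-way handshake must run this once per guess
(plus a cheap PTK/MIC check, omitted here), so cost = candidates x PBKDF2.
"""
import hashlib
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key exactly as 802.11i specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LEN)


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess loop run against a captured handshake. Matching on the PMK is
    enough for the demo; a real cracker derives the PTK and checks the EAPOL MIC."""
    for guess in wordlist:
        if wpa_pmk(guess, ssid) == target_pmk:
            return guess
    return None


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to search the whole keyspace of a random pass-phrase at a given guess rate."""
    return charset_size ** length / guesses_per_second / (365.25 * 24 * 3600)


# Constructed demo data (assumptions, not anything from the thread).
SSID = "exetel-home"
WEAK = "password"
STRONG = "k7#Qm2!vLp9@Rx4$Wz1&"       # 20 random printable characters
WORDLIST = ["letmein", "123456", "password", "qwerty", "iloveyou"]
GPU_RATE_2010 = 1.0e5                # assumed PMK/s for one 2010-era GPU


if __name__ == "__main__":
    print("weak  :", dictionary_attack(SSID, wpa_pmk(WEAK, SSID), WORDLIST))
    print("strong:", dictionary_attack(SSID, wpa_pmk(STRONG, SSID), WORDLIST))
    for n in (8, 12, 20):
        print(f"random {n}-char pass-phrase from 95 symbols at {GPU_RATE_2010:.0e} guesses/s:"
              f" {years_to_exhaust(95, n, GPU_RATE_2010):.2e} years to exhaust")
```

The weak pass-phrase falls to the five-word list immediately, the random 20-character one is not found, and the keyspace figures show why: at the assumed rate a random 8-character pass-phrase takes on the order of two thousand years to exhaust and a 20-character one about 10^27 years. The same PBKDF2 cost is what makes precomputed tables per SSID attractive to attackers, so a non-default SSID also helps.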

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Thu Jul 08, 2010 11:25 pm

Dazzled wrote: Even if it's not the wireless at fault now, when this is sorted change to WPA and use a very long pass phrase - 20 characters is practically uncrackable. WEP is too easy to break, and the tools are in nearly every Linux distro. Some tools run at least partially under Windows as well, e.g. http://www.aircrack-ng.org/documentation.html
http://www.aircrack-ng.org/doku.php?id= ... 4e27db6d50
http://lifehacker.com/5305094/how-to-cr ... -backtrack
http://www.willineedit.com/2009/08/spoo ... king-tool/
Yeah, I might just run a cable to my PS3 and forget about wireless altogether.
Not really getting anywhere with the Exetel staff; the last email I got asked me what "zero fill" meant. Then they told me to update my AV prog; I explained to them that I had up-to-date software and had tried removal tools already. The last program that Corey suggested found a malicious file and deleted it, so far so good.

James
Exetel Staff
Posts: 2013
Joined: Mon May 09, 2005 10:27 pm

Re: Spam block page again

Post by James » Thu Jul 08, 2010 11:39 pm

It probably isn't your PC, it's probably another device connected via wireless to your router.

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Fri Jul 09, 2010 8:44 am

James wrote:It probably isn't your PC, it's probably another device connected via wireless to your router.
If that were the case, wouldn't that device show up on my network map?

I know it's possible, but highly unlikely considering I live in a cul-de-sac and know most of my neighbours; I have a main road behind me. What's the rough range of a wireless N router?

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Fri Jul 09, 2010 9:06 am

I think that we should be applying Occam's Razor here.

In this case, I think there is very little chance of a computer connected surreptitiously to the network. Even if WEP is easily broken, I have yet to hear of a neighbour with enough ability to crack it, malicious enough to seek out to do so, and whose own computer is also responsible for spamming. Even though it might fit the symptoms, it is just too improbable. If you really wish to, disable wireless completely and see if you once again get spam blocked. That will rule out (or possibly rule in) this unlikely culprit.

I also find the (rather useless) generic advice you've been getting from Exetel a little unacceptable. I thought that Exetel's helpdesk were savvy enough to recognise individual circumstances, and you have clearly demonstrated that you've tried multiple virus scanners and formatting to no avail. Having said that, I do think that it is much more probable (by a few orders of magnitude) that there was a hidden rootkit, so the advice is probably sound even if it seems unhelpful. Hopefully the virus picked up by Malwarebytes has cleared the spam issue for you now, but if so (and especially if not), it is a particularly nasty virus infection that no virus scanner seems able to detect, and that makes the generic "scan your system for viruses" advice a lot less helpful.

So, have you unblocked yourself now? No new spam reports yet? With or without the new hard drive?

farah9
Posts: 33
Joined: Sun Jan 10, 2010 11:14 pm
Location: N.S.W

Re: Spam block page again

Post by farah9 » Sat Jul 10, 2010 6:30 pm

Looks like the program you suggested did the trick, still on the same HDD, and no spam block for a couple of days now. Here's hoping.
Your help was greatly appreciated.
Now I can get back to building my jukebox for my wedding this weekend.

JoeSoap
Posts: 13
Joined: Wed Aug 11, 2004 9:05 am
Location: Brisbane, QLD

Re: Spam block page again

Post by JoeSoap » Tue Jul 13, 2010 3:22 pm

Have you tried to change your IP? As it seems to think that specific IP has spam coming from it.

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Spam block page again

Post by CoreyPlover » Tue Jul 13, 2010 4:51 pm

I remember reading a post from a while ago about the very low false-positive rate of spam reports. If the spam report says that IP address is sending out spam, it almost certainly is. Also, I'm pretty sure Exetel look up the originating IP in their records, after allowing for IP changes in the interim. So the whole system is pretty accurate and is always (to my knowledge) reaffirmed by an infection of some sort being found on the offending machines.
