TSGL: stopping services because of spam (I think)

Dave heydave at pacbell.net
Mon Sep 25 14:21:14 EDT 2006


Hello Lum,
      It is very likely that his address is being "spoofed", i.e., stolen and inserted into the
headers of spam messages. Forged headers are the rule rather than the exception in spam.
It is also possible that someone at RR is not properly ensuring that the complaints are
legitimate, rather than reports solely based on the "From" field in the supposed spam messages.

      The first thing I'd do is to request copies of all the full headers of the "supposed" spam
about which he's being accused.  It is the usual practice for spam to have forged headers
with bogus information inserted in the "From" or "Received" entries.  Examine them
carefully for consistency and compare them with full headers of known "good" messages.

      If he is using a static IP number (Client IP address), confirm that it is the same as
that appearing in those spam headers.  Note that legitimate IP numbers are _always enclosed
by brackets within parentheses, at least once within the full header_.

    e.g., in your TSGL message header this appeared:

        "X-Originating-IP: [24.137.9.11]
        Received: from ns1.cermaktech.com (ns1.cermaktech.com [24.137.9.11])".

        Note that the domain name is consistent, and the IP number matches.
        Spam nearly always has inconsistencies and bogus domain identities.

      There will likely be multiple "Received" entries, all of which will be logical in
legitimate messages. The domain names and IP numbers should be consistent when checked via a
WHOIS.

    If he uses a dynamic IP (ADSL) that changes on each log-on, keep a record of what numbers
are being assigned. There is a security log that should provide useful information.

       1. Open Windows Firewall.

       2. On the *Advanced* tab, under *Security Logging*, click *Settings*.
       3. Choose one of the following options:
              * To enable logging of unsuccessful inbound connection
                attempts, select the Log *dropped packets* check box.
              * To enable logging of successful outbound connections,
                select the Log *successful connections* check box.

To view the security log file

   1. Open Windows Firewall.

   2. On the *Advanced* tab, under *Security Logging*, click *Settings*.
   3. Click *Browse*.
   4. Right-click pfirewall.log, and then click *Open*.


He could also use the Event Viewer to check details of activity to see what was going on on
his system at the exact times of the purported spam submissions.

    * To open Event Viewer, click *Start*, click *Control Panel*, click
      *Performance and Maintenance*, click *Administrative Tools*, and
      then double-click *Event Viewer*.

   He has the right to demand that Roadrunner substantiate the accusations, and the more
information he can provide to them the better.

   One thing in your inquiry that begs a question is that you say he has three computers, but
your security checks mention OK results on TWO.  Well, what about that third one?  Did he hook
it up again?  When you say they are "networked through Roadrunner", are you saying he does
not have a LAN set up?
 
   Does he have a hardware firewall installed as well as the XP Firewall?  Is he running the
usual gamut of prophylactics such as Spybot, PestPatrol, and Ad-Aware? What antivirus is
always activated? Does he have File Sharing disabled and/or specifically restricted to his
systems?

   Has he tried installing ZoneAlarm Free as a more pro-active alternative to the Windows
firewall?

   Lastly, from a totally cynical viewpoint: are you SURE he isn't sending spam and trying to
get you to unknowingly defeat the RR restrictions? Do you know what sort of activity is going
on with those three systems?

Personally I used to get a great deal of spam via Roadrunner, but it has decreased greatly in
recent months (whew!), as it appears that Roadrunner is actually "attending to business",
unlike Comcast and Verizon whose spam-relay or origination continues unabated and increasing.

Good luck,
dave r
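The header consistency checks Dave describes (the accused IP appearing in brackets inside a "Received" entry, HELO and reverse-DNS names agreeing, and X-Originating-IP matching the hop nearest the sender), as an added Python example that is not part of this thread. The only header lines taken from the message are the X-Originating-IP / Received pair quoted above; every other hostname, queue id, date and the whole forged sample are constructed for the demonstration.

```python
import re
from email import message_from_string

# Constructed samples. The X-Originating-IP / Received pair in GOOD_MSG is the fragment
# Dave quotes; every other hostname, queue id, date and all of FORGED_MSG are made up.
GOOD_MSG = """X-Originating-IP: [24.137.9.11]
Received: from ns1.cermaktech.com (ns1.cermaktech.com [24.137.9.11])
\tby mx.list.example (Postfix) with ESMTP id 1A2B3C; Mon, 25 Sep 2006 14:21:14 -0400
From: dave@example.invalid
"""
# Forged header of the kind Dave describes: X-Originating-IP and From claim the
# accused user, but the relay that really handed the mail in has no matching rDNS.
FORGED_MSG = """X-Originating-IP: [24.137.9.11]
Received: from mail.cermaktech.com (unknown [198.51.100.23])
\tby mx.list.example (Postfix) with ESMTP id 4D5E6F; Mon, 25 Sep 2006 03:02:01 -0400
From: dave@example.invalid
"""
# "from HELO (rDNS [IP])" as most MTAs write it; rDNS may be "unknown" or absent.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
                    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return (helo, rdns, ip) for each Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m["helo"], m["rdns"] or "", m["ip"]))
    return hops

def check_headers(raw, client_ip):
    """Dave's checks; returns a list of inconsistencies (empty means consistent)."""
    hops = received_hops(raw)
    findings = []
    # 1. A genuine sender's IP appears in brackets inside a Received entry.
    if client_ip not in {ip for _, _, ip in hops}:
        findings.append(f"client IP {client_ip} never appears in brackets in a Received hop")
    # 2. HELO name and reverse DNS of each hop should agree.
    for helo, rdns, ip in hops:
        if rdns in ("", "unknown") or rdns.lower() != helo.lower():
            findings.append(f"hop {ip}: HELO name {helo!r} does not match rDNS {rdns!r}")
    # 3. X-Originating-IP must match the oldest hop, the one nearest the sender.
    m = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    if m and hops and m.group(1) != hops[-1][2]:
        findings.append(f"X-Originating-IP {m.group(1)} differs from originating hop {hops[-1][2]}")
    return findings
```

Run `check_headers(FORGED_MSG, "24.137.9.11")` to see all three inconsistencies reported for the forged sample, while the quoted TSGL header passes clean.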

uminosity wrote:
> I have a buddy who has three computers networked through Roadrunner.   
> Over the past two weeks, he has received notification from Roadrunner 
> that they've gotten reports that spam has been originating from his 
> computer.  They've shut down his account until he can fix it.  Three 
> times now.  (He opens his browser, and the RR security page comes up 
> with the notice, and he can't go anywhere else, but he can get email, 
> talk on AIM or chat on IRC, etc.  He just can't use his browser -- or 
> any browser-- which I think is... odd.)
>
> I've gone over there and checked it out.  I've talked to RR customer 
> service, which, as I'm sure y'all know, also entails spending *hours* on 
> hold and being shuttled from pillar to post.   Also, I've:
>
>     * disabled system restore on each computer
>     * run complete virus scans, and two of them checked out clean
>     * run trojan scans (using trojan hunter), and two of them checked
>       out clean
>     * run hijack this, and two of them checked out clean (well, clean
>       enough--there were a couple of blank buttons and stuff)
>     * run stinger (because RR said to), and two of them checked out clean
>     * made sure their firewall was up (they are using the SP2 firewall)
>     * reinstalled Windows XP back to factory defaults on the third
>       computer (an older one they don't use, but it was crawling with
>       bugs and dialers and trojans, etc., had no AV, and *was* networked
>       in, no matter what, so...), and then I had them just turn it off
>       and unplug it from the wall after the reinstall until I could get
>       back over there (it was late) and load up AVG
>     * rebooted the cable modem and the linksys network
>     * re-enabled system restore with a new restore point
>     * talked to RR and got a clean bill of health and his service was
>       restored
>
> I've done this entire thing *twice*, and the last time was last 
> Thursday.  My buddy calls this morning, and the browser notification is 
> back.  I don't know what to do other than just reformat every single 
> computer, but I worry that this is a sort of Malthusian solution.  OTOH, 
> he works at home, is not computer-savvy at all except for software that 
> he uses in his work (insurance), and this is costing him money and time.
>
> Obviously, I'm not a professional, but I keep a clean machine here at my 
> house, and I don't know what else to try.  Can y'all point me in the 
> right direction? 
>
> Thanks a lot,
>
> Lum
>
>
> _______________________________________________
> Tech Support Guy Mailing List
> http://www.tsgserver.com/list/
>
>   