[CS-FSLUG] How could this be happening
David McGlone
david at dmcentral.net
Tue May 11 20:18:31 CDT 2010
On Tuesday 11 May 2010 20:30:54 Tim Young wrote:
> I have removed a number of spam-sending agencies off Linux computers.
> The majority of them came in through vulnerabilities in web-servers, but
> I have seen them come in through ssh servers and a few other routes.
> Most of them would have been classified as worms, and the others were
> the result of malicious human attackers (script-kitties).
>
> I have also seen ISPs contact people who were sending out spam,
> notifying them that something on their network was doing that. All that
> portion of your sister's report is something I have run into
> previously. Most spam reporting engines blacklist the IP address, not
> email address, but a non-technical user would not really understand the
> difference.
>
> If you happen to have a recent email from her, you could probably look
> at the headers to find the IP address that she has on her computer, and
> plug that IP address into: http://www.mxtoolbox.com/blacklists.aspx If
> she has had that IP address for long enough then you may actually be
> able to see a copy of one or more of the emails being sent out of the
> computer.
>
> Removing a spam-sending agency from a Linux computer is often relatively
> easy, if you can find it. The problem is that it is usually a lot more
> effort than one would expect, and having a non-techie person trying to
> remove it is a real pain. If you can ssh into her computer, then you
> can probably clean it off in no time. But if it is going to be up to
> her to do it, her best bet would be to do a fresh reinstall (making sure
> she updated her computer).
>
> I would treat her request, and the request from Road Runner as being valid.
It was a simple basic install; there was no server software installed, and no
ssh installed.
I just looked at her previous e-mail headers and got the IP and plugged it
into the website you suggested and I have no clue what I'm looking at. Here
are the results:
We notice you are on a blacklist.
Checking 174.101.105.47 against 105 known blacklists...
Listed 7 times with 3 timeouts.

Blacklist      Status   Return codes            TTL    ResponseTime   Reason
BARRACUDA      LISTED   127.0.0.2               675    94
CBL            LISTED   127.0.0.2               3375   94             Blocked
NIXSPAM        LISTED   127.0.0.2               60     296            Spam sent to the mailhost mx.selfip.biz was detected by NiX Spam at Tue, 11 May 2010 22:09:16 +0200
PSBL           LISTED   127.0.0.2               1875   94             Listed in PSBL
SORBS-DUHL     LISTED   127.0.0.10              3375   94             Dynamic IP Addresses
SPAMCOP        LISTED   127.0.0.2               1875   109            Blocked
Spamhaus-ZEN   LISTED   127.0.0.10, 127.0.0.4   675    218
The rest of the page under status says Ok, only the first 7 I included above
say they are listed.
It's possible, since she has a dynamic IP, that the IP that was assigned to her was
blacklisted before she acquired it.
She's hardly ever on her computer and always keeps her modem unplugged when
she's not using the Internet.
--
Blessings,
David M.
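The two steps Tim suggests (pull the sending IP out of the Received: headers, then look it up against the blacklists) and the 127.0.0.x "return codes" in David's paste, worked through as an added example that is not part of the original thread. The message headers, relay names and the offline resolver are constructed for illustration; only the address 174.101.105.47 and the ZEN answer "127.0.0.10, 127.0.0.4" come from the post. The answer-code meanings are the ones Spamhaus documents for zen.spamhaus.org.

```python
"""Reproduce offline what a blacklist checker such as mxtoolbox does for one
address: find the sending IP in the message's Received: headers, turn it into
the reversed-octet DNSBL query name, and decode the 127.0.0.x answer codes
that Spamhaus ZEN returns."""
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample message (not from the original thread).  The relay names
# are placeholders; only the client address 174.101.105.47 comes from the post.
# Received: headers are prepended at each hop, so the bottom one is the first
# hop, i.e. the home connection that handed the mail to the ISP's smarthost.
SAMPLE_MESSAGE = """\
Received: from mx.lists.example (mx.lists.example [192.0.2.25])
\tby lists.example with ESMTP id ABC123; Tue, 11 May 2010 20:18:31 -0500
Received: from smtp-out.isp.example ([192.0.2.10])
\tby mx.lists.example with ESMTP; Tue, 11 May 2010 20:18:20 -0500
Received: from [174.101.105.47] (helo=home-pc)
\tby smtp-out.isp.example with ESMTP; Tue, 11 May 2010 20:18:10 -0500
From: sister@example.net
To: david@example.net
Subject: test

hello
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Answer codes documented for zen.spamhaus.org.  Other DNSBLs reuse 127.0.0.2
# as a plain "listed" flag; SORBS-DUHL uses 127.0.0.10 for dynamic ranges.
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus-maintained spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (CBL data)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: ISP-declared dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained policy range",
}


def first_hop_ip(raw_message):
    """Return the first public IPv4 address walking the Received: chain from
    the bottom (earliest hop) up, or None if no public address is found."""
    msg = message_from_string(raw_message)
    for header in reversed(msg.get_all("Received", [])):
        for candidate in IPV4_IN_BRACKETS.findall(header):
            addr = ipaddress.ip_address(candidate)
            if addr.is_global:          # skip private/TEST-NET relay addresses
                return str(addr)
    return None


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the octets: a.b.c.d -> d.c.b.a.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolve(name):
    """Real lookup; an NXDOMAIN (not listed) surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, zone, resolve=live_resolve, codes=ZEN_CODES):
    """Return [(answer, meaning), ...]; an empty list means 'not listed'."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [(a, codes.get(a, "unknown answer code")) for a in answers]


def assess(answers):
    """Separate 'this is a dynamic range' from 'a host here was seen sending
    spam'.  A PBL hit alone is expected for any home connection; an XBL/SBL
    hit is the part that points at a compromised machine (or, on a dynamic
    address, at whoever held the address when it was observed)."""
    pbl = {"127.0.0.10", "127.0.0.11"}
    return {
        "dynamic_range": any(a in pbl for a in answers),
        "spam_observed": any(a in ZEN_CODES and a not in pbl for a in answers),
    }


def offline_resolve(name):
    # Constructed resolver echoing the ZEN answer shown in the post, so the
    # script runs without network; pass resolve=live_resolve for a real query.
    return ["127.0.0.10", "127.0.0.4"]


if __name__ == "__main__":
    ip = first_hop_ip(SAMPLE_MESSAGE)
    print("first hop:", ip, "->", dnsbl_query_name(ip, "zen.spamhaus.org"))
    for answer, meaning in check(ip, "zen.spamhaus.org", resolve=offline_resolve):
        print(answer, meaning)
    print(assess(offline_resolve("")))
```

Read against the paste above: the 127.0.0.10 answers (SORBS-DUHL, the PBL half of ZEN) only say the address sits in a range the ISP has declared dynamic, which is true of any home cable connection and says nothing about infection. The 127.0.0.4 (XBL/CBL) and the 127.0.0.2 hits from CBL, PSBL and SpamCop record that spam was actually seen coming from that address; with a dynamic address, whether that was this machine or a previous holder is exactly the question the listing timestamps (NiX Spam gives one) help answer.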