[CS-FSLUG] How could this be happening

Tim Young Tim.Young at LightSys.org
Tue May 11 21:15:48 CDT 2010


Hi,
Clicking on details for the various "details" one gets to this URL:
http://cbl.abuseat.org/lookup.cgi?ip=174.101.105.47
It claims that the computer is running a particular spambot:
"This IP is infected (or NATting for a computer that is infected) with 
the rustock spambot."
Looking up that spambot, you find that it is a Windows-based spambot. 
(whew)

That leaves a few different options.
1) It is when she boots into windows that things are sent out.
2) She rebooted her router and got an IP that was previously owned by 
someone having that spambot
3) She has a computer that she is unaware of on her network...  ;)

Again, regardless of whether or not the contact from Roadrunner was sent 
for a valid reason, you should still consider her request as valid.  As 
you mentioned, she wants Linux uninstalled, regardless of whether or not 
the notice from Roadrunner was valid.  If you simply tell her she is a 
fool, she will not trust you, nor your operating system.  If you do 
track down the actual problem or respond in a gentle way, then you may 
be able to regain her trust.  The same goes with Roadrunner.  If you 
yell at them, they will probably not respond.  But when you go through 
the paces of issue verification, you can usually get an apology out of a 
company if they actually did make a mistake.

But, since the issue the blacklist lookup found was on Windows, you 
should at least check out her Windows again.  Since we know the name of 
the spambot, you should be able to google the various ways to know for 
sure if the computer has it.

     - Tim Young

On 5/11/2010 9:18 PM, David McGlone wrote:
> On Tuesday 11 May 2010 20:30:54 Tim Young wrote:
>    
>> I would treat her request, and the request from Road Runner as being valid.
>>      
> It was a simple basic install, there was no server software installed, and no
> ssh installed.
>
> I just looked at her previous e-mail headers and got the IP and plugged it
> into the website you suggested and I have no clue what I'm looking at. Here
> are the results:
>
>    We notice you are on a blacklist.  Click here for some suggestions
>
>
> Checking 174.101.105.47 against 105 known blacklists...
> Listed 7 times with 3 timeouts.
> Blacklist	Status	Reason	TTL	ResponseTime
> BARRACUDA	 LISTED	Detail
> Return codes were: 127.0.0.2	675	94
> CBL	 LISTED	Blocked - see Detail
> Return codes were: 127.0.0.2	3375	94
> NIXSPAM	 LISTED	Spam sent to the mailhost mx.selfip.biz was detected by NiX
> Spam at Tue, 11 May 2010 22:09:16 +0200, see Detail
> Return codes were: 127.0.0.2	60	296
> PSBL	 LISTED	Listed in PSBL, see Detail
> Return codes were: 127.0.0.2	1875	94
> SORBS-DUHL	 LISTED	Dynamic IP Addresses See: Detail
> Return codes were: 127.0.0.10	3375	94
> SPAMCOP	 LISTED	Blocked - see Detail
> Return codes were: 127.0.0.2	1875	109
> Spamhaus-ZEN	 LISTED	Detail
> Return codes were: 127.0.0.10, 127.0.0.4	675	218
>
> The rest of the page under status says Ok, only the first 7 I included above
> say they are listed.
>
> It's possible since she has dynamic IP, the IP that was assigned to her was
> blacklisted before she acquired it.
>
> She's hardly ever on her computer and always keeps her modem unplugged when
> she's not using the Internet.
>    
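The pasted results are raw DNSBL answers: each list is queried by reversing the IP's octets under the list's zone, and a 127.0.0.x A record means "listed", with the last octet carrying the reason. The script below is an added example (not code from this thread or from the lookup site) that builds the query name, parses a pasted table like the one above into per-list return codes, and separates Spamhaus ZEN's "exploited host" evidence (127.0.0.4 through 127.0.0.7, the XBL/CBL data behind the rustock detail) from its dynamic-range policy codes (127.0.0.10 and 127.0.0.11, the PBL, which says nothing about infection and fits the dynamic-IP theory). Assumptions: the ZEN code meanings are the publicly documented ones, SAMPLE_RESULTS is the thread's table re-typed as a constructed input, and the live lookup path uses the standard-library resolver.

```python
"""Interpret multi-DNSBL lookup output like the results pasted in the thread.

Added example, not code from the thread or from the lookup site.
Assumptions (labelled): the Spamhaus ZEN return-code meanings below are the
publicly documented ones; SAMPLE_RESULTS is the thread's table re-typed as a
constructed input; the live lookup uses the stdlib resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Publicly documented Spamhaus ZEN return codes: (component, meaning).
ZEN_CODES = {
    "127.0.0.2": ("SBL", "verified spam source or spam operation"),
    "127.0.0.3": ("SBL", "CSS: low-reputation / snowshoe sender"),
    "127.0.0.4": ("XBL", "exploited host (CBL data, e.g. a spambot infection)"),
    "127.0.0.5": ("XBL", "exploited host"),
    "127.0.0.6": ("XBL", "exploited host"),
    "127.0.0.7": ("XBL", "exploited host"),
    "127.0.0.10": ("PBL", "ISP-declared dynamic/residential range (policy, not infection)"),
    "127.0.0.11": ("PBL", "Spamhaus-maintained dynamic range (policy, not infection)"),
}

# Constructed input: the thread's table re-typed with tab separators and
# the mail client's '> ' quote markers kept, so the parser handles both.
SAMPLE_RESULTS = """\
> Checking 174.101.105.47 against 105 known blacklists...
> Listed 7 times with 3 timeouts.
> Blacklist\tStatus\tReason\tTTL\tResponseTime
> BARRACUDA\t LISTED\tDetail
> Return codes were: 127.0.0.2\t675\t94
> CBL\t LISTED\tBlocked - see Detail
> Return codes were: 127.0.0.2\t3375\t94
> NIXSPAM\t LISTED\tSpam sent to the mailhost mx.selfip.biz was detected by NiX
> Spam at Tue, 11 May 2010 22:09:16 +0200, see Detail
> Return codes were: 127.0.0.2\t60\t296
> PSBL\t LISTED\tListed in PSBL, see Detail
> Return codes were: 127.0.0.2\t1875\t94
> SORBS-DUHL\t LISTED\tDynamic IP Addresses See: Detail
> Return codes were: 127.0.0.10\t3375\t94
> SPAMCOP\t LISTED\tBlocked - see Detail
> Return codes were: 127.0.0.2\t1875\t109
> Spamhaus-ZEN\t LISTED\tDetail
> Return codes were: 127.0.0.10, 127.0.0.4\t675\t218
"""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, zone: str,
           resolver: Optional[Callable[[str], List[str]]] = None) -> List[str]:
    """Return the sorted 127.0.0.x codes for ip in zone; [] means not listed."""
    if resolver is None:
        def resolver(name: str) -> List[str]:  # live DNS; NXDOMAIN -> not listed
            try:
                return socket.gethostbyname_ex(name)[2]
            except socket.gaierror:
                return []
    return sorted(set(resolver(dnsbl_query_name(ip, zone))))


def parse_results(text: str) -> Dict[str, List[str]]:
    """Parse tab-separated 'LISTED' lines paired with 'Return codes were:' lines.

    Leading '> ' quote markers are stripped; wrapped reason lines (like the
    NiX Spam continuation) carry no LISTED field and are ignored.
    """
    listed: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        fields = line.split("\t")
        if len(fields) >= 2 and fields[1].strip() == "LISTED":
            current = fields[0].strip()
            listed.setdefault(current, [])
        elif line.startswith("Return codes were:") and current is not None:
            codes_field = line[len("Return codes were:"):].split("\t")[0]
            listed[current] = [c.strip() for c in codes_field.split(",") if c.strip()]
            current = None
    return listed


def assess_zen(codes: List[str]) -> Dict[str, object]:
    """Separate 'host is exploited' evidence from dynamic-range policy listings."""
    components = {ZEN_CODES[c][0] for c in codes if c in ZEN_CODES}
    return {
        "exploited_host": "XBL" in components,
        "policy_only": components == {"PBL"},
        "reasons": [f"{c}: {ZEN_CODES[c][1]}" if c in ZEN_CODES
                    else f"{c}: undocumented code" for c in codes],
    }


if __name__ == "__main__":
    print(dnsbl_query_name("174.101.105.47", "zen.spamhaus.org"))
    for name, codes in parse_results(SAMPLE_RESULTS).items():
        print(f"{name}: {', '.join(codes)}")
    print(assess_zen(parse_results(SAMPLE_RESULTS)["Spamhaus-ZEN"]))
```

Run as-is it only works on the constructed sample; pass a real address and zone to `lookup()` to query a list live. The distinction the script draws is the one that matters for the triage in the thread: a PBL or DUHL hit (127.0.0.10) is expected for any home dynamic range and would survive a router reboot, whereas an XBL hit (127.0.0.4) is evidence that something behind that address was observed sending spam recently, which is worth checking on whichever machine was online at the time.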
