[CS-FSLUG] How could this be happening

David McGlone david at dmcentral.net
Tue May 11 20:18:31 CDT 2010

On Tuesday 11 May 2010 20:30:54 Tim Young wrote:
> I have removed a number of spam-sending agencies off Linux computers.
> The majority of them came in through vulnerabilities in web-servers, but
> I have seen them come in through ssh servers and a few other routes.
> Most of them would have been classified as worms, and the others were
> the result of malicious human attackers (script-kiddies).
> I have also seen ISPs contact people who were sending out spam,
> notifying them that something on their network was doing that.  All that
> portion of your sister's report is something I have run into
> previously.  Most spam reporting engines blacklist the IP address, not
> email address, but a non-technical user would not really understand the
> difference.
> If you happen to have a recent email from her, you could probably look
> at the headers to find the IP address that she has on her computer, and
> plug that IP address into: http://www.mxtoolbox.com/blacklists.aspx  If
> she has had that IP address for long enough then you may actually be
> able to see a copy of one or more of the emails being sent out of the
> computer.
> Removing a spam-sending agency from a Linux computer is often relatively
> easy, if you can find it.  The problem is that it is usually a lot more
> effort than one would expect, and having a non-techie person trying to
> remove it is a real pain.  If you can ssh into her computer, then you
> can probably clean it off in no time.  But if it is going to be up to
> her to do it, her best bet would be to do a fresh reinstall (making sure
> she updated her computer).
> I would treat her request, and the request from Road Runner as being valid.

It was a simple basic install, there was no server software installed, and no 
ssh installed.

I just looked at her previous e-mail headers and got the IP and plugged it 
into the website you suggested and I have no clue what I'm looking at. Here 
are the results:

  We notice you are on a blacklist.  Click here for some suggestions

Checking against 105 known blacklists...
Listed 7 times with 3 timeouts.
Blacklist	Status	Reason	TTL	ResponseTime
Return codes were:	675	94
CBL	 LISTED	Blocked - see Detail
Return codes were:	3375	94
NIXSPAM	 LISTED	Spam sent to the mailhost mx.selfip.biz was detected by NiX 
Spam at Tue, 11 May 2010 22:09:16 +0200, see Detail
Return codes were:	60	296
PSBL	 LISTED	Listed in PSBL, see Detail
Return codes were:	1875	94
SORBS-DUHL	 LISTED	Dynamic IP Addresses See: Detail
Return codes were:	3375	94
SPAMCOP	 LISTED	Blocked - see Detail
Return codes were:	1875	109
Spamhaus-ZEN	 LISTED	Detail
Return codes were:	675	218

The rest of the page under status says Ok, only the first 7 I included above 
say they are listed.

It's possible, since she has a dynamic IP, that the IP that was assigned to her was 
blacklisted before she acquired it.

She's hardly ever on her computer and always keeps her modem unplugged when 
she's not using the Internet.
David M.
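Tim's suggestion (pull the sending IP out of the message headers and look it up) is exactly what the mxtoolbox page does behind the scenes: a DNSBL is a DNS zone, the IPv4 octets are reversed and prepended to the zone name, and an A record in 127.0.0.0/8 means "listed", with the last octet telling you which sub-list. The script below is an added example, not code from the original thread or from mxtoolbox: it extracts the originating address from the earliest Received: header of a constructed sample message, builds the query names for zones that correspond to the lists named in the output above (zone names are an assumption to verify against each operator's documentation), and decodes Spamhaus ZEN answer codes. The DNS answers are a constructed table so it runs offline; swap in the live resolver to query for real.

```python
import ipaddress
import re
import socket
from email import message_from_string
from typing import Callable, Dict, List, Optional

# Constructed sample message for this example (not from the original thread).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id 1ABC;"
    " Tue, 11 May 2010 22:09:16 +0200\n"
    "Received: from [198.51.100.77] (helo=home-pc)\n"
    "\tby mx.example.net with smtp (Exim 4.69);"
    " Tue, 11 May 2010 22:09:10 +0200\n"
    "From: someone@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# DNSBL zones for the lists named in the mxtoolbox output. Assumed from the
# operators' public documentation; verify before relying on them.
ZONES = {
    "Spamhaus-ZEN": "zen.spamhaus.org",
    "CBL": "cbl.abuseat.org",
    "SPAMCOP": "bl.spamcop.net",
    "PSBL": "psbl.surriel.com",
    "NIXSPAM": "ix.dnsbl.manitu.net",
    "SORBS-DUHL": "dul.dnsbl.sorbs.net",
}

# Spamhaus ZEN answer codes (127.0.0.x). PBL codes describe address policy
# (end-user/dynamic space); XBL codes come from observed abusive connections.
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source or spam operation",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL (CBL data): exploited host, open proxy or worm",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-maintained end-user range (policy listing)",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range (policy listing)",
}

# Constructed DNS answers standing in for a live lookup (assumption, not data
# from the thread). Anything not in the table resolves as NXDOMAIN.
FAKE_ANSWERS = {
    "77.100.51.198.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "77.100.51.198.cbl.abuseat.org": ["127.0.0.2"],
    "77.100.51.198.dul.dnsbl.sorbs.net": ["127.0.0.10"],
}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
Resolver = Callable[[str], List[str]]


def originating_ip(raw_message: str) -> Optional[str]:
    """IPv4 address from the earliest Received: header, or None.

    Each hop prepends its own Received: line, so the last one in the header
    block is the first hop: the client that handed the message to the first
    MTA. That is the address a DNSBL would have recorded.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = IPV4_IN_BRACKETS.search(received[-1])
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(match.group(1)))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name: str) -> List[str]:
    """A records via the system resolver; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for live_resolver using the constructed table."""
    return FAKE_ANSWERS.get(name, [])


def check_ip(ip: str, zones: Dict[str, str],
             resolver: Resolver = live_resolver) -> Dict[str, List[str]]:
    """Map each list label to its answer codes (empty list = not listed)."""
    return {label: resolver(dnsbl_name(ip, zone)) for label, zone in zones.items()}


def explain_zen(codes: List[str]) -> List[str]:
    """Translate ZEN answer codes into the sub-list they come from."""
    return [ZEN_CODES.get(c, "unknown code " + c) for c in codes]


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_HEADERS)
    print("originating IP:", ip)
    for label, codes in check_ip(ip, ZONES, fake_resolver).items():
        detail = explain_zen(codes) if label == "Spamhaus-ZEN" else codes
        print(label, "LISTED" if codes else "Ok", detail)
```

The answer code matters for the question David is asking: a PBL or SORBS-DUHL entry is a policy listing of dynamic/end-user address space and says nothing about the particular machine currently holding the address, whereas XBL/CBL and SpamCop entries are generated from connections actually observed from that address, with a timestamp on the list operator's detail page that can be compared against when the address was assigned.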
