Author Topic: SpamBot Virus?  (Read 7177 times)


Offline George Richardson

SpamBot Virus?
« on: May 15, 2009, 03:48:27 PM »
This has no place on a Weather WebSite, but if I don't get it fixed the boss won't let me play!

While I can't prove it, I expect the boss downloaded some crap installing a very bad spamBot (Cutwail spamBOT) on her computer and thus the network. We have been Black Listed by spamhaus.org (138.210.10.240)

None of my computers show any infection with Norton or Malwarebytes but we must be.

The reason for this post: does anyone know how to block outgoing mail on port 25 on a Linksys WRT54G router? Some things I have read say this will solve the problem.

Any help will be greatly appreciated.

George

Offline ncpilot

Re: SpamBot Virus?
« Reply #1 on: May 15, 2009, 11:17:22 PM »
Darn, no responses yet?

Earlier today I looked at the manual for the router on-line, and it's kinda tough to see how to block the port without hands-on. I've got a Dlink, but have worked on Linksys routers--I find the Linksys interface to be really hard to use compared to the Dlink.

If you block port 25, I think that will knock out your email completely. I read that there may be ways to only allow certain programs to use the port, but didn't really see a good set of instructions.

I also found suggestions that Microsoft's malware remover (the one they make available with auto updates) might get rid of that bot...
Marc
Wilmington, NC
"Monkey Junction Weather"
Davis VP2 wireless, WeatherLink

Offline George Richardson

Re: SpamBot Virus?
« Reply #2 on: May 16, 2009, 07:18:29 AM »
Marc,
I've done something and been "delisted" but I'm not sure it's because I've gotten it solved or just because her computer has been shut down.

Got a ShinDig today so will be out. If I'm still good when I get home tonight I'll let you know how and what.

If anyone else KNOWS what I should do, don't be shy!

Thanks

George

Offline W Thomas

Re: SpamBot Virus?
« Reply #3 on: May 16, 2009, 07:47:29 AM »
I have been in similar situations where I had to change the submission port in my individual email clients. Back when I had Comcast they decided I was a spammer because I moved a lot of data in a day's time. I told them the reasoning behind that but they still considered me a spammer.

I changed the mail submission port from the standard 25 to port 26 I believe. In Thunderbird depending on the mail server you may get a Security Mismatch pop up but it's easily gotten through. I would think that if you block network traffic on port 25 you would totally alter your email availability.

No matter how much protection you have there is still no better preventative than "Sensible Browsing" and if it's like my work place you have a full time job just getting that through to the users! About once a month I have a cleaning and inoculation of several computers in the building! I feel like the Department of Health sometimes ](*,)

Good Luck


     Best Regards
     Wayne

CWOP CW8217
KVAWHITE22 Wunderground   Davis VUE &  Davis Vantage Pro 2  /   Dedicated Server
GR Level 3 ,Level 2 AE Radars  Weather Display 10.37P  Mid Atlantic Weather Network Member
SkyWarn & Spotter Network 6092

Offline George Richardson

Re: SpamBot Virus?
« Reply #4 on: May 16, 2009, 08:05:51 PM »
I hate to type, but here goes. The Boss must have picked up a spamBot virus. Her computer apparently was sending spam crap all over the world. We have Norton antivirus on all 5 of our networked computers. A virus called cutwail spamBot somehow got through our protection. We discovered this when spamhaus.org blacklisted our IP. We read all (most) of their How to get rid of the problem information. We ran Norton full system scan, Microsoft Malicious Software Removal Tool, and Malwarebytes' Anti-Malware on all 5 computers. Nothing showed up so we requested to be de Blacklisted. 30 minutes later we were off the BL! 3 hours later we were back on. Seems none of our anti virus scans found the cutwail. What to do?

Spamhaus.org's Composite Blocking List says "If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers. Please see our recommendations on NAT firewalls" Everything says block OUTBOUND port 25 but nothing says how. I run a Linksys WRT54G wireless router and this is how I THINK I did it.

Use your browser to log into your router. Tab to Access Restrictions. In the Blocked Services section there are 2 drop down menus with "None" in them. In the top menu select SMTP and port 25 will default. Get out and we were good (So Far!) At this point I Hope this blocked outgoing port 25!

To Summarize:

1) Even with an anti virus software you can get infected.

2) We did not know our situation until we were prevented from sending email (Black Listed) by somebody known as spamhaus.org!

3) To clean up the mess can be a BITCH!

I truly hope this doesn't help any of you, that is, I hope you don't get into this mess.

George
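
Added example, not part of George's post or of the CBL text he quotes: when scans find nothing, the gateway's outbound connection log can show which LAN machine is the one opening port 25 connections. The log format, host addresses and the function name smtp_talkers are assumptions constructed for illustration; a real router's or firewall's log lines will differ and the regex has to be adapted.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed syslog-like format (not the WRT54G's own
# log format). Addresses are from private/documentation ranges.
SAMPLE_LOG = """\
May 16 20:01:02 gw OUT TCP 192.168.1.10:50211 -> 198.51.100.25:25
May 16 20:01:05 gw OUT TCP 192.168.1.11:50300 -> 203.0.113.200:443
May 16 20:01:09 gw OUT TCP 192.168.1.23:1045 -> 203.0.113.14:25
May 16 20:01:09 gw OUT TCP 192.168.1.23:1046 -> 192.0.2.77:25
May 16 20:01:10 gw OUT TCP 192.168.1.23:1047 -> 198.51.100.9:25
May 16 20:01:10 gw OUT TCP 192.168.1.23:1048 -> 203.0.113.80:25
May 16 20:02:30 gw OUT TCP 192.168.1.10:50212 -> 198.51.100.25:25
May 16 20:03:00 gw OUT TCP 192.168.1.11:50301 -> 198.51.100.25:587
"""

LINE_RE = re.compile(
    r"OUT TCP (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

def smtp_talkers(log_text, allowed_mail_servers=frozenset(), min_destinations=3):
    """Map each LAN host to the distinct remote hosts it contacted on TCP/25.

    Hosts in allowed_mail_servers are skipped, and a host is reported only if
    it reached at least min_destinations different servers: a mail client
    talks to one relay, a spambot delivers directly to many.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("dport") != "25":
            continue
        if m.group("src") in allowed_mail_servers:
            continue
        seen[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in seen.items()
            if len(dsts) >= min_destinations}

if __name__ == "__main__":
    for host, dests in smtp_talkers(SAMPLE_LOG).items():
        print(f"{host}: {len(dests)} distinct port-25 destinations: {dests}")
```

The allowed_mail_servers set plays the role of "your real mail servers" in the CBL wording: any other LAN host that shows up here is the machine to take off the network and examine.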

Offline DanS

Re: SpamBot Virus?
« Reply #5 on: May 16, 2009, 09:29:51 PM »
George,
Thanks for that information. I too run a (smaller, 3 computer) network using a WRT54GL and see in its menu where you're talking about. I'll keep this on file if/when the need arises.
Regards,

Dan

p.s. your boss going to give you a promotion now for all this crap you had to go through?  :roll:

Offline W Thomas

Re: SpamBot Virus?
« Reply #6 on: May 16, 2009, 11:16:30 PM »
Glad you've got everything under control from this mess!
It's a shame with all the firewall and AV protection one has that you can still get infected!

I'm with Dan after clearing up this you deserve a promotion of some sort!


     Best Regards
     Wayne

CWOP CW8217
KVAWHITE22 Wunderground   Davis VUE &  Davis Vantage Pro 2  /   Dedicated Server
GR Level 3 ,Level 2 AE Radars  Weather Display 10.37P  Mid Atlantic Weather Network Member
SkyWarn & Spotter Network 6092

Offline George Richardson

Re: SpamBot Virus?
« Reply #7 on: May 17, 2009, 07:20:34 PM »
Well, it stayed good for 40 hours. I found an email address, to which I sent a warm note. If I don't pay my IP I understand being cut off, but that someone somewhere has the power to kill my paid-for emailing privileges because they claim I'm doing something that I can't replicate is just too much.

If I didn't hate typing so much I'd shoot some gripes to my congressman. Who does control the internet anyway?

Offline racenet

Re: SpamBot Virus?
« Reply #8 on: May 17, 2009, 10:34:02 PM »
Who does control the internet anyway?

In reality, no one does. It is a beast of its own. If anyone says they do control it, they are lying.  ;)

www.theamericanflagstore.com - The American Flag Store



www.nhweatherdata.com - NH Weather Data

Offline ncpilot

Re: SpamBot Virus?
« Reply #9 on: May 17, 2009, 11:12:46 PM »
Al Gore? Didn't he invent it??
Marc
Wilmington, NC
"Monkey Junction Weather"
Davis VP2 wireless, WeatherLink

Offline racenet

Re: SpamBot Virus?
« Reply #10 on: May 18, 2009, 11:12:10 AM »
Al Gore? Didn't he invent it??

LOL

I should have known that one would pop up.  ;)

LOL
www.theamericanflagstore.com - The American Flag Store



www.nhweatherdata.com - NH Weather Data

Offline Anole

Re: SpamBot Virus?
« Reply #11 on: May 18, 2009, 11:54:24 AM »
So all your scans show no infections? Do you have a way to pull the disks from the machine and scan them using another computer to be certain that there actually is an infection?

One of the things that can cause a false-positive is a machine or firewall that is creating backscatter (i.e., bouncing the spam messages back to the indicated sender). The CBL detects that as spam since the contents of the message are spam. Bouncing spam back serves no purpose since the sender listed didn't actually send it to start with. It just wastes more bandwidth. I've seen this happen a couple of times on networks with a firewall appliance that has a bounce back feature.

Offline George Richardson

Re: SpamBot Virus?
« Reply #12 on: May 18, 2009, 05:10:07 PM »
Well, a lot more cursing. A lot more reading words and acronyms I have no idea what they mean. My rear feels like I ate half the hot peppers in Mexico yesterday but since I didn't, I guess it's just from all the smoke blown up my .... Oh well. I just wish I could understand WHY. Do people actually send these guys real money? OK, Status report. I called everyone whose telephone number I could find. The only difference between them and me is I don't get paid for not knowing JACK! I did find an email address of one of my tormentors and spent about an hour typing a three sentence query. The kicker was that after all that sweat, blood and tears this request form defaulted to Microsoft Outlook Express which I don't have on my computer. I guess they assume that anyone that gets a virus must be using a Microsoft product. Probably 99% true. Got a reply that said again that it was MY Responsibility to block port 25.
Finally got on a Linksys chat help line that didn't throw me off because I wouldn't go to the basement, break out the 8 foot stepladder, flashlight and other climbing gear to get them a serial number. Linksys said I had correctly blocked the port but the firmware was a very old version and I had to upgrade. It's done. We'll see.

 
