View Full Version : Dangerous E-mails


Keef
21st Jan 2015, 13:35
I've noticed a sudden increase in the number of bogus invoices, account statements and the like - all looking as if they could be genuine (but from firms I've never dealt with). From none over several months, I'm now receiving a dozen or so each day, to various different addresses including some that have hitherto not been spammed.

Most contain attachments that are either Word documents or Excel spreadsheets, with hostile macros which I'm sure would run and enrol my PC in a Botnet or worse. I've not tested that bit.

Time to check the anti-virus is working, and to be extra careful, methinks.
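An added check for the kind of attachment described above (not code from the original post): modern Word and Excel files are zip containers, and a macro-enabled one carries a vbaProject.bin part whatever name or extension the sender gives it. The script below builds two constructed stand-in documents in memory so it runs offline; the part names are the standard OOXML locations, and legacy .doc/.xls files are OLE2 rather than zip and would need a different parser.

```python
import io
import zipfile

# Where the VBA project lives inside a macro-enabled OOXML container. The part is
# the same whether the file is called invoice.docm or has been renamed invoice.docx.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
NON_MACRO_EXT = (".docx", ".xlsx", ".pptx")  # formats that should never carry VBA


def find_vba_parts(data: bytes) -> list:
    """Return the VBA project parts found inside an OOXML attachment (empty if none)."""
    if not data.startswith(b"PK\x03\x04"):
        return []  # not a zip: legacy OLE2 .doc/.xls need an OLE parser instead
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []  # truncated or fake zip; treat as "nothing recognisable" here
    return [p for p in VBA_PARTS if p in names]


def assess(filename: str, data: bytes) -> str:
    """Classify an attachment by content, then compare with the claimed extension."""
    if not find_vba_parts(data):
        return "no-vba"
    if filename.lower().endswith(NON_MACRO_EXT):
        # .docm content mislabelled as .docx: the extension was chosen to look harmless
        return "vba-behind-non-macro-extension"
    return "macro-enabled"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal stand-in for a Word attachment (not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # real vbaProject.bin is an OLE2 stream; the magic bytes are enough for the demo
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("statement.docx", build_sample(False)),
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(True)),
    )
    for name, blob in samples:
        print(name, "->", assess(name, blob))
```

The point of checking the container rather than the extension is that a mail gateway rule on "*.docm" is trivially bypassed by renaming; the vbaProject.bin part is the thing the macro engine actually loads.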

Airclues
21st Jan 2015, 13:52
I have received several e-mails from amazon.com saying that there has been unusual activity on my account and that I must log in to avoid my account being terminated. The only problem is that I don't have an amazon.com account.

Guest 112233
21st Jan 2015, 14:10
I have covered my experiences on another thread here, but likewise I have received some e-mails from a variety of sources where I have had no previous contact.

I checked with the MXToolbox site and my IP address was associated with spam by an organisation. I have had to reset my e-mail access password with my provider and I am monitoring the situation for further developments.

This is a recent event and I am as careful as anyone in this respect.

CAT III

cockney steve
29th Jan 2015, 18:31
Today, I had "HMRC. NO REPLAY "
Yep, they got the last bit right!

Youngest son worked for a couple of major ISPs, working in/running their abuse department. His job was to trap and trace spambots and malware. He often had flat denials from the machine owners and delighted in repeating verbatim the most salacious and pornographic adverts their machine was sending..... He then said, "I will give you 24 hours to get your machine cleaned; after that, your Internet connection WILL be terminated and you will be barred from all UK ISPs."
AFAIK, he never had to terminate anybody.

mixture
29th Jan 2015, 22:21
My IP address was associated with spam by an organisation. I have had to reset my e-mail access password with my provider and I am monitoring the situation for further developments.

YOUR IP address associated with spam ?

You've got a bit more to do than simply resetting your email password my friend ! :eek:

Guest 112233
31st Jan 2015, 13:51
I have contacted my ISP to get my router's external IP address changed (I think you can do this by leaving the router off for a few days, allowing the lease to lapse).

The E mail passwords were not compromised (but I changed them anyway).

Reinstalled Linux from scratch x 2 and reconfigured it; router password changed and strengthened; ISP e-mail password changed and strengthened. As a measure against a rootkit on Linux. Yes, they do exist.

Win 8.1 reinstalled from my original USB created at initial install (a pain). The anti-virus checks (ESET, Norton etc.) were all negative.

The listings where I was blacklisted were spamhaus.org and SORBS (dnsbl.sorbs.net; details at http://whatismyipaddress.com/blacklist/sorbs). Obviously I have no connection with this site, but as a precaution give it a go. Try the Blacklist Check here: http://whatismyipaddress.com/blacklist-check

Edit: So far I have had no e-mails bounced, but I am acting on the side of caution.

CAT III

mixture
31st Jan 2015, 16:20
spamhaus.org

If you made it into Spamhaus then it's pretty much guaranteed you were really sending out spam. Spamhaus are very well respected and have an incredibly low false-positive rate (in fact I've seen no false positives caused by Spamhaus, and that's on various busy mail servers where a Spamhaus data feed subscription is in place). They take their work very seriously and as far as possible they aim to manually review anything that's borderline before it gets into their database.

The only exception to that is if you were on the one specific Spamhaus feed that is a list of ISP broadband connections which is used as a guidance list to flag up possibly suspicious mails, rather than a specific spam filtering list.

SORBS are not bad either; they've been around a while, but Spamhaus beats most lists hands down for quality and low false positives.

But I digress, enough about spam filtering lists, good to hear you did the right thing and re-installed from scratch.

Guest 112233
31st Jan 2015, 18:58
I'm having a look with EtherApe on a regular basis just to be on the safe side.

CAT III

Guest 112233
31st Jan 2015, 21:28
I'm on OpenDNS and have been for the last 12 months.

Thank you for the advice.

OK, a warning for all. I've done a chase-up re Spamhaus. Not good:

" ***.***.***.** is listed in the PBL, in the following records:

"It is the policy of * that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to * customers."

A warning to all.

Mike-Bracknell
1st Feb 2015, 17:15
If you made it into Spamhaus then it's pretty much guaranteed you were really sending out spam. Spamhaus are very well respected and have an incredibly low false-positive rate (in fact I've seen no false positives caused by Spamhaus, and that's on various busy mail servers where a Spamhaus data feed subscription is in place). They take their work very seriously and as far as possible they aim to manually review anything that's borderline before it gets into their database.

The only exception to that is if you were on the one specific Spamhaus feed that is a list of ISP broadband connections which is used as a guidance list to flag up possibly suspicious mails, rather than a specific spam filtering list.

SORBS are not bad either; they've been around a while, but Spamhaus beats most lists hands down for quality and low false positives.

But I digress, enough about spam filtering lists, good to hear you did the right thing and re-installed from scratch.

Spamhaus is 'alright', but certainly not as high as you claim. I have to clean false positives from them roughly once every quarter. They are better than SORBS though. UCEPROTECT is another good one. My filters are set to check 10 of the top RBLs and discard if there are 2 or more hits anyway. SpamAssassin deals with the rest. (You can see what I spend a large amount of my time doing.)

Anyone wanting to check themselves out could do worse than checking with the Anti-Abuse Project's Multi-RBL Check (http://www.anti-abuse.org/multi-rbl-check/).

Today, I had "HMRC. NO REPLAY "
Yep, they got the last bit right!
This one started last Thursday, and we had a few hits. I wrote a custom rule to get rid of them, but within an hour they were in the RBLs and SpamAssassin updates.

FWIW, I think on Thursday a major botnet was halted, as we saw a dramatic reduction in spam (like 75% down). We've seen a lot less spam in January than we did in Nov/Dec anyway.

mixture
1st Feb 2015, 22:51
" ***.***.***.** is listed in the PBL, in the following records:

"It is the policy of * that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to * customers."

Indeed PBL is the guidance list I mentioned.

And it's a very good thing that home users are blocked from sending email from their own servers...... for the very reason you've just demonstrated to us: such users are prone to exploits making spam-sending zombies out of their computers. :cool:

I have to clean false positives from them roughly once every quarter.

Is that on sites where you take an rsync feed from Spamhaus?

If you're using their public DNS service, then you may be inadvertently caching somewhere along the line.... either in your DNS resolvers or your anti-spam software.

rsync users get updates every 60 seconds, so even modest caching of their public DNS service could be what's causing your false positives.

Mike-Bracknell
2nd Feb 2015, 11:26
Is that on sites where you take an rsync feed from Spamhaus?

If you're using their public DNS service, then you may be inadvertently caching somewhere along the line.... either in your DNS resolvers or your anti-spam software.

rsync users get updates every 60 seconds, so even modest caching of their public DNS service could be what's causing your false positives.

It's public DNS, but I've had them on the list for more than 24 hrs straight and my filters reload their cache daily.

mixture
2nd Feb 2015, 14:27
Also, Mike, might be worth ensuring your return code checks are up to date? There was a point in time where certain redirectors such as bit.ly got caught up in Spamhaus, but they've made various changes and added extra return codes now.

Not defending Spamhaus, I use other resources in conjunction with theirs; I'm genuinely surprised to hear about your false-positive rates!
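An added example, not from any poster in this thread, that ties together the blacklist checks mentioned earlier, the "discard on 2 or more hits" policy, and the return-code point above: a DNSBL query reverses the IP's octets under the list's zone, and the A record that comes back (if any) is the verdict, so a filter has to decode that record rather than treat "any answer" as a listing. The resolver is pluggable: DEMO_TABLE is a constructed set of answers for TEST-NET addresses so the script runs offline, and live_resolver does a real lookup via the system resolver. The Spamhaus answer codes are as I recall them from Spamhaus's published table and should be checked against the current documentation; the UCEPROTECT zone name is assumed, the other two are the ones named in the thread.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None on NXDOMAIN

# Spamhaus ZEN answer codes (from their published table; verify against current docs).
# 127.255.255.0/24 is an error signal, never a listing: counting it as a hit is a
# classic source of false positives.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe range",
    "127.0.0.4": "XBL: exploited host (bot, open proxy)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.9": "SBL: DROP / hijacked range",
    "127.0.0.10": "PBL: ISP end-user range (policy, not spam evidence)",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range (policy, not spam evidence)",
}
POLICY_CODES = {"127.0.0.10", "127.0.0.11"}
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query refused: sent via a public/open resolver",
    "127.255.255.255": "query refused: excessive query volume",
}

# Zones named in the thread plus UCEPROTECT level 1 (assumed zone name).
ZONES = ["zen.spamhaus.org", "dnsbl.sorbs.net", "dnsbl-1.uceprotect.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 checked against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(zone: str, answer: Optional[str]) -> str:
    """Turn one DNSBL answer into 'clean', 'listed', 'policy' or 'error'."""
    if answer is None:
        return "clean"
    if answer.startswith("127.255.255."):
        return "error"  # Spamhaus error range: a problem with the query, not the IP
    if not answer.startswith("127."):
        return "error"  # DNSBLs answer inside 127/8; anything else is a wildcard or hijack
    if zone == "zen.spamhaus.org":
        if answer in POLICY_CODES:
            return "policy"
        if answer not in SPAMHAUS_CODES:
            return "error"  # unknown code: the local table is stale, do not guess
    return "listed"


def check_ip(ip: str, zones, resolve: Resolver, threshold: int = 2, count_policy: bool = False):
    """Query every zone and apply a 'discard on N or more listings' policy.

    PBL (policy) answers count only when count_policy is set, i.e. for mail that
    arrived direct-to-MX without SMTP authentication.
    Returns (verdict, zones_that_hit, {zone: (status, raw_answer)}).
    """
    results: Dict[str, tuple] = {}
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        status = classify(zone, answer)
        results[zone] = (status, answer)
        if status == "listed" or (status == "policy" and count_policy):
            hits.append(zone)
    verdict = "discard" if len(hits) >= threshold else "accept"
    return verdict, hits, results


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answers for TEST-NET addresses (RFC 5737), so the demo runs offline.
DEMO_TABLE = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.10",       # home broadband range: PBL only
    "20.2.0.192.zen.spamhaus.org": "127.0.0.4",        # infected host: XBL
    "20.2.0.192.dnsbl.sorbs.net": "127.0.0.6",         # ...and SORBS agrees
    "30.2.0.192.zen.spamhaus.org": "127.255.255.254",  # error answer, not a listing
}


def stub_resolver(table: Dict[str, str]) -> Resolver:
    return lambda name: table.get(name)


if __name__ == "__main__":
    resolve = stub_resolver(DEMO_TABLE)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        verdict, hits, results = check_ip(ip, ZONES, resolve)
        print(ip, verdict, hits, results)
```

Two things worth noticing in the demo: 192.0.2.10 is only in the PBL, which says "this is a consumer range" rather than "this sent spam", so it is accepted unless the filter is told the message came direct-to-MX; and 192.0.2.30 gets a 127.255.255.x answer, which a filter that just tests "did I get an A record" would wrongly score as a listing.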

Guest 112233
2nd Feb 2015, 20:40
Have OpenDNS servers been compromised, even on a temporary basis, or have blocks of IP addresses been impersonated?

Re the earlier posting of a botnet having been brought down last week?

I'm carefully checking my limited e-mail contact list to see if there have been any problems; Gmail is not the culprit at this stage.

CAT III

mixture
2nd Feb 2015, 21:51
Have OpenDNS servers been compromised, even on a temporary basis, or have blocks of IP addresses been impersonated?

Not sure about compromised, would need to do a little research.

Impersonation of IP blocks is trivial if you can put the right pieces together, but there are ways and means to minimise the impact.

Re the earlier posting of a botnet having been brought down last week?

One of the biggest uses of botnets is launching DDoS attacks, and one very popular form of attack is DNS reflection.

So whilst perhaps not compromised as such, I'm sure OpenDNS see and have seen their fair share of DDoS attacks.

Mike-Bracknell
3rd Feb 2015, 15:14
Not sure about compromised, would need to do a little research.

Impersonation of IP blocks is trivial if you can put the right pieces together, but there are ways and means to minimise the impact.

One of the biggest uses of botnets is launching DDoS attacks, and one very popular form of attack is DNS reflection.

So whilst perhaps not compromised as such, I'm sure OpenDNS see and have seen their fair share of DDoS attacks.

Google DNS was the target of a very strange 'attempt' at DoS last week. Users would have seen blank web pages and a strange self-signed SSL cert.