Dangerous E-mails
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Dangerous E-mails
I've noticed a sudden increase in the number of bogus invoices, account statements and the like - all looking as if they could be genuine (but from firms I've never dealt with). From none over several months, I'm now receiving a dozen or so each day, to various different addresses including some that have hitherto not been spammed.
Most contain attachments that are either Word documents or Excel spreadsheets, with hostile macros which I'm sure would run and enrol my PC in a Botnet or worse. I've not tested that bit.
Time to check the anti-virus is working, and to be extra careful, methinks.
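The macro-laden invoices described above can be triaged without opening them in Office. The following is an added example, not code from this thread or from any product mentioned in it: it treats a .docx/.xlsm attachment as the OOXML zip package it is, looks for the standard vbaProject.bin part and the vbaProject content type, and flags a mismatch between the file extension and what the package actually contains. The sample packages and filenames are constructed here for illustration; the vbaProject.bin bytes are a placeholder, not a real VBA stream.

```python
import io
import zipfile

# Standard OOXML part names that hold a VBA project; a plain .docx/.xlsx
# package should not contain any of them.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls header
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by its bytes, not its name, and say why it is suspicious."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"name": filename, "kind": "other", "has_vba": False,
              "suspicious": False, "reason": ""}
    if data.startswith(OLE_MAGIC):
        # Legacy compound files can carry macros with no hint in the name;
        # parsing their OLE streams is beyond this example, so treat as untrusted.
        result.update(kind="ole-legacy", suspicious=True,
                      reason="legacy binary Office format; macros cannot be ruled out")
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        result.update(kind="bad-zip", suspicious=True,
                      reason="zip header but not a valid package")
        return result
    result["kind"] = "ooxml"
    vba_parts = sorted(VBA_PARTS & names)
    if vba_parts or VBA_CONTENT_TYPE in ctypes:
        result["has_vba"] = True
        result["suspicious"] = True
        part = vba_parts[0] if vba_parts else "content type only"
        if ext in MACRO_EXTENSIONS:
            result["reason"] = f"macro-enabled document ({part})"
        else:
            # A .docx/.xlsx carrying a VBA project is either mislabelled or
            # deliberately disguised; either way it deserves a closer look.
            result["reason"] = f"extension {ext or '(none)'} hides a VBA project ({part})"
    return result


def build_package(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean document and a macro-carrying workbook.
CLEAN_DOCX = build_package({
    "[Content_Types].xml": '<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_XLSM = build_package({
    "[Content_Types].xml": ('<Types><Override PartName="/xl/vbaProject.bin" '
                            'ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00" * 64,  # placeholder bytes, not a real VBA stream
})

if __name__ == "__main__":
    for name, blob in (("Invoice_4471.docx", CLEAN_DOCX),
                       ("Statement.xlsm", MACRO_XLSM),
                       ("Statement.xlsx", MACRO_XLSM)):
        print(inspect_attachment(name, blob))
```

This only answers "does the package carry a VBA project at all"; it says nothing about what the macro does, and a legacy binary .doc/.xls is flagged wholesale because its OLE streams are not parsed here. It is a cheap first filter in front of a sandbox, not a replacement for one.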
Join Date: Mar 2010
Location: UK
Age: 76
Posts: 620
I have received several e-mails from amazon.com saying that there has been unusual activity on my account and that I must log in to avoid my account being terminated. The only problem is that I don't have an amazon.com account.
Join Date: Aug 2007
Posts: 647
Spam
I have covered my experiences on another thread here, but likewise I have received some e-mails from a variety of sources where I have had no previous contact.
I checked with the MXtoolbox site and my IP address was associated with spam by an organisation. I have had to reset my e-mail access password with my provider and I am monitoring the situation for further developments.
This is a recent event and I am as careful as anyone in this respect.
CAT III
Join Date: Jan 2008
Location: lancs.UK
Age: 77
Posts: 1,191
Today, I had "HMRC. NO REPLAY "
Yep, they got the last bit right!
Youngest son worked for a couple of major ISPs, working in/running their Abuse Dept. His job was to trap and trace spambots and malware. He often had flat denials from the machine owners and delighted in repeating verbatim the most salacious and pornographic adverts their machine was sending... He then said, "I will give you 24 hours to get your machine cleaned; after that, your Internet connection WILL be terminated and you will be barred from all UK ISPs."
AFAIK, he never had to terminate anybody.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
my IP address was associated with spam by an organisation. I have had to reset my e-mail access password with my provider and I am monitoring the situation for further developments.
You've got a bit more to do than simply resetting your email password my friend !
Join Date: Aug 2007
Posts: 647
Hello Mixture
I have contacted my ISP to get my router's external IP address changed (I think you can do this by leaving the router off for a few days, allowing the lease to lapse).
The e-mail passwords were not compromised (but I changed them anyway).
Reinstalled Linux from scratch x2 and reconfigured it; router password changed and strengthened; ISP e-mail password changed and strengthened, as a measure against a rootkit on Linux. Yes, they do exist.
Win 8.1 reinstalled from my original USB created at initial install (a pain). The antivirus checks (ESET, Norton etc.) were all negative.
The listings where I was blacklisted were spamhaus.org and SORBS (dnsbl.sorbs.net). Obviously I have no connection with this site, but as a precaution give it a go; try the Blacklist Check.
Edit: So far I have had no e-mails bounced, but I am acting on the side of caution.
CAT III
Last edited by Guest 112233; 31st Jan 2015 at 14:03. Reason: Clarification
Join Date: Aug 2002
Location: Earth
Posts: 3,663
spamhaus.org
Join Date: Aug 2007
Posts: 647
To whom ......
I'm on OpenDNS and have been for the last 12 months.
Thank you for the advice.
OK, a warning for all. I've done a chase-up re Spamhaus. Not good:
"***.***.***.** is listed in the PBL, in the following records:
"It is the policy of * that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to * customers."
A warning to all.
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
If you made it into Spamhaus then it's pretty much guaranteed you were really sending out spam. Spamhaus are very well respected and have an incredibly low false-positive rate (in fact I've seen no false positives caused by Spamhaus, and that's on various busy mail servers where a Spamhaus data feed subscription is in place). They take their work very seriously and as far as possible they aim to manually review anything that's borderline before it gets into their database.
The only exception to that is if you were on the one specific Spamhaus feed that is a list of ISP broadband connections which is used as a guidance list to flag up possibly suspicious mails, rather than a specific spam filtering list.
SORBS are not bad either, they've been around a while but Spamhaus beats most lists heads down for quality and low-false positives.
But I digress, enough about spam filtering lists, good to hear you did the right thing and re-installed from scratch.
Anyone wanting to check themselves out could do worse than checking with Multi-RBL Check | The Anti-Abuse Project
FWIW, I think on Thursday a major botnet was halted, as we saw a dramatic reduction in spam (like 75% down). We've seen a lot less spam in January than we did in Nov/Dec anyway.
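The blacklist checks discussed in this thread (MXToolbox, the Multi-RBL check, and the Spamhaus PBL record quoted above) all boil down to one DNS lookup per list: the IPv4 address is reversed and queried under the list's zone, and the A record returned encodes which sub-list hit. The following is an added example, not code from any poster or from Spamhaus, SORBS or MXToolbox. It builds the query name, decodes Spamhaus ZEN return codes so that a PBL-only policy listing is not mistaken for evidence of an infected machine, and treats the 127.255.255.x error answers (which Spamhaus returns, for instance, for queries sent through public open resolvers) as "no answer" rather than "listed". The resolver is injectable; `fake_resolve` and its answers are constructed for the example, while `system_resolve` does a real lookup through the host's resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Sequence

# Spamhaus ZEN return codes as documented by Spamhaus. First element is the
# component list: SBL/XBL mean the address was observed sending spam or is
# infected; PBL is an ISP policy statement about end-user address space.
SPAMHAUS_ZEN_CODES: Dict[str, tuple] = {
    "127.0.0.2": ("SBL", "SBL: verified spam source"),
    "127.0.0.3": ("SBL", "SBL CSS: low-reputation / snowshoe source"),
    "127.0.0.4": ("XBL", "XBL (CBL): infected host or open proxy"),
    "127.0.0.5": ("XBL", "XBL: infected host or open proxy"),
    "127.0.0.6": ("XBL", "XBL: infected host or open proxy"),
    "127.0.0.7": ("XBL", "XBL: infected host or open proxy"),
    "127.0.0.9": ("SBL", "SBL DROP/EDROP: hijacked or rogue netblock"),
    "127.0.0.10": ("PBL", "PBL: ISP policy, end-user address space"),
    "127.0.0.11": ("PBL", "PBL: Spamhaus-maintained policy listing"),
}
# Answers in 127.255.255.0/24 are error signals from Spamhaus, not listings.
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver; Spamhaus refuses these",
    "127.255.255.255": "excessive number of queries",
}

Resolver = Callable[[str], List[str]]  # returns A records for a name, [] on NXDOMAIN


def query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> List[str]:
    """Real lookup through the host's resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve: Resolver = system_resolve,
             zones: Sequence[str] = ("zen.spamhaus.org", "dnsbl.sorbs.net")) -> Dict[str, dict]:
    """Query each zone and decode the answers into a per-list report."""
    report: Dict[str, dict] = {}
    for zone in zones:
        answers = resolve(query_name(ip, zone))
        entry = {"listed": False, "codes": [], "meaning": [], "error": None}
        for a in answers:
            if zone == "zen.spamhaus.org" and a in SPAMHAUS_ERRORS:
                entry["error"] = SPAMHAUS_ERRORS[a]   # refused, so nothing is known
                continue
            entry["listed"] = True
            entry["codes"].append(a)
            if zone == "zen.spamhaus.org":
                entry["meaning"].append(SPAMHAUS_ZEN_CODES.get(a, ("?", f"undocumented code {a}"))[1])
            else:
                # SORBS sub-list codes are not decoded here; consult its lookup page.
                entry["meaning"].append(f"listed with code {a}")
        report[zone] = entry
    return report


def needs_cleanup(report: Dict[str, dict]) -> bool:
    """True when Spamhaus says the host itself sent spam (SBL/XBL); False for PBL-only."""
    zen = report.get("zen.spamhaus.org", {})
    components = {SPAMHAUS_ZEN_CODES[c][0] for c in zen.get("codes", []) if c in SPAMHAUS_ZEN_CODES}
    return bool(components & {"SBL", "XBL"})


# Constructed sample answers standing in for real DNS responses. The addresses
# are from documentation ranges; none of these is a real listing.
FAKE_ANSWERS = {
    "44.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # infected host on a broadband range
    "44.2.0.192.dnsbl.sorbs.net": ["127.0.0.6"],
    "88.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # PBL only: policy, not spam evidence
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],         # refused: query went via an open resolver
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.88", "203.0.113.9"):
        rep = check_ip(ip, fake_resolve)
        print(ip, "cleanup needed" if needs_cleanup(rep) else "no spam listing", rep)
```

Two practical points follow from the decoding. A PBL hit like the one quoted in this thread is the ISP's policy for its whole customer range and says nothing about the machine behind the address; an XBL hit does. And if the answer sits in 127.255.255.0/24, the lookup was refused rather than answered, which is what a site on OpenDNS or another public resolver will see; run the check through the ISP's resolver, or through one of your own, before concluding anything.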
Join Date: Aug 2002
Location: Earth
Posts: 3,663
" ***.***.***.** is listed in the PBL, in the following records:
"It is the policy of * that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to * customers."
And it's a very good thing that home users are blocked from sending email from their own servers... for the very reason you've just demonstrated to us: such users are prone to exploits making spam-sending zombies out of their computers.
I have to clean false-positives from them roughly once every quarter.
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
Is that on sites where you take an Rsync feed from Spamhaus ?
If you're using their public DNS service, then you may be inadvertently caching somewhere along the lines .... either in your DNS resolvers or your anti-spam software.
Rsync users get updates every 60 seconds, so even modest caching of their public DNS service could be what's causing your false-positives.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Also Mike, might be worth ensuring your return code checks are up to date? There was a point in time where certain redirectors such as bit.ly got caught up in Spamhaus, but they've made various changes and added extra return codes now.
Not defending Spamhaus, I use other resources in conjunction with theirs, I'm genuinely surprised to hear about your false positive rates !
Join Date: Aug 2007
Posts: 647
OK, asking a stupid question.
Have OpenDNS servers been compromised, even on a temporary basis, or have blocks of IP addresses been impersonated?
Re the earlier posting of a botnet being brought down last week?
I'm carefully checking my limited e-mail contact list to see if there have been any problems. Gmail is not the culprit at this stage.
CAT III
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Have OpenDNS servers been compromised, even on a temporary basis, or have blocks of IP addresses been impersonated?
Re the earlier posting of a botnet being brought down last week?
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
Not sure about compromised, would need to do a little research.
Impersonation of IP blocks is trivial if you can put the right pieces together, but there are ways and means to minimise the impact.
One of the biggest uses of botnets is launching DDoS attacks, and one very popular form of attack is DNS reflection.
So whilst perhaps not compromised as such, I'm sure OpenDNS see and have seen their fair share of DDoS attacks.
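DNS reflection, as raised in the last two posts, works because a botnet sends small queries with a spoofed source address to resolvers, which then send their much larger answers to the address that was forged, i.e. the victim. The following is an added example, not code from any poster or from OpenDNS: it runs simple detection logic over resolver query-log lines, aggregating per source address and flagging sources that receive many-times-amplified answers to a handful of repeated names. The log format and every line in it are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed resolver query-log lines (not a real capture). The "client"
# field is the packet's source address; in a reflection attack that address
# is spoofed and belongs to the victim, who receives all the large replies.
SAMPLE_LOG: List[str] = [
    "2015-01-29T10:00:01Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:01Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:01Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:02Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:02Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:02Z client=203.0.113.9 qname=example.net qtype=ANY req=64 resp=3200",
    "2015-01-29T10:00:02Z client=198.51.100.20 qname=www.example.org qtype=A req=48 resp=112",
    "2015-01-29T10:00:03Z client=198.51.100.20 qname=mail.example.org qtype=MX req=49 resp=140",
    "2015-01-29T10:00:05Z client=198.51.100.20 qname=example.com qtype=AAAA req=46 resp=120",
]

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)"
)


def parse_log(lines: Iterable[str]):
    """Yield one record per parseable line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield {"client": m["client"], "qname": m["qname"], "qtype": m["qtype"],
                   "req": int(m["req"]), "resp": int(m["resp"])}


def find_reflection_targets(lines: Iterable[str], min_queries: int = 5,
                            min_amplification: float = 10.0,
                            max_distinct_names: int = 2) -> Dict[str, dict]:
    """Flag source addresses that look like reflection victims.

    Heuristic: many queries, answers far larger than the questions, and only a
    couple of distinct names (attackers pick one or two records that amplify
    well, classically an ANY query against a large zone).
    """
    stats = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0,
                                 "any": 0, "names": set()})
    for rec in parse_log(lines):
        s = stats[rec["client"]]
        s["queries"] += 1
        s["req_bytes"] += rec["req"]
        s["resp_bytes"] += rec["resp"]
        s["any"] += rec["qtype"] == "ANY"
        s["names"].add(rec["qname"])

    flagged: Dict[str, dict] = {}
    for client, s in stats.items():
        amplification = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
        if (s["queries"] >= min_queries and amplification >= min_amplification
                and len(s["names"]) <= max_distinct_names):
            flagged[client] = {
                "queries": s["queries"],
                "amplification": round(amplification, 1),
                "any_fraction": round(s["any"] / s["queries"], 2),
                "names": sorted(s["names"]),
            }
    return flagged


if __name__ == "__main__":
    for victim, info in find_reflection_targets(SAMPLE_LOG).items():
        print(f"{victim}: {info['queries']} queries, x{info['amplification']} amplification, "
              f"ANY fraction {info['any_fraction']}, names {info['names']}")
```

The flagged address is the party being attacked, not the attacker, so blocking it only finishes the attacker's job. The fixes belong on the resolver side: do not answer recursive queries for the whole Internet, and rate-limit responses per source so that a spoofed address cannot draw unlimited traffic.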