July 2008

IT Security, 30 Jul 2008 07:13 pm

I continued reviewing my computer and installed SPAMBOT S&D to look for the remains of a nasty little SPAMBOT on my computer, with still no signs of it. I have my network snoop still running and don't see any traffic leaving my system, and checking netstat -ab doesn't show any rogue processes binding a port to listen. Who knows. Maybe AV freaked out on my computer and started spewing emails out the Internet pipe, since the product does have the functionality to scan and forward emails to the Internet. I'm going to start googling for info on Norton AV freaking out and sending SPAM on port 25. If there was a bot on my computer it must have left something behind. More details as they develop.
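The snapshot check described in this post (watching for traffic leaving the box and looking at netstat for unexpected listeners) can be scripted so it is repeatable. The following is an added example, not the author's code: it parses the text of Windows `netstat -ano` output (the `-o` column gives the owning PID, which is what you need to chase a suspect process), reports any process with outbound connections to TCP/25, and lists listening ports outside an assumed baseline. The sample netstat text and the baseline port set are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
# Not captured from any real machine; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49201     203.0.113.7:25         SYN_SENT        4120
  TCP    192.168.1.10:49202     198.51.100.23:25       ESTABLISHED     4120
  TCP    192.168.1.10:49300     192.0.2.40:465         ESTABLISHED     2288
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       4120
  UDP    0.0.0.0:3702           *:*                                    1340
"""

SMTP_PORTS = {25}
# Assumed baseline of listeners considered normal on this host (assumption, tune per machine).
KNOWN_LISTENERS = {135, 445, 3702}


def parse_netstat(text):
    """Turn netstat -ano text into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def port_of(addr):
    """Extract the port from 'host:port', '[v6]:port' or '*:*' (None if absent)."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_smtp_senders(rows):
    """Map PID -> remote endpoints for every non-listening TCP socket aimed at port 25.

    A spambot talking directly to recipient MX servers shows up here; a mail
    client submitting over 465 (SMTPS) does not, which is the split the ISP
    block in the post enforces.
    """
    by_pid = defaultdict(list)
    for r in rows:
        if (r["proto"] == "TCP" and r["state"] != "LISTENING"
                and port_of(r["foreign"]) in SMTP_PORTS):
            by_pid[r["pid"]].append(r["foreign"])
    return dict(by_pid)


def find_unexpected_listeners(rows, known=KNOWN_LISTENERS):
    """(PID, port) pairs bound for LISTENING that are not in the baseline."""
    return {(r["pid"], port_of(r["local"]))
            for r in rows
            if r["state"] == "LISTENING" and port_of(r["local"]) not in known}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("processes with outbound TCP/25:", find_smtp_senders(rows))
    print("listeners outside baseline:", find_unexpected_listeners(rows))
```

A single snapshot only catches a bot that happens to have a connection open at that moment, which is why a one-off netstat can come up empty after a reboot; feeding the script a `netstat -ano` capture taken every few seconds over an evening is far more likely to surface a short-lived sender, and the PID it reports is what you look up in Task Manager or `tasklist`.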

IT Security, 29 Jul 2008 06:56 am

I spoke with the Comcast Abuse/Legal department this morning, and they did indeed confirm that Comcast blocked TCP/25 outbound from my Internet connection, because SPAM email was coming from my connection for 1 day. It's nice to know that they are monitoring Internet connections from their subscribers, but it's kind of Big Brother-ish to think that they are blocking TCP ports without telling anybody.

And, there is no going back. Comcast said that they, and the other ISPs, will be blocking TCP/25 permanently to reduce the amount of SPAM emanating from home users, forcing their customers to use TCP/465 and SSL authentication. I was just ahead of the curve since I triggered an anti-spam monitor from my house. I reconfigured all of my POP accounts to use authentication and it's working fine. But TCP/25 SMTP will be gone from home ISPs shortly.

Norton reports no virus on my computer, and I checked one of the other home computers and found no viruses.  I’m going to continue to search for what was on my computer that was able to send spam, and then manage to hide itself and disappear when the computer was rebooted.

development, 29 Jul 2008 05:39 am

I placed an ad on a couple of Internet sites looking for a Microsoft Vista PC Image build expert for my client who needs to upgrade 21,000 desktops. Next came the stream of emails from job applicants looking for a job. I'm not 100% sure that I got the virus from one of those emails, but I will describe the behavior I noticed.

When I attempted to open a Word document, I got a message that my Norton anti-virus was having trouble and could not open the email to scan it. Something had shut down my Norton anti-virus, or at least caused it to quirk out. I was not particularly worried, but I figured to fix the problem when I had a bit of time.

Flash forward a day later: I get home from work, and my wife tells me she can not send email. I check my computer and sure enough, it can't send email either. Time to figure out what's going on. I check my Norton anti-virus on my computer, which tells me that it is hopelessly screwed up, and I need to completely uninstall and re-install it. Now, what could cause Norton to blow up on my computer I still have no clue. But I proceed to uninstall it. After that process, Norton informs me that it needs to reboot. I tell it to do it, and it starts shutting down everything on my computer. Right before it reboots, Word pops up on my screen with an action box that has a long string of Asian characters and an OK button. Very strange.

I reboot the computer, download a fresh copy of Norton anti-virus and go through the install process. I then scan the computer, do a live update, and scan the computer again. Norton sees no sign of a virus.

I called Comcast twice the night before to ask why SMTP outbound was blocked, and the level 1 support person had no clue what I was talking about. When I called this morning and explained the issue as "I may have had a computer virus that was sending email, and now I can't send SMTP," the tech said I would need to call the Abuse/Legal department when they opened later today. It was very silly that when they did block outbound SMTP I didn't get a notification, a call, or an email, or at least have them update their system so the techs you call for support know that it was blocked.

I still don't know what virus or spambot was running on my machine to generate SPAM and cause Comcast to block SMTP outbound. I scanned the computer twice, and live updated a couple of times. It will be interesting to find out, as I continue to chase this down, if it was a transient virus that left no trace when the computer was rebooted and the anti-virus software uninstalled and re-installed.

The fun will continue this morning when I speak with the Comcast legal/abuse department about turning back on my ability to send SMTP email.