“From their account” and “from their IP” are usually separate things. Probably need to determine if someone actually determined it was from their IP, or just assumed that.
It used to be common to plant a spambot on a compromised computer, but so many ISPs block outbound traffic to port 25 that this method is much less common these days. The more common method now is to get hold of someone’s email credentials and use those to relay spam through the email host’s mail relay, often from a botnet, but not from the compromised customer’s computer or IP address. Once you have their credentials, you can relay spam from any IP address through the legitimate MX server which trusts those credentials, at least until the account gets suspended. So maybe the computer is infected with malware and part of a botnet, but likely it would be sending spam on port 587 using SMTP AUTH and a list of stolen usernames and passwords. All the time we get customers who assume their computer is infected because their email credentials are being used to send spam, they don’t understand once someone has their credentials the spam can come from anywhere. From: David Sent: Wednesday, February 10, 2016 10:52 AM To: af@afmug.com Subject: Re: [AFMUG] Odd situation Sounds like a typical compromised email account with a trojan running the whole thing. Secure email account then disinfect machine with lysol and should be good LOL On 02/10/2016 10:31 AM, Glen Waldrop wrote: Rural customer. Just about the only neighbor that could have gotten on their WIFI just died in their early 90s. No idea. I think it is just a 100% misdiagnosis by non-IT guys. I’m trying to get the info myself. From what I’ve been able to put together it sounds like someone has their login and password to their email accounts. Still need all of the info. I guess that 90+ year old could have been taking in side money as a spammer, but... From: That One Guy /sarcasm Sent: Tuesday, February 09, 2016 10:01 PM To: af@afmug.com Subject: Re: [AFMUG] Odd situation dish probably connected some smart tv/roku/wifi extender in an unsecured fashion to their network and never told the customer about it, and it has since been hijacked and is relaying spam On Tue, Feb 9, 2016 at 9:38 PM, Glen Waldrop <gwl...@cngwireless.net> wrote: First and foremost my office is a computer service, so bugged computers come through here 24/7. It is my job. The whole point of that was to monitor what it was doing. Digging in to the IP’s it was communicating with, the secure connection was to Microsoft. Windows 8 and 10 have to call home to big brother constantly. Not a fan. Looks like yet another “the sky is falling, fix it, it is pwned beyond belief” was sent to my office with pretty much nothing wrong with it. I went through it multiple times, all I found was the Inbox toolbar. Watched it on torch for 5 hours, nothing but Microsoft and the SNMP traffic, no emails, nada. The SNMP queries coming from it still puzzle me, though it is likely the laptop is trying to monitor his home security system or something. Long story short, the laptop was sent to me because supposedly they’re sending 17k spam a day from their IP. Problem is they’re on my Internet and the IP in question belongs to Dish network, which they do have as a backup, but wasn’t even connected at the time. Looks like a whole lot of misdiagnosis by non-IT guys. From: Eric Kuhnke Sent: Tuesday, February 09, 2016 4:37 PM To: af@afmug.com Subject: Re: [AFMUG] Odd situation only the second most preposterous part of the movie, after the part where javier bardem escapes and detonates the floor of a london tube tunnel at precisely the right time, causing the train to chase bond... Q is supposed to be a genius level intellect and network security/blackhat, yet he plugs the device into their secure network? nevermind all the fancy eye candy GUI hacking crap which is required because it's hollywood... On Tue, Feb 9, 2016 at 2:35 PM, Cameron Crum <cc...@wispmon.com> wrote: Didn't this happen in Skyfall? On Tue, Feb 9, 2016 at 4:33 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote: +1 Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Feb 9, 2016 5:29 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote: you brought a known-infected laptop into your office and plugged it into your LAN? uhhh... okay..... http://www.dban.org/ the port 443 connection is probably command and control for some variety of rootkit/APT. On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop <gwl...@cngwireless.net> wrote: I’ve got a customer with a bugged laptop. Not biggie, sending spam. I haven’t quite tracked that down yet, looks like it is logging into a remote server on 443, nothing obvious. What I’ve noticed that brought me to bring this to the list is that it is currently 192.168.0.50 on my office network, probing 192.168.1.4 through 6 on SNMP (doesn’t exist on my network, only on my sandbox that this laptop can’t see at all, nothing has been on my sandbox in weeks), also pinging my edge, though not my local edge, my network edge on it’s internal IP of 10.0.11.1. The customer’s IP address is on the 10.0.22.0/24 subnet, two hops to 10.0.11.0/24. At my office it is two hops from 192.168.0.0/24 to 10.0.11.1. If it was some form of a hack you’d figured they’d go by my public IP, though I suppose they’re looking for the possibility of not being secured on the inside. Just throwing this out there, looked interesting and weird to me. -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.