“From their account” and “from their IP” are usually separate things.  Probably 
need to determine if someone actually determined it was from their IP, or just 
assumed that.

It used to be common to plant a spambot on a compromised computer, but so many 
ISPs block outbound traffic to port 25 that this method is much less common 
these days.  The more common method now is to get hold of someone’s email 
credentials and use those to relay spam through the email host’s mail relay, 
often from a botnet, but not from the compromised customer’s computer or IP 
address.  Once you have their credentials, you can relay spam from any IP 
address through the legitimate MX server which trusts those credentials, at 
least until the account gets suspended.  So maybe the computer is infected with 
malware and part of a botnet, but likely it would be sending spam on port 587 
using SMTP AUTH and a list of stolen usernames and passwords.

All the time we get customers who assume their computer is infected because 
their email credentials are being used to send spam; they don’t understand that 
once someone has their credentials, the spam can come from anywhere.


From: David 
Sent: Wednesday, February 10, 2016 10:52 AM
To: af@afmug.com 
Subject: Re: [AFMUG] Odd situation

Sounds like a typical compromised email account with a trojan running the whole 
thing.
Secure email account
then disinfect machine with lysol and should be good LOL
On 02/10/2016 10:31 AM, Glen Waldrop wrote:

  Rural customer. Just about the only neighbor that could have gotten on their 
WIFI just died in their early 90s.

  No idea.

  I think it is just a 100% misdiagnosis by non-IT guys. I’m trying to get the 
info myself.

  From what I’ve been able to put together it sounds like someone has their 
login and password to their email accounts.

  Still need all of the info.

  I guess that 90+ year old could have been taking in side money as a spammer, 
but...


  From: That One Guy /sarcasm 
  Sent: Tuesday, February 09, 2016 10:01 PM
  To: af@afmug.com 
  Subject: Re: [AFMUG] Odd situation

  Dish probably connected some smart TV/Roku/WiFi extender in an unsecured 
fashion to their network and never told the customer about it, and it has since 
been hijacked and is relaying spam

  On Tue, Feb 9, 2016 at 9:38 PM, Glen Waldrop <gwl...@cngwireless.net> wrote:

    First and foremost my office is a computer service, so bugged computers 
come through here 24/7. It is my job.

    The whole point of that was to monitor what it was doing.

    Digging into the IPs it was communicating with, the secure connection was 
to Microsoft. Windows 8 and 10 have to call home to big brother constantly. Not 
a fan.

    Looks like yet another “the sky is falling, fix it, it is pwned beyond 
belief” was sent to my office with pretty much nothing wrong with it. I went 
through it multiple times, all I found was the Inbox toolbar. Watched it on 
torch for 5 hours, nothing but Microsoft and the SNMP traffic, no emails, nada.

    The SNMP queries coming from it still puzzle me, though it is likely the 
laptop is trying to monitor his home security system or something.

    Long story short, the laptop was sent to me because supposedly they’re 
sending 17k spam a day from their IP. Problem is they’re on my Internet and the 
IP in question belongs to Dish Network, which they do have as a backup, but it 
wasn’t even connected at the time.

    Looks like a whole lot of misdiagnosis by non-IT guys.
    From: Eric Kuhnke 
    Sent: Tuesday, February 09, 2016 4:37 PM
    To: af@afmug.com 
    Subject: Re: [AFMUG] Odd situation

    Only the second most preposterous part of the movie, after the part where 
Javier Bardem escapes and detonates the floor of a London tube tunnel at 
precisely the right time, causing the train to chase Bond...


    Q is supposed to be a genius level intellect and network security/blackhat, 
yet he plugs the device into their secure network?


    Never mind all the fancy eye candy GUI hacking crap which is required 
because it's Hollywood...


    On Tue, Feb 9, 2016 at 2:35 PM, Cameron Crum <cc...@wispmon.com> wrote:

      Didn't this happen in Skyfall?

      On Tue, Feb 9, 2016 at 4:33 PM, Josh Luthman 
<j...@imaginenetworksllc.com> wrote:

        +1

        Josh Luthman
        Office: 937-552-2340
        Direct: 937-552-2343
        1100 Wayne St
        Suite 1337
        Troy, OH 45373

        On Feb 9, 2016 5:29 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:

          you brought a known-infected laptop into your office and plugged it 
into your LAN?  uhhh... okay.....

          http://www.dban.org/


          the port 443 connection is probably command and control for some 
variety of rootkit/APT.
          On Tue, Feb 9, 2016 at 10:00 AM, Glen Waldrop 
<gwl...@cngwireless.net> wrote:

            I’ve got a customer with a bugged laptop. No biggie, sending spam.

            I haven’t quite tracked that down yet; it looks like it is logging 
into a remote server on 443, nothing obvious.

            What I noticed, and what brought me to bring this to the list, is 
that it is currently 192.168.0.50 on my office network, probing 192.168.1.4 
through 6 on SNMP (doesn’t exist on my network, only on my sandbox, which this 
laptop can’t see at all; nothing has been on my sandbox in weeks), also pinging 
my edge, though not my local edge, my network edge on its internal IP of 
10.0.11.1.

            The customer’s IP address is on the 10.0.22.0/24 subnet, two hops 
to 10.0.11.0/24. At my office it is two hops from 192.168.0.0/24 to 10.0.11.1.

            If it was some form of a hack you’d have figured they’d go by my 
public IP, though I suppose they’re looking for the possibility of not being 
secured on the inside.

            Just throwing this out there, looked interesting and weird to me.

  -- 

  If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
