Message 1 of 29

Spambot traffic

Hi, I may have a bot infection on one of my devices. I can see an explanation for detecting one on a Windows PC, but not on a Mac (Apple device).

Can anyone help?

Thanks in advance.

Message 2 of 29

Re: Spambot traffic

Read "Share the Internet connection on Mac with other network users" and be aware that the shared port cannot be used for internet access; for example, if you share Wi-Fi, then another port, likely Ethernet, will be needed to provide internet access.

Message 3 of 29

Re: Spambot traffic

Hi, and thank you for your reply.

However, I don't understand how sharing my connection will help me detect a potential bot infection.

https://support.apple.com/en-gb/guide/mac-help/mchlp1540/mac

Can you clarify please?

Thanks.

Message 4 of 29

Re: Spambot traffic

The basic idea is fairly straightforward, but to get it to work requires a bit of background understanding of how Ethernet networks function, and the practicalities can be a bit fiddly.

In essence, though, imagine that you have a number of devices on your network; they all connect via wifi or cable to the hub and out to the internet. Now imagine that one of them (and we don't know which one) gets infected with a bit of malware and starts sending out spam email. From the outside world's point of view, they can't see which device on your network is doing it; all they can see is spam coming out of your internet connection, i.e. your WAN IP address. VM have a policy (and we can argue the rights and wrongs of doing this) that if this is detected, then when your email client tries to connect to their network and send a perfectly legitimate message, VM checks to see if your address is on the 'naughty list', so to speak, and if so simply denies the connection. Most email clients can't tell what the actual reason for this is; all they know is that they can't connect, and they tend to just throw up a generic (and often confusing) 'password' error.

Now, neither VM nor anyone else can say which device on your network is actually responsible; the onus is entirely on you to find it and eliminate it. If you simply ask for your address to be delisted without finding the culprit first, then it will be a very short-term fix, as you will simply get listed again.

Here's a list of things which absolutely won't work:

Screaming at VM to 'just fix my email' - they won't!
Threatening to sue - good luck with that one!
Demanding that Spamhaus (the third-party company which actually compiles the list) remove you from it permanently - you will politely be told to 'do one'
Threatening Spamhaus with legal action - it's been tried, got nowhere, see above

And things which will (eventually) work:

Work out which of your devices is responsible, eliminate the cause and then request a de-listing
Throw every internet-connected device you have into the nearest skip, purchase all new equipment and never install anything on it.

Option one is generally preferred!

So all we know is that something is sending traffic out to the internet on a specific 'port'; this is SMTP traffic on port 25. The standard VM hub doesn't have any traffic logging features, which some third-party routers do; if it did, then it would be easy to have a look through the logs and see something like 'device with IP address 192.168.0.23 connected to <some mailserver address> on port 25'. You would then check which of your devices had the IP address 192.168.0.23, and that would be the culprit. But since the hub can't do that, we need an alternative method.

Wireshark is an immensely powerful piece of software for analyzing network traffic and telling you exactly where it has come from (the source address), where it is trying to get to (the destination address) and the type of traffic (the port number). So if you were to install this on a PC (there is a Mac version), set it running and leave it, then if your PC happened to have the malware on it, you would see Wireshark logging outgoing traffic on port 25 and you would know that the PC has a problem. The issue is that Wireshark can only display traffic going through the device it is installed on, or more specifically the network interface (wifi, ethernet etc.) that it has been told to monitor - it can't see what other devices are doing. So you could have it happily logging on your PC with no results at all while an Amazon Firestick (for example) right next door is spamming the entire world right under your nose. And the reason is that the Firestick is talking directly to the VM Hub and out to the internet, completely bypassing the PC doing the scanning!

So we need to set things up so that instead of your wifi devices connecting to the internet directly via the Hub, they connect instead to the PC and then out to the Hub; in this way Wireshark on the PC can monitor all the traffic coming from them and eventually see which one is responsible. It might take some time: the modern versions of the 'spambots' try to keep under cover, staying dormant for a while, sending out a couple of spam emails and then going back to sleep in an attempt to avoid detection. So you need to keep the logging running and catch them when they light up.

How this is done depends on the equipment you have, but the basic principle is the same. Connect your Mac or PC to the internet and first use Wireshark to be sure that it isn't actually this which is the issue. There is a test you can do using a telnet command to simulate sending out spam email (without actually sending any); if Wireshark picks this up, then you know you have everything set up correctly.

The next step is to 'share' this internet connection and then disconnect all of your wifi devices from the VM Hub's wifi (in fact, turn off the Hub's wifi entirely if you can) and connect them to your 'shared' connection instead. That way they all connect to the internet as normal, but your PC or Mac is now in a position to analyze all the traffic from all of your devices. Once Wireshark detects outgoing port 25 traffic, it will tell you the IP address of the offending device; you can then check which device was given that address and act accordingly. Once you have found the source of the spam, you can disconnect and clean up the device (factory reset, uninstall any dodgy applications etc.) and put everything back to normal.

It's not actually as hard as it might sound once you have got your head around the underlying method, what it is you are trying to achieve and why.

John 
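An added example (not from John's post or Virgin Media) of the "which LAN address is talking to port 25" check John describes, done on a field export from the capturing Mac/PC rather than by eye in the Wireshark window. It assumes the capture was exported with `tshark -i <iface> -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` and that the hub LAN is 192.168.0.0/24 (the range in John's example); the sample lines are constructed, not a real capture. Only connection attempts (SYN without ACK) are counted, so an infected device still shows up when the mail server refuses it.

```python
import ipaddress
from collections import Counter, defaultdict

SMTP_PORTS = {25}  # the thread is about port 25 only
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed hub LAN, as in John's example

# Constructed sample export, not a real capture: one device keeps hitting port 25.
SAMPLE_EXPORT = """\
1700000000.10,192.168.0.23,203.0.113.10,25,1,0
1700000000.15,192.168.0.12,203.0.113.99,443,1,0
1700000001.20,192.168.0.23,203.0.113.11,25,1,0
1700000001.25,203.0.113.10,192.168.0.23,54321,1,1
1700000002.30,192.168.0.23,203.0.113.12,25,1,0
1700000003.40,192.168.0.12,203.0.113.10,25,1,0
1700000004.00,192.168.0.5,192.168.0.1,25,1,0
"""

def _flag(value):
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value.strip().lower() in ("1", "true")

def smtp_attempts(export_text):
    """Count outbound SMTP connection attempts (SYN without ACK) per LAN source.
    Returns (counts, destinations). Only the SYN is counted, so a spambot still
    shows up when the mail server refuses the connection."""
    counts, destinations = Counter(), defaultdict(set)
    for line in export_text.splitlines():
        fields = line.split(",")
        if len(fields) != 6:
            continue  # non-IP frame or truncated line
        _ts, src, dst, dport, syn, ack = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # empty or non-IP address fields
        if not _flag(syn) or _flag(ack):
            continue  # skip replies and established-connection packets
        if src_ip in LAN and dst_ip not in LAN and port in SMTP_PORTS:
            counts[str(src_ip)] += 1
            destinations[str(src_ip)].add(str(dst_ip))
    return counts, destinations

def likely_culprit(export_text, min_attempts=2):
    """LAN IP with the most outbound SMTP attempts, or None below min_attempts
    (a single attempt may just be a legitimate mail client)."""
    counts, _ = smtp_attempts(export_text)
    ip, n = next(iter(counts.most_common(1)), (None, 0))
    return ip if n >= min_attempts else None
```

A LAN-to-LAN port 25 packet (last sample line) is deliberately ignored, since the point is traffic leaving the network towards outside mail servers.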

Message 5 of 29

Re: Spambot traffic

That's brilliant, John, I'll give it a go and feed back.

Thank you.

Message 6 of 29

Re: Spambot traffic

Can you advise which Wireshark package I should download please?

Capture packets, or add system paths as well?

Message 7 of 29
Helpful Answer

Re: Spambot traffic

Select both.

Adding system path variables will mean that you can launch Wireshark from a terminal window without navigating to the actual location of the executable.

Message 8 of 29

Re: Spambot traffic

Hi all, still really struggling. I have Wireshark running, but as I have no email (unable to authenticate), I'm not getting any SMTP traffic.

Maybe Spamhaus will release me from the list and I will be able to set up email at some point.

Would an option be to recover IOS Catalina? Or would I have to wipe and reload?

Thanks

Message 9 of 29

Re: Spambot traffic

Hi Mjward,

If I understand correctly ... if everything is set up, Wireshark should see attempts to pass spam traffic through port 25 (from an active spambot), even though you're essentially blocked. It'll show up if it's "sending".

Hope I understood your question correctly?

Message 10 of 29

Re: Spambot traffic

Yes, I'm sure you do. OK, well that makes sense. So I'll leave Wireshark running and see if it picks anything up.

Thanks.
