Superfast
Message 11 of 29

Re: Spambot traffic

Ah, good ... and yes - leave it running. The vile little spambot I'd inherited took hours to decide to show itself and get spotted 😉 I initially thought nothing was going to happen when I saw a blank screen for hours on end.

Very Insightful Person
Message 12 of 29

Re: Spambot traffic


@Mjward wrote:

Yes I’m sure you do. Ok well that makes sense. So I’ll leave wireshark running and see if it picks anything up.


Did the telnet command confirm Wireshark setup for capture is correct?

On our wavelength
Message 13 of 29

Re: Spambot traffic

Thanks once more. I’m camped out staring at the monitor!! 

On our wavelength
Message 14 of 29

Re: Spambot traffic

I’ve struggled with telnet. Couldn’t work out how to use it.

Very Insightful Person
Message 15 of 29

Re: Spambot traffic

All you need to do is run the command telnet smtp.blueyonder.co.uk 25 - However I think later versions of MacOS removed the telnet client.

If however it is installed you'll see the following:

220 know-smtprelay-4-imp cmsmtp ESMTP server ready

Just type in quit as below:

220 know-smtprelay-4-imp cmsmtp ESMTP server ready
quit
221 2.0.0 know-smtprelay-4-imp cmsmtp closing connection


Connection to host lost.

Even if the server isn't listening on port 25 you'll still see the outbound connection attempts - Here's what my Wireshark trace looks like.

[Image: wireshark 2.PNG]

The above was taken from an earlier telnet session, hence the server greeting is slightly different. If you are seeing these then you know the capture is set up correctly.

Note that in my case the IP address 192.168.1.105 is the PC and 62.254.26.220 is smtp.blueyonder.co.uk - So this shows you're listening on the right adapter.

Here's a trace from a capture after I installed Hola Free VPN on my PC

[Image: holawireshark.PNG]

Again we see here a local address of 192.168.1.105 - but this is mail traffic that's being sent via Hola by spammers. The mail server sees my public address as the connecting address rather than the spammers', hence we see the server respond Hello {My public IP}. If the spam had connected to a honeypot while I was testing then Spamhaus would have registered the positive. Multiple positives would have seen my IP blacklisted on the CSS - needless to say I didn't leave the Hola Free VPN software installed for longer than 5 minutes. What I saw convinced me NEVER to use that company as a VPN provider again.

The important thing is that if you look at the second trace you can see what sort of traffic you'll see - You don't have to understand it (although it's not that mysterious - honest). The main thing to understand is that if you do see such traffic you're looking for the local IP. Depending on your router you'll see

192.168.x.x - most routers
10.x.x.x - Commonly used in Apple routers.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks
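
The triage Tim describes in Message 15 (spot bare outbound connection attempts to mail ports, then read off the local address that is making them) can be scripted once you have exported the capture. The block below is an added example written for this page, not code from any poster: it runs over a constructed packet summary (src,dst,dstport,flags per line; not a real capture, and 62.254.26.220 is reused only because the thread names it as the relay), counts how many distinct remote hosts each RFC 1918 address has tried to reach on SMTP ports, and flags anything above an assumed threshold of three. The record layout, the port set and the threshold are assumptions for the example; the Wireshark display filter string is the GUI equivalent of the same selection.

```python
import ipaddress
from collections import defaultdict

# Ports a bot has to reach to hand mail to a remote server: classic SMTP,
# implicit-TLS submission and STARTTLS submission. Real mail clients use
# 587/465 too, which is why the fan-out count, not the port alone, is the signal.
SMTP_PORTS = {25, 465, 587}

# Equivalent Wireshark display filter for eyeballing the same thing in the GUI:
# bare SYNs (new outbound connections) to any of those ports.
WIRESHARK_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport in {25 465 587}"

# Explicit RFC 1918 list (the 192.168.x.x / 10.x.x.x ranges mentioned in the thread
# plus 172.16/12). Not ipaddress's is_private, which also matches documentation
# ranges such as 203.0.113.0/24 and would hide the sample's "remote" hosts.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not a real capture. One line per packet: src,dst,dstport,flags
# where flags is "S" for a bare SYN, "SA" for SYN/ACK and "A" for anything later in
# the session. External addresses other than the relay are documentation ranges.
SAMPLE_CAPTURE = """\
192.168.1.105,62.254.26.220,25,S
62.254.26.220,192.168.1.105,52344,SA
192.168.1.105,62.254.26.220,25,A
192.168.1.105,203.0.113.7,25,S
192.168.1.105,198.51.100.21,25,S
192.168.1.105,198.51.100.22,25,S
192.168.1.105,203.0.113.9,587,S
192.168.1.22,203.0.113.80,443,S
10.0.0.5,203.0.113.50,25,S
"""


def is_lan(addr):
    """True for an address inside one of the RFC 1918 ranges."""
    return any(addr in net for net in LAN_NETWORKS)


def parse_records(text):
    """Turn the CSV-style lines into dicts; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, dport, flags = parts
        try:
            records.append({"src": ipaddress.ip_address(src),
                            "dst": ipaddress.ip_address(dst),
                            "dport": int(dport),
                            "flags": flags})
        except ValueError:
            continue
    return records


def outbound_smtp_attempts(records):
    """Map each LAN source address to the set of remote hosts it tried to open an
    SMTP connection to. Only bare SYNs count, so the server's replies and the rest
    of an established session are ignored; LAN-to-LAN traffic is ignored too."""
    attempts = defaultdict(set)
    for r in records:
        if r["flags"] != "S" or r["dport"] not in SMTP_PORTS:
            continue
        if not is_lan(r["src"]) or is_lan(r["dst"]):
            continue
        attempts[str(r["src"])].add(str(r["dst"]))
    return dict(attempts)


def suspected_spambots(records, min_destinations=3):
    """A legitimate mail client talks to one or two relays; a bot fans out to many
    recipients' mail servers. The threshold is an assumption for this example.
    Returns [(local_ip, distinct_remote_hosts), ...], busiest first."""
    attempts = outbound_smtp_attempts(records)
    flagged = [(ip, len(dsts)) for ip, dsts in attempts.items() if len(dsts) >= min_destinations]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in suspected_spambots(parse_records(SAMPLE_CAPTURE)):
        print("%s opened SMTP connections to %d distinct remote hosts" % (ip, n))
```

On the sample the only host that trips the threshold is 192.168.1.105, the address Tim identifies as his PC; 10.0.0.5 made a single port-25 attempt, which on its own is what any mail client does. A single telnet/curl/nc test against the ISP relay therefore never looks like a bot to this check, while the Hola-style fan-out described above does.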

Very Insightful Person
Message 16 of 29

Re: Spambot traffic


@ravenstar68 wrote:

All you need to do is run the command telnet smtp.blueyonder.co.uk 25 - However I think later versions of MacOS removed the telnet client.


Good point. Instead of telnet use curl; type the following command in a terminal window whilst Wireshark is running:

curl smtp://smtp.blueyonder.co.uk

The following output will be shown in the terminal window and you should see some activity in Wireshark:

214-2.0.0 This is cmsmtp ESMTP service help
214-2.0.0 To contact postmaster send email to postmaster@virginmedia.com.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 end of HELP info

 

On our wavelength
Message 17 of 29

Re: Spambot traffic

Thanks again. I’ll work through the instructions, carefully and no doubt slowly!

 

 

Very Insightful Person
Message 18 of 29

Re: Spambot traffic

@用心棒 

Good call - I keep forgetting about curl being used to test other types of connections instead of just web ones.

Tim

Very Insightful Person
Message 19 of 29
Helpful Answer

Re: Spambot traffic

Indeed telnet is missing entirely in recent versions of MacOS, I assume Apple just think we should be connecting via ssh instead!

Netcat works though so

nc smtp.blueyonder.co.uk 25

gives the expected response (need to terminate it with a Ctrl-c)
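
Messages 15, 16 and 19 all use the same trick: open a TCP connection to port 25, watch for the 220 greeting, and use that known traffic to confirm Wireshark is capturing on the right adapter. The block below is an added example written for this page, not code from any poster, that scripts that exchange in Python with both sides' messages handled: it reads the greeting (including RFC 5321 multi-line replies), sends QUIT so the session ends cleanly instead of with Ctrl-C, and reports the codes seen. The function and class names are mine; the scripted replies reuse the banner lines quoted in Message 15 but are replayed from memory by a stand-in, not captured live, so the logic can be checked offline. The real-socket wrapper at the bottom is what you would run while Wireshark is open.

```python
import socket
import sys

SMTP_PORT = 25
TIMEOUT_SECONDS = 10


def read_reply(readline):
    """Read one SMTP reply. A multi-line reply looks like "220-text" on every
    line but the last, which has a space after the code ("220 text").
    Returns (code, [text lines]). Raises ConnectionError if the peer sends nothing."""
    texts = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("connection closed before a complete reply arrived")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        code = int(line[:3])
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, texts


def smtp_probe(readline, send):
    """Drive the minimal exchange used in the thread to validate the capture path:
    expect a 220 greeting, send QUIT, expect 221. Works on any pair of callables,
    so a real socket and an in-memory stand-in are interchangeable."""
    result = {"greeting_code": None, "banner": "", "quit_code": None, "ok": False}
    code, texts = read_reply(readline)
    result["greeting_code"] = code
    result["banner"] = texts[0] if texts else ""
    if code != 220:
        return result  # service refused (e.g. 554) or something other than a mail relay answered
    send(b"QUIT\r\n")
    try:
        code, _ = read_reply(readline)
    except ConnectionError:
        return result  # peer dropped the connection without saying goodbye
    result["quit_code"] = code
    result["ok"] = code == 221
    return result


class ScriptedServer:
    """In-memory stand-in for the relay (constructed for this example) that hands
    back pre-written reply lines in order and records whatever the client sends."""

    def __init__(self, replies):
        self._lines = list(replies)
        self.received = b""

    def readline(self):
        return self._lines.pop(0) if self._lines else b""

    def send(self, data):
        self.received += data


# The two lines quoted in Message 15, replayed rather than captured.
BLUEYONDER_SCRIPT = [
    b"220 know-smtprelay-4-imp cmsmtp ESMTP server ready\r\n",
    b"221 2.0.0 know-smtprelay-4-imp cmsmtp closing connection\r\n",
]


def probe_host(host, port=SMTP_PORT, timeout=TIMEOUT_SECONDS):
    """Run the same exchange against a live host. While Wireshark is capturing this
    produces the SYN, the 220 banner, the QUIT and the 221 that the thread looks for."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        return smtp_probe(rfile.readline, sock.sendall)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.blueyonder.co.uk"
    print(probe_host(target))
```

Run it as `python3 smtp_probe.py smtp.blueyonder.co.uk` (filename assumed) with Wireshark open and you should see the same packets as the telnet, curl and nc variants above; the difference is that the result dict also tells you whether the greeting was a 220 or a refusal, which is the first thing to check if an ISP is rate-limiting or blocking port 25 from your address.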

On our wavelength
Message 20 of 29

Re: Spambot traffic

hi again, entered into terminal as suggested and received the correct response . Also seeing in Wireshark. 

nc smtp.blueyonder.co.uk 25

I'll continue to watch the reports in Wireshark

 