Drick
Message 1 of 8

Identifying device infected with spam bot

I've had a problem with my emails being blocked because my IP has been registered as sending spam.

I followed the advice I found on the forum as best as I could but I'm having a problem identifying the rogue device.

I've used Wireshark to test the mobile phones in the house with no luck, and as I've only got a Windows PC it's not practical to bring all the internet-connected devices into the room to test through its mobile hotspot.

The other problem is that the information I've received from Spamhaus suggests it is an Android device and that there have been only three occurrences of spam being sent in the last 2 months. This would make testing a very long drawn-out process.

'There is a proxy installed in an app or on a device that is running an SMTP relay without your knowledge, and using your public facing IP to send spam DIRECTLY to the internet via port 25; it is making SMTP connections on port 25, with forged HELO values. This problem is most commonly seen on Android-based mobiles, streaming devices, smart doorbells, and sometimes also on Windows computers. Here is the recent history of your IP making connections on port 25, with signatures typical of a compromised Android (sometimes Windows) device'

And they've quoted the following most recent incidents (I've x'd out my IP address):

'(IP, UTC timestamp, forged HELO value)
xx.xx.xxx.x 2021-01-10 07:30:00 outlook.com
xx.xx.xxx.x 2021-01-01 01:00:00 xlraizpfofqpv.com
xx.xx.xxx.x 2020-11-29 17:10:00 outlook.com'

They've also confirmed the first detection was on 29/11/20:

'The first detection was (UTC) 2020-11-29 17:10:00 The last detection was (UTC) 2021-01-10 07:30:00'

Is there any way I can get a notification when an incident occurs so I can check what devices are active at the time, or somehow get a log of connected devices from the Virgin Hub that I can compare with these times from Spamhaus?

Any advice would be appreciated.

legacy1
Message 2 of 8

Re: Identifying device infected with spam bot

You need a lot more hardware to find the device.

Might be easier to reset and format everything.

Drick
Message 3 of 8

Re: Identifying device infected with spam bot

That's quite a big rabbit hole to start going down. How far do I go with devices? We've got phones, tablets, a PC, games consoles, Alexas, Chromecasts, smart plugs, smart bulbs, smart meters for gas and electricity, a thermostat and probably other things I've not thought of. Are there any of these things I can eliminate from the search, and is there a way to get a list of what devices are linked to the wifi, so I can work through them and not miss any out?

legacy1
Message 4 of 8

Re: Identifying device infected with spam bot

@Drick wrote:

That's quite a big rabbit hole to start going down.

It gets worse: what if more than one device gets infected!

You could get a firewall to block and log outgoing port 25 like this:

Zyxel ZyWALL 1.0 Gbps Wireless AC UTM Firewall, recommended for up to 75 users - Hardware only [USG6...

You then need to find the device's MAC for the IP it's on.

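The approach sketched above (log outbound port 25 at the gateway, then map the offending LAN IP to a MAC), combined with the comparison against the Spamhaus timestamps that the original post asks for, as an added Python example that is not from this thread or from Virgin Media. It assumes a router that can export an outbound-connection log and a DHCP lease table; both formats below are constructed, and the Spamhaus lines reuse the layout quoted in the first post.

```python
from datetime import datetime, timedelta

# Constructed samples. The Spamhaus lines follow the "(IP, UTC timestamp,
# forged HELO value)" layout quoted in the thread; the firewall-log and
# DHCP-lease formats are assumptions, not taken from any real router.
SPAMHAUS_REPORT = """\
xx.xx.xxx.x 2021-01-10 07:30:00 outlook.com
xx.xx.xxx.x 2021-01-01 01:00:00 xlraizpfofqpv.com
xx.xx.xxx.x 2020-11-29 17:10:00 outlook.com
"""
# Assumed to be in UTC already; most home routers log local time, so convert first.
FIREWALL_LOG = """\
2021-01-10 07:29:48 OUT src=192.168.0.23 dst=203.0.113.9 dport=25
2021-01-10 07:31:02 OUT src=192.168.0.10 dst=198.51.100.4 dport=443
2021-01-01 00:58:30 OUT src=192.168.0.23 dst=203.0.113.77 dport=25
2020-11-29 17:10:15 OUT src=192.168.0.41 dst=203.0.113.9 dport=25
2020-11-29 17:10:31 OUT src=192.168.0.23 dst=203.0.113.9 dport=25
"""
DHCP_LEASES = """\
192.168.0.10 aa:bb:cc:00:00:10 DESKTOP-PC
192.168.0.23 aa:bb:cc:00:00:23 android-7f3e
192.168.0.41 aa:bb:cc:00:00:41 android-2c91
"""
TS = "%Y-%m-%d %H:%M:%S"

def parse_detections(report):
    """(UTC timestamp, forged HELO) for each line Spamhaus reported."""
    rows = [line.split() for line in report.splitlines()]
    return [(datetime.strptime(f"{d} {t}", TS), helo) for _ip, d, t, helo in rows]

def parse_port25_hits(log):
    """(timestamp, LAN source IP) for every outbound connection to TCP 25 only."""
    hits = []
    for line in log.splitlines():
        d, t, _direction, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("dport") == "25":
            hits.append((datetime.strptime(f"{d} {t}", TS), kv["src"]))
    return hits

def candidates_per_detection(detections, hits, window=timedelta(minutes=3)):
    """LAN IPs that opened a port-25 connection within +/- window of each detection."""
    return {when: {src for t, src in hits if abs(t - when) <= window}
            for when, _helo in detections}

def suspect_devices(report, log, leases, window=timedelta(minutes=3)):
    """(MAC, hostname) of devices talking on port 25 at *every* detection time."""
    per = candidates_per_detection(parse_detections(report), parse_port25_hits(log), window)
    common = set.intersection(*per.values()) if per else set()
    table = {ip: (mac, host) for ip, mac, host in map(str.split, leases.splitlines())}
    return sorted(table[ip] for ip in common)
```

A single detection can leave several candidates (two devices were active at the 2020-11-29 time in the sample), which is why the result is intersected across all reported timestamps; a router that reports inbound port 25 as "closed" says nothing about these outbound connections.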
Drick
Message 5 of 8

Re: Identifying device infected with spam bot

That's a much too expensive route to go down. The description says it's for a small business; I'm just a family home. I can't be the first person this has happened to, there must be other options.

bolgerp
Message 6 of 8

Re: Identifying device infected with spam bot

I am having exactly the same problem. I am unable to send email using Outlook on my laptop or Apple Mail on my iPhone/iPad. However, webmail or sending behind a VPN works fine.
This only started about three weeks or so ago.
I read several posts giving advice on here and some other online suggestions. Similar to yourself, I get the following from Spamhaus: "forged helo value keqakku.com. A device (computer, server, mobile phone, etc), or an app on a device that is using your IP is infected, insecure or compromised. It is making SMTP connections with forged HELO values on port 25."

However, I'm not able to see when the first instance of this occurred. Do I need to open a ticket with Spamhaus to find this out?

I have deep scanned each device on my network using System Mechanic. They are all clean. I used Net Analyzer to see what is using port 25 on the router, but that tells me port 25 on the router is closed. So I am a bit stumped to be honest. I can work around the problem using webmail or a VPN but I'm a bit concerned there's something lurking somewhere that I can't find. And it's just my btinternet.com email that's affected. Gmail works fine through Outlook and Apple Mail. All other internet access is absolutely fine. I'm stumped.

Drick
Message 7 of 8

Re: Identifying device infected with spam bot

I think I did have to raise a ticket with Spamhaus. They emailed me back with the info about the spam they had detected and some links to some advice. When I emailed them back for some clarification they got back to me very quickly. They confirmed that the pattern of spam they'd detected was unusual and made some suggestions as to what could be causing it. One thing they asked was if I'd downloaded an app called Mobdro. I had that app on two devices, and when I followed the instructions on this forum for using Wireshark I found some positive uses of port 25. Spamhaus confirmed that just deleting the app should cure the problem, and when I rechecked with Wireshark I didn't have any more positive results. So hopefully everything is sorted. My advice is to raise a ticket with Spamhaus and have an email chat with them; they seem really friendly and helpful.

bolgerp
Message 8 of 8

Re: Identifying device infected with spam bot

I'll drop them an email and see if I can get the date of first occurrence. That'll help me narrow it down.
