Tmatic
Joining in
Message 1 of 43

SpamBot Letter - How to identify the device responsible?


I have received a letter from Virgin stating that they have received a report that a SpamBot may be active on my connection.
Like others here, I have good subscription security (BitDefender), and regularly use free scanning services like MalwareBytes, so this is a very unwelcome surprise. No details were given of the problem, which makes investigation difficult.
All devices are behaving normally.


I have run a full system scan on my three PCs with BitDefender, and with MalwareBytes, and with the Eset tool suggested by Virgin, as well as the similar Kaspersky tool, and Trend Micro Housecall, and found nothing. BitDefender HomeScanner doesn't show any unexpected connections to the network.
I also have two Apple devices, normally considered unlikely malware victims, and two Android devices with BitDefender free scanner installed - nothing found on the latter. There is also an Amazon FireStick and a "smart" TV - no idea how to secure or disinfect those!

If I could find exactly what the alleged SpamBot activity was, and could monitor it, I could for example switch devices on one by one to identify the culprit, which would be a start.
How can I do this?


I have seen ravenstar68's post re using Wireshark, "Searching for Spambots on your network" on 22-10-2019, but I'm rather daunted by the process outlined. In any case it didn't seem to work for the person quoting it, and, worryingly, neither can I see anyone here with any removal solution which worked for them...


Does Virgin have some guidance online?
Can anyone help, please?
Thanks!

 

HowardML
Very Insightful Person
Message 2 of 43
Helpful Answer

Re: SpamBot Letter - How to identify the device responsible?

If you had searched the Forum you would have discovered that the Wireshark method is the only reliable way of detecting a device which may have an active spam bot on it. Yes it is daunting but since most spam bots successfully hide from AV and malware scanners there is nothing else. And @ravenstar68 went out of his way to devise the most straightforward way he could think of to sort the issue.

And you would also have seen that a very common culprit implicated in spam bots are Android devices and Amazon Firesticks which have been added to with free software designed to access services that might be considered risky. Examples are apparently free TV services.

You'd do well to start there. If you have added such software you should remove it and restore Firesticks to factory condition.

The usual result of such spam bots is that VM will decline to let you send mail via its SMTP (outgoing) mail servers with a VM305 error code. Spam bots work surreptitiously and completely outside your mail sending system. So it is entirely natural that you would see nothing. That's why scammers and spammers love them. However their activity is detectable by spam honeytraps and the millions of us plagued with spam from such devious devices.



I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

Tmatic
Joining in
Message 3 of 43

Re: SpamBot Letter - How to identify the device responsible?

Thanks for your reply.
I have searched the forum, and I did find ravenstar68's helpful article, as I mentioned.
I have to say though that as a non-technical person I'm still not clear exactly how to use Wireshark on several devices, via wifi and ethernet, even after careful reading. I will persist however, and assume I can post any questions re that here if that's appropriate? I'm new to the forum (- any forum!)


I am a little surprised that there seems to be little direct help available from Virgin on what can't be an uncommon problem for ordinary users struggling with a new universe.


Surely there must also be some information on the type and amount of traffic reported, and crucially, when it was first observed.


Re Firestick and smart TV - I haven't made any alterations to the devices as delivered, apart from setting them up at the outset, so I haven't knowingly introduced anything alien that way.
Thanks again for your comments.

HowardML
Very Insightful Person
Message 4 of 43

Re: SpamBot Letter - How to identify the device responsible?


@Tmatic wrote:

Thanks for your reply.
I have searched the forum, and I did find ravenstar68's helpful article, as I mentioned.
I have to say though that as a non-technical person I'm still not clear exactly how to use Wireshark on several devices, via wifi and ethernet, even after careful reading. I will persist however, and assume I can post any questions re that here if that's appropriate? I'm new to the forum (- any forum!)

Bear this in mind. At the moment each of your devices connects separately to your VM Hub. The Wireshark trick is to use a Windows PC - pref Win 10 - first check that it is clear of infection, and then connect each of your devices in turn to a WiFi hotspot set up on the PC and check that they are clear by looking for outgoing traffic to port 25.


I am a little surprised that there seems to be little direct help available from Virgin on what can't be an uncommon problem for ordinary users struggling with a new universe.

I'm not. VM are not responsible for what happens on your devices. They will tell you that illicit traffic has been spotted coming from your segment of their network - from your IP address, i.e. your Hub - but the rest is up to you.


Surely there must also be some information on the type and amount of traffic reported, and crucially, when it was first observed.

VM probably don't get that and there probably isn't anyway. In any event it couldn't identify the offending device. That is because all the outside world sees is traffic coming from your Hub. Nothing that goes on behind your Hub is visible externally.


Re Firestick and smart TV - I haven't made any alterations to the devices as delivered, apart from setting them up at the outset, so I haven't knowingly introduced anything alien that way.

Good, that means those items should be clear of infection.


Thanks again for your comments.


Try looking at what's on your Android phone? And you are always free to post for further advice.




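The method described above (put each device in turn behind a WiFi hotspot on a clean Windows PC, capture with Wireshark, and look for outgoing traffic to port 25) produces a capture that is easier to summarise than to read packet by packet. The script below is an added example, not from this thread or from ravenstar68's guide. It assumes the capture has been exported to comma-separated fields (for instance with tshark's -T fields option, columns frame.time_epoch, ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack), that the ISP relay address 62.254.26.220 quoted later in this thread is the only SMTP server a home mail client should contact directly, and that a host contacting more than three other mail servers is worth suspecting. The sample lines, the allowlist and the threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export, not a real capture. Columns (comma separated):
# frame.time_epoch, ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack
# Text after '#' on a line is a comment and is ignored by the parser.
SAMPLE_EXPORT = """
1700000000.10,192.168.0.10,62.254.26.220,25,1,0     # mail client -> ISP relay (new connection)
1700000000.15,62.254.26.220,192.168.0.10,51234,1,1  # relay's SYN-ACK back (dst port is not 25)
1700000010.00,192.168.0.10,62.254.26.220,25,0,1     # keep-alive/data on the already open session
1700000042.00,192.168.0.23,203.0.113.5,25,1,0       # five fresh connections to five different servers
1700000042.30,192.168.0.23,203.0.113.17,25,1,0
1700000042.60,192.168.0.23,198.51.100.2,25,1,0
1700000043.10,192.168.0.23,198.51.100.77,25,1,0
1700000043.40,192.168.0.23,203.0.113.200,25,1,0
1700000046.40,192.168.0.23,203.0.113.200,25,1,0     # retry to the same server
1700000090.00,192.168.0.40,198.51.100.9,25,1,0      # a single connection to an unknown server
this line is malformed and is skipped
"""

# Assumed allowlist: the ISP's outgoing relay is the only SMTP server a normal
# home mail client should be talking to directly.
ISP_RELAYS = {"62.254.26.220"}


@dataclass
class SmtpActivity:
    """Per-source summary of new outbound TCP/25 connection attempts."""
    attempts: int = 0
    destinations: set = field(default_factory=set)
    first_seen: float = float("inf")
    last_seen: float = 0.0


def parse_export(text):
    """Yield (time, src, dst, dstport, syn, ack) from the field export, skipping bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        parts = line.split(",")
        if len(parts) != 6:
            continue
        try:
            ts, dport = float(parts[0]), int(parts[3])
            ipaddress.ip_address(parts[1])           # validate both addresses
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        # tshark prints flag fields as 1/0 on older versions and True/False on newer ones
        syn = parts[4] in ("1", "True")
        ack = parts[5] in ("1", "True")
        yield ts, parts[1], parts[2], dport, syn, ack


def summarise_smtp(text):
    """Count fresh outbound connections to TCP/25 (SYN without ACK) per LAN host."""
    activity = defaultdict(SmtpActivity)
    for ts, src, dst, dport, syn, ack in parse_export(text):
        if dport != 25 or not syn or ack:
            continue                  # replies, data and keep-alives are not new attempts
        if not ipaddress.ip_address(src).is_private:
            continue                  # only traffic that originates behind the Hub
        a = activity[src]
        a.attempts += 1
        a.destinations.add(dst)
        a.first_seen = min(a.first_seen, ts)
        a.last_seen = max(a.last_seen, ts)
    return dict(activity)


def classify(activity, relay_allowlist, max_distinct=3):
    """Label each host by how many mail servers outside the allowlist it contacted."""
    verdicts = {}
    for src, a in activity.items():
        unknown = a.destinations - relay_allowlist
        if not unknown:
            verdicts[src] = "ok: only talks to the ISP relay"
        elif len(unknown) > max_distinct:
            verdicts[src] = f"suspect: {len(unknown)} distinct mail servers contacted directly"
        else:
            verdicts[src] = f"review: {len(unknown)} non-relay SMTP destination(s)"
    return verdicts


if __name__ == "__main__":
    summary = summarise_smtp(SAMPLE_EXPORT)
    for host, verdict in classify(summary, ISP_RELAYS).items():
        a = summary[host]
        print(f"{host:15} attempts={a.attempts:<3} servers={len(a.destinations):<3} "
              f"window={a.last_seen - a.first_seen:.1f}s  {verdict}")
```

A mail client talks to one relay over a handful of connections, whereas a spambot opens fresh connections to many different mail servers, so the number of distinct destinations per source, not the packet count, is the signal to look at. Counting only SYNs without ACK also means a session you left open (a telnet test, for example) contributes one attempt rather than one per keep-alive packet.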
Tmatic
Joining in
Message 5 of 43

Re: SpamBot Letter - How to identify the device responsible?

Thank you for that.
Baby steps, amid totally alien terms and concepts!

Anyway, ravenstar68's instructions are beginning to make sense. I have installed Telnet and Wireshark on my oldest Win 10 computer with WiFi, run the Telnet test successfully, and am now letting Wireshark run for a few hours on that machine as per instructions, before moving on to other WiFi connected devices via local hotspot, ditto.


Incidentally, Wireshark install options included "Support Raw 802.11 traffic...", and "Install NPcap in WinPcap API-compatible mode...". I didn't select these, as not mentioned in the instructions - correct?


I did install just NPcap, as I don't currently have any USB WiFi or Ethernet devices installed - unless my Firestick counts - I assume not, as it isn't USB, just HDMI.


If I need to test my single Ethernet-only connected desktop, would it be simpler just to install Wireshark on that and run it from there, rather than setting up a USB WiFi connector and then having to somehow install WinUSBcap on the machine I'm using now?


Thanks for your patience and help!!

jem101
Very Insightful Person
Message 6 of 43

Re: SpamBot Letter - How to identify the device responsible?


@Tmatic wrote:

Snip…


If I need to test my single Ethernet-only connected desktop, would it be simpler just to install Wireshark on that and run it from there, rather than setting up a USB WiFi connector and then having to somehow install WinUSBcap on the machine I'm using now?


Thanks for your patience and help!!


Yes you can do that and it would be easier.

Tmatic
Joining in
Message 7 of 43

Re: SpamBot Letter - How to identify the device responsible?

Thanks jem101.

Well, that worked - loads of traffic on Port 25 on my main Ethernet connected desktop.
Alternately from its local IP address (192. etc ), and from one beginning 62.254....


What now? I have scanned thoroughly with the installed AV and MalwareBytes, and found nothing.
Where do you suggest I go for cleaning advice, please?

carl_pearce
Superstar
Message 8 of 43

Re: SpamBot Letter - How to identify the device responsible?


@Tmatic wrote:

Thanks jem101.

Well, that worked - loads of traffic on Port 25 on my main Ethernet connected desktop.
Alternately from its local IP address (192. etc ), and from one beginning 62.254....


What now? I have scanned thoroughly with the installed AV and MalwareBytes, and found nothing.
Where do you suggest I go for cleaning advice, please?


Follow the guide here:

https://veerasundar.com/blog/2009/10/how-to-check-which-application-is-using-which-port/ 

So in the command prompt it would be:

netstat -aon | findstr ":25 "

then

tasklist | findstr 12964

 

12964 is an example.

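To map the port-25 connections on the desktop back to a process, as the netstat and tasklist procedure above does, here is an added example (not from the thread or from the linked blog post) that parses the two command outputs and joins them on PID. The netstat and tasklist text below is constructed: the process name unknown_helper.exe is a placeholder, the foreign addresses are documentation ranges plus the ISP relay quoted in this thread, and 12964 is the example PID from the post above. The machine's own address is deliberately 192.168.0.25, which shows why a bare findstr 25 over-matches: every line carrying that address contains the digits 25 whether or not port 25 is involved.

```python
from collections import defaultdict

# Constructed `netstat -aon` output in the Windows layout. Not from a real machine.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.0.25:49802     62.254.26.220:25       ESTABLISHED     4120
  TCP    192.168.0.25:49911     203.0.113.5:25         SYN_SENT        12964
  TCP    192.168.0.25:49912     198.51.100.77:25       ESTABLISHED     12964
  TCP    192.168.0.25:50001     203.0.113.250:443      ESTABLISHED     7788
  UDP    0.0.0.0:5353           *:*                                    3304
"""

# Constructed `tasklist` output. unknown_helper.exe is a placeholder name, not a real
# indicator; 12964 is the example PID used in the post above. Image names containing
# spaces would need the `tasklist /FO CSV` form instead of this whitespace split.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     10,204 K
Thunderbird.exe               4120 Console                    1    240,112 K
unknown_helper.exe           12964 Console                    1      3,980 K
chrome.exe                    7788 Console                    1    190,004 K
"""


def split_endpoint(addr):
    """'192.168.0.25:49802' -> ('192.168.0.25', 49802); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -aon` rows into dicts. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue                       # headers, blank lines, anything unexpected
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (second column is the PID)."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            names[int(parts[1])] = parts[0]
    return names


def smtp_connections(netstat_text, tasklist_text, port=25):
    """Return TCP rows whose remote port is `port`, each tagged with its process name."""
    names = parse_tasklist(tasklist_text)
    found = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP":
            continue
        remote_host, remote_port = split_endpoint(row["foreign"])
        if remote_port != port:
            continue                       # match on the port field, not on the digits 25
        found.append({**row, "remote_host": remote_host,
                      "image": names.get(row["pid"], "<no such PID in tasklist>")})
    return found


def by_process(rows):
    """Group remote hosts by (pid, image) so one chatty process stands out."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r["pid"], r["image"])].append(r["remote_host"])
    return dict(grouped)


def lines_matching(text, needle):
    """What a plain `findstr <needle>` would return: any line containing the substring anywhere."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    rows = smtp_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT)
    for (pid, image), hosts in by_process(rows).items():
        print(f"PID {pid:<6} {image:<20} -> {', '.join(hosts)}")
    print(f"lines a plain `findstr 25` would return: {lines_matching(NETSTAT_OUTPUT, '25')}"
          f" (actual port-25 rows: {len(rows)})")
```

On the affected desktop, replace the two constants with the saved output of netstat -aon and tasklist. The mail client you actually use should show only the ISP relay; a process you don't recognise holding SYN_SENT or ESTABLISHED connections to port 25 on several different hosts is the one to investigate.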
ravenstar68
Very Insightful Person
Message 9 of 43

Re: SpamBot Letter - How to identify the device responsible?

Did you close telnet before re-running Wireshark?

$ nslookup smtp.blueyonder.co.uk
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: smtp.blueyonder.co.uk
Address: 62.254.26.220

As long as Telnet is open you'll keep seeing Keep-Alive messages. The purpose in running the test is to make sure that you can see traffic on port 25, so you know that the capture filter you put in is working.

Tim

Tmatic
Joining in
Message 10 of 43

Re: SpamBot Letter - How to identify the device responsible?

carl_pearce: Thanks for that. I'll have a look at that link.


I assume that procedure returns the name of the app sending the spam?


I'm beginning to wonder though if it would be easier and safer to restore my boot SSD (with Windows and programs which insist on being there, like AntiVirus) from a 6 month old backup, just to be sure of removing it, as it seems well hidden from MalwareBytes and BitDefender etc.


Tim - ravenstar68 - many thanks for your invaluable Wireshark guide!
I didn't realise I needed to close Telnet though. (Network stuff is a Dark Art to me).


Does it do any harm having left it open? Will the Wireshark scans after that Telnet test have still worked OK?


(Maybe that info should be in your instructions, for people like me, who barely know what they are doing!...)
