Hi - hope one of the forum moderators can help here. Like a few others I have a spambot warning notice. All the devices have been checked with - and were all running - Avira and Malwarebytes and nothing is showing so can I get some more details from Virgin please.
Thanks for the response. Virgin letter said that a device which they could not identify was sending spam emails from my internet connection. It would be good to have a few more details to try and track down the problem. This is a domestic connection, as well as checking the devices I've reset the hub, changed the passwords and blocked port 25. I've also switched off the hub Wi-Fi hot spot. So far I can't find any trace of malware or any virus on any device so it would be good to know if Virgin are able to provide some details - ideally exactly when this traffic is happening.
All the passwords changed - letter only added that Virgin would/could close down the connection under Acceptable Use and also advised that personal data, online financial transactions including credit card purchases could be at risk - so a fairly serious warning/advisory.
The advice was to go to virginmedia.com/spambot, which I have done, and to use anti-virus software - which I already do and which is still not showing any issues on the Windows devices that are connected. Obviously the iOS devices - the phones - require slightly different treatment.
To add - I have also deleted all the additional Virgin email accounts I had created so I only have one left. The advice on the spambot page suggests that the issue is a compromised email account. I thought that this would show up as sent items - as well as failed sends - in the account, but I can't see any activity in either the deleted accounts or the one still active account. I'm keen to know if Virgin have traced the traffic directly to my Hub. If not then I assume that there are some other potential ways that an email address and also an IP address can appear in spam.
The letter would have been because the particular issue had been traced back to your account's IP address. We would unfortunately be unable to identify which particular device was the cause for the infringement.
If you've taken all reasonable steps to follow this up then it is likely that you've been able to prevent any future occurrences.
I can see you've advised that you've checked your accounts for activity. Have you checked all email accounts used in your household for any unusual activity?
Yes - the ones still on the network - one Windows device is only occasionally attached so I'll look at that when it comes back. I've also run Wireshark on the main Windows machine for a day or so and can't see any SMTP activity. This is after blocking port 25 so perhaps that is not surprising. I'm obviously quite concerned that there could be a compromised device/email account on systems that have full firewalls and anti-virus running and get fairly regular health checks. I realise that as any suspect device is LAN side of the public IP address it can't be identified, but the email account can be, so I would have thought Virgin could provide those details? If the report is for an IP address then that raises some other possibilities and it would be good to know if Virgin security are able to provide samples of the headers of the e-mails so that it's possible to see in a bit more detail what might be going on. It would also be helpful to know when this traffic occurred and if it has now stopped. Not having any way to engage with the security team means that dealing with a problem I can't find is a bit challenging. The only way I can think of to check if anything has been fixed is to switch the Virgin box to modem mode, add some more network kit, fire up Wireshark and sit back and watch for a few days/weeks?
Thanks for the reply and if you can shed any further light on Virgin security that would be very helpful.
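The watch-and-wait approach described in the post above (modem mode, capture everything, look for SMTP) generates a lot of traffic to read by hand. The following is an added example, not from the thread or from Virgin Media, showing how a captured flow list (timestamp, source, destination, destination port, as `tshark -T fields` or a router log could produce) can be reduced to the two things the poster wants: which LAN host is talking SMTP and when. The 192.168.0.0/16 LAN range, the ports and the flow records are all constructed for the example; a spambot typically fans out to many different mail servers, while a genuine mail client only talks to its own submission server.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real capture data): time, src, dst, dport.
# 192.168.0.12 connects to several unrelated mail servers on port 25;
# 192.168.0.20 only uses its own mail provider's submission port and the web.
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 192.168.0.12 203.0.113.10 25
2024-01-01T09:00:02 192.168.0.12 203.0.113.11 25
2024-01-01T09:00:02 192.168.0.12 198.51.100.7 25
2024-01-01T09:00:03 192.168.0.12 198.51.100.9 25
2024-01-01T09:00:05 192.168.0.20 203.0.113.50 587
2024-01-01T09:01:10 192.168.0.20 203.0.113.50 587
2024-01-01T09:01:12 192.168.0.20 198.51.100.80 443
"""

SMTP_PORTS = {25, 465, 587}           # relay, implicit-TLS and submission ports
LAN = ipaddress.ip_network("192.168.0.0/16")   # assumed home LAN range

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows

def smtp_talkers(flows, lan=LAN):
    """Per LAN host: outbound SMTP connection count, distinct destinations, first/last seen."""
    stats = defaultdict(lambda: {"count": 0, "dests": set(), "first": None, "last": None})
    for ts, src, dst, dport in flows:
        if src in lan and dst not in lan and dport in SMTP_PORTS:
            s = stats[str(src)]
            s["count"] += 1
            s["dests"].add(str(dst))
            s["first"] = s["first"] or ts   # records are assumed to be in time order
            s["last"] = ts
    return dict(stats)

def suspicious_hosts(stats, max_dests=2):
    """Flag hosts talking to more distinct mail servers than a normal client would."""
    return sorted(h for h, s in stats.items() if len(s["dests"]) > max_dests)

if __name__ == "__main__":
    stats = smtp_talkers(parse_flows(SAMPLE_FLOWS))
    for host in suspicious_hosts(stats):
        s = stats[host]
        print(f"{host}: {s['count']} SMTP flows to {len(s['dests'])} servers, {s['first']} .. {s['last']}")
```

Running it against a real capture only works if the port 25 block is lifted for the test window, otherwise the bot's attempts never leave the hub and do not appear as flows.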
As the header can potentially contain personal information relevant to the email sender or recipient, it isn't something we would necessarily divulge; the details provided are general and non-specific due to this.
If you've followed the advice provided you will have more than likely resolved the issue. In some circumstances the breach in question can occur on a device that is only temporarily connected to your network, such as a device belonging to someone who connected to your connection during a visit.
Unfortunately we wouldn't be able to furnish you with the details you requested; if this were something we'd provide as standard practice, the letter you've received would include details on how to request this information.
If you can run checks on that occasionally connected device and ensure it is clean then it should be resolved.
If you do receive any of these emails again in the future warning of an additional strike I would recommend contacting us to let us know.
Thanks Tom - appreciate the Infosec issues. Looks like I'll just have to wait and see. I'd be happier if I'd found a root cause - unresolved security issues are not things I can leave alone so I'll need to carry on working on this. I assume Virgin can't give me either the time the traffic happened, the frequency or if it's stopped - all of which would be quite helpful. As you can see whilst I appreciate Virgin have their concerns my priority is the security of my systems in the face of a suggested breach.