Asked Tuesday, December 28, 2021, 2:48:11 · 1 answer · 8246 hits

Main question:

Is it even possible to be infected with a bot/spamming software on Ubuntu (or any other distro)?

Details:

My ISP blocked my port 25 (and 465) for outgoing connections (outbound connections, from home to remote server) to SMTP, so I can't use my business emails from home right now. Their reasoning for blocking me is: "because of you sending spam" which I'm not and they told me that if I'm not sending then my OS is probably infected...

I could use a comprehensive list of tools and guides to check the system (Ubuntu 13.10 14.04 64bit) for any infiltrates/malware/rootkits.

P.S.

  • I also have Windows 8.1 (64bit) installed just because I also like to game on my home computer... but that's what I only do on Windows...when I have time...
  • Wireless is off and even if it's on it's pass protected.
  • Scanning of windows didn't reveal anything nor should have since there's windows and games installed there.
  • I can connect to other ports for SMTP but our server uses 25 and that cannot change.
  • I also tested connecting to port 25 from windoze (using thunderbird).
  • I use thunderbird for email client on ubuntu and tested a few others just to verify that it was not a misconfig of thunderbird.
  • Telneting also outputs connection timeout...

EDIT:

My ISP still refuses to unblock me...
Maybe I'll have to open up 587 on the server, since that isn't blocked at the moment (I can still use Gmail).

EDIT 2:

I guess today I was connected with another tech from my ISP's support who told me that there isn't a block from them... I was furious!!! I don't know what the previous tech was doing... maybe he is new and was reading from a script..

So I tested another ISP via tethering from my phone and I successfully managed to send emails through port 25. Essentially I didn't change anything, only the ISP. Are they kidding me? Maybe the tech support doesn't know how to interpret what they're looking at on their screens for my account, or could it be something else?

Another step I took was to fully reset my router to its default settings and get another dynamic IP. Still no connection to port 25.

I'm planning to get a used router from some friend or something to test with another router just to be sure the problem lies with my ISP.

EDIT 3:

It's been a while since my last update to this question.
I moved back to my old house (which is in a different part of the country) where I have the same internet provider. The same company!! My settings just work as expected. I can send emails just fine using port 25. I bet the problem was with that nasty ZTE router that the ISP hands out to new customers.

Answers

Is it even possible?

Why wouldn't it be? Ubuntu is a really flexible system that shares many problems with most other operating systems:

  • Software in Ubuntu can be exploited
  • You don't need root to run a spam daemon.
  • People can crack weak authentication
  • Ubuntu users can be convinced into installing/running just about anything
  • Once in, hackers can upload/remote-download more software to send spam

Let's just be realistic about security here. A cross-platform Flash exploit could easily translate into a dropper loading and installing a spam daemon that runs itself on login. It doesn't need root.

Double-check the ISP's story

"But my ISP wouldn't lie to me!" said nobody ever. Many home ISPs do habitually block port 25 and others force you to use their SMTP servers (that's the only outgoing p25 connection they'll allow).

Being a moderator allows me to see your IP and I've checked your home ISP. If you google their name and "port 25" or "smtp", you'll see a lot of other people in similar situations. And they do have a central SMTP server.

I know you said this is a new issue but just double check it's not your ISP (or needing the right settings while on your ISP). The workaround at the end should still work for you.

Finding the problem

Though possible, I'm still not sure it's the most likely target. If you're anything like me, you're surrounded by internet connected devices and you need to look at them all.

I would start by asking the ISP for some evidence. Timestamps at the bare minimum but it would be great to see what they're using to make sure it's not an auto-flag gone wrong.

  • It could be that somebody has flagged a work email with the ISP's abuse department.

  • You need to know what OS you were using at the time. Both Ubuntu and Windows keep auth logs so compare them against any evidence they can send you.

  • Log outgoing port 25 activity with something like:

     iptables -I OUTPUT -p tcp --dport 25 -j LOG --log-prefix "mail connection"

    I'm honestly not sure if that will work if you're being blocked already but it's worth a shot. Various Windows firewalls will offer you various logging alternatives.

  • Note that any device on your connection could be sending emails, not just your computer. Phones, wifi-enabled toasters, naughty neighbours, etc. Finding whatever is sending this mail could require a network level packet interception and logging. This is all possible but it's a pain in the rear.

  • Once you've exhausted more likely avenues, take your pick of Linux antivirus software. I can't personally speak for any of them or their detection rates.

Working around a block immediately

If you need to carry on, the easiest way to carry on sending email is through some sort of obfuscated or encrypted connection. If you have access to a SSH server (eg at work) that can often be the best method.

     ssh -D9100 user@host

Then just alter your email client to use a SOCKS proxy address localhost, port 9100. Your ISP won't be able to interfere with this and I'd be very surprised if whatever's sending the spam could guess the SOCKS configuration.

What's most likely in this case...?

Check to see if you can send email through your ISP's SMTP server. I've checked, yours has one. They might be forcing all their users to use it as that's very common. The tech support person might just be confused.

Ask another user (with another account, on another telephone line) to try connecting to your company's SMTP. This can be done quickly with telnet example.com 25.

  • If they can't connect, assume this is ISP-wide —not just your account— so it's probably not a security issue... It's just something you'll have to work with or work around.

  • If they can connect, you're back at square one. There has been something sending email from your network that has triggered your ISP to block you. Virus sweeps, traffic monitoring and paranoia are your best friends here.

#26348 · Tuesday, December 28, 2021
tonhorn
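The answer suggests two manual checks: an iptables LOG rule to record outbound port-25 traffic, and a telnet to port 25 to see whether the path is filtered. The script below is an added example, not part of the answer or the question, that scripts both steps from the defender's side. It parses kernel log lines in the standard netfilter LOG target layout (the `SRC= DST= ... PROTO= DPT= ... SYN` fields; the sample lines are constructed, not real traffic) with the `mail connection` prefix from the answer's rule, and ranks LAN hosts by how many new SMTP connections they opened and to how many distinct mail servers, which separates a legitimate client talking to one server from a bot fanning out to many. It then probes ports 25, 587 and 465 with a plain TCP connect and states the conclusion the answer draws from the telnet result. Host names passed on the command line are whatever you want to test; nothing here is specific to the ISP in the thread.

```python
#!/usr/bin/env python3
"""Triage helpers for "your ISP says you are sending spam on port 25".

Part 1 parses kernel log lines written by the iptables LOG rule quoted in the
answer (--log-prefix "mail connection") and ranks LAN hosts by the number of
*new* outbound SMTP connections they opened.  Part 2 is a TCP reachability
probe for 25 vs 587/465, the scripted form of "telnet example.com 25".
"""
import re
import socket
import sys
from collections import Counter, defaultdict

# Constructed sample of netfilter LOG output (not real log data); the field
# layout is the kernel's standard LOG target format, the prefix is the answer's.
SAMPLE_LOG = """\
Dec 28 02:48:11 gw kernel: mail connection IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 02:48:12 gw kernel: mail connection IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=501 RES=0x00 ACK URGP=0
Dec 28 02:49:03 gw kernel: mail connection IN= OUT=eth0 SRC=192.168.1.37 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 02:49:04 gw kernel: mail connection IN= OUT=eth0 SRC=192.168.1.37 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=778 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 02:49:05 gw kernel: mail connection IN= OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=779 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 28 02:50:00 gw kernel: other traffic IN= OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=780 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "mail connection"
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value fields
FLAG_RE = re.compile(r"\b(URG|ACK|PSH|RST|SYN|FIN)\b")  # TCP flag words


def parse_mail_log(text, prefix=LOG_PREFIX, port="25"):
    """Count new outbound TCP connections to `port` per source address.

    Returns (attempts, destinations): attempts maps SRC -> number of bare
    SYNs, destinations maps SRC -> set of DST addresses it contacted.
    """
    attempts = Counter()
    destinations = defaultdict(set)
    for line in text.splitlines():
        if prefix not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != port:
            continue
        # Only a bare SYN marks a new connection; ACK/PSH lines belong to the
        # same session and would inflate the count.
        flags = set(FLAG_RE.findall(line))
        if "SYN" not in flags or "ACK" in flags:
            continue
        src, dst = fields["SRC"], fields["DST"]
        attempts[src] += 1
        destinations[src].add(dst)
    return attempts, destinations


def rank_sources(attempts, destinations):
    """Busiest source first: (src, new_connections, distinct_destinations)."""
    return [(src, n, len(destinations[src])) for src, n in attempts.most_common()]


def probe_ports(host, ports=(25, 587, 465), timeout=5.0):
    """Plain TCP connect per port. 'timeout' (packets silently dropped) is the
    symptom described in the question; no SMTP dialogue is attempted."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except socket.timeout:
            results[port] = "timeout"
        except ConnectionRefusedError:
            results[port] = "refused"
        except OSError as exc:
            results[port] = f"error ({exc.errno})"
    return results


def interpret(results):
    """State the conclusion the answer draws from the telnet check."""
    p25, p587 = results.get(25), results.get(587)
    if p25 == "open":
        return "port 25 reachable from here: no upstream block on this path"
    if p25 == "timeout" and p587 == "open":
        return "port 25 silently filtered while submission port 587 works: typical ISP block"
    if p25 == "timeout" and p587 == "timeout":
        return "both ports time out: check the destination host and local firewall first"
    return "inconclusive"


if __name__ == "__main__":
    attempts, dests = parse_mail_log(SAMPLE_LOG)
    for src, n, ndst in rank_sources(attempts, dests):
        print(f"{src}: {n} new SMTP connections to {ndst} distinct servers")
    if len(sys.argv) > 1:  # usage: python3 smtp_triage.py mail.example.com
        res = probe_ports(sys.argv[1])
        print(res, "->", interpret(res))
```

Run on the gateway's kernel log instead of the constructed sample (feed it `journalctl -k` or `/var/log/kern.log` output), the ranking points at the LAN address to inspect first; a host that opens many connections to many different servers in a short window behaves like a spam daemon, while a mail client repeats the same one or two destinations. The probe only tests TCP reachability, so a "timeout" on 25 alongside "open" on 587 indicates filtering somewhere between the host and the server, not an infection.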