# IP Infected



## casanova246 (May 14, 2008)

Hello
I have been using a BSNL GPRS connection via an MMX 300G USB modem for 6 months here in India. Yesterday I found out that my IP has been infected. I tried to confirm it and got the message below. I recently installed Norton security suite 4.1.0.32, Vendor Name: Comcast

IP Address 218.**.**.**

currently listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-05-30 01:00 GMT (+/- 30 minutes), approximately 2 hours ago.

This IP is infected (or NATting for a computer that is infected) with a spambot we have not yet been able to identify. For the time being we refer to it as the unknown0207 spambot. 

Please help me resolve this problem...

Thank You


----------



## dvk01 (Dec 14, 2002)

your IP isn't "infected" but it is listed as an IP that has been used by spammers 

unfortunately India is well known for spammers where people get paid a few pennies an hour for sitting in front of a computer all day long & post spam to forums or via email 

your ISP is well known for having these spammers and as a big ISP, there is no cure 

Your ISP allocates IP numbers dynamically & at random, so one day you might get that particular number & another day a different IP number


----------



## perfume (Sep 13, 2008)

DEAR CASANOVA246,
Whether you are in India or in the USA, what steps have you taken to block outright port 25 and, if you roam, port 587? Just don't blame the ISP! The Chinese and Russians do more damage, don't they? I would very much like to know why you decided that your PC has become a SPAMBOT?


----------



## dvk01 (Dec 14, 2002)

Perfume, have you read what you have written

if he blocks port 25 on his computer , he can't send emails

he isn't running a server & port 25 is OUTBOUND only on a home computer 

ISPs block port 25 inbound on their servers to stop a user using their own mail server. The ISP filters traffic so the only port 25 traffic allowed is to the ISP's own mail server & if he isn't using that mail server with the correct user name or password, he will be rejected

His PC isn't a spambot ( or probably isn't) but his dynamically allocated IP has been detected by Norton as being listed in Block lists for spamming 

Norton should NOT be detecting that IP on his own computer


----------



## Snagglegaster (Sep 12, 2006)

It looks to me as though the computer might have an infection which is trying to connect to a malicious site. There are a couple of ways you can get more info on the IP address in question. You could search the CBL database for the address, and that will give you more information about the site and why it is listed, and you could possibly find some additional information about the IP address by doing a WHOIS search.

And, of course, it's possible that this alert is a false positive, but personally, I'd try to gain as much info as possible on the IP address in question, while assuming the machine is infected and take steps to clean it.


----------



## dvk01 (Dec 14, 2002)

Snagglegaster
have you even read the post

It is HIS IP address NOT some remote IP being connected to

The whole IP range is listed in the CBL as it gets used by spammers

Those spammers who are paid to sit in an office all day & post comment spam to forums etc 

Now both You & Perfume can learn to read the posts before replying & not make stupid comments when you don't know what you are talking about


----------



## perfume (Sep 13, 2008)

dvk01 said:


> Snagglegaster
> have you even read the post
> 
> It is HIS IP address NOT some remote IP being connected to
> ...


Dear sir,
I request you to kindly peruse this excerpt from CBL as to how to secure an IP, and I quote from http://cbl.abuseat.org/nat.html

"The listed IP is a NAT. Now what do I do to secure it? In a nutshell, you *must* to find a way to prevent these viruses and spam tools managing to connect directly from the infected machine through the NAT. 
You *MUST* do this, because the CBL will *NOT* make exceptions for a NAT IP under any circumstances. We will give you breathing space to fix the problem, but we will not permanently delist a NAT. 
There are a variety of ways to do this. 
The simplest and most effective way to stop this is to configure your NAT to prohibit connections to the Internet on port 25 except from real mail servers. Not only does this stop all of these viruses and spams dead in their tracks, the NAT logs will immediately tell you the LAN address of the infected machine. 
There's a growing list of examples of how to do this at the end of this page. 
This can sometimes cause problems with customers with unusual requirements. But the benefits are huge - large providers report a *enormous* dropoff in complaints and virus problems once they do this. For example, going from a million virus complaints/problems in a month to less than a dozen. 
*The internet Provider industry now considers port 25 blocking of CUSTOMER IP POOLS to be "Best current practice"*. *You block port 25 access BY DEFAULT and only enable port 25 access ON REQUEST for static IP addresses that you believe are well run mail servers. * 
To aid in this, we point you to documentation from the Canadian Federal Anti-Spam Task Force. This contains, in part, a "Best Current Practises" for Network Managers:  Companion Document to Recommended Best Practices for Internet Service Providers and Other Network Operators, specifically item 2. 
You may also find  Full FASTF Report useful (or at least interesting). While this BCP obviously applies to Canada specifically, it is a good model to follow everywhere. 
The Messaging Anti-Abuse Working Group (MAAWG) has a document on managing port 25 that is also of interest. 
You should have a mail server that customers can use (via "smart host" or "outbound SMTP server" settings in their mail readers) to send email to the Internet. This solves almost all of the issues with port 25 blocks. 
For those customers who "roam" (particularly if your NAT is related to wireless connectivity) or use mail service provided by someone else, their mail providers should have a non-port-25 method of sending email - ie: "SMTP SUBMIT" on port 587 using SMTP authentication. Or, if there aren't many of those, you can exempt connection _to_ those mail providers from your outbound port 25 blocking. 
The above is described in somewhat more detail in the MAAWG document. 
You can also encourage your customers to use their mail provider's webmail interface if they have one. 
There are other ways to prevent outbound port 25 connections from viruses and spam, such as "outbound port 25 intercepter/filtering" arrangements and network level anti-virus "appliances". If selected and carefully configured, these can work. But they cannot be as effective as outright port 25 blocking. 
Most large providers have come around to understanding that port 25 blocking is the *ONLY* way to get a handle on compromised computers. 
Except in unusual environments (eg: wireless portals), providers report that less than 1% of their customers are affected by implementing port 25 blocking. 
You can always arrange to have an outbound mail server for your customers that isn't behind the same NAT - correctly configured customers won't have problems with their email. However, this means that your NAT will continue to be listed, and those customers who don't switch will continue to be blocked. We do not believe this to be the right thing to do, because it continues to subject the rest of the Internet to viruses spewing from your network, and those customers that don't switch may still experience problems with email. However, it is a good way to move to a fully secured NAT and allow you to gradually move customers with unusual requirements. 
Once you have implemented port 25 blocks in your NAT, delist your IP."


----------
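Added example, not part of any post above or of the CBL page: the quoted CBL text says that once outbound port 25 is restricted at the NAT, the NAT logs identify the LAN address of the infected machine. The sketch below does that triage over netfilter-style LOG lines; the sample lines, the `SMTP-OUT:` log prefix, the LAN range 192.168.1.0/24 and the mail server 192.168.1.10 are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: netfilter LOG lines for outbound SMTP seen at the NAT.
# The "SMTP-OUT:" prefix and all addresses are assumptions for illustration.
SAMPLE_LOG = """\
May 30 01:00:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25 SYN
May 30 01:00:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=25 SYN
May 30 01:00:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40110 DPT=25 SYN
May 30 01:00:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.80 PROTO=TCP SPT=51000 DPT=587 SYN
May 30 01:00:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=49154 DPT=25 SYN
May 30 01:00:06 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=25 SYN
May 30 01:00:07 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1. PROTO=TCP DPT=25
"""

LAN = ip_network("192.168.1.0/24")            # assumed LAN behind the NAT
MAIL_SERVERS = {ip_address("192.168.1.10")}   # assumed "real mail server"
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")       # KEY=value tokens in a LOG line


def smtp_offenders(log_text, lan=LAN, mail_servers=MAIL_SERVERS):
    """Return [(lan_host, attempts, distinct_destinations)] for direct
    outbound TCP/25 from LAN hosts other than the allowed mail servers."""
    attempts = Counter()
    dests = {}
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # port 587 submission and other traffic is not the signal
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed log line
        if src not in lan or src in mail_servers or dst in lan:
            continue
        attempts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return [(str(h), n, len(dests[h])) for h, n in attempts.most_common()]


if __name__ == "__main__":
    for host, n, fanout in smtp_offenders(SAMPLE_LOG):
        print(f"{host}: {n} direct port-25 attempts to {fanout} destinations")
```

A workstation that contacts many different external mail servers directly on port 25 is the pattern the CBL text describes; a mail client configured for a smart host or for port 587 does not appear in the result.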



## TerryNet (Mar 23, 2005)

*perfume*, *dvk01* has already patiently summarized all that stuff that you quoted. He also pointedly told you to read the posts and stick to what you know about. I have given you a 7 day ban while I ask around to see why you haven't already been banned.


----------



## dvk01 (Dec 14, 2002)

To make it perfectly clear to Perfume & anyone 
The poster has NO control over that IP number
To make it 1000% clear, every post from the original poster has come from a different IP number within the same range & he has never used the same IP number twice

It is a dynamically assigned IP number. That means in plain & simple English, that the ISP allocates the IP number to a customer at random. A customer logging on, might get that IP number 1 time, a different one the next time he logs on & a different one the time after, or he might get the same one twice in a row
@Perfume, what you have quoted is a guideline to an ISP not to an end user. Learn to read in context & stop making a fool of yourself 


> The internet Provider industry now considers port 25 blocking of CUSTOMER IP POOLS to be "Best current practice". You block port 25 access BY DEFAULT and only enable port 25 access ON REQUEST for static IP addresses that you believe are well run mail servers.


----------



## dvk01 (Dec 14, 2002)

casanova246 you say you are using Comcast version of Norton. That has been configured for US cable customers of Comcast & that would indicate to me that you are using a stolen or pirated version & that is why you are getting the alerts 

Please explain how a customer in India using wireless is legitimately using a Comcast version of Norton


----------



## Snagglegaster (Sep 12, 2006)

dvk01 said:


> Snagglegaster
> have you even read the post
> 
> It is HIS IP address NOT some remote IP being connected to
> ...


That's rude. Does the forum have a different set of rules for moderators?


----------



## TerryNet (Mar 23, 2005)

One set of rules, *Snagglegaster*. I don't see how anybody can interpret the entire quoted post as rude, so maybe if you point out to dvk01 the specific part(s) that you find rude he will respond to you. Not likely for hours, considering his time zone. Such hurt feelings as a result of a moderator's comments are usually better handled by PM to him/her. If no resolution that way the issue can be addressed to an Administrator (again, privately).


----------



## Snagglegaster (Sep 12, 2006)

dvk01 said:


> Snagglegaster
> have you even read the post
> 
> It is HIS IP address NOT some remote IP being connected to
> ...


Well, might as well be hung for a sheep as a lamb. I think there are some misconceptions about CBL being distributed on this thread. Let's go right to the Composite Blocking List homepage and see what they have to say. Let's look at a couple of excerpts:

*"The CBL only lists individual IPs, it NEVER lists ranges.*

The CBL does NOT care whether an IP is dynamic or not, if connections the IP makes indicate that it's infected, it is listed regardless."

CBL.org also has the following remark about dynamic IP addresses:

"As we've mentioned earlier, CBL listings that interfere with legitimate email are almost ALWAYS as a result of virus-infected machines.

The difficulty with dynamic IP addresses is that you may not have had this IP address at the time the virus was infected, so there is nothing you can do to prevent a relisting. Furthermore, the next time you connect, you may well get a new IP address that's already listed."

In other words, if you are using an Internet Service Provider that has many infected computers connected to it, you might find your IP address continually listed. Of course, there are certainly many pieces of malware that can generate a false IP address on an infected computer. Overall, while perhaps having some second thoughts about some bit of malware redirecting the IP address, I still think the local computer is infected.


----------



## dvk01 (Dec 14, 2002)

Snagglegaster

you haven't read his post carefully enough or understood about cbl lists

he has a version of Norton, that has been customized for Comcast USA customers. It will alert on IP numbers outside the Comcast range for one thing

It is extremely unlikely his computer is infected. The poster has posted 14 posts all with different IP numbers from the same IP range

Every one of those numbers as is every other number in that IP range is listed in the cbl lists because they are used by professional spammers. There may well be infected computers on that network as well but that ISP is well known for having open proxies & is also well known as an ISP that professional spammers use 
The Indian companies see it as legitimate marketing techniques 

we see it as spam and deal with it as spam

90% of the IP numbers listed in the CBL list coming from India are not due to infected machines but due to a team of people sitting in an office being paid pennies per hour to post spam to forums or email lists


----------



## Snagglegaster (Sep 12, 2006)

dvk01 said:


> Snagglegaster
> 
> you haven't read his post carefully enough or understood about cbl lists
> 
> ...


Good enough. I don't have any way to view the IP addresses of anyone posting on the forum. Perhaps, to avoid future misunderstandings, it might be worthwhile to make the issue explicit. I understand you have access to resources I don't, as well as perhaps more experience.


----------



## dvk01 (Dec 14, 2002)

Snagglegaster said:


> Good enough. I don't have any way to view the IP addresses of anyone posting on the forum. Perhaps, to avoid future misunderstandings, it might be worthwhile to make the issue explicit. I understand you have access to resources I don't, as well as perhaps more experience.


That is why it is a good idea to walk on past topics that have been answered already, unless you have something beneficial to add to it

There are always countless unanswered posts on the forum, so to attempt to answer a topic that has already been answered with wrong/misleading information is pointless and just makes you look foolish 
Take time to read all the posts in a topic fully and completely before posting advice that is contrary to what has been posted


----------



## valis (Sep 24, 2004)

snaggle:

A good (very good) rule of thumb to follow is that if you see someone who has a shield next to their name, cede way. They've worked extremely hard to get that shield, and in the case of dvk01, there are few, if any, better at malware removal than he. 

If you see a post wherein a shielded member who is ALSO a moderator, it's best just to let them handle it, as I can guarantee you that they will know more about the situation than you or I.

thanks, 

v


----------

