Have you been hijacked?
On December 29, 2006 I tried to leave a comment on a friend's blog. The comment was denied because my IP was a spammer.
A visit to a site that lists IPs that have been flagged for spamming confirmed that my IP had been flagged.
WTF!
I spent the next few hours before I went to see Lewis Black trying to track down any trojan or other program that someone could be using to send out that crap from my IP.
I found. . . nothing.
I scanned my computer for exploits…everything was clean.
I scanned my computer for AnalogX (an open proxy that cannot be made secure)… not on my computer.
Wingate? Same results. Squid? Same results.
I ran Netsky, MyDoom, and Beagle removal tools. All three worms were not found on my computer.
I ran WebDefender (anti-virus program from Microsoft), clean.
I ran SpyBot Search & Destroy and found a bunch of tracking cookies but not much else.
I paid for and downloaded Ad-Aware SE Plus and ran that program. It found a lot of suspicious possibilities mostly associated with IE.
Ad-Aware SE Plus comes with a program called Ad-Watch SE Plus that basically is a live scan for anyone trying to hijack your computer. It's the reason I decided to cough up the extra money instead of downloading Ad-Aware for free.
So what did I find out after all of that? Well, one site (dnsbl.sorbs.net) informed me that the IP was first flagged way back in October 2003. I didn't have a problem until December 2006.
In other words, it's a damn Dynamic IP that someone else was using when one of two things happened: 1) their computer was hijacked; 2) they sent the spam themselves.
Now I'm paying for the problem.
My IP is not as Dynamic as I'd like to think. A truly dynamic IP would be changed every time I logged off and then back on. I've had this particular IP since at least Dec. 29.
I have a broadband cable internet connection. I've unplugged the modem and unscrewed the cable connection. I still come back to the same IP. My next step is to contact my provider, let them know about the problem, and hope that they reset the IP.
Update: I just got done chatting with a person from RoadRunner and tonight I will unplug the modem and leave it unplugged until the morning. I might not need to leave it unplugged for that long but it should ensure that the bad IP is no longer mine in the morning. I'll probably run a virus scan tonight while the modem is unplugged as well. Just to be on the safe side.
The NY Times has a very interesting article today about how spammers are hijacking computers to send out their junk. It seems the spammers are winning right now.
Attack of the Zombie Computers is Growing Threat
Want to see what your IP is? Go to IP Chicken
Want to check to see if your IP has been listed as a potential spammer? Go to DNSStuff.com. Put your IP address in the first box in the middle column and click Lookup.
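
A blocklist such as dnsbl.sorbs.net is queried over DNS: reverse the IPv4 octets, append the list's zone, and ask for an A record; an answer in 127.0.0.0/8 means the address is listed, and "no such name" means it is not. The sketch below is an added example, not part of the original post; the address 192.0.2.45, the zone dnsbl.example.net and the stub resolver's answers are constructed so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the blocklist's DNS zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return (status, answer). `resolve` is injectable for offline testing."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            return "unknown", None      # resolver trouble, not a verdict
        return "not listed", None       # no such name: the list has no entry
    if ipaddress.IPv4Address(answer) in LOOPBACK:
        return "listed", answer
    # Some resolvers rewrite "no such name" into a real address (for example
    # a search page); that must not be read as a listing.
    return "invalid answer", answer

def stub_resolver(name):
    """Constructed stand-in for live DNS; every answer here is sample data."""
    table = {
        "45.2.0.192.dnsbl.sorbs.net": "127.0.0.10",     # constructed listing
        "45.2.0.192.dnsbl.example.net": "203.0.113.7",  # constructed rewrite
    }
    try:
        return table[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    samples = [("192.0.2.45", "dnsbl.sorbs.net"),
               ("192.0.2.46", "dnsbl.sorbs.net"),
               ("192.0.2.45", "dnsbl.example.net")]
    for ip, zone in samples:
        print(ip, zone, check_dnsbl(ip, zone, stub_resolver))
```

Calling `check_dnsbl(ip, zone)` without the third argument uses the system resolver for a live query.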

Big Gay Al:
I ran into this same problem when I went to send email one day last month (Dec. 2006). That's when I first found out about sorbs.net. I recommend you check out http://en.wikipedia.org/wiki/SORBS . Specifically, changing your IP address will not necessarily fix your problem.
Something you need to know, the previous user of your IP address may not have done any sort of spamming with it. Sorbs just likes to flag entire blocks of DYNAMIC IP addresses. I found out that virtually all of my ISP's IP addresses are on their list.
My email provider's solution, change the port from 25 to 587. I was mad at my email provider/webhost for going with sorbs in the first place, so I switched to a different company after I checked with them to see if they were going to use sorbs.
In any event, good luck.
7 January 2007, 8:30 pm

Laura:
Thanks for the information, Al. I wasn't aware of the issue with SORBS. When I entered the IP into DNSstuff I found that it was also listed with spamhaus and njabl. While similar to SORBS, I couldn't find information about any controversy connected to them. Granted, I didn't look through all the hits I found at Google.
jan:
I had a regular reader who was suddenly told by Typepad that she might be a spammer. When I told Typepad about the problem they said they "had been working on this problem and were close to a solution." Don't you love it? She hasn't had any problem since then. So they apparently fixed it. Maybe the problem isn't with you at all.
Since I haven't had trouble with spam, I don't have my commenters put in a code, but sometimes Typepad will take it on themselves to ask for a code. I don't mean to complain about Typepad since they have been really worry free and very responsive.
Too much football this weekend. I hope some of this makes sense.
7 January 2007, 11:09 pm

Kyle Korleski:
I wonder if my site/IP has been flagged as well…
7 January 2007, 11:54 pm

Tylonius:
I'm not trying to turn this into a Mac vs. PC debate, but it is worth noting that Macs don't have these sorts of problems.
Of course, now that I've said that…
Seriously, though, were I a Microsoft customer (beyond my use of WinXP via Parallels), I would be outraged at their inability to stem the tide of viruses, spyware and other malicious software.
Especially knowing how my many Mac servers over the years have run trouble-free for months on end (and with static IPs), and such attacks have never been an issue.
The solution, I believe, is to demand more from Microsoft; or else break on through to the other side.
8 January 2007, 9:03 am

Big Gay Al:
This has nothing to do with Macs or PCs, it has to do with a company scamming the rest of us by labeling our dynamic IP addresses as possible SPAMMERS. This affects email and possibly other settings as well. IF your email client uses port 25 (and most do) then you could be blocked from sending email. It's a minor pain in the butt.
8 January 2007, 10:07 am

Tylonius:
Big Gay Al wrote:
Yes and no.
In instances where an IP address from your ISP's stable has been legitimately flagged as being that of a spammer, it's as likely as not that the person who had it at the time it was flagged was not actively engaged in sending spam.
Rather, their computer may have been host to one of the thousands of malicious programs out there that take advantage of Windows' sloppy infrastructure to send out spam in the background, or during the machine's idle cycles.
Whether or not SORBS is a scam isn't really relevant. If Microsoft would take the necessary steps to make Windows less susceptible to such attacks, SORBS itself would become irrelevant.
To be fair, a Mac is not the only alternative to such failings. Linux is likewise relatively virus, spyware and botnet-free. The UNIX underpinnings of both of these OSs provide for a hostile environment for such nasty buggers, unlike the petri dish that is Windows.
Again, I would demand more from Microsoft than yet another "security patch."
8 January 2007, 2:00 pm

Big Gay Al:
Except, they don't just block ONE IP address. They block EVERY Dynamic IP address from ONE ISP. In my case, AT&T (Used to be SBC). And they target mostly Dynamic IP addresses, so in my mind, that makes it a scam. Specially since you have to make a "donation" to get "de-listed."
8 January 2007, 2:34 pm

Bes:
That is scary. The current way of blocking ip's is starting to be annoying. If a network has a single ip [like in a computer library with over a 100 computers], then having all the computers blocked from a certain site because of one spammer is very annoying. Did Ad-Aware SE Plus tell you that the ip was blocked?
Roadrunner packages may have a dynamic ip if you request them. Depending on which area you are located in and which company in the vicinity they gobbled up [Adelphia or Comcast], your ip may change automatically soon because of being transitioned onto the new network. This will require a small power cycle; turn off the modem for 3 minutes and turn computer on too. Then turn the modem on and after a minute or two turn the computer back on. I usually turn everything off and on right away and it works.
8 January 2007, 6:57 pm

Big Gay Al:
The sad part is, it's likely not just one IP address from that ISP. There's probably an entire string, if not the entire network that's blocked.
8 January 2007, 9:35 pm

Tylonius:
I found that my static IP (formerly part of a stable of dynamic IPs) was listed with SORBS. I filled out a small form and my request was processed the same day. At no time was I asked for any money.
The "donation request" appears to be limited to active spammers:
9 January 2007, 8:35 am

Joefish:
This is the only kind of zombie I don't really like. I've dealt with that sort of thing before. But for me, but you know, I'm a fix-it guy.
9 January 2007, 12:14 pm

Big Gay Al:
Ok, but I'm not a spammer, never have been, never will be, they refused to de-list my IP address. If I've never spammed anyone, why should I pay a fine?
Sorry, it's a scam. In my opinion that is.
9 January 2007, 1:43 pm

Laura:
Sorry Tylonius, but I'm going to agree with Al that SORBS is a scam. I filled out their form and was declined. If they are forcing 'net providers to deal with them to clear their dynamic IPs (which seems to be the case in my situation) then they must be getting something from their actions. I also have to agree that it isn't right of any group to blacklist entire IP strings.
Joefish, I think I've told you this before. You need to move near me so you can fix my computer whenever I have problems like this. Yeah, I know I could (and did) do it myself, but it would be nice to have my own personal computer repair guy at my beck and call.