I'm being Joe-Jobbed from an NTL address


BootBoy
02-06-2004, 20:13
Help!!!

I recently started getting email bounce notifications to two of my domain addresses. After tracing the headers, it appears the spammer is on the NTL network.

I would dearly like to know who is doing this and why, but I understand that it would be more than somebody's job's worth to divulge that info.

I would however like to see the offending machine removed from the network.

Can anybody help me?

I am going to mail the NTL abuse address with the info, but I know that responses from AUP can be a little slow.

I have the octet and the long address and can either post it here if that's acceptable, or PM it to anybody that may be able to help.

Thanks in advance for any replies.

Tony

Chris W
02-06-2004, 20:29
Fill in the form at www.ntlworld.com/netreport.

If someone is spamming from an ntl IP address, the AUP will soon pick up on it and block them anyway.

If you have the IP address, PM it to me (and the full headers if you can), and I will have a look at this for you.

MB

BootBoy
02-06-2004, 23:31
Thanks for the offer Monkey. I've PM'd you some details and I have also filled in the form.
I am interested in the originator of these spams, as they appear to be coming from a machine around Leeds, which is where I am.

I guess it could be that someone with my address in their address book has been compromised, and the spam engine is picking names at random. If that's the case, it will probably be me that has to go fix that machine.
I am the "free PC support" dude for several machines in Leeds. That would be an irony, would it not? Being Joejobbed from a PC I maintain!

What goes around, comes around.

Chris W
02-06-2004, 23:47
LOL

I have passed the information to the appropriate people, but I can't give you any information about who the spam is coming from because of data protection; hopefully it will all be fixed soon ;)

If someone has a virus on their PC then they will be given appropriate links to fix it, and if it is deliberate spamming, then other action will be taken.

MB

Russ
02-06-2004, 23:51
If only Fraz still posted here.......

Chris W
02-06-2004, 23:52
If only Fraz still posted here.......
:confused: :confused:

Russ
02-06-2004, 23:54
You know, the guy who used to work for ntl's AUP....

BootBoy
03-06-2004, 00:01
Fully understand the DPA implications; I am in IT in a different context (in-house development/analysis on midrange machines).

I expect to get a call from a family member or friend in the next couple of days: "I can't access the 'net and I'm getting this page that says stuff I don't understand."
In which case all is well and I can go and fix it for them. If it isn't somebody I know with a compromised machine, then I'm at a loss to understand why anybody would (or even could) pick my private and personal email address to use as a return in a spam mailshot.

I intend to visit all my family/friends machines before the weekend, to eliminate them from my enquiries.

brianlb
03-06-2004, 00:56
I have been receiving numerous e-mail notifications that messages I am supposed to have sent are undeliverable: almost all of these have been addressed to ntlworld.com recipients. I have not myself sent any of them. Several have had attachments which have been deleted as infected by Norton AV. Most have been "returned" as undeliverable because the recipient's mailbox is full or its quota has been exceeded -- which suggests that they have been receiving hundreds of virus-initiated messages, some or all of them infected. I receive around 200 spams every day addressed to my ntlworld.com address and around 10 to 15 of these contain viruses (mostly netsky) detected and quarantined by Norton AV. I delete them from my Inbox and from the quarantine folder in Norton.

I have been assuming that as Norton has eliminated all infected files that it has found, the messages supposedly sent from my PC have actually been sent from the PC of someone else who has my ntlworld.com address in his or her address book. But now NTL appears to be saying that the messages have actually come from my PC. A web page has appeared in my browser which appears to come from NTLHome (my ISP is ntlworld.com) containing the following message:
"Virus Infection Alert
You have been redirected to this page because we can see from messages coming from your internet connection that your computer has been infected with the NetSky virus.
This virus will not cause any serious damage, and you may not even know that your PC is infected. However because of the way the virus sends out masses of instructions onto the internet, it is slowing down your connection speed as well as causing congestion on our network, affecting the connection speeds of all our customers, and you must disinfect your computer before we can allow you to connect to the ntl network again.
Your computer can be disinfected and ready to browse the internet again in a few minutes by following this simple process. Please click on the link below to continue."

The NTL web page invited me to download and run a McAfee virus checker (stinger.exe) which I did. Before deciding whether to run stinger.exe, I did a virus scan with Norton AV of my whole hard disk. It found no infected files. I then ran stinger.exe which also didn't find any infected files. I was then able to access other websites.

My Windows XP firewall is activated, I use a dialup connection, and my Windows updates are up to date.

This seems to confirm that the infected messages which pretend to be coming from my PC are in fact coming from someone else's PC that has my e-mail address in its address book. If so, running stinger.exe on my own PC won't stop these messages from going out and I shall soon get blocked again by NTL and forced to run stinger.exe again (it took about 45 minutes to scan my HD). How do I convince NTL that my system is not infected in spite of all these messages going out in my name?

Urgent advice would be welcome!

Brian

Chris W
03-06-2004, 08:16
ntl will work out who is sending spam/virus-infected mails by IP address, not the name appearing on the email.

Wait and see if you get put back on the walled garden service again.

Scarlett
03-06-2004, 08:30
ntl will work out who is sending spam/virus-infected mails by IP address, not the name appearing on the email.

Wait and see if you get put back on the walled garden service again.

If that's the case then it's probably nothing to do with brianlb; I thought that dialup IPs are assigned dynamically as people log on.

In which case the solution provided by NTL of moving that IP to a walled garden area until they have run anti-virus stuff is not going to work for the dialup subscribers. (It might not even work for BB, but a BB subscriber is still likely to retain the same IP each day.)

Chris W
03-06-2004, 08:40
If that's the case then it's probably nothing to do with brianlb; I thought that dialup IPs are assigned dynamically as people log on.

In which case the solution provided by NTL of moving that IP to a walled garden area until they have run anti-virus stuff is not going to work for the dialup subscribers. (It might not even work for BB, but a BB subscriber is still likely to retain the same IP each day.)

Ah hah... misread that he was a dialup cmr. The IP address from the headers of the emails is checked and the appropriate account that had that IP address at the time is located. I am not exactly sure how the process works for DU cmrs, but I can assure you that there are processes to ensure that the right cmr is put into the walled garden.

brianlb
03-06-2004, 09:41
Ah hah... misread that he was a dialup cmr. The IP address from the headers of the emails is checked and the appropriate account that had that IP address at the time is located. I am not exactly sure how the process works for DU cmrs, but I can assure you that there are processes to ensure that the right cmr is put into the walled garden.
I'm only a dialup customer because (although I'm in the heart of London) I can't get BB either from BT (the exchange is BB enabled but more than 6 km away) or NTL (which I use for telephone, TV and internet access but which hasn't been upgraded for broadband and seems unlikely ever to be upgraded, since it would cost NTL money...).

But that's another story. For the time being, my internet access has been restored (hence this message!). Watch this space....

Thanks for the comments. I'm still at a loss to know how NTL knows which PC infected messages are coming from if the IP changes every time I dial up. And if they really have a way of identifying the infected PC, why do they tell me that they have detected an infection in my PC when there pretty evidently isn't one? Is puzzlement.

Brian

BootBoy
03-06-2004, 10:18
I'm only a dialup customer because (although I'm in the heart of London) I can't get BB either from BT (the exchange is BB enabled but more than 6 km away) or NTL (which I use for telephone, TV and internet access but which hasn't been upgraded for broadband and seems unlikely ever to be upgraded, since it would cost NTL money...).

But that's another story. For the time being, my internet access has been restored (hence this message!). Watch this space....

Thanks for the comments. I'm still at a loss to know how NTL knows which PC infected messages are coming from if the IP changes every time I dial up. And if they really have a way of identifying the infected PC, why do they tell me that they have detected an infection in my PC when there pretty evidently isn't one? Is puzzlement.

Brian
My guess would be that they can match your MAC address to your customer details, in which case you should not have been walled.
If they just wall the IP address (despite it being returned to the pool and re-leased) then there is a problem with the way they identify compromised machines.

Or it could be that the IP was walled while it was leased by the spammer, who then released it and was picked up by you with the restrictions still in place.

I'm guessing.:dunce:
Perhaps someone who really knows how it works will post a reply.

Matth
03-06-2004, 23:20
Dialup modems don't have a mac address - I guess the way they trace it is by the login - presumably the login for each IP address is recorded.

Chris W
04-06-2004, 00:17
Dialup modems don't have a mac address - I guess the way they trace it is by the login - presumably the login for each IP address is recorded.

Urm... am I wrong in thinking that every device that connects to the internet has a MAC address??

I thought the dua worked in a similar way to the USB connection: the USB will create a MAC address one character different to the cable modem it is connected to.

I may well be wrong though :shrug: and yes, I would assume, although I don't know, that each login attempt is recorded.

MB

Matth
04-06-2004, 22:08
Every ETHERNET device has a MAC address, but dialup modems don't (do ADSL USB devices have a MAC address?).
NOW I'm baffled, my PPP adapter (the modem I'm not using) shows a MAC address in winipcfg - 44:45:53:54:00:00 - I suspect it may be faked by Windows.

In ADSL, I believe there IS an authentication - it seems to operate like a "Dialup networking" connection.

In NTL CABLE, you have your MAC address, and your typically 99% consistent IP address.

In NTL (or any other) dialup, authentication (probably wrong to call it log in) is performed, so they must have the capability to log which user an IP was assigned to at that time, to be able to do anything about abuse.

brianlb
04-06-2004, 22:30
[snip] In NTL CABLE, you have your MAC address, and your typically 99% consistent IP address.
In NTL (or any other) dialup, authentication (probably wrong to call it log in) is performed, so they must have the capability to log which user an IP was assigned to at that time, to be able to do anything about abuse.
So it may be relevant that I'm using an NTL cable (telephone) connection *and* NTL dialup.

Incidentally I'm still getting lots of messages purporting to have come from my (virus-free) PC and "returned" to me as undeliverable for various reasons -- mainly exceeding the recipient's mailbox quota. So no doubt NTL soon will be cutting me off and demanding that I debug my computer again. And there seems to be nothing I can do about it apart from changing my e-mail address, which for various reasons would be incredibly inconvenient.

The whole thing seems wrapped in a mystery inside an enigma, though, even for all you tecchie chaps.

Cheers!
Brian

Halcyon
08-06-2004, 01:27
Most of the ones I get are from some address called SamSeventy.

Paul
08-06-2004, 01:47
Urm... am I wrong in thinking that every device that connects to the internet has a MAC address??

Well yes, and no. ;)

Dialup modems do not have a MAC address - but when you connect to a network they are assigned a dummy one by DUN.


Incidentally I'm still getting lots of messages purporting to have come from my (virus-free) PC and "returned" to me as undeliverable for various reasons -- mainly exceeding the recipient's mailbox quota. So no doubt NTL soon will be cutting me off and demanding that I debug my computer again.
All the netsky and a few other worms spoof the sender address from the address books on the infected PC, so someone who has you in their address book is infected. You should be able to trace the IP of the infected machine(s) from the e-mail headers. It is nothing to do with your machine and NTL should be well aware of this fact.

brianlb
08-06-2004, 22:24
All the netsky and a few other worms spoof the sender address from the address books on the infected PC, so someone who has you in their address book is infected. You should be able to trace the IP of the infected machine(s) from the e-mail headers. It is nothing to do with your machine and NTL should be well aware of this fact.
Thanks. I've tried to work that out but without success. If I were to post here the full source code of one of these "returned" messages, would you be able to spot the IP of the infected machine? It would make for a rather lengthy message, is all...

Cheers
Brian

Chris W
08-06-2004, 22:38
Thanks. I've tried to work that out but without success. If I were to post here the full source code of one of these "returned" messages, would you be able to spot the IP of the infected machine? It would make for a rather lengthy message, is all...

Cheers
Brian

If you are using Outlook Express, right-click on the message and choose Properties, then Details. Copy and post what is in there and I will tell you which IP address you are looking for ;)

MB
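As an added example (not code from this thread, from ntl or from any of the posters), here is how the two steps discussed above fit together: pull the originating IP and timestamp out of the Received: headers of a returned message, trusting only the hop stamped by the ISP's own relay, and then match that IP and time against dial-up session records to find the account that held the address at that moment (Chris W's "appropriate account that had that ip address at the time"). The headers, the relay domain isp.invalid and the session records are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not a real bounce: headers of the worm-sent message as returned
# inside the bounce. From: is forged, and so is the bottom Received: line, which the
# sending machine wrote itself; only the hop stamped by the ISP's relay is reliable.
RETURNED_HEADERS = """\
Received: from relay.isp.invalid (relay.isp.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP; Thu, 03 Jun 2004 09:15:42 +0100
Received: from yoga (dialup-77.isp.invalid [203.0.113.77])
\tby relay.isp.invalid with SMTP; Thu, 03 Jun 2004 09:15:40 +0100
Received: from forged.example [198.51.100.9] by yoga; Thu, 03 Jun 2004 09:15:00 +0100
From: tony@example.invalid

"""
TRUSTED_DOMAIN = "isp.invalid"  # assumption: the domain of the ISP's own relays
HOP = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+).*;\s*(.+)$")

def originating_hop(raw, trusted_domain=TRUSTED_DOMAIN):
    """(ip, datetime) of the host that handed the mail to the ISP's relay. Received:
    lines are prepended, so walk top-down and keep the last hop stamped 'by' a trusted
    host; anything below it may have been forged by the sending machine."""
    found = None
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(hdr.split()))  # unfold continuation lines
        if m and m.group(2).rstrip(".").endswith(trusted_domain):
            found = (m.group(1), parsedate_to_datetime(m.group(3)))
    return found

# Constructed RADIUS-style accounting records (account, ip, start, end or None if still
# open). The same dial-up IP is re-leased three times in one morning, hence lookup by time.
SESSIONS = [
    ("account-a", "203.0.113.77", "Thu, 03 Jun 2004 07:00:00 +0100", "Thu, 03 Jun 2004 08:30:00 +0100"),
    ("account-b", "203.0.113.77", "Thu, 03 Jun 2004 08:45:00 +0100", "Thu, 03 Jun 2004 10:10:00 +0100"),
    ("account-c", "203.0.113.77", "Thu, 03 Jun 2004 10:20:00 +0100", None),
]

def account_for(ip, when, sessions=SESSIONS):
    """Account that held `ip` at `when`, or None if no session covers that moment."""
    for acct, sip, start, end in sessions:
        if sip == ip and parsedate_to_datetime(start) <= when and (
                end is None or when < parsedate_to_datetime(end)):
            return acct
    return None

def trace(raw):
    """Returned headers -> (originating IP, account holding it at that moment)."""
    hop = originating_hop(raw)
    return None if hop is None else (hop[0], account_for(*hop))
```

`trace(RETURNED_HEADERS)` picks 203.0.113.77 at 09:15:40 and resolves it to account-b, not the earlier or later holder of the same address, which is the only way a walled-garden redirect can land on the right dial-up customer.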

BootBoy
09-06-2004, 22:16
Oh well.

I filled in the form, I sent an email to abuse, and all I got for my troubles was an autoresponse with an incident number.

I'm still getting the mails with viruses attached to them. These do, however, come from a different machine, but still in Leeds on the NTL network.

Luckily, so far I've had nobody screaming abuse at me, but I guess it's only a matter of time.

Nice of NTL to get back to me with what they are doing about this.:td:

Chris W
09-06-2004, 22:40
ntl will probably be receiving thousands of these reports per day because the netsky and bagle viruses are so prominent at the moment, so don't expect to get a response from the abuse department.

But trust me things are being done so the problem shouldn't go on for too much longer. ;)

BootBoy
09-06-2004, 23:02
ntl will probably be receiving thousands of these reports per day because the netsky and bagle viruses are so prominent at the moment, so don't expect to get a response from the abuse department.

But trust me things are being done so the problem shouldn't go on for too much longer. ;)
I know mate, it's just infuriating to not get a response. I know as users of the network it's in our interests to report this kind of thing, but we are acting as the eyes and ears for NTL. It would be nice just to be able to get closure on incidents that we report, just to reassure ourselves that the form filling is worthwhile.

Look at mynetwatchman for example: many ISPs report back to them with the action they have taken to remove problem machines from the web. It's satisfying to know that another abuser has been removed for all our sakes. If others can do it, then I'm sure NTL could if they had the motivation.

I had some Email correspondence with a guy called Michael James who works in Technical support a while back. He was very helpful and tried to answer my questions, but skipped over my question about mynetwatchman.

Even if it was just a simple web page that aggregated the incidents reported and commented on the resolutions.

I'm sure there are many fine people doing what they can to keep the network a secure place, but unless there is feedback, there will be cynics like me moaning about lack of action!:bigcry: