There's a PC out there somewhere in the internet (well I know in Australia at least), that's infected with a virus. It's sending masses of emails to us and no doubtedly to many others.

In the spirit of trying to help, how could I let the user know they are infected? It's a dynamic IP, but starts at least once a day from the same ISP. e.g. I now know it's current IP address.

I tried to net send, but that seems to not work. I thought it was NetBeui only anyway apparently it's TCP.

Any suggestions? Normally I'd let it slide, but this is beyond a joke now - it's been going on for a month and just recently it seems to have acquired the I-Worm.Bagle.au as well.

All I want to do is get a message to them that they are infected. Although that would look like a scam to me, this person obviously has no clue and would probably do what I tell them.

Contact their ISP?

Yeah forgot to mention I tried that. They didn't want to know.

nmap gave me this:

25/tcp filtered smtp
80/tcp open http
81/tcp open hosts2-ns
111/tcp filtered sunrpc
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
635/tcp filtered unknown
1025/tcp open listen
1026/tcp open nterm
3128/tcp filtered squid-http
5000/tcp open fics
6667/tcp filtered irc

Interesting port 25 is filtered. Can't work out what's on port 80 and 81 though.

Just my challenge task for the day

Hmmm, what are the contents of the message? For several weeks I was getting 4-5 virus-laden messages from [email protected] (Blue Cross Blue Shield of Tennessee). I wasn't sure if it was legitimately coming from them or if the address was spoofed.

Don't know exactly since my email server removes virii from emails. It's definitely spoofing email addresses though because I can see from the header it's coming from the the same IP address, but the sender address changes.

Almost all email virii these days are spoofed using addresses stolen from the user's address book.

If you can't find the user specificaly, make the ISP *want* to know. Go to their upstream provider and tell them the ISP is willingly letting a mail attack propagate. When they get their service cut off, they'll care.

Bruno

we had a similar problem a few months ago except we were being Joe Jobbed, with 30% of the mails coming from verifiable Comcast addresses.
In the end we had around 200-300K emails and our external mail system was crawling for a few days.
So far Comcast have yet to reply to our requests.

All it means for us is that next time it happens, we just drop anything from the comcast subnets.

You might get lucky searching for the hostname or IP address in google and getting a real email address, but in general it's useless.

Seriously, there has to be a way to get these ISPs to care. The ISPs seem like such a single point of success for blocking so much of the malicious traffic that's coming from zombie home user DSL/cable connected PCs.

Why can't they block SMTP on their residential user subnets? Are home users really allowed to "run mail servers"? And why leave open 135, 137, 445, etc. Couldn't these ports be "open by request to ISP" instead? Would make it more labor intensive for malicious users to harass the world.

If ISPs were just good neighbors and instituted some reasonable policies, it would help to squash the spam-sending, viri-propogating, DDoS-running zombie organized crime botnets taking advantage of every insecure XP Home connected to a nonfirewalled Cable modem.

(and, within the last week or so, IPs in austrailia sent me at least two highly targeted phishing e-mails to my consumer DSL e-mail address)

My ISP explicitly allows this. I would be pissed off if they changed their policy, as it's a large reason I chose them. I don't want someone playing mother hen. I know how to run my own computers and network, thanks. On the other hand, it might make sense for the AOL-type ISPs out there to block this sort of stuff, at least by default.

Ditto Rob. I run a mail server on a dynamic IP cable modem. Acceptable Use Policy doesn't say I can't. They were talking about blocking port 25 outbound which would stop this problem (different ISP though to the one in question) but as far as I am aware they haven't yet.

I think however they should block by default and then allow users to request ports be opened. That would at least stop the majority of the problem IMO. Some ISPs do that here already.

I'd also be pissed off if they blocked incoming ports since I run a webserver and SMTP server. An outgoing block on 25 is no big deal - I already send all mail via the ISPs mail server anyway.

I don't. All mail is sent to my mail server which does the right thing with it. I suppose I could set up my ISP's mail server as a smarthost, but why?

When I had Verizon DSL, it was in the TOS that servers not be run on your line. There was nothing they did to stop it though. We have Verizon Business DSL at the office and anything goes there.

I remember having an issue with one of my ISPs about running something over port 80. I think it was Verizon DSL. I really can't remember though. That was just plain stupid because almost anyone savvy enough to run a webserver at home can figure out how to make it listen on another port.

My parents have Optimum Online and you can only use optonline.net to send outgoing mail. Any other traffic on port 25 just hangs there. That's not horrible, but I don't like it.