Outgoing Mail Blocked by Spamhaus & Others

Hi...

I would be grateful for some update on the situation as has been described to you!

I have a severely compromised position in respect of my email communications and am currently trying to progress contracts involving eight-figure sums.

I would appreciate it if a resolution to this matter could be identified and implemented.

Regards

Mark

Hi Richard. Thank you very much for taking the time to write, and I apologize for the delayed response. My name is Shawn and I am writing to you on behalf of the AVG Senior Support team.

I have read through the chain of exchanged dialogue, and I understand you suspect your computer is compromised, as you are experiencing a disruption sending email from your computer.

I further understand you have since performed various antivirus scans of your computer. Can you clarify whether you have yet performed a boot scan, https://is.gd/kRzHD7, which scans for known types of malware and removes threats before the operating system and other services run?

Additionally, from what I have read, I understand your email address is associated with your domain. Have you yet contacted your domain host to ensure your domain email address is not compromised on their end?

Let me know how this works for you. Regards, Shawn

Hi Santosh... My apologies for the delayed response. The issues have coincided with a very busy period of work, so the impact of this problem is severe.

Firstly - The browser works fine... I can use the internet at all times...

Secondly - This is not a threat message. My IP address is being blocked by an organisation called Spamhaus, whose role is to help protect the internet from spammers. My email account has been compromised and is apparently sending out spam! However, I am unable to see this. Even if I go to my email account on the web, I still have no indication of malicious activity. I have contacted my ISP for help but the support personnel really did not understand the issue.

The message I get from Spamhaus is as follows:

[Image: Message from Spamhaus that appears if I try to email]

This message appears every time I try to send email, i.e. my outgoing mail server has been blocked from accessing the internet by Spamhaus.

No scans have revealed any issues... I also tried Malwarebytes and Norton Power Eraser, which Spamhaus recommends for resolving problems with spambots.

Each time I get no threats flagged by any scanning or anti-spybot software... So I apply to Spamhaus to remove the block. They do this within 30 mins or so, but due to the fact that the problem remains, the block is reapplied within a relatively short period.

The level of the issue has now escalated as I suspect that Spamhaus have increased the level of the block that has been applied... So now I can no longer even collect my incoming emails.

There is clearly an issue somewhere... I can't find it!

web  My ISP has not bee 

HI Mark,

We are sorry to hear this.

We will help you to resolve the issue.

Are you getting this message in all browsers?

Could you share a screenshot of the threat message with us so we can investigate further?

You can post the screenshot here in your topic. Click on "Answer" & then click on the "Image" [mountain symbol] & follow the instructions.

Keep us posted.

Over the last 2 weeks my outgoing mail has been repeatedly blocked by Spamhaus (SBL), with additional appearances in the CSS and XBL blocklists.

I have updated my AVG and repeatedly run various scans... deep scans / rootkit scans etc., all of which show that my PC is free of any threats or malicious files.

I did suffer a series of attempted attacks on two or three occasions over the last two weeks, which AVG advised on each occurrence that it had caught the threat and quarantined as necessary.

Despite all of these assurances my outgoing mail has been blocked a few days later.

Having run all scans each time and duly applied for the block to be lifted... the blocks reappear within 12 hours or so and I am back to square one!

Help !  
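
The SBL, CSS and XBL listings mentioned in this post can all be checked with one DNS query against the Spamhaus ZEN combined zone, and the answer's 127.0.0.x return code tells you which of the three components hit. The helper below is an added example written for this thread, not code from AVG, Spamhaus or the poster; it builds the reversed-octet query name, decodes the published ZEN return codes, and treats a 127.255.255.x answer as a refused query (public resolver or rate limit) rather than a listing. Only the live `check_ip` function touches the network; the IP used in the comments is the one quoted later in the thread.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Published return codes for the ZEN combined zone. 127.0.0.3 is the CSS
# component of the SBL; 127.0.0.4-7 are XBL codes (fed by CBL data);
# 127.0.0.10-11 are the PBL (dynamic/end-user space, not an infection).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL (CBL)",
    "127.0.0.6": "XBL (CBL)",
    "127.0.0.7": "XBL (CBL)",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended.
    e.g. 109.249.187.31 -> 31.187.249.109.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_query_error(code: str) -> bool:
    """127.255.255.x answers mean the zone refused the query (open/public
    resolver, query-limit exceeded or a malformed name), not a listing."""
    return code.startswith("127.255.255.")


def decode_listing(answers):
    """Map the A-record answers of a ZEN query to blocklist names."""
    listings = []
    for code in answers:
        if is_query_error(code):
            raise RuntimeError(f"query refused by zone ({code}); "
                               "retry via a non-public resolver")
        listings.append(ZEN_CODES.get(code, f"unknown code {code}"))
    return listings


def check_ip(ip: str):
    """Live lookup. NXDOMAIN (gaierror) means 'not listed'."""
    name = dnsbl_query_name(ip)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    answers = sorted({info[4][0] for info in infos})
    return decode_listing(answers)


if __name__ == "__main__":
    print(dnsbl_query_name("109.249.187.31"))
    print(check_ip("109.249.187.31"))
```

A listing that alternates between "SBL (CSS)" and "XBL (CBL)" after each self-removal, as described in this thread, is the signature of a host that is still emitting: delisting clears the entry, the next observed connection re-creates it.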

Thank you Santhosh (and apologies for my previous error in spelling your name).

I thought the following information from one of the reports issued by CBL, which shared some of the results of their lookup report, may be of assistance to your senior team.

RESULTS OF LOOKUP
109.249.187.31 is listed
This IP address was detected and listed 52 times in the past 28 days, and 10 times in the past 24 hours. The most recent detection was at Sat Nov 21 20:15:00 2020 UTC +/- 5 minutes

This IP address was self-removed 2 times in the past week.

This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.

Note: 109.249.187.31 appeared to be suspicious because it was using the following name to identify itself during email connections (port 25) via the HELO/EHLO smtp commands: ".".  Which is:
  - an illegal name according to the RFC2821 SMTP mail protocol standards. RFC2821 requires that the machines claim names that are fully qualified domain names or IP addresses enclosed in square brackets, and/or
  - a name or pattern used very heavily by professional spammers via compromised machines.

You will need to investigate whether your mail server was indeed doing it, and fix it, or,  find and fix the infection.
                    ______________________________________________________

I can forward the complete document from this together with the Spamhaus CSS correspondence if this would be of assistance.

Kindest regards...    Mark
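
The CBL report above turns on what a client sends in HELO/EHLO. The checker below is an added example for this thread (not code from CBL, Spamhaus or the poster) implementing the syntax rule the report cites: the argument must be a fully qualified domain name or an IP address literal in square brackets (RFC 2821, carried into RFC 5321). It also applies a small heuristic of my own, not part of any RFC, that flags names whose top-level label is not alphabetic; the second sample name is the forged HELO quoted later in this thread, which is syntactically legal but caught by that heuristic, which is why CBL lists "name or pattern used heavily by spammers" as a separate criterion.

```python
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading or
# trailing hyphen (RFC 5321 "sub-domain" / RFC 1123 host-name rules).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_helo(arg: str):
    """Return (kind, reason); kind is 'address-literal', 'fqdn' or 'invalid'."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.lower().startswith("ipv6:"):   # RFC 5321 form [IPv6:...]
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            return "invalid", "bracketed but not an IP address literal"
        return "address-literal", "IP address literal"

    if not arg or len(arg) > 255:
        return "invalid", "empty or longer than 255 octets"
    labels = arg.split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        # '.' from the CBL report lands here: two empty labels.
        return "invalid", "empty label or illegal characters in a label"
    if len(labels) < 2:
        return "invalid", "not fully qualified (single label)"
    return "fqdn", "syntactically valid fully qualified domain name"


def looks_forged(arg: str) -> bool:
    """Heuristic (an assumption of this example, not an RFC rule): anything
    syntactically invalid, or an FQDN whose top-level label is not purely
    alphabetic, is treated as a likely forged HELO."""
    kind, _ = classify_helo(arg)
    if kind == "invalid":
        return True
    if kind == "address-literal":
        return False
    return not arg.split(".")[-1].isalpha()


if __name__ == "__main__":
    for sample in [".", "2d1PO8BO.mokitmkoqzrh.yN72u2cYA0D",
                   "mail.example.com", "[192.0.2.1]", "localhost"]:
        print(f"{sample!r}: {classify_helo(sample)} forged={looks_forged(sample)}")
```

A legitimate mail client or server would normally greet with its own resolvable host name; a random name that changes per connection, or a bare ".", is what a spam proxy sends because it never intends the greeting to be checked.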

Hi Avinash... 

Is this any different from them removing the block... See my email above: "Each time I get no threats flagged by any scanning or anti-spybot software... So I apply to Spamhaus to remove the block. They do this within 30 mins or so, but due to the fact that the problem remains, the block is reapplied within a relatively short period".

The problem appears to be that something is sending spam from my email account, so because I am not clearing it, Spamhaus detect that the problem still exists and reapply the block.

They are even telling me how many occurrences of spam mail are sent within each period of infringement.

The problem appears to be detecting the particular Malware / Contamination / Virus / Spambot and removing it !   

Hence my request to AVG to help !

Hi Guys... 

Have you abandoned the support in respect of this query...   

I have had no further communication from AVG in respect of a resolution to this matter for three days.

In the interim I have almost zero communication capability.

Hi Santosh... 

The reason that I am in the Spamhaus CBL / CSS databases is because my PC is infected...

They have made it clear that I need to resolve the problem on my machine before this matter can be effectively resolved.

Can you please escalate this to senior members of your team, as it is becoming increasingly clear to me that your team is not understanding the situation.

I attach for your further information, an extract from the communication received from CSS who have now refused to unblock my machine... The extract below is designed to help you identify the problem.

A device (likely to be a computer or mobile phone), that is using your IP is infected, insecure or compromised.  It is making SMTP connections to Spamhaus systems on port 25, with forged HELO values.  There is a proxy installed on a device - an Android mobile or a Windows computer - that is using your IP to send spam DIRECTLY to the internet via port 25.

If you run your own mailserver, it is NOT your mailserver !

Consider the implications of a malicious proxy being active on your network: Spam is what WE see coming from it, but proxies can be used for all sorts of malicious activities, and they are inside your firewall.

Please close port 25 and secure your network and device(s).
The observed forged HELO identification was 2d1PO8BO.mokitmkoqzrh.yN72u2cYA0D.
The last detection occurred at : November 20 2020, 14:59 (UTC timezone, +/- 1 minute)

What should be done about it ?
The device that caused this issue should be found and cleaned. We recognize that this is often not an easy task. The following information may help:
We are seeing some mobile devices turned into spam proxies as a result of installing heavily monetized or unofficial/sideloaded apps.  Spamhaus has a WiFi and Home Networks FAQ with tips and links to help in this situation.

Preventively blocking port TCP 25 outbound on your router or gateway will prevent these listings, but will not fix the underlying problem.

Calling your ISP or taking your machine to a competent tech support service might also be useful.

I hope that the above extracts are useful to you... The example sources of infection above have had references to wifi doorbells, servers, office environments etc. removed, as we do not have any of these.
I look forward to your further response... and suggestions as to how this issue can be resolved.
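
The CSS notice above says the sender is a proxy on a device behind the same IP, making its own port 25 connections and not going through the mail server. On a Windows PC the quickest way to see whether that device is this one is the connection table: `netstat -ano` lists every socket with its owning PID, and any process other than the mail client holding connections to a remote port 25 is the thing to look at. The script below is an added example for this thread, not code from AVG or Spamhaus; the netstat output it parses is constructed here (the PIDs and addresses are placeholders), and on a real machine you would feed it the output of `netstat -ano` instead.

```python
import subprocess

# Constructed sample in the format of Windows `netstat -ano`; the addresses
# and PIDs are placeholders, not observations from the poster's machine.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49711     203.0.113.5:25         ESTABLISHED     4120
  TCP    192.168.1.20:49712     198.51.100.9:25        SYN_SENT        4120
  TCP    192.168.1.20:49800     93.184.216.34:443      ESTABLISHED     2204
  TCP    192.168.1.20:50021     203.0.113.77:587       ESTABLISHED     3016
  TCP    [fe80::1%3]:49900      [2001:db8::25]:25      ESTABLISHED     4120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  UDP    0.0.0.0:5353           *:*                                    1456
"""

SMTP_PORT = "25"


def split_host_port(endpoint: str):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str):
    """Return the TCP rows of `netstat -ano` output as dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns; UDP rows and the header do not.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        rhost, rport = split_host_port(remote)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def find_direct_smtp(text: str):
    """Map PID -> list of remote hosts it is talking to on port 25.
    Port 587/465 (submission, used by real mail clients) is deliberately
    not matched: the CSS notice is about direct-to-MX port 25 traffic."""
    hits = {}
    for row in parse_netstat(text):
        if row["remote_port"] == SMTP_PORT and row["state"] != "LISTENING":
            hits.setdefault(row["pid"], []).append(row["remote_host"])
    return hits


def live_scan():
    """Run netstat on this Windows host and report port 25 talkers."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=True).stdout
    return find_direct_smtp(out)


if __name__ == "__main__":
    for pid, hosts in find_direct_smtp(NETSTAT_SAMPLE).items():
        print(f"PID {pid} -> port 25 on {', '.join(hosts)}")
```

Once a PID shows up, `tasklist /FI "PID eq 4120"` names the executable (or run `netstat -anob` from an elevated prompt to get names inline). Because a proxy tends to connect in bursts, run the scan several times over a few minutes; if no Windows host on the network ever shows port 25 traffic while the listing keeps returning, the device is something else behind the router (the notice mentions Android), and blocking outbound TCP 25 at the router, as Spamhaus suggests, at least stops the listings while you find it.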

Mark, could you confirm whether it is web-based email or whether you use an email client (like Outlook)?

Thank you for the information.

As per your request, we have escalated the case to our senior team. They will investigate the issue further and get back to you as soon as possible.

Your patience is appreciated.
