Calling computer nerds...

[Pete Zaria]

I'm having the weirdest computer problem I've ever run across.
If you don't have a very in-depth background with computers, don't bother reading this.

I know this is a gun-oriented forum but I didn't get any replies on my usual IT forum, so I thought I'd C&P this here. I know there are a few other network administrators on this forum.

A little background info:

I'm a network administrator, self-employed for a small IT consulting firm in the Seattle, WA area. I'm Cisco and A+ certified, and I'd like to think I know what I'm doing

The Problem:

For the last few days, on my home network, I've been receiving a generic SMTP error when I try to send email through my primary account (hosted on Site5).

Anyone that's self employed knows the following feeling: By the time I get home from work every day, the *last* thing I want to do is troubleshoot MY network. So I've been doing it in bits and pieces for the last few days.
I tried reinstalling my mail client (Thunderbird), double-checking all of the mail settings, tried alternate ports, tried checking my firewall (and router, which is actually a Linux box but hey) for blocked traffic... Finally I gave up and called Site5 and asked what was up.

They then informed me that my IP address has been blacklisted for spamming.

My jaw dropped.

I have five machines running at my home IP address, which is provided to me via Comcast, a 12 megabit cable connection I cough up $50 a month for. I have two Linux boxes and three Winblows boxes, of which 2 are always on.

My first inclination was "Holy cow, maybe one of the boxes here has a virus/spyware/etc... problem and is broadcasting email without my knowledge".
So I checked. Thoroughly. I checked startup lists, config files, ran HiJackThis (great tool if you're not familiar with it), even WireShark'ed some traffic.

It's all squeaky clean. I even read through a few dozen pages worth of traffic logs, and I see nothing remotely spam-like.
I know my wifi is not being abused by war-drivers; I'm running WPA2 with rotating keys and MAC authentication, and I checked the router logs just to be sure.

Before I call Comcast and ask them to change my IP address, or call Site5 and tell them that they're insane, does anyone have an idea for anything I may have overlooked?

Thanks for your time

Peace,
Pete Zaria.

[DefensiveCarry.com]

[PaulJ]

can you post logs?

[Pete Zaria]

can you post logs?

Which logs? Router logs, firewall logs, system event logs?

Peace,
Pete Zaria.

[PaulJ]

whatever logs you have that show the error (mail logs, system logs should do) ;-) maybe a link to a tcpdump file with a connection attempt?

[Pete Zaria]

I think I just found the problem.

Checking my modem logs, my IP was changed (by Comcast's DHCP system) several days ago, around the same time the problem started.

I think, by chance, whoever had this IP address before I got it, had been broadcasting spam and was blacklisted by Site5 (and probably other hosts). When the IP's changed, I got this one assigned by random, and through some bad luck....

I'll call Comcast and ask for a new IP and report back.

Peace,
Pete Zaria.

[PaulJ]

i you got a dynamic IP, try this:
- turn off the modem (remove power cord)
- change the mac address of the system connected to the modem
- turn off that system
- turn the modem back on
- power up the system
depends a bit on the system you are on with comcast. It may also help if you configure the comcast mail server as a your "smarthost" to relay all your mail through.

To check if you are blacklisted anywhere: mailradar.com/rbl
(or relays.osirusoft.com/cgi-bin/rbcheck.cgi)

[Pete Zaria]

I already hard-reset my modem twice and was issued the same IP each time.

I'll check out that mailradar site now, thanks.

I'm on hold with Comcast as we speak.

Peace,
Pete Zaria.

[sph33r]

FWIW .. I always get the same IP from Comcast. They say it's dynamic but I've had a dyndns account pointed at this IP for 7 months and it's never changed. I imagine they're going to have to do something on their end to have their DHCP server hand you a new IP.

[Pete Zaria]

Confirmed:

Comcast changed my IP and the problem went away. I think my theory was correct, the previous owner of this IP address was spamming, or had a virus that was broadcasting spam.

What a weird and unlucky problem to run across.

Thanks, guys.

Peace,
Pete Zaria.

[doobie]

Check your sendmail(or other mail server logs), if you had an open mail server someone else might have used it to spam from it.... depending on which service blacklisted you it could be anywhere from easy, to not worth your trouble to un-blacklist your IP addr.

[FN1910]

I think I just found the problem.

Checking my modem logs, my IP was changed (by Comcast's DHCP system) several days ago, around the same time the problem started.

I think, by chance, whoever had this IP address before I got it, had been broadcasting spam and was blacklisted by Site5 (and probably other hosts). When the IP's changed, I got this one assigned by random, and through some bad luck....

I'll call Comcast and ask for a new IP and report back.

Peace,
Pete Zaria.

Saved me a post as I just read this. That is the first thing I though of. I have a static IP address on my home account so if I get blacklisted I am in trouble. I wonder why your IP was changed if you didn't log off. Normally even if you log off and back on within a reasonable time (couple of hours) you usually get the same IP back. Of course with the cable companies they may change the entire class without warning and reason. Did I mention I hate Time Warner and AOL.

[PaulJ]

your IP may change at any time. Some operators (e.g. Comcast) usually don't change it, other change it daily. But even Comcast will change your IP at times if they re-organize the network. E.g. they may be short of IPs in some area or they add a new address block to yours.

If you have a home based business, and are reasonably computer literate, checkup the Comcast business plan. Its a bit more expensive, but has options like multiple static IP addresses. Service is much better in my experience. You typically have a truck in front of your door in a couple hours and you get to talk to the next level tech support right away.

[dnowell]

The ideal way to avoid this kind of problem in the future is to relay your mail through someone who you pay for that service. Also you should consider a backup MX service if you don't have one already, in case your DSL goes down, so that undeliverable mail gets delivered once the connection comes back up. Shouldn't have to cost a whole lot unless you get and send tons of mail.

[Pete Zaria]

The ideal way to avoid this kind of problem in the future is to relay your mail through someone who you pay for that service. Also you should consider a backup MX service if you don't have one already, in case your DSL goes down, so that undeliverable mail gets delivered once the connection comes back up. Shouldn't have to cost a whole lot unless you get and send tons of mail.

I don't think you understand; I do pay a host (Site5) to host my POP3 and SMTP servers; I do not host them at home for exactly the reason you mentioned.

Thanks for the input, everyone.

It was a weird, one-in-ten-thousand problem, and I should have thought of it before.

Peace,
Pete Zaria.

[dnowell]

Gotcha - I thought you were hosting it yourself - sorry about that.