An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Previous Thread
Next Thread
Print Thread
Page 1 of 2 1 2
Spam Advisory from ATT
#37988 12/25/15 12:19 AM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
I got this email earlier tonight. Anyone have any ideas what this is or what I should do? (I X-out the IP address)

Dear Customer,
AT&T has received information indicating that one or more devices using your Internet connection may be sending unsolicited commercial email (spam). Spam originating from the IP address XXXXXXXXX was sent on Dec 24, 2015 at 5:15 PM EST. Our records indicate that this IP address was assigned to you at this time.

A total of 269 similar incidents occurring between December 24, 2015 5:18 AM EST and December 24, 2015 5:15 PM EST have been reported on this account.

If you have a device that has been infected with malicious software, it may be sending spam without your knowledge. An infected device may display no obvious symptoms.

To address this matter we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.

If you use a wireless network, an infected computer may be using your Internet connection without your knowledge. Ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). Check the connections to the router and ensure that you recognize all connected devices.

Ensure your firewall settings and anti-virus software are up-to-date, and install any necessary service packs or patches. Scan all systems for viruses and other malware.

Last edited by deniro; 12/25/15 12:19 AM.
Re: Spam Advisory from ATT
deniro #37990 12/25/15 10:23 AM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
Unless you can independently verify the authenticity of the e-message — and that means contacting AT&T directly, preferably by telephone (and NOT by using any contact information within the e-message), so that there can be no doubt — you can pretty much be assured that it's a scam or worse. The fact that you received it on Christmas Eve (when it might be very difficult to verify its authenticity) also rates it as highly suspicious.

If it turns out that the e-message is legitimate, it would appear that your equipment is now part of a botnet and it needs to be thoroughly "scrubbed".

Re: Spam Advisory from ATT
grelber #37991 12/25/15 10:37 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
First, deniro apparently hasn't confirmed that the IP address in the email is actually his address.

There's nothing in that email that smells of scam...doesn't ask for info or money or anything else.

On the other hand, though, can a Mac get commandeered in the manner described?

confused

Last edited by artie505; 12/25/15 10:41 AM. Reason: Better

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Spam Advisory from ATT
artie505 #37992 12/25/15 01:44 PM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
Originally Posted By: artie505
First, deniro apparently hasn't confirmed that the IP address in the email is actually his address.
There's nothing in that email that smells of scam...doesn't ask for info or money or anything else.
On the other hand, though, can a Mac get commandeered in the manner described?
confused

If the IP address is spoofed (which is unlikely if the e-message is legitimate, since his ISP would have the information), the question arises as to the real IP address; checking the full headers might be illuminating.
It could be a scam if there is a hotlink to click or something similar (which deniro did not mention or rule out) which in turn would lower the window to intrusion.
That's exactly how botnets work — exactly as the e-message notes (which still doesn't legitimate the message) — and usually the commandeered computer user hasn't a clue.

Re: Spam Advisory from ATT
deniro #37993 12/25/15 02:12 PM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
Hi Deniro,

First of all Merry Christmas to you and all in your circle of family and friends.

Let me add one thought to your situation.....it appears to me to be a legitimate notification on the face of it, and therefore merits at least a modest attempt to reconcile.

I'm going to make a few baseline assumptions on your behalf....

Your Macintosh computer(s) are well maintained and up to date with security updates.

Your use of your Macintosh computers is focused on the brighter side of the internet rather than the darker side where illegitimate activities run wild.

You are bringing this issue to us for additional help and guidance because you are truly concerned that your personal computing suite might possibly actually be producing the underlying spam called out in the ATT notification (which might also be some sort of illegitimate correspondence in its' own right).

So with all the above in mind, I personally would disregard the notification and get on with your normal holiday routine.

The one outside factor that might actually produce the spams supposedly originating from your assigned IP address might be some other "smart" device installed on your home network.....such as a NAS or even another networking device such as a WiFi extender or second access point....these additional network components are normally controlled by an embedded processor running some variant of Linux and potentially they can be and might have been hacked in the past.

Temporarily removing them from your network to reset them to factory defaults, installing the latest firmware updates and then reconfiguring them to your network should remove any further potential for them being responsible.


Freedom is never free....thank a Service member today.
Re: Spam Advisory from ATT
artie505 #37994 12/25/15 02:33 PM
Joined: Aug 2009
Likes: 14
Online

Joined: Aug 2009
Likes: 14
Originally Posted By: artie505
There's nothing in that email that smells of scam...doesn't ask for info or money or anything else.

That's my take on the email unless, as grelber points out "It could be a scam if there is a hotlink to click or something similar....". Without a hotlink it doesn't make sense that the netbot people would alert deniro to their presence.

Absent a hotlink, I lean toward the idea that it's a legitimate caution from the ISP. In fact, I think the last three paragraphs of deniro's note are good advice. But, these days caution is always the watchword.

Originally Posted By: artie505
On the other hand, though, can a Mac get commandeered in the manner described?

The idea of botnet is new to me too, but I learned a bit more at this site.

Last edited by ryck; 12/25/15 07:14 PM. Reason: Spelling

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Spam Advisory from ATT
MacManiac #37995 12/25/15 02:48 PM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
An example of some additional home network devices and their embedded processor vulnerabilities can be found HERE...


Freedom is never free....thank a Service member today.
Re: Spam Advisory from ATT
deniro #37996 12/25/15 05:11 PM
Joined: Aug 2009
Likes: 2
Offline

Joined: Aug 2009
Likes: 2
First, a Merry Christmas to all.

Are there examples of 'running items' if you look at Activity Monitor that one should be on the lookout for that might raise suspicions? Just curious and want to learn more about this.

Re: Spam Advisory from ATT
Douglas #37997 12/25/15 05:45 PM
Joined: Aug 2009
Likes: 4
Offline

Joined: Aug 2009
Likes: 4
Activity Monitor can provide a fair bit of info.

I keep mine open at all times and occasionally check CPU usage when I'm online.

"Networking" shows what processes are open and operating; it can be useful when working online.

"CPU" should normally be relatively 'quiet', even when online; If it appears that there's exaggerated activity when things are otherwise 'quiet', there's a good chance that some sort of (potentially unauthorized) activity is being carried on and may be the first evidence of one's device being used as part of a botnet. At the very least it should provoke more detailed examination as to what's causing it.

Re: Spam Advisory from ATT
deniro #37998 12/25/15 06:00 PM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
FWIW, a brief Google search for any other examples of your notification letter from AT&T shows yours to be unique so far.....so either you're the first of many, or it may have actually originated from AT&T and there may be some smart device on your home network (I discount your iMac, even though it is running a legacy OS that is no longer being actively supported) that might have been compromised.


Have you done an expanded look at the header information on your e-mail to see if it might have originated from any other source than AT&T?

Re: Spam Advisory from ATT
grelber #37999 12/25/15 06:12 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
I think it's legit, but I'll call ATT tomorrow. Not on Christmas.

I avoid the dark side of the internet, my only guilty pleasure being YouTube. In fact, in recent weeks I've beefed up security with the addition of the Disconnect extension to Firefox. I use 1Password (an older version) for all my IDs and passwords, all generated by the program. True, I'm using 10.6.7 and Firefox 39.0.3. But I find it hard to believe that someone would or could break into my router. I do have a second email account at Gmail, but I access it through Firefox, not Apple Mail.

Related or not, I've been getting kernel panics over the past six months on certain web sites. Before 2015, I had never even seen a kernel panic and knew only vaguely what they were. My iMac is about eight years old. After reading some comments at the Bugzilla forum, it looks like the kernel panics are due to the ATI Radeon and something about how it interacts with Firefox. An old driver, I imagine.

That's not my IP address, unless I'm getting confused about what my IP address actually is. In Network Utility, I entered XX.XX.X.XXX in Whois but got no matches.

Here's the rest of the email:

Example message received from XX.XX.X.XXX:

Received: from kinifocu ([XX.XX.X.XXX])
Thu, 24 Dec 2015 22:15:03 +0000
Message-ID: <E80A7FE9C5D442C59506F1BA81D86394@kinifocu>
From: "Anastasiya" <xuv@xn--j14rgen-54a8803e.xxxxxxxx-xxxxxxxx.xxx>
Reply-To: "Anastasiya" <anastasiyaihr@gmail.com>
To: <x@x>
Subject: love for serious corresponding
Date: Thu, 24 Dec 2015 21:52:59 -0700
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726
Content-Type: text/plain; charset="PERL"; format=flowed; reply-type=original
(1 additional line omitted)

DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, “the Software”). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software's vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the AT&T Acceptable Use Policy.
Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.

©2005 - 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy (Updated July 24, 2015)

Re: Spam Advisory from ATT
deniro #38000 12/25/15 06:22 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
For a long time I had a second email account at myway.com which I was never able to cancel, having had no response to repeated requests via email. I don't know what to make of their service. It seemed almost abandoned. It never worked that well. I noticed that myway.com appears here, though that's prob. because I gave it to ATT or I gave my ATT email to myway.

Expanded header (partial):

From: AT&T IISS Network Security <netsec@att.net>
Subject: Spam advisory for SBC Account Number XXXXXXXX (issue 9277)
Date: December 24, 2015 7:33:15 PM EST
To: myID@myway.com, My Name <myID@sbcglobal.net>
X-Apparently-To: myID@sbcglobal.net; Fri, 25 Dec 2015 00:33:23 +0000
Received-Spf: none (domain of someattservice.net does not designate permitted sender hosts)

Re: Spam Advisory from ATT
deniro #38001 12/25/15 08:25 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 16
If you want to know what your external IP address is at the moment click here. NOTE unless you are paying a stiff premium for a fixed IP address that IP address will change — often. The frequency of change depends on the settings on your router and you ISP's router.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Spam Advisory from ATT
joemikeb #38002 12/25/15 10:41 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
It could be my IP address, but it isn't at the moment.

I used the Email Header Analyzer at that site, which revealed the source to be abuse-att.net in Durham. I guess that rules out bogus email. Now I have figure out how or why email is being sent from my IP address and what to do about it.

Last edited by deniro; 12/25/15 10:50 PM.
Re: Spam Advisory from ATT
deniro #38003 12/25/15 11:09 PM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
That's legitimate progress.....

To help with the how/what part of your research you should look to any home network devices which might be configured to allow access from outside the local area network (i.e., through the router from the internet side)....do you have any home automation devices such as smart thermostats, light controllers, electronic door locks, etc which might have an app to allow you to access/control them using your smart phone? Do you have any Non-Apple branded networking devices on your home network other than the portal provided by AT&T / SBC Global / Lightspeed, such as IP cameras, Network Accessible Storage (NAS) hard drives, WiFi extender devices, additional access points (AP's) that might have default configurations that could open a path from the WAN side of your router to the LAN side?

Is there any software that you use which would allow you to access your computer from outside the LAN side of your network, i.e., open ports through the router?

Do you have any Windows computers on your home network?

I'm still discounting your primary computer as not being a primary suspect in this issue.


Freedom is never free....thank a Service member today.
Re: Spam Advisory from ATT
MacManiac #38004 12/25/15 11:37 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
Mostly no. Here's what I have.

A Dell in another room running Windows OS 8.1 and an iPad, and a printer, all connected wirelessly to this (Mac's) Netgear router. No smart devices. I spent yesterday actually updating security on the Dell, updating the malware and anti-virus programs, updating Firefox, updating spotify (free version). I do this regularly, prob. once a week or two. I don't think the iPad was even used yesterday.

I can't think of any other holes. What do you think about disabling Location Services on this Mac?

Re: Spam Advisory from ATT
deniro #38005 12/26/15 12:04 AM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
Have you done a malware scan on the Windows computer?

What security software do you have running on it?

Which version of Netgear router are you using?

Do you have "Back to my Mac" enabled? (I'm not even sure that is an easy option on 10.6, but worth checking)....what about such software as "LogMeIn".....any such package that would allow you access to your home network from the internet side could provide a possible vector.

There have been some reports of successful intrusion to some routers using embedded Linux....recent firmware updates have been released to close that particular vector....again, not sure about Netgear specifically.

I would discount the iPad and the printer as possible culprits.....my strongest suspicion would rest on the Windows 8.1 Dell as the most likely component.


Freedom is never free....thank a Service member today.
Re: Spam Advisory from ATT
ryck #38007 12/26/15 11:38 AM
Joined: Aug 2009
Likes: 15
Online

Joined: Aug 2009
Likes: 15
Originally Posted By: ryck
Originally Posted By: artie505
On the other hand, though, can a Mac get commandeered in the manner described?

The idea of botnet is new to me too, but I learned a bit more at this site.

I've poked around a bit, and I can't find any reference to a botnet or any other type of malware that uses Macs to send spam emails; the worst any Mac malware seems to be capable of is click-jacking, info-jacking, or holding your Mac for ransom.

Anybody?

Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Spam Advisory from ATT
artie505 #38008 12/26/15 02:08 PM
Joined: Aug 2009
Likes: 14
Online

Joined: Aug 2009
Likes: 14
Originally Posted By: artie505
Originally Posted By: ryck
Originally Posted By: artie505
On the other hand, though, can a Mac get commandeered in the manner described?

The idea of botnet is new to me too, but I learned a bit more at this site.

I've poked around a bit, and I can't find any reference to a botnet or any other type of malware that uses Macs to send spam emails….

On further checking, neither have I and I'm assuming that the lessened (or no) likelihood of Macs involved in this kind of spamming is the reason behind these points in the MacManiac notes to deniro:

Originally Posted By: MacManiac
Do you have any Windows computers on your home network?
I'm still discounting your primary computer as not being a primary suspect in this issue.

Originally Posted By: MacManiac
I would discount the iPad and the printer as possible culprits.....my strongest suspicion would rest on the Windows 8.1 Dell as the most likely component.

However, I'm certainly finding this an informative thread and, even if the Mac itself may not be be the villain, I thought this was interesting:

Originally Posted By: MacManiac
The one outside factor that might actually produce the spams supposedly originating from your assigned IP address might be some other "smart" device installed on your home network.....such as a NAS or even another networking device such as a WiFi extender or second access point....these additional network components are normally controlled by an embedded processor running some variant of Linux and potentially they can be and might have been hacked in the past.

Last edited by ryck; 12/26/15 02:18 PM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Spam Advisory from ATT
ryck #38009 12/26/15 04:51 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
On the Dell, Windows 8.1: Panda Anti-Virus (incl. firewall) and Malwarebytes Ant-Malware. I did scans yesterday and today and found nothing.

Though today, for some reason, I found Panda disabled. I don't know if I hit the wrong button at some time, but I thought I should mention it. It would be very unlike me and it's not that easy to flub the Panda settings because they're so easy. If it was disabled, it wasn't disabled for long, because I update the databases for Panda and Malwarebytes once a week and therefore am repeatedly seeing their "dashboards."

Firefox 43.0.3 (on the Mac I use 39.0.3) w/Ad Block Plus, HTTPS Everwhere, and Disconnect. No porn sites, gambling, torrent, or illegal downloads of music, movies, or software. I do have a Gmail account and after I got it, switched my various web site IDs and subscriptions from ATT to Gmail.

Netgear router N300. Latest firmware isn't compatible w/10.6, but this router isn't very old.

Back to my Mac: no. LogMein: no. I never access my computer or my info when away from home. I don't do cloud computing. I don't have a cellphone or smartphone or laptop. I do Facetime and internet on the iPad.

It would take a while to describe every privacy and security setting on Windows 8.1, so suffice it to say it's locked down.

But just about anyone can get my email address. So I guess whatever was done wasn't all that difficult. I don't want to call ATT on a weekend. I'll try Monday.

ETA: I also have a free year of ProtectMyID.com

Last edited by deniro; 12/26/15 05:29 PM.
Re: Spam Advisory from ATT
deniro #38010 12/26/15 06:29 PM
Joined: Aug 2009
Likes: 5
Moderator
Online
Moderator

Joined: Aug 2009
Likes: 5
Keep an eye on your Panda to see if it repeats the "off" symptom.....Windows malware routinely disables anti-malware programs as part of its' mode d'emploi. If it repeats, that would be indicative of corruption despite your admirably best efforts....and I would scan it using a different anti-malware program freshly installed to confirm.


Freedom is never free....thank a Service member today.
Re: Spam Advisory from ATT
MacManiac #38069 12/31/15 10:26 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
Originally Posted By: deniro
Firefox 43.0.3 (on the Mac I use 39.0.3) w/Ad Block Plus, HTTPS Everwhere, and Disconnect.

Is Disconnect compatible with Ghostery? Is Ad Block Plus different than Ghostery?

Administrator: I don't want to go off topic but do have questions. Not sure what to do here because it is a security string.

Re: Spam Advisory from ATT
slolerner #38073 12/31/15 10:50 PM
Joined: Aug 2009
cyn Online
Administrator
Online
Administrator

Joined: Aug 2009
Best approach would be to start a new thread for your questions.


FineTunedMac Forums Admin
Re: Spam Advisory from ATT
cyn #38092 01/02/16 05:41 PM
Joined: Sep 2009
deniro Offline OP
OP Offline

Joined: Sep 2009
I'll give you the facts of what happened. I don't know if any of them are related, but here they are.

An agent at ATT told me that the Spam Advisory email was fake. Fortunately, I had known better than to click on any of the links. I sent him a copy while we were on the phone and he said it wasn't anything like they sent. Also, the account number was wrong. He sounded knowledgable and confident and I was happy to get someone like that at ATT customer service -- for once. He suggested I change my password, so I did.

Then I switched from Panda antivirus to Avast on the Dell. I scanned the hard drive with Avast, Malwarebytes, and the Dec 2015 dowload of a Microsoft anti-malware tool. All found nothing. But Avast reported that my Netgear router had been hacked, infected, and had various vulnuerabilities. I updated the firmware on the router and changed the password. Avast no longer reported problems.

The next day the phone line went out. No dial tone, so no internet obviously. We'd had a ice storm the night before, and I don't know if that was the cause. ATT chose to send out a repairman, but he didn't get here the day he was supposed to. Instead, the phone line magically healed itself and I've been on the internet ever since.

Following the advice of Joe Kissell in his e-book Take Control of Mac Security, I changed the DNS servers in my router settings to a couple Open DNS numbers he recommended in his book. In his old book, I read about the "hidden firewall" in OS X and contemplated whether to use it.

I haven't noticed any odd behavior. I don't know if my Mac or the Dell or the iPad were hacked or harmed. Data seems intact.

Hard for me to believe that someone or some-bot hacked my router, esp. considering the security I already had, including a good password generated by 1Password.

Re: Spam Advisory from ATT
deniro #38105 01/02/16 11:44 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 16
No password is needed or used by most hacker bots. There are several different basic approaches. Even a cursory search of the internet will turn up a wealth of academic research papers written by faculty and graduate students from reputable major universities around the world on how to defeat any password scheme without knowing any passwords. Password cracking is a fertile field for PhD dissertation topics and the research is published freely and legitimately.

You will find a large number of hacker written "how to" articles and even the bots themselves openly for sale.

1Password is a fine utility, I use it myself, in addition to Keychain, but it primarily protects from identity thieves who already have direct access to my computer. It provides zero protection from attacks such as you have encountered. Most hackers have little or no interest in passwords because the seldom if ever use them.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Page 1 of 2 1 2

Moderated by  alternaut, dianne, MacManiac 

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.4
(Release build 20200307)
Responsive Width:

PHP: 7.4.33 Page Time: 0.052s Queries: 65 (0.037s) Memory: 0.7195 MB (Peak: 0.9105 MB) Data Comp: Zlib Server Time: 2024-03-28 09:47:11 UTC
Valid HTML 5 and Valid CSS