Subject: SPAM - First Warning
Imagine my surprise when I received this email from my ISP. They claimed they had received complaints about spam that was being sent through my account.
Maybe I had a virus or open relay?
Of course at first I thought it was just a case of a spoofed email address or spoofed IP number, and my ISP being too dumb to see that. When I asked them, they sent me a copy of the malicious email.
They seemed to be right: My IP address seemed to have been used as a relay. But I run virus scans all the time and I'm not running an SMTP server. Or am I?
So the next step was running a port scan on my own machine to prove that I didn't have any open ports.
Boy, was I in for a surprise!
Not only my SMTP, but also my POP3, NNTP, NetBT, and a whole bunch of others were open.
The only explanation was that I had a very good trojan running. It didn't show up in the task manager. I couldn't telnet to the open ports: the connection was closed immediately. Programs like fport didn't see my ports as open.
Impressive work, whoever wrote this trojan.
So I tried to hunt down this bad trojan. Not much luck though... I scanned with HijackThis, normally very good for these kinds of situations (detecting trojans that are not detected yet). But I didn't see anything suspicious. And whatever I removed, my ports were still open.
Until I disabled my Internet Connection Sharing.
I had set it up correctly. I indicated that I did NOT want an SMTP server, a POP3 server, and the like. I furthermore indicated that my connection was only to be shared with my local interfaces.
Is this a bug in Internet Connection Sharing?
Is it the default behavior?
(Note: This is on Windows 2000.)
Do you Microsoft guys understand that you almost caused my ISP account to be closed down?