Re: [PCWorks] Why is my port 25 now just "Closed" and how do I get it back to "Stealthed" again?

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <pcworks@xxxxxxxxxxxxx>
  • Date: Sat, 7 Sep 2013 06:44:26 -0500

I still can't figure out WTH is going on with this port 25
issue.  I even tried to block it in my router (at least as far
as I could TRY to figure out how to do this), and not only was
port 25 still just "closed", but, Chrome and FireFox STOPPED
WORKING, but IE worked fine!  Huh??????  WTH would
Chrome and FF have to do with port 25??

I'm not sure if the attacker got the pw or not.  From what my
hosts told me about the SPF ("SPF records do not affect this
type of issue.  If an attacker has your password, they can gain
authenticated access regardless of what your DNS zone file
looks like"), that would be "yes".  But I don't see how that's
possible: it only appears in two places on the entire planet
(my login on the server for cPanel access) and on my PC (a text
file, and the remembered login by the browser).  And like I
said below, I don't see how a "dictionary attack" could have
done it (if I am to take that literally), because it not only
had letters and numbers in it, but it was also full of EVERY
character on a keyboard!
-Clint

God Bless,
Clint Hamilton, Owner
www.OrpheusComputing.com
www.ComputersCustomBuilt.com
www.OrpheusComputing.com/new-arrivals.html
www.OrpheusComputing.com/office/computer_accessories.html

----- Original Message ----- 
From: "Karl Springer"


On 28 Aug 2013 at 23:41 -0500, Clint Hamilton-PCWorks Admin
wrote, at least in part:

> I was new to this SPF thing.  I believe there is something
> kind of similar with the "MX record" or something like that,
> which has been in use, and obviously didn't help anything.
> PRIOR to this particular event, (probably the same terrorist)
> did this on a MUCH smaller scale and the SPF was created back
> then. Obviously, that too didn't prevent this recent attack!
> I asked my host about that, and he said:
>
> "SPF records do not affect this type of issue.  If an
> attacker has your password, they can gain authenticated
> access regardless of what your DNS zone file looks like."
>
> True??

Am I correct that the attacker got the password to your
website? If yes, do you have any idea how he got it?

Karl



----- Original Message ----- 
From: "Clint Hamilton-PCWorks Admin"


I can't answer that about Gmail; all I know is that in OE it's
using port 465 for SMTP outgoing and port 995 for POP3 incoming
(and both are SSL).  Port 587 may not be SSL.

Regarding the test at GRC, EVERY firewall I have ever used has
passed it (Outpost, Comodo, Kaspersky, Sygate, to name a few),
so it could be that a result of all green and "Stealthed" could
rely more on the **hardware** firewall in my router, but
I've also used numerous routers and I still got all green.
That's why the most recent result of port 25 no longer being
stealthed is most troubling to me.

Oh sorry, you're talking about the "LeakTest"; I am and was
talking about the "ShieldsUp" test (did you run that?).  From
what I remember, most of the firewalls I have used have passed
the test, but it seems like maybe one did not.  I can't say for
certain if the Comodo FW passes the test because Comodo
Internet Security also has something called "Self Defense"
which blocks the test from even happening, plus it also has a
"Sandbox" and it also sandboxed the file.  I disabled it, which
only leaves the XP firewall and my router firewall, and I got a
FAIL.  So obviously XP's firewall fails the test and perhaps
all or most routers do as well.  But Comodo Internet
Security passes the test.

I was new to this SPF thing.  I believe there is something kind
of similar with the "MX record" or something like that, which
has been in use, and obviously didn't help anything.  PRIOR to
this particular event, (probably the same terrorist) did this
on a MUCH smaller scale and the SPF was created back then.
Obviously, that too didn't prevent this recent attack!  I asked
my host about that, and he said:

"SPF records do not affect this type of issue.  If an attacker
has your password, they can gain authenticated access
regardless of what your DNS zone file looks like."

True??
-Clint
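The host's point above (SPF checks the connecting server's IP, not who typed the password) can be seen by evaluating an SPF record directly. This is an added example, not code from the thread; the record and IP addresses are constructed from documentation ranges, and only ip4/ip6/all mechanisms are implemented (no DNS-based ones).

```python
import ipaddress

# RFC 7208 result for each qualifier that may prefix a mechanism.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record against the IP of the SMTP client that delivered the mail.

    Supports ip4:/ip6: mechanisms and 'all'. Mechanisms that need DNS lookups
    (a, mx, include, exists) are deliberately left out here and never match.
    Returns 'none' for a record that is not SPF version 1.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier per RFC 7208
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


# Constructed zone: the domain's only authorized outbound server sits in
# 203.0.113.0/24 (a documentation range), and everything else hard-fails.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"


def spoof_vs_authenticated():
    """Two deliveries claiming to be from the domain, as the receiving MTA sees them."""
    return {
        # Forged directly from an unrelated host: the receiver's SPF check fails it.
        "forged_from_random_host": evaluate_spf(EXAMPLE_RECORD, "198.51.100.77"),
        # Submitted with a stolen mailbox password through the domain's own
        # outbound server: the receiver sees the authorized IP, so SPF passes.
        "relayed_with_stolen_password": evaluate_spf(EXAMPLE_RECORD, "203.0.113.10"),
    }


if __name__ == "__main__":
    for case, result in spoof_vs_authenticated().items():
        print(f"{case}: {result}")
```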


----- Original Message ----- 
From: "Karl Springer"

On 28 Aug 2013 at 0:49 -0500, Clint Hamilton-PCWorks Admin
wrote, at least in part:

> I have been for many years, and still always visit
> https://www.grc.com/default.htm and do the "ShieldsUp" test
> (near the bottom), and it has ALWAYS been ALL GREEN, "STEALTH"
> for ALL ports.  I ran it again a few days ago, and now for
> some reason port 25 is no longer "Stealthed"! ... I do not
> understand why it would now be "Closed" and no longer
> "stealthed" as it's been for many years.

No problem here.  Unable to offer any suggestions on how to
fix.

> I don't even use port 25!  All of my domain email uses port
> 26 (and Gmail uses port 465).

Re Gmail one source says Port 587 is for IMAP and uses TLS
while Port 465 is for POP and uses SSL.  When using POP,
are there any negatives using Port 587?

> I have FOUR firewalls that have remained unchanged.  (Windows
> XP, Kaspersky, Comodo Internet Security, and my router).

When I ran GRC's Firewall Leakage Tester v1.2,
<https://www.grc.com/lt/leaktest.htm>, my system failed.  What
firewalls pass this test?

> The reason this is of great concern to me is that recently
> something was hacked and some cyber-terrorist sent out over
> TWO HUNDRED THOUSAND BS emails using one of MY domain
> addresses!  (It goes without saying that the originating IPs
> of course were on RIPE, with most of them being in Russia).

Did the hackers change your SPF (Sender Policy Framework)
configuration settings?

Karl

----- Original Message ----- 

Hi all, I'm hoping someone can tell me what's going on here.

I have been for many years, and still always visit
https://www.grc.com/default.htm and do the "ShieldsUp" test
(near the bottom), and it has ALWAYS been ALL GREEN, "STEALTH"
for ALL ports.  I ran it again a few days ago, and now for some
reason port 25 is no longer "Stealthed"!  It is "CLOSED", NOT
"open", but still that bothers me because port 25 is SMTP
(outgoing) mail.  I do not understand why it would now be
"Closed" and no longer "stealthed" as it's been for many years.

I don't even use port 25!  All of my domain email uses port 26
(and Gmail uses port 465).

I have FOUR firewalls that have remained unchanged.  (Windows
XP, Kaspersky, Comodo Internet Security, and my router).  I
even went into Comodo to its "Stealth Ports Wizard" and chose
the option: "Block all incoming connections and make my ports
stealth for everyone", and that did nothing different.  (Yes I
know it says "INcoming" but I thought that may help anyway).

Any ideas on what could have changed this, and how do I get it
back to "Stealthed" again?

The reason this is of great concern to me is that recently
something was hacked and some cyber-terrorist sent out over TWO
HUNDRED THOUSAND BS emails using one of MY domain addresses!
(It goes without saying that the originating IPs of course were
on RIPE, with most of them being in Russia).

My hosts immediately contacted me, and before I could even
reply they changed the password for my cPanel login (GUI
control interface for all domain functions), and the password
on the spoofed email address.  This halted it as soon as
possible.  And I WAS using a ridiculously long and incredibly
complicated password.  A "dictionary" attack would NOT have
worked.

It also goes without saying... but I will anyway, that I ran
scans with all of my anti-malware programs, more than a dozen
of them, and they found NOTHING.  (I also always have all kinds
of security programs running all the time).

I still haven't a clue as to how this happened, but the fact
that my port 25 is no longer "Stealthed", and this spoof, is
too close to be a total coincidence to me.

Thanks,
-Clint

