I still can't figure out WTH is going on with this port 25 issue. I even tried to block it in my router (at least as far as I could TRY to figure out how to do this), and not only was port 25 still just "closed", but Chrome and FireFox STOPPED WORKING, but IE worked fine! Huh?????? WTH would Chrome and FF have to do with port 25??

I'm not sure if the attacker got the pw or not. From what my hosts told me about the SPF ("SPF records do not affect this type of issue. If an attacker has your password, they can gain authenticated access regardless of what your DNS zone file looks like"), that would be "yes". But I don't see how that's possible: it only appears in two places on the entire planet (my login on the server for cPanel access), and on my PC (a text file, and the remembered login by the browser). And like I said below, I don't see how a "dictionary attack" could have done it (if I understand to take that literally) because it not only had letters and numbers in it, but it was also full of EVERY character on a keyboard!

-Clint

God Bless,
Clint Hamilton, Owner
www.OrpheusComputing.com
www.ComputersCustomBuilt.com
www.OrpheusComputing.com/new-arrivals.html
www.OrpheusComputing.com/office/computer_accessories.html

----- Original Message -----
From: "Karl Springer"

On 28 Aug 2013 at 23:41 -00500, Clint Hamilton-PCWorks Admin wrote, at least in part:

> I was new to this SPF thing. I believe there is something
> kind of similar with the "MX record" or something like that,
> which has been in use, and obviously didn't help anything.
> PRIOR to this particular event, (probably the same terrorist)
> did this on a MUCH smaller scale and the SPF was created back
> then. Obviously, that too didn't prevent this recent attack!
> I asked my host about that, and he said:
>
> "SPF records do not affect this type of issue. If an
> attacker has your password, they can gain authenticated
> access regardless of what your DNS zone file looks like."
>
> True??

Am I correct that the attacker got the password to your website? If yes, do you have any idea how he got it?

Karl

----- Original Message -----
From: "Clint Hamilton-PCWorks Admin"

I can't answer that about Gmail, all I know is that in OE it's using port 465 for SMTP outgoing and port 995 for POP3 incoming (and both are SSL). Port 587 may not be SSL.

Regarding the test at GRC, EVERY firewall I have ever used has passed it (Outpost, Comodo, Kaspersky, Sygate, to name a few), so it could be that a result of all green and "Stealthed" could rely more so on the **hardware** firewall in my router, but I've also used numerous routers and I still got all green. That's why the most recent result of port 25 no longer being stealthed is most troubling to me.

Oh sorry, you're talking about the "LeakTest", I am and was talking about the "ShieldsUp" test (did you run that?). From what I remember, most of the firewalls I have used have passed the test, but it seems like maybe one did not. I can't say for certain if the Comodo FW passes the test because Comodo Internet Security also has something called "Self Defense" which blocks the test from even happening, plus it also has a "Sandbox" and it also sandboxed the file. I disabled it, which only leaves the XP firewall and my router firewall, and I got a FAIL. So obviously XP's firewall fails the test and perhaps all or most routers do as well. But Comodo Internet Security passes the test.

I was new to this SPF thing. I believe there is something kind of similar with the "MX record" or something like that, which has been in use, and obviously didn't help anything. PRIOR to this particular event, (probably the same terrorist) did this on a MUCH smaller scale and the SPF was created back then. Obviously, that too didn't prevent this recent attack! I asked my host about that, and he said:

"SPF records do not affect this type of issue. If an attacker has your password, they can gain authenticated access regardless of what your DNS zone file looks like."

True??

-Clint

----- Original Message -----
From: "Karl Springer"

On 28 Aug 2013 at 0:49 -0500, Clint Hamilton-PCWorks Admin wrote, at least in part:

> I have been for many years, and still always visit
> https://www.grc.com/default.htm and do the "ShieldsUp" test
> (near the bottom), and it has ALWAYS been ALL GREEN, "STEALTH"
> for ALL ports. I ran it again a few days ago, and now for
> some reason port 25 is no longer "Stealthed"! ... I do not
> understand why it would now be "Closed" and no longer
> "stealthed" as it's been for many years.

No problem here. Unable to offer any suggestions on how to fix.

> I don't even use port 25! All of my domain email uses port
> 26 (and Gmail uses port 465).

Re Gmail, one source says Port 587 is for IMAP and uses TLS while Port 465 is for POP and uses SSL. When using POP, are there any negatives using Port 587?

> I have FOUR firewalls that have remained unchanged. (Windows
> XP, Kaspersky, Comodo Internet Security, and my router).

When I ran GRC's Firewall Leakage Tester v1.2, <https://www.grc.com/lt/leaktest.htm>, my system failed. What firewalls pass this test?

> The reason this is of great concern to me, is recently something
> was hacked and some cyber-terrorist sent out over TWO
> HUNDRED THOUSAND BS emails using one of MY domain addresses!
> (It goes without saying that the originating IPs of course
> were on RIPE, with most of them being in Russia).

Did the hackers change your SPF (Sender Policy Framework) configuration settings?

Karl

----- Original Message -----

Hi all,

I'm hoping someone can tell me what's going on here. I have been for many years, and still always visit https://www.grc.com/default.htm and do the "ShieldsUp" test (near the bottom), and it has ALWAYS been ALL GREEN, "STEALTH" for ALL ports. I ran it again a few days ago, and now for some reason port 25 is no longer "Stealthed"! It is "CLOSED", NOT "open", but still that bothers me because port 25 is SMTP (outgoing) mail. I do not understand why it would now be "Closed" and no longer "stealthed" as it's been for many years. I don't even use port 25! All of my domain email uses port 26 (and Gmail uses port 465).

I have FOUR firewalls that have remained unchanged. (Windows XP, Kaspersky, Comodo Internet Security, and my router). I even went into Comodo to its "Stealth Ports Wizard" and chose the option: "Block all incoming connections and make my ports stealth for everyone", and that did nothing different. (Yes, I know it says "INcoming" but I thought that may help anyway). Any ideas on what could have changed this, and how do I get it back to "Stealthed" again?

The reason this is of great concern to me is that recently something was hacked and some cyber-terrorist sent out over TWO HUNDRED THOUSAND BS emails using one of MY domain addresses! (It goes without saying that the originating IPs of course were on RIPE, with most of them being in Russia). My hosts immediately contacted me, and before I could even reply they changed the password for my cPanel login (GUI control interface for all domain functions), and the password on the spoofed email address. This halted it as soon as possible. And I WAS using a ridiculously long and incredibly complicated password. A "dictionary" attack would NOT have worked.

It also goes without saying....but I will anyway, that I ran scans with all of my anti-malware programs, more than a dozen of them, and they found NOTHING. (I also always have all kinds of security programs running all the time). I still haven't a clue as to how this happened, but the fact that my port 25 is no longer "Stealthed", and this spoof, is too close to be a total coincidence to me.

Thanks,
-Clint

=========================
The list's FAQ's can be seen by sending an email to PCWorks-request@xxxxxxxxxxxxx with FAQ in the subject line.
To unsubscribe, subscribe, set Digest or Vacation to on or off, go to //www.freelists.org/list/pcworks . You can also send an email to PCWorks-request@xxxxxxxxxxxxx with Unsubscribe in the subject line.

Your member list settings can be found at //www.freelists.org/cgi-bin/lsg2.cgi/l=pcworks . Once logged in, you have access to numerous other email options.

The list archives are located at //www.freelists.org/archives/pcworks/ . All email posted to the list will be placed there in the event anyone needs to look for previous posts.
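The thread turns on the difference between ShieldsUp reporting a port as "Stealth" versus "Closed". The distinction is purely about how the machine (or a firewall in front of it) answers a TCP SYN: a silently dropped SYN produces no reply at all and the probe times out ("stealth"); a host that answers with a RST is refusing the connection, which proves there is a live machine there ("closed"); a completed handshake means something is listening ("open"). The following Python probe, written as an added example for this thread and not code from any of the participants or from GRC, reproduces that three-way classification locally. The `demo_local_open_and_closed` helper is constructed for illustration: it opens a listener on 127.0.0.1 to show "open", then closes it so the same port shows "closed". A "stealth" result can only be observed against a host whose firewall DROPs rather than REJECTs the packet, so the example documents that branch instead of exercising it.

```python
import socket
from typing import Tuple


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way ShieldsUp labels it.

    "open"     - the TCP handshake completed, so a service is listening.
    "closed"   - the peer answered the SYN with a RST (ConnectionRefusedError):
                 nothing listens, but the host is clearly alive and reachable.
    "stealth"  - no answer within the timeout: a firewall DROPped the SYN, so
                 an outside observer cannot even tell a host is there.
    "unreachable" - the probe never left (no route, name failure, etc.).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # A RST came back: this is a REJECT, not a DROP.
        return "closed"
    except socket.timeout:
        # Nothing came back at all: the SYN was silently discarded.
        return "stealth"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def demo_local_open_and_closed() -> Tuple[str, str]:
    """Constructed demonstration on the loopback interface.

    Returns (state_while_listening, state_after_listener_closed), which on a
    normal host is ("open", "closed"). The "closed" case is exactly what the
    thread's poster saw for port 25: the kernel answers with RST because no
    firewall rule drops the packet first.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    before, after = demo_local_open_and_closed()
    print(f"listening: {before}, after close: {after}")
```

The practical consequence for the poster's question is that "closed" is not a sign of compromise by itself; it means that something in the path (the router, the ISP, or the host firewall policy) now answers port 25 with a RST instead of dropping the packet. A firewall configured to REJECT yields "closed"; one configured to DROP yields "stealth". Checking the router's WAN-side rules for port 25, and whether the ISP has started filtering outbound SMTP, is where to look; it is unrelated to a stolen cPanel password.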
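The host's answer about SPF ("if an attacker has your password, they can gain authenticated access regardless of what your DNS zone file looks like") is easiest to see by running an SPF check by hand. SPF evaluates only the IP address that connects to the receiving mail server; it knows nothing about who authenticated to the sending server. The evaluator below is an added example for this thread, not the host's or any participant's code, and implements the `ip4`/`ip6`/`all` mechanisms of RFC 7208 with their qualifiers (mechanisms that need DNS lookups such as `include`, `a` and `mx` are deliberately not supported). All addresses and the record are constructed from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and stand in for the poster's real hosting setup.

```python
import ipaddress

# Result names per RFC 7208 section 2.6.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record (ip4/ip6/all subset) against the connecting IP.

    The only input SPF has is client_ip, the address of the MTA that is
    delivering the message. The record never sees the SMTP AUTH username.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            # Modifiers (exp=, redirect=) are ignored by this subset.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # no mask -> host
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism '{mech}' requires DNS lookups")
    # Record ran out without a match and had no 'all': RFC 7208 says neutral.
    return "neutral"


# Constructed record: the domain authorises exactly one outbound mail host.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.10 -all"
LEGIT_MAIL_HOST = "203.0.113.10"     # the hosting provider's MTA (constructed)
RANDOM_BOTNET_IP = "198.51.100.7"    # an unrelated sender (constructed)


def compare_scenarios() -> dict:
    """Show why SPF stops forgery but not authenticated abuse.

    Scenario 1: a third party forges the From address and sends directly from
    its own IP. SPF sees 198.51.100.7, which is not authorised -> "fail".
    Scenario 2: an attacker who holds the mailbox password logs in to the
    legitimate server and relays through it. SPF sees 203.0.113.10, which IS
    authorised -> "pass", exactly as the host explained.
    """
    return {
        "forged_from_elsewhere": evaluate_spf(SAMPLE_RECORD, RANDOM_BOTNET_IP),
        "authenticated_via_real_server": evaluate_spf(SAMPLE_RECORD, LEGIT_MAIL_HOST),
    }


if __name__ == "__main__":
    for scenario, result in compare_scenarios().items():
        print(f"{scenario}: {result}")
```

The two scenarios make the host's point concrete: SPF is a defence against senders forging the domain from their own infrastructure, and it does nothing once the mail is relayed through the domain's own authorised server with valid credentials. The controls that address the second case are on the account itself (rotating the password, enabling SMTP AUTH rate limits or sending quotas at the provider, and reviewing the server's authentication logs for the source addresses of the logins), not in the DNS zone.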