Mass E-mail Virus from a Mac?

Salty
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Jul 25, 2011, 03:17 PM

Hey all, was just on the phone with a customer at my new job, whose email was being flagged because spam was being sent from her IP addy. She mentioned having a Mac and the guy I was shadowing basically told her she had a virus and to get it fixed.

I'm wondering, has anyone heard of any trojans or viruses for OS X, specifically regarding sending out spam?

The account stated that the woman didn't have a wireless router, though I'm not sure if she simply didn't know what that was. I'm still inclined to wonder if she has an open network that a PC box is connecting to.

Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Jul 25, 2011, 04:10 PM

Either her account got hacked, or her e-mail provider has an open relay, or she had installed a variant of that recent trojan.

Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Jul 25, 2011, 04:16 PM

The only thing out there that I know of is the Mac Defender malware. But she would have had to actually download it and install it herself. And, even then, I don't believe it actively sends out spam. It just asks you to provide your credit card number. It's just phishing, as far as I know.

But an active trojan pumping out spam? Not that I've heard of. I think your thought about a PC on a network may be correct.

seanc
Moderator Emeritus
Join Date: Apr 2005
Location: Cambridge, UK
Jul 25, 2011, 04:30 PM

So... you work at an ISP by any chance or just tech support?

How about the idea that her service uses dynamic IPs and she's picked up one which was being used to solicit spam, or the dynamic IP range of her ISP is being blocked due to abuse.

Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Jul 25, 2011, 05:10 PM

All dynamic IPs are automatically blacklisted for spam purposes as they are not intended to be used to send mail.
When you send email from a standard broadband line, you almost always relay it through an SMTP server. If you use gmail it will be a Google SMTP server, but Apple, Yahoo, Microsoft and many others including all ISPs run their own SMTP servers.
ISP SMTP servers don't reject dynamic IPs because they recognise that the IP is on their own network. This is why many of them don't require authentication to relay mail from their broadband lines. Google, Apple etc will require authentication to relay mail because they accept it from any IP.

Using SMTP without authentication can be a pain for laptop users who can find themselves unable to send mail when they are not at home (or on a broadband line belonging to the same ISP they use).

If her email is being rejected as spam, chances are the relay server has been blacklisted because someone with a PC got a virus and sent out a load of spam. I found a whole stack of Google SMTP servers that had been blacklisted the other week, so it's not a case of it only happening to smaller operators either. In fact, the more users you have, the more likely someone will report you for sending spam and you'll get blacklisted.
Also, one of the most commonly used blacklists has been really screwy of late, registering a whole ream of false positives in its spam database.

A tech support rep who knows what they are doing would have found out the email domain, looked up the mailserver(s) and checked the blacklists for entries. Best way to do all of that is with mxtoolbox.com.
I have plenty of more important things to do, if only I could bring myself to do them....
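The blacklist check described in the post above (look up the mail server's address, then query the blacklists for it) is a plain DNS lookup, and the "dynamic IPs are automatically blacklisted" claim corresponds to the PBL component of Spamhaus ZEN. The following is an added example, not code from the thread or from mxtoolbox: it builds the reversed-octet (or reversed-nibble, for IPv6) query name, asks for the A record, and decodes the 127.0.0.x answer. The return-code meanings are the ones Spamhaus publishes for ZEN and are an assumption about that one list; other lists use their own codes, and the sample answers are constructed so the script runs offline. Looking up the domain's MX records first needs a DNS library such as dnspython, which is left out here.

```python
"""Check an IP address against a DNS blacklist (DNSBL).

A DNSBL is queried by reversing the address octets (nibbles for IPv6),
appending the list's zone, and asking for an A record. An answer in
127.0.0.0/8 means "listed"; the last octet says why. NXDOMAIN means clean.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Return codes published by Spamhaus for the ZEN zone (SBL + XBL + PBL).
# Assumption: codes are as documented at the time of writing; other lists
# use their own meanings, so unknown codes are reported as "listed, code X".
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.4": "XBL: compromised host (malware, open proxy, botnet)",
    "127.0.0.5": "XBL: compromised host",
    "127.0.0.6": "XBL: compromised host",
    "127.0.0.7": "XBL: compromised host",
    "127.0.0.9": "SBL DROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-declared dynamic/end-user range, not meant to send mail",
    "127.0.0.11": "PBL: Spamhaus-declared end-user range",
}
# Codes that signal a query problem rather than a listing (also per Spamhaus).
ERROR_CODES = {
    "127.255.255.252": "typing error in the query name",
    "127.255.255.254": "query came from a public/open resolver and was refused",
    "127.255.255.255": "query volume limit exceeded",
}

Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets (v4) or nibbles (v6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def system_resolve(name: str) -> List[str]:
    """Resolve an A record with the OS resolver; NXDOMAIN (not listed) -> []."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


@dataclass
class Verdict:
    ip: str
    zone: str
    listed: bool
    reasons: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def check_ip(ip: str, zone: str, resolve: Resolver = system_resolve) -> Verdict:
    """Query one DNSBL zone for one address and decode every answer record."""
    verdict = Verdict(ip=ip, zone=zone, listed=False)
    for answer in resolve(dnsbl_name(ip, zone)):
        if answer in ERROR_CODES:
            verdict.errors.append(ERROR_CODES[answer])
        elif ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            verdict.listed = True
            verdict.reasons.append(ZEN_CODES.get(answer, f"listed, code {answer}"))
        # Anything outside 127/8 is not a listing (e.g. a wildcard-hijacked
        # domain); it is ignored rather than reported as a false positive.
    return verdict


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for system_resolve, fed from a constructed table."""
    return lambda name: table.get(name, [])


# Constructed sample answers (not real lookups): a PBL-listed dynamic address,
# an infected host that is also in a dynamic range, a clean relay, and a query
# refused because it arrived through a public resolver.
SAMPLE_ANSWERS = {
    dnsbl_name("192.0.2.10", "zen.spamhaus.org"): ["127.0.0.10"],
    dnsbl_name("198.51.100.7", "zen.spamhaus.org"): ["127.0.0.4", "127.0.0.10"],
    dnsbl_name("203.0.113.25", "zen.spamhaus.org"): [],
    dnsbl_name("203.0.113.99", "zen.spamhaus.org"): ["127.255.255.254"],
}


def demo() -> List[Verdict]:
    """Run the four constructed cases through the offline resolver."""
    resolve = fake_resolver(SAMPLE_ANSWERS)
    return [check_ip(ip, "zen.spamhaus.org", resolve)
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.25", "203.0.113.99")]


if __name__ == "__main__":
    for v in demo():
        state = "LISTED" if v.listed else "not listed"
        print(f"{v.ip:15} {state}: {'; '.join(v.reasons or v.errors) or 'clean'}")
```

Two caveats worth keeping in mind when running this against a real zone: Spamhaus refuses queries that arrive through large public resolvers (hence the 127.255.255.254 case), so run it from a resolver you control; and a PBL hit on a customer's own broadband address is expected and says nothing about infection, whereas an XBL hit on that address is exactly the "compromised host" signal the thread is discussing.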

besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 25, 2011, 11:47 PM

Why do these ISPs seem to associate problems with IP addresses and not MAC addresses?

Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Jul 26, 2011, 04:42 AM

It's not the ISPs. Blacklists are hosted independently by other organisations.

Besides this, MAC addresses can be easily spoofed and a lot of spam is sent using compromised hardware without the owner's knowledge.

besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 26, 2011, 05:41 AM

Originally Posted by Waragainstsleep:
> It's not the ISPs. Blacklists are hosted independently by other organisations.
>
> Besides this, MAC addresses can be easily spoofed and a lot of spam is sent using compromised hardware without the owner's knowledge.

But a MAC address that matches the MAC address of your machine registration paired with a valid IP address is far more reliable than just a DHCP-issued IP address, unless that ISP keeps a database of timestamps for new DHCP leases.

I'm not referring to email black/blocklists either; I'm referring to the mechanism by which ISPs send their customers notices about their machines being compromised.

Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Jul 26, 2011, 06:51 AM

Well, that's a slightly different issue. I don't often see that happen, to be honest. It's usually a recipient who informs someone they are sending out viruses; UK ISPs are quite hands-off in this regard.

turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 26, 2011, 08:48 AM

Originally Posted by besson3c:
> But a MAC address that matches the MAC address of your machine registration paired with a valid IP address is far more reliable than just a DHCP-issued IP address, unless that ISP keeps a database of timestamps for new DHCP leases.

It's also a privacy issue. All hell would break loose if ISPs tracked users' MAC addresses and paired them up with other user data.

-t

besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 26, 2011, 02:57 PM

Originally Posted by turtle777:
> It's also a privacy issue. All hell would break loose if ISPs tracked users' MAC addresses and paired them up with other user data.
>
> -t

They track all of this data now, AFAIK...