[Archived] Mail "hijacked"?


My household's ISP suspended our account today. We only found out after ringing up to complain about being disconnected from the internet, but to cut the long story short they finally let us back on.

It was only then I found out the real reason it was disconnected by checking the main email account hosted by the ISP (I was never told over the phone, except given a host of possibilities); one of the email accounts hosted by the ISP was being used to send virus(es) via email.

I came to the logical conclusion that it was hijacked via virus/trojan/whatever and just plain deleted that account. Whether I am correct or not is no matter to me, since I will not take chances (pending future suspension of seven days) and the account was not terribly important. I have also not connected the laptop that the email account was accessed on to the internet since.

Would I be right to think that it was a virus or insecurity via the laptop which caused the email address to be "hijacked"? Of course, there is the possibility that the user unintentionally sent a virus via email, which is possible since they are not advanced users, but I doubt that (which won't stop me from trying to prevent such instances in the future, by the way).

If I am not correct, what could possibly be the reason why this happened in the first place?

If I am correct, was I right to delete the account and would I be right to then re-install the OS on the laptop and start it off with as much security - in the form of firewalls, anti-virus, spyware, etc., etc. - as possible? Whatever files on the laptop itself are necessary can be backed up quite easily.

Basically, I just want to know the cause and apply the correct solution.

Any help on this subject is greatly appreciated, since I am in the dark about this. I know what to do and what not to do when it comes to general internet and email use, so I have never had any real problems myself.


First off, if this is the reason that you were going to reinstall Windows then hold on. 9 times out of 10 updating your virus definitions and running a full scan (in safe mode with system restore off) should get rid of such a problem.

Each time you connect to the Internet with your ISP you are given an IP address. This IP can become blacklisted if lots of spam is received from it. The ISP would have taken the steps they did to prevent this IP from being blacklisted (as if you logged off you could get another IP the next time you come in and cause problems for that too).

You say that you have deleted the email address - I don't think you needed to do this (your ISP should have explained). The virus would have been on your machine and will just use your mail client to send out the spam. After you run your checks, call the ISP and say you have removed the infection but also ask them to make sure they call you if they receive any more warnings - which they probably will from somewhere like SpamCop. This way, if they try and cut you off again you can say that you spoke to such and such and they said that they would let you know if any warnings came through (you get so many warnings before actually being blacklisted).

See what they say
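
The blacklisting described in the reply above can be checked directly with a DNS blocklist (DNSBL) lookup. The following is an added example, not part of the original thread: the zone `bl.spamcop.net` is assumed because the reply names SpamCop, the function names are hypothetical, and the sample addresses and the offline resolver are constructed.

```python
import ipaddress
import socket

DNSBL_ZONE = "bl.spamcop.net"  # assumption: SpamCop's public list, named in the reply

# DNS errors that mean "no such record", i.e. the address is not listed.
_NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the list's zone (RFC 5782 format)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Return (listed, answer); raise on lookup failures that prove nothing."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno in _NOT_FOUND:
            return False, None  # NXDOMAIN: not on this list
        raise  # timeout or server failure: unknown, so do not report "clean"
    # A real listing answers inside 127.0.0.0/8; anything else is a resolver
    # rewriting NXDOMAIN (for example to a search page), not a listing.
    return ipaddress.ip_address(answer).is_loopback, answer


def constructed_resolver(name):
    """Offline stand-in for DNS (constructed data): only 192.0.2.10 is listed."""
    table = {"10.2.0.192.bl.spamcop.net": "127.0.0.2",
             "20.2.0.192.bl.spamcop.net": "203.0.113.80"}  # rewritten NXDOMAIN
    if name in table:
        return table[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_listed(ip, resolve=constructed_resolver))
```

Calling `check_listed` with the connection's current public IP and the default resolver performs the real lookup; a dynamic IP changes between sessions, so the result only describes the address held at that moment.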


First off, if this is the reason that you were going to reinstall Windows then hold on. 9 times out of 10 updating your virus definitions and running a full scan (in safe mode with system restore off) should get rid of such a problem.

Each time you connect to the Internet with your ISP you are given an IP address. This IP can become blacklisted if lots of spam is received from it. The ISP would have taken the steps they did to prevent this IP from being blacklisted (as if you logged off you could get another IP the next time you come in and cause problems for that too).

You say that you have deleted the email address - I don't think you needed to do this (your ISP should have explained). The virus would have been on your machine and will just use your mail client to send out the spam. After you run your checks, call the ISP and say you have removed the infection but also ask them to make sure they call you if they receive any more warnings - which they probably will from somewhere like SpamCop. This way, if they try and cut you off again you can say that you spoke to such and such and they said that they would let you know if any warnings came through (you get so many warnings before actually being blacklisted).

The virus scanner didn't come up with anything. The ISP was terrible and didn't even explain the reason on the phone; just a list of possibilities. The woman on the phone from customer service went off about the wireless possibly being hacked/hijacked, which I have shut off for the time being. WEP is fairly crap, I presume, compared to WPA and this could be the/a problem? (The wireless has WEP and is NOT being broadcast... it's "invisible" and the laptops have to be configured manually to pick it up. EDIT: I also had access control turned on, so I had to pre-approve laptops centrally from being able to even pick up the signal in the first place, never mind connect.)

(The laptop has kind of slowed down in recent times which is why I am thinking about a clean installation. This only triggered that line of thought.)


To be fair to the ISP, their job is to provide you with a connection (and maybe email address). If both of these things are working then that's their job done and all they can do is give you a list of what it might be - like any ISP will tell you, if you can't fix it you will need to get someone out who can.

First of all, it could be possible, like they say, that it's not you and it's someone using your broadband connection wirelessly. As they are using your connection they are of course using the same IP. When you also say that your machine is running slow, is this for everything (simply opening the start menu/Word etc.)? If it's just browsing the internet then this again could be someone using all of your bandwidth up. What you need to do is to make sure that you have your wireless secured properly. Even moving your router to a different room may help (as the signal may not be as good for them to use).

I always say that a reinstall is a last resort option but if you have tested all other avenues then give it a go.


To be fair to the ISP, their job is to provide you with a connection (and maybe email address). If both of these things are working then that's their job done and all they can do is give you a list of what it might be - like any ISP will tell you, if you can't fix it you will need to get someone out who can.

But they did tell me what it was via email, which is why I was surprised they did not do so via the phone. And I wouldn't have been able to find out (in theory, but I could use uni to find out) without accessing the email, which they obviously restricted my access to by cutting off access to the internet.

When you also say that your machine is running slow, is this for everything (simply opening the start menu/Word etc.)? If it's just browsing the internet then this again could be someone using all of your bandwidth up.

General computer use, not the internet. I haven't experienced any slowness via the internet.

What you need to do is to make sure that you have your wireless secured properly. Even moving your router to a different room may help (as the signal may not be as good for them to use).

Well, it's secured "properly" but via WEP, which reading some BBC articles (specifically on WPA-2) recently seems to be very weak.

I was cautious about using WPA(-PSK) because of the short key "lifetime" (999 minutes), which I thought meant you had to update the key every so often, but from what I'm reading it looks like that might not be the case. It seems as if you have a "window of opportunity", so to speak, to use that key and connect and then you don't have to worry about it after that. Grr, I can't get a straight answer from Googling, so if you know any different I would appreciate it.


By the way, there is a good reason why I suspect it is not wireless hijacking. Only one email address was targeted specifically. This email address is only accessed from one computer. It is an ISP email. The time the virus sent by email was first detected was on the 15th of this month. During that time the laptop was hundreds of kilometres away on a dial-up connection.


Archived

This topic is now archived and is closed to further replies.
