Main question:
Is it even possible to be infected with a bot/spamming software on Ubuntu (or any other distro)?
Details:
My ISP blocked my port 25 (and 465) for outgoing connections (outbound connections, from home to remote server) to SMTP, so I can't use my business emails from home right now. Their reasoning for blocking me is: "because of you sending spam" which I'm not and they told me that if I'm not sending then my OS is probably infected...
I could use a comprehensive list of tools and guides to check the system (Ubuntu 13.10 14.04 64bit) for any infiltrations/malware/rootkits.
P.S.
I also have Windows 8.1 (64bit) installed just because I also like to game on my home computer... but that's what I only do on Windows...when I have time...
Wireless is off and even if it's on it's password protected.
Scanning of Windows didn't reveal anything, nor should it have, since there's Windows and games installed there. I can connect to other ports for SMTP but our server uses 25 and that cannot change.
I also tested connecting to port 25 from windoze (using Thunderbird).
I use Thunderbird as my email client on Ubuntu and tested a few others just to verify that it was not a misconfiguration of Thunderbird.
Telnetting also results in a connection timeout...
EDIT:
My ISP still refuses to unblock me...
Maybe I'll have to open up 587 on the server, since that isn't blocked at the moment (I can still use Gmail)
EDIT 2:
I guess today I was connected with another tech from my ISP's support, who told me that there isn't a block from them... I was furious!!! I don't know what the previous tech was doing... maybe he is new and was reading from a script...
So I tested another ISP via tethering from my phone and I successfully managed to send emails through port 25. Essentially I didn't change anything, only the ISP. Are they kidding me? Maybe the tech support doesn't know how to interpret what they're looking at on their screens for my account, or could it be something else?
Another step I took was to fully reset my router to its default settings and get another dynamic IP. Still no connection to port 25.
I'm planning to get a used router from some friend or something to test with another router just to be sure the problem lies with my ISP.
EDIT 3: It's been a while since my last update to this question. I moved back to my old house (which is in a different part of the country) where I have the same internet provider. The same company!! My settings just work as expected. I can send emails just fine using port 25. I bet the problem was with that nasty ZTE router that the ISP hands out to new customers.
Is it even possible?
Why wouldn't it be? Ubuntu is a really flexible system that shares many problems with most other operating systems:
Let's just be realistic about security here. A cross-platform Flash exploit could easily translate into a dropper loading and installing a spam daemon that runs itself on login. It doesn't need root.
Double-check the ISP's story
"But my ISP wouldn't lie to me!" said nobody ever. Many home ISPs do habitually block port 25 and others force you to use their SMTP servers (that's the only outgoing p25 connection they'll allow).
Being a moderator allows me to see your IP and I've checked your home ISP. If you google their name and "port 25" or "smtp", you'll see a lot of other people in similar situations. And they do have a central SMTP server.
I know you said this is a new issue but just double check it's not your ISP (or needing the right settings while on your ISP). The workaround at the end should still work for you.
Finding the problem
Though possible, I'm still not sure it's the most likely target. If you're anything like me, you're surrounded by internet connected devices and you need to look at them all.
I would start by asking the ISP for some evidence. Timestamps at the bare minimum but it would be great to see what they're using to make sure it's not an auto-flag gone wrong.
It could be that somebody has flagged a work email with the ISP's abuse department.
You need to know what OS you were using at the time. Both Ubuntu and Windows keep auth logs so compare them against any evidence they can send you.
Log outgoing port 25 activity with something like:
I'm honestly not sure if that will work if you're being blocked already but it's worth a shot. Various Windows firewalls will offer you various logging alternatives.
Note that any device on your connection could be sending emails, not just your computer. Phones, wifi-enabled toasters, naughty neighbours, etc. Finding whatever is sending this mail could require a network level packet interception and logging. This is all possible but it's a pain in the rear.
Once you've exhausted more likely avenues, take your pick of Linux antivirus software. I can't personally speak for any of them or their detection rates.
Working around a block immediately
If you need to carry on, the easiest way to carry on sending email is through some sort of obfuscated or encrypted connection. If you have access to an SSH server (eg at work) that can often be the best method.
Then just alter your email client to use a SOCKS proxy address localhost, port 9100. Your ISP won't be able to interfere with this and I'd be very surprised if whatever's sending the spam could guess the SOCKS configuration.
What's most likely in this case...?
Check to see if you can send email through your ISP's SMTP server. I've checked, yours has one. They might be forcing all their users to use it as that's very common. The tech support person might just be confused.
Ask another user (with another account, on another telephone line) to try connecting to your company's SMTP. This can be done quickly with telnet example.com 25. If they can't connect, assume this is ISP-wide (not just your account) so it's probably not a security issue... It's just something you'll have to work with or work around.
If they can connect, you're back at square one. There has been something sending email from your network that has triggered your ISP to block you. Virus sweeps, traffic monitoring and paranoia are your best friends here.
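Oli's answer says to log outgoing port 25 activity and warns that any device on the connection could be the sender, but the logging command itself is not quoted above. The script below is an added example of mine, not Oli's command. It assumes the kernel firewall is logging new TCP/25 connections with rules like "iptables -I OUTPUT -p tcp --dport 25 --syn -j LOG --log-prefix 'SMTP-OUT '" (and the same on FORWARD with prefix 'SMTP-FWD ' if the Linux box is the household router), and it parses the resulting kern.log lines offline. The sample log lines, hostnames and addresses are constructed.

```python
"""Summarise outbound TCP/25 connection attempts from iptables LOG lines.

Assumes LOG rules on OUTPUT (and FORWARD, when this box routes for the
LAN) tagged SMTP-OUT / SMTP-FWD; see the lead-in. Sample lines below are
constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed kern.log excerpt: the workstation (192.168.0.101) talks to the
# company mail server, while some other LAN device (192.168.0.23) fans out
# to several unrelated mail servers in quick succession.
SAMPLE_LOG = """\
Jun 12 09:58:01 homebox kernel: [ 812.001] SMTP-OUT IN= OUT=eth0 SRC=192.168.0.101 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=54321 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 09:58:02 homebox kernel: [ 813.002] SMTP-OUT IN= OUT=eth0 SRC=192.168.0.101 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=54322 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:02:17 homebox kernel: [1068.017] SMTP-FWD IN=wlan0 OUT=eth0 SRC=192.168.0.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:02:18 homebox kernel: [1069.018] SMTP-FWD IN=wlan0 OUT=eth0 SRC=192.168.0.23 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9002 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:02:19 homebox kernel: [1070.019] SMTP-FWD IN=wlan0 OUT=eth0 SRC=192.168.0.23 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9003 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:05:00 homebox kernel: [1231.000] SMTP-OUT IN= OUT=eth0 SRC=192.168.0.101 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=54321 DPT=25 WINDOW=229 RES=0x00 ACK URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict,
    plus the bare TCP flag words (SYN, ACK, ...) under "FLAGS".
    Lines that are not firewall log lines return None."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # Flag words sit between RES=... and URGP=... without an '=' sign.
    m = re.search(r"RES=\S+\s+(.*?)\s+URGP=", line)
    fields["FLAGS"] = set(m.group(1).split()) if m else set()
    return fields


def summarize_smtp_attempts(log_text, known_clients, known_servers):
    """Count new outbound TCP/25 connections per internal source address.

    Only SYN-without-ACK packets count, so the rest of an established
    session is not double counted. known_clients are the internal IPs
    expected to speak SMTP (your workstation); known_servers are the
    company mail servers. Any other source, or any source spreading
    connections over several mail servers, is listed as suspicious."""
    per_src = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue  # not the first packet of a new connection
        entry = per_src[f["SRC"]]
        entry["attempts"] += 1
        entry["destinations"].add(f["DST"])
    suspicious = sorted(
        src for src, e in per_src.items()
        if src not in known_clients
        or not e["destinations"] <= known_servers
        or len(e["destinations"]) > 1
    )
    return {"per_source": dict(per_src), "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize_smtp_attempts(SAMPLE_LOG, {"192.168.0.101"}, {"203.0.113.10"})
    for src, e in report["per_source"].items():
        print(src, e["attempts"], "new connections to", sorted(e["destinations"]))
    print("suspicious sources:", report["suspicious"])
```

On a real box, feed it the output of "grep SMTP- /var/log/kern.log" instead of SAMPLE_LOG; a source that fans out to many different mail servers in seconds is the pattern a spam bot leaves, whereas a mail client talks to one server.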
It's certainly possible to be infected and part of a botnet in Ubuntu. But it's also really really unlikely.
You should be able to ask your ISP for their records. They will help you find the problem. It's hard to diagnose it from here, but your wireless has a good chance of being the culprit. Please check that you are using WPA2 for security and WPS is disabled.
After you resolve your problem and stop sending spam for a while, you can probably talk your ISP into unblocking your ports.
It's common practice to block outgoing port 25, as, due to spamming concerns, it has become discouraged for original submission of email. It's still used between mail servers.
The proper (and typically not blocked) port for submitting (original) email is port 587, the so-called submission port. Mail providers typically support it, and system operators typically do not block it.
Many ISPs block ports 25 and 80 for all their consumer accounts. I use a web hosting service that includes email service. They provide me with an SMTP server on a non-standard port for outgoing email. It works anywhere. You may well have access to something similar. Think about what services you already have, and investigate them.
Many of the other answers focus on someone using your wifi or infecting your machines. These are possible but they overlook the simplest explanation (Occam's razor...).
You are most likely acting as an open relay, which means that anyone in the world can connect to your machine and just ask it nicely to send mail somewhere, and you will do it, no questions asked. This is frequently why ISPs will block you, because it is a simple test for them to do. They will scan their customer IP block and ask anything on port 25 to relay a test message and if you do, you are a spammer. It may be the case that no one is actually using your relay, but its mere existence is enough to be blocked.
To test if you are an open relay, telnet to your mail server and talk to it. The bold lines are the ones you type.
The lines you type are the helo, mail from: and rcpt to: lines. Make sure you use addresses that are not local to you; both need to be remote hosts. If you do not get the error 554 relay denied, then you are a misconfigured spam gateway and rightfully blocked.
The simplest way to remedy this is to require authentication to send mail through your MTA. The details to set this up depend on the MTA you are running, a detail which is not present in your question.
Just to ensure you don't have something bad running on your Linux box or network.
Check your network yourself
Start by running this on your Linux machine at home:
This will list all the TCP connections that are either established or listening (with the servers behind them). If there's anything you don't expect, you should investigate further.
Another very useful command, which lists all the processes together with the internet connections they hold open, is:
(you will need to have the lsof package installed.)
Note that the above tests will not cover other devices sharing your internet connection: phones, tablets, internet-enabled gadgets, neighbors piggybacking on your connection etc., as Oli mentioned. If you have a list of your internal IPs, you may run an external port-scan on each of them, one by one, from your Linux box:
(requires the nmap package). It might reveal ports and services open on various devices that you may not be aware of.
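The netstat and lsof commands this answer refers to are not quoted above. As an added example (mine, not the answerer's), here is where those tools get their data: the kernel's /proc/net/tcp table, whose hex addresses are decoded and whose socket inode is mapped back to a PID through /proc/<pid>/fd. The /proc/net/tcp excerpt below is constructed (a local listener on 127.0.0.1:25 and a uid 1000 process connected out to 203.0.113.10:25); the live functions read the real /proc on a Linux box and, like lsof, need root to see other users' processes. IPv6 sockets live in /proc/net/tcp6 and are not handled here.

```python
"""How netstat -p / lsof -i find out who owns a socket: parse /proc/net/tcp,
decode the hex addresses, and map the inode to a PID.

The sample table is constructed for this example; parse_proc_net_tcp()
accepts the real file as well.
"""
import os
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp excerpt: an MTA listening on 127.0.0.1:25 and a
# user process (uid 1000) connected out to 203.0.113.10:25 from 192.168.0.101.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18811 1 0000000000000000 100 0 0 10 0
   1: 6500A8C0:D431 0A7100CB:0019 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'0100007F:0019' -> ('127.0.0.1', 25). The kernel prints the IPv4
    address as a host-order 32-bit value, i.e. little-endian on x86."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the table into dicts with decoded local/remote endpoints,
    state name, owning uid and socket inode."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        entries.append({
            "local": decode_addr(cols[1]),
            "remote": decode_addr(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return entries


def smtp_related(entries):
    """Sockets worth a second look when hunting a spam sender: anything
    talking to a remote port 25, or anything listening on port 25 locally
    (a possible relay)."""
    return [e for e in entries
            if e["remote"][1] == 25
            or (e["state"] == "LISTEN" and e["local"][1] == 25)]


def pid_for_inode(inode):
    """Live lookup (Linux only): scan /proc/<pid>/fd for socket:[inode].
    Returns None when not found or not permitted to look."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited or permission denied
            continue
    return None


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    for e in smtp_related(live):
        print(e["state"], e["local"], "->", e["remote"],
              "uid", e["uid"], "pid", pid_for_inode(e["inode"]))
```

Once you have the PID, /proc/<pid>/exe and /proc/<pid>/cmdline tell you what binary holds the connection, which is the piece of evidence to compare against the timestamps the ISP sends you.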