On Thu, 25 Apr 2013 20:48:18 GMT, nos...@please.invalid (AnthonyL)
wrote:
>I'm stuck as to how to uncover the culprit if there is one.
Don't try to find the culprit until after you've sniffed the WAN side
traffic to make sure there's actually something worth uncovering. This
won't be the first time an ISP has made a mistake. I dealt with an
accounting package that would send an email (using its own SMTP
client) every time the program would startup. The problem was that it
was being run under Virtual Box, which somehow convinced the program
that it should spew announcements every 5-10 minutes. The ISP was
looking for identical messages, and found that mess. It took me a
month to identify the culprit as I wasn't sniffing when the bookkeeper
was using the machine. Anyway, try to see what's moving. The culprit
is usually obvious once the traffic is identified.
>I haven't yet tested the Toshiba Android Tablet, and I don't know how
>to test the Windows HP514 or the Nokia E72 smartphones but their
>wirelesses are rarely on. I assume the Wii is safe.
I have no idea, nor do I think it's a good assumption to assume
anything is safe.
<http://www.infosecurity-magazine.com/view/30982/android-spambot-blended-threats-top-mobile-spam-threats-in-2013/>
>The one thing that seems to generate traffic when the machine is not
>busy is Skype which is installed on both machines.
That's normal. Skype uses a distributed directory server scheme,
where everyone can act as directory server. Skype tends to generate
lots of traffic. Shut it down while testing to avoid clutter.
>I have NetWorx (http://www.softperfect.com/) running so I easily can see any activity
>and often shut Skype down as I believe they (m$oft?) use peer-peer
>when they can to share load their traffic.
Skype always uses peer-to-peer for calls and for directory lookups.
>Well there had been about a dozen when the ISP alerted me. They were
>expecting a deluge and I'm waiting for them to appear in the router
>logs as it now reports any attempts to Port 25 but they have yet to
>materialise.
Sniff the WAN traffic. The easiest way is with a 10baseT (not
100baseT) ethernet hub (not a switch). Traffic in one port goes to
all the ports in a hub. Plug it between your modem and router. Add a
monitor PC running sniffer software, such as Wireshark.
>The router is on a UPS and NTP is enabled.
If your router is on a UPS and NTP is working, then it should NOT lose
the clock settings. Something is wrong. Most likely the UPS isn't
fast enough to stop glitches, which are resetting the router. If your
unspecified model router is running from 12VDC, add a BFC (big fat
capacitor) across the power connector going into the router, and you
should be ok. I have about 20,000 uF 12V on some of mine, which is
good for about 0.5 to 1 second of power loss for a typical 0.5A
current draw router.
>Otherwise I get about 4 or 5 drops a day.
Drops for how long? I was getting that with my home DSL for a while.
I had to climb the pole and rework some of the rotted connections and
splices. End of problem. The clue was a slight crackle on the POTS
line.
>I have a quality filter. Until we get decent copper in and a
>route away from overhead power lines I think it is just something we
>have to live with - but it messes up my logs.
If you have a TDR (time domain reflectometer), you can locate the pole
or box where there's a problem. It's not easy, takes experience, but
can be done.
>Absolutely not. And I wouldn't know how.
<http://home.comcast.net/~jay.deboer/airsnare/>
>Router connected direct to
>telephone line. I have an NSA that I played with enabling for
I think you mean NAS box. My Buffalo something NAS box created a bit
of a problem when I had the built in BitTorrent server enabled. I
fixed that, but forgot the FTP server, which repeated the problem.
Some day, I might even read the instructions.
>I could email you my IP if you want to see if you can break in.
Nope. Too busy. I have jury duty next week, and am trying to catch
up on everything that resembles a potential crisis.
>One fear is that my old neighbours were without phone and internet
>prior to moving and I set them up to access my wireless.
Bingo. Change the WPA2 key.
Also look at the MAC addresses in the router client table to see if
there's anything that you can't identify.
>Well as I've set a rule to disable Port 25 I get a log entry, eg when
>I tried to Telnet port 25 it fails and I get the entry:
>
>Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25),
>Protocol TCP. Wednesday, Jan 01,2003 08:29:16
>
>That should I hope be sufficient.
Fine, but it's still being generated by something on your network.
Methinks it would be a good idea to find it instead of hiding it by
blocking outgoing port 25.
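The router's port-25 drop log is the quickest lead on which LAN host is generating the SMTP traffic, as the reply says. The following is an added example, not code from the original thread: it parses entries in the format of the one quoted above, counts dropped outbound port-25 attempts per internal source address, and flags entries whose timestamp predates a cut-off date, on the assumption that a date years in the past (the quoted Jan 01, 2003 entry) means the router clock had fallen back to its factory default after a reset and that entry's time cannot be trusted. The sample log lines other than the quoted one are constructed, using RFC 5737 documentation addresses, and the threshold of two attempts is an arbitrary choice for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. The first entry is the one quoted in the thread
# (with its "[mailhost address]" placeholder kept as-is); the rest are
# made-up entries using documentation addresses (RFC 5737).
SAMPLE_LOG = """\
Firewall: packet drop. 10.0.0.151(4788) --> [mailhost address](25), Protocol TCP. Wednesday, Jan 01,2003 08:29:16
Firewall: packet drop. 10.0.0.23(51201) --> 203.0.113.9(25), Protocol TCP. Thursday, Apr 25,2013 21:02:11
Firewall: packet drop. 10.0.0.23(51202) --> 198.51.100.40(25), Protocol TCP. Thursday, Apr 25,2013 21:02:14
Firewall: packet drop. 10.0.0.23(51203) --> 203.0.113.77(25), Protocol TCP. Thursday, Apr 25,2013 21:02:19
Firewall: packet drop. 10.0.0.151(4790) --> 203.0.113.9(443), Protocol TCP. Thursday, Apr 25,2013 21:03:02
Some other message the router logged
"""

# Matches the entry layout quoted in the thread:
# "Firewall: packet drop. SRC(SPORT) --> DST(DPORT), Protocol PROTO. Day, Mon DD,YYYY HH:MM:SS"
LINE_RE = re.compile(
    r"Firewall: packet drop\. "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) --> "
    r"(?P<dst>[^(]+)\((?P<dport>\d+)\), "
    r"Protocol (?P<proto>\w+)\. "
    r"(?P<dow>\w+), (?P<date>\w{3} \d{2},\d{4}) (?P<time>\d{2}:\d{2}:\d{2})"
)
TIME_FMT = "%b %d,%Y %H:%M:%S"


def parse_line(line):
    """Parse one 'Firewall: packet drop' entry; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", TIME_FMT)
    return rec


def parse_log(text):
    """Return the parsed drop entries from a block of router log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def port25_sources(records):
    """Count dropped outbound SMTP (port 25) attempts per LAN source address."""
    return Counter(r["src"] for r in records if r["dport"] == 25)


def suspect_hosts(records, threshold=2):
    """LAN hosts with at least `threshold` dropped port-25 attempts, busiest
    first. The threshold is an arbitrary value for this example."""
    return [ip for ip, n in port25_sources(records).most_common() if n >= threshold]


def clock_reset_records(records, earliest=datetime(2010, 1, 1)):
    """Entries stamped before `earliest`. Assumption: such a date means the
    router's clock had reverted to its default after a reset, so the entry's
    time cannot be correlated with the ISP's complaint."""
    return [r for r in records if r["when"] < earliest]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in port25_sources(recs).most_common():
        print(f"{ip}: {n} dropped outbound SMTP attempt(s)")
    print("hosts worth looking at first:", suspect_hosts(recs))
    for r in clock_reset_records(recs):
        print("untrusted timestamp:", r["when"], r["src"], "->", r["dst"])
```

Run it against the router's exported log instead of SAMPLE_LOG and the host at the top of the count is the one to sniff next; a MAC lookup in the router's client table (as suggested above) then ties that address to a physical device.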