MBAM Premium 3.3.1 Blocking Email Pop Server and now 255.255.255.255


Spooidts

Hello, I would like to complete the malware removal process to see if I have been infected with something that I cannot see from MBAM or Emsisoft AM scanning.

Issues started last week when I started receiving SPAM mail through my Suddenlink.net email account using Thunderbird vers 54.02,  32 Bit.  I began reporting the Spam directly to Suddenlink but it has continued.  I did not open any of the spam and immediately deleted it after marking as SPAM in Thunderbird.

Then today MBAM started marking the pop.suddenlink.net mail server address as malware and blocking it:

Domain: pop.suddenlink.net
IP Address: 208.180.40.196
Port: [51800]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe

Following that in the last few hours MBAM has begun blocking 255.255.255.255 constantly:

Domain:
IP Address: 255.255.255.255
Port: [68]
Type: Outbound
File: C:\Windows\System32\svchost.exe

 

I have run several MBAM and EMSISOFT AM scans during the week and there has been no malware reported in the scans.

Attached are my files requested in the Removal topic.

 

FRST.txt

Addition.txt

Threat Scan.txt

Edited by Spooidts
spelling

I'm still hoping to have my logs examined just in case I have a further malware issue on my end.

But I also just called Suddenlink directly and they have an ongoing support issue with their email servers and Malwarebytes.  It was an agent and not an actual Tech so there wasn't much detail.


I too called Suddenlink early this morning and they are clueless re Malicious activities. They just don't understand that their SECURE HTTPS could be malicious. They said others can get to it. Tried to explain that they could get to it because something like Malwarebytes wasn't on their system and didn't prevent a possible breach of their system. Escalated it up a notch and manager could not understand until I explained RANSOMWARE and hacking to him. He contacted his I/T.

 

Since then, I installed Spyware Terminator and it does not flag Suddenlink as a problem. Doesn't mean much to me since I don't know HOW it or even if it does check or how current its database is.

 

My question to Malwarebytes is if you get an OUTBOUND Block of a website, is it because your database includes Suddenlink IPs? If so, did you really find that its IPs are malicious?

Edited by tpanc13
bold

fyi. I just sent email from yahoo account to suddenlink account. Thunderbird now says imap to suddenlink can not connect. I do believe they turned off their email until this is resolved.

 

Sent an email from Thunderbird's Suddenlink account to yahoo account and got this:

Your message was sent but not saved to your sent folder (Sent) probably because of network errors.
"Retry" attempts the save again.
"Save" copies the message to Local Folders/Sent-teob6913@suddenlink.net and closes the Write window if it is present.
"Cancel" does not save the sent message and closes the Write window if it is present.

Edited by tpanc13

19 minutes ago, tpanc13 said:

I too called Suddenlink early this morning and they are clueless re Malicious activities. They just don't understand that their SECURE HTTPS could be malicious. They said others can get to it. Tried to explain that they could get to it because something like Malwarebytes wasn't on their system and didn't prevent a possible breach of their system. Escalated it up a notch and manager could not understand until I explained RANSOMWARE and hacking to him. He contacted his I/T.

 

Since then, I installed Spyware Terminator and it does not flag Suddenlink as a problem. Doesn't mean much to me since I don't know HOW it or even if it does check or how current its database is.

 

My question to Malwarebytes is if you get an OUTBOUND Block of a website, is it because your database includes Suddenlink IPs? If so, did you really find that its IPs are malicious?

tpanc13,

never mind I just noticed you said Thunderbird, same here. Have you tried using their Webmail application in browser?  I was hoping I could at least get to mail via their Webmail but even that is borked.  And the agent could not tell me whether their Webmail system scans for malware before posting to customer's account or not.

Edited by Spooidts

Aura,

Thanks. And just some more info if needed.

It is even now blocking anything from Suddenlink, including their Online Account login page.

Domain: authorize.suddenlink.net
IP Address: 64.8.70.17
Port: [51109]
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

And the Firefox Browser error is showing SSL problems:

An error occurred during a connection to authorize.suddenlink.net. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

 

 


Interesting re shared IP. I see you listed my pop.... as poptest... Am I really maybe part of a test group? I keep getting failed to connect to imap server, but get my mail. 230+ is smallsville, TX ;) When I do nslookup here I do not see poptest. It's getting to "which mirror do I look into today?" Well, at least my email is up and Malwarebytes is up too.
