Spooidts

MBAM Premium 3.3.1 Blocking Email Pop Server and now 255.255.255.255


Hello, I would like to complete the malware removal process to see if I have been infected with something that I cannot see from MBAM or Emsisoft AM scanning.

Issues started last week when I started receiving SPAM mail through my Suddenlink.net email account using Thunderbird vers 54.02, 32 Bit. I began reporting the Spam directly to Suddenlink but it has continued. I did not open any of the spam and immediately deleted it after marking as SPAM in Thunderbird.

Then today MBAM started marking the pop.suddenlink.net mail server address as malware and blocking it:

Domain: pop.suddenlink.net
IP Address: 208.180.40.196
Port: [51800]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe

Following that in the last few hours MBAM has begun blocking 255.255.255.255 constantly:

Domain:
IP Address: 255.255.255.255
Port: [68]
Type: Outbound
File: C:\Windows\System32\svchost.exe

 

I have run several MBAM and EMSISOFT AM scans during the week and there has been no malware reported in the scans.

Attached are my files requested in the Removal topic.

 

FRST.txt

Addition.txt

Threat Scan.txt

16 hours ago, Spooidts said:

Following that in the last few hours MBAM has begun blocking 255.255.255.255 constantly:

Domain:
IP Address: 255.255.255.255
Port: [68]
Type: Outbound
File: C:\Windows\System32\svchost.exe

 


Same thing here after update?

 


Suddenlink.net and its other IPs are all blocked this morning outbound (Premium license). Did Malwarebytes flag Suddenlink for a reason or just an error? Apparently, Suddenlink addresses are in the current database!


Suddenlink.net, my ISP, is being blocked using current database. This just started this morning. Was this an error?


I run a computer repair shop and we have been recommending Malwarebytes for a while now. This morning our phone was ringing off of the hook with Suddenlink customers who say Malwarebytes is blocking their Suddenlink email. What's going on? 


I'm still hoping to have my logs examined just in case I have a further malware issue on my end.

But I also just called Suddenlink directly and they have an ongoing support issue with their email servers and Malwarebytes. It was an agent and not an actual Tech so there wasn't much detail.


I too called Suddenlink early this morning and they are clueless re Malicious activities. They just don't understand that their SECURE HTTPS could be malicious. They said others can get to it. Tried to explain that they could get to it because something like Malwarebytes wasn't on their system and didn't prevent a possible breach of their system. Escalated it up a notch and manager could not understand until I explained RANSOMWARE and hacking to him. He contacted his I/T.

 

Since then, I installed Spyware Terminator and it does not flag Suddenlink as a problem. Doesn't mean much to me since I don't know HOW it or even if it does check or how current its database is.

 

My question to Malwarebytes is if you get an OUTBOUND Block of a website, is it because your database includes Suddenlink IPs? If so, did you really find that its IPs are malicious?


fyi. I just sent email from yahoo account to suddenlink account. Thunderbird now says imap to suddenlink can not connect. I do believe they turned off their email until this is resolved.

 

Sent an email from Thunderbird's Suddenlink account to yahoo account and got this:

Your message was sent but not saved to your sent folder (Sent) probably because of network errors.
"Retry" attempts the save again.
"Save" copies the message to Local Folders/Sent-teob6913@suddenlink.net and closes the Write window if it is present.
"Cancel" does not save the sent message and closes the Write window if it is present.

19 minutes ago, tpanc13 said:

I too called Suddenlink early this morning and they are clueless re Malicious activities. They just don't understand that their SECURE HTTPS could be malicious. They said others can get to it. Tried to explain that they could get to it because something like Malwarebytes wasn't on their system and didn't prevent a possible breach of their system. Escalated it up a notch and manager could not understand until I explained RANSOMWARE and hacking to him. He contacted his I/T.

 

Since then, I installed Spyware Terminator and it does not flag Suddenlink as a problem. Doesn't mean much to me since I don't know HOW it or even if it does check or how current its database is.

 

My question to Malwarebytes is if you get an OUTBOUND Block of a website, is it because your database includes Suddenlink IPs? If so, did you really find that its IPs are malicious?

tpanc13,

never mind I just noticed you said Thunderbird, same here. Have you tried using their Webmail application in browser? I was hoping I could at least get to mail via their Webmail but even that is borked. And the agent could not tell me whether their Webmail system scans for malware before posting to customer's account or not.


Hi guys :)

I reported this thread and asked that someone from the Web Team take a look at it, to see if this is a legitimate detection or a false positive. Someone should be able to answer you soon.

Sit tight!


Aura,

Thanks. And just some more info if needed.

It is even now blocking anything from Suddenlink, including their Online Account login page.

Domain: authorize.suddenlink.net
IP Address: 64.8.70.17
Port: [51109]
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

And the Firefox Browser error is showing SSL problems:

An error occurred during a connection to authorize.suddenlink.net. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

 

 



Are any of you also seeing this blocked ID? 

 

Name:    dynamicip-95-79-255-31.pppoe.nn.ertelecom.ru
Address:  95.79.255.31

Also, still trying to understand Malwarebytes re an OUTBOUND block and whether it is just a database error or malicious stuff at the directed website.


Suddenlink's imap.suddenlink.net server 209.180.40.196 as reported in the Malwarebytes report pings fine, but nslookup reports:
Server:  UnKnown
*** UnKnown can't find 209.180.40.196: Non-existent domain


Thanks Zynthesist... could you also comment on why when I look at the log and see 208.180.40.196 it says it is IMAP.suddenlink.net which it should be since I have email set up as such, but if I do nslookup on that address it says POP.suddenlink.net?


@tpanc13 both are on the same IP, it is a shared IP with about 230+ others.

imap.suddenlink.net.    208.180.40.196
poptest.suddenlink.net.    208.180.40.196


Interesting re shared IP. I see you listed my pop.... as poptest... Am I really maybe part of a test group? I keep getting failed to connect to imap server, but get my mail. 230+ is smallsville, TX ;) When I do nslookup here I do not see poptest. It's getting to "which mirror do I look into today?" Well, at least my email is up and Malwarebytes is up too.
