SMTP error - Virginmedia denying problem

joydivision

Here is the long and embarrassing story.

Client had nasty virus in March. Didn't seem to be any evidence of rootkits or anything and cleaned it all up. She was happy.

Early this week I had a phone call saying emails won't send any more (since Sunday); the emails keep bouncing back with an error saying error 550 relaying emails not allowed.

The ISP are denying a problem.

I tried a different email client and the same thing happened. I then set up her email account on my netbook and it works perfectly.

There were other problems with the PC, the client had 6GB of data inc the PST and the only application installed was Office so I began to think it had a bizarre rootkit acting as some sort of proxy even though there wasn't any evidence of this. I reinstalled the entire system from the recovery partition and set up the emails again. They still keep bouncing back.

It is not the settings or a problem with the ISP. So I am now stuck and have come to the following conclusion:-

  • There is a nasty rootkit which GMER etc can't see and apparently lets the system run normally without any symptoms but is essentially routing SMTP via a proxy server. The recovery partition may have been infected with said rootkit.
  • My client's MAC address on the PC has been blacklisted by the ISP.

Every time I phone Virgin I can't get anywhere, I asked about MAC address but the Indians on the other end of the phone call don't understand what I am on about :mad:

Any ideas?

In summary :-

The ISP settings work on my netbook, but don't on my client's PC even after a reinstall of Windows.
 
When you say it works on your netbook, are you using the same e-client and their network or your own?

AFAIK Virgin don't blacklist MACs. They recently changed the way the email account needs setting up, details are on their website.

Doesn't explain why it works on yours though, I suspect it's one of the advanced settings in account setup in Outlook.
 
The problem is I have spent five hours on this now, I have told my client I won't be charging anything like full rate, she said don't worry about that and she understands the diagnosis is often the biggest problem.

The netbook was running XP Home with Outlook Express 6.0. It worked straight away.

Virgin Media have gone through the settings three times now, it is just the standard NTLWORLD settings.

I may try it again with Windows Live Mail installed to see if it's a problem with modern clients.

Wireshark is a good idea :). I need to relearn some of my TCP/IP skills so will read up on that tonight.

I suspect this is going to be a delete MBR and reinstall from my own Vista CD job :(. It really does look like a rootkit.

As for settings I have tried SSL and non-SSL too, neither makes any difference.
 
Has she uninstalled/using McAfee? I had a client recently whose Outlook threw back different error messages and it had McAfee's SpamKiller in Outlook. I uninstalled it and ran their removal tool and it worked.
 
Not on the client's machine as it runs Vista, but I have tried it with Windows Mail on the client's machine and it does the same.

The Outlook she is using is Outlook 2007 and it is a legit copy with retail packaging etc.
 
----I've not heard of ISPs blocking MAC addresses, our service cannot do that. Easy enough to check though:
1. Spoof a new MAC address on the PC
2. Install a USB wireless card etc.

---- I'd try portable Thunderbird, set it up on your working computer and then pop on thumb drive and try on other computer. Then you know 100% settings are the same.

----I've not heard of viruses relaying your email through their servers and then onto the desired recipient, the volume would be enormous. I could be wrong. If it is redirecting SMTP traffic, try doing a telnet session on port 25 to the mail server and see if anything weird happens.

There was something else...

Oh yeah. Set up another Virgin email account, if new account works then you know it's their end. I'd actually do this first, personally.



Just a few ideas, sorry for the lack of structure, just an outpouring really :D
 
Thanks :).

It really is a pity Virgin are no help at all with regards to this. I think I will be needing to do a lot of work with Wireshark to inspect the packets to see what is going on at a low level.
 
I doubt you'll find anything - 550 is an authentication error, I'd triple check the SSL and encryption settings first. Virgin forum is full of this. Are the SMTP server settings correct?
 
To be honest I think you may be off down a rat hole with the virus theory.

'550 Relaying not permitted' is generally encountered when you are trying to use a mail server that is not associated with your network/ISP connection. For example, if you were trying to use Virgin's SMTP server while you were connected to the net via BT.

I would triple check the SMTP server address, the SSL/encryption settings (ports) and the outgoing server authentication settings and don't forget to check the ISP that's actually in use.... I had a very similar scenario the other week and it turned out that the customer's laptop was actually preferring to connect to a nearby BT Openzone hotspot rather than her ISP's wireless router in the other room :eek:
 
I have checked everything a trillion times, I have spent over two hours on the settings thing, I have spoken to the jokers at Virgin too.

The PC has no wireless card fitted, only ethernet which is connected directly to the Virgin modem. My netbook I did the test on was also connected to the same modem.

This is really why I am completely puzzled because I have done all the obvious stuff and then some. I fix email problems day in and day out so it's not anything unusual for me but this problem has got me stuck.

I am going to bring a spare wifi router and a wireless card just to completely wipe out any issues with the MAC address for certain.

I agree a virus/rootkit is very unlikely but if it's that it can only be a blocked MAC address. I know what 550 is :).

Virgin's SMTP simply is not authorising it BUT it is so odd it works on my netbook.

Edit: just had a better idea, a Ubuntu live CD, I could set up a mail client on that and see if that does the same on her machine, that would then eliminate any MAC address issues. If it works on Linux then a rootkit issue is looking more likely.
 
Another thought, does the customer's machine have any email scanner software in between Outlook and the VM servers (Norton/AVG etc) that could be messing with things?

What happens if you try the old school way of using telnet xxx.xxx.xxx.xxx 25 and issuing the relevant SMTP commands to send an email?
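
An added example, not part of any post in this thread: a small Python helper for reading the transcript of the manual port-25 telnet test suggested above (or the same dialogue copied out of Wireshark). The sample dialogue, the placeholder hostnames and the `analyse` function are constructed for illustration; it reports whether the greeting came from the expected server and whether the 550 arrived without a successful AUTH.

```python
import re

# Constructed sample of a manual "telnet <server> 25" session (or a Wireshark
# "Follow TCP Stream" view). Hostnames are placeholders, not Virgin's servers.
SAMPLE = """\
S: 220 smtp.isp.example ESMTP ready
C: EHLO clientpc
S: 250-smtp.isp.example
S: 250-AUTH PLAIN LOGIN
S: 250 STARTTLS
C: MAIL FROM:<user@isp.example>
S: 250 OK
C: RCPT TO:<friend@other.example>
S: 550 relaying mail to other.example is not allowed
"""

def analyse(transcript, expected_suffix):
    """Report who answered, whether AUTH was offered/used, and the RCPT result."""
    r = {"banner_host": None, "banner_matches": False, "auth_offered": False,
         "auth_ok": False, "rcpt_code": None, "verdict": "no RCPT reply seen"}
    last_cmd = None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":                      # remember the verb just sent
            last_cmd = (text.split() or [""])[0].upper()
            continue
        m = re.match(r"(\d{3})[ -](.*)", text)
        if side != "S" or not m:
            continue
        code, rest = int(m.group(1)), m.group(2)
        if code == 220 and r["banner_host"] is None:
            # First 220 is the greeting. An unexpected name suggests something
            # else (e.g. a local mail-scanning proxy) answered on port 25.
            r["banner_host"] = (rest.split() or [""])[0].lower()
            r["banner_matches"] = r["banner_host"].endswith(expected_suffix)
        elif code == 250 and last_cmd == "EHLO" and rest.upper().startswith("AUTH"):
            r["auth_offered"] = True
        elif code == 235:                    # 235 = authentication succeeded
            r["auth_ok"] = True
        elif last_cmd == "RCPT":
            r["rcpt_code"] = code
    if r["rcpt_code"] is not None:
        if r["rcpt_code"] < 400:
            r["verdict"] = "recipient accepted"
        elif r["rcpt_code"] == 550 and not r["auth_ok"]:
            r["verdict"] = "550 at RCPT with no successful AUTH: relay refused"
        else:
            r["verdict"] = "refused with %d after the checks above" % r["rcpt_code"]
    return r
```

Running `analyse` on transcripts captured from the working and the failing machine and comparing the two results shows at which step the sessions diverge.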
 
Finally sorted it hopefully.

I checked with Wireshark and nothing unusual was going on. The IP address used to send the SMTP data was my client's. I knew then it could really only be a blocked MAC address.

I then set up a temp wifi router and adapter and it solved the problem.

So it was the MAC address it didn't like, why I still don't know as I still have been unable to get past India when I talk to Virgin.

I installed a new network adaptor and set up a router for her so she has NAT security. I also recommended that she bought a better anti virus program which she has done.

It is still a mystery but after inspecting the TCP/IP packets I am pretty sure there is no longer any rootkit activity after the Windows reinstall.
 
I am not, she installed Kasperspy going on my recommendation and now Outlook keeps crashing :mad:

If it's a similar issue to mine, I had Outlook crash every time I wanted to delete something, it turned out to be a conflict with my email scanner on AV (I use Eset). I had to turn off the "empty deleted items on server" setting for each account. If I disable ESET I could put it back on but they didn't like being together :p
 