Our IP was blacklisted for sending high amounts of spam to certain honeypots. Whenever one of us in our network visits a cloudflare protected website, we always get a captcha every 30 mins.
Here are some websites that have our ip detected as malicious: (its fine for our ip to be shown because we'll be definitely changing it when we fix this)
- http://www.projecthoneypot.org/ip_126.96.36.199 (for a month, I've frequently visited this and the amount emails kept going up)
In the second website, it shows that we might have a possible Linux virus. But none of our computers have any distro of linux installed EXCEPT for my machine, which has a clean dual boot installation of Kali Linux (we all use windows for our main OS). I havent downloaded any software in Kali Linux, and I rarely even boot to Kali.
One note is that we all use Android phones, and they obviously use a proprietary distro of linux. That /could/ be the reason why its showing up as Linux on the site above, but I doubt it.
One person in my family uses Yahoo, while the other two of us use Gmail. I received a spam email from the yahoo address, but looking closley, it was sent from an IP from Taiwan: 188.8.131.52
This was a week or so before all of this started happening: One of the machines using Gmail already had Malwarebytes installed and detected a Trojan.Ransom and quarantined it. (I will definitely sniff port 25 on that machine later).
Here is the header (partially censored)
So we changed the yahoo password immediately. But there was still email being sent.
We bought a 1 year copy of Malwarebytes and installed it on all three of our machines. The one I already mentioned most likely reinstalled Mbam. We did a full scan on all computers and nothing was to be found.
Soon, im going to try these:
* Opening wireshark and packet sniffing port 25 on all machines overnight
* Scan the phones for viruses
* Change all email passwords
So.. does anyone got an idea on what is going on? Thanks