Spam Emails Send From My Account



My comp (WinXP Pro SP3 with all updates and hotfixes installed) was
infected by a virus?/trojan?/malware?. Several(?) spam emails were sent
from my PC on my email account. I have many (hundreds) bounced emails
with "why we need you"/"Award" as subject in my inbox due to delivery
delay/failure from my ISP's Mail Delivery System. I scanned my PC with
Eset NOD32, MBAM, (both with the most recent signature files) in safe
mode and found nothing suspicious. Also I scanned with a "BitDefender
Rescue CD" downloaded from
"http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others /"

and found nothing. Spam mails were sent as usual.

Does anybody know what infects my PC and how I could get rid of it?
Please help, thank you very much !!

BTW my firewall (Zone Alarm Pro) does not report any unauthorized
internet outbound connection.


--
**************************************************************************
Stephen Lo, Vancouver, BC., CA.

Re: Spam Emails Send From My Account

Stephen Lo wrote:

Quoted text here. Click to load it

Chances are that the spammer is merely using your email address in the
easily forged FROM field, and you are getting the bounces from non-valid
addresses he sent the spam to. Nothing uncommon about this; it's just
your day in the barrel.

--
   -bts
   -Friends don't let friends drive Windows

Re: Spam Emails Send From My Account


Quoted text here. Click to load it

If that were the case, why would the returns all be from "my ISP's Mail
Delivery System"?

Wouldn't they be various?



Re: Spam Emails Send From My Account

FromTheRafters wrote:

Quoted text here. Click to load it

We wouldn't know for sure until Stephen posts the full headers of one of
these returned mails. However, the most common reason is as I described.

--
   -bts
   -Friends don't let friends drive Windows

Re: Spam Emails Send From My Account

Quoted text here. Click to load it

Yes, maybe Stephen only assumed it was all from his ISP.



Re: Spam Emails Send From My Account

FromTheRafters wrote:
Quoted text here. Click to load it

Thank you very much for your replies.

Here is the email header and content from one of the bounce emails:

 From - Mon May 11 21:35:50 2009
X-Account-Key: account1
X-UIDL: 181960-1151302496
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:

Return-path: <>
Received: from pd3mr2so-ssvc.prod.shaw.ca
  (pd3mr2so-ssvc.prod.shaw.ca [10.0.141.178])
  by l-daemon (Sun Java System Messaging Server 6.2-7.05 (built Sep  5
2006))
  11 May 2009 21:56:05 -0600 (MDT)
Received: from pd2mr-vip-ssvc.prod.shaw.ca (HELO idcmail-mo1so.shaw.ca)
  ([10.0.141.22]) by pd3mr2so-svcs.prod.shaw.ca with ESMTP; Mon,
  11 May 2009 21:55:08 -0600
Received: from localhost by idcmail-mo1so.shaw.ca; Mon,
  11 May 2009 21:55:08 -0600
Date: Mon, 11 May 2009 21:55:08 -0600
Subject: Delivery Status Notification (Failure)
To: losl@shaw.ca
MIME-version: 1.0
Content-type: multipart/report; report-type=delivery-status;
  boundary=7COki.4QQyFbV8Z.7GVJ0.5cKPiMV
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=0 a=ETskHGo9fuLnr-jVeRYA:9
  a=mJSQPWL-eKYwdS4SdIOBMmnkzYIA:4 a=VVVTLAxAGPoA:10
a=Wt_uDfEW1PiiQ1VeBeEA:9
  a=e7zKhY-EBQ1fYPN-L4-VY20qrt0A:4 a=FcCzd-_jAAAA:8 a=pnWOf_8l5tJNYNtgBMgA:9
  a=l7MgAE-1gacHfr-TtJwA:7 a=G9uJFDbQNtCi4eZFJT0vpWrxVYgA:4
a=1YyWH2jasJIA:10
  a=gpIh_FRFo58A:10 a=MSl-tDqOz04A:10 a=MOoU6_y5KB8A:10 a=Hc7mcz8ZAtwA:10
Original-recipient: rfc822;losl@shaw.ca

--7COki.4QQyFbV8Z.7GVJ0.5cKPiMV
content-type: text/plain;
     charset="us-ascii"
Content-Transfer-Encoding

The reason for the problem:
5.4.7 - Delivery expired (message too old) 'timeout'



__________ NOD32 4065 (20090511) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

--7COki.4QQyFbV8Z.7GVJ0.5cKPiMV
content-type: message/delivery-status

Reporting-MTA: dns; pd3mo1so.prod.shaw.ca

Final-Recipient: rfc822;jcoffey@advanceauto.com
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.4.7 - Delivery expired (message too old)
'timeout' (delivery attempts: 0)

--7COki.4QQyFbV8Z.7GVJ0.5cKPiMV
content-type: message/rfc822

Received: from pd2mr2so-ssvc.prod.shaw.ca ([10.0.141.109])
   by pd3mo1so-svcs.prod.shaw.ca with ESMTP; 08 May 2009 21:36:48 -0600
Received: from pd2mr2so-ssvc.prod.shaw.ca ([10.0.141.109])
   by pd3mo1so-svcs.prod.shaw.ca with ESMTP; 08 May 2009 21:36:38 -0600
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=0 a=FcCzd-_jAAAA:8
a=FSVeOMgW16kkxXAlQQUA:9 a=1kO2IQHRgmJ5dt6r-egA:7
a=m89S-sa0W5RNadnAWOS3-VLeOfcA:4 a=gpIh_FRFo58A:10 a=MSl-tDqOz04A:10
a=Cbv64XCD1US6DH0LcTcA:7 a=UFlmGhmXJHba_l2nSjUnVx_qxW4A:4
a=xqWDZuK2HZkA:10 a=d3ZwFMNkyaEA:10
Received: from pd2mr-vip-ssvc.prod.shaw.ca (HELO pd2ms3so.prod.shaw.ca)
([10.0.141.22])
   by pd2mr2so-svcs.prod.shaw.ca with ESMTP; 08 May 2009 21:36:38 -0600
Received: from shaw.ca (pd2ms3so-con.prod.shaw.ca [10.0.122.117])
  by l-daemon (Sun Java System Messaging Server 6.2-7.05 (built Sep  5
2006))
Fri,
  08 May 2009 21:37:31 -0600 (MDT)
Received: from [10.0.144.231] (Forwarded-For: [10.0.146.231])
  by pd2ims2.prod.shaw.ca (mshttpd); Sat, 09 May 2009 04:37:31 +0100
Date: Sat, 09 May 2009 04:37:31 +0100
Subject: why we need you
Bcc:
Reply-to: ito.corporation@gmail.com
MIME-version: 1.0
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.05 (built Sep  5 2006)
Content-type: multipart/alternative; boundary=--1412836a13c546932826
Content-language: en
X-Accept-Language: en
Priority: normal

This is a multi-part message in MIME format.

----1412836a13c546932826
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Hello Dear,
My name is Eizo Kobayashi and I am the recruitment officer / C.E.O of
one of the biggest and most successful Textile, Machinery,Aerospace,
Electronics & Multimedia Energy, Metals & Minerals,Chemicals, Forest
Products &General Merchandise,Food ,Finance, Realty, Insurance
&Logistics Services for more info visit our website:www.itochu.co.jp .
I am contacting you because we are in need of a Payment Representative
in the United States,Canada,some part in Asia and Europe. So I would
like to offer you a part time job as our payment representative with
which you can earn twice your monthly salary depending on your Speed,
Accuracy and Devotion to your work. All you will be doing for us is to
receive our payment on our behalf from our client (which isalways in
form of Money Orders or Cashier Checks),Processthe payment and deduct
your commission which is going to beten percent (10%) of total amount
processed and remit thebalance to any of our offices via Electronic
Transfer.
WHY WE NEED YOU:
We need a representative because it takes a longer timeperiod cashing
checks that was sent from the USA to us inJapan because it take like a
month to clear the checks andsending someone over to the USA to collect
the checksusually consumes a lot of money so that why we are willingto
part with 10% of the total sum so that we can always getthe checks
cashed in a timely fashion since they are comingfrom the USA and Canada
and our representative would also bein the USA, Canada and Europe.
If interested please reply to this email: ito.corporation@gmail.com
with the following information
Full Name:Address in full ( No Po Box )
City, State, Zipcode,
Phone Number/CELL PHONE NUMBER .
Have you recieve or done an offer like this indicate Yes or No?
If you are not Interested in this Offer do please disregard this mail
thank you.
Reply via E-mail: ito.corporation@gmail.com

Best Regards,
Eizo Kobayashi
President
ITOCHU Coporation
www.itochu.co.jp

Please give me some advice, thank you !!

--
**************************************************************************
Stephen Lo, Vancouver, BC., CA.

Re: Spam Emails Send From My Account

Stephen Lo wrote:

Quoted text here. Click to load it
<snip repost of email source>

I would say that, from the source you posted, the bounce was sent to you
from Shaw.

Looking at the copy of the outgoing mail included in the bounce, it does
look like the original email came from you - or at least a Shaw
subscriber. I don't see any sender's IP address in there (yours is
24.83.36.171), and there is no TO: line in the headers, which isn't
quite normal.

Do you have a router connected to your cable modem? When you aren't
doing anything, does there appear to be outgoing activity?

Look for rogue processes with this application:
http://en.wikipedia.org/wiki/Process_Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

--
   -bts
   -Friends don't let friends drive Windows

Re: Spam Emails Send From My Account

Beauregard T. Shagnasty wrote:
Quoted text here. Click to load it
   Thank you very much for your time to analyze the header.

Quoted text here. Click to load it

There is a line in the header of the original spam email:
  "Received: from [10.0.144.231] (Forwarded-For: [10.0.146.231])
   by pd2ims2.prod.shaw.ca (mshttpd); Sat, 09 May 2009 04:37:31 +0100"
Is "10.0.144.231" the spammer's IP? It is the same for all outgoing spam emails.
I tried "trace route" and "whois" on that IP but found nothing.

Quoted text here. Click to load it

Yes, I have a router (non-wireless) in my system. There appears to be no
abnormal outgoing activity.

Quoted text here. Click to load it

I used Process Explorer and also checked all processes in the task manager at
the first time I saw these delivery delay notices and found no rogue
processes. The spammer may utilize my email client and shut it down
after sending the spams.

As I could not identify any virus/trojan/malware, I rolled back my C:
drive to the most recent healthy disk image, created three days prior to
the incident. It works; now there have been no more delivery delay notices
for 3 days. It seems the spammer's program is successfully removed. I think
I am lucky to have a healthy disk image, but I still hope that I may learn
more about this type of attack.

Anyway, thanks to all who contributed help to my case.

Good luck everybody !!

--
**************************************************************************
Stephen Lo, Vancouver, BC., CA.

Re: Spam Emails Send From My Account

Reply inline:
Quoted text here. Click to load it
This address belongs to some organization's LAN (possibly Shaw).  Addresses
10.x.x.x and 192.168.x.x are not routable.
Jim
Quoted text here. Click to load it
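
A small Python triage of the headers Stephen posted, added here as an example and not code from anyone in this thread: it walks the Received chain of the embedded spam oldest-first, applies Jim's point that 10.x.x.x addresses are internal, and reports the entry hop, any public sender IP, and the X-Mailer. On this sample it finds no public sender address at all; the entry hop is the `mshttpd` daemon and the X-Mailer is Messenger Express, both parts of the ISP's web-mail interface, so the chain points at the account being used through webmail rather than by a mailer running on the PC.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample input: the headers of the outgoing spam that Shaw's bounce
# carried back in its message/rfc822 part, trimmed to the lines this triage uses.
SAMPLE_HEADERS = """\
Received: from pd2mr2so-ssvc.prod.shaw.ca ([10.0.141.109])
   by pd3mo1so-svcs.prod.shaw.ca with ESMTP; 08 May 2009 21:36:48 -0600
Received: from pd2mr-vip-ssvc.prod.shaw.ca (HELO pd2ms3so.prod.shaw.ca)
   ([10.0.141.22]) by pd2mr2so-svcs.prod.shaw.ca with ESMTP; 08 May 2009 21:36:38 -0600
Received: from [10.0.144.231] (Forwarded-For: [10.0.146.231])
   by pd2ims2.prod.shaw.ca (mshttpd); Sat, 09 May 2009 04:37:31 +0100
Subject: why we need you
Reply-to: ito.corporation@gmail.com
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.05 (built Sep  5 2006)

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Shape of every hop in the sample: from <host> ... by <host> [(agent)]
HOP_RE = re.compile(r"from (\S+)(.*?) by (\S+)(?: \(([^)]*)\))?")

def classify(ip):
    """Jim's rule: RFC 1918 space is an ISP-internal hop, not the sender."""
    return "internal" if ipaddress.ip_address(ip).is_private else "public"

def received_hops(raw):
    """Received hops oldest-first, so hops[0] is where the mail entered."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())            # unfold, squeeze spaces
        m = HOP_RE.search(text)
        ips = IP_RE.findall(text.split(" by ")[0])     # addresses on the 'from' side
        hops.append({"from": m.group(1), "by": m.group(3), "agent": m.group(4),
                     "ips": ips, "classes": [classify(ip) for ip in ips]})
    return hops

def triage(raw):
    """Entry point, any public sender IP, and the submitting software."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(raw)
    public = [ip for h in hops for ip, c in zip(h["ips"], h["classes"]) if c == "public"]
    return {"entry_host": hops[0]["by"], "entry_agent": hops[0]["agent"],
            "public_sender_ips": public,
            "x_mailer": " ".join(str(msg["X-Mailer"]).split()),
            "reply_to": str(msg["Reply-to"])}
```

Run `triage(SAMPLE_HEADERS)` on a bounce's embedded message; a chain that ends at the ISP's webmail daemon with only private addresses is a different finding from one whose first hop is the subscriber's own public IP.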




Re: Spam Emails Send From My Account

Stephen Lo wrote:

Quoted text here. Click to load it

Jim answered that ... 10.nn... is an internal address.

Quoted text here. Click to load it

Oh you used it already?  Good thinking.  <g>

Quoted text here. Click to load it

S'far as I know, none of the modern mass-mailing worms use *your* email
client. They all have their own built-in SMTP engine. The outbound
portion of the message you posted doesn't say the mail agent was
Thunderbird ... or Outlook Express ... or ...

Quoted text here. Click to load it

Well. Let's hope that works. But keep a sharp eye on things.  :-)
See if you can figure out what you did to get it in the first place.

Quoted text here. Click to load it

Glad to help.

--
   -bts
   -Friends don't let friends drive Windows

Re: Spam Emails Send From My Account

On 05/10/2009 12:25 PM, Stephen Lo sent:
Quoted text here. Click to load it
"http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others /"
Quoted text here. Click to load it

Hello Stephen:

Notwithstanding the fine advice you have already received, I would have
you update your Mozilla Thunderbird to the latest version.  You are
probably two versions behind the latest security release.

It is not unthinkable that another computer system, within Shaw
Communications or another ISP, has been turned into a Spambot using your
system's identity.

The antimalware you have in use is excellent.  Many users add
SUPERAntiSpyware (SAS) to their arsenal to work with MBAM.

If you understand that we would like to see all the headers from one of
the returned emails, please post it here.

Regards,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Spam Emails Send From My Account

1PW wrote:
Quoted text here. Click to load it

Thank you very much for your reply.
My Mozilla Thunderbird is version 2.0.0.21 (20090302); I think it is the
most updated version. When I checked for updates it said there is no
update available.

Quoted text here. Click to load it

I just posted the header and content from one of the bounced emails prior
to this reply. Please give me some advice, thank you !

--
**************************************************************************
Stephen Lo, Vancouver, BC., CA.
