Posting spam when his machine is off?

Microsoft Antivirus Discussions

Posted by Caspian on November 27, 2006, 8:29 am
Dear Community,

Firstly let me explain that my background is in solution
development, so I do not have much of a real understanding of security
issues. I have been asked by one of my clients to investigate why he
seems to be getting hundreds of bounce-back emails in his email inbox
every morning. The email headers indicate that the original message was
posted from his POP3 btconnect email account that he has with his ISP
[btconnect]. He accesses his email via Outlook Express, which pulls the
emails via his email account details. I can access this POP3 account
through the ISP browser interface, but the account appears empty, and I
assume this is because the emails are removed once they are transferred
to the local PC via Outlook Express.

I started by installing and updating McAfee Security Centre, which I
then used to scan the client's PC for offending viruses, but the
client's PC was clean. I then ensured that the PC was up to date with
Microsoft Updates and security patches. I then entertained the idea
that the POP3 account may have been hijacked and changed the account
password for his POP3 account and replicated the new password in his
Outlook to ensure his email continues to be downloaded.

I then took a closer look at the header information for the bounced
emails, which indicated that the original emails were being
transmitted at around 1am in the morning; however, the client turns
his machine off religiously at close of play every day. So if the PC
is switched off, how is it possible that his account sends spam?

I'm now entertaining the idea that the btconnect servers may be
affected by a Trojan email virus of some form or another. I've simply
run out of ideas. I've phoned btconnect and they deny any possibility
that a virus may exist on their servers.

So how is it possible that my client's email account is being used to
transmit spam when his machine is off?


Any help gratefully received!


Regards,


Tim


Posted by Juergen Nieveler on November 27, 2006, 9:22 am

> posted from his pop3 btconnect email account that he has with his ISP
> [btconnect].

Really from his account, or merely using his email-address as From?

The latter is pretty easy to fake, so there's a huge chance that his
machine doesn't have any problem at all.

Juergen Nieveler
--
I like young girls. Their stories are shorter

Posted by Malke on November 27, 2006, 9:23 am
Caspian wrote:

> Dear Community,
>
> Firstly let me explain that my background is in solution
> development, so I do not have much of a real understanding of security
> issues. I have been asked by one of my clients to investigate why he
> seems to be getting hundreds of bounce-back emails in his email inbox
> every morning. The email headers indicate that the original message
> was posted from his POP3 btconnect email account that he has with his
> ISP [btconnect]. He accesses his email via Outlook Express, which pulls
> the emails via his email account details. I can access this POP3
> account through the ISP browser interface, but the account appears
> empty, and I assume this is because the emails are removed once they
> are transferred to the local PC via Outlook Express.
>
> I started by installing and updating McAfee Security Centre, which I
> then used to scan the client's PC for offending viruses, but the
> client's PC was clean. I then ensured that the PC was up to date with
> Microsoft Updates and security patches. I then entertained the idea
> that the POP3 account may have been hijacked and changed the account
> password for his POP3 account and replicated the new password in his
> Outlook to ensure his email continues to be downloaded.
>
> I then took a closer look at the header information for the bounced
> emails, which indicated that the original emails were being
> transmitted at around 1am in the morning; however, the client turns
> his machine off religiously at close of play every day. So if the PC
> is switched off, how is it possible that his account sends spam?
>
> I'm now entertaining the idea that the btconnect servers may be
> affected by a Trojan email virus of some form or another. I've simply
> run out of ideas. I've phoned btconnect and they deny any possibility
> that a virus may exist on their servers.
>
> So how is it possible that my client's email account is being used to
> transmit spam when his machine is off?

1. You said you installed/updated McAfee. Are you saying he had no
antivirus installed? If this is the case, please scan his machine with
David Lipman's Multi_AV utility:

http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download
http://pcdid.com/Multi_AV.htm - additional Multi_AV instructions

For thoroughness, I'd like you to also scan with Ewido:
http://www.ewido.net/en/

Download the program and the latest full database. Ewido needs to be
installed but you can uninstall it afterwards.

Report back.

2. Your client's machine cannot send emails if it is turned off. End of
story. However, it would be good to see the headers. You can obscure
the posting IP if you are really sure it is your client's address.

3. It sounds like the emails are being sent from a spammer that hijacked
your client's email address or from another machine that has been
captured and is now part of a botnet.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by Mark Ritchie on November 27, 2006, 9:26 am
Don't worry about what email address is being sent with the spam.
Almost all spam spoofs the from address. Concentrate on the IP address the
mail was sent from.

I would also seriously consider posting a Hijackthis log from the machine in
question, mcrappe hasn't been doing a good job for my clients lately and
it's possible that it has missed some trojans.

--
Regards,

Mark Ritchie


**************************************
Computer Problems Dragging you Down?
Let us Fix it for you quickly and remotely!
http://www.livetechsupport.ca
(866)730-5403
**************************************
> Dear Community,
>
> Firstly let me explain that my background is in solution
> development, so I do not have much of a real understanding of security
> issues. I have been asked by one of my clients to investigate why he
> seems to be getting hundreds of bounce-back emails in his email inbox
> every morning. The email headers indicate that the original message was
> posted from his POP3 btconnect email account that he has with his ISP
> [btconnect]. He accesses his email via Outlook Express, which pulls the
> emails via his email account details. I can access this POP3 account
> through the ISP browser interface, but the account appears empty, and I
> assume this is because the emails are removed once they are transferred
> to the local PC via Outlook Express.
>
> I started by installing and updating McAfee Security Centre, which I
> then used to scan the client's PC for offending viruses, but the
> client's PC was clean. I then ensured that the PC was up to date with
> Microsoft Updates and security patches. I then entertained the idea
> that the POP3 account may have been hijacked and changed the account
> password for his POP3 account and replicated the new password in his
> Outlook to ensure his email continues to be downloaded.
>
> I then took a closer look at the header information for the bounced
> emails, which indicated that the original emails were being
> transmitted at around 1am in the morning; however, the client turns
> his machine off religiously at close of play every day. So if the PC
> is switched off, how is it possible that his account sends spam?
>
> I'm now entertaining the idea that the btconnect servers may be
> affected by a Trojan email virus of some form or another. I've simply
> run out of ideas. I've phoned btconnect and they deny any possibility
> that a virus may exist on their servers.
>
> So how is it possible that my client's email account is being used to
> transmit spam when his machine is off?
>
> Any help gratefully received!
>
> Regards,
>
> Tim
>
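
The point Juergen and Mark make above (the From: header is whatever the spammer typed; only the originating IP in the Received: chain says where the message really came from) as an added example, not code from anyone in this thread. The bounce it parses is constructed for the example: the host names, addresses, IPs and the ISP customer range are all made up. The script pulls the original message out of a delivery-status bounce, reads the Received: headers from the bottom (first hop) up, and reports whether the origin falls inside the ranges the client's own machine could legitimately send from. One caveat the script cannot remove: a relay prepends its Received: header, so only the headers stamped by relays you trust (here, the recipient's own MTA) are reliable, and a spammer can fabricate any lines below them.

```python
"""Find the originating IP of a bounced message from its Received: chain."""
import email
import ipaddress
import re
from email import policy
from email.message import Message

# Networks the client's PC would legitimately send from. Documentation
# range standing in for the ISP's real customer blocks (assumption).
ISP_CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed bounce: what a recipient MTA returns to the address in the
# forged From:. Hosts, addresses and IPs are invented for this example.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.recipient.example
To: client@btconnect.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The mail system could not deliver your message.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; victim@example.org
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from relay.cheap-hosting.example (relay.cheap-hosting.example [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTP id 8F21C
\tfor <victim@example.org>; Mon, 27 Nov 2006 01:04:09 +0000
Received: from pc-home (unknown [198.51.100.77])
\tby relay.cheap-hosting.example with SMTP id 1a2b
\tfor <victim@example.org>; Mon, 27 Nov 2006 01:03:51 +0000
From: "Client Name" <client@btconnect.example>
To: victim@example.org
Subject: special offer
Message-ID: <000001@pc-home>

Buy now.

--b1--
"""

# IPv4 literal as relays usually stamp it: "[a.b.c.d]" or "(a.b.c.d)".
IP_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]|\((\d{1,3}(?:\.\d{1,3}){3})\)"
)


def original_message(bounce: Message) -> Message:
    """Return the message embedded in a DSN, or the message itself."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return bounce


def hop_ips(msg: Message) -> list:
    """IPs from the Received: chain, first hop (origin) first.

    Each relay prepends its own Received: header, so the one that appears
    last in the message was added first. Headers below the ones added by
    relays you trust may have been fabricated by the sender.
    """
    ips = []
    for received in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(received))
        if m:
            ips.append(ipaddress.ip_address(m.group(1) or m.group(2)))
    return ips


def analyse(raw: bytes) -> dict:
    """Compare the claimed From: with where the message actually entered."""
    msg = original_message(email.message_from_bytes(raw, policy=policy.default))
    hops = hop_ips(msg)
    origin = hops[0] if hops else None
    return {
        "from_header": str(msg["From"]),
        "origin_ip": str(origin) if origin else None,
        "hops": [str(ip) for ip in hops],
        "from_isp_customer_range": (
            any(origin in net for net in ISP_CUSTOMER_NETS) if origin else False
        ),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_BOUNCE))
```

Run it against a few of the real bounces and compare `origin_ip` with the address the client's line actually had at 1am (the ISP can confirm that from its logs); if the origin is a different network every night, the address is just being forged and the PC is not involved, which is Malke's point 3. If the origin really is the client's own address, look at the timestamps again before blaming the PC: a cracked mailbox password would let a spammer relay through the ISP's outbound server from anywhere, with the PC switched off.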


