FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Travel Technology (https://www.flyertalk.com/forum/travel-technology-169/)
-   -   Spam Clinic - Virus spamming my contact list (https://www.flyertalk.com/forum/travel-technology/1567580-spam-clinic-virus-spamming-my-contact-list.html)

HawaiiTrvlr Apr 8, 2014 5:06 pm

Spam Clinic - Virus spamming my contact list
 
A few weeks ago, one of my friends said he had gotten spam from me. Sure enough, I apparently spammed 5 or 6 people in my contact list. I did a virus/malware check and didn't find anything. I did change my email password and now it happened again today. It spammed different people in my contact list. Plus, nothing shows up in my sent folder. I only knew because I was one of the recipients of the spam. The email affected is my hotmail account.

Any suggestions would be appreciated.

boberonicus Apr 8, 2014 5:26 pm

It is not necessarily the case that the spam was sent from your hotmail account. It is possible that once your contact list was harvested, the messages were then sent from some other mail system, and your email address was "spoofed".

To know for sure, you need to get the full email "header" from one of your friends who received the spam. This will show us the various machines and actual email systems that sent the spam. Here's a tutorial that explains how to get the headers from various email programs.

HawaiiTrvlr Apr 8, 2014 5:41 pm


Originally Posted by boberonicus (Post 22673071)
It is not necessarily the case that the spam was sent from your hotmail account. It is possible that once your contact list was harvested, the messages were then sent from some other mail system, and your email address was "spoofed".

To know for sure, you need to get the full email "header" from one of your friends who received the spam. This will show us the various machines and actual email systems that sent the spam. Here's a tutorial that explains how to get the headers from various email programs.

I did that and the page source lists more than 200 lines of code. I am not sure what a header is but it might be in the 200 lines. I can only assume I was spoofed. How did it get my contact list?

YVR Cockroach Apr 8, 2014 7:39 pm


Originally Posted by HawaiiTrvlr (Post 22673140)
I did that and the page source lists more than 200 lines of code. I am not sure what a header is but it might be in the 200 lines. I can only assume I was spoofed.

Header looks like this:
Code:

x-store-info:sbevkl2QZR7OXo7WID5ZcaZ0jeT0hTF6Pkz6VNoaPtZFKUm+W1WZD4UJRIr34kDYbiLFboa4+fuzbeCzqvL5cIPKhlTSWmN86UjRbKDWUoTIzNuPACzT6My5Qr5VlVG/ZmLnpVEC0lM=
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.55.116.12; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass [email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: hRqkuQHzzfvDnxvOXYkbi83OdWt99/ZUZW125y24FcsMHX6wfPmIYyq9/Y5ustIAzUy19RzZdGTZeJ3X4Nvg4UHGzZa4H24eLeDlqgNItUOiYev3bvus1cYykLWEsM6CT3QFLN7YWT4wy4xVTp8F7H41hdu4cQMfceUYTNXSqMstUuqAZVpMq+U+4JgUb6HvSGVG80gNBz7F+1RZDfyAL2nbrDMq98YR
Received: from blu0-omc1-s1.blu0.hotmail.com ([65.55.116.12]) by SNT0-MC4-F15.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
        Mon, 7 Apr 2014 17:43:38 -0700
Received: from BLU176-W34 ([65.55.116.8]) by blu0-omc1-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
        Mon, 7 Apr 2014 17:43:37 -0700
X-TMN: [Ask4/ez4Pe/g7jKj9evrDHvy/sgeicOLz0nyIv3aAmQ=]
X-Originating-Email: {Purported sender e-mail address replaced}
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative;
        boundary="_fdcff0a3-7173-43d8-b397-1ba114d04d10_"
From: {purported sender address replaced}
To:  {mulitple receipient address replaced}
Subject: Fwd: (8)
Date: Tue, 8 Apr 2014 00:43:37 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Apr 2014 00:43:37.0672 (UTC) FILETIME=[94458C80:01CF52C3]

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi! http://www.qai.co.uk/_it.works?jmjvu...yr=3D581205=20

                                              =

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 12pt=3B
font-family:Calibri
}
--></style></head>
<body class=3D'hmmessage'><div dir=3D'ltr'>Hi! <a href=3D"http://www.qai.co=
.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205" target=3D"_blank">http:=
//www.qai.co.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205</a> <br><br>=
                                              </div></body>
</html>=

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_--

I used spamcop.net to report this spam (or used to).

Can't decipher the report as to where the above spam came from. May be a compromised account and not a harvest.

boberonicus Apr 8, 2014 8:22 pm

The 200 lines are the "source" of the message, which is mostly the header.

I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post? Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code".

YVR Cockroach Apr 8, 2014 8:41 pm


Originally Posted by boberonicus (Post 22673836)
The 200 lines are the "source" of the message, which is mostly the header.

I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post?

Random spam message that is being purportedly sent from people I know with hotmail accounts. They're not the spam but all very similar. Wonder if they are from the same spammer.



Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code".

Thanks. Didn't know about this. Above post duly edited.

HawaiiTrvlr Apr 9, 2014 7:34 am

When I view the Page Source tab, it doesn't look anything like what YVR posted. There is nothing that indicates where the email came from or lists any IP address like in the example posted.

My sister sent me one of the spam emails and it had a totally different website link in it that I got from myself. So maybe 2 separate emails were sent out. In her email, it listed 13 random people (some in my contact list and others were people I had received an email from). I ran another virus check and nothing was found.

It is just frustrating since I am very careful about clicking on unknown links or downloading suspicious files.

boberonicus Apr 9, 2014 7:50 am


Originally Posted by HawaiiTrvlr (Post 22675505)
When I view the Page Source tab, it doesn't look anything like what YVR posted.

We don't want to see "page source." And we don't want to see your email, we want to see what your recipients received that purported to be from you.

HawaiiTrvlr Apr 23, 2014 7:49 am

Return-path: <my actual email [email protected]>
Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)
(envelope-from <my actual email [email protected]>)
id 1WcmFF-0007rp-3P; Tue, 22 Apr 2014 21:45:05 -0400
Message-ID: <[email protected]>
From: "My Name" <My Actual Email [email protected]>
To: "Real person 1: <[email protected]>,
"Real person 2" <[email protected]>,
"Real person 3" <[email protected]>,
"Real person 4" <[email protected]>,
"Real Person 5" <[email protected]>,
"Real Person 6" <[email protected]>,
"Real person 7" <[email protected]>, "Real Person 8" <[email protected]>,
"Real Person 9" <[email protected]>
Subject: My Name
Date: Tue, 23 Apr 2014 02:44:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_F2B8_9E201E56.23C05BE6"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110

This is a multi-part message in MIME format.

------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

http://www.veracruzalgaba.org/nyhj/q...cpdzpwfgehzarp
------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=
=3DUTF-8></HEAD><BODY>http://www.veracruzalgaba.org/nyhj/q....sszcpdzpwfge=
hzarp</BODY></HTML>

------=_NextPart_000_F2B8_9E201E56.23C05BE6--

So another series of emails went out using my actual email address. This is what it looks like. I assume this is the source page people asked to see. I did check out the IP address and it shows up in some town in Peru.

I assume this is what they call spoofing. All the people that received this email, I never had actually sent an email to but rather they sent an email to me (so located in my inbox). None of these are in my contact list. I did another Avast virus scan and it came up clean.

Any suggestions would be appreciated.

gfunkdave Apr 23, 2014 8:11 am

Well, it looks like one of two things is happening, and I'm not sure which because I can't quite tell your setup here.

It looks like you are using schulin.net as a mail forwarder. You should ensure that there are appropriate SPF records in the DNS for schulin.net and for steveschulin.com. This will prevent 98% of spoofing.

But - and here's where I'm unsure - it really does look like the emails are coming from your account (i.e., not spoofed). So I *think* your hotmail account is actually compromised. Do the spam mails show in your sent items or in your deleted items?

I know you changed your password recently. Do you have two factor auth turned on? If not, definitely activate it. In fact, it's a good idea to turn it on for all your accounts that support it. It seems like someone is compromising and re-compromising your account. Change the answers to your security questions or other password recovery mechanism too, while you're at it, and see if your friends keep getting the spam.

Spiff Apr 23, 2014 8:14 am

I take it this is not you?

Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)

It looks like the spamming scumbags have a new tactic: lift contacts from a compromised hotmail/aol/etc account. Perhaps they send an email like the traditional spam you see from such compromised accounts. Perhaps not. Later, the spammers send a forged email from a spam relay. Notice the sent email did not end up in your sent folder? The victim often gets blamed anyway if the headers aren't examined.

No really good solution exists once your email contact list has been harvested. You can contact the ISPs of the spam relay and the link they want your contacts to click. At least make some trouble for the spamming scumbags. :mad: You may want to let some of your less-technically savvy contacts know that they may be receiving spam and not to click any links in emails from you.


Originally Posted by gfunkdave (Post 22747359)
It seems like someone is compromising and re-compromising your account.

Not necessary once the contact list is harvested. The spam is spoofed; no need to re-compromise the victim's account.
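As an added illustration of the two checks discussed in this thread (reading the Received chain bottom-up to find the host that actually submitted the message, as boberonicus and Spiff describe, and evaluating an SPF record against that host's IP, as gfunkdave suggests), here is example code that is not from any poster in the thread. The raw message is constructed, modelled on the header HawaiiTrvlr posted, with placeholder addresses and hostnames; the SPF record is also constructed and is not any real domain's record. The SPF evaluator only handles ip4/ip6 and all mechanisms, since include/a/mx need DNS.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the posted header; addresses and hosts are placeholders.
# The earliest hop (bottom Received line) is a third-party Exim relay accepting the
# message from an arbitrary IP, while From/Return-Path claim a webmail domain.
RAW_MESSAGE = """\
Return-path: <victim@hotmail.example>
Received: from mx.recipient.example ([192.0.2.10]) by mail.recipient.example
\twith ESMTP id abc123; Tue, 22 Apr 2014 21:45:06 -0400
Received: from [198.51.100.23] (port=60328 helo=relay.example)
\tby cloud.relay.example with esmtpa (Exim 4.82)
\t(envelope-from <victim@hotmail.example>)
\tid 1WcmFF-0007rp-3P; Tue, 22 Apr 2014 21:45:05 -0400
Message-ID: <F2B8F1B6D6BF4A7E@relay.example>
From: "Victim Name" <victim@hotmail.example>
To: "Real person 1" <contact1@example.org>
Subject: Victim Name
Date: Tue, 23 Apr 2014 02:44:56 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

http://placeholder.invalid/link
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([\w.-]+)")


def received_chain(raw):
    """Received headers oldest-first. Each relay prepends its own line, so the
    bottom line in the message is the first hop and we reverse the list."""
    msg = message_from_string(raw)
    # Collapse folded continuation lines into single-space separated text.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def first_hop(raw):
    """IP and HELO name of the host that handed the message to the first relay."""
    hops = received_chain(raw)
    if not hops:
        return None
    first = hops[0]
    ip = IP_RE.search(first)
    helo = HELO_RE.search(first)
    return {"ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "raw": first}


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def spf_check(record, client_ip):
    """Minimal SPF evaluation of `record` for `client_ip` (RFC 7208 subset).
    Supports ip4:/ip6: mechanisms with optional CIDR and the 'all' mechanism with
    the four qualifiers. Mechanisms that need DNS (include, a, mx, ptr, exists)
    return 'unsupported' rather than guessing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            # `in` is False when address and network versions differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qual]
            continue
        return "unsupported"
    return "neutral"  # no mechanism matched and no explicit 'all'


def triage(raw, spf_records):
    """Summarize whether the submitting host is one the envelope domain authorizes.
    `spf_records` maps domain -> SPF TXT record (supplied here instead of a DNS lookup)."""
    hop = first_hop(raw) or {"ip": None, "helo": None}
    msg = message_from_string(raw)
    env_domain = domain_of(msg.get("Return-Path"))
    record = spf_records.get(env_domain, "")
    spf = spf_check(record, hop["ip"]) if hop["ip"] else "none"
    return {"submitting_ip": hop["ip"], "helo": hop["helo"],
            "from_domain": domain_of(msg.get("From")),
            "envelope_domain": env_domain, "spf": spf}


if __name__ == "__main__":
    # Constructed record: authorizes only the /24 around the webmail IP seen earlier in the thread.
    print(triage(RAW_MESSAGE, {"hotmail.example": "v=spf1 ip4:65.55.116.0/24 -all"}))
```

Run against the sample, the triage shows a hotmail.example From and Return-Path but a first hop from 198.51.100.23 through an unrelated Exim relay, and the constructed SPF record evaluates to fail for that IP, which is the signal a receiving server uses to reject or junk a spoofed message. A pass for the webmail provider's own outbound IP (as in the Authentication-Results line YVR Cockroach posted) versus a fail here is exactly the distinction between "sent from the account" and "sent from elsewhere with a forged From".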

HawaiiTrvlr Apr 23, 2014 10:30 am

gfunkdave -- Nothing appears in my sent folder.

The steveschulin.net is not me and I am not using it as mail forwarder. The IP address was traced to Lima Peru.

I will change my password and start the 2 step authorizing thing. I will ask Hotmail if they want to investigate the IP or at least notify them. I am thinking since they are out of the country, I am not expecting a whole lot.

Thanks for y'all's help/suggestions.

gfunkdave Apr 23, 2014 10:44 am

In that case, Spiff appears to be right. Someone has compromised schulin.net and is using it to send spam. I'd email [email protected] and [email protected], as well as perhaps just going to the guy's website and emailing him too with this. He needs to set up SPF records on his domain.

dtsm Apr 23, 2014 10:49 am


Originally Posted by HawaiiTrvlr (Post 22748156)
I will change my password and start the 2 step authorizing thing.

It's worth repeating: use the 2-step authorization whenever possible. Not just for email but any on-line accounts [example: PayPal, iTunes].

Good luck. ;)

gfunkdave Apr 23, 2014 10:56 am

Here's a website that lists 2FA support among most major sites.

http://twofactorauth.org/

