Spam Clinic - Virus spamming my contact list

Old Apr 8, 2014, 5:06 pm
  #1  
Original Poster
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
Spam Clinic - Virus spamming my contact list

A few weeks ago, one of my friends said he had gotten spam from me. Sure enough, I apparently spammed 5 or 6 people in my contact list. I did a virus/malware check and didn't find anything. I did change my email password and now it happened again today. It spammed different people in my contact list. Plus, nothing shows up in my sent folder. I only knew because I was one of the recipients of the spam. What else should I do to stop this? The email affected is my hotmail account.

Any suggestions would be appreciated.
HawaiiTrvlr is offline  
Old Apr 8, 2014, 5:26 pm
  #2  
 
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
It is not necessarily the case that the spam was sent from your hotmail account. It is possible that once your contact list was harvested, the messages were then sent from some other mail system, and your email address was "spoofed".

To know for sure, you need to get the full email "header" from one of your friends who received the spam. This will show us the various machines and actual email systems that sent the spam. Here's a tutorial that explains how to get the headers from various email programs.
boberonicus is offline  
Old Apr 8, 2014, 5:41 pm
  #3  
Original Poster
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
Originally Posted by boberonicus
It is not necessarily the case that the spam was sent from your hotmail account. It is possible that once your contact list was harvested, the messages were then sent from some other mail system, and your email address was "spoofed".

To know for sure, you need to get the full email "header" from one of your friends who received the spam. This will show us the various machines and actual email systems that sent the spam. Here's a tutorial that explains how to get the headers from various email programs.
I did that and the page source lists more than 200 lines of code. I am not sure what a header is but it might be in the 200 lines. I can only assume I was spoofed. How did it get my contact list?
HawaiiTrvlr is offline  
Old Apr 8, 2014, 7:39 pm
  #4  
FlyerTalk Evangelist
 
Join Date: Nov 1999
Programs: FB Silver going for Gold
Posts: 21,753
Originally Posted by HawaiiTrvlr
I did that and the page source lists more than 200 lines of code. I am not sure what a header is but it might be in the 200 lines. I can only assume I was spoofed.
Header looks like this:
Code:
x-store-info:sbevkl2QZR7OXo7WID5ZcaZ0jeT0hTF6Pkz6VNoaPtZFKUm+W1WZD4UJRIr34kDYbiLFboa4+fuzbeCzqvL5cIPKhlTSWmN86UjRbKDWUoTIzNuPACzT6My5Qr5VlVG/ZmLnpVEC0lM=
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.55.116.12; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass [email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: hRqkuQHzzfvDnxvOXYkbi83OdWt99/ZUZW125y24FcsMHX6wfPmIYyq9/Y5ustIAzUy19RzZdGTZeJ3X4Nvg4UHGzZa4H24eLeDlqgNItUOiYev3bvus1cYykLWEsM6CT3QFLN7YWT4wy4xVTp8F7H41hdu4cQMfceUYTNXSqMstUuqAZVpMq+U+4JgUb6HvSGVG80gNBz7F+1RZDfyAL2nbrDMq98YR
Received: from blu0-omc1-s1.blu0.hotmail.com ([65.55.116.12]) by SNT0-MC4-F15.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Mon, 7 Apr 2014 17:43:38 -0700
Received: from BLU176-W34 ([65.55.116.8]) by blu0-omc1-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Mon, 7 Apr 2014 17:43:37 -0700
X-TMN: [Ask4/ez4Pe/g7jKj9evrDHvy/sgeicOLz0nyIv3aAmQ=]
X-Originating-Email: {Purported sender e-mail address replaced}
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative;
	boundary="_fdcff0a3-7173-43d8-b397-1ba114d04d10_"
From: {purported sender address replaced}
To:  {mulitple receipient address replaced}
Subject: Fwd: (8)
Date: Tue, 8 Apr 2014 00:43:37 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Apr 2014 00:43:37.0672 (UTC) FILETIME=[94458C80:01CF52C3]

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi! http://www.qai.co.uk/_it.works?jmjvu...yr=3D581205=20

 		 	   		  =

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 12pt=3B
font-family:Calibri
}
--></style></head>
<body class=3D'hmmessage'><div dir=3D'ltr'>Hi! <a href=3D"http://www.qai.co=
.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205" target=3D"_blank">http:=
//www.qai.co.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205</a> <br><br>=
 		 	   		  </div></body>
</html>=

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_--
I used spamcop.net to report this spam (or used to).

Can't decipher the report as to where the above spam came from. May be a compromised account and not a harvest.

Last edited by YVR Cockroach; Apr 8, 2014 at 8:39 pm
YVR Cockroach is offline  
Old Apr 8, 2014, 8:22 pm
  #5  
 
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
The 200 lines are the "source" of the message, which is mostly the header.

I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post? Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code"

Last edited by boberonicus; Apr 8, 2014 at 8:31 pm
boberonicus is offline  
Old Apr 8, 2014, 8:41 pm
  #6  
FlyerTalk Evangelist
 
Join Date: Nov 1999
Programs: FB Silver going for Gold
Posts: 21,753
Originally Posted by boberonicus
The 200 lines are the "source" of the message, which is mostly the header.

I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post?
Random spam message that is being purportedly sent from people I know with hotmail accounts. They're not the spam but all very similar. Wonder if they are from the same spammer.


Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code"

Thanks. Didn't know about this. Above post duly edited.
YVR Cockroach is offline  
Old Apr 9, 2014, 7:34 am
  #7  
Original Poster
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
When I view the Page Source tab, it doesn't look anything like what YVR posted. There is nothing that indicates where the email came from or lists any IP address like in the example posted.

My sister sent me one of the spam emails and it had a totally different website link in it that I got from myself. So maybe 2 separate emails were sent out. In her email, it listed 13 random people (some in my contact list and others were people I had received an email from). I ran another virus check and nothing was found.

It is just frustrating since I am very careful about clicking on unknown links or downloading suspicious files.
HawaiiTrvlr is offline  
Old Apr 9, 2014, 7:50 am
  #8  
 
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
Originally Posted by HawaiiTrvlr
When I view the Page Source tab, it doesn't look anything like what YVR posted.
We don't want to see "page source." And we don't want to see your email, we want to see what your recipients received that purported to be from you.
boberonicus is offline  
Old Apr 23, 2014, 7:49 am
  #9  
Original Poster
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
Return-path: <my actual email [email protected]>
Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)
(envelope-from <my actual email [email protected]>)
id 1WcmFF-0007rp-3P; Tue, 22 Apr 2014 21:45:05 -0400
Message-ID: <[email protected]>
From: "My Name" <My Actual Email [email protected]>
To: "Real person 1: <[email protected]>,
"Real person 2" <[email protected]>,
"Real person 3" <[email protected]>,
"Real person 4" <[email protected]>,
"Real Person 5" <[email protected]>,
"Real Person 6" <[email protected]>,
"Real person 7" <[email protected]>, "Real Person 8" <[email protected]>,
"Real Person 9" <[email protected]>
Subject: My Name
Date: Tue, 23 Apr 2014 02:44:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_F2B8_9E201E56.23C05BE6"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110

This is a multi-part message in MIME format.

------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

http://www.veracruzalgaba.org/nyhj/q...cpdzpwfgehzarp
------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=
=3DUTF-8></HEAD><BODY>http://www.veracruzalgaba.org/nyhj/q....sszcpdzpwfge=
hzarp</BODY></HTML>

------=_NextPart_000_F2B8_9E201E56.23C05BE6--

So another series of emails went out using my actual email address. This is what it looks like. I assume this is the source page people asked to see. I did check out the IP address and it shows up in some town in Peru.

I assume this is what they call spoofing. All the people that received this email, I never had actually sent an email to but rather they sent an email to me (so located in my inbox). None of these are in my contact list. I did another Avast virus scan and it came up clean.

Any suggestions would be appreciated.
HawaiiTrvlr is offline  
Old Apr 23, 2014, 8:11 am
  #10  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,200
Well, it looks like one of two things is happening, and I'm not sure which because I can't quite tell your setup here.

It looks like you are using schulin.net as a mail forwarder. You should ensure that there are appropriate SPF records in the DNS for schulin.net and for steveschulin.com. This will prevent 98% of spoofing.

But - and here's where I'm unsure - it really does look like the emails are coming from your account (i.e., not spoofed). So I *think* your hotmail account is actually compromised. Do the spam mails show in your sent items or in your deleted items?

I know you changed your password recently. Do you have two factor auth turned on? If not, definitely activate it. In fact, it's a good idea to turn it on for all your accounts that support it. It seems like someone is compromising and re-compromising your account. Change the answers to your security questions or other password recovery mechanism too, while you're at it, and see if your friends keep getting the spam.

Last edited by gfunkdave; Apr 23, 2014 at 8:18 am
gfunkdave is offline  
Old Apr 23, 2014, 8:14 am
  #11  
Moderator: Coupon Connection & S.P.A.M
 
Join Date: May 2000
Location: Louisville, KY
Programs: Destination Unknown, TSA Disparager Diamond (LTDD)
Posts: 57,946
I take it this is not you?

Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)

It looks like the spamming scumbags have a new tactic: lift contacts from a compromised hotmail/aol/etc account. Perhaps they send an email like the traditional spam you see from such compromised accounts. Perhaps not. Later, the spammers send a forged email from a spam relay. Notice the sent email did not end up in your sent folder? The victim often gets blamed anyway if the headers aren't examined.

No really good solution exists once your email contact list has been harvested. You can contact the ISPs of the spam relay and the link they want your contacts to click. At least make some trouble for the spamming scumbags. You may want to let some of your less-technically savvy contacts know that they may be receiving spam and not to click any links in emails from you.

Originally Posted by gfunkdave
It seems like someone is compromising and re-compromising your account.
Not necessary once the contact list is harvested. The spam is spoofed; no need to re-compromise the victim's account.

Last edited by Spiff; Apr 23, 2014 at 8:55 am
Spiff is offline  
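Added example, not part of this thread and not any poster's code: a small Python script that does what boberonicus (#2) and Spiff (#11) describe, reading the Received: chain bottom-up to find the first server that accepted the message, and comparing that with the From: domain and the SPF result. The header it runs on is constructed for this example (reserved example.com/.net/.org names and documentation IP addresses) and is shaped like the header posted in #9: a From: address at one provider, accepted by an unrelated relay over authenticated submission from an outside IP.

```python
"""Trace a mail header's Received: chain to see where a message really
entered the mail system. Added example for this thread; not code from
any poster, and the sample header below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, shaped like the header in post #9: From: claims a
# mailbox at example.com, but the first hop is an unrelated relay
# (example.net) that accepted the message from an outside IP over
# authenticated submission. All names/addresses are reserved documentation values.
SAMPLE_HEADER = """\
Return-path: <victim@example.com>
Received: from cloud.relay.example.net ([198.51.100.7])
\tby mx.example.org with esmtp id 2FgHiJ-0003Xy-1Q; Tue, 22 Apr 2014 21:45:07 -0400
Received: from [203.0.113.45] (port=60328 helo=relay.example.net)
\tby cloud.relay.example.net with esmtpa (Exim 4.82)
\t(envelope-from <victim@example.com>)
\tid 1AbCdE-0001Ab-2C; Tue, 22 Apr 2014 21:45:05 -0400
Authentication-Results: mx.example.org; spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=victim@example.com; dkim=none
Message-ID: <abc123@relay.example.net>
From: "Victim Name" <victim@example.com>
To: "Real person 1" <person1@example.org>
Subject: Victim Name
Date: Tue, 23 Apr 2014 02:44:56 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

http://spam-link.example.net/
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)
HELO_RE = re.compile(r"\bhelo=([^\s)]+)", re.I)
# Exim's protocol names for a session that logged in with SMTP AUTH
# (the "with esmtpa (Exim 4.82)" line in post #9 is one of these).
AUTHENTICATED = {"esmtpa", "esmtpsa"}


def parse_received(value):
    """Pull the 'from' host, its IP literal, HELO name, 'by' host and
    protocol out of one Received: value (folded lines are flattened)."""
    flat = " ".join(value.split())
    grab = lambda rx: (m.group(1) if (m := rx.search(flat)) else None)
    from_host = grab(FROM_RE)
    return {
        "from": from_host.strip("[]") if from_host else None,
        "ip": grab(IP_RE),
        "helo": grab(HELO_RE),
        "by": (grab(BY_RE) or "").rstrip(";") or None,
        "with": grab(WITH_RE),
    }


def hops(raw_header):
    """Hops oldest first: the last Received: header is the first server
    that accepted the message from the sending client."""
    msg = message_from_string(raw_header)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def spf_result(raw_header):
    """SPF verdict from Authentication-Results, or 'absent' if none."""
    msg = message_from_string(raw_header)
    for value in msg.get_all("Authentication-Results") or []:
        m = re.search(r"\bspf=(\w+)", value, re.I)
        if m:
            return m.group(1).lower()
    return "absent"


def under_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def assess(raw_header):
    """Summarise where the message entered the mail system and whether
    that is consistent with the From: domain."""
    msg = message_from_string(raw_header)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    chain = hops(raw_header)
    spf = spf_result(raw_header)
    origin = chain[0] if chain else None
    findings = []
    if origin is None:
        findings.append("no Received: headers; nothing to trace")
    else:
        if not any(under_domain(h["by"], from_domain) for h in chain):
            findings.append(f"no hop was handled by {from_domain}: the message never "
                            "passed through the claimed sender's provider (spoofed From:)")
        if (origin["with"] or "").lower() in AUTHENTICATED:
            findings.append(f"first hop used authenticated submission ({origin['with']}) at "
                            f"{origin['by']}: an account on that relay, not at {from_domain}, sent it")
    if spf != "pass":
        findings.append(f"SPF result is '{spf}': the delivering IP is not vouched for by {from_domain}")
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_relay": origin["by"] if origin else None,
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HEADER)
    print(f"From: domain {report['from_domain']}, entered via {report['origin_ip']} "
          f"at {report['origin_relay']}, SPF {report['spf']}")
    for f in report["findings"]:
        print(" -", f)
```

Paste the header a recipient forwarded (the full source, as asked for in #8) into SAMPLE_HEADER and the report names the IP and relay to send abuse reports to, which is the information posts #11 and #13 act on; a header where some hop is handled by the From: domain and SPF passes produces no findings.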
Old Apr 23, 2014, 10:30 am
  #12  
Original Poster
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
gfunkdave -- Nothing appears in my sent folder.

The steveschulin.net is not me and I am not using it as mail forwarder. The IP address was traced to Lima Peru.

I will change my password and start the 2 step authorizing thing. I will ask Hotmail if they want to investigate the IP or at least notify them. I am thinking since they are out of the country, I am not expecting a whole lot.

Thanks for y'all's help/suggestions.
HawaiiTrvlr is offline  
Old Apr 23, 2014, 10:44 am
  #13  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,200
In that case, Spiff appears to be right. Someone has compromised schulin.net and is using it to send spam. I'd email [email protected] and [email protected], as well as perhaps just going to the guy's website and emailing him too with this. He needs to set up SPF records on his domain.
gfunkdave is offline  
Old Apr 23, 2014, 10:49 am
  #14  
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
Originally Posted by HawaiiTrvlr
I will change my password and start the 2 step authorizing thing.
It's worth repeating: use the 2-step authorization whenever possible. Not just for email but any on-line accounts [example: PayPal, iTunes].

Good luck.
dtsm is offline  
Old Apr 23, 2014, 10:56 am
  #15  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,200
Here's a website that lists 2FA support among most major sites.

http://twofactorauth.org/
gfunkdave is offline  
