Spam Clinic - Virus spamming my contact list
#1
Original Poster
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
A few weeks ago, one of my friends said he had gotten spam from me. Sure enough, I apparently spammed 5 or 6 people in my contact list. I did a virus/malware check and didn't find anything. I did change my email password and now it happened again today. It spammed different people in my contact list. Plus, nothing shows up in my sent folder. I only knew because I was one of the recipients of the spam. What else should I do to stop this? The email affected is my hotmail account.
Any suggestions would be appreciated.
#2
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
It is not necessarily the case that the spam was sent from your hotmail account. It is possible that once your contact list was harvested, the messages were then sent from some other mail system, and your email address was "spoofed".
To know for sure, you need to get the full email "header" from one of your friends who received the spam. This will show us the various machines and actual email systems that sent the spam. Here's a tutorial that explains how to get the headers from various email programs.
#3
Original Poster
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
#4
FlyerTalk Evangelist
Join Date: Nov 1999
Programs: FB Silver going for Gold
Posts: 21,753
Code:
x-store-info:sbevkl2QZR7OXo7WID5ZcaZ0jeT0hTF6Pkz6VNoaPtZFKUm+W1WZD4UJRIr34kDYbiLFboa4+fuzbeCzqvL5cIPKhlTSWmN86UjRbKDWUoTIzNuPACzT6My5Qr5VlVG/ZmLnpVEC0lM=
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.55.116.12; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass [email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: hRqkuQHzzfvDnxvOXYkbi83OdWt99/ZUZW125y24FcsMHX6wfPmIYyq9/Y5ustIAzUy19RzZdGTZeJ3X4Nvg4UHGzZa4H24eLeDlqgNItUOiYev3bvus1cYykLWEsM6CT3QFLN7YWT4wy4xVTp8F7H41hdu4cQMfceUYTNXSqMstUuqAZVpMq+U+4JgUb6HvSGVG80gNBz7F+1RZDfyAL2nbrDMq98YR
Received: from blu0-omc1-s1.blu0.hotmail.com ([65.55.116.12]) by SNT0-MC4-F15.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Mon, 7 Apr 2014 17:43:38 -0700
Received: from BLU176-W34 ([65.55.116.8]) by blu0-omc1-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 7 Apr 2014 17:43:37 -0700
X-TMN: [Ask4/ez4Pe/g7jKj9evrDHvy/sgeicOLz0nyIv3aAmQ=]
X-Originating-Email: {Purported sender e-mail address replaced}
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative; boundary="_fdcff0a3-7173-43d8-b397-1ba114d04d10_"
From: {purported sender address replaced}
To: {mulitple receipient address replaced}
Subject: Fwd: (8)
Date: Tue, 8 Apr 2014 00:43:37 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Apr 2014 00:43:37.0672 (UTC) FILETIME=[94458C80:01CF52C3]

--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi!
http://www.qai.co.uk/_it.works?jmjvu...yr=3D581205=20
=
--_fdcff0a3-7173-43d8-b397-1ba114d04d10_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 12pt=3B
font-family:Calibri
}
--></style></head>
<body class=3D'hmmessage'><div dir=3D'ltr'>Hi! <a href=3D"http://www.qai.co=
.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205" target=3D"_blank">http:=
//www.qai.co.uk/_it.works?jmjvutumu=3D7808538&katufyr=3D581205</a> <br><br>=
</div></body>
</html>=
--_fdcff0a3-7173-43d8-b397-1ba114d04d10_--
Can't decipher the report as to where the above spam came from. May be a compromised account and not a harvest.
Last edited by YVR Cockroach; Apr 8, 2014 at 8:39 pm
#5
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
The 200 lines are the "source" of the message, which is mostly the header.
I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post? Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code"
Last edited by boberonicus; Apr 8, 2014 at 8:31 pm
#6
FlyerTalk Evangelist
Join Date: Nov 1999
Programs: FB Silver going for Gold
Posts: 21,753
The 200 lines are the "source" of the message, which is mostly the header.
I do not understand the relationship between the posts by HawaiiTrvlr and YVR Cockroach. Did YVR Cockroach receive the spam purported to be from HawaiiTrvlr or is it a random header that you decided to post?
Also, when posting headers, use the "Go Advanced" button then select the pound sign icon, which is for posting "code"
Thanks. Didn't know about this. Above post duly edited.
#7
Original Poster
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
When I view the Page Source tab, it doesn't look anything like what YVR posted. There is nothing that indicates where the email came from or lists any IP address like in the example posted.
My sister sent me one of the spam emails and it had a totally different website link in it that I got from myself. So maybe 2 separate emails were sent out. In her email, it listed 13 random people (some in my contact list and others were people I had received an email from). I ran another virus check and nothing was found.
It is just frustrating since I am very careful about clicking on unknown links or downloading suspicious files.
#8
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
#9
Original Poster
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
Return-path: <my actual email [email protected]>
Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)
(envelope-from <my actual email [email protected]>)
id 1WcmFF-0007rp-3P; Tue, 22 Apr 2014 21:45:05 -0400
Message-ID: <[email protected]>
From: "My Name" <My Actual Email [email protected]>
To: "Real person 1: <[email protected]>,
"Real person 2" <[email protected]>,
"Real person 3" <[email protected]>,
"Real person 4" <[email protected]>,
"Real Person 5" <[email protected]>,
"Real Person 6" <[email protected]>,
"Real person 7" <[email protected]>, "Real Person 8" <[email protected]>,
"Real Person 9" <[email protected]>
Subject: My Name
Date: Tue, 23 Apr 2014 02:44:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_F2B8_9E201E56.23C05BE6"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
This is a multi-part message in MIME format.
------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
http://www.veracruzalgaba.org/nyhj/q...cpdzpwfgehzarp
------=_NextPart_000_F2B8_9E201E56.23C05BE6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=
=3DUTF-8></HEAD><BODY>http://www.veracruzalgaba.org/nyhj/q....sszcpdzpwfge=
hzarp</BODY></HTML>
------=_NextPart_000_F2B8_9E201E56.23C05BE6--
So another series of emails went out using my actual email address. This is what it looks like. I assume this is the source page people asked to see. I did check out the IP address and it shows up in some town in Peru.
I assume this is what they call spoofing. All the people that received this email, I never had actually sent an email to but rather they sent an email to me (so located in my inbox). None of these are in my contact list. I did another Avast virus scan and it came up clean.
Any suggestions would be appreciated.
#10
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,200
Well, it looks like one of two things is happening, and I'm not sure which because I can't quite tell your setup here.
It looks like you are using schulin.net as a mail forwarder. You should ensure that there are appropriate SPF records in the DNS for schulin.net and for steveschulin.com. This will prevent 98% of spoofing.
But - and here's where I'm unsure - it really does look like the emails are coming from your account (i.e., not spoofed). So I *think* your hotmail account is actually compromised. Do the spam mails show in your sent items or in your deleted items?
I know you changed your password recently. Do you have two factor auth turned on? If not, definitely activate it. In fact, it's a good idea to turn it on for all your accounts that support it. It seems like someone is compromising and re-compromising your account. Change the answers to your security questions or other password recovery mechanism too, while you're at it, and see if your friends keep getting the spam.
Last edited by gfunkdave; Apr 23, 2014 at 8:18 am
#11
Moderator: Coupon Connection & S.P.A.M
Join Date: May 2000
Location: Louisville, KY
Programs: Destination Unknown, TSA Disparager Diamond (LTDD)
Posts: 57,946
I take it this is not you?
Received: from [190.238.167.226] (port=60328 helo=schulin.net)
by cloud.steveschulin.com with esmtpa (Exim 4.82)
It looks like the spamming scumbags have a new tactic: lift contacts from a compromised hotmail/aol/etc account. Perhaps they send an email like the traditional spam you see from such compromised accounts. Perhaps not. Later, the spammers send a forged email from a spam relay. Notice the sent email did not end up in your sent folder? The victim often gets blamed anyway if the headers aren't examined.
No really good solution exists once your email contact list has been harvested. You can contact the ISPs of the spam relay and the link they want your contacts to click. At least make some trouble for the spamming scumbags. You may want to let some of your less-technically savvy contacts know that they may be receiving spam and not to click any links in emails from you.
Not necessary once the contact list is harvested. The spam is spoofed; no need to re-compromise the victim's account.
Last edited by Spiff; Apr 23, 2014 at 8:55 am
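As an added example (not code from this thread), here is how a recipient can read the Received: chain in the source the original poster pasted to tell "account compromised" from "address spoofed": the sample message is constructed from those headers with placeholder addresses, and the parser also handles the Hotmail-style Received: lines from the header in post #4 so the two cases can be compared.

```python
import re
from email import message_from_string

# Constructed sample built from the message source the original poster pasted;
# addresses are placeholders (the thread says the affected account is Hotmail).
SAMPLE = """\
Return-path: <redacted-sender@hotmail.com>
Received: from [190.238.167.226] (port=60328 helo=schulin.net)
    by cloud.steveschulin.com with esmtpa (Exim 4.82)
    (envelope-from <redacted-sender@hotmail.com>)
    id 1WcmFF-0007rp-3P; Tue, 22 Apr 2014 21:45:05 -0400
From: "My Name" <redacted-sender@hotmail.com>

(body omitted)
"""

# One Received: hop. Exim writes "from [ip] (port=.. helo=..) by host with proto",
# Hotmail's SMTPSVC writes "from name ([ip]) by host with ..."; both are handled.
HOP_RE = re.compile(
    r"from\s+(?:(?P<name>[^\s\[(]+)\s+)?\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"
    r"\s*(?:\((?P<extra>[^)]*)\))?\s+by\s+(?P<by>\S+)(?:\s+with\s+(?P<with>\S+))?",
    re.IGNORECASE,
)

def parse_hops(raw):
    """Return the Received: hops oldest first, so hops[0] is where the mail entered."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue
        hop = m.groupdict()
        helo = re.search(r"helo=(\S+)", hop["extra"] or "")
        hop["helo"] = helo.group(1) if helo else hop["name"]
        hops.append(hop)
    return hops

def assess(raw):
    """Findings that separate a forged From: from mail really sent by the account."""
    msg = message_from_string(raw)
    sender_domain = (msg["From"] or "").rsplit("@", 1)[-1].rstrip(">").lower()
    hops = parse_hops(raw)
    if not hops:
        return ["no parseable Received: header; ask the recipient for the full source"]
    origin = hops[0]
    findings = [f"entered at {origin['by']} from {origin['ip']} (helo={origin['helo']})"]
    if (origin["with"] or "").lower() == "esmtpa":
        findings.append(f"esmtpa: the sender authenticated to {origin['by']}, "
                        f"not to {sender_domain}")
    if not any(h["by"].lower().endswith(sender_domain) for h in hops):
        findings.append(f"no hop belongs to {sender_domain}: From: is spoofed, "
                        "which is why nothing shows in the Sent folder")
    return findings
```

For the poster's message this reports entry at cloud.steveschulin.com from 190.238.167.226 with no Hotmail hop at all, whereas the post #4 header starts inside Hotmail's own servers, which is the signature of a genuinely compromised account.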
#12
Original Poster
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,338
gfunkdave -- Nothing appears in my sent folder.
The steveschulin.net is not me and I am not using it as a mail forwarder. The IP address was traced to Lima Peru.
I will change my password and start the 2 step authorizing thing. I will ask Hotmail if they want to investigate the IP or at least notify them. I am thinking since they are out of the country, I am not expecting a whole lot.
Thanks for y'all's help/suggestions.
#13
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,200
In that case, Spiff appears to be right. Someone has compromised schulin.net and is using it to send spam. I'd email [email protected] and [email protected], as well as perhaps just going to the guy's website and emailing him too with this. He needs to set up SPF records on his domain.
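To show what the SPF advice in this thread amounts to, an added example (not from the thread): a minimal SPF evaluator of the kind a receiving mail server applies to the envelope-from domain and the connecting IP taken from the Received: header. The record for hotmail.com below is constructed for illustration and is not the real one, and the DNS-dependent mechanisms (include:, a, mx) are deliberately left out.

```python
import ipaddress

# Constructed SPF record for the envelope-from domain (NOT hotmail.com's real
# policy): it authorises the Hotmail outbound range seen in the post #4 header
# and nothing else, ending with a hard "-all".
EXAMPLE_RECORDS = {
    "hotmail.com": "v=spf1 ip4:65.55.116.0/24 ip4:65.54.0.0/16 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Walk the record left to right; the first matching mechanism decides."""
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # no qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        else:
            # include:/a/mx/exists need DNS lookups, which this example does not do
            raise ValueError(f"mechanism {name!r} needs DNS, not supported here")
    return "neutral"  # nothing matched and the record has no "all" term

def check_sender(envelope_from, client_ip, records=EXAMPLE_RECORDS):
    """SPF verdict for the envelope-from domain against the connecting IP."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF record
    return evaluate_spf(record, client_ip)
```

Under this policy the forged message from 190.238.167.226 fails while the post #4 message from 65.55.116.12 passes, which is the distinction the "spf=pass" line in that header already records.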
#14
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
#15
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,200