Someone sending viruses addressed from me

Discussion in 'Computer Support' started by T.J., Jan 19, 2006.

  1. T.J.

    T.J. Guest

    I've had 5 or 6 people contact me saying they
    are receiving virus attacks from me via my email addy.

    I know this isn't the case, someone has obviously set
    something up so it looks like me sending them.
    Is there anything I can do about this? If not
    directly, does anyone know of a URL I can send
    people to that explains to them about forged sent from
    settings?
    TIA.
    T.J., Jan 19, 2006
    #1

  2. T.J.

    Morgi3 Guest

    Hi T.J. - it's quite possible that your machine is infected with a
    virus, and it is "silently" sending these messages from your account,
    taking advantage of any address book that you have stored on your
    machine - are you using Microsoft Outlook or Outlook Express?

    I strongly advise that you check your antivirus protection is on and
    up-to-date. Perform a whole system scan. It may also be worth
    downloading and scanning with McAfee Stinger.exe, a free stand alone
    scanner that can find some of the latest and most common worms and
    viruses. You can download this from
    http://us.mcafee.com/virusInfo/default.asp?path=/virusInfo/virusRemoval/Stinger.asp

    Also, do you have a firewall monitoring your connection at all?

    I hope this helps,


    Steve.
    Morgi3, Jan 19, 2006
    #2

  3. T.J.

    John Holmes Guest

    T.J. blabbered in 24hoursupport.helpdesk:

    > I've had 5 or 6 people contact me saying they
    > are receiving virus attacks from me via my email addy.
    >
    > I know this isn't the case, someone has obviously set
    > something up so it looks like me sending them.
    > Is there anything I can do about this? if not
    > directly, does anyone know of a URL I can send
    > people to that explains to them about forged sent from
    > settings?
    > TIA.
    >
    >
    >
    >


    Most likely, your system is infected and it's sending emails without you
    knowing it.

    --
    Your mother was a twisted bag-lady who gave correspondence courses in a
    mental hospital.
    John Holmes, Jan 19, 2006
    #3
  4. T.J.

    Stuiffer Guest

    "T.J." <> wrote in news:dqoe5r$r8b$1
    @nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com:

    > I've had 5 or 6 people contact me saying they
    > are receiving virus attacks from me via my email addy.
    >
    > I know this isn't the case, someone has obviously set
    > something up so it looks like me sending them.
    > Is there anything I can do about this? if not
    > directly, does anyone know of a URL I can send
    > people to that explains to them about forged sent from
    > settings?
    > TIA.
    >


    Nothing to add apart from saying give Avast Antivirus a go. Its free and
    very good.
    Stuiffer, Jan 19, 2006
    #4
  5. T.J.

    T.J. Guest

    "Morgi3" <> wrote in message
    news:...
    > Hi T.J. - it's quite possible that your machine is infected with a
    > virus, and it is "silently" sending these messages from your account,
    > taking advantage of any address book that you have stored on your
    > machine - are you using Microsoft Outlook or Outlook Express?
    >
    > I strongly advise that you check your antivirus protection is on and
    > up-to-date. Perform a whole system scan. It may also be worth
    > downloading and scanning with McAfee Stinger.exe, a free stand alone
    > scanner that can find some of the latest and most common worms and
    > viruses. You can download this from
    > http://us.mcafee.com/virusInfo/default.asp?path=/virusInfo/virusRemoval/Stinger.asp
    >
    > Also, do you have a firewall monitoring your connection at all?
    >
    > I hope this helps,
    >
    >
    > Steve.
    >


    Thanks for the reply,

    I'm using OE but only have very few people in my address book
    (none of those are affected).
    I use Zone Alarm Pro, EzAntivirus 7.0.1.6 (which is updated
    every morning).
    I updated again and ran a full system scan after the first
    person contacted me (which was clean).
    I switched over to a different machine on a different phoneline,
    using a different ISP, but people were still getting them.
    The email address people say they are coming from is only set up
    to receive and not to send.
    T.J., Jan 19, 2006
    #5
  6. T.J.

    Yddap Guest

    In news:dqoi09$98m$-infra.bt.com,
    T.J. <> opined very noisily:
    > "Morgi3" <> wrote in message
    > news:...
    >> Hi T.J. - it's quite possible that your machine is infected with a
    >> virus, and it is "silently" sending these messages from your account,
    >> taking advantage of any address book that you have stored on your
    >> machine - are you using Microsoft Outlook or Outlook Express?
    >>
    >> I strongly advise that you check your antivirus protection is on and
    >> up-to-date. Perform a whole system scan. It may also be worth
    >> downloading and scanning with McAfee Stinger.exe, a free stand alone
    >> scanner that can find some of the latest and most common worms and
    >> viruses. You can download this from
    >> http://us.mcafee.com/virusInfo/default.asp?path=/virusInfo/virusRemoval/Stinger.asp
    >>
    >> Also, do you have a firewall monitoring your connection at all?
    >>
    >> I hope this helps,
    >>
    >>
    >> Steve.
    >>

    >
    > Thanks for the reply,
    >
    > I'm using OE but only have very few people in my address book
    > (none of those are affected)
    > I use Zone Alarm Pro, EzAntivirus 7.0.1.6 (which is updated
    > every morning)
    > I updated again and ran a full system scan after the first
    > person contacted me, which was clean)
    > I switched over to a different machine on a different phoneline,
    > using a different ISP, but people were still getting them.
    > The email address people say they are coming from is only set up
    > to receive and not to send.


    Ask the people who are receiving the emails what IP address they are coming
    from.
    If it is 86.133.36.146 you have trouble; if not, do a lookup on the reported
    IP address
    via http://www.dnsstuff.com/
    --

    Yddap
    Remove guts to reply
    Yddap, Jan 19, 2006
    #6
  7. T.J.

    Dave Lear Guest

    "T.J." wrote in message
    news:dqoe5r$r8b$-infra.bt.com

    > I've had 5 or 6 people contact me saying they
    > are receiving virus attacks from me via my email addy.
    >
    > I know this isn't the case, someone has obviously set
    > something up so it looks like me sending them.
    > Is there anything I can do about this? if not
    > directly, does anyone know of a URL I can send
    > people to that explains to them about forged sent from
    > settings?


    Assuming that you have confirmed that your workstation is *not* actually
    virus-infected by scanning it with an up-to-date virus checker, then the
    most likely cause is not that someone has deliberately set out to send out
    infected emails as you, just that one or more infected workstations are
    sending out infected messages which have a spoofed From header so they
    appear to be from you.

    In its simplest terms...

    User A has an infected workstation

    User A sends User B an infected email, with the From header of the message
    indicating that it was sent by User C

    User B's anti-virus software prevents infection of their workstation

    User B advises User C that they sent them an infected message

    User C checks their workstation and finds it clean

    User C has to persuade User B that they didn't send the infected message and
    that User C's workstation is clean

    In the above scenario, you are User C and the people contacting you are User
    B. As you can see, neither User B nor User C has the problem, it's User A
    with the infected workstation.

    http://www.windowsecurity.com/articles/Email-Spoofing.html
    Dave Lear, Jan 19, 2006
    #7
  8. T.J.

    Mike Easter Guest

    T.J. wrote:
    > I've had 5 or 6 people contact me saying they
    > are receiving virus attacks from me via my email addy.


    Modern day virus propagations *never* use the From address of the
    infected computer -- the From is 'always' forged. Long long ago some
    viruses had the infected's From, but not for a very long time. So, you
    can almost be assured that if someone is receiving virus propagations
    these days with your From, that it isn't coming from your machine.

    For some reason, a great many people don't understand that almost all
    spam and almost all virus propagations are *not* from the From.

    If they want to determine the source of the propagation, they will have
    to evaluate the item's header for the source IP.

    > I know this isn't the case, someone has obviously set
    > something up so it looks like me sending them.


    Let's just say that the mechanism of the infected machine performing the
    propagations has 'chosen' a From, and it happens to be your addy.

    > Is there anything I can do about this?


    Not really. If the recipients in question are able to provide you with
    a set of complete headers you could use those headers to determine the
    real source IP and then you could notify the appropriate provider about
    their infected propagator -- but many providers don't take any action
    about these problems.

    > if not
    > directly, does anyone know of a URL I can send
    > people to that explains to them about forged sent from
    > settings?


    There must be tons.

    --
    Mike Easter
    Mike Easter, Jan 19, 2006
    #8
  9. T.J.

    Mara Guest

    On Thu, 19 Jan 2006 17:24:25 +0000 (UTC), "T.J." <> wrote:


    >Thanks for the reply,
    >
    >I'm using OE but only have very few people in my address book
    >(none of those are affected)


    I wouldn't bet the farm on that. People can be infected and never notice it.

    >I use Zone Alarm Pro, EzAntivirus 7.0.1.6 (which is updated
    >every morning)
    >I updated again and ran a full system scan after the first
    >person contacted me, which was clean)
    > I switched over to a different machine on a different phoneline,
    >using a different ISP, but people were still getting them.


    That's because it's probably not coming from your machine. It's probably coming
    from someone who has or had your address in their address book, and is infected.

    >The email address people say they are coming from is only set up
    >to receive and not to send.


    That's because the malware is probably forging your address into the e-mails. It
    is essential that you, and everyone who is receiving these mails, rescan your
    computers - with more than one AV, including online scanners. This is
    *particularly* true if they are using Norton or McAfee.

    A lot of the newer malware has its own SMTP engine.

    --
    If you think technology can solve your security problems, then you
    don't understand the problems and you don't understand the technology.
    -- Bruce Schneider
    Mara, Jan 19, 2006
    #9
  10. T.J.

    Guest

    Standard practice for me on any new machine is adding dummy entries in
    the address book of OE and even Mozilla Tb. First entry is __NA, where
    N = numeric and A = alpha, plus @domain.etc of course. I also plug it
    up at the very end with another dummy entry, this one following the
    format .

    Don't remember where I got this little trick, but if your system is
    infected, at least the people in your addy books don't get ravaged by
    whatever it is you have, right?

    Hth.
    VP.
    , Jan 19, 2006
    #10
  11. T.J.

    T.J. Guest

    "Dave Lear" <> wrote in message
    news:...
    > "T.J." wrote in message
    > news:dqoe5r$r8b$-infra.bt.com
    >
    >> I've had 5 or 6 people contact me saying they
    >> are receiving virus attacks from me via my email addy.
    >>
    >> I know this isn't the case, someone has obviously set
    >> something up so it looks like me sending them.
    >> Is there anything I can do about this? if not
    >> directly, does anyone know of a URL I can send
    >> people to that explains to them about forged sent from
    >> settings?

    >
    > Assuming that you have confirmed that your workstation is *not* actually
    > virus-infected by scanning it with an up-to-date virus checker, then the
    > most likely cause is not that someone has deliberately set out to send out
    > infected emails as you, just that one or more infected workstations are
    > sending out infected messages which have a spoofed From header so they
    > appear to be from you.
    >
    > In its simplest terms...
    >
    > User A has an infected workstation
    >
    > User A sends User B an infected email, with the From header of the message
    > indicating that it was sent by User C
    >
    > User B's anti-virus software prevents infection of their workstation
    >
    > User B advises User C that they sent them an infected message
    >
    > User C checks their workstation and finds it clean
    >
    > User C has to persuade User B that they didn't send the infected message
    > and that User C's workstation is clean
    >
    > In the above scenario, you are User C and the people contacting you are
    > User B. As you can see, neither User B nor User C has the problem, it's
    > User A with the infected workstation.
    >
    > http://www.windowsecurity.com/articles/Email-Spoofing.html


    Thanks,
    That is the exact scenario I was thinking.
    The problem is convincing B that C isn't causing the
    problem.
    Ideally I don't want the hassle of trying to explain this to them
    I just want to point them to a URL that explains this in
    a very simplified idiot proof way.
    I'll send them to the link you suggested for now, it might be
    over the head of the people contacting me though, are you aware
    of anywhere else that explains it in a really simplified way?
    Thanks again.
    T.J., Jan 19, 2006
    #11
  12. T.J.

    Dave Lear Guest

    "T.J." wrote in message
    news:dqomgp$no3$-infra.bt.com

    > That is the exact scenario I was thinking.
    > The problem is convincing B that C isn't causing the
    > problem.
    > Ideally I don't want the hassle of trying to explain this to them
    > I just want to point them to a URL that explains this in
    > a very simplified idiot proof way.
    > I'll send them to the link you suggested for now, it might be
    > over the head of the people contacting me though, are you aware
    > of anywhere else that explains it in a really simplified way?


    Try them with an analogy using snail-mail...

    User A writes a letter

    User A uses User C's name and address in the letter

    User A posts the letter to User B

    How could User C possibly stop User A posting letters like that and how
    could User B know for certain whether User A or User C sent the letter?
    Dave Lear, Jan 19, 2006
    #12
  13. T.J.

    T.J. Guest

    "Yddap" <> wrote in message
    news:E7Qzf.4031$...
    > In news:dqoi09$98m$-infra.bt.com,
    > T.J. <> opined very noisily:
    >> "Morgi3" <> wrote in message
    >> news:...
    >>> Hi T.J. - it's quite possible that your machine is infected with a
    >>> virus, and it is "silently" sending these messages from your account,
    >>> taking advantage of any address book that you have stored on your
    >>> machine - are you using Microsoft Outlook or Outlook Express?
    >>>
    >>> I strongly advise that you check your antivirus protection is on and
    >>> up-to-date. Perform a whole system scan. It may also be worth
    >>> downloading and scanning with McAfee Stinger.exe, a free stand alone
    >>> scanner that can find some of the latest and most common worms and
    >>> viruses. You can download this from
    >>> http://us.mcafee.com/virusInfo/default.asp?path=/virusInfo/virusRemoval/Stinger.asp
    >>>
    >>> Also, do you have a firewall monitoring your connection at all?
    >>>
    >>> I hope this helps,
    >>>
    >>>
    >>> Steve.
    >>>

    >>
    >> Thanks for the reply,
    >>
    >> I'm using OE but only have very few people in my address book
    >> (none of those are affected)
    >> I use Zone Alarm Pro, EzAntivirus 7.0.1.6 (which is updated
    >> every morning)
    >> I updated again and ran a full system scan after the first
    >> person contacted me, which was clean)
    >> I switched over to a different machine on a different phoneline,
    >> using a different ISP, but people were still getting them.
    >> The email address people say they are coming from is only set up
    >> to receive and not to send.

    >
    > Ask the people who are receiving the emails what IP address they are
    > coming from
    > If it is 86.133.36.146 you have trouble, if not do a lookup on the
    > reported IP address
    > Via http://www.dnsstuff.com/
    > --
    >
    > Yddap
    > Remove guts to reply


    Thanks,
    Just had a message from Mailer Daemon with
    part of the headers.
    I get a message id of sag1.netdanmark.net, which I
    assume is Mailer Daemon's.
    I also get what could be the original sender's IP, which is
    81.31.126.162
    This resolves to an entanet customer (enta.net).
    Is that the best place to tell people to send abuse reports to?
    T.J., Jan 19, 2006
    #13
  14. T.J.

    Steve n Debs Guest

    On Thu, 19 Jan 2006 16:19:07 +0000 (UTC), T.J. wrote:

    > I've had 5 or 6 people contact me saying they
    > are receiving virus attacks from me via my email addy.
    >
    > I know this isn't the case, someone has obviously set
    > something up so it looks like me sending them.
    > Is there anything I can do about this? if not
    > directly, does anyone know of a URL I can send
    > people to that explains to them about forged sent from
    > settings?
    > TIA.


    It's very likely that someone that has *you* in their address book is
    infected. The virus will then send itself out using an address from the
    address book as a *from* address.
    --
    ?follow to hard really thread the makes posting top that aware you Were
    Steve n Debs, Jan 19, 2006
    #14
  15. T.J.

    Mike Easter Guest

    T.J. wrote:

    > Just had a message from Mailer Daemon with
    > part of the headers.
    > I get a message id of sag1.netdanmark.net, which I
    > assume is Mailer Daemon's.
    > I also get what could be the original sender's IP, which is
    > 81.31.126.162
    > This resolves to an entanet customer (enta.net)
    > Is that the best place to tell people to send abuse reports to?


    Making a judgment about the source of an email message on the basis of
    partial headers is fraught with error -- you are presuming the person
    who gave you the partial information has correctly interpreted the
    information before them and gave you a fragment of that information and
    didn't give you the complete headers. Maybe they have identified the
    source IP or maybe they have been fooled by the headers or maybe they
    don't know anything about reading mail headers. Or maybe they were
    looking at the wrong part altogether.

    That IP has quite a lot of mail activity, like a server, and it is one
    of over 200 IPs with sufficient activity to be listed as outputs for
    enta.net.

    In addition, that IP has a visible port 25 and smtp answers as ESMTP
    waste.com -- but that waste.com information doesn't 'compute' - whose
    waste.com MX is something else, ie mailwatch.com

    If I were really trying to be sure about the source of an email, spam or
    virus propagation, I would prefer to look at the complete headers
    myself. That IP isn't listed in any blocklists or seen in any
    sightings.

    --
    Mike Easter
    Mike Easter, Jan 19, 2006
    #15
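
The header check described in posts #8 and #15, as an added example that is not part of the original thread: it walks the `Received` lines of a complete message from the top and accepts only the hop recorded by the recipient's own mail server, since anything below that was written by the sender and can be forged. The host names, addresses, the Postfix-style `Received` layout and the `TRUSTED_RECEIVERS` set are constructed assumptions; the second sample shows why a header fragment alone gives no usable source IP.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a worm-generated message as stored by the recipient's
# mail server. All hosts and addresses are made up (documentation ranges).
RAW_MESSAGE = """\
Received: from pc-17.dialup.example.net (unknown [203.0.113.45])
\tby mx1.recipient.example (Postfix) with SMTP id 4F2A1
\tfor <userb@recipient.example>; Thu, 19 Jan 2006 16:02:11 +0000
Received: from mail.userc.example ([198.51.100.7])
\tby pc-17.dialup.example.net with ESMTP; Thu, 19 Jan 2006 16:01:58 +0000
From: "User C" <userc@userc.example>
To: userb@recipient.example
Subject: Re: your document
Message-ID: <20060119160158.1234@userc.example>

see attached
"""

# Constructed fragment of the kind a bounce or a recipient might pass along:
# the line written by the recipient's own server is missing.
PARTIAL_HEADERS = """\
Received: from mail.userc.example ([198.51.100.7])
\tby pc-17.dialup.example.net with ESMTP; Thu, 19 Jan 2006 16:01:58 +0000
From: "User C" <userc@userc.example>
"""

# Assumption: the servers that receive mail for the recipient. Only Received
# lines stamped by these hosts are trusted; every other line is sender-supplied.
TRUSTED_RECEIVERS = {"mx1.recipient.example"}

# "from <helo> (<rdns> [<ip>]) ... by <host>", as Postfix and similar MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]()]*)\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def trace_origin(raw, trusted_receivers):
    """Return the claimed From address and the last verifiable connecting IP."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])  # newest hop first
    boundary, unverified = None, 0
    for i, value in enumerate(received):
        m = RECEIVED_RE.search(value)
        if not m or m["by"].lower() not in trusted_receivers:
            # From here down, the lines were not written by a trusted server.
            unverified = len(received) - i
            break
        boundary = m  # deepest hop so far that a trusted server recorded
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "origin_ip": boundary["ip"] if boundary else None,
        "origin_helo": boundary["helo"] if boundary else None,
        "unverified_hops": unverified,
    }


if __name__ == "__main__":
    for label, raw in (("complete", RAW_MESSAGE), ("partial", PARTIAL_HEADERS)):
        print(label, trace_origin(raw, TRUSTED_RECEIVERS))
```

In the complete sample the verifiable source is the dial-up host that connected to the recipient's server, while the `From` address and the lower `Received` line both point at User C and prove nothing.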
  16. T.J.

    Mitch Guest

    In article <dqonir$qeh$-infra.bt.com>, T.J.
    <> wrote:

    > Is that the best place to tell people to send abuse reports to?


    If you have a psychological need to.

    What's the point of notifying anyone of a virus sent in e-mail?

    It's not like a virus is NEWS -- and e-mail viruses come from
    EVERYWHERE they hit -- since they propagate from every infection, not
    just the source.

    You need to know who created the virus, not who is spreading it.
    (The spreaders are just Windows users that get it themselves.)
    Mitch, Jan 19, 2006
    #16
  17. T.J.

    T.J. Guest

    "Mitch" <> wrote in message
    news:190120061215058276%...
    > In article <dqonir$qeh$-infra.bt.com>, T.J.
    > <> wrote:
    >
    >> Is that the best place to tell people to send abuse reports to?

    >
    > If you have a psychological need to.
    >
    > What's the point of notifying anyone of a virus sent in e-mail?
    >
    > It's not like a virus is NEWS -- and e-mail viruses come from
    > EVERYWHERE they hit -- since they propagate from every infection, not
    > just the source.
    >
    > You need to know who created the virus, not who is spreading it.
    > (The spreaders are just Windows users that get it themselves.)


    Thanks,
    I personally don't give a hoot where it came from
    I just want to email the people back who are
    accusing me of sending them viruses and try to
    explain to them how things like this work,
    ideally just send them to a URL that does it for me.
    I even had somebody phone me this afternoon
    asking me to stop sending them :eek:(
    T.J., Jan 19, 2006
    #17
  18. T.J.

    Oldus Fartus Guest

    wrote:
    > Standard practice for me on any new machine is adding dummy entries in
    > the address book of OE and even Mozilla Tb. First entry is __NA, where
    > N = numeric and A = alpha, plus @domain.etc of course. I also plug it
    > up at the very end with another dummy entry, this one following the
    > format .
    >
    > Don't remember where I got this little trick, but if your system is
    > infected, at least the people in your addy books don't get ravaged by
    > whatever it is you have, right?
    >
    > Hth.
    > VP.
    >


    Wrong. It is one of those little hints which has been circulating for
    years, but achieves absolutely nothing.

    Why would you think it would work?

    --
    Cheers
    Oldus Fartus
    Oldus Fartus, Jan 19, 2006
    #18
  19. T.J. wrote:

    > I even had somebody phone me this afternoon
    > asking me to stop sending them :eek:(


    How did they get your phone number?

    --
    -bts
    -Warning: I brake for lawn deer
    Beauregard T. Shagnasty, Jan 19, 2006
    #19
  20. T.J.

    Dan Evans Guest

    "John Holmes" <> wrote in message
    news:...
    >
    >
    > T.J. blabbered in 24hoursupport.helpdesk:
    >
    >> I've had 5 or 6 people contact me saying they
    >> are receiving virus attacks from me via my email addy.
    >>
    >> I know this isn't the case, someone has obviously set
    >> something up so it looks like me sending them.
    >> Is there anything I can do about this? if not
    >> directly, does anyone know of a URL I can send
    >> people to that explains to them about forged sent from
    >> settings?
    >> TIA.
    >>
    >>
    >>
    >>

    >
    > Most likely, your system is infected and it's sending emails without you
    > knowing it.


    No, it's most likely that an infected computer is raiding the address book
    and using addresses it finds to set the "from" line as well as the "to"
    line - as has been common for a while now.

    Dan







    Dan Evans, Jan 20, 2006
    #20