Spam zombie?

Discussion in 'Computer Security' started by Marrick, Oct 3, 2006.

  1. Marrick

    Marrick Guest

    Hi.

    I think my PC has become a 'spam zombie' as I'm getting a lot of
    'undelivered' emails that I haven't sent returned to my inbox - blocked
    and bounced back by other people's spam filters. They are sent using my
    email account, but with a random 3 or 4 letter prefix: e.g:
    wjkq@******.*****.

    I run Norton firewall and Avast Home Edition. I've done 2 full system
    checks with Avast which has found nothing.

    Any advice appreciated. Would changing my email account help?

    Many thanks

    Marrick
     
    Marrick, Oct 3, 2006
    #1

  2. Marrick wrote:

    > I think my PC has become a 'spam zombie' as I'm getting a lot of
    > 'undelivered' emails that I haven't sent returned to my inbox - blocked
    > and bounced back by other people's spam filters.


    Think again. This happens to uninfected machines as well.

    > They are sent using my email account, but with a random 3 or 4 letter
    > prefix: e.g: wjkq@******.*****.


    Then it's even clearer that your mail address has been faked and that's why
    you get the bounces.

    > I run Norton firewall and Avast Home Edition. I've done 2 full system
    > checks with Avast which has found nothing.


    It didn't even find your Norton "firewall"? Very bad.

    > Any advice appreciated. Would changing my email account help?


    No. Once you decide to use the communication media E-Mail to communicate,
    you have to expect unsolicited communication as well. Better get a spam
    filter.
     
    Sebastian Gottschalk, Oct 3, 2006
    #2

  3. "Marrick" <> wrote in message
    news:...
    > Hi.
    >
    > I think my PC has become a 'spam zombie' as I'm getting a lot of
    > 'undelivered' emails that I haven't sent returned to my inbox - blocked
    > and bounced back by other people's spam filters. They are sent using my
    > email account, but with a random 3 or 4 letter prefix: e.g:
    > wjkq@******.*****.


    It is probably not your machine that is the problem.

    Spammers have found a way to fake the return address in the e-mails they
    send. Those which cannot be delivered, either from being sent to a
    non-existent address or from being rejected by the receiver's spam filter, are
    bounced back. Because your address is in the 'sender' field, you get them.

    I have a hobby domain name, and recently I started getting a flood of
    rejected e-mails which look like they were sent from my domain. However,
    this is not possible since my domain does not have a mail server or client
    to send them, and I know my (linux) server has not been compromised.

    There is probably a way to trace the source of these, but as soon as you
    find the offending isp/client they will simply move somewhere else.

    Stuart
     
    Stuart Miller, Oct 3, 2006
    #3
  4. Marrick

    Marrick Guest

    Thank you both. I am reassured.

    I do have a spam filter - but only a free one (K9) that dumps the spam
    after downloading. I got over 30 spams yesterday. I think it might be
    worth me changing my account - it would, at least, mean that it'd take
    a while before the volume got back up to this level.

    Thanks again

    Marrick
     
    Marrick, Oct 3, 2006
    #4
  5. Admins Guest

    On 3 Oct 2006 01:25:54 -0700, Marrick wrote:

    > Hi.
    >
    > I think my PC has become a 'spam zombie' as I'm getting a lot of
    > 'undelivered' emails that I haven't sent returned to my inbox - blocked
    > and bounced back by other people's spam filters. They are sent using my
    > email account, but with a random 3 or 4 letter prefix: e.g:
    > wjkq@******.*****.
    >
    > I run Norton firewall and Avast Home Edition. I've done 2 full system
    > checks with Avast which has found nothing.
    >
    > Any advice appreciated. Would changing my email account help?
    >
    > Many thanks
    >
    > Marrick


    Just to be on the safe side, run Ad-Aware and check for spyware and then
    install SpywareBlaster. The latter helps by keeping spyware from
    installing in the first place; both are free and in our software section.

    Regards
    --
    Admin


    * www.privacyoffshore.net (No Logs Internet Surfing)
    * Anonymous Secure Offshore SSH-2 Surfing Tunnels
     
    Admins, Oct 3, 2006
    #5
  6. Moe Trin Guest

    On 3 Oct 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, Marrick wrote:

    >I think my PC has become a 'spam zombie' as I'm getting a lot of
    >'undelivered' emails that I haven't sent returned to my inbox - blocked
    >and bounced back by other people's spam filters.


    It's amazing how many st00pid mail servers accept ALL mail whether or
    not the recipient exists, and later do tests and try to send back anything
    they don't like - such as mail for non-existent users they shouldn't have
    accepted in the first place. As the "From:" address is almost always faked
    or spoofed, this causes the misconfigured mail server to become an agent
    of the spammer, distributing the spam for them.

    >They are sent using my email account, but with a random 3 or 4 letter
    >prefix: e.g: wjkq@******.*****.


    Look at the _headers_ of the returned mail, NOT the "To:" or "From:" stuff
    that is usually faked. The headers you want to study are those that tell
    how the mail was received and from whom.

    Received: from sheffield.ac.uk ([218.10.6.200])
    by mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045
    for <>; Sat, 23 Sep 2006 15:42:28 -0700
    Received: from 89.173.30.207 by smtp.orion.ufrgs.br;
    Sat, 23 Sep 2006 22:43:01 +0000
    Received: from unknown (mengile.co.rp [124.31.84.11])
    by smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900

    You are tracing _back_ from the top. This mail was received by my mail
    server, from a host that _claimed_ to be called sheffield.ac.uk (not
    likely, as that is a domain name, not a host) but the IP address used
    (218.10.6.200) is in Northeastern China (Heilongjiang province) and as
    is typical the ISP doesn't know how to run a name server. I can trust
    this information, because it was put here by my mail server.

    The second received line is quite obviously faked. The IP address is in
    Slovakia, but the host supposedly has a Brazilian name. The proof that
    the information is faked is "how did the mail get from either of these
    places to the computer that delivered it to me from Northeastern China?"
    There is no line indicating it got there. The third received line has
    several errors - there are no '.rp' or '.tu' top-level domains, the 124.31.x.x
    address block has not been assigned by APNIC (the responsible RIR), and
    the timestamp is ludicrous. The other dumb question to ask is why the
    mail would have been sent from the "124.31.84.11" host (an Asian address
    range) to "89.173.30.207" in Europe, then back to 218.10.6.200 in China
    before being sent to me in North America. Is the spammer getting
    "Frequent Flyer Miles" for this?

    You should look at the "Received:" headers inside the "returned" mail.
    Did the mail originate on your ISP? You are posting from 84.64.236.97
    which is in a block assigned to Energis UK (84.64.0.0 - 84.71.255.255).
    If the mail headers don't show this, then someone harvested your name
    and address and is using it to shift the blame (fairly common).

    >I run Norton firewall and Avast Home Edition. I've done 2 full system
    >checks with Avast which has found nothing.


    Yeah, but you are also running windoze - at least you aren't using
    Internet Exploiter, but windoze doesn't have the greatest security
    reputation - hence the vast number of anti-mal-ware programs.

    >Any advice appreciated. Would changing my email account help?


    Several years ago, we used to use "firstname_last-initial" for usernames
    and a random character generator to create the initial password for the
    account. Now, I'm using the random character generator to create usernames
    and telling the users to NOT publish those names on the Internet. The big
    problem is having others be able to remember that my email address is

    [compton ~]$ head -2 /dev/random | mimencode | head -1
    djqFVsLMbI/tX32Z617KYtvraOI2P0+35DuHrtp++hLt4kitSPduWdFqBqSzVoo8oXGglbcw
    [compton ~]$



    Yeah, that's me.

    Old guy
     
    Moe Trin, Oct 3, 2006
    #6
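    As an added example (not part of the original thread, and not Moe Trin's
    own tooling), the Python script below walks a bounce's "Received:" chain
    the way the post describes: top down, checking whether each hop's "by"
    host is the host the hop above claims to have received from, whether the
    timestamps run in the right direction, and whether any hop falls inside
    the poster's own ISP block (84.64.0.0/13, the Energis UK range quoted in
    the post). The sample message is constructed from the three Received:
    lines quoted above; the recipient address, the From: line and the
    five-minute clock-skew allowance are assumptions.

```python
import email
import email.policy
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample bounce: the Received: lines are the ones quoted in the
# post; recipient, From: and Subject: are placeholders (assumptions).
SAMPLE_BOUNCE = (
    "Received: from sheffield.ac.uk ([218.10.6.200])\n"
    "\tby mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045\n"
    "\tfor <recipient@example.invalid>; Sat, 23 Sep 2006 15:42:28 -0700\n"
    "Received: from 89.173.30.207 by smtp.orion.ufrgs.br;\n"
    "\tSat, 23 Sep 2006 22:43:01 +0000\n"
    "Received: from unknown (mengile.co.rp [124.31.84.11])\n"
    "\tby smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900\n"
    "From: wjkq@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample\n"
    "\n"
    "(body omitted)\n"
)

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DATE_RE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Z][a-z]{2}"
                     r"\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}")


@dataclass
class Hop:
    text: str             # whitespace-normalised Received: value
    from_host: str        # host the sender *claimed* in HELO / reverse lookup
    from_names: List[str]  # names and addresses the receiving server noted in ()
    ips: List[str]        # every valid IPv4 literal found in the hop
    by_host: str          # server that wrote this line (trustworthy only for hop 0)
    date: Optional[datetime]


def _valid_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_hops(raw_message: str) -> List[Hop]:
    """Return Received: hops in header order: index 0 is the last, most trusted hop."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()
        m_from, m_by, m_date = FROM_RE.search(text), BY_RE.search(text), DATE_RE.search(text)
        names = re.findall(r"[\w.-]+", m_from.group(2)) if m_from and m_from.group(2) else []
        hops.append(Hop(
            text=text,
            from_host=m_from.group(1) if m_from else "",
            from_names=names,
            ips=[ip for ip in IP_RE.findall(text) if _valid_ip(ip)],
            by_host=m_by.group(1) if m_by else "",
            date=parsedate_to_datetime(m_date.group(0)) if m_date else None,
        ))
    return hops


def broken_links(hops: List[Hop]) -> List[int]:
    """Indices i where hop i+1's 'by' server is not the host hop i says it received from.
    A missing link means nothing shows how the mail reached the upper server."""
    broken = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        claimed = {upper.from_host.lower(), *(n.lower() for n in upper.from_names), *upper.ips}
        if lower.by_host.lower() not in claimed:
            broken.append(i)
    return broken


def time_anomalies(hops: List[Hop], skew: timedelta = timedelta(minutes=5)) -> List[int]:
    """Indices i where the earlier hop (i+1) is stamped later than hop i by more than skew."""
    return [i for i in range(len(hops) - 1)
            if hops[i].date and hops[i + 1].date and hops[i + 1].date > hops[i].date + skew]


def originated_in(hops: List[Hop], cidr: str) -> bool:
    """True if any hop carries an address inside cidr (e.g. your own ISP's block)."""
    net = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_address(ip) in net for hop in hops for ip in hop.ips)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_BOUNCE)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h.from_host} {h.ips} by {h.by_host} at {h.date}")
    print("broken links after hops:", broken_links(hops))
    print("timestamp anomalies after hops:", time_anomalies(hops))
    print("any hop in my ISP block 84.64.0.0/13:", originated_in(hops, "84.64.0.0/13"))
```

    Only hop 0 was written by your own server, so only its IP address is
    evidence; the lower hops are whatever the sender chose to put there, and
    the checks above simply show where their story stops adding up. The
    last check is the one Marrick did by hand later in the thread: if the
    poster's own ISP block never appears, the mail did not leave his machine.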
  7. From: "Marrick" <>

    | Hi.
    |
    | I think my PC has become a 'spam zombie' as I'm getting a lot of
    | 'undelivered' emails that I haven't sent returned to my inbox - blocked
    | and bounced back by other people's spam filters. They are sent using my
    | email account, but with a random 3 or 4 letter prefix: e.g:
    | wjkq@******.*****.
    |
    | I run Norton firewall and Avast Home Edition. I've done 2 full system
    | checks with Avast which has found nothing.
    |
    | Any advice appreciated. Would changing my email account help?
    |
    | Many thanks
    |
    | Marrick


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file. http://www.ik-cs.com/multi-av.htm

    Additional Instructions:
    http://pcdid.com/Multi_AV.htm


    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 3, 2006
    #7
  8. Marrick wrote:

    > Thank you both. I am reassured.
    >
    > I do have a spam filter - but only a free one (K9) that dumps the spam
    > after downloading.


    What's wrong with free spam filters? All Bayesian-based ones are the best, with
    quality only differing in processing speed; and guess what? The free ones,
    K9 and the Mozilla Mail/Thunderbird internal ones, are the fastest as well.

    Well, one could not start discussing that a filter integrated into the MUA
    is much easier to handle...

    > I got over 30 spams yesterday. I think it might be worth me changing my
    > account


    Because of such a little bit of spam?
     
    Sebastian Gottschalk, Oct 3, 2006
    #8
  9. Admins wrote:

    > Just to be on the safe side, run adaware and check for spyware and then
    > install SpywareBlaster. The latter helps by keeping spyware from
    > installing in the first place


    What nonsense.
     
    Sebastian Gottschalk, Oct 3, 2006
    #9
  10. Marrick

    Marrick Guest

    Moe Trin wrote:

    > You should look at the "Received:" headers inside the "returned" mail.
    > Did the mail originate on your ISP? You are posting from 84.64.236.97
    > which is in a block assigned to Energis UK (84.64.0.0 - 84.71.255.255).
    > If the mail headers don't show this, then someone harvested your name
    > and address and are using it to shift the blame (fairly common).
    >


    Thanks for that. No, 84.64.236.97 doesn't appear in them. So my machine
    is OK!

    Really do appreciate the time and effort you guys put in to help.

    Marrick
     
    Marrick, Oct 4, 2006
    #10
  11. Marrick

    Marrick Guest

    David H. Lipman wrote:

    >
    > * * * Please report back your results * * *
    >
    >

    Thanks Dave. In view of the other posts which indicate that my PC is
    OK, I won't be doing this just now. But I have saved your post for
    future reference. Many thanks for your help and effort.

    Marrick
     
    Marrick, Oct 4, 2006
    #11
  12. From: "Marrick" <>


    | Thanks Dave. In view of the other posts which indicate that my PC is
    | OK, I won't be doing this just now. But I have saved your post for
    | future reference. Many thanks for your help and effort.
    |
    | Marrick

    Give it a shot. You never know what the AV modules in the Multi AV Scanning Tool might find
    that Avast missed. That's why I include four different AV scanners in my tool.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Oct 4, 2006
    #12
  13. Melic Guest

    On Tue, 03 Oct 2006 10:31:12 +0100, Sebastian Gottschalk <>
    wrote:

    > Marrick wrote:
    >
    >> I think my PC has become a 'spam zombie' as I'm getting a lot of
    >> 'undelivered' emails that I haven't sent returned to my inbox - blocked
    >> and bounced back by other people's spam filters.


    It happened to my webmail: some spammer fakes your email address and it
    gets bounced to you when undelivered.

    My spam filter did not get all those bounces to the spam folder but did
    catch most of it.

    I would say not much to worry about.
     
    Melic, Oct 4, 2006
    #13
  14. none Guest

    They are most likely spoofs.
     
    none, Oct 11, 2006
    #14
  15. none Guest

    If you get too much spam, use a Yahoo account; that puts them in a junk
    folder, then just delete the lot, easy.
    Use your private email address only for trusted users.
    I never get any spam because I use Yahoo for general use and a private
    email account.
    All the spam goes to Yahoo or Gmail or Hotmail or whatever.
     
    none, Oct 11, 2006
    #15