Spam zombie?

Discussion in 'Computer Security' started by Marrick, Oct 3, 2006.

  1. Marrick

    Marrick Guest

    Hi.

    I think my PC has become a 'spam zombie' as I'm getting a lot of
    'undelivered' emails that I haven't sent returned to my inbox - blocked
    and bounced back by other people's spam filters. They are sent using my
    email account, but with a random 3 or 4 letter prefix: e.g:
    [email protected]******.*****.

    I run Norton firewall and Avast Home Edition. I've done 2 full system
    checks with Avast which has found nothing.

    Any advice appreciated. Would changing my email account help?

    Many thanks

    Marrick
     
    Marrick, Oct 3, 2006
    #1

  2. Think again. This happens to uninfected machines as well.
    Then it's even clearer that your mail address has been faked and that's why
    you get the bounces.
    It didn't even find your Norton "firewall"? Very bad.
    No. Once you decide to use the communication medium e-mail to communicate,
    you have to expect unsolicited communication as well. Better get a spam
    filter.
     
    Sebastian Gottschalk, Oct 3, 2006
    #2

  3. It is probably not your machine that is the problem.

    Spammers have found a way to fake the return address in the e-mails they
    send. Those which cannot be delivered, either from being sent to a
    non-existent address, or from being rejected by the receiver's spam filter, are
    bounced back. Because your address is in the 'sender' field, you get them.

    I have a hobby domain name, and recently I started getting a flood of
    rejected e-mails which look like they were sent from my domain. However,
    this is not possible since my domain does not have a mail server or client
    to send them, and I know my (linux) server has not been compromised.

    There is probably a way to trace the source of these, but as soon as you
    find the offending isp/client they will simply move somewhere else.

    Stuart
     
    Stuart Miller, Oct 3, 2006
    #3
  4. Marrick

    Marrick Guest

    Thank you both. I am reassured.

    I do have a spam filter - but only a free one (K9) that dumps the spam
    after downloading. I got over 30 spams yesterday. I think it might be
    worth me changing my account - it would, at least, mean that it'd take
    a while before the volume got back up to this level.

    Thanks again

    Marrick
     
    Marrick, Oct 3, 2006
    #4
  5. Admins

    Admins Guest

    Just to be on the safe side, run Ad-Aware and check for spyware and then
    install SpywareBlaster. The latter helps by keeping spyware from
    installing in the first place. Both are free and in our software section.

    Regards
    --
    Admin


    * www.privacyoffshore.net (No Logs Internet Surfing)
    * Anonymous Secure Offshore SSH-2 Surfing Tunnels
     
    Admins, Oct 3, 2006
    #5
  6. Moe Trin

    Moe Trin Guest

    On 3 Oct 2006, in the Usenet newsgroup alt.computer.security, in article
    It's amazing how many st00pid mail servers accept ALL mail whether or
    not the recipient exists, and later do tests and try to send back anything
    they don't like - such as mail for non-existent users they shouldn't have
    accepted in the first place. As the "From:" address is almost always faked
    or spoofed, this causes the misconfigured mail server to become an agent
    of the spammer, distributing the spam for them.
    Look at the _headers_ of the returned mail, NOT the "To:" or "From:" stuff
    that is usually faked. The headers you want to study are those that tell
    how the mail was received and from whom.

    Received: from sheffield.ac.uk ([218.10.6.200])
    by mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045
    for <>; Sat, 23 Sep 2006 15:42:28 -0700
    Received: from 89.173.30.207 by smtp.orion.ufrgs.br;
    Sat, 23 Sep 2006 22:43:01 +0000
    Received: from unknown (mengile.co.rp [124.31.84.11])
    by smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900

    You are tracing _back_ from the top. This mail was received by my mail
    server, from a host that _claimed_ to be called sheffield.ac.uk (not
    likely, as that is a domain name, not a host) but the IP address used
    (218.10.6.200) is in Northeastern China (Heilongjiang province) and as
    is typical the ISP doesn't know how to run a name server. I can trust
    this information, because it was put here by my mail server.

    The second received line is quite obviously faked. The IP address is in
    Slovakia, but the host supposedly has a Brazilian name. The proof that
    the information is faked is "how did the mail get from either of these
    places to the computer that delivered it to me from Northeastern China?"
    There is no line indicating it got there. The third received line has
    several errors - there are no '.rp' or '.tu' top-level domains, the 124.31.x.x
    address block has not been assigned by APNIC (the responsible RIR), and
    the timestamp is ludicrous. The other dumb question to ask is why the
    mail would have been sent from the "124.31.84.11" host (an Asian address
    range) to "89.173.30.207" in Europe, then back to 218.10.6.200 in China
    before being sent to me in North America. Is the spammer getting
    "Frequent Flyer Miles" for this?

    You should look at the "Received:" headers inside the "returned" mail.
    Did the mail originate on your ISP? You are posting from 84.64.236.97
    which is in a block assigned to Energis UK (84.64.0.0 - 84.71.255.255).
    If the mail headers don't show this, then someone harvested your name
    and address and is using it to shift the blame (fairly common).
    Yeah, but you are also running windoze - at least you aren't using
    Internet Exploiter, but windoze doesn't have the greatest security
    reputation - hence the vast number of anti-mal-ware programs.
    Several years ago, we used to use "firstname_last-initial" for usernames
    and a random character generator to create the initial password for the
    account. Now, I'm using the random character generator to create usernames
    and telling the users to NOT publish those names on the Internet. The big
    problem is having others be able to remember that my email address is

    [compton ~]$ head -2 /dev/random | mimencode | head -1
    djqFVsLMbI/tX32Z617KYtvraOI2P0+35DuHrtp++hLt4kitSPduWdFqBqSzVoo8oXGglbcw
    [compton ~]$
    Yeah, that's me.

    Old guy
     
    Moe Trin, Oct 3, 2006
    #6
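The header check Moe Trin describes (walk the "Received:" chain from the top, pull out the claimed host and the literal IP of each hop, then ask whether any hop falls inside your own ISP's block) can be scripted. This is an added example, not code from the thread or from any poster; the sample headers are a constructed copy of the three lines quoted above, and the 84.64.0.0/13 network is the Energis UK range (84.64.0.0 - 84.71.255.255) mentioned in the post.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: the three Received: lines quoted in the thread,
# re-typed with RFC 5322 folding (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from sheffield.ac.uk ([218.10.6.200])
 by mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045
 for <>; Sat, 23 Sep 2006 15:42:28 -0700
Received: from 89.173.30.207 by smtp.orion.ufrgs.br;
 Sat, 23 Sep 2006 22:43:01 +0000
Received: from unknown (mengile.co.rp [124.31.84.11])
 by smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> List[str]:
    """Join folded header continuation lines so each header is one string."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """One dict per Received: header, top-most (closest to you) first.
    'claimed' is the name the peer announced, 'ip' the first literal address in
    the 'from' clause, 'by' the server that wrote the header. Only the hop written
    by your own server can be trusted; everything below it may be forged."""
    hops: List[Dict[str, Optional[str]]] = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m = re.match(r"from\s+(\S+)(.*?)\bby\s+(\S+)", h[len("received:"):].strip(), re.S)
        if not m:
            continue
        claimed, rest, by = m.group(1), m.group(2), m.group(3).rstrip(";")
        ip_m = IPV4.search(rest) or IPV4.search(claimed)
        hops.append({"claimed": claimed, "ip": ip_m.group(1) if ip_m else None, "by": by})
    return hops


def originated_in(raw: str, network: str) -> bool:
    """True if any hop's IP lies inside `network` (e.g. your ISP's block)."""
    net = ipaddress.ip_network(network)
    return any(h["ip"] is not None and ipaddress.ip_address(h["ip"]) in net
               for h in received_hops(raw))
```

For the sample chain `originated_in(SAMPLE_HEADERS, "84.64.0.0/13")` is False, which is the "my machine is not the source" conclusion Marrick reaches later in the thread.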
  7. From: "Marrick" <>

    | Hi.
    |
    | I think my PC has become a 'spam zombie' as I'm getting a lot of
    | 'undelivered' emails that I haven't sent returned to my inbox - blocked
    | and bounced back by other people's spam filters. They are sent using my
    | email account, but with a random 3 or 4 letter prefix: e.g:
    | [email protected]******.*****.
    |
    | I run Norton firewall and Avast Home Edition. I've done 2 full system
    | checks with Avast which has found nothing.
    |
    | Any advice appreciated. Would changing my email account help?
    |
    | Many thanks
    |
    | Marrick


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file. http://www.ik-cs.com/multi-av.htm

    Additional Instructions:
    http://pcdid.com/Multi_AV.htm


    * * * Please report back your results * * *
     
    David H. Lipman, Oct 3, 2006
    #7
  8. What's wrong with free spam filters? All Bayesian-based ones are the best, with
    qualities only differing in processing speed; and guess what? The free ones,
    K9 and the Mozilla Mail/Thunderbird internal ones, are the fastest as well.

    Well, one could not start discussing that a filter integrated into the MUA
    is much easier to handle...
    Because of such a little bit spam?
     
    Sebastian Gottschalk, Oct 3, 2006
    #8
  9. What a nonsense.
     
    Sebastian Gottschalk, Oct 3, 2006
    #9
  10. Marrick

    Marrick Guest

    Thanks for that. No, 84.64.236.97 doesn't appear in them. So my machine
    is OK!

    Really do appreciate the time and effort you guys put in to help.

    Marrick
     
    Marrick, Oct 4, 2006
    #10
  11. Marrick

    Marrick Guest

    Thanks Dave. In view of the other posts which indicate that my PC is
    OK, I won't be doing this just now. But I have saved your post for
    future reference. Many thanks for your help and effort.

    Marrick
     
    Marrick, Oct 4, 2006
    #11
  12. From: "Marrick" <>


    | Thanks Dave. In view of the other posts which indicate that my PC is
    | OK, I won't be doing this just now. But I have saved your post for
    | future reference. Many thanks for your help and effort.
    |
    | Marrick

    Give it a shot. You never know what the AV modules in the Multi AV Scanning Tool might find
    that Avast missed. That's why I include four different AV scanners in my tool.
     
    David H. Lipman, Oct 4, 2006
    #12
  13. Melic

    Melic Guest

    It happened to my webmail, some spammer fakes your email address and it
    gets bounced to you when undelivered.

    My spam filter did not get all those bounces to the spam folder but did
    catch most of it.

    I would say not much to worry about.
     
    Melic, Oct 4, 2006
    #13
  14. none

    none Guest

    They are most likely spoofs.
     
    none, Oct 11, 2006
    #14
  15. none

    none Guest

    If you get too much spam, use a Yahoo account; that puts them in a junk
    folder, then just delete the lot, easy.
    Use your private email address only for trusted users.
    I never get any spam because I use Yahoo for general use and a private
    email account.
    All the spam goes to Yahoo or Gmail or Hotmail or whatever.
     
    none, Oct 11, 2006
    #15