User's Outlook sends out emails that she claims to have never sent

Discussion in 'Computer Support' started by Jazz, Mar 12, 2008.

  1. Jazz

    Jazz Guest

    One of my users got a reply from another user to an email she claims
    to have never sent...

    We use Outlook 2007 on an Exchange 2003 server.

    One of the two messages sent this week went like this:

    --------
    Today is International Disturbed People's Day

    Please send an encouraging message to a disturbed friend... just as
    I've done.

    I don't care if you lick windows,
    take the special bus
    or occasionally pee on yourself..
    You hang in there sunshine, you're friggin' special.


    Every sixty seconds you spend angry, upset or mad, is a full
    minute of happiness you'll never get back.

    -------

    And so on. Full of funny photos, encouraging words, and moving GIFs...
    the kind of stuff your mom sends you every other day.

    So it wasn't bad, but it did go to 7 or 8 internal users and 3 external
    users in her address book in Outlook.

    She swears up and down that she did not send it, and I believe her,
    short of her having short term memory loss, which I haven't ruled out.

    She also claims no one has used her computer all week other than her
    (I did catch her daughter using it a month or so ago playing online
    games). I have a hard time believing that if someone maliciously snuck
    on to her computer that they would send silly, innocent, clean
    forwards like the one above. Albeit, annoying.

    She claims to have not downloaded or installed anything new. I took a
    gander at her system and it does, indeed, look pretty clean.

    The headers are blank when I pull it from her sent items. When I pull
    the headers of it from a user that received the message, it shows that
    it did, indeed, originate on my network.

    I updated her Virus scan and did a full system scan... nothing.

    One odd thing is that at the very bottom of one of these mystery
    emails, was the following:

    ------

    This email may contain confidential protected health information and/
    or attorney privileged information. If received in error, see our
    Privacy Statement at http://www.brookdaleliving.com/brookdale2004/internaldefault.aspx?tabid=799
    Be a better friend, newshound, and know-it-all with Yahoo! Mobile.
    Try it now.
    -----
    The other one had an AOL ad at the bottom. Making me assume she didn't
    create this email by hand.
    It could have been FORWARDED by her, but the headers didn't show that
    she was forwarding it, more like she created it on her own computer
    (with the exception of the footer above)

    ANY ideas are appreciated in advance. Any software I should try,
    recommend it please.
    Jazz Mann
     
    Jazz, Mar 12, 2008
    #1

  2. Jazz

    Meat Plow Guest

    Spammers use lots of different tactics. Compare the full header between
    email known to actually come from her pc and the suspected email.

    --
    #1 Offishul Ruiner of Usenet, March 2007
    #1 Usenet Asshole, March 2007
    #1 Bartlo Pset, March 13-24 2007
    #10 Most hated Usenetizen of all time
    Pierre Salinger Memorial Hook, Line & Sinker, June 2004
    COOSN-266-06-25794
     
    Meat Plow, Mar 12, 2008
    #2

  3. Jazz

    Mike Easter Guest

    What does that (headers are blank) mean/say. You did or you did not
    find it - the items - in her specific OL sent?
    Can you tell the difference between whether or not it - the header
    inspected item - sourced from her specific computer or if it came from
    someone else on the same network forging her From? Doesn't each
    computer on the network call itself a name when it engages the
    mailserver?

    Do you access the server logs?
     
    Mike Easter, Mar 12, 2008
    #3
  4. Jazz

    PeeCee Guest



    Jazz

    My reading of it is you'd better start running all the anti
    Virus/Spyware/Malware/Trojan... software you can lay your hands on.
    Making sure all your PCs are up to date with OS patches too.

    It sounds just like the sort of Nasty that was common a couple of years ago
    where an infected email was opened by the unsuspecting user and it sent
    emails using its own smtp engine but with information gleaned from the
    user's PC.

    Best
    Paul.
     
    PeeCee, Mar 12, 2008
    #4
  5. Jazz

    Whiskers Guest

    Blank headers sounds odd to me; does her email software (or your mail
    server) normally allocate at least some headers that appear in "her sent
    items"?

    Is "her sent items" a file or directory on the computer she uses, or is it
    on your "Exchange 2003 server"? If the latter, then that's the place to
    look for intrusions or user misbehaviour.

    At the very least I'd suggest making sure that she is given a new password
    for access to the computer she uses, and a different new one for sending
    emails.

    Putting someone else's user-name and email address into the From header of
    an email, is trivial, and a common spammer trick, and doesn't require any
    physical or electronic access to that person's system. But I don't think
    that's what you've found in this case.
     
    Whiskers, Mar 12, 2008
    #5
  6. Jazz

    ded Guest

    snip
    You don't believe her do you, nor do I.

    One of 3 possibilities:

    a) She is a liar and she did use OL on the exchange to send the
    spam emails.

    b) Your setup is infected with a mailbot.

    c) Spammers have been known to use genuine email addresses for
    spamming, just randomly picked in an attempt to fool filters etc.
    But as others have pointed out the headers would discern if they did
    originate from within your setup on Exchange server. Though that
    would be a remarkable coincidence that spammers in China or
    Rumania or wherever, plucked one email address to insert in the
    from field and by fluke happened to mailbomb other users on the
    same exchange server?

    I would opt for: a) She is a liar, she did send them, she is in breach
    of company policy and she should be sentenced to 999 years in the
    State pen.
     
    ded, Mar 12, 2008
    #6
  7. Jazz

    Jazz Guest

    LOL, good answers...
    I considered a)
    But I allow users to send personal emails at work. And I would have
    never found out about the email had she not told me "Hey, people are
    getting emails from me that I never sent." so I am canceling out your
    option A.

    As for B, that's the only possible solution, yet I have an updated
    SonicWall firewall, every computer has up to date McAfee virus
    protection that is pulled from the SonicWall. Virus scan ran, nothing
    found. It checks for spyware and adware too.

    Can't be C, her headers, when sent to the outside, match our server and
    IP address information.
    When sent internally, our headers are blank (because the email isn't
    passing from server to server, just goes straight from one internal
    mailbox to the other). Plus, the item was found in her sent items...
    which means her computer did send it.

    I can believe that it is the result of a virus, but does a virus exist
    that actually opens up a user's Outlook, composes an email, and sends
    it out? I know they can make up header and FROM information, but
    nothing was made up in this case.
     
    Jazz, Mar 13, 2008
    #7
  8. Jazz

    Jazz Guest

    To cover my bases, I ran the updated and latest version of Adaware on the
    exchange server and I ran HijackThis. Clean as ever.
    I'll run them on the user's machine as well.
     
    Jazz, Mar 13, 2008
    #8
  9. Ah, there's a clue.
    I personally have never heard of a mass-mailing worm or virus that
    placed copies of the dirty deed in the user's actual Sent mailbox. Just
    about every mail worm released in this century uses its own internal
    SMTP engine, and completely bypasses the user's mail client.

    And while there are zillions of Windows Worms that target Outlook
    Express, are there really any that target Outlook?

    Please trim and don't top-post; thanks for your consideration.
    http://oakroadsystems.com/genl/unice.htm#upside
     
    Beauregard T. Shagnasty, Mar 13, 2008
    #9
  10. Jazz

    Jazz Guest

    BTW, cute signature... I can still buy XPs till June for work :)
     
    Jazz, Mar 13, 2008
    #10
  11. Jazz

    Jazz Guest

    Ran HijackThis on the user's machine. Google toolbar was the worst thing I
    found.

    Adaware = nothing but innocent cookies, which I deleted
     
    Jazz, Mar 13, 2008
    #11
  12. That's nice, but has little to do with the rest of my post.

    So have you decided yet that the woman actually sent the email, and that
    there is nothing amiss in your mail system?

    And...
    ...did you read this link?
     
    Beauregard T. Shagnasty, Mar 13, 2008
    #12
  13. Jazz

    Jazz Guest

    In my Active Directory, under this user's properties, security tab, I
    wanted to check if anyone else had permissions to use this account.
    All looks normal except the "Everyone" group has one and only one
    allowed permission... "Change password"

    which, I thought was odd.

    I checked some of my other 150 users. Most have that "allowed" but a
    handful have this denied...
    connection?
     
    Jazz, Mar 13, 2008
    #13
  14. Jazz

    Jazz Guest

    No, and yet the world keeps on turning... amazing eh? ;)
     
    Jazz, Mar 13, 2008
    #14
  15. Jazz

    Jordon Guest

    Worse than that. Some viruses can open your address book and
    send email to people in the address book AND make it look
    like it's coming from someone else in the address book. So
    your friend's computer might not be infected at all, but a
    friend of your friend's computer might.
     
    Jordon, Mar 13, 2008
    #15
  16. Jazz

    Jazz Guest

    That's what I am starting to think. But what's scary is she had another
    one go out this morning, but the two people it was sent to were
    internal addresses, so I will need to check them out.
     
    Jazz, Mar 13, 2008
    #16
  17. Jazz

    Mike Easter Guest

    Could you clarify what you see in her 'Sent' folder and what you see on
    the bottom-most non-bogus Received traceline of the time received by the
    recipient/s?

    I don't understand the concept of 'blank' headers in the context of OL
    Sent mail. Sent mail headers are naturally different from received
    headers, since they have no smtp stamped Received tracelines in them,
    but they have From To Subject & Date lines besides Xlines and MIME &
    Content-type.

    And what about the server logs?
     
    Mike Easter, Mar 13, 2008
    #17
  18. Jazz

    Mike Easter Guest

    dyslexic 'item'

    s/time/item/

    .... the bottom-most non-bogus Received traceline of the *item* received
    by the recipients.
     
    Mike Easter, Mar 13, 2008
    #18
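
The header comparison asked for in this thread (find the bottom-most Received line that a trusted server actually stamped, then compare it with mail known to come from her PC), as an added Python example that is not part of any poster's message. The host names, IP addresses, LAN range and sample headers are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions (constructed for this example): our relay chain and LAN range.
TRUSTED = {"mx.recipient.example": "192.0.2.25", "mail.example.org": "203.0.113.10"}
LAN = ipaddress.ip_network("192.168.1.0/24")
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\([^\[\)]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)")

def origin_hop(raw, first_by="mx.recipient.example"):
    """Bottom-most Received line that is still vouched for by a trusted server."""
    server_at = {ip: host for host, ip in TRUSTED.items()}
    expected_by, origin = first_by, None
    for line in message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP_RE.search(line)
        if not m or m.group("by").lower() != expected_by:
            break                      # not stamped by the server we expected
        origin = m.groupdict()
        expected_by = server_at.get(m.group("ip"))
        if expected_by is None:
            break                      # handed over by a non-trusted host: stop here
    return origin

def compare_to_baseline(suspect_raw, known_good_raw):
    s, k = origin_hop(suspect_raw), origin_hop(known_good_raw)
    if s is None or k is None:
        return "no trusted Received line: use the mail server logs"
    if (s["helo"].lower(), s["ip"]) == (k["helo"].lower(), k["ip"]):
        return "same origin as known-good mail"
    where = "LAN" if ipaddress.ip_address(s["ip"]) in LAN else "outside LAN"
    return f"different origin: {s['helo']} [{s['ip']}] ({where})"

# Constructed sample headers (not taken from the thread).
def sample(*hops):
    lines = [f"Received: from {h} ([{ip}]) by {by} with ESMTP; Wed, 12 Mar 2008 10:02:09 -0500"
             for h, ip, by in hops]
    return "\n".join(lines + ["From: user@example.org", "Subject: test", "", "body"])

RELAY = ("mail.example.org", "203.0.113.10", "mx.recipient.example")
PC = ("PC-USER", "192.168.1.23", "mail.example.org")
KNOWN_GOOD = sample(RELAY, PC)
SUSPECT = sample(RELAY, PC, ("webmail.example", "198.51.100.7", "relay.unknown.example"))
SPOOFED = sample(("bulk.example", "198.51.100.7", "mx.recipient.example"), PC)
INTERNAL = sample()   # mailbox-to-mailbox copy with no Received lines

if __name__ == "__main__":
    for name in ("SUSPECT", "SPOOFED", "INTERNAL"):
        print(name, "->", compare_to_baseline(globals()[name], KNOWN_GOOD))
```

The walk stops at the first line not stamped by the expected server, so a Received line pasted in by the sender below the real hand-off is never believed, even if it names a trusted host.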
  19. Jazz

    Jordon Guest

    Another one go out?

    Viruses rarely leave any traces of the messages they send.
    Are you assuming that because someone received a message
    from her that it was her computer that sent it? Don't. It
    could just as well be a virus on your computer that looks
    in your address list, sends itself to her co-workers (also
    in your address list) and disguises itself as coming from
    her.

    All you really know is that the people that receive these
    messages and the person who appears to be sending them are
    in the address list of someone's computer that's infected.
     
    Jordon, Mar 14, 2008
    #19
  20. Jazz

    ded Guest

    Yep indeed, there are specific viruses that hijack a PC and flow the spam out.
    And Outlook is an easy target, just Google the following terms:
    Outlook Hijacked for spam
    There are zillions of articles about the subject, this is a link to a brief
    BBC article on the subject:
    http://news.bbc.co.uk/1/hi/technology/3528810.stm
     
    ded, Mar 14, 2008
    #20