
I'm seeking help about some impossible-to-track-down malware that is spamming my whole contacts list using direct SMTP sending.

  • It uses my personal email address (ISP, POP3/SMTP based, NOT web based, as I could find nothing but Gmail or Hotmail related problems and answers on the web, which is NOT my case) and is able to browse and use my contacts list to send short spam messages with a link to some infected website to a group of recipients (the only way to detect that something wrong is going on is receiving failure return messages when one of the addresses in the list is obsolete, for instance, or when one of the recipients' servers or an ISP server rejects it).

  • My ISP has checked the history from the dates and times indicated in such returned warnings, and is able to certify the spam was actually sent from my IP address, so it's NOT only spoofing my address: my computer was the actual sender. BTW, all the recipients are in my actual contacts list.

  • It started when I was using my old computer running Windows XP and Outlook Express. However, it now does the same on my brand new computer running Windows 7 Pro and Thunderbird, meaning it's also able to browse my Thunderbird contacts list, and not just the obvious old Outlook Express WAB file.

Recently, one of my customers reported the same problem (they noticed it when some of their customers' servers blacklisted them and they started to receive the same undelivered return messages I've been experiencing). BTW, their ISP is the same as mine (see below about the fact they may still allow anonymous SMTP). In her case, her computer is running Windows 10 Professional and she's using MS Outlook 2007.

  • It most probably doesn't use my email client program to issue the spam emails anyway (though of course it's hard to say whether it launches it in the background), but though the computer of course has to be left turned on, it usually sends them at night (most of the time around 1 to 3 AM, though sometimes they were issued during the daytime) when my email client is closed.

So it has to connect directly to my ISP's server with SMTP (using of course my email address and password, though my ISP might still allow anonymous SMTP, which is of course a problem).

Unfortunately, my local ISP doesn't use SSL or TLS encryption (though I guess it wouldn't change much as long as no password is required). However, considering it could get my email address and contacts list, I guess it was probably not that hard to get my stored password as well (since NirSoft is able to do so, for instance).

  • No antivirus software could detect anything, yet it's still there, spamming my whole contacts list about twice a month, sometimes more often, sometimes only once: the frequency, hour, etc. are totally random and unpredictable.

I've tried all that was advised on the web with absolutely no result at all.

  • Of course, manually checking the registry, services, etc. shows nothing suspect at startup. And yet, the damn process has to be lurking somewhere, or it wouldn't be able to burst hundreds of emails within a few seconds like it does!

So now I've just tried to block it using firewall rules.

However, using the Microsoft firewall, I could add an outgoing rule allowing Thunderbird to use port 25 with user authentication, but I'm totally unsure whether this makes the rule exclusive, i.e. enabling this probably doesn't disable any other use.

Unfortunately, adding another rule blocking port 25 doesn't make the above rule an exception. If I do so, it just prevents me from sending any email at all, despite the explicit permission. Apparently, the prohibition rule overrides the permission one, whereas I'd like to get the exact opposite behaviour (block all, then allow the exception).

Ideally, I'd wish for any attempt from any app other than the only allowed one (Thunderbird in my current case) to be logged so I could track down the culprit.

  • Has any of you ever heard of such a problem, and maybe could lead me to a solution, or to someone able to solve this problem, or would know of any tool that would be more efficient at detecting it?

  • Does anybody know how I could set up the firewall so it blocks any use of port 25 except from one allowed app? And ideally, how to log any attempt from any process but the allowed one? Or maybe some free third-party firewall software that would do the job?

Of course, identifying the culprit and being able to eliminate it would be perfect, but if it can't be done, preventing it from doing harm would still be an acceptable compromise until antivirus software is able to detect it one day.

EDIT:

Here's a sample: http://www.mediafire.com/download/relstor86wkfw44/Undelivered_Mail_Returned_to_Sender.eml.zip

EDIT: so in conclusion, analysing the headers will help you know whether the spam originated from your PC or whether your email address has been spoofed.

Problem solved in my case, thanks to David's answer below. This explains why no antivirus tool could find anything suspect in situ.

  • This isn't a forum, it's a Q&A format, and works differently. What's the exact error? Maybe something you're saying is tripping the spam filter, and/or you have some new user weirdness. Extending a question into an answer is not how we do things here.
    – Journeyman Geek
    Commented Aug 31, 2016 at 11:50
  • It's a bit strange complaining about not enough space when you use paragraphs like "My ISP.... contacts list", where you could just have written: My ISP verified the spam came from my IP.
    – Jan Doggen
    Commented Aug 31, 2016 at 11:52
  • Merged the contents of the 'answer' into the question. Feel free to edit as needed.
    – Journeyman Geek
    Commented Aug 31, 2016 at 11:53
  • OK, thanks for having managed to group my post. I hope someone will have a hint, as it's been annoying me for over 6 months and some other people are starting to experience the same problem on recently set up computers, different Windows versions and different email clients...
    – Z80
    Commented Aug 31, 2016 at 11:55
  • - Why were you still using W XP? - Why did you not scan data when moving from XP to 7 Pro, when you knew that XP was infected? - Why are you using W7? Jeez, switch to 10 or your fav linux distro.
    – ave
    Commented Aug 31, 2016 at 11:57

1 Answer

Where did this email actually come from?

My ISP has checked the history from the dates and times indicated in such returning warnings, and is able to certify the spam was actually sent from my IP address, so it's NOT only spoofing my address : my computer was the actual sender

My ISP is canl.nc

Here are the headers from one such returned email:

Return-Path: <my email address>
Received: from localhost (localhost [127.0.0.1])
  by mail.zakat.com.my (Postfix) with ESMTP id 29D9C1930B2;
  Sun,  7 Aug 2016 23:00:34 +0800 (MYT)
X-Virus-Scanned: amavisd-new at zakat.com.my
Received: from mail.zakat.com.my ([127.0.0.1])
  by localhost (mail.zakat.com.my [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id cl7meerEgQyi; Sun,  7 Aug 2016 23:00:33 +0800 (MYT)
Received: from pebow.org (82-160-175-227.tktelekom.pl [82.160.175.227])
  by mail.zakat.com.my (Postfix) with ESMTPSA id 4A03B193085;
  Sun,  7 Aug 2016 23:00:28 +0800 (MYT)
From: <my email address>
To: <some recipient address>, <some recipient address>, <some recipient address>, <some recipient address>
Subject: =?utf-8?B?Rnc6IGNvb2wgcGVvcGxl?=
Date: Sun, 7 Aug 2016 17:59:57 +0300
Message-ID: <[email protected]>

Your ISP is incompetent:

  • This email did not come from you (unless you are living in Poland)

  • It came from 82.160.175.227 (Poland)

    % Information related to '82.160.175.0 - 82.160.175.255'
    
    % Abuse contact for '82.160.175.0 - 82.160.175.255' is '[email protected]'
    
    inetnum 82.160.175.0 - 82.160.175.255
    netname PL-NETLINE-STARGARD
    descr   Net-line sp. z o.o.
    descr   Stargard Szczecinski
    country PL
    admin-c LH133-RIPE
    tech-c  LH133-RIPE
    status  ASSIGNED PA
    mnt-by  NETIA-MNT
    mnt-lower   NETIA-MNT
    mnt-routes  NETIA-MNT
    created 2014-04-07T07:36:13Z
    last-modified   2016-03-15T14:24:30Z
    source  RIPE # Filtered
    
  • It was sent to (and delivered to) mail.zakat.com.my (Malaysia).

  • zakat.com.my rejected the mail with a 451 smtp error:

    If you receive one of the above (or a similar) error message from your mail server (after you've sent out some messages), then you have reached a limit on your mail server (or email account). This means your mail server will not accept any further messages until you waited some time.

    Your mail account might have one or multiple limitations:

    • Daily mail limit, e.g. max. 2000 messages per day
    • Hourly mail limit, e.g. max. 500 messages per hour
    • Message submission rate limit
  • The rejection notification was sent to you because:

    Return-Path: <my email address>
    
  • Your ISP is canl.nc. At no point in the sending of this email is canl.nc involved. They are involved only because the bounce was sent to you.


So what actually happened?

  1. Your address book was somehow leaked.

  2. A spammer in Poland sent some spam with your email address forged as the return address from IP address 82.160.175.227

  3. The spam was sent to mail.zakat.com.my and rejected - probably because mail.zakat.com.my noticed too many spams coming from the spammer's IP address.

    • mail.zakat.com.my is not very well configured as 82.160.175.227 is actually a blacklisted IP address.

    • mail.zakat.com.my is not an open relay so it is possible the spammer has an account there.

  4. The spam therefore bounced and you are the recipient of what is called backscatter:

    Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) is incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

Notes:

  1. Many email headers can be (and usually are) forged by spammers when they send their spam.

    • "From:" address
    • Return-Path: address
    • Some "Received:" headers can also be forged.
  2. SMTP message spoofing shows just how easily this can be done using an open (unsecured) relay mail server.


Analysis of the email headers

There are many tools to analyze email headers, some of which can show if any of the ip addresses in the chain are on spam blacklists.

These tools can also tell if any of the "Received:" headers in the chain are forged.

One such tool is MxToolbox Email Header Analyzer.

Analysis with this tool shows the following results:

[screenshot: MxToolbox Email Header Analyzer results, header chain]

[screenshot: MxToolbox Email Header Analyzer results, blacklist checks]


Further reading

  • @PIMP_JUICE_IT Yes. I used to see lots of such bounces when my pobox account was forged as the sender. I don't see them much now, I suspect google throws them away (my pobox account forwards to my google account).
    – DavidPostill
    Commented Sep 2, 2016 at 20:13
  • Many thanks for your analysis, David. Yes, it looks like my address book has leaked. The original Outlook Express WAB file is probably not hard to get and read. I almost never had virus alerts, but I suppose once might have been enough. I hope my PC is better protected now... I'll forward this topic to my ISP and ask them for their opinion. The fact is, all I could give them was the date and time I received the notification, and I asked the guy if the original was emitted from my IP... It looks like he didn't understand me, maybe? I'll call their boss (if I can contact him).
    – Z80
    Commented Sep 5, 2016 at 1:19
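As an added worked example (not part of the question or of David's answer), the following Python script does by hand what the answer does with the MxToolbox analyzer: it walks the Received chain of the bounced message, finds the line written by the first server you actually trust (the recipient's MX, here mail.zakat.com.my), and reads the connecting IP from that line. Everything below that line in the message could have been typed in by the spammer, so only that hop is evidence of where the mail came from. The headers quoted above are embedded as constructed sample input (with the poster's placeholders kept); the poster's own IP is never given in the thread, so a documentation-range address (203.0.113.7) stands in for it, and the choice of zakat.com.my as the trusted domain is likewise an assumption for this example.

```python
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the bounce headers quoted in the answer above, placeholders
# kept as the poster wrote them. Not a live capture.
SAMPLE_HEADERS = """\
Return-Path: <my email address>
Received: from localhost (localhost [127.0.0.1])
  by mail.zakat.com.my (Postfix) with ESMTP id 29D9C1930B2;
  Sun,  7 Aug 2016 23:00:34 +0800 (MYT)
X-Virus-Scanned: amavisd-new at zakat.com.my
Received: from mail.zakat.com.my ([127.0.0.1])
  by localhost (mail.zakat.com.my [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id cl7meerEgQyi; Sun,  7 Aug 2016 23:00:33 +0800 (MYT)
Received: from pebow.org (82-160-175-227.tktelekom.pl [82.160.175.227])
  by mail.zakat.com.my (Postfix) with ESMTPSA id 4A03B193085;
  Sun,  7 Aug 2016 23:00:28 +0800 (MYT)
From: <my email address>
Subject: =?utf-8?B?Rnc6IGNvb2wgcGVvcGxl?=
Date: Sun, 7 Aug 2016 17:59:57 +0300

"""

# Assumption for the example: the poster never gives his real IP, so a
# documentation-range address stands in for it.
MY_IP = "203.0.113.7"
TRUSTED_DOMAIN = "zakat.com.my"  # the recipient's MX, whose Received line we trust


@dataclass
class Hop:
    from_name: str            # HELO/EHLO name the sending host announced (unverified)
    from_ip: Optional[str]    # address the receiving server actually saw
    by_host: Optional[str]    # server that wrote this Received line
    raw: str                  # the flattened header value


_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")
_BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(raw_headers: str) -> List[Hop]:
    """Return the Received chain in delivery order (earliest hop first).

    Each server prepends its own Received line, so the top of the message is
    the most recent hop and the bottom one is the earliest; we reverse the list.
    """
    msg = email.message_from_string(raw_headers)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m_from = _FROM.search(flat)
        m_by = _BY.search(flat)
        ip = None
        if m_from:
            # The bracketed address inside the parentheses is what the
            # receiving server observed, e.g. "(...tktelekom.pl [82.160.175.227])".
            m_ip = _IP.search(m_from.group(2) or "")
            ip = m_ip.group(1) if m_ip else None
        hops.append(Hop(from_name=m_from.group(1) if m_from else "?",
                        from_ip=ip,
                        by_host=m_by.group(1) if m_by else None,
                        raw=flat))
    hops.reverse()
    return hops


def origin_hop(hops: List[Hop], trusted_domain: str) -> Optional[Hop]:
    """First hop written by a server in the trusted domain.

    Its from-IP is the only sending address that can be relied on: hops that
    appear earlier in delivery order were not written by anyone we trust.
    """
    for hop in hops:
        if hop.by_host and hop.by_host.lower().endswith(trusted_domain.lower()):
            return hop
    return None


def classify(raw_headers: str, trusted_domain: str, my_ip: str) -> Dict[str, object]:
    """Decide whether the bounced mail was sent from my_ip or merely forged."""
    hops = parse_received(raw_headers)
    hop = origin_hop(hops, trusted_domain)
    if hop is None or hop.from_ip is None:
        return {"verdict": "undetermined", "origin_ip": None, "hops": len(hops)}
    origin = ipaddress.ip_address(hop.from_ip)
    verdict = ("sent_from_your_ip" if origin == ipaddress.ip_address(my_ip)
               else "spoofed_sender")
    return {"verdict": verdict, "origin_ip": str(origin),
            "origin_helo": hop.from_name, "is_global": origin.is_global,
            "hops": len(hops)}


if __name__ == "__main__":
    for i, h in enumerate(parse_received(SAMPLE_HEADERS), 1):
        print(f"hop {i}: from {h.from_name} [{h.from_ip}] by {h.by_host}")
    print(classify(SAMPLE_HEADERS, TRUSTED_DOMAIN, MY_IP))
```

Run it with your own bounce instead of SAMPLE_HEADERS and your own public IP instead of MY_IP; if the verdict is `spoofed_sender`, the origin_ip is the address to look up in whois and the blacklists, and nothing on your machine sent the message.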
