I'm seeking help about some impossible-to-track-down malware that is spamming all of my contacts list using direct SMTP sending.
It uses my personal email address (ISP-provided, POP3/SMTP based, NOT web based; I could find nothing but Gmail- or Hotmail-related problems and answers on the web, which is NOT my case) and is able to browse and use my contacts list to send short spam messages with a link to some infected website to a group of recipients. (The only way to detect that something wrong is going on is receiving failure return messages when one of the addresses in the list is obsolete, for instance, or when one of the recipients' servers or the ISP's server rejects it.)
My ISP has checked the history for the dates and times indicated in such returned warnings, and is able to certify that the spam was actually sent from my IP address, so it's NOT only spoofing my address: my computer was the actual sender. BTW, all the recipients are in my actual contacts list.
It started when I was using my old computer, running Windows XP and Outlook Express. However, it now does the same on my brand new computer running Windows 7 Pro and Thunderbird, meaning it's also able to browse my Thunderbird contacts list, and not just the obvious old Outlook Express WAB file.
Recently, one of my customers reported the same problem (they noticed it when some of their customers' servers blacklisted them and they started to receive the same undelivered-mail return messages I've been experiencing). BTW, their ISP is the same as mine (see below about the fact that they may still allow anonymous SMTP). In her case, her computer is running Windows 10 Professional and she's using MS Outlook 2007.
- It most probably doesn't use my email client program to issue the spam emails anyway (though of course it's hard to say whether it launches it in the background); the computer of course has to be left turned on, but it usually sends them at night (most of the time around 1 to 3 AM, though sometimes they were issued during the daytime) when my email client is closed.
So it has to connect directly to my ISP's server with SMTP (using my email address and password, of course, though my ISP might still allow anonymous SMTP, which is of course a problem).
Unfortunately, my local ISP doesn't use SSL or TLS encryption (though I guess it wouldn't change much as long as no password is required). However, considering it could get my email address and contacts list, I guess it was probably not that hard to get my stored password as well (since NirSoft is able to do so, for instance).
- No antivirus software could detect anything, yet it's still there, spamming my whole contacts list about twice a month, sometimes more often, sometimes only once: the frequency, hour, etc. are totally random and unpredictable.
I've tried all that was advised on the web with absolutely no result at all.
- Of course, manually checking the registry, services, etc. shows nothing suspect at startup. And yet, the damn process has to be lurking somewhere, or it wouldn't be able to burst hundreds of emails within a few seconds like it does!
So now I've just tried to block it using firewall rules;
However, using the Microsoft firewall, I could add an outgoing rule allowing Thunderbird to use port 25 with user authentication, but I'm totally unsure whether this makes the rule exclusive, i.e. enabling this probably doesn't disable any other use.
Unfortunately, adding another rule blocking port 25 doesn't make the above rule an exception. If I do so, it just prevents me from sending any email at all, despite the explicit permission. Apparently, the block rule overrides the allow rule, whereas I'd like to get the exact opposite behavior (block all, then allow the exception).
Ideally, I'd like any attempt from anything other than the only allowed app (Thunderbird in my current case) to be logged so I could track down the culprit.
Has any of you ever heard of such a problem, and could maybe lead me to a solution, or to someone able to solve this problem, or know of any tool that would be more efficient at detecting it?
Does anybody know how I could set up the firewall so it blocks any use of port 25 except from one allowed app? And ideally, how to log any attempt from any process but the allowed one? Or maybe some free third-party firewall software that would do the job?
Of course, identifying the culprit and being able to eliminate it would be perfect, but if it can't be done, preventing it from doing harm would still be an acceptable compromise until antivirus software is able to detect it one day.
EDIT:
Here's a sample: http://www.mediafire.com/download/relstor86wkfw44/Undelivered_Mail_Returned_to_Sender.eml.zip
EDIT: so in conclusion, analysing the header will help you know whether the spam originated from your PC or whether your email address has been spoofed.
Problem solved in my case, thanks to David's answer below. This explains why no antivirus tool could find anything suspect in situ.
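The firewall setup the question asks for, as an added example that is not part of the original post or of any answer to it: Windows Firewall applies Block rules before Allow rules, so the "allow Thunderbird on 25" plus "block 25 for everyone" pair can only ever block Thunderbird too. The supported way to get "deny unless listed" is the profile's default outbound action, with Allow rules that re-open everything that is not SMTP and one Allow rule for the mail client. The script uses netsh rather than the New-NetFirewallRule cmdlets because netsh works on Windows 7 as well as Windows 10, and it turns on Windows Filtering Platform auditing so that every dropped connection is logged with the executable that made it (Security event 5157). The Thunderbird path, the rule names and the function names are assumptions.

```powershell
# Added example (not from the original post): deny outbound SMTP (TCP 25 and 587)
# to every program except one mail client, and record every other attempt together
# with the executable that made it. Run from an elevated PowerShell prompt.
# netsh is used because it works on Windows 7 and Windows 10 alike; the NetSecurity
# cmdlets (New-NetFirewallRule etc.) only exist from Windows 8 on.
# The Thunderbird path below is an assumption; adjust it to your installation.

$MailClient = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'   # assumed path

function Set-SmtpLockdown {
    # Windows Firewall evaluates Block rules before Allow rules, so the pair
    # "allow Thunderbird on 25" + "block 25 for all programs" also blocks Thunderbird,
    # which is exactly what the question reports. The supported way to get
    # "deny unless listed" is the profile's default outbound action (blockinbound is
    # already the default for inbound traffic), plus Allow rules that re-open
    # everything that is not SMTP. Tokens containing commas are quoted so PowerShell
    # does not split them into separate arguments before netsh sees them.
    netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'

    # All TCP ports except 25 and 587, all UDP and ICMPv4 stay open for every program,
    # so the rest of the machine behaves as before. Rule names carry no spaces.
    netsh advfirewall firewall add rule name=LockdownAllowTcpExceptSmtp dir=out action=allow protocol=TCP 'remoteport=1-24,26-586,588-65535'
    netsh advfirewall firewall add rule name=LockdownAllowUdp dir=out action=allow protocol=UDP
    netsh advfirewall firewall add rule name=LockdownAllowIcmp dir=out action=allow protocol=icmpv4

    # The single exception: only the mail client may reach the SMTP ports.
    # PowerShell quotes the whole "program=..." token because the path contains spaces.
    netsh advfirewall firewall add rule name=LockdownMailClientSmtp dir=out action=allow protocol=TCP 'remoteport=25,587' "program=$MailClient"

    # Log blocked connections together with the process that made them. pfirewall.log
    # only records addresses and ports; Security event 5157 (Windows Filtering Platform)
    # also carries the executable path and PID. The GUID names the "Filtering Platform
    # Connection" subcategory independently of the Windows display language.
    auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:enable
}

function Get-BlockedSmtpAttempts {
    # List outbound connections to the SMTP ports that the firewall dropped, with the
    # offending executable. Reading the Security log needs an elevated prompt.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named event fields are only reachable through the event XML.
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # %%14593 is the resource string for "Outbound" in this event (%%14592 is Inbound).
        if ($d['Direction'] -eq '%%14593' -and ($d['DestPort'] -eq '25' -or $d['DestPort'] -eq '587')) {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                ProcessId   = $d['ProcessID']
                Application = $d['Application']   # NT device path, e.g. \device\harddiskvolume2\...
                Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
            }
        }
    }
}

# Usage (both need an elevated prompt):
#   Set-SmtpLockdown
#   Get-BlockedSmtpAttempts -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner would add: the program exception only identifies the executable, so malware that injects itself into the allowed mail client, or that uses another program the firewall trusts, is not stopped by it, and the audit entries show which executable opened the connection, not who started it. The 5157 Application field is an NT device path; map it to a drive letter with `fsutil volume list` (or simply search the file name) before looking for the file on disk.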
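The header analysis the final EDIT refers to, as an added example that is not part of the original post or of David's answer: every mail server prepends its own Received: header, so the bottom-most Received: header in the original message attached to a bounce is the first hop, i.e. the machine that handed the message to the ISP's SMTP server. The script unfolds the headers of a bounce, walks the Received: chain and reports that first hop. The bounce text is constructed for this example and every host name and address in it is made up; the function names are assumptions.

```powershell
# Added example (not from the original post): walk the Received: chain of a returned
# message to see where it entered the mail system. The bounce below is constructed
# for this example; every host name and address in it is made up.

$SampleBounce = @'
Return-Path: <>
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
    by mail.customer-domain.example (Postfix) with ESMTP id 4B2C1
    for <old.contact@customer-domain.example>; Tue, 12 Jan 2016 02:14:07 +0100
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.customer-domain.example.
<old.contact@customer-domain.example>: user unknown

Return-Path: <victim@example-isp.net>
Received: from smtp.example-isp.net (smtp.example-isp.net [203.0.113.25])
    by mx.example-isp.net with ESMTP; Tue, 12 Jan 2016 02:14:05 +0100
Received: from [192.168.1.7] (dsl-198-51-100-42.example-isp.net [198.51.100.42])
    by smtp.example-isp.net (Postfix) with SMTP id 7F3A9; Tue, 12 Jan 2016 02:14:04 +0100
From: victim@example-isp.net
Subject: hi
'@

function Get-ReceivedChain {
    # Return every Received: header found in the text, earliest hop first.
    param([Parameter(Mandatory=$true)][string]$Text)

    # Unfold RFC 5322 continuation lines (leading whitespace) so each header is one line.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s+' -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += ' ' + $line.Trim()
        } else {
            $unfolded.Add($line)
        }
    }

    $hops = @()
    foreach ($header in $unfolded) {
        if ($header -notmatch '^Received:\s*(.*)$') { continue }
        $body = $Matches[1]
        $from = $null; $ip = $null; $by = $null
        if ($body -match '^from\s+(\S+)(?:\s+\(([^)]*)\))?') {
            $from = $Matches[1]
            # Prefer the address the receiving server recorded in parentheses over the
            # client's own HELO name: the client controls the latter, the server the former.
            $verified = if ($Matches[2]) { $Matches[2] } else { $body }
            if ($verified -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $ip = $Matches[1] }
        }
        if ($body -match '\bby\s+(\S+)') { $by = $Matches[1] }
        $hops += New-Object PSObject -Property @{ From = $from; Ip = $ip; By = $by; Raw = $body }
    }

    # Headers are prepended on each hop, so file order is newest first; reverse it.
    [array]::Reverse($hops)
    return $hops
}

function Get-InjectingHop {
    # The first hop of the original message: the host that actually submitted it.
    param([Parameter(Mandatory=$true)][string]$Text)
    $chain = @(Get-ReceivedChain -Text $Text)
    if ($chain.Count -eq 0) { return $null }
    return $chain[0]
}

# Usage: paste the bounce (or read it with Get-Content -Raw) and print the first hop.
$hop = Get-InjectingHop -Text $SampleBounce
"First hop: $($hop.From) seen by $($hop.By) as [$($hop.Ip)]"
```

For the constructed bounce the first hop is a DSL customer line (198.51.100.42) handing the message to smtp.example-isp.net, which is the "sent from your own connection" case the ISP in the question describes; if instead the first hop is some unrelated foreign host and your address only appears in the From: line, the address was spoofed. Two checks belong with this: only trust the Received: lines added by servers you know (your ISP's), because a sender can forge extra ones underneath them, and compare the first-hop address with the public address your connection had at the timestamp shown, not with the one you have today.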