Auto-mailer virus? Help please someone!

rm1301

Since approx midday today I have suddenly started receiving an absolute ton of failed delivery messages into my inbox. Looking at the body of the failed emails they are !!!!!! related and are all showing as being sent from my address but the 'from' field shows a random name instead of my mine. Obviously I am not sending them myself and nor do I recognise any of the email addresses that they are being to sent. I should perhaps point out that this is an email account hosted on my own domain, not a generic hotmail or yahoo one.

I am at a complete loss in trying to figure out what is causing it. I have done a full system scan with MSE and also Malware Bytes (disconnected from the net on both occasions) and both have come back completely clean. The delivery failure messages continue to come thick and fast (I must have had in excess of 300 now since midday).

My stand alone email client is OE6 and I'm running XP SP3, however I'm getting the same issues when using SmarterMail Pro on my domain on my laptop as well (laptop hasn't been used for 3 weeks up until this evening when the "affected" one was running scans so it's nothing to do with that machine).

Short of changing my email address which I'm loath to do, does anyone have any suggestions for a next step please?

Thanks.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
RIK :: RIK-PC [administrator]

28/01/2012 16:34:13
mbam-log-2012-01-28 (16-34-13).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199219
Time elapsed: 44 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

WhiteChristmas

Looks like you're being spoofed. It happens, it'll stop after a few days.

Set up a rule (have they a common Title, for example?) in Outlook to dump any replies straight into the trash.

Better still, set it up at web host level to dump any mail not addressed directly to recognised email addresses (if you're seeing mail addressed to random names, then you must have it set up to forward all addresses to your email).

Then follow the step-by-step virus check thread at the top of the Techie forum, but I don't think you've been infected.

Figment

This is a common problem and one I have encountered in the past. Firstly to reassure you, it is highly unlikely the emails originated from your machine.

The spammers have used (spoofed) your email address as the 'from' and/or 'return' address in the spam messages they have spewed out by the million. When those messages hit mail addresses that don't exist the receiving mail server rejects the mail and it is returned to sender (using the from or return address entered in the incoming mail, so in this instance to you)

How did the spammers get your email address? You have undoubtedly used the affected email address on one or more websites in the past. One (or more) of those sites was either insecure in their handling of your details; had been hacked; or was a malicious site. You might even have inadvertently replied to a genuine looking email you received.

What can you do about it?

The quick and dirty answer is to set up a filter to delete the incoming delivery failure messages. Set the filter so it works on unique parts of the junk mail (e.g. words in the subject field) to prevent the filter acting on Failed Delivery reports for mail you have actually sent.

You say the email address is on a domain you own, so it should be possible to set the filter on the incoming mail server on the web. If you cannot set a filter on the mail server, do it in OE6 instead, but this will mean the reports have to be downloaded from the web server to your computer where they are deleted.

One other thing to bear in mind is that you are unfortunately at risk of your email address being blacklisted by the likes of Hotmail as a result of their users reporting the messages bearing your email address as junk.

rm1301

WhiteChristmas wrote: »

Looks like you're being spoofed. It happens, it'll stop after a few days.

I sure hope so!

Set up a rule (have they a common Title, for example?) in Outlook to dump any replies straight into the trash.

Unfortunately not. There is no common theme (words) in them all, they're pretty random.

Better still, set it up at web host level to dump any mail not addressed directly to recognised email addresses (if you're seeing mail addressed to random names, then you must have it set up to forward all addresses to your email).

"Recognised email addresses" would mean a list of addresses nearly as big as the random ones in the delivery failure emails as my personal email address book is some size, so not really practicable. Not sure I'm understanding your bit in brackets. I do have other email addresses which are fwded to my main one, but the 'from' address on the delivery failure mails is my main account, not any of my secondary accts.

Then follow the step-by-step virus check thread at the top of the Techie forum, but I don't think you've been infected.

Okay I'll take a look at that thanks. I'm just running S&D at the moment as it's always come up trumps with a few bits that other programs have missed in my experience. Will see when it finishes.:)

rm1301

Figment wrote: »

This is a common problem and one I have encountered in the past. Firstly to reassure you, it is highly unlikely the emails originated from your machine.

The spammers have used (spoofed) your email address as the 'from' and/or 'return' address in the spam messages they have spewed out by the million. When those messages hit mail addresses that don't exist the receiving mail server rejects the mail and it is returned to sender (using the from or return address entered in the incoming mail, so in this instance to you)

Yeah I thought as much. I do remember having this issue once before but I'm going back probably 12-15 years and I think I fixed it by dumping my current free email addy for a new one, but that really isn't an option here without a whole pile of hassle.

How did the spammers get your email address? You have undoubtedly used the affected email address on one or more websites in the past. One (or more) of those sites was either insecure in their handling of your details; had been hacked; or was a malicious site. You might even have inadvertently replied to a genuine looking email you received.

Indeed it's a bit of a puzzle. I'm pretty clued up on spam and virus/trojan/worm avoidance believe it or not and other than some harmless spyware and !!!!!! dialers in the very distant past I've never had any virus issues at all. Spam mail gets sender blocked and deleted right at the start, attachments are always treated with suspicion and scanned, same for anything exe, and it's very rare I do any file downloading. That's why this has come as a surprise. I'm wondering if this has actually originated from someone else in my address book that's infected and the spammers have decided to "piggyback" my email addy for their dirty work?

What can you do about it?

The quick and dirty answer is to set up a filter to delete the incoming delivery failure messages. Set the filter so it works on unique parts of the junk mail (e.g. words in the subject field) to prevent the filter acting on Failed Delivery reports for mail you have actually sent.

You say the email address is on a domain you own, so it should be possible to set the filter on the incoming mail server on the web. If you cannot set a filter on the mail server, do it in OE6 instead, but this will mean the reports have to be downloaded from the web server to your computer where they are deleted.

One other thing to bear in mind is that you are unfortunately at risk of your email address being blacklisted by the likes of Hotmail as a result of their users reporting the messages bearing your email address as junk.

Hmm. Same issues here as mentioned in my reply to the OP. I really don't want to go down this route of setting up additional mail rules because there's no common theme in the mails and it'd be a whole pile of hassle. What I want to do is get to the root of it and fix it. Short of changing my address is there anything else I can do?:cool:

Thanks.

Figment

rm1301 wrote: »

the spammers have decided to "piggyback" my email addy for their dirty work?

That's exactly what they've done.

rm1301 wrote: »

Hmm. Same issues here as mentioned in my reply to the OP. I really don't want to go down this route of setting up additional mail rules because there's no common theme in the mails and it'd be a whole pile of hassle. What I want to do is get to the root of it and fix it. Short of changing my address is there anything else I can do?:cool:

Thanks.

If the undelivered report includes the original message (usually does) you should see the mail headers. Look to see if there's a common denominator there (for example they may have an entry for Originating Domain)

You stated above that all of these are coming to your main email address. I am presuming this is an actual email account with a unique address that has been set up by/for you, and not a 'catch-all' account?

WhiteChristmas

Figment wrote: »

a unique address that has been set up by/for you, and not a 'catch-all' account?

That's the notion I was (unsuccessfully) trying to articulate in my original post.

Spammers harvest email addresses from all sorts of places; the address book of compromised computers is one source, but a favourite place is from active websites. Do you have a "contact me"/mailto: link on your website?

rm1301

Figment wrote: »

That's exactly what they've done.





If the undelivered report includes the original message (usually does) you should see the mail headers. Look to see if there's a common denominator there (for example they may have an entry for Originating Domain)

I've been looking at them for links, but unfortunately there aren't any.

You stated above that all of these are coming to your main email address. I am presuming this is an actual email account with a unique address that has been set up by/for you, and not a 'catch-all' account?

Yes it's my main day to day account set up by me on my domain. For forums etc, I always use a throwaway gmail account for registration which I then set up in gmail to forward to my main address for any PM notifications etc. The headers in the failed delivery messages are all originating from my main email so the most likely place it's been gleaned from is someone else's address book I reckon.

I'm now getting replies back to 'my' emails too - "unsubscribe me from this ****", "**** you" etc etc. I'm going to be on everyone's blocked list by the end of the day.

rm1301

WhiteChristmas wrote: »

That's the notion I was (unsuccessfully) trying to articulate in my original post.

Spammers harvest email addresses from all sorts of places; the address book of compromised computers is one source, but a favourite place is from active websites. Do you have a "contact me"/mailto: link on your website?

I do, yes, but it's in image form not text, but the contact address on my site is a different one anyway so they haven't got it from there.

Figment

If there really are no common links between the spam emails, then I'm afraid there's little you can do short of dumping the email address, with it's associated hassles, or putting up with the influx of junk until the tide stops.