NIS 2008 - Dear Friend Email

Getting an unable to deliver message sounds like somebody spoofed your e-mail address. What probably happened is that one of your friends or associates got infected. The infection then proceeded to look in your associate's address book and get your e-mail address. The infection then continued to send out bunches of e-mail using your address as the return address. When one of the e-mails didn't reach its target, it was returned to you as undeliverable.

 

Unfortunately, this is fairly common and there isn't much that you can do about it other than encourage your friends and associates to better secure their systems.

 

P.S. This is especially true if you don't recognize the address that it was returned from. If you do recognize the address, then your machine may have actually sent it, or, your friend / associate has the same address in their address book too.

Message Edited by reese_anschultz on 07-21-2008 12:04 PM
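The bounce described above usually echoes the headers of the message that failed, and the earliest `Received` hop in that echoed copy shows where the message was injected into the mail system. The following is an added example for this thread, not code from any of the posts or from Norton; the bounce messages are constructed samples, the `example.com` / `example.org` hosts and the `198.51.100.23` / `203.0.113.5` addresses are documentation placeholders, and `smtp.example.com` is an assumed name for the server the account legitimately sends through.

```python
"""Triage an "undeliverable" bounce: was the failed message injected from our
own sending server, or from some unrelated host that merely used our address
as the return address?

Added example, not from the original thread. All hosts and addresses are
constructed placeholders.
"""
import re
from email import message_from_string
from email.message import Message
from email.policy import default
from typing import Optional, Set

# Hosts this account is expected to send through (placeholder value).
TRUSTED_SENDING_HOSTS: Set[str] = {"smtp.example.com"}

# Constructed delivery-status notification. The message/rfc822 part carries the
# headers of the original message; {received} is filled in per scenario below.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.org
To: evelyn@example.com
Subject: Undeliverable: Dear friend
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address failed: olduser@example.org
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; olduser@example.org
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

{received}
From: evelyn@example.com
To: olduser@example.org
Subject: Dear friend

Dear friend: Welcome to visit our website
--B1--
"""

# Scenario 1: first hop is an unknown host -> the address was only spoofed.
SPOOFED_BOUNCE = BOUNCE_TEMPLATE.format(
    received="Received: from [198.51.100.23] (unknown [198.51.100.23]) "
             "by mx.example.org; Wed, 23 Jul 2008 09:02:09 +0000")

# Scenario 2: first hop is our own provider -> the account (or our PC) really sent it.
COMPROMISED_BOUNCE = BOUNCE_TEMPLATE.format(
    received="Received: from smtp.example.com (smtp.example.com [203.0.113.5]) "
             "by mx.example.org; Wed, 23 Jul 2008 09:02:09 +0000")


def returned_original(bounce: Message) -> Optional[Message]:
    """Return the original message embedded in a DSN, if the bounce carries one."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            embedded = part.get_payload()  # list holding the embedded message
            if embedded:
                return embedded[0]
    return None


def origin_host(original: Message) -> Optional[str]:
    """Host named in the earliest Received header.

    Each MTA prepends its own Received line, so the last one listed is the
    first hop, i.e. the machine that handed the message into the mail system.
    """
    received = [str(h) for h in original.get_all("Received", [])]
    if not received:
        return None
    match = re.match(r"\s*from\s+(\S+)", received[-1])
    return match.group(1) if match else None


def classify_bounce(raw_bounce: str, trusted_hosts: Set[str] = TRUSTED_SENDING_HOSTS) -> str:
    """Classify a bounce as spoofed return address vs. genuinely sent via our server."""
    bounce = message_from_string(raw_bounce, policy=default)
    original = returned_original(bounce)
    if original is None:
        return "no-original"          # DSN did not echo the message; nothing to inspect
    host = origin_host(original)
    if host is None:
        return "unknown"
    if host.strip("[]") in trusted_hosts:
        return "sent-via-own-server"  # consistent with a compromised account or infected PC
    return "spoofed-return-address"   # injected elsewhere; our address was only borrowed


if __name__ == "__main__":
    print("spoofed sample:    ", classify_bounce(SPOOFED_BOUNCE))
    print("compromised sample:", classify_bounce(COMPROMISED_BOUNCE))
```

Only the `Received` lines added by servers you trust are reliable; a sender can forge any lines below them, so treat this as a first triage step. A result of `sent-via-own-server` is the case the rest of this thread goes on to discuss: a copy in the Sent folder, which a pure spoof never produces.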

reese,

 

What bothers me is that she claims there was also a copy in her sent folder, not just a bounceback in her inbox.

 

 


evelynjohnson86 wrote:
I got a "unable to deliver" message bounce into my inbox and when I checked my sent box, there it was.

Thanks for pointing that out Phil. That does make it much more suspicious.


Phil_D wrote:

reese,

 

What bothers me is that she claims there was also a copy in her sent folder, not just a bounceback in her inbox.

 

 


evelynjohnson86 wrote:
I got a "unable to deliver" message bounce into my inbox and when I checked my sent box, there it was.

Hi Phil_D,

 

Good catch.

 

Do we know what email client is being used?  For example, if she is using OE / Outlook then we might be looking at a macro ... just spit balling.  If she was using Hotmail ... that's another beast altogether.  

 

Lots of free programs use old code (Delphi stuff for example) that hooks into Outlook / OE.  It wouldn't take a great code cutter to knock up something 'legitimate' to do what is being described - the code source sits on sourceforge.

 

I have no idea how to slip anything into a hotmail account via a web browser ... unless she was using an email client set up to automatically log into hotmail (MAPI) - I do this in Outlook.  Guess it *might* be doable ... have no clue how though.

 

I'm saying if this is using free code it may not appear on a bot radar or any other 'check' as a 'bad' program.  

 

Maybe Hijackthis?  The good folk at Castlecops eat and drink this sort of thing.  If there is any beastie lurking around they may track it ... or at least give us a clue about where to look.

 

Cheers

mcullet,

 

Unfortunately evelynjohnson86 has not yet replied as to how she has her email set up, so further diagnosis is on hold at this time.

 

Best Wishes.

I use hotmail in this instance. I don't know the technical bits about how it is set up.  I simply started an account with them years ago.   I'm so impressed with the amount of time everyone is taking, if a solution can be found it would be great.  I can't be the only person to be having this problem.

Cheers! Evelyn

Evelyn, when you use hotmail, is this via a Web interface such as Internet Explorer or Firefox, or, a separate e-mail program such as Outlook Express?

Hi all,

 

I've been mulling over this situation and it occurred to me that we may all be approaching the problem from the wrong direction.

 

Hotmail is a web based email service (for the most part).  The original poster reported that a spam email had been sitting in her sent box - meaning (suggesting?) her account had been the sender of the spam.

 

It's dead easy to get hold of hotmail account passwords if you know how.  In fact, there are quite a few commercial products around that will let you do this - and they crack XP accounts and password-protected Office documents.  Life is wonderful, no?

 

We've been looking at this as if (a) something on her PC may be the culprit and or (b) ???? mystery.

 

There is a plausible alternative.

 

If I have this user's password then I could happily use her hotmail account from here.  I'd send whatever I wanted, remove any traces and she would not be any wiser.  All I would need is her password and user id.  I can get both using commercial tools available on the internet.

 

Common things happen commonly.  What are the chances that someone has cracked MS security over the chances that someone has either put a keylogger on the user's PC (at some time - and on another PC like an internet cafe) or collected it by brute force means or guesses.  I'm leaning towards the account details being left on another PC or captured off another PC (networked or not).  Some partners use or know their partner's hotmail accounts and ... ummm spy on them.

 

Many people use birthdays, names of friends and pets etc.  You can probably get most people's passwords with modest effort.

 

So ...

 

I reckon her account (user name and password) has been compromised somewhere --- another computer / her PC / another site / on a network.  But the details are known and have been used.  It's possible she was lucky and saw tracks (the email) but we cannot say if this has been going on once or for months.

 

Recommend: change user name and change password.

 

Do not create a password that has any connection to you or your family or your pets.  Stick to something along the lines of a memory jingle: "MIKE IS A BIG LOSER WHO NEEDS TO GET A LIFE BEFORE ITS TOO LATE"

 

Equals: MIaBLWNtGaLb4I2L8*! ... before = b4 late = L8 punctuation ... always messes with people.  Camel caps - always messes with people.  It's easy to remember by the mnemonic memory technique.  It's long and includes numbers ... this is a tough password to crack.

 

Just a thought,

 

I think we have solved this or come as close to doing so as possible.

 

Anyone else have a suggestion?
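The mnemonic technique in the post above (initials of a memorable sentence, a few word-to-digit swaps, mixed case, a punctuation tail) can be written down as a repeatable procedure, and the resulting length can be turned into a brute-force cost estimate. The following is an added example for this thread, not code from the post or from Norton; the substitution table, the rule for which words stay lowercase, and the `*!` suffix are my own choices, so the output is the same shape and length as the post's example but not its exact string.

```python
"""Derive a password from a memorable phrase and estimate its brute-force
search space.

Added example, not from the original post. The substitution table and the
lowercase-word list are assumptions of this example.
"""
import math
import re
from typing import Dict, List, Set

# Words replaced by a digit or letter-plus-digit (assumed table).
SUBSTITUTIONS: Dict[str, str] = {"before": "b4", "late": "L8", "too": "2", "for": "4", "ate": "8"}
# Small words keep a lowercase initial; everything else gets an uppercase one.
MINOR_WORDS: Set[str] = {"a", "an", "the", "is", "to", "of", "who", "its", "and"}


def mnemonic_password(phrase: str, suffix: str = "*!") -> str:
    """Turn a sentence into an initials-based password with substitutions."""
    tokens: List[str] = re.findall(r"[A-Za-z']+", phrase.lower())
    parts: List[str] = []
    for word in tokens:
        if word in SUBSTITUTIONS:
            parts.append(SUBSTITUTIONS[word])   # e.g. "before" -> "b4"
        elif word in MINOR_WORDS:
            parts.append(word[0])               # keep small words lowercase
        else:
            parts.append(word[0].upper())       # camel-cap the rest
    return "".join(parts) + suffix


def search_space_bits(password: str) -> float:
    """log2 of the key space an attacker must search if they know only the
    length and character classes used. This is an upper bound: a password
    built from a dictionary phrase is weaker against an attacker who knows
    the scheme, and a pet name plus year is far weaker than its class count suggests."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    phrase = "MIKE IS A BIG LOSER WHO NEEDS TO GET A LIFE BEFORE ITS TOO LATE"
    strong = mnemonic_password(phrase)
    weak = "fluffy1985"  # constructed "pet name + birth year" example
    print(strong, round(search_space_bits(strong), 1), "bits")
    print(weak, round(search_space_bits(weak), 1), "bits")
```

The 19-character result lands well above 120 bits of search space under the class-count model, against roughly 52 for a ten-character pet-name-plus-year; the gap comes almost entirely from length, which is the point the post makes about the phrase being long. Use the estimate to compare candidates, not as a guarantee: any password that a cracker can derive from a dictionary phrase is cheaper to find than the raw class count implies.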

 

I agree with Mike and had the same thought earlier since evelynjohnson86 did not report any other strange behavior on her computer. That is why I was trying to determine how she used her email.

 

Unless evelyn finds other localized computer issues, I believe Mike's conclusion is correct in that the problem is with her web-based email account becoming compromised.

 

Just as an aside, in the Philadelphia area, the hot news story is about one TV news anchorman who has been hacking into a former colleague's yahoo email account to read her mail and release personal info to the press.

 

Change user name and password - Absolutely.

Message Edited by Phil_D on 07-23-2008 01:26 PM

Hi Reese,

 

I believe it must be via Internet Explorer.  It doesn't work through Outlook, and I don't know what Firefox is.

Kind regards, Evelyn

If you use it via Internet Explorer, as you’ve suggested, then it seems unlikely that this was due to a piece of malware that was on your machine. The other speculations may be more on target now.

3 Likes

Dear all,

 

I googled for www.trademop.com because I want to report a similar problem.

 

My mother reported to me that a spam email had been sent to her whole address book that looked like it was from her email account.  I initially told her to ignore it, presuming that somebody had simply managed to obtain headers and "copy" email addresses.  I've seen this before, and it's always somebody imitating addresses in a way that does not imply any hacked accounts.

 

However, when it happened again (in the same way that the user describes, she received a "bounce back" from some old email address from the address book), we looked into it.  I logged on and found, in the "sent mail", a copy of the following (I've stripped her email and the other headers, obviously!).  It was sent on the 23rd July:

 

 -----------------------------
"From:
"XXX XXX" <>
Dear friend:
   Welcome to visit our website:  www.trademop.com
   We are NOKIA, CANON, SONY, ACER and so on several brands, in the Chinese

biggest trade proxy, we may use the most bottom the price, the highest quality,

the best service, the quickest speed to deliver the project in your hand.If you

have some suggestions about our products or our service, please tell us,and we

must accept and improve,and appreciate you very much.


      __________________________________________________________
Not happy with your email address?.
Get the one you really want - millions of new email addresses available now at Yahoo! http://uk.docs.yahoo.com/ymail/new.html"
----------------------------
Now we're in an advantageous position compared with the other user as I have some more details re. the incident.  My mother only ever logs on from her home computer (I've logged her on from my computer today), but her home computer is what she uses to check emails.  She only uses a web based system, and does not use Outlook Explorer/Express or any other type of "computer based" software, so she definitely logs on rather than receiving email to the desktop.  As far as I know (I'm not at her computer), her Norton anti-virus software is fully up to date.  I don't know what firewall protection she has, but I don't think she has Norton firewall.
I've changed the password of her Yahoo! account, but intrigued to find out what the problem might be.  I was horrified to find a copy of an email in her sent items that was not sent from her, as I assumed it was just a header copying issue.
I would be grateful for further advice.
Best regards,
Threewheeled 

threewheeled wrote:

I've changed the password of her Yahoo! account, but intrigued to find out what the problem might be.  I was horrified to find a copy of an email in her sent items that was not sent from her, as I assumed it was just a header copying issue.

I would be grateful for further advice.

assuming that her machine is free of keyloggers and the like...something that would actually steal her password..

 

she was probably the victim of social engineering...  she got an email that enticed her to click a link, or perhaps even within the email displayed what looked like a yahoo login prompt...  you have to remember that what you and I would do as computer savvy people and what your mom would do are probably two different things...   the window may not even have looked exactly right, or had the right thing in the address bar...  but had an official logo... so she put in her username and password. 

 

Yahoo has a machine dependent 'security seal' on the login page, that can be configured to help prevent spoofing, basically it is an image that's stored on the local machine and thrown up just above the login prompt anytime you go to the login page.  Fake or spoofed login pages won't have the user selected image.   So if it's not already set up I would get the 'security seal' image set up on her computer.   Unlike changing the password, you can't do the setup for the security seal from another computer, it is machine dependent.   Then make sure your mom knows to only login if she sees that image.

 

Check out her norton too... make sure it's up to date... and run a full system scan in safe mode...

 

Thank you for your quick response.  I'll have to wait to go back home before I can set up the user image thing etc.    However, thank you for the tips.  I'm hoping that any other affected people might post so that it's possible to get an idea of how exactly the problem crept in.

 

Best regards

 

Threewheeled

1 Like

Hi,  I just came searching on the internet for an answer because I have also had the same problem,   same email content.  I am on AOL broadband.   I got a couple of messages back saying that the message had been rejected and when I checked in my sent folder I found it.   My Norton account is up to date,  and I did another scan as soon as I found it but the scan found nothing.

 

I am fairly sure that the infection came in through opening an infected email.

 

I was talking today (in person) with a friend who works in IT and the email generated from my account was the second of this email she had received this week,   she had opened the first one and the same had happened.   Her company have impressive protection systems in place.

 

I am just concerned as to what other problems might result from this one.

 

 

1 Like

Hi JG_GW,

 

I'll have to ask you the same question that was discussed earlier in this topic.

 

How do you use your email account?

 

Is it strictly through a web interface such as Internet Explorer or Firefox, or is it a separate onboard email program such as Outlook, Outlook Express, Windows Mail?

 

Let us know.

It's an AOL account. I run it via the AOL package, which does require me to sign in. I have a number of email identities through the AOL account, and the only one this problem occurred with is the one which received the suspect email. I didn't click on any links through to the website listed in the email. I just presumed that my friend's email id had been used in a fake header and hit the delete button. I was a bit puzzled to get emails from three contacts suggesting I had sent the same email to them, so I had a look in my sent folder within the AOL package. It showed the email had been sent from my machine, actually it was clever enough to send out two emails, one to 19 addresses from my address book, the other to 21 further addresses.

 

I know from the days when I used to work away from home and access my email account via a web interface that emails sent from a remote computer would not appear in my sent folder. So the problem is definitely one of an email being sent out from my home PC.

 

I have just noticed that in the case of the email forwarded on from my machine the website link is different to the previous person who referred to the problem. So it would appear that there are two versions of the rogue email circulating. The link is www.goolebo.c_m in the version that was sent to me.

 

At present there doesn't seem to be any effect on my PC other than the email being forwarded on, but I want to be sure that there will not be problems in the future.

 

 

[edit: broke link to potentially hazardous site.]

Message Edited by Allen_K on 08-31-2008 07:50 AM

I need a bit more information and please understand I am not trying to be condescending.

 

What type of AOL package are you using? An installed email client such as Outlook Express or others would have required an initial set up which would include you selecting the incoming and outgoing email servers such as "POP", "IMAP", "SMTP".  Do you recall doing any of that?

 

A web-based email client would not require you to designate servers.

 

If someone had "spoofed" your email address then you would not see any strange items in your sent box.

 

However, if a web-based account has been compromised by someone (or something) obtaining your username and password and is using the account to send mail, then you will see items in your sent box which were not generated by you. In that case, a scan of your computer would come up clean because the activity is occurring on the server, not on your computer.

 

You mentioned "It showed the email had been sent from my machine".  Can you expand on that further?

 

Look forward to hearing back from you.

Message Edited by Phil_D on 08-31-2008 12:44 AM

The installed client on my machine is  AOL version 9.0   With AOL they supply their own package,  which has a range of security checks on emails coming in and out.   I am not an expert on the structure of the AOL system and its level of security in comparison to other packages that you can buy and run in combination with email clients like Outlook Express.  It's simply that it made good sense when I first set up my email accounts and although in recent years there have been more and more options available with other service providers coming on the market there's never been a practical time to switch email addresses. 

 

It is possible with an AOL account to log in via IE and access your emails.   But when you do that the information in the folders on my own PC is not automatically updated with copies of the emails you have read and messages sent.    So I am sure that the emails sent out came from my PC.  I opened the suspect incoming email on the Wednesday evening and when I next went online on the Thursday morning the emails were sent out.

 

My system is set up as default so that any links in an incoming email are only activated by two clicks,  I have to click on the option to enable the link in that message,  then click on the link in the message to activate it.  

 

This didn't occur through clicking on a link and putting in my email password and id.

 

I realise you are not being condescending,   I used to work in development and testing of embedded IT systems,  so I fully understand that you need to be clear on events to come up with ideas on what has happened. 

 

 

Jillie

Jillie,

 

I'll be the first to admit when I don't understand something fully; such as your email client. I am not familiar with the AOL packages, and at first I thought you to be using a web-based client. However, since you say that you have mail folders on your computer, then that throws a curve ball at my web-based theory!

 

Have you noticed any other suspicious activity on your computer, i.e. slowdowns, excessive memory or cpu usage?

 

I would check your system again by performing a manual Live Update in Norton. Then restart the computer in SAFE MODE and run a full system scan with Norton.

 

If that does not yield any malware or viruses, then as an added check, download, install and update the FREE version of Malwarebytes. Please note that the free version is an on-demand scanner and does run in the background so it will not interfere with Norton.  Run that scan in both NORMAL and SAFE MODE.

 

Let us know the results.

Message Edited by Phil_D on 08-31-2008 02:56 PM