Sending spam when machine switched off?

[Caspian]

Dear Community,

Firstly let me explain that my back-ground is in solution
development so I do not have much of a real understanding in security
issues. I have been asked by one of my clients to investigate why he
seems to be getting hundreds of bounce-back emails in his email inbox
every morning. The email headers indicate that the original message was
posted from his pop3 btconnect email account that he has with his ISP
[btconnect]. He accesses his email via outlook express which pulls the
emails via his email account details. I can access this pop3 through
the ISP browser interface, but the account appears empty, and I assume
this is because the emails are removed once they are transferred to
local pc via outlook express.

I started by installing and updating McAfee security centre which I
then used to scan the clients pc for offending viruses, but the
client's pc was clean. I then ensured that the pc was up-to-date with
Microsoft Updates and security patches. I then entertained the idea
that the pop3 account may have been Hi-jacked and changed the account
password for his pop3 account and replicated the new password in his
outlook to ensure his email continues to be downloaded.

I then took a closer look at the header information for the bounced
email accounts which indicated that the original email accounts were
being transmitted at around 1am in the morning; however the client
turns his machine off religiously at closing of play everyday. So if
the pc is switched off, how is it possible that his account sends spam.


I'm now entertaining the idea that the btconnect servers may be
affected by a Trojan email virus of some form or another. I've simply
run out of ideas. I've phoned btconnect and they deny any possibility
that a virus may exist on there servers.

So how is it possible that my clients email account is being used to
transmit span when his machine if off?

Any help gratefully received!

Regards,

Tim

 

[Mr. Arnold4]

So how is it possible that my clients email account is being used to
transmit span when his machine if off?

Why of course, one can use any valid email account on an email server
from another machine to send email or spoof an email address.

Duane

 

[Caspian]

So ... Duane ... do you believe that someone is posting spam using my
clients address as a spoof address ?

Tim

 

[Ewan Hoozarmi]

@j44g2000cwa.googlegroups.com>, (e-mail address removed)
says...

So ... Duane ... do you believe that someone is posting spam using my
clients address as a spoof address ?

Tim

Yes, he does. So do I. It's common.

 

[Ernie B.]

So how is it possible that my clients email account is being used to
transmit span when his machine if off?

Forging the return address in the 'From:' field is trivial, anyone can do it
and it's a common spammer trick. There isn't much you or your client can do
about it except to delete the bounces and wait it out, it will be someone
else's turn tomorrow.

There's also the remote possibility of a 'joe job',
<http://en.wikipedia.org/wiki/Joe_job> if your client has annoyed someone.

 

[Virus Guy]

I have been asked by one of my clients to investigate why he
seems to be getting hundreds of bounce-back emails in his
email inbox every morning. The email headers indicate that
the original message was posted from his pop3 btconnect
email account that he has with his ISP [btconnect].

Someone on the receiving end of one of those spam e-mails would have
to look at the full header (or relay the full header to you via fax or
cut-and-paste it into an e-mail to you).

In some cases, the bounce message *may* contain an unmolested version
of this header, but it usually doesn't happen. Almost always you'll
have to see the full header as received by the recipient. Some e-mail
clients (like outlook) make it somewhat difficult to actually see the
full header of e-mail.

By looking at the header, it is very easy to see the IP address of the
actual machine that is the origination of the spam e-mail. A reverse
lookup or whois on the IP would tell you the where (geographically)
the source machine is located, and potentially the city.

As has already been mentioned, it is always the case for the past few
years for spam to be constructed such that the sender's identity (as
in the message "From:" or "Reply-to:") is spoofed or forged.
Sometimes the identity is a completely random fabrication (a junk name
@ a non-existant domain) and sometimes it's been borrowed from a name
on the list of spam recipients being used for that particular spam
run.

And has already been mentioned, these bounces will stop completely in
about 1 or 2 weeks, and most likely will never happen again to your
client.

 

[Caspian]

Thanks for you help folks ... unfortunate this has been going on for
several months [6-8] so I think this may be malicious. Unfortunately,
its virtually impossible to track down the perpetrator.

Kind Regards,

Tim

 

[Beauregard T. Shagnasty]

Thanks for you help folks ... unfortunate this has been going on for
several months [6-8] so I think this may be malicious. Unfortunately,
its virtually impossible to track down the perpetrator.

After "months", it is either the aforementioned Joe Job (though that is
still a long time), or there is a virus-infected friend of your client -
a clueless newbie with a machine sending out virus-laden emails to all
the addresses it found on that PC.

This happened to me last year; an infected PC in Saskatchewan was
sending email to others, using my web site's address as the FROM:

It does help to have an original message to see the full headers.

 

[Duh_OZ]

Thanks for you help folks ... unfortunate this has been going on for
several months [6-8] so I think this may be malicious. Unfortunately,
its virtually impossible to track down the perpetrator.

Kind Regards,

Tim

=========
I haven't used O.E. in some time now. If there is no pertinent
corporation information in the headers could you cut and paste them for
viewing? I think you can highlight the e-mail and then press CTRL/F3
to bring up the headers. Also send an e-mail from the computer to
yours, capturing the headers for comparison.

Apologies if my idea is off base...........