Office user receives blank email with no specified sender, no specified recipient, etc... with a twist

Deuce_IT

I have a client's office in which 2 users just reported receiving ~500
and ~400 messages over the course of the day with no identifying
information. Checked the headers and they look very short (known IPs
and names have been changed to protect privacy):

* (qmail 30056 invoked from network); 26 Jun 2008 15:24:20 -0500
* from mail.geitech.com (HELO aedesk11) (xx.x.226.186) by 157587-www1.xxxxxxx.com with SMTP; 26 Jun 2008 15:24:20 -0500 QUIT

X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on 157587-www1.xxxxxxx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=4.0 tests=BAYES_00,MISSING_HB_SEP,MISSING_SUBJECT,TO_CC_NONE autolearn=no version=3.1.9

So, I understand that mail.geitech.com resolves to 199.231.136.136,
which is located in Kentucky (not affiliated with our client's office
in California); however, a friend of mine at the email provider (these
are POP accounts) said it was brought to their attention that the one
user at the office (not one of the two that received all these emails)
had authenticated hundreds of times to send out these emails. Sounds
like a compromised email password; however, I've completed Spybot,
Ad-Aware, SuperAntiSpyware and Symantec Endpoint AV scans, reviewed the
HijackThis log, and there is NOTHING out of the ordinary, nor have the
scans returned ANY threats.

And MOREOVER... these emails that were sent started at roughly the same
time the user's PC (the one whose credentials were used to authenticate
with the SMTP server) had been turned on and Outlook started, and
stopped once the PC was shut down. Once the mail provider changed the
password the messages stopped; however, we have not entered the new
PW into Outlook.

So to recap...

Blank emails.
Headers state the origin is in KY.
User PC in CA.
Starts and stops in conjunction with the user's PC in CA.
No scans result in any threat, nor does the HijackThis log show anything
out of the ordinary.

Any ideas?

Thanks for the help!
-Jeff
 
Hal Hostetler [MVP P/I]

This is a common sort of thing for an AntiVirus application set up to do
email scanning to do when it develops a problem. If you're running an AV
scanner set up this way on the suspect client PC, you need to uninstall it
and do a custom re-install without the email scanning modules. Email
scanning is redundant, it does nothing but cause problems, and a PC is still
fully protected without it, provided the resident file system scanner is
kept up to date.

Hal
--
Hal Hostetler, CPBE -- (e-mail address removed)
Senior Engineer/MIS -- MS MVP-Print/Imaging -- WA7BGX
http://www.kvoa.com -- "When News breaks, we fix it!"
KVOA Television, Tucson, AZ. NBC Channel 4
Live at Hot Licks - www.badnewsbluesband.com
 
Deuce_IT

OK, here's an update. We did find that the user whose account was being
authenticated with the SMTP server had created an Outlook appointment,
and there were 3 users specified as attendees, 2 of which had been
receiving the blank emails, but the 3rd hadn't reported any emails
because they had been moved to her Junk folder. Apparently, when she
sent out the appointment, it was stuck in sending as "delayed". Once
this appointment was deleted, the messages stopped.

When I initially started researching this issue, I was only able to
find suggestions related to spyware and virus scanning, so I
mistakenly took that path of troubleshooting.

Thanks to both of you for your help!



Do they start when you turn the PC on or when you start Outlook?
There is a big difference.
Could there be a message stuck in the Outbox or do you have a virus scanner
installed that integrates with Outlook?
Disable this integration and check for stuck messages.
See http://www.howto-outlook.com/howto/deletereadreceipt.htm

--
Robert Sparnaaij [MVP-Outlook]
Coauthor, Configuring Microsoft Outlook 2003 http://www.howto-outlook.com/
Outlook FAQ, HowTo, Downloads, Add-Ins and more

http://www.msoutlook.info/
Real World Questions, Real World Answers

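Worked example, added here and not code from any of the posters: a script that does the header triage this thread turned on. It pulls the client hop out of each Received line (the HELO name the submitting client gave for itself, the connecting IP, the PTR name the relay looked up, and the timestamp) plus the SpamAssassin rules that fired, then groups the blank-signature messages by submitting client and checks whether every send falls inside the suspect PC's uptime window. One client name and every send inside the window points at a stuck item in that client's Outbox, which is what the update above found; a send from another host, or while the PC was off, points at the password being used elsewhere. The messages it runs on are constructed after the single header block posted above; the example.net/example.com/example.org names, the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses, and the 08:00 to 17:30 uptime window are assumptions.

```python
"""Header triage for a flood of near-empty messages: which client submitted them,
from which IP, when, and which SpamAssassin rules fired. Added example, not code
from the thread; the messages are constructed after the single header block
posted above, with example.* names and documentation-range IPs as placeholders."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Client hop as qmail records it; "QUIT" after the timestamp is what the posted header shows.
RECEIVED_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[^)]+)\) "
    r"by (?P<relay>\S+)[^;]*;\s*(?P<date>.*?)(?:\s+QUIT)?$")
TESTS_RE = re.compile(r"tests=(?P<tests>.*?)\s+autolearn=")
SCORE_RE = re.compile(r"score=(?P<score>-?\d+(?:\.\d+)?)")
# Rules that fired on the posted message: no Subject, no To/Cc, no header/body separator.
BLANK_SIGNATURE = {"MISSING_SUBJECT", "TO_CC_NONE", "MISSING_HB_SEP"}

OFFSET_0500 = timezone(timedelta(hours=-5))                 # offset used in the posted header
PC_ON = datetime(2008, 6, 26, 8, 0, tzinfo=OFFSET_0500)     # assumed uptime window of the
PC_OFF = datetime(2008, 6, 26, 17, 30, tzinfo=OFFSET_0500)  # suspect PC (constructed)


def _flood_message(ts, helo="aedesk11", ip="192.0.2.186"):
    """Constructed message in the shape of the header block posted above."""
    return (f"Received: (qmail 30056 invoked from network); {ts}\n"
            f"Received: from mail.example.net (HELO {helo}) ({ip})\n"
            f"  by mx1.example.com with SMTP; {ts} QUIT\n"
            "X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on mx1.example.com\n"
            "X-Spam-Level: *\nX-Spam-Status: No, score=1.8 required=4.0\n"
            "  tests=BAYES_00,MISSING_HB_SEP, MISSING_SUBJECT,TO_CC_NONE autolearn=no\n"
            "  version=3.1.9\n\n")


NORMAL_MESSAGE = (  # constructed ordinary mail that arrived the same day
    "Received: (qmail 4411 invoked from network); 26 Jun 2008 22:10:03 -0500\n"
    "Received: from smtp.example.org (HELO smtp.example.org) (198.51.100.7)\n"
    "  by mx1.example.com with SMTP; 26 Jun 2008 22:10:03 -0500 QUIT\n"
    "From: vendor@example.org\nTo: user@example.com\nSubject: Invoice 1042\n"
    "X-Spam-Status: No, score=0.1 required=4.0 tests=BAYES_00 autolearn=ham\n"
    "  version=3.1.9\n\nPlease find the invoice attached.\n")
SAMPLE_MESSAGES = [_flood_message(ts) for ts in ("26 Jun 2008 08:14:02 -0500",
                   "26 Jun 2008 15:24:20 -0500", "26 Jun 2008 16:58:47 -0500")] + [NORMAL_MESSAGE]
# Same blank signature, but from another host while the PC was off.
OFF_HOURS_MESSAGE = _flood_message("27 Jun 2008 02:03:11 -0500", helo="unknown-host", ip="203.0.113.9")


def _flat(value):
    """Unfold a folded header value into a single line."""
    return " ".join((value or "").split())


def parse_headers(raw):
    """Extract the triage fields from one raw message."""
    msg = message_from_string(raw)
    hop = None
    for received in msg.get_all("Received", []):
        hop = RECEIVED_RE.search(_flat(received))
        if hop:  # qmail's "invoked from network" line names no host, so it is skipped
            break
    if hop is None:
        raise ValueError("no client hop in Received headers")
    status = _flat(msg.get("X-Spam-Status"))
    tests_m, score_m = TESTS_RE.search(status), SCORE_RE.search(status)
    tests = {t.strip() for t in tests_m.group("tests").split(",")} - {""} if tests_m else set()
    return {"rdns": hop.group("rdns"),   # PTR of the connecting IP; not who submitted
            "helo": hop.group("helo"),   # name the submitting client announced for itself
            "ip": hop.group("ip"), "relay": hop.group("relay"),
            "when": parsedate_to_datetime(hop.group("date")),
            "score": float(score_m.group("score")) if score_m else None,
            "tests": tests, "blank": BLANK_SIGNATURE <= tests}


def triage(raw_messages, pc_on=PC_ON, pc_off=PC_OFF):
    """Group blank-signature messages by submitting client and check whether
    every one was sent while the suspect PC was on."""
    parsed = [parse_headers(r) for r in raw_messages]
    blank = [p for p in parsed if p["blank"]]
    origins = Counter((p["helo"], p["ip"]) for p in blank)
    inside = sum(pc_on <= p["when"] <= pc_off for p in blank)
    if not blank:
        verdict = "no blank-signature messages"
    elif len(origins) == 1 and inside == len(blank):
        verdict = ("single client, every send inside the PC's uptime window: check that "
                   "client's Outbox for a stuck item before treating the password as compromised")
    else:
        verdict = ("a send from another client or while the PC was off: treat as "
                   "credential abuse and pull the provider's authentication log")
    return {"total": len(parsed), "blank": len(blank), "origins": dict(origins),
            "inside_window": inside, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES))
    print(triage(SAMPLE_MESSAGES + [OFF_HOURS_MESSAGE]))
```

Note what the script deliberately does not do: forward-resolve or geolocate the PTR name (mail.geitech.com in the post). That name is only what reverse DNS returned for the connecting address, and the forward lookup in the post (199.231.136.136) does not even match the IP in the header (xx.x.226.186). The IP in parentheses, the HELO name, and the provider's authentication log are what place the submitter; the verdict strings are a heuristic to decide which of those to chase first.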
 
Hal Hostetler [MVP P/I]

Thanks for the feedback!

Hal

 
Roady [MVP]

You're welcome! And thanks for posting your solution.


