AOL email hacked? [Archive] - Glock Talk



havensal
06-17-2010, 11:56
My boss's wife brought me her laptop to clean. She said that she had a virus that was sending spam to everyone in her address book.

I have run every scan I can and nothing comes up. Norton, SuperAntispyware, Malwarebytes antimalware, Panda active scan. It's Win7 X64 so combofix will not run.

She is getting a bunch of bounce back emails but there are also some in her sent mail folder.

Here are the ones I sent myself from her account...


From her Inbox
*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to the e-mail
administrator or Postmaster at that destination.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<EMAIL ADDRESS>
(reason: 550 [SUSPEND] Mailbox currently suspended - Please contact
correspondent directly)
<EMAIL ADDRESS>
(reason: 550 5.2.1 The email account that you tried to reach is disabled.
v1si5233880qcq.172)
<EMAIL ADDRESS>
(reason: 554 Message not allowed - [PH01] Email not accepted for policy
reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120])
<EMAIL ADDRESS>
(reason: 554 Message not allowed - [PH01] Email not accepted for policy
reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120])
<EMAIL ADDRESS>
(reason: 554 Message not allowed - [PH01] Email not accepted for policy
reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120])

----- Transcript of session follows -----
... while talking to scc-mailrelay.att.net.:
>>> DATA
<<< 550 [SUSPEND] Mailbox currently suspended - Please contact correspondent
directly
550 5.1.1 <EMAIL ADDRESS>... User unknown
<<< 503 need RCPT command [data]
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 550 5.2.1 The email account that you tried to reach is disabled.
v1si5233880qcq.172
550 5.1.1 <EMAIL ADDRESS>... User unknown
... while talking to h.mx.mail.yahoo.com.:
>>> DATA
<<< 554 Message not allowed - [PH01] Email not accepted for policy reasons.
Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]
554 5.0.0 Service unavailable

Final-Recipient: RFC822; EMAIL ADDRESS
Action: failed
Status: 5.1.1
Remote-MTA: DNS; scc-mailrelay.att.net
Diagnostic-Code: SMTP; 550 [SUSPEND] Mailbox currently suspended - Please
contact correspondent directly
Last-Attempt-Date: Thu, 17 Jun 2010 12:09:19 -0400

Final-Recipient: RFC822; EMAIL ADDRESS
Action: failed
Status: 5.2.1
Remote-MTA: DNS; gmail-smtp-in.l.google.com
Diagnostic-Code: SMTP; 550 5.2.1 The email account that you tried to reach is
disabled. v1si5233880qcq.172
Last-Attempt-Date: Thu, 17 Jun 2010 12:09:19 -0400

Final-Recipient: RFC822; EMAIL ADDRESS
Action: failed
Status: 5.0.0
Remote-MTA: DNS; h.mx.mail.yahoo.com
Diagnostic-Code: SMTP; 554 Message not allowed - [PH01] Email not accepted for
policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120]
Last-Attempt-Date: Thu, 17 Jun 2010 12:09:33 -0400

Final-Recipient: RFC822; EMAIL ADDRESS
Action: failed
Status: 5.0.0
Remote-MTA: DNS; h.mx.mail.yahoo.com
Diagnostic-Code: SMTP; 554 Message not allowed - [PH01] Email not accepted for
policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120]
Last-Attempt-Date: Thu, 17 Jun 2010 12:09:33 -0400

Final-Recipient: RFC822; EMAIL ADDRESS
Action: failed
Status: 5.0.0
Remote-MTA: DNS; h.mx.mail.yahoo.com
Diagnostic-Code: SMTP; 554 Message not allowed - [PH01] Email not accepted for
policy reasons. Please visit http://postmaster.yahoo.com/errors/postmaster-27.html
[120]
Last-Attempt-Date: Thu, 17 Jun 2010 12:09:33 -0400

Return-Path: <EMAIL ADDRESS>
Received: from imo-ma02.mx.aol.com (imo-ma02.mx.aol.com [64.12.78.137])
by imr-mb01.mx.aol.com (8.14.1/8.14.1) with ESMTP id o5HG8Mq4030325;
Thu, 17 Jun 2010 12:08:22 -0400
Received: from EMAIL ADDRESS
by imo-ma02.mx.aol.com (mail_out_v42.9.) id r.d70.a2eaf32 (34956);
Thu, 17 Jun 2010 12:08:14 -0400 (EDT)
Received: from smtprly-de02.mx.aol.com (smtprly-de02.mx.aol.com
[205.188.249.169]) by cia-da06.mx.aol.com (v129.4) with ESMTP id
MAILCIADA065-b2374c1a485c354; Thu, 17 Jun 2010 12:08:14 -0400
Received: from webmail-d071 (webmail-d071.sim.aol.com [205.188.167.105]) by
smtprly-de02.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYDE024-b2374c1a485c354;
Thu, 17 Jun 2010 12:07:56 -0400
To: EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS
Content-Transfer-Encoding: quoted-printable
Subject: Private e-mail about breaching the rules from Gmail's administration
Date: Thu, 17 Jun 2010 12:07:56 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 89.32.55.43
X-MB-Message-Type: User
MIME-Version: 1.0
From: EMAIL ADDRESS
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailer: AOL Webmail 31888-MOBILE
Received: from 89.32.55.43 by webmail-d071.sysops.aol.com (205.188.167.105) with
HTTP (WebMailUI); Thu, 17 Jun 2010 12:07:56 -0400
Message-Id: <8CCDC4E62207B80-1614-C955@webmail-d071.sysops.aol.com>
X-Spam-Flag:NO
X-AOL-SENDER: EMAIL ADDRESS



From her Sent folder
From: EMAIL ADDRESS
To: info@tinyprints.com
Sent: Thu, Jun 17, 2010 12:10 pm
Subject: Re: Urgent e-mail about you account from Gmail Delivery Service (Automatic Response)
http://korambayil.com/pharma.html

From: EMAIL ADDRESS
To: EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS EMAIL ADDRESS
Sent: Thu, Jun 17, 2010 12:07 pm
Subject: A little data about the acc's expiration from Gmail Delivery Service
Good afternoon! Anti-spam bot of Gmail.com extends a greeting to you. It's a pity, but your account was blocked. There are the things you should do: if you'd been sending spam by your e-mail, we recommend you to register a new acc. If you hadn't been sending ads and want to unlock your account, you should follow this link: klt0.hotmailmailcenter.ru/index_google.htm . This mail was formed automatically. It isn't necessary to answer the letter. Yours faithfully, Gmail.com.



I took out the actual address and replaced it with "EMAIL ADDRESS".

I am going to make sure she changes her password, but what else should I recommend? :dunno:
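One way to read the headers quoted above, added here as an example and not part of the original post: the script walks the Received chain from the earliest hop outwards and reports whether the message entered AOL through a browser login (an HTTP/WebMailUI hop, as in the quoted headers) or from a mail client over SMTP, and which client IP did the submitting. The sample header block is constructed from the quoted headers with a placeholder address; the cross-check against X-AOL-IP is an assumption about how that header is populated.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post above; the From
# address is a placeholder, the IPs, host names and X- headers are as shown there.
SAMPLE_HEADERS = """\
Received: from webmail-d071 (webmail-d071.sim.aol.com [205.188.167.105]) by
 smtprly-de02.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYDE024-b2374c1a485c354;
 Thu, 17 Jun 2010 12:07:56 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 89.32.55.43
X-Mailer: AOL Webmail 31888-MOBILE
Received: from 89.32.55.43 by webmail-d071.sysops.aol.com (205.188.167.105) with
 HTTP (WebMailUI); Thu, 17 Jun 2010 12:07:56 -0400
From: victim@example.com

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Earliest hop of a webmail submission: "from <client ip> by <webmail host> ... with HTTP"
HTTP_HOP = re.compile(rf"from\s+({IPV4})\s+by\s+(\S+).*?\bwith\s+HTTP\b")


def classify_origin(raw_headers: str) -> dict:
    """Work out how the message entered the provider: a browser session (webmail)
    or a mail client speaking SMTP. For webmail, the earliest hop names the client IP."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []        # top = latest hop, bottom = earliest
    info = {"submission": "unknown", "client_ip": None, "consistent": False,
            "mailer": msg.get("X-Mailer", "").strip(), "hops": len(received)}
    for hop in reversed(received):                  # walk from the origin outwards
        m = HTTP_HOP.search(" ".join(hop.split()))  # unfold the header before matching
        if m:
            info["submission"] = "webmail"
            info["client_ip"] = m.group(1)
            break
    else:
        # No HTTP hop: the message was handed over by an SMTP client (e.g. Outlook),
        # so the submitting machine is whatever the earliest Received line names.
        info["submission"] = "smtp_client" if received else "unknown"
    # Cross-check against the provider's own record of the submitting IP (assumed
    # to be what X-AOL-IP carries, based on the quoted headers).
    tagged_ip = msg.get("X-AOL-IP", "").strip()
    info["consistent"] = bool(info["client_ip"]) and info["client_ip"] == tagged_ip
    return info


if __name__ == "__main__":
    print(classify_origin(SAMPLE_HEADERS))
```

A webmail submission from an IP that is not the owner's, with X-Mailer naming the web client rather than Outlook, points at the account credentials rather than the laptop, which is the check worth making before spending more time on malware scans.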

IndyGunFreak
06-17-2010, 13:05
Is this happening when she uses her AOL account w/ Outlook, or when she uses the web interface? Is it possible she has her AOL account set up via Outlook on another machine, that is actually the one infected and sending the SPAM... and the bounce backs are simply visible on the laptop.

Changing the password is definitely a good idea. If she did set it up w/ Outlook at some point on an infected machine, it will keep the machine from sending/receiving w/ that account.

IGF

MavsX
06-17-2010, 13:20
Spam backscatter.

KharToon
06-17-2010, 15:56
Her password was hacked and somebody was spamming from her account. Most likely her computer never had anything to do with it.