problem with emails-- little help from a guru pls [Archive] - Glock Talk



EvilGenius
05-02-2005, 21:05
Here's my situation. Out of the blue today I started getting emails bounced back to me that I've never sent. At first, they were getting bounced back to a proxy I used for all incoming email, so I figured my password had been hacked, but now, they are getting bounced back to my real deal pop3 email account--the one that no one knows!

I run kerio firewall, and can pass pretty much any sniffer that you want to throw at me, plus the standard AVG etc., etc.


When I last noticed, I went ahead and ran an AVG check. Instead of giving me "ok" for all the checks it runs at the beginning of the scan, three of them came back labeled "change" --

user32.dll
shell32.dll
ntoskrnl.exe

I would love any help you can offer -- here's a copy of one of the emails:


Message from yahoo.com.
Unable to deliver message to the following address(es).

<bounce@yahoo-inc.com>:
216.145.48.28 does not like recipient.
Remote host said: 550 5.1.1 <bounce@yahoo-inc.com>... User unknown
Giving up on 216.145.48.28.

--- Original message follows.

Return-Path: <webmaster@xxxxxx.endjunk.com>

The original message is over 5k. Message truncated to 1K.

X-Rocket-Spam: 204.196.228.2
X-YahooFilteredBulk: 204.196.228.2
X-Rocket-Track: 2436407: 20 ; SERVER=216.155.197.130
Authentication-Results: mta162.mail.re2.yahoo.com
from=xxxxxx.endjunk.com; domainkeys=neutral (no sig)
X-Originating-IP: [204.196.228.2]
Return-Path: <webmaster@thadhayes.endjunk.com>
Received: from 204.196.228.2 (HELO fhnmekwwk.com) (204.196.228.2)
by mta162.mail.re2.yahoo.com with SMTP; Mon, 02 May 2005 17:15:04 -0700
From: webmaster@xxxx.endjunk.com
To: private@yahoo.com
Date: Mon, 02 May 2005 23:56:02 GMT
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <de0a.7ed2e845a927b@xxxxxx.endjunk.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====8ed87fb7e4ca23bdb.ecd"
Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.

--====8ed87fb7e4ca23bdb.ecd

Account and Password Information are attached!

Visit: http://www.xxxxxxx.endjunk.com
--====8ed87fb7e4ca23bdb.ecd
Content-Type: application/octet-stream; name=account_info-text.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename
*** MESSAGE TRUNCATED ***



-- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.308 / Virus Database: 266.11.1 - Release Date: 5/2/2005


and another that's a bit different


Message from yahoo.com.
Unable to deliver message to the following address(es).

<yahoomail-support@yahoo-inc.com>:
216.145.48.33 failed after I sent the message.
Remote host said: 554 5.6.1 Certain attachments are not allowed for security reasons.Your message has been rejected.

--- Original message follows.

Return-Path: <xxxxx@earthlink.net>

The original message is over 5k. Message truncated to 1K.

Delivered-To: yahoo.de-admin@yahoo.de
X-Rocket-Spam: 204.196.228.2
X-YahooFilteredBulk: 204.196.228.2
X-Rocket-Track: 2721988: 20 ; SERVER=216.155.197.128
Authentication-Results: mta122.mail.re2.yahoo.com
from=earthlink.net; domainkeys=neutral (no sig)
X-Originating-IP: [204.196.228.2]
Return-Path: <xxxxx@earthlink.net>
Received: from 204.196.228.2 (HELO tbgqwqjxi.net) (204.196.228.2)
by mta122.mail.re2.yahoo.com with SMTP; Mon, 02 May 2005 18:07:58 -0700
From: xxxxxxx@earthlink.net
To: mailhost@yahoo.de
Date: Tue, 03 May 2005 00:50:08 UTC
Subject: Ich bin's, was zum lachen ;)
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <311022acff.d5ca7@yahoo.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=3bec3b30.2ca074fb5"
Content-Transfer-Encoding: 7bit
This is a multi-part message in MIME format.

--=3bec3b30.2ca074fb5

Nun sieh dir das mal an!
Was ein Ferkel ....
--=3bec3b30.2ca074fb5
Content-Type: application/octet-stream; name=LOL.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="LOL.zip"

UEsDBAoAAAAAAAGAojKuS6g1MtEAADLRAAAmAAAAV2luemlwcGVkLVRleHR
*** MESSAGE TRUNCATED ***



-- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.308 / Virus Database: 266.11.1 - Release Date: 5/2/2005

jrny
05-02-2005, 21:37
Looks like info from the virus Win32/Sober.O worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html

srhoades
05-02-2005, 22:13
More than likely you are not the one infected. The infected person has you in their address book, so the virus spoofs the sender when it sends out its infected emails.
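
One way to check the spoofing explanation above against the bounces themselves, as an added example that is not part of the original thread: the script pulls the headers of the quoted "original message" out of each non-delivery report and compares the connecting IP and HELO name recorded by Yahoo's MTA with the domain the From: line claims. The two NDR excerpts are abridged from the bounces quoted in the first post; the function names and the consistency heuristic are mine, not anything the posters ran.

```python
"""Triage non-delivery reports whose quoted original claims to be from you.
Added example for this thread; the excerpts are abridged from the first post."""
import re

# Abridged from the first bounce in the thread (550 User unknown).
BOUNCE_1 = """\
Message from yahoo.com.
Remote host said: 550 5.1.1 <bounce@yahoo-inc.com>... User unknown

--- Original message follows.

Return-Path: <webmaster@xxxxxx.endjunk.com>
Authentication-Results: mta162.mail.re2.yahoo.com
from=xxxxxx.endjunk.com; domainkeys=neutral (no sig)
X-Originating-IP: [204.196.228.2]
Received: from 204.196.228.2 (HELO fhnmekwwk.com) (204.196.228.2)
by mta162.mail.re2.yahoo.com with SMTP; Mon, 02 May 2005 17:15:04 -0700
From: webmaster@xxxx.endjunk.com
To: private@yahoo.com
Subject: Registration Confirmation
Content-Type: multipart/mixed; boundary="====8ed87fb7e4ca23bdb.ecd"
This is a multi-part message in MIME format.

--====8ed87fb7e4ca23bdb.ecd
"""

# Abridged from the second bounce (554 attachment rejected).
BOUNCE_2 = """\
Message from yahoo.com.
Remote host said: 554 5.6.1 Certain attachments are not allowed for security reasons.

--- Original message follows.

Return-Path: <xxxxx@earthlink.net>
Authentication-Results: mta122.mail.re2.yahoo.com
from=earthlink.net; domainkeys=neutral (no sig)
X-Originating-IP: [204.196.228.2]
Received: from 204.196.228.2 (HELO tbgqwqjxi.net) (204.196.228.2)
by mta122.mail.re2.yahoo.com with SMTP; Mon, 02 May 2005 18:07:58 -0700
From: xxxxxxx@earthlink.net
To: mailhost@yahoo.de
Subject: Ich bin's, was zum lachen ;)
Content-Type: multipart/mixed; boundary="=3bec3b30.2ca074fb5"
This is a multi-part message in MIME format.

--=3bec3b30.2ca074fb5
"""

MARKER = "--- Original message follows."
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\(([\d.]+)\)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def original_headers(bounce: str) -> dict:
    """Headers of the message quoted inside the NDR, as {name: value}.
    A line that is not 'Name: value' is treated as a continuation of the previous
    header (this copes with the unindented folding in the forum paste). Parsing
    stops at the first MIME boundary; a repeated header keeps its last value."""
    _, _, tail = bounce.partition(MARKER)
    headers, current = {}, None
    for raw in tail.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):
            break
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            headers[current] = m.group(2)
        elif current is not None:
            headers[current] = headers[current] + " " + line
    return headers


def sender_domain(headers: dict):
    """Domain of the From: header, i.e. the identity being impersonated."""
    m = re.search(r"@([\w.-]+)", headers.get("From", ""))
    return m.group(1).lower() if m else None


def originating_hop(headers: dict):
    """(connecting IP, HELO name) as recorded by the receiving MTA in Received:."""
    m = RECEIVED_RE.search(headers.get("Received", ""))
    return (m.group(2), m.group(1).lower()) if m else (None, None)


def triage(bounce: str) -> dict:
    """Heuristic: a host really sending for a domain normally identifies itself
    (HELO) inside that domain. A random hostname plus an unsigned message is the
    pattern of a worm's own SMTP engine with a forged From:, i.e. backscatter."""
    h = original_headers(bounce)
    domain = sender_domain(h)
    ip, helo = originating_hop(h)
    xoip = IPV4_RE.search(h.get("X-Originating-IP", ""))
    dk = re.search(r"domainkeys=(\w+)", h.get("Authentication-Results", ""))
    consistent = bool(domain and helo and (helo == domain or helo.endswith("." + domain)))
    return {
        "from_domain": domain,
        "connecting_ip": ip,
        "x_originating_ip": xoip.group(1) if xoip else None,
        "helo": helo,
        "domainkeys": dk.group(1) if dk else None,
        "helo_matches_sender": consistent,
        "verdict": "consistent" if consistent else "forged sender; treat as backscatter",
    }


def common_source(*bounces: str):
    """The single IP all bounces share, or None. Different claimed senders from
    one host point at one infected third party, not at the impersonated users."""
    ips = {triage(b)["connecting_ip"] for b in bounces}
    return ips.pop() if len(ips) == 1 and None not in ips else None


if __name__ == "__main__":
    for label, b in (("bounce 1", BOUNCE_1), ("bounce 2", BOUNCE_2)):
        print(label, triage(b))
    print("common source:", common_source(BOUNCE_1, BOUNCE_2))
```

Run as-is, both bounces come back as forged: the messages were handed to Yahoo by the same IP under two throw-away HELO names, while the From: lines name two unrelated domains. That is what you expect to see when one infected machine is working through its address book, and it says nothing about the impersonated account's own computer.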

fastvfr
05-02-2005, 22:20
This is an easy fix.

1. Go to Trend and run their excellent HouseCall to remove the spam-bot. (http://housecall.trendmicro.com/housecall/start_corp.asp)

2. Download Avast! antivirus.

3. Delete AVG in its entirety and restart the computer.

4. Install and update Avast. Run it.

5. Never use Internet Exploiter again for anything other than Updates...in fact, installing SP2 (in SAFE MODE) and just using Automatic Updates is a good idea; at least then you will never have to take your most exploitable software out into the wild ever again.

EvilGenius
05-02-2005, 22:55
thanks for the advice

trend micro as well as AVG and panda online all tell me I'm clean.

I run Firefox with Thunderbird on SP2 fully updated.

I have used Avast before but it just didn't like some of my programs for some reason.

Here's what I'm thinking...somehow, I must have let that email address out into the wild and someone has both addresses in their address book, in concert with the above-mentioned virus. What I'm seeing is bouncebacks from the OTHER person's infected computer spoofing my emails.

Thoughts on this?

fastvfr
05-03-2005, 01:10
That is quite possible, EG.

The virus would not be checking, and thereby removing, the Failed Delivery notice from your Inbox, would it?