My wife has a fairly new Dell PC…I configured it…I’m a pretty techy guy.
It is W7 64-bit with all the latest updates.
I’m running Avast, which does a full scan daily…shows clean.
I have Office 2010 installed and she uses Outlook for e-mails.
A couple of days ago she showed me a kickback email to one of her address book people that she did not send an email to.
I looked at it and it was a SPAM filter notice from that recipient’s SPAM filter back to us…basically notifying that this e-mail contained SPAM.
My wife told me this had happened before, a few weeks back…but I notice it’s not daily or anything…intermittent.
I noticed it had also been sent to my business email address, so I checked the online SPAM filter there and yes, it was caught.
I was able to capture the message and it is the first attachment.
It basically says “hope your job is going well. I wanted to alert you about a great joy opportunity”…blah…blah…then a website link to:
orditurafratellipagni.it/claimcall/…full link shown in message.
I re-ran Avast Full Scan and Rootkit…I also ran MBAM…nothing found…I attached the MBAM log.
What should I try next?…please outline the steps exactly for me to follow…I’m techy but I know this removal stuff is very particular.
One note: I have RollBack Rx on the machine, but the rollback points don’t go back very far since we rolled forward periodically to keep the machine running quickly.
Not sure I follow…I don’t think her online Bellsouth account (now AT&T through Yahoo) has been “hacked”…my wife uses Outlook on the PC…not the webmail.
There appears to be a virus or malware running within Outlook or the PC that is using some of the address book to send an e-mail…which is a SPAM email.
There is no record of this email in the outbox.
I see the posts above about changing the password for that account…would that make any difference? Because if it is running from the PC I have to put the new password in Outlook.
Is there some other “scanner” I can run besides Avast & MBAM to check?
Generally a spambot doesn’t use your email client to send spam (or it would show up in the sent items/outbox), but a very small SMTP program to send the spam.
Even if it does use its own SMTP client, Avast should still scan that outbound email.
From your SpamAssassin attachment, it looks like that email you received was from Pakistan, 182.177.74.129 (image1 whois info), and the probable originating IP address shows the message was from yahoowebmailservice, not your Bellsouth (image2 highlighted extract).
It is so easy to fake the From email address, and they could get that from many sources. Are the email addresses in the To address in your Outlook address book?
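The reply above does the header analysis by hand: walk the Received: chain of the bounced message, find the last hop your own servers vouch for, and compare it with what the From: domain’s real provider would look like. The script below is an added example written for this page, not code from any participant or from SpamAssassin. Both messages in it are constructed, using reserved example domains; the trusted relay list and the "expected relay" mapping for the From: domain are assumptions for the demonstration (the thread only says Bellsouth mail is now hosted by Yahoo).

```python
import email
import email.utils
import re
from email import policy

# Constructed sample 1: spam that left through the provider's webmail host.
# The deepest hop is the webmail session's client IP (the thread's "Pakistan" IP).
WEBMAIL_SAMPLE = """Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.5])
    by filter.recipient.example (Postfix) with ESMTP id ABC123;
    Tue, 03 Jul 2012 10:15:02 -0400
Received: from web12345.mail.yahoo.example ([192.0.2.10])
    by mx.example-isp.net with SMTP; Tue, 03 Jul 2012 10:15:01 -0400
Received: from [182.177.74.129] by web12345.mail.yahoo.example via HTTP;
    Tue, 03 Jul 2012 07:14:58 PDT
X-Originating-IP: [182.177.74.129]
From: "Alice" <alice@bellsouth.example>
To: bob@example.org, carol@example.org
Subject: great job opportunity

Hope your job is going well. I wanted to alert you about a great opportunity.
"""

# Constructed sample 2: a spambot with its own SMTP engine, direct to the MX,
# with the same forged From: header.
BOT_SAMPLE = """Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.5])
    by filter.recipient.example (Postfix) with ESMTP id DEF456;
    Tue, 03 Jul 2012 11:02:44 -0400
Received: from dsl-198-51-100-77.home.example ([198.51.100.77])
    by mx.example-isp.net with SMTP; Tue, 03 Jul 2012 11:02:43 -0400
From: "Alice" <alice@bellsouth.example>
To: bob@example.org
Subject: great job opportunity

Hope your job is going well. I wanted to alert you about a great opportunity.
"""

# Assumption: hosts whose Received: stamps we trust (the recipient's own filter
# and its ISP's MX). In practice this is your own mail infrastructure.
TRUSTED_RELAYS = {"filter.recipient.example", "mx.example-isp.net"}

# Assumption: where mail for a claimed From: domain legitimately leaves from.
EXPECTED_RELAY_SUFFIX = {"bellsouth.example": ".mail.yahoo.example"}

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value):
    """Split one Received: value into (from_host, from_ip, by_host).

    Folded continuation lines are collapsed first; headers without a
    'from ... by ...' clause return None.
    """
    flat = " ".join(str(value).split())
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", flat)
    if not m:
        return None
    from_part, by_host = m.group(1), m.group(2)
    ip = IPV4.search(from_part)
    return (from_part.split()[0].strip("[]"), ip.group(1) if ip else None, by_host)


def trace_origin(raw, trusted=TRUSTED_RELAYS):
    """Walk Received: headers newest-first and locate the trust boundary.

    Each Received: stamp was written by its 'by' host about the client in
    'from'. While the 'by' host is ours, that client IP is reliable; the last
    such hop is the boundary. Deeper hops were written by outside servers and
    can be forged, so the deepest one is only the *probable* origin.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    boundary = None
    for hop in hops:
        if hop[2] not in trusted:
            break
        boundary = hop
    x_orig = msg.get("X-Originating-IP")
    probable = (x_orig or "").strip("[] ") or (hops[-1][1] if hops else None)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return {
        "boundary_host": boundary[0] if boundary else None,
        "boundary_ip": boundary[1] if boundary else None,
        "probable_origin_ip": probable,
        "from_domain": addr.rpartition("@")[2],
    }


def classify(report):
    """Did the mail leave via the From: domain's real provider, or not at all?"""
    suffix = EXPECTED_RELAY_SUFFIX.get(report["from_domain"])
    if suffix and (report["boundary_host"] or "").endswith(suffix):
        return "sent through the provider's webmail (account or session abused)"
    return "did not pass through the provider (forged From, likely a spambot)"


if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL_SAMPLE), ("bot", BOT_SAMPLE)):
        report = trace_origin(raw)
        print(name, report, "->", classify(report))
```

The two verdicts are the distinction the thread turns on: in the first sample the boundary hop is the provider's own webmail host and the deepest hop is a browser session from an unrelated IP, which points at the webmail account rather than the PC; in the second the boundary hop is a random residential host that never touched the provider, which is what a spambot with its own SMTP engine looks like. Note that the deepest "from" IP is only as trustworthy as the server that wrote it.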
The addresses in the TO: line are in my wife’s Outlook address book.
For what it is worth…we have no addresses in the webmail account since she does not use it.
Possibly worth bumping up the Mail Shield, Expert Settings, Sensitivity to High heuristics.
I’m still not convinced that the email was sent from your system as the supposed original was sent from a Pakistan IP.
It is possible for malware on the system (at some point) to harvest the address book, but it doesn’t mean that the spam originates from your system. If you were sending high volumes of spam I have little doubt that your ISP would know and tell you (probably a warning).
I’m in Avast under Mail Shield…I see the Expert Settings button…I went in there and set it from Normal to High.
Any other changes, like changing the Sensitivity check box on that page to “test whole files”?
Anything else ?
FYI…I did run MBAM in Safe Mode with Networking on…should I re-run it in normal Windows mode?
I would leave the other Scan for PUPs (Potentially Unwanted Programs) unchecked, as it isn’t really something that is connected with possible spambots.
Essentially, essexboy has already mentioned this sort of thing, as generally it is webmail that is compromised; that is why he asked (suggesting a change of password if you had webmail).
However, that said, you say your wife’s webmail account doesn’t have her address book contents, so it is hard to see her webmail account being used for the SpamAssassin example you posted, which came from YahooMailServise; presumably she doesn’t have that but an ISP webmail account?
OK…we have five “legacy” Bellsouth accounts that went to AT&T, and I guess Yahoo “hosts” them now.
My wife’s Outlook logs into each of these accounts during a SEND/RECEIVE…as well as a new Gmail account.
I went into each of the Bellsouth and Gmail accounts and the SPAM guards were ON.
However, in the one Bellsouth account that was the culprit, the online SPAM guard was OFF…and it had the email addresses in the Contacts folder.
I wanted to double-check this because there were only a few emails this went out to, and she has a lot more contacts in her Outlook address book.
I enabled the SPAM guard online, and I changed all of these accounts from “keep me logged in for two weeks” to forced logoff.
I was going to change the password, but for the life of me, with AT&T I cannot find out where…I click on the change-password link and it routes me into never-never land.
I will have to do some checking on how/where to do that.
Anyway, perhaps with the above, the webmail server was getting a spam and doing a SEND up in the cloud, and when she “received” from Outlook she got the kickbacks.
Well, the bounces would be coming back to the From address, which I guess would be the default email address for that Bellsouth account. So any bounce-backs would be sitting in that webmail account’s inbox awaiting collection, either via webmail or by downloading them in your Outlook email client.
Thanks all for the responses on what probably is not an Avast issue…
After 10 minutes I found the new AT&T account page to change the password…going to wait on that.
I think, per the above, the original SPAM came into webmail and, since there was no filter, then used the webmail’s few addresses to spam out.
When my wife used Outlook to download her e-mails…a few times a day…Outlook typically closed…she got the kickbacks from the TO recipients rejecting.
Anyway, only my guess now…going to give it a few days now that I’ve enabled the SPAM guard and deleted the online contacts.
I also reset the Avast sensitivity back to normal.
If the above doesn’t work I’ll change the password too…just a pain to do online, then each machine’s Outlook settings.
BTW, the password is a VERY strong password.
UPDATE 7/4/12
Well, no issues…it seems making sure the SPAM filter is “ON” and removing all addresses and sent items in “webmail” did the trick.
Wanted to post so others having a similar issue could find