Email spam

Hello Avast community,

I need some advice. I run Avast on my PC as I think it's the best, but this morning my email sent an email to everyone in my contacts list.

I have done a quick & full scan with nothing found

Without adding all the email addresses, this was the body of the message sent & not by me

Sent: 16 January 2012 05:05
Subject: Re: Fwd: Im free now.

hi there…

I was starting to crack under pressure this helped me back to my feet everyone was worried about me!
-http://talitacumi.org/lastnews/64NeilWood/ im in this for the long run you would excell at this.
talk to you soon.

Does anyone know what's going on or how it might have got in?

Thanks in advance for your help

first edit your post and put a - in front of the link you posted, that will make it unclickable
like this -http://www.avast.com/en-eu/index

The link you have posted is infected :wink: see attached screenshot
https://www.virustotal.com/file/9287c4a859c4ed95a95734dd33372932a91055fe5cdeb53336e08e602bee2b69/analysis/1326734351/
https://www.virustotal.com/file/952c1babd606d2970cac2b3c1ef5fccb1e9b14d32c0ab49fc8f42f6f5fef268f/analysis/1326734381/

it does not have to be from your account…the from address can be faked…they harvest mail address and can use any of those as a from address

how do you access your mail…mail client in your computer…or webmail ?

Thanks for the answer

Previous post amended

So is it safe to say that it is not actually me that's infected and rather someone who has been harvesting email addresses?

If that is the case how did they get my contacts from outlook?

it may have been harvested from one of your friends…that have an infected computer
and your address was there and they just used that as a from address…

you can try to change your mail account password and see if that helps

How Do Spammers Get My Email Address?
http://www.ehow.com/how-does_5167077_do-spammers-email-address.html
http://www.private.org.il/harvest.html

Someone’s sending from my email address! How do I stop them?!
http://ask-leo.com/someones_sending_from_my_email_address_how_do_i_stop_them.html

If you want a check for infections, then follow this guide
http://forum.avast.com/index.php?topic=53253.0

attach the Malwarebytes and OTL log and Essexboy will have a look when he arrives here later today

lower left corner: additional options > attach

Thanks again, I changed my password for the minute to see if it helps. I also checked my outlook sent folder, nothing in there or on my providers site (outlook uses pop3 to access)

It's only happened the once to my knowledge so I will just keep an eye out

Appreciate your time & assistance

@ Neil
How do you know it sent an email to everyone in your addressbook ?
Is this MS Outlook or Outlook Express ?

  • Are you getting bounced emails, etc. - Whilst this may not be exactly the same as your experience:
    It is a common spammer tactic and it could have worked in your case if you have opened it (even just to retrieve the information you posted) and that could have resulted in more serious issues.

One likely scenario is that your email address is already on a spam list and those email addresses aren’t just used to send spam to, but they are used in the from email address (easily faked). Another scenario is that someone that you have communicated with, friend, colleague, etc. has an infected system and their email address book is harvested for email addresses to send spam to and to use as the from address.

The problem is that dumb email servers and spam filters bounce the email back to the from/reply to email address without thought that this might not be who sent it.

I get these on occasion and I know I haven’t sent them (so I know they weren’t likely to be undelivered), my anti-spam invariably picks them up or one of my filters will flag it otherwise the mark one eyeball picks them up and they are flagged for deletion. Then my email program is called to download the remainder of legit emails.

What to do, set the avast Mail Shield to High heuristics as that will detect if you are actually sending out multiple emails in a short time frame (generally spam). This could also be an early indication that you may have a hidden/undetected spambot on your system. In most cases you aren’t sending out spam, but it is the scenarios outlined above and their bounced email being sent back to the from address.

Note, if there is a spambot on your system, generally they don’t use your email program to send the spam, but come with their own very small SMTP program. This is where bumping up the heuristic level in the Mail Shield helps as it doesn’t matter how they try to send the spam, your email client or their own little one, avast should intercept it for scanning as outlined above.

Strangely enough it did not send it to everyone on my contacts

Recently I had to contact Disney, 20th Century Fox & Warner Bros + a few friends addresses, it only sent it to 23 addresses.

The other addresses I use more frequently and it did not go to those, also I never open attachments in mail received, I just delete them immediately

Checking in my outlook it looks like it sent it to almost everyone that was in my Last Month sent folder.

To answer your question, I found out as my Brother in Law phoned me to say he got spam from me, he then forwarded it to me so I could check it out

That still falls in line with the scenarios that I gave as it is being reported back to you rather than knowing it came from you as the from address is so easy to fake as you can put absolutely any email address in there and spammers do that.

You would need to have the actual email headers analysed to confirm where it actually came from (e.g. the IP address of your email server (ISP, etc.)). So it is still probable that this didn’t originate from your system as I rather doubt a spambot would be selective in not emailing everyone in your email address-book or everyone in the last month's sent folder.

It is this kind of inconsistency that makes me think it is someone in your contact circle who may well have many of the email addresses that you have is infected. Many email servers or users with anti-spam software would just bounce the email back.

I trust that you have now bumped up the heuristics level to high in the mail shield ?

You can/should run other precautionary scans, as in the link given by Pondus in Reply #4. But I would suggest using MBAM as that has been generally good at detecting spambots, if that doesn’t turn up anything (as avast didn’t) then you could go to the other tools suggested in the link.

MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later. Download, Install, Update, Run and post the contents of the log.
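
Added example, not part of any post in this thread: one way to do the header analysis suggested above on a recipient's copy of the message. It trusts only the `Received` lines written by the recipient's own mail servers and reports the IP that handed the message to them, since anything below that point (like the From address) can be forged. All hostnames, addresses and the provider range are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed sample headers, newest hop first, as seen in a recipient's mailbox.
# The bottom Received line is what a forger could prepend to implicate the sender.
SAMPLE = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [198.51.100.10])
\tby mailstore.recipient-isp.example with LMTP; Mon, 16 Jan 2012 05:05:40 +0000
Received: from unknown-host.example (unknown [203.0.113.77])
\tby mx.recipient-isp.example with SMTP; Mon, 16 Jan 2012 05:05:38 +0000
Received: from sender-pc (localhost [192.0.2.25])
\tby smtp.sender-isp.example with ESMTP; Mon, 16 Jan 2012 05:05:01 +0000
From: Sender <sender@sender-isp.example>
Subject: Re: Fwd: Im free now.

hi there
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>" - the common Received layout.
RECEIVED = re.compile(
    r"from\s+\S+\s+\([^\[\]]*\[([0-9a-fA-F.:]+)\]\).*?by\s+(\S+)", re.S)


def handoff_ip(raw, trusted_suffix):
    """IP that connected to the first server we trust, or None if not found."""
    msg = email.message_from_string(raw)
    origin = None
    for hdr in msg.get_all("Received", []):  # topmost header is the newest hop
        m = RECEIVED.search(hdr)
        if not m or not m.group(2).lower().endswith(trusted_suffix):
            break  # written by a server we do not control: could be forged
        origin = ipaddress.ip_address(m.group(1))
    return origin


def sent_via_own_provider(raw, trusted_suffix, provider_nets):
    """True only if the trusted handoff IP is inside the sender's provider ranges."""
    ip = handoff_ip(raw, trusted_suffix)
    return ip is not None and any(
        ip in ipaddress.ip_network(net) for net in provider_nets)


if __name__ == "__main__":
    print("handed off by:", handoff_ip(SAMPLE, ".recipient-isp.example"))
    print("via sender's provider:", sent_via_own_provider(
        SAMPLE, ".recipient-isp.example", ["192.0.2.0/24"]))
```

In the sample the handoff IP is outside the sender's provider range even though the From line and the bottom `Received` line name the sender, which is the spoofed-from-address scenario described above.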

Another friend has just emailed me about the spam too, she said she has got it before from me.

Well I just installed Malware Bytes and it blue screened my PC
When I rebooted the program won't run so it has now been uninstalled and I got it from the website directly.

It's doing a full scan now

I also set the Mail Shield to High heuristics

It's doing a full scan now
quick scan is fine.....full may take hours!

I just found this in Avast Mail Shield in SSL section

wiethoff.eu as a mail account

Don't have a clue what it is, could that be it?

I have deleted it now

Malware Bytes found nothing

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.16.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nightjar :: NIGHTJAR-PC [administrator]

Protection: Disabled

16/01/2012 17:10:11
mbam-log-2012-01-16 (17-10-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195875
Time elapsed: 1 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Well that domain is hosted by Hetzner Online AG in Germany and coincidentally it hosts this forum. So I don’t know if this might have been related to your forum registration, but I rather doubt that. But you don’t mention if this was for pop3 or smtp (which is crucial) ?

It doesn’t matter if another friend is reporting this, that doesn’t change anything if your email address has been harvested then its use as a from address is almost a given.

The most crucial point is to confirm that nothing is getting out and why I suggested increasing the mail shield sensitivity and asked if you had done that (but no answer). I really can’t over stress how useful a feature this is.

I posted above

“I also set the Mail Shield to High heuristics”

After all the help you guys are giving I made sure I mentioned it

You can also see that Malware Bytes came back clear so I am at a bit of a loss

Sorry I didn’t check your edited post, just those after my asking the question.

This should at least be able to confirm that they aren’t being sent now, as I guess a spambot wouldn’t just be doing it the once.

If you want to (to confirm nothing hidden on your system) I guess the next step is following the instructions on the link Pondus gave in Reply #4 as you have already done one step of that running the MBAM scan, do step two in downloading, running OTL and attaching the logs here.

Here are the OTL logs as requested

Thanks for your help

I will try and get someone to look at your OTL log.

Do you use a webmail provider ? e.g. Livemail, Gmail

Says he is using Outlook and using pop3, so presumably not webmail.

So it could still possibly be livemail but also with a pop3 account and not using the Microsoft proprietary Delta Sync protocol in Outlook.