Tek-Tips is the largest IT community on the Internet today!

I have an e-mail security problem

Guest_imported

New member
Jan 1, 1970
0
I have three email accounts:

xyz...@hushmail.com
were...@hotmail.com
hak...@ziplip.com

For the last month or two I've been receiving some strange e-mails to these three accounts even though they are not connected to each other in any way (apart from the fact they are sent from the same IP).
The messages seem 120-160K long but when I open them they appear blank!
I didn't care much first and tried to block them as "spam" but they just kept coming.

Yesterday I received another blank email with a stupid "subject" to my hotmail.com account FROM MY @hushmail.com account !!!!

How could that be possible? When I opened my account in hushmail I see no strange things like already opened e-mails etc. and my password is quite a long one with many different characters to be easily cracked.

Has somebody hacked into my computer/e-mail accounts or are they just able to put anything to "sender's" section whether it's real or not so that they scare the heck out of people.

Could somebody help?
Ian
 
it's some kind of a virus i suppose
i have received such mails, where from was set to almost all my email accounts :)
when you look at the hops in the headers, you will see that there is always some asian source machine which produces this kind of emails
 
thank you for the reply.

I have McAfee 6.02, how come it doesn't show it and alarm me?
 
I wonder if you are infected as I suppose that you have your various addresses in your address book.

Even though McAfee fails to find anything, it might be worthwhile picking up a demo copy from Sophos or F-secure to verify what McAfee sees.

I'll go get an earl here you go, demo versions at...

 
All: I'll apologize for the long post in advance.

When was the last time that you downloaded an update to your McAfee? New virus definitions come out at least weekly, and you really need to keep the definitions up to date.

Either way, it doesn't hurt to download and test another company's AV tool, just to be sure.

As far as sending email from your other account, it is quite simple really. All that you need is telnet, and you can send mail as anybody, to anybody. Mail is a non-authenticated protocol, and all that you need to do is find an open relay somewhere, Asia is a favorite target, and issue the commands as if you were another SMTP client.

You need to look at the complete header (not sure how to do this in hotmail). It will look something like this:

Return-Path: <elisapj@hotmail.com>
Delivered-To: me@inyc.com
Received: from s044201.wertenbroek-wilbrink.nl (unknown [195.240.3.96])
by smtp1.inyc.com (Postfix) with ESMTP id 16425122E14
for <me@inyc.com>; Tue, 20 Aug 2002 07:57:42 -0400 (EDT)
Received: from bitnisse.dk (dsl-200-67-142-63.prodigy.net.mx [200.67.142.63]) by s044201.wertenbroek-wilbrink.nl with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id 332K537M; Fri, 19 Jul 2002 06:37:49 +0200
Message-ID: <00005e925083$000019e6$0000504b@burnsautomotive.com>
To: <cef2001@hotmail.com>,

--< lots of crap deleted >--

From: elisapj@hotmail.com
Subject: MEN & WOMEN, TURBO BOOST YOUR DRIVE! MPHCJX
Date: Fri, 19 Jul 2002 00:35:17 -1600
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: elisapj@hotmail.com
Status: R
X-Status: N


What you see first is the Return-Path. This tells the SMTP servers along the way where to send the message if it is bounced. It is an automatically generated field, and is not verified against the From field.

After that, you see a series of Received fields. You want to follow them in reverse order. This message was sent from a DSL server at IP address 200.67.142.63 in Mexico with a name that indicates (bitnisse.dk) to a server in Holland (s044201.wertenbroek-wilbrink.nl).

From there it went to my INYC account. Notice the "(unknown [195.240.3.96])" and the name s044201.wertenbroek-wilbrink.nl? That is because in the SMTP protocol, I tell the SMTP server what my name is, but it has my IP address from the packets. It does a reverse lookup of the IP address to get a name. In this field, there is no reverse lookup, hence the "unknown" reference. The DSL circuit has a reverse lookup that shows it is actually in Mexico (dsl-200-67-142-63.prodigy.net.mx) not in Denmark as the reference indicates (bitnisse.dk).

The message ID is a unique number that helps mail clients determine whether or not they have already downloaded this message, even if they leave mail on the server.

The rest of the stuff is pretty self-explanatory.

This all means that there is an SMTP server running Microsoft Exchange in Holland that can be used to relay mail as anyone, to anyone. And the DSL circuit in Mexico is probably a compromised home computer that is being used by SPAMMERs to hide their true origin.

pansophic
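As an added example (my own code, not from this thread), a small Python script that walks the Received chain of the header quoted above in reverse, the way pansophic describes reading it, and flags the two tells he points out: a hop with no reverse lookup ("unknown") and a hop whose announced name is in a different domain than its reverse-DNS name. The sample header is copied from the post as a constructed input; the function names and the crude last-two-labels domain comparison are my own simplifications.

```python
import re

# Constructed sample: the Received chain quoted in the post above,
# outermost (most recent) hop first, as receiving servers write them.
SAMPLE_HEADERS = """\
Return-Path: <elisapj@hotmail.com>
Received: from s044201.wertenbroek-wilbrink.nl (unknown [195.240.3.96])
 by smtp1.inyc.com (Postfix) with ESMTP id 16425122E14
 for <me@inyc.com>; Tue, 20 Aug 2002 07:57:42 -0400 (EDT)
Received: from bitnisse.dk (dsl-200-67-142-63.prodigy.net.mx [200.67.142.63]) by s044201.wertenbroek-wilbrink.nl with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id 332K537M; Fri, 19 Jul 2002 06:37:49 +0200
From: elisapj@hotmail.com
"""

# Matches "from <HELO name> (<reverse-DNS name or unknown> [<ip>]) by <server>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the previous header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received_chain(raw):
    """Return hops in delivery order (origin first), i.e. the headers read in reverse."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return list(reversed(hops))

def hop_findings(hop):
    """Flag a hop with no reverse lookup, or whose HELO name is in another domain
    than its reverse-DNS name (bitnisse.dk vs prodigy.net.mx in the sample).
    The domain comparison uses the last two labels only; a real check would
    use the public suffix list."""
    findings = []
    if hop["rdns"].lower() == "unknown":
        findings.append("no reverse DNS for %s" % hop["ip"])
    else:
        helo_dom = ".".join(hop["helo"].lower().split(".")[-2:])
        rdns_dom = ".".join(hop["rdns"].lower().split(".")[-2:])
        if helo_dom != rdns_dom:
            findings.append("HELO %s does not match reverse DNS %s" % (hop["helo"], hop["rdns"]))
    return findings
```

Running `parse_received_chain(SAMPLE_HEADERS)` and `hop_findings` on each hop reports the Mexican DSL circuit announcing itself as bitnisse.dk and the Dutch relay arriving with no reverse lookup.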
 
By the way, the Klez.H virus will go through someone's address book, stored email, etc and pick out random email addresses which it puts in the "sender" line when it mass-emails itself to potential future victims. It is making it somewhat difficult to nail down. What you're seeing sounds like a similar effect, perhaps that IP address you've narrowed these goofy spams to is a mail server with a Klez.H infected host behind it.
-Steve
 
I get lots of e-mails of the type you describe, and they appear to be blank without a viral attachment of any kind.

I concluded that these were duff e-mail viruses from an infected machine. Perhaps the virus spreads through shares and is meant to spread through e-mail as well, but this section of the virus is damaged.

If you are getting ticked off with the e-mails, you can complain to the owner's ISP who will look up who was using that IP address at that time and send them an e-mail telling them how to clean their machine and threaten to disconnect them until their computer isn't sending them anymore. I made a program that will get you the ISP's email address at
that you can use if you want. You can get the IP address from the message headers as Pansophic described above.

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
thank you all for your kind replies.

Could it be the following virus the culprit?

WORM_KLEZ.H


Anybody familiar with this one?
 
If the Mail is empty it is possibly a html-mail. If you are using outlook then try the right mousebutton and "Show source text" (?). With this option you can see if there is something hidden in the mailbody. (maybe <Iframe...>
hnd
hasso55@yahoo.com
