After a series of events in the past 24 hours, my Gmail account is sending spam messages on its own. Let me walk you through what happened, and maybe you can help me identify the problem and repair it.
-When Gmail first opened, I created an account, and ever since then it's been my primary email address. Always worked flawlessly, and I've never had any problems with it.
-A month ago I got a new laptop, which I've been using ever since to access the internet. I use Safari, have a few usernames and passwords saved on websites which have the option (such as NBR and Gmail), and have Norton Internet Security 2008 and Windows Defender running.
-Last night I installed and configured Microsoft Outlook 2007 to work with my Gmail account. Everything seemed fine.
-Today was the first day of class, and I brought my laptop with me. About an hour ago, I connected to my college's unsecured wireless network. This is the first time I've used wireless, and the first time I've had it turned on.
-A few minutes ago, I get an email from MailerDemon or whatever that service is called, saying it couldn't deliver a message I had sent. So I go to my sentbox, and I notice that my account had sent two spam messages (the viagra-like ones). They have a winmail.dat file attached to them.
So what is happening? What should I do?
-
-
Oops, I clicked the wrong forum before I posted this. I meant to post in "Security and Anti-Virus Software"... I think that's the appropriate place for it.
-
Not much you can do, either contact Gmail about it or close down your account and try another email address.
It wouldn't hurt to run a virus/malware scan as well to find out if there is anything on the system.
If you can, try to change the passwords for all your accounts and such.
I don't know entirely, as it's never happened to me, so my advice may be completely useless. -
Could be a virus attached to your Outlook, as well. Disable POP/IMAP (Gmail settings) and see if it still happens.
-
Are you sure the emails actually originated from your account, or was your address just forged by the original sender so that it only looks like your account was the originating account?
It's actually fairly easy to get onto some mail servers, and manually enter an email message, which allows the enterer to customize the entire message and to claim to be whomever they want to be. In that situation, some mail servers will flag the originating IP as suspicious, but will still send the message on as usual.
One way to tell is to check the email headers to see what IP the originating mailserver received the message from, and then check to see if that IP corresponds to your local IP or to any IP that is connected with gmail.
I have had a number of bounceback emails of that sort - emails that were returned to me because my email address was listed as the originating email account, only to find out that, upon inspection of the headers, that the email had actually been entered by an unrelated IP address and my email address forged as the originating email.
Without more, I wouldn't treat a few bouncebacks like that as being evidence that your account has been hacked. -
Hmmm that sounds very likely. Because I set Gmail to use https all the time, and apparently that's pretty impossible to break.
I disabled both POP and IMAP, so hopefully that stops it. -
Well the original message that was sent (not the MailerDaemon reply) is actually in my sentbox, so I think that it actually originated from either my account or my Outlook.
I know what you're talking about, but it doesn't seem like that's what happened. (I'm not sure how to check the IP in gmail.) -
Have you tried changing your password?
-
I haven't. I'm trying to identify the problem first. I doubt that somebody figured out my password. I've never shared it with anyone, and it's very very strong.
-
Cool. I have a feeling that'll fix it.
-
That'll do ya; sorry I couldn't be of more help.
-
So if Outlook is the problem, was all this caused by my accessing an unsecured wireless network? Was it for that reason that somebody was able to get a virus that used Outlook to send the emails? Or just regular everyday internet use?
-
Oh, you definitely helped. At least I ruled that possibility out. Thank you Shyster1. And thank you Manic Penguins and Dook and Harper2.0 for assisting me.
-
It doesn't sound as if you were actively hacked, but more so that you had a dormant virus/trojan waiting for you to use Outlook. This, of course, is just a guess, but I have seen this happen many times.
-
Ah I see. Well, hopefully it's resolved. I'll post again later if I confirm whether that was it or not.
-
Disabling IMAP appears to have done the trick. I'll re-enable it now to see if it sends any more messages.
-
Roger that.
-
Tumido, funny you mentioned your issue. I have been seeing the same thing since yesterday and was getting ready to post here. Junk mail in my "Sent" folder and mailer daemon error messages to my inbox. Just turned off IMAP and POP. Keep us posted on your progress. Getting ready to do an AV and spyware scan now.
-
Some more information, the "sent" messages only appear on the GMail website. But I do have Outlook 2007 configured not to save sent messages. But all the other messages I have sent from Outlook are stored in the [IMAP]/Sent folder on the GMail site. Anyone have any ideas?
-
Hmmm, so I took a look after what you said shawnost, and here's what I have.
(So I had two spam messages sent, and only one came back with mailerdaemon, and I deleted that one.)
-In my Gmail sentbox, I have a message titled "Not read: How to keep your love life wild or what do women want." with no text and a winmail.dat file attached.
-In my Outlook Gmail sent folder, the message has the same title, but there is text that says:
-There is nothing in my Outlook "Sent Items" folder (Personal Folders). -
Change your password.
-
-
So did the Gmail site get hacked or something? I changed my password, just in case.
-
No, the emails are originating from my computer being sent through Outlook. Changing passwords will not do anything. There must be a new unidentified trojan spreading itself around. I've scanned my computer with every cleaner known to man and nothing is found.
-
Yeah, same with me (emails from my computer). I have scanned with Avira, Comodo Defense +, Windows Defender, and SuperAntiSpyware and found nothing. But I haven't tried to open my email with Outlook today so no messages. Maybe I'll just access through the website until this gets picked up in a scan.
-
@Nizzy1115:
Just out of curiosity, can you post a screenshot of the entire header section for the original that's in your sent items box, as well as the rest of the message from the failed delivery kickback (your screenshot you posted cut off some of the stuff that the mailer daemon's kickback was showing of the original message headers).
Also, just out of curiosity, is your internal network (i.e., your router) set up with private IP addresses that start 10.70.11.xxx, where xxx is a number between 1 and 255? -
So it seems it has something to do with Outlook. Those are the same messages as mine. They all have the "Not read:".
I turned off IMAP for my gmail account, and then turned it back on, and it hasn't sent anything since. But I haven't used Outlook on any unsecured wireless network since then.
So my theory is that when such a network is used, Outlook is somehow accessed by some outside source and that's how those messages are sent. But I have very little idea how this stuff works, so I could be completely wrong. -
And I am on a private address, but in the 192. scheme.
Code:
This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
[email protected]
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 User unknown (state 14).
----- Original message -----
Received: by 10.90.78.14 with SMTP id a14mr631760agb.60.1222394265700; Thu, 25 Sep 2008 18:57:45 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mycomputername ( [76.203.20.228]) by mx.google.com with ESMTPS id h16sm2459810wxd.34.2008.09.25.18.57.44 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 25 Sep 2008 18:57:45 -0700 (PDT)
To: <[email protected]>
Subject: Not read: longing for better s(e)>'<u@l life
Date: Thu, 25 Sep 2008 20:56:55 -0500
Message-ID: <001301c91f7b$3224c9c0$966e5d40$@com>
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"
X-Mailer: Microsoft Office Outlook 12.0
X-MS-TNEF-Correlator: 00000000EE29E9D123B64B4BBC78A0354E4D1BC5A4DF2B00
Thread-Index: AckcYFVIJzzUzS1oRjGn1foLyc0W4wDGrjGl
From: nizzy1115 <[email protected]>
(This part is weird because I do not use this nickname with this email account at all. They are unrelated. I have Outlook set up for 2 email accounts, my nizzy one and this one it's sending from.)
eJ8+Ig0BAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAFwAAAFJFUE9SVC5J
UE0uTm90ZS5JUE5OUk4AtwYBCoABACEAAAA1ODMxOEY3OUZDMDU4NDQzQTkyMTk4Q0FGM0FCRTkx
NgAzBwEDkAYA2AIAABgAAAALACkAAAAAAEAAMgAg+wwOex/JAR4ASQABAAAAIwAAAGxvbmdpbmcg
Zm9yIGJldHRlciBzKGUpPic8dUBsIGxpZmUAAAIBTAABAAAArgAAAAAAAACBKx+kvqMQGZ1uAN0B
D1QCAAABgGEAcgBjAGkAcAAxADkAOAA5AEAAbwB1AHIAbQBlAG0AcABoAGkAcwBjAG8AbgBuAGUA
YwB0AGkAbwBuAC4AYwBvAG0AAABTAE0AVABQAAAAYQByAGMAaQBwADEAOQA4ADkAQABvAHUAcgBt
AGUAbQBwAGgAaQBzAGMAbwBuAG4AZQBjAHQAaQBvAG4ALgBjAG8AbQAAAAAAHgBNAAEAAAAjAAAA
YXJjaXAxOTg5QG91cm1lbXBoaXNjb25uZWN0aW9uLmNvbQAAQABOAID6FlRgHMkBQABVAIAnSFVg
HMkBHgBwAAEAAAAjAAAAbG9uZ2luZyBmb3IgYmV0dGVyIHMoZSk+Jzx1QGwgbGlmZQAAAgFxAAEA
AAAbAAAAAckcYFVIJzzUzS1oRjGn1foLyc0W4wDGrjGlAB4AcgABAAAAAQAAAAAAAAAeAHMAAQAA
----- Message truncated -----
It shouldn't have anything to do with using unsecured wireless. This is something that is on our machine causing Outlook to send the messages. My computer is a desktop; it only connects to my own internet. -
@nizzy1115:
Thanks; I'm just a little curious about the path the email took. According to the headers, it went from IP 76.203.20.228 (which I assume is the public IP your ISP - SBC - has assigned to your account), to the Google mailer daemon at mx.google.com (can't find the IP offhand), and thence to 10.90.78.14, which is an IP within the "private" range of IP addresses, and thus should not be showing up without another public IP between itself and the google mailer - unless, of course, that is just the google mailer's way of dealing with emails that the recipient server (at ourmemphisconnection.com) refuses to accept; i.e., "dumping" the email into a private IP.
Just for comparison's sake, I sent an email from a Gmail account to the same address at ourmemphisconnection.com, and this is the delivery failure notification that I received:
BEGIN
__________________________________________________
This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
[email protected]
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 User unknown (state 14).
----- Original message -----
Received: by 10.102.247.4 with SMTP id u4mr995594muh.94.1222441534397;
Fri, 26 Sep 2008 08:05:34 -0700 (PDT)
Received: by 10.103.207.17 with HTTP; Fri, 26 Sep 2008 08:05:34 -0700 (PDT)
Message-ID: <[email protected]>
Date: Fri, 26 Sep 2008 11:05:34 -0400
From: Anonymous <{NAME REMOVED BY ME}@gmail.com>
To: [email protected]
Subject: Test Email
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
This is just a test email to establish whether this account has been compromised
_______________________________________________________
END
Now, one possible difference is that I go through the web portal for Gmail, not through a client-side app like Outlook.
Also, this email was also received by two "private" IPs so I think that my suspicions on that point can be discounted.
At any rate, I don't think I'm getting anywhere with this - sorry - but I'll leave this post up just in case someone brighter than I can find something useful in it.
EDIT: I just looked at the two sets of header info again, and I would suspect that it's definitely your Outlook that's been compromised, not your Gmail account. If the Gmail account by itself had been compromised, the email headers would most likely not show the following Content-Type:
Content-Type: application/ms-tnef; name="winmail.dat"
For example, in my headers, which are for an email that was sent via the web portal, the Content-Type header reads as
Content-Type: text/plain; charset=ISO-8859-1
That content type, application/ms-tnef, indicates that the originating sender was sending an "enhanced" email message from a Microsoft application using MS' Rich Text Format. Because not all email readers want to deal with MS' RTF format, what MS does is send two messages, a plain-text version as the body, which any email reader can read, with an attached document containing the RTF version, which an RTF-enabled email reader will display in preference to the text-only version.
To cut to the chase, the delivery failure notification you received shows that the original email was sent with a content-type that is specific to Microsoft email applications, and that the original message was not sent solely through your Gmail account from the outside, because Gmail does not use the "application/ms-tnef" content-type as its default, as demonstrated by the email I sent using the web portal for Gmail (with MS Internet Explorer as my web browser running on a Winbox).
I would conclude that something has definitely gotten control over your Outlook and is using that to send from whatever email accounts it can find that are associated with your Outlook. -
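The header check Shyster1 describes (walk the Received: chain back to the hop where the message entered the mail system, compare that IP with your own, and note whether the original carried Outlook's application/ms-tnef content type) can be done in a few lines of Python. The block below is an added example for this thread, not code posted by any participant. It parses the two bounces quoted above, copied in as constructed samples with the addresses replaced by example.com placeholders, and, because the quoted winmail.dat excerpt is a TNEF stream, also walks its first attribute records to read the stored message class. Assumed: the TNEF layout follows the published MS-OXTNEF format (signature 0x223E9F78, two-byte key, then level/id/length/data/checksum records), and the private 10.x addresses in the upper Received: lines are Google's own internal relays, which is why they appear in both bounces and are not evidence of anything on the sender's side.

```python
"""Triage a bounced original the way the thread does by hand: find the entry hop,
classify its IP, flag application/ms-tnef, and read the TNEF message class.
Added example; samples are constructed from the bounces quoted on this page."""
import email
import ipaddress
import re
import struct

# Constructed sample 1: the "Original message" part of the Outlook 2007 bounce
# (first two base64 lines of the winmail.dat as quoted above).
OUTLOOK_ORIGINAL = """\
Received: by 10.90.78.14 with SMTP id a14mr631760agb.60.1222394265700; Thu, 25 Sep 2008 18:57:45 -0700 (PDT)
Received: from mycomputername ( [76.203.20.228]) by mx.google.com with ESMTPS id h16sm2459810wxd.34.2008.09.25.18.57.44 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 25 Sep 2008 18:57:45 -0700 (PDT)
To: <recipient@example.com>
Subject: Not read: (spam subject removed)
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Office Outlook 12.0

eJ8+Ig0BAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAFwAAAFJFUE9SVC5J
UE0uTm90ZS5JUE5OUk4AtwYBCoABACEAAAA1ODMxOEY3OUZDMDU4NDQzQTkyMTk4Q0FGM0FCRTkx
"""

# Constructed sample 2: the comparison message sent from the Gmail web interface.
WEBMAIL_ORIGINAL = """\
Received: by 10.102.247.4 with SMTP id u4mr995594muh.94.1222441534397; Fri, 26 Sep 2008 08:05:34 -0700 (PDT)
Received: by 10.103.207.17 with HTTP; Fri, 26 Sep 2008 08:05:34 -0700 (PDT)
From: Anonymous <sender@example.com>
To: recipient@example.com
Subject: Test Email
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

This is just a test email to establish whether this account has been compromised
"""

TNEF_SIGNATURE = 0x223E9F78     # little-endian magic at the start of winmail.dat
ATT_MESSAGE_CLASS = 0x00078008  # TNEF attribute id carrying the MAPI message class


def parse_received(value):
    """Pull 'from host [ip] by server with protocol' out of one Received: header."""
    text = " ".join(value.split())  # collapse header folding
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    m_by = re.search(r"\bby\s+(\S+)\s+with\s+([A-Za-z0-9]+)", text)
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "proto": m_by.group(2) if m_by else None}


def tnef_message_class(blob):
    """Walk TNEF records (level, id, length, data, checksum) until attMessageClass.
    Returns None if the blob is not TNEF or is truncated before that record."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        return None
    pos = 6  # 4-byte signature + 2-byte attachment key
    while pos + 9 <= len(blob):
        att_id, length = struct.unpack_from("<II", blob, pos + 1)  # byte at pos is the level
        if pos + 9 + length + 2 > len(blob):  # record runs past the truncated excerpt
            return None
        data = blob[pos + 9:pos + 9 + length]
        checksum = struct.unpack_from("<H", blob, pos + 9 + length)[0]
        if checksum != sum(data) & 0xFFFF:  # TNEF checksum is a 16-bit byte sum
            return None
        if att_id == ATT_MESSAGE_CLASS:
            return data.rstrip(b"\0").decode("ascii")
        pos += 9 + length + 2
    return None


def triage_original(raw):
    """Report where a bounced original entered the mail system and what kind of message it was."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Each relay prepends its own Received: line, so the last one is the first hop
    # recorded: the server that accepted the message from the sender.
    origin = hops[-1] if hops else {"from": None, "ip": None, "by": None, "proto": None}
    ctype = msg.get_content_type()
    report = {"origin_host": origin["from"], "origin_ip": origin["ip"],
              "origin_ip_private": ipaddress.ip_address(origin["ip"]).is_private if origin["ip"] else None,
              "entry_server": origin["by"], "protocol": origin["proto"],
              "content_type": ctype, "ms_tnef": ctype == "application/ms-tnef",
              "x_mailer": msg.get("X-Mailer"), "tnef_message_class": None}
    if report["ms_tnef"]:
        report["tnef_message_class"] = tnef_message_class(msg.get_payload(decode=True))
    return report


if __name__ == "__main__":
    for label, sample in (("Outlook bounce", OUTLOOK_ORIGINAL), ("webmail bounce", WEBMAIL_ORIGINAL)):
        print(label, triage_original(sample))
```

On the Outlook bounce the origin hop is 76.203.20.228 (a public address) speaking ESMTPS to mx.google.com, with X-Mailer set to Outlook 12.0 and a TNEF body; the webmail comparison records no client IP at all, only a "with HTTP" hop, which is what a submission through the Gmail web interface looks like. The TNEF message class decodes to REPORT.IPM.Note.IPNNRN. In MAPI that class is a non-read notification report, the automatic response a client sends for a message that requested a read receipt and was then deleted unread; it matches the "Not read:" subject prefix on every one of these messages and the observation later in the thread that they go out in a batch as soon as Outlook starts, so checking Outlook's read-receipt response setting in its tracking options is a cheap test to run alongside the AV scans before concluding the client is controlled by something else.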
Shyster, good write up. The strange thing is that I use Outlook to read both my GMail and Hotmail messages but I have only seen this on the GMail account. Strange. Perhaps it's just something targeting GMail accounts?
-
Another step to take might be to set up a custom event log that flags every action taken by Outlook to send an email, then fire up Outlook and let it sit for a while to see if any of this nonsense happens again. If it does, there should be one or more entries in the custom event log giving some idea of exactly what caused Outlook to start sending emails.
-
Sounds like a good idea. How would I set something like that up?
-
I was afraid you'd ask the really hard question.
Are you running XP or Vista?
-
Running Vista Home Premium x64. I searched on Google and found the following to turn on the event logging in Outlook 2003/2007:
http://office.microsoft.com/en-us/outlook/HA011742661033.aspx
Testing it now on my work machine. -
I have noticed that it sends the emails as soon as Outlook is started and in small batches. Oddly it hasn't tried to send to any of my existing outlook contacts and only through 1 of my accounts. It seems to me to target gmail servers. Here is a related link on gmail.
http://groups.google.com/group/Gmai...ead/thread/d3b8afeb835c9458/3c2cdbece87d3ca4# -
memorito, thanks for the link. I have noticed the same thing, it only sends things on through my GMail, not Hotmail which I also access through Outlook.
-
Well as one person mentioned in that link it may just be sending messages through your default / primary Outlook address.
-
It sent it through my default also... yet it used my name from my non-default account. Figure that one out.
-
I changed my default account and have not seen any messages since. I also disabled IMAP on the account that was having the problem. I will see if it returns when I re-enable IMAP...
-
I only "sent" those messages that one time yesterday. It hasn't happened again. I am watching my sent folder carefully. I have not changed a thing.
-
So it's definitely a "Default" email account thing. I switched the default to my hotmail account and now the messages are showing up in that "Sent" box.
-
I have the same problem... this is an Outlook bug, I guess.
You can refer to the 2nd half of this thread discussion...
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3921764&SiteID=1
I have also posted about this issue at
http://groups.google.com/group/Gmail-Help-POP-and-IMAP-en/browse_thread/thread/6b98d9425958ed7c#
http://groups.google.com/group/Gmai...ad/d3b8afeb835c9458/b563d1373b7624e5?lnk=raot
Hacked?
Discussion in 'Security and Anti-Virus Software' started by Zagarinsky, Sep 24, 2008.