#1
My Outlook is compromised and being Used to Send SPAM
Hi Folks......I recently discovered that my Outlook (2003 SP3) was compromised. I have Symantec AV which scans my mail before sending. Recently it popped up with a scan when I had not sent anything. I found nothing in the "Sent Files" folder. Later I got a rejected mail notice which I examined. The headers looked like they came from me, down to the name of my PC. I've seen "spoofed" e-mail data, but this did not look like it was spoofed. Now I'm more aware of the issue and have noticed several other occasions when mail was going out but not something that I had authored.

I have a fully patched XP Pro OS, run Symantec AV small business version 10 and will be upgrading to version 11 shortly. I have scanned the PC with Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS Defender. They did not find anything serious BUT the problem continues.

Can anyone help?

Thanks....RDK
#2
On Sat, 27 Sep 2008 17:04:15 +0200, RDK wrote:
> Hi Folks......I recently discovered that my Outlook (2003 SP3) was compromised. I have Symantec AV which scans my mail before sending. Recently it popped up with a scan when I had not sent anything. I found nothing in the "Sent Files" folder. Later I got a rejected mail notice which I examined. The headers looked like they came from me, down to the name of my PC. I've seen "spoofed" e-mail data, but this did not look like it was spoofed. Now I'm more aware of the issue and have noticed several other occasions when mail was going out but not something that I had authored. I have a fully patched XP Pro OS, run Symantec AV small business version 10 and will be upgrading to version 11 shortly. I have scanned the PC with Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS Defender. They did not find anything serious BUT the problem continues. Can anyone help? Thanks....RDK

On Sat, 27 Sep 2008 05:07:00 -0700, charisma0004 wrote:
> I have not put the option on for read receipts so I never get anything like that.
> I have office 2003
> I have about 6 accounts setup
> Just a pain in the arse and unsure how to stop it doing it.
> Thanks for any help

I'm using Office 2007 and Vista 64. On Wednesday I got a delivery failure email for an email I'd never sent. This is not in itself unusual - almost all my spam is backscatter - but this email was sent _from my own mail server_. Examining the logs on my mail server I found that when I'd started up outlook, at the same time as it logged into IMAP to check for new mail, there'd been a connection made from my IP, using my username and password, to send about 8 emails.

That same day my friend noticed the same thing (we use the same server for IMAP but I also use it for SMTP whereas he has his own exchange server set up) - his exchange server had logged outgoing spam emails from him.

Further experimentation using wireshark and tcpview has confirmed that it is indeed Outlook sending the mails. The smtp details used correspond to my default mail profile and if I set my default profile to a different account the smtp credentials used by the spam change accordingly.

I'm embarrassed to admit I didn't have an anti-virus installed at the time (though I was using Windows Defender); in true barn-door-horse-bolted style I've now installed McAfee VSE 8.5, which finds nothing. My friend however did have an antivirus installed - Sophos, which also finds nothing.

As a workaround I've firewalled my server so I can't actually connect via SMTP (I'll use webmail for now) but this issue has us rather worried. Obviously I can do a complete reformat / reinstall but in the absence of any kind of information on how we've been compromised I'm reluctant to do so. Hijack This! for instance shows nothing untoward.

Can anyone recommend any useful diagnostic / troubleshooting tools for this? Alternatively, if this issue would be best dealt with on another group, can someone point me in the right direction?

Thanks in advance,
Philip Cass
#3
On Sat, 27 Sep 2008 17:04:15 +0200, RDK wrote:
> Hi Folks......I recently discovered that my Outlook (2003 SP3) was compromised. I have Symantec AV which scans my mail before sending. Recently it popped up with a scan when I had not sent anything. I found nothing in the "Sent Files" folder. Later I got a rejected mail notice which I examined. The headers looked like they came from me, down to the name of my PC. I've seen "spoofed" e-mail data, but this did not look like it was spoofed. Now I'm more aware of the issue and have noticed several other occasions when mail was going out but not something that I had authored. I have a fully patched XP Pro OS, run Symantec AV small business version 10 and will be upgrading to version 11 shortly. I have scanned the PC with Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS Defender. They did not find anything serious BUT the problem continues. Can anyone help? Thanks....RDK

Further to my last email, I've now determined (by firewalling outgoing connections from my SMTP server to trap the emails) that in my case all the emails are "Email not read" receipts. And no, I do _not_ have auto-send receipts on :P

http://forums.microsoft.com/msdn/Sho...32637&SiteID=1

There appears to be a recently introduced bug such that if outlook "notices" an email in an IMAP store, which subsequently is deleted using a different client (my server's auto-delete-junk script in my case), it will ignore receipt settings and send one anyway.
#4
Thanks for the update, but I'm not sure this applies here??? I'm running Outlook 2003 SP3. My mail is out via SMTP but coming in from a POP3 server. The "rejected mail" messages look for all the world like spam (selling meds or ink cartridges) from the subject line.

Thanks.....RDK

> Further to my last email, I've now determined (by firewalling outgoing connections from my SMTP server to trap the emails) that in my case all the emails are "Email not read" receipts. And no, I do _not_ have auto-send receipts on :P
>
> http://forums.microsoft.com/msdn/Sho...32637&SiteID=1
>
> There appears to be a recently introduced bug such that if outlook "notices" an email in an IMAP store, which subsequently is deleted using a different client (my server's auto-delete-junk script in my case), it will ignore receipt settings and send one anyway.
#5
Philip...Hmmmm, I have re-read your reply and now have a question in my mind about my problem. I just looked at the header info again and noticed that the Subject line was prefixed with "Not read:". OK, could this be an automatic reply to a SPAM message deleted (and not read) from within Outlook 2003? I thought I had Outlook configured to ask before send "read" receipts. Are "Not Read:" receipts different? If yes, how are they controlled?

Thanks...Rob

"RDK" wrote in message ...
> Thanks for the update, but I'm not sure this applies here??? I'm running Outlook 2003 SP3. My mail is out via SMTP but coming in from a POP3 server. The "rejected mail" messages look for all the world like spam (selling meds or ink cartridges) from the subject line. Thanks.....RDK
>
> > Further to my last email, I've now determined (by firewalling outgoing connections from my SMTP server to trap the emails) that in my case all the emails are "Email not read" receipts. And no, I do _not_ have auto-send receipts on :P
> >
> > http://forums.microsoft.com/msdn/Sho...32637&SiteID=1
> >
> > There appears to be a recently introduced bug such that if outlook "notices" an email in an IMAP store, which subsequently is deleted using a different client (my server's auto-delete-junk script in my case), it will ignore receipt settings and send one anyway.
#6
(This is still Philip Cass but I'm in a different location and sending using MS's web interface)

"RDK" wrote:
> Philip...Hmmmm, I have re-read your reply and now have a question in my mind about my problem. I just looked at the header info again and noticed that the Subject line was prefixed with "Not read:". OK, could this be an automatic reply to a SPAM message deleted (and not read) from within Outlook 2003? I thought I had Outlook configured to ask before send "read" receipts. Are "Not Read:" receipts different? If yes, how are they controlled? Thanks...Rob

That does indeed sound like my problem, looks like it's an issue with 2003 as well as 2007 then. I think there's been a recent update that's changed the behaviour of how these unread receipts are sent out; certainly afaik they _should_ be controlled with the "ask before send" option. Per that forum link, they are certainly still sent out with the "don't send at all" option.
#7
This is a problem with outlook 2002 as well, see my "How can I stop delivery receipts" dated 25/09/08. I had first, wrongly, thought that outlook was trying to send delivery receipts, but have now found out that it's trying to send these "Not read" receipts. It tries to send them back to the address of the spam e-mail, but this of course could have been spoofed.

These e-mails also ask for delivery receipts, read receipts & a receipt to say when you delete the e-mail. I have no control over the delivery receipts, but have outlook set to ask confirmation for the other two, (though I've never been asked about sending a read receipt as I've never opened any of these mails).

Another point to note is that these not read receipts by-pass my anti-virus scanning. All my incoming & outgoing mail goes through Norton, also any read receipts which I allow, also go through Norton, but these not read receipts are sent directly through outlook. They don't show in my out box or sent files folder, so I can't delete them.

I haven't actually sent any of these not read receipts, as the e-mail account in question where I'm sent the original spam e-mails is not my main one, so I'm not connected to the internet with this account. The not read receipt is sent back using this account, but the ISP rejects the sending of the receipt as I'm not using them to connect to the internet, sending can only be done when I am connected through them. (I can receive, but not send). Therefore outlook just keeps trying to send the messages & will not stop. The only way to stop outlook would be to connect to my other ISP & allow them to be sent, or as I do, & replace my .pst file with a backup copy.

I have now found, using Microsoft's MDBVU32.exe application, that these not read receipts are in the root folder of the .pst file (which is not visible to the user in outlook). At that time I had two not read messages, so tried to delete them using the application, but this failed to work, (don't know if it was maybe something I was doing wrong, so will try again if I get any more). I had to replace the .pst file with my backup to get rid of them.

"frymaster127" wrote in message ...
> (This is still Philip Cass but I'm in a different location and sending using MS's web interface)
>
> "RDK" wrote:
> > Philip...Hmmmm, I have re-read your reply and now have a question in my mind about my problem. I just looked at the header info again and noticed that the Subject line was prefixed with "Not read:". OK, could this be an automatic reply to a SPAM message deleted (and not read) from within Outlook 2003? I thought I had Outlook configured to ask before send "read" receipts. Are "Not Read:" receipts different? If yes, how are they controlled? Thanks...Rob
>
> That does indeed sound like my problem, looks like it's an issue with 2003 as well as 2007 then. I think there's been a recent update that's changed the behaviour of how these unread receipts are sent out; certainly afaik they _should_ be controlled with the "ask before send" option. Per that forum link, they are certainly still sent out with the "don't send at all" option.
#8
See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the same on all versions of outlook.

Outlook doesn't respond to Delivery receipts - your mail server (ISP) sends them. Outlook handles the read/not read receipts. If Norton is intercepting all SMTP traffic, the not read receipts are handled by norton.

Also, both read and not read receipts are held in the root folder until sent. There is absolutely no difference in how they are handled - a receipt is a receipt.

The 'never send' or 'always ask' option should work when deleting junk too - but if you use an exchange acct, the settings may not apply if you use outlook 2003 and 2002.

--
Diane Poremsky [MVP - Outlook]
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com
Outlook Tips by email:
EMO - a weekly newsletter about Outlook and Exchange:
You can access this newsgroup by visiting http://www.microsoft.com/office/comm...s/default.mspx or point your newsreader to msnews.microsoft.com.

"Robert" wrote in message ...
> This is a problem with outlook 2002 as well, see my "How can I stop delivery receipts" dated 25/09/08. I had first, wrongly, thought that outlook was trying to send delivery receipts, but have now found out that it's trying to send these "Not read" receipts. It tries to send them back to the address of the spam e-mail, but this of course could have been spoofed. These e-mails also ask for delivery receipts, read receipts & a receipt to say when you delete the e-mail. I have no control over the delivery receipts, but have outlook set to ask confirmation for the other two, (though I've never been asked about sending a read receipt as I've never opened any of these mails). Another point to note is that these not read receipts by-pass my anti-virus scanning. All my incoming & outgoing mail goes through Norton, also any read receipts which I allow, also go through Norton, but these not read receipts are sent directly through outlook. They don't show in my out box or sent files folder, so I can't delete them. I haven't actually sent any of these not read receipts, as the e-mail account in question where I'm sent the original spam e-mails is not my main one, so I'm not connected to the internet with this account. The not read receipt is sent back using this account, but the ISP rejects the sending of the receipt as I'm not using them to connect to the internet, sending can only be done when I am connected through them. (I can receive, but not send). Therefore outlook just keeps trying to send the messages & will not stop. The only way to stop outlook would be to connect to my other ISP & allow them to be sent, or as I do, & replace my .pst file with a backup copy. I have now found, using Microsoft's MDBVU32.exe application, that these not read receipts are in the root folder of the .pst file (which is not visible to the user in outlook). At that time I had two not read messages, so tried to delete them using the application, but this failed to work, (don't know if it was maybe something I was doing wrong, so will try again if I get any more). I had to replace the .pst file with my backup to get rid of them.
>
> "frymaster127" wrote in message ...
> > (This is still Philip Cass but I'm in a different location and sending using MS's web interface)
> >
> > "RDK" wrote:
> > > Philip...Hmmmm, I have re-read your reply and now have a question in my mind about my problem. I just looked at the header info again and noticed that the Subject line was prefixed with "Not read:". OK, could this be an automatic reply to a SPAM message deleted (and not read) from within Outlook 2003? I thought I had Outlook configured to ask before send "read" receipts. Are "Not Read:" receipts different? If yes, how are they controlled? Thanks...Rob
> >
> > That does indeed sound like my problem, looks like it's an issue with 2003 as well as 2007 then. I think there's been a recent update that's changed the behaviour of how these unread receipts are sent out; certainly afaik they _should_ be controlled with the "ask before send" option. Per that forum link, they are certainly still sent out with the "don't send at all" option.
#9
Diane....Thank you for your response. Note: XP Pro SP3, Outlook 2003 SP3, e-mail via POP servers on the Internet.

I think what I'm seeing are "Not read" receipts which were requested by some SPAM notes which were deleted from my Outlook without being read. I have setup my Tracking options to "Never Send a Response", but the surrounding text only talks about "read receipts". Are "Not read" receipts handled differently?

Thanks again....RDK

"Diane Poremsky [MVP]" wrote in message ...
> See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the same on all versions of outlook. Outlook doesn't respond to Delivery receipts - your mail server (ISP) sends them. Outlook handles the read/not read receipts. If Norton is intercepting all SMTP traffic, the not read receipts are handled by norton. Also, both read and not read receipts are held in the root folder until sent. There is absolutely no difference in how they are handled - a receipt is a receipt. The 'never send' or 'always ask' option should work when deleting junk too - but if you use an exchange acct, the settings may not apply if you use outlook 2003 and 2002.
>
> --
> Diane Poremsky [MVP - Outlook]
> Outlook Tips: http://www.outlook-tips.net/
> Outlook & Exchange Solutions Center: http://www.slipstick.com
> Outlook Tips by email:
> EMO - a weekly newsletter about Outlook and Exchange:
> You can access this newsgroup by visiting http://www.microsoft.com/office/comm...s/default.mspx or point your newsreader to msnews.microsoft.com.
>
> "Robert" wrote in message ...
#10
I tried outlook spy the other day and didn't see anything, but I'm very willing to believe I failed.

Norton may very well not think there's anything wrong with the emails - certainly there's no malicious content in them, and no suspicious content other than the subject name. My spam filter, for example, isn't catching all of the incoming Not Read: backscatter that's started to appear, for just that reason - and because I have legitimate examples that it's learned about.

When deleting Junk in outlook I'm perfectly willing to believe it respects your receipt sending preferences. However this is manifestly _NOT_ the case if the junk is downloaded by outlook, and then deleted by another client - for instance after 7am, when my IMAP server deletes all mail in my spam folder over 3 days old, outlook will send a small number of not read: receipts next time it connects.

1 month ago no spam in my junk folders out of about 8000 had the line "X-Confirm-Reading-To" in it. Today 962 out of 1440 does - hence why everyone's started noticing this. Additionally about 40 of those 1440 is in itself read-receipt backscatter, and most of the rest is standard smtp server backscatter. In other words, this issue is only going to get worse.

"Diane Poremsky [MVP]" wrote:
> See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the same on all versions of outlook. Outlook doesn't respond to Delivery receipts - your mail server (ISP) sends them. Outlook handles the read/not read receipts. If Norton is intercepting all SMTP traffic, the not read receipts are handled by norton. Also, both read and not read receipts are held in the root folder until sent. There is absolutely no difference in how they are handled - a receipt is a receipt. The 'never send' or 'always ask' option should work when deleting junk too - but if you use an exchange acct, the settings may not apply if you use outlook 2003 and 2002.
>
> --
> Diane Poremsky [MVP - Outlook]
> Outlook Tips: http://www.outlook-tips.net/
> Outlook & Exchange Solutions Center: http://www.slipstick.com
> Outlook Tips by email:
> EMO - a weekly newsletter about Outlook and Exchange:
> You can access this newsgroup by visiting http://www.microsoft.com/office/comm...s/default.mspx or point your newsreader to msnews.microsoft.com.
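
Added example, not part of any post in this thread: a Python sketch of the junk-folder count described above, which flags messages that request a receipt (the thread's `X-Confirm-Reading-To`, plus the standard `Disposition-Notification-To` and legacy `Return-Receipt-To`) and messages that are themselves receipts. The function names and the sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Headers that ask the recipient's mail client to send a receipt.
# X-Confirm-Reading-To is the one counted in the thread; the other two are the
# standard (RFC 8098) and legacy forms of the same request.
REQUEST_HEADERS = ("Disposition-Notification-To", "X-Confirm-Reading-To",
                   "Return-Receipt-To")


def classify(raw):
    """Describe one raw message (bytes) from the point of view of receipts."""
    msg = email.message_from_bytes(raw)
    targets = sorted({addr.lower()
                      for header in REQUEST_HEADERS
                      for _, addr in getaddresses(msg.get_all(header, []))
                      if addr})
    senders = {addr.lower()
               for _, addr in getaddresses(msg.get_all("From", []))}
    # A receipt (MDN) is multipart/report; report-type=disposition-notification.
    is_mdn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower()
              == "disposition-notification")
    subject = str(msg.get("Subject", "")).strip().lower()
    return {
        "requests_receipt": bool(targets),
        "receipt_targets": targets,
        # True when a receipt would go to an address other than From:.
        "target_differs_from_sender": any(t not in senders for t in targets),
        "is_receipt": is_mdn or subject.startswith(("not read:", "read:")),
    }


def summarize(raw_messages):
    """Count receipt requests and received receipts across a folder."""
    results = [classify(raw) for raw in raw_messages]
    return {
        "total": len(results),
        "requesting_receipt": sum(r["requests_receipt"] for r in results),
        "receipts_received": sum(r["is_receipt"] for r in results),
    }


# Constructed sample messages (example.* domains), not taken from the thread.
SAMPLES = [
    b"From: Sales <promo@spam.example>\r\nTo: user@home.example\r\n"
    b"Subject: Cheap ink cartridges\r\n"
    b"X-Confirm-Reading-To: someone@elsewhere.example\r\n\r\nBuy now\r\n",
    b"From: friend@home.example\r\nTo: user@home.example\r\n"
    b"Subject: Lunch?\r\n\r\nNoon?\r\n",
    b"From: someone@elsewhere.example\r\nTo: user@home.example\r\n"
    b"Subject: Not read: Cheap meds\r\n"
    b"Content-Type: multipart/report; "
    b"report-type=disposition-notification; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nDeleted unread.\r\n--b1--\r\n",
    b"From: promo@spam.example\r\nTo: user@home.example\r\nSubject: Meds\r\n"
    b"Disposition-Notification-To: promo@spam.example\r\n\r\nHi\r\n",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
    for raw in SAMPLES:
        print(classify(raw))
```

To run it over a real folder, pass `summarize` the raw bytes of each message, for example as read from a Maildir or fetched over IMAP.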