A Microsoft Office (Excel, Word) forum. OfficeFrustration


My Outlook is compromised and being Used to Send SPAM



 
 
#1
September 27th, 2008, 04:04 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
RDK[_2_]

Hi Folks......I recently discovered that my Outlook (2003 SP3) was
compromised. I have Symantec AV which scans my mail before sending.
Recently it popped up with a scan when I had not sent anything. I found
nothing in the "Sent Files" folder. Later I got a rejected mail notice
which I examined. The headers looked like they came from me, down to the
name of my PC. I've seen "spoofed" e-mail data, but this did not look like
it was spoofed.

Now I'm more aware of the issue and have noticed several other occasions
when mail was going out but not something that I had authored.

I have a fully patched XP Pro OS, run Symantec AV small business version 10
and will be upgrading to version 11 shortly. I have scanned the PC with
Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS Defender.
They did not find anything serious BUT the problem continues.

Can anyone help?

Thanks....RDK


#2
September 27th, 2008, 06:21 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
Philip Cass

On Sat, 27 Sep 2008 17:04:15 +0200, RDK wrote:

Hi Folks......I recently discovered that my Outlook (2003 SP3) was
compromised. I have Symantec AV which scans my mail before sending.
Recently it popped up with a scan when I had not sent anything. I found
nothing in the "Sent Files" folder. Later I got a rejected mail notice
which I examined. The headers looked like they came from me, down to
the name of my PC. I've seen "spoofed" e-mail data, but this did not
look like it was spoofed.

Now I'm more aware of the issue and have noticed several other occasions
when mail was going out but not something that I had authored.

I have a fully patched XP Pro OS, run Symantec AV small business version
10 and will be upgrading to version 11 shortly. I have scanned the PC
with Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS
Defender. They did not find anything serious BUT the problem continues.

Can anyone help?

Thanks....RDK


On Sat, 27 Sep 2008 05:07:00 -0700, charisma0004 wrote:

I have not put the option on for read receipts so I never get anything
like that.

I have office 2003
I have about 6 accounts setup

Just a pain in the arse and unsure how to stop it doing it. Thanks for
any help


I'm using Office 2007 and Vista 64. On Wednesday I got a delivery
failure email for an email I'd never sent.

This is not in itself unusual - almost all my spam is backscatter - but
this email was sent _from my own mail server_. Examining the logs on my
mail server I found that when I'd started up outlook, at the same time as
it logged into IMAP to check for new mail, there'd been a connection made
from my IP, using my username and password, to send about 8 emails.

That same day my friend noticed the same thing (we use the same server
for IMAP but I also use it for SMTP whereas he has his own exchange
server set up) - his exchange server had logged outgoing spam emails from
him.

Further experimentation using wireshark and tcpview has confirmed that it
is indeed Outlook sending the mails. The smtp details used correspond to
my default mail profile and if I set my default profile to a different
account the smtp credentials used by the spam change accordingly.

I'm embarrassed to admit I didn't have an anti-virus installed at the time
(though I was using Windows Defender); in true barn-door-horse-bolted
style I've now installed McAfee VSE 8.5, which finds nothing. My friend
however did have an antivirus installed - Sophos, which also finds
nothing.

As a workaround I've firewalled my server so I can't actually connect via
SMTP (I'll use webmail for now) but this issue has us rather worried.
Obviously I can do a complete reformat / reinstall but in the absence of
any kind of information on how we've been compromised I'm reluctant to do
so. Hijack This! for instance shows nothing untoward.



Can anyone recommend any useful diagnostic / troubleshooting tools for
this? Alternatively, if this issue would be best dealt with on another
group, can someone point me in the right direction?


Thanks in advance,
Philip Cass

#3
September 27th, 2008, 08:19 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
Philip Cass

On Sat, 27 Sep 2008 17:04:15 +0200, RDK wrote:

Hi Folks......I recently discovered that my Outlook (2003 SP3) was
compromised. I have Symantec AV which scans my mail before sending.
Recently it popped up with a scan when I had not sent anything. I found
nothing in the "Sent Files" folder. Later I got a rejected mail notice
which I examined. The headers looked like they came from me, down to
the name of my PC. I've seen "spoofed" e-mail data, but this did not
look like it was spoofed.

Now I'm more aware of the issue and have noticed several other occasions
when mail was going out but not something that I had authored.

I have a fully patched XP Pro OS, run Symantec AV small business version
10 and will be upgrading to version 11 shortly. I have scanned the PC
with Spybot, Ad-Aware, SUPERAntiSpyware, PCTools Spyware Doctor, and MS
Defender. They did not find anything serious BUT the problem continues.

Can anyone help?

Thanks....RDK


Further to my last email, I've now determined (by firewalling outgoing
connections from my SMTP server to trap the emails) that in my case all
the emails are "Email not read" receipts. And no, I do _not_ have auto-
send receipts on :P

http://forums.microsoft.com/msdn/Sho...32637&SiteID=1

There appears to be a recently introduced bug such that if outlook
"notices" an email in an IMAP store, which subsequently is deleted using
a different client (my server's auto-delete-junk script in my case), it
will ignore receipt settings and send one anyway.

#4
September 28th, 2008, 06:17 AM, posted to microsoft.public.outlook, microsoft.public.outlook.general
RDK[_3_]

Thanks for the update, but I'm not sure this applies here??? I'm running
Outlook 2003 SP3. My mail is out via SMTP but coming in from a POP3 server.
The "rejected mail" messages look for all the world like spam (selling meds
or ink cartridges) from the subject line.

Thanks.....RDK

Further to my last email, I've now determined (by firewalling outgoing
connections from my SMTP server to trap the emails) that in my case all
the emails are "Email not read" receipts. And no, I do _not_ have auto-
send receipts on :P

http://forums.microsoft.com/msdn/Sho...32637&SiteID=1

There appears to be a recently introduced bug such that if outlook
"notices" an email in an IMAP store, which subsequently is deleted using
a different client (my server's auto-delete-junk script in my case), it
will ignore receipt settings and send one anyway.



#5
September 28th, 2008, 12:43 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
RDK[_3_]

Philip...Hmmmm, I have re-read your reply and now have a question in my mind
about my problem.

I just looked at the header info again and noticed that the Subject line was
prefixed with "Not read:". OK, could this be an automatic reply to a SPAM
message deleted (and not read) from within Outlook 2003? I thought I had
Outlook configured to ask before send "read" receipts. Are "Not Read:"
receipts different? If yes, how are they controlled?

Thanks...Rob

"RDK" wrote in message
...
Thanks for the update, but I'm not sure this applies here??? I'm running
Outlook 2003 SP3. My mail is out via SMTP but coming in from a POP3
server. The "rejected mail" messages look for all the world like spam
(selling meds or ink cartridges) from the subject line.

Thanks.....RDK

Further to my last email, I've now determined (by firewalling outgoing
connections from my SMTP server to trap the emails) that in my case all
the emails are "Email not read" receipts. And no, I do _not_ have auto-
send receipts on :P

http://forums.microsoft.com/msdn/Sho...32637&SiteID=1

There appears to be a recently introduced bug such that if outlook
"notices" an email in an IMAP store, which subsequently is deleted using
a different client (my server's auto-delete-junk script in my case), it
will ignore receipt settings and send one anyway.





#6
September 28th, 2008, 01:25 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
frymaster127

(This is still Philip Cass but I'm in a different location and sending using
MS's web interface)

"RDK" wrote:

Philip...Hmmmm, I have re-read your reply and now have a question in my mind
about my problem.

I just looked at the header info again and noticed that the Subject line was
prefixed with "Not read:". OK, could this be an automatic reply to a SPAM
message deleted (and not read) from within Outlook 2003? I thought I had
Outlook configured to ask before send "read" receipts. Are "Not Read:"
receipts different? If yes, how are they controlled?

Thanks...Rob


That does indeed sound like my problem, looks like it's an issue with 2003
as well as 2007 then. I think there's been a recent update that's changed
the behaviour of how these unread receipts are sent out; certainly afaik
they _should_ be controlled with the "ask before send" option. Per that
forum link, they are certainly still sent out with the "don't send at all"
option.

#7
September 28th, 2008, 10:18 PM, posted to microsoft.public.outlook, microsoft.public.outlook.general
Robert[_24_]

This is a problem with outlook 2002 as well, see my "How can I stop delivery
receipts" dated 25/09/08. I had first, wrongly, thought that outlook was
trying to send delivery receipts, but have now found out that it's trying to
send these "Not read" receipts. It tries to send them back to the address of
the spam e-mail, but this of course could have been spoofed. These e-mails
also ask for delivery receipts, read receipts & a receipt to say when you
delete the e-mail. I have no control over the delivery receipts, but have
outlook set to ask confirmation for the other two, (though I've never been
asked about sending a read receipt as I've never opened any of these mails).

Another point to note is that these not read receipts by-pass my anti-virus
scanning. All my incoming & outgoing mail goes through Norton, also any
read receipts which I allow, also go through Norton, but these not read
receipts are sent directly through outlook. They don't show in my out box or
sent files folder, so I can't delete them. I haven't actually sent any of
these not read receipts, as the e-mail account in question where I'm sent
the original spam e-mails is not my main one, so I'm not connected to the
internet with this account. The not read receipt is sent back using this
account, but the ISP rejects the sending of the receipt as I'm not using
them to connect to the internet, sending can only be done when I am
connected through them. (I can receive, but not send). Therefore outlook
just keeps trying to send the messages & will not stop. The only way to stop
outlook would be to connect to my other ISP & allow them to be sent, or as I
do, & replace my .pst file with a backup copy.

I have now found, using Microsoft's MDBVU32.exe application, that these not
read receipts are in the root folder of the .pst file (which is not visible
to the user in outlook). At that time I had two not read messages, so tried
to delete them using the application, but this failed to work, (don't know
if it was maybe something I was doing wrong, so will try again if I get any
more). I had to replace the .pst file with my backup to get rid of them.


"frymaster127" wrote in message
...
(This is still Philip Cass but I'm in a different location and sending using
MS's web interface)

"RDK" wrote:

Philip...Hmmmm, I have re-read your reply and now have a question in my mind
about my problem.

I just looked at the header info again and noticed that the Subject line was
prefixed with "Not read:". OK, could this be an automatic reply to a SPAM
message deleted (and not read) from within Outlook 2003? I thought I had
Outlook configured to ask before send "read" receipts. Are "Not Read:"
receipts different? If yes, how are they controlled?

Thanks...Rob


That does indeed sound like my problem, looks like it's an issue with 2003
as well as 2007 then. I think there's been a recent update that's changed
the behaviour of how these unread receipts are sent out; certainly afaik
they _should_ be controlled with the "ask before send" option. Per that
forum link, they are certainly still sent out with the "don't send at all"
option.



#8
September 29th, 2008, 05:14 AM, posted to microsoft.public.outlook, microsoft.public.outlook.general
Diane Poremsky [MVP]

See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the same
on all versions of outlook.

Outlook doesn't respond to Delivery receipts - your mail server (ISP) sends
them. Outlook handles the read/not read receipts.

If Norton is intercepting all SMTP traffic, the not read receipts are
handled by norton. Also, both read and not read receipts are held in the
root folder until sent. There is absolutely no difference in how they are
handled - a receipt is a receipt.

The 'never send' or 'always ask' option should work when deleting junk too -
but if you use an exchange acct, the settings may not apply if you use
outlook 2003 and 2002.

--
Diane Poremsky [MVP - Outlook]
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com

Outlook Tips by email:


EMO - a weekly newsletter about Outlook and Exchange:


You can access this newsgroup by visiting
http://www.microsoft.com/office/comm...s/default.mspx or point your
newsreader to msnews.microsoft.com.


"Robert" wrote in message
...
This is a problem with outlook 2002 as well, see my "How can I stop
delivery receipts" dated 25/09/08. I had first, wrongly, thought that
outlook was trying to send delivery receipts, but have now found out that
it's trying to send these "Not read" receipts. It tries to send them back
to the address of the spam e-mail, but this of course could have been
spoofed. These e-mails also ask for delivery receipts, read receipts & a
receipt to say when you delete the e-mail. I have no control over the
delivery receipts, but have outlook set to ask confirmation for the other
two, (though I've never been asked about sending a read receipt as I've
never opened any of these mails).

Another point to note is that these not read receipts by-pass my
anti-virus scanning. All my incoming & outgoing mail goes through Norton,
also any read receipts which I allow, also go through Norton, but these
not read receipts are sent directly through outlook. They don't show in my
out box or sent files folder, so I can't delete them. I haven't actually
sent any of these not read receipts, as the e-mail account in question
where I'm sent the original spam e-mails is not my main one, so I'm not
connected to the internet with this account. The not read receipt is sent
back using this account, but the ISP rejects the sending of the receipt as
I'm not using them to connect to the internet, sending can only be done
when I am connected through them. (I can receive, but not send). Therefore
outlook just keeps trying to send the messages & will not stop. The only
way to stop outlook would be to connect to my other ISP & allow them to be
sent, or as I do, & replace my .pst file with a backup copy.

I have now found, using Microsoft's MDBVU32.exe application, that these
not read receipts are in the root folder of the .pst file (which is not
visible to the user in outlook). At that time I had two not read messages,
so tried to delete them using the application, but this failed to work,
(don't know if it was maybe something I was doing wrong, so will try again
if I get any more). I had to replace the .pst file with my backup to get
rid of them.


"frymaster127" wrote in message
...
(This is still Philip Cass but I'm in a different location and sending using
MS's web interface)

"RDK" wrote:

Philip...Hmmmm, I have re-read your reply and now have a question in my mind
about my problem.

I just looked at the header info again and noticed that the Subject line was
prefixed with "Not read:". OK, could this be an automatic reply to a SPAM
message deleted (and not read) from within Outlook 2003? I thought I had
Outlook configured to ask before send "read" receipts. Are "Not Read:"
receipts different? If yes, how are they controlled?

Thanks...Rob


That does indeed sound like my problem, looks like it's an issue with 2003
as well as 2007 then. I think there's been a recent update that's changed
the behaviour of how these unread receipts are sent out; certainly afaik
they _should_ be controlled with the "ask before send" option. Per that
forum link, they are certainly still sent out with the "don't send at all"
option.



#9
September 29th, 2008, 08:30 AM, posted to microsoft.public.outlook, microsoft.public.outlook.general
RDK[_2_]

Diane....Thank you for your response. Note: XP ProSP3, Outlook 2003 SP3,
e-mail via POP servers on the Internet.

I think what I'm seeing are "Not read" receipts which were requested by some
SPAM notes which were deleted from my Outlook without being read. I have
set up my Tracking options to "Never Send a Response", but the surrounding
text only talks about "read receipts". Are "Not read" receipts handled
differently?

Thanks again....RDK

"Diane Poremsky [MVP]" wrote in message
...
See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the
same on all versions of outlook.

Outlook doesn't respond to Delivery receipts - your mail server (ISP)
sends them. Outlook handles the read/not read receipts.

If Norton is intercepting all SMTP traffic, the not read receipts are
handled by norton. Also, both read and not read receipts are held in the
root folder until sent. There is absolutely no difference in how they are
handled - a receipt is a receipt.

The 'never send' or 'always ask' option should work when deleting junk
too - but if you use an exchange acct, the settings may not apply if you
use outlook 2003 and 2002.

--
Diane Poremsky [MVP - Outlook]
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com

Outlook Tips by email:


EMO - a weekly newsletter about Outlook and Exchange:


You can access this newsgroup by visiting
http://www.microsoft.com/office/comm...s/default.mspx or point your
newsreader to msnews.microsoft.com.


"Robert" wrote in message
...



#10
September 29th, 2008, 10:12 AM, posted to microsoft.public.outlook, microsoft.public.outlook.general
frymaster127

I tried outlook spy the other day and didn't see anything, but I'm very
willing to believe I failed.

Norton may very well not think there's anything wrong with the emails -
certainly there's no malicious content in them, and no suspicious content
other than the subject name. My spam filter, for example, isn't catching all
of the incoming Not Read: backscatter that's started to appear, for just that
reason - and because I have legitimate examples that it's learned about.

When deleting Junk in outlook I'm perfectly willing to believe it respects
your receipt sending preferences. However this is manifestly _NOT_ the case
if the junk is downloaded by outlook, and then deleted by another client -
for instance after 7am, when my IMAP server deletes all mail in my spam
folder over 3 days old, outlook will send a small number of not read:
receipts next time it connects.

1 month ago no spam in my junk folders out of about 8000 had the line
"X-Confirm-Reading-To" in it. Today 962 out of 1440 does - hence why
everyone's started noticing this. Additionally about 40 of those 1440 is in
itself read-receipt backscatter, and most of the rest is standard smtp server
backscatter. In other words, this issue is only going to get worse.



"Diane Poremsky [MVP]" wrote:

See http://www.outlook-tips.net/howto/delete_rr.htm - the method is the same
on all versions of outlook.

Outlook doesn't respond to Delivery receipts - your mail server (ISP) sends
them. Outlook handles the read/not read receipts.

If Norton is intercepting all SMTP traffic, the not read receipts are
handled by norton. Also, both read and not read receipts are held in the
root folder until sent. There is absolutely no difference in how they are
handled - a receipt is a receipt.

The 'never send' or 'always ask' option should work when deleting junk too -
but if you use an exchange acct, the settings may not apply if you use
outlook 2003 and 2002.

--
Diane Poremsky [MVP - Outlook]
Outlook Tips: http://www.outlook-tips.net/
Outlook & Exchange Solutions Center: http://www.slipstick.com

Outlook Tips by email:


EMO - a weekly newsletter about Outlook and Exchange:


You can access this newsgroup by visiting
http://www.microsoft.com/office/comm...s/default.mspx or point your
newsreader to msnews.microsoft.com.
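
Added example (not part of any post in this thread): post #10 counts junk mail carrying `X-Confirm-Reading-To`, and post #3 traps outgoing "Not read:" receipts at the mail server. The Python sketch below performs both checks on raw messages with the standard `email` module. The sample messages and addresses are constructed, and it assumes receipts are formatted as `multipart/report` disposition notifications, falling back to the "Not read:" subject prefix otherwise.

```python
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

# Headers asking the reading client for a read / not-read receipt.
# X-Confirm-Reading-To is the header counted in the thread;
# Disposition-Notification-To is the standard MDN request header (RFC 8098).
REQUEST_HEADERS = ("Disposition-Notification-To", "X-Confirm-Reading-To")

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def receipt_targets(msg):
    """Map each receipt-request header present to the address it names."""
    return {h: parseaddr(str(msg[h]))[1] for h in REQUEST_HEADERS if msg[h]}

def mdn_disposition(msg):
    """Return 'deleted', 'displayed', ... if msg is itself a receipt, else None."""
    is_report = (msg.get_content_type() == "multipart/report" and
                 str(msg.get_param("report-type", "")).lower()
                 == "disposition-notification")
    # Assumption: fall back to the "Not read:" subject prefix seen in the thread.
    if not is_report and not str(msg.get("Subject", "")).lower().startswith("not read:"):
        return None
    for part in msg.walk():
        field = part.get("Disposition")  # lives in message/disposition-notification
        if field:
            return str(field).rsplit(";", 1)[-1].split("/")[0].strip().lower()
    return "unknown"

def triage(raw_messages):
    """Count receipt-requesting mail, receipts, and everything else."""
    counts = Counter()
    for raw in raw_messages:
        msg = parse(raw)
        disposition = mdn_disposition(msg)
        if disposition is not None:
            counts["receipt:" + disposition] += 1
        elif receipt_targets(msg):
            counts["requests_receipt"] += 1
        else:
            counts["plain"] += 1
    return counts

# Constructed sample messages (example.* addresses), not taken from the thread.
SPAM_A = ("From: bulk@example.net\nTo: user@example.org\nSubject: Cheap ink\n"
          "X-Confirm-Reading-To: <bulk@example.net>\n\nbuy now\n")
SPAM_B = ("From: bulk@example.net\nTo: user@example.org\nSubject: Meds\n"
          "Disposition-Notification-To: \"Victim\" <third.party@example.com>\n\nbuy\n")
PLAIN = "From: friend@example.org\nTo: user@example.org\nSubject: Lunch?\n\nhi\n"
NOT_READ = """\
From: user@example.org
To: bulk@example.net
Subject: Not read: Cheap ink
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

The message was deleted without being read.
--b1
Content-Type: message/disposition-notification

Final-Recipient: rfc822;user@example.org
Disposition: automatic-action/MDN-sent-automatically; deleted
--b1--
"""
SAMPLES = [SPAM_A, SPAM_B, PLAIN, NOT_READ]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

`receipt_targets` returns the address a receipt would be sent to, which, as in `SPAM_B`, need not match the `From:` line; that is the spoofed-address backscatter case raised in post #7.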


 




All times are GMT +1.