
Spoofed email



Michael Weber
01-03-2016, 1:49 PM
Someone spoofed my email address and daily I'm getting between hundreds and thousands of "Mailer-Daemon@yahoo.com" delivery failure messages. I've directed these to my spam box so I don't see them but is there anything I can do to stop this entirely?

Rich Riddle
01-03-2016, 2:25 PM
You need to immediately change your password.

Matt Day
01-03-2016, 3:01 PM
Agreed. This happens a lot. That's why you sometimes receive weird emails from friends with shady text and a link.

Rich Engelhardt
01-03-2016, 3:06 PM
Go to www.antivirus.com and run an online scan of your PC ASAP, if not sooner.

Now the bad news...

Your PC is sending out hundreds of emails every hour or sooner.
The most likely cause is that it's infected with a mail daemon virus. The virus sets up its own mail daemon and acts exactly like an email server. It reads your address book, then sends out hundreds and thousands of emails to whatever email addresses it thinks are out there.

For instance - rich@rich.com in your address book may be legitimate. The virus would send that out, with your email as a return address, and it would be a valid email and not bounce. Next the virus would try rich1@rich.com, then rich2@rich.com, then rich3@rich.com and so on and so forth. Since those are invalid, they would bounce back to you - because your email is a valid return address.
YMMV on exactly how it's working on your particular PC - the above is pretty generic and really not 100% true - just so I can point out how it happens. To go into all the true details of the process, it would take days and fill up several threads....

The first thing you need to do is shut down the email daemon on your PC. If you don't, you will probably have your internet account suspended by your ISP since you're flooding the pipe for everyone with bogus emails.

Hopefully, access to www.antivirus.com isn't blocked to your PC.

I ran into this type of mailer daemon virus all the time before I retired. It's annoying.

Oh yeah - - forgot - - change your password(s) also.

Michael Weber
01-03-2016, 7:04 PM
Oops, forgot to say I'm only using an iPad. The PC upstairs has been off since before Christmas.
Edit to say I also have an Android phone. Also, I'm not seeing anything in the "sent" folder. Would they show up in there if being sent from my email account?

Dan Hintz
01-03-2016, 8:59 PM
You need to immediately change your password.
This will do nothing...


Now the bad news...

Your PC is sending out hundreds of emails every hour or sooner.
The most likely cause is that it's infected with a mail daemon virus. The virus sets up its own mail daemon and acts exactly like an email server. It reads your address book, then sends out hundreds and thousands of emails to whatever email addresses it thinks are out there.

Possible, but not the most likely culprit. Anyone worth their weight in hacking salt will attack at the server level, not your personal system. It's simply faster to send emails using the server directly as a decent server will shut down your link if your personal PC started spamming that much email.



If they spoofed your email address (extremely easy to do), all returns get sent back to you. Also, this has ZERO to do with your personal computer OR your ISP server... it's like China mass-calling Russian numbers, and everyone that fails rings your phone instead. You're just on the wrong side of the stick, but nothing you had was compromised (likely).

paul cottingham
01-03-2016, 10:42 PM
You may have a virus. Many of them go through your address book of your email client and email themselves to everyone you know.

or, as said above, someone has just spoofed your email address.

Rich Engelhardt
01-03-2016, 10:49 PM
Also, I'm not seeing anything in the "sent" folder. Would they show up in there if being sent from my email account?
No, because the mail daemon the virus spawns doesn't use your email account.


Possible, but not the most likely culprit. Anyone worth their weight in hacking salt will attack at the server level, not your personal system. It's simply faster to send emails using the server directly as a decent server will shut down your link if your personal PC started spamming that much email.

This mail daemon virus is old old old technology.
One of the bad things about malware & viri is that they seldom if ever die.
They run their course, then when all the anti packages have shut them down, they are forgotten....

Until a new crop of miscreants drags them back and relaunches them under a different name.

Another possibility is that someone else has a virus - someone you know and have sent an email to. That person's infected machine and/or account has inserted your email address in the "sent from" line.
Ex. If I send an email using your valid email address as the "sent from", it will appear to come from your account & all bounced email will return to your account.

Since the device appears to be a non windows OS, I can't be of much further help tracking down the source.
Sorry.

It's entirely possible though that someone has started to launch attacks against the Android OS & they decided to dig up some of the old Windows attacks and rewrite them for the Android.

Dan Hintz
01-04-2016, 7:05 AM
Guys, this isn't likely to be a virus (everyone blames every bad computer issue on a virus... they're not nearly as prevalent as some make them out to be). The OP mentioned receiving 100s to 1,000s of bounce-backs... do they actually have 1,000s of email addresses in their address book? Unlikely. Gone are the simple days of a macro that infects your Outlook address book and replicates itself to everyone on the list. That would take entirely too long to do what they want to do (advertise spam links).

Rich Engelhardt
01-04-2016, 9:39 AM
That would take entirely too long to do what they want to do

And if the goal is to just simply say "Look what I did"?
I'm far from one that runs to blame a virus or malware for every little thing that happens... but... these symptoms are classic mailer daemon.
Back when I was in the field, I ran into this a lot.

My only concern here is that the host is flooding the internet connection with bogus emails and helping prevent that host's internet connection from being shut off.

I'm not surprised the host in this case might be something other than a Dos/Win machine.
(In this case it's a pity though since by shelling out to a command prompt and running netstat would confirm or deny my suspicion in an instant.)
In the world of trojans, viri and malware in general, there's very little that's new.

I used to follow that stuff all the time via the old News groups alt.virus - or whatever it was. Active participants on that newsgroup were the actual authors of the anti virus software. They had nothing but scorn for the most part on the people that distributed the stuff. Once in a great great great while, someone would actually write something new & when that happened, they would appreciate that person's ability.

Most of the stuff was just a rehash of existing.
For instance:
Dan virus comes out and a fix is found for it.
I rewrite the name of it as Dan's virus - and the fix no longer works because the name has changed.

Mike Henderson
01-04-2016, 10:01 AM
Dan is right. What the spammers do is use a valid address as the "sending" address but that has nothing to do with your computer. It's just an address they stole and are using right now. Likely nothing to do with your computer or iPad, etc. Your address is out in the Internet - you gave it to various companies - and it wound up on a list that was sold to these spammers. There's little you can do.

Yours is not the only one they're using to send out spam but, of course, you only see the blowback to your address. But they will soon change the address they use because your address will get blacklisted.

Mike

[That spam is not coming from your computer - they're just spoofing the "sending" address, just like telemarketers spoof the caller ID.]

Dan Hintz
01-04-2016, 10:04 AM
And if the goal is to just simply say "Look what I did"?
I'm far from one that runs to blame a virus or malware for every little thing that happens... but... these symptoms are classic mailer daemon.
Back when I was in the field, I ran into this a lot.

My only concern here is that the host is flooding the internet connection with bogus emails and helping prevent that host's internet connection from being shut off.

I'm not surprised the host in this case might be something other than a Dos/Win machine.
(In this case it's a pity though since by shelling out to a command prompt and running netstat would confirm or deny my suspicion in an instant.)
In the world of trojans, viri and malware in general, there's very little that's new.

I used to follow that stuff all the time via the old News groups alt.virus - or whatever it was. Active participants on that newsgroup were the actual authors of the anti virus software. They had nothing but scorn for the most part on the people that distributed the stuff. Once in a great great great while, someone would actually write something new & when that happened, they would appreciate that person's ability.

Most of the stuff was just a rehash of existing.
For instance:
Dan virus comes out and a fix is found for it.
I rewrite the name of it as Dan's virus - and the fix no longer works because the name has changed.

The virus landscape has changed dramatically since the simple days of Outlook address book attacks. Script kiddies are about the only ones who "write" viruses that can be snagged by a simple signature. These days, it's all about mutating viruses, delayed-download payloads (no payload to create a signature from!), rootkits that bypass most security, UEFI roots, rotating (semi-random) command IPs, etc. The typical AV software package these days is only good for the general malware, not a virus with any real design power behind it.

If the OP is truly getting thousands of bounced emails, he would have already been locked out by his ISP. Give me an email address and I can have thousands (millions?) of bounce-backs directed to that address in a few hours. I never have to touch your system or ISP's servers... because the process doesn't involve them in the least. Maybe a better analogy would be replacing all return address labels on USPS envelopes with your address... and mail determined not to be deliverable gets "returned" to your house, even though you never sent it in the first place.

It's nasty, and I've had to kill off a few of those in my day, and there's nothing you can do about it (short term). Your best (long-term) bet is to analyze the headers to determine the root server sending them out, then have the ISP block emails (or returns) coming from that IP (or, more likely, IP block).

Semi-related tale. Early 2015 I was getting hundreds of spam emails a day on my main email account (no, I don't wash it through Google's servers). I already block most foreign IPs, so they can't see my webpage or send me emails without using a proxy. The emails were coming from servers based in the US, so I couldn't block them wholesale or I run the risk of losing customers. I had to handpick each IP that was spamming me and block it (still potentially losing customers, and it was tedious). Eventually I started reporting the troublesome servers to the ISPs, and the spammers were removed at the source. No joke... where I was getting literally hundreds of spam emails a day on that account, it has dropped to a handful per WEEK. This change happened over a period of just a couple of weeks, but it took the efforts of the ISPs and the server farm owners to nip it (server farms really don't like paying for bandwidth they aren't getting reimbursed for, so they had good reason to jump on it).
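Mike Henderson's point (the "sending" address is just a forged header) and Dan Hintz's advice to read the bounce headers to find the server actually sending the spam can be checked mechanically. The script below is an added example and is not code from anyone in this thread: it takes a bounce (a delivery status notification that carries a copy of the original message), walks the Received: headers of that copy from the originating host outward, and compares the originating IP against the networks allowed to send mail for the From: domain. The bounce text is constructed for the example (hostnames, addresses and IPs are made up, using the reserved documentation ranges), and AUTHORISED_SENDERS stands in for the domain's SPF record; a real check would fetch that record from DNS.

```python
"""Backscatter triage: is this bounce from mail your account sent, or from a spoofed sender?"""
import email
import re
from email import policy
from email.message import Message
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed DSN modelled on the "Mailer-Daemon" bounces the thread describes.
# The copied original claims to be From: the victim, but the first relay that
# accepted it (the bottom-most Received: line) is an unrelated host.
SAMPLE_BOUNCE = """\
From: Mailer-Daemon@freemail.invalid
To: victim@example.com
Subject: Failure Notice
Content-Type: text/plain

Sorry, we were unable to deliver your message to the following address.

<rich47@rich.invalid>: 550 No such user

--- Below this line is a copy of the message.

Received: from mx1.freemail.invalid (mx1.freemail.invalid [198.51.100.10])
\tby mx.rich.invalid with ESMTP; Sun, 3 Jan 2016 13:40:01 +0000
Received: from dsl-203-0-113-77.isp.invalid ([203.0.113.77])
\tby mx1.freemail.invalid with SMTP; Sun, 3 Jan 2016 13:39:58 +0000
From: victim@example.com
To: rich47@rich.invalid
Subject: Great offer for you
Message-ID: <1451828398.1234@dsl-203-0-113-77.isp.invalid>
"""

# Assumption for the example: the networks that may send mail for example.com,
# i.e. what its SPF record would publish.  Made-up documentation range.
AUTHORISED_SENDERS = [ip_network("192.0.2.0/24")]

COPY_MARKER = "--- Below this line is a copy of the message."
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_original(bounce: str) -> Message:
    """Return the copy of the original message that the DSN carries after its marker line."""
    _, sep, tail = bounce.partition(COPY_MARKER)
    if not sep:
        raise ValueError("bounce does not carry a copy of the original message")
    return email.message_from_string(tail.lstrip("\n"), policy=policy.default)


def received_chain(msg: Message) -> List[str]:
    """IPs from the Received: headers, ordered from the originating host to the last hop.

    Every relay prepends its own Received: line, so the header nearest the body
    names the host that first handed the message in; the From: header is whatever
    that host chose to write and proves nothing.
    """
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = IPV4_RE.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(msg: Message) -> Optional[str]:
    chain = received_chain(msg)
    return chain[0] if chain else None


def classify(bounce: str, authorised=AUTHORISED_SENDERS) -> dict:
    """Decide whether the bounced message left an authorised server for the claimed sender."""
    msg = extract_original(bounce)
    origin = originating_ip(msg)
    origin_ok = origin is not None and any(ip_address(origin) in net for net in authorised)
    return {
        "claimed_from": str(msg["From"]),
        "origin_ip": origin,
        "origin_authorised": origin_ok,
        "verdict": "sent via an authorised server for the From: domain"
        if origin_ok
        else "backscatter: From: is spoofed, origin is not authorised for that domain",
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

The origin IP (or its /24, as Dan suggests) is what you would hand to your provider to block; a SPF record for your domain with a "-all" terminator, plus DMARC, is what lets receiving servers reject such forgeries before they ever generate a bounce, which is the only thing that reduces backscatter at the source. The script reads only the copied original inside the DSN, so a bounce with no copy raises rather than guessing.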

Erik Loza
01-04-2016, 12:27 PM
This is just my observation and as my wife will point out, I am no expert on anything to do with IT but, in my experience, Yahoo/MSN/AOL domains are all spam magnets. The Minimax Owner's Group over on Yahoo-dot-com, that I moderate, gets requests to join from spammers all the time and it seems like hardly a week goes by that some member's account does not get hacked and then have a bot posting to the forum under their account.

I used to use msn.com. It got hacked, spammed my entire contact list, lots of frustration to friends and family. Same thing happened to my dad on AOL. I switched to Gmail a few years back and rarely get a spam message. SCM Group's company account uses Gmail as well. Again, no spam. Maybe some food for thought.

Erik

Curt Harms
01-05-2016, 8:20 AM
<snip>
Your address is out in the Internet - you gave it to various companies - and it wound up on a list that was sold to these spammers. There's little you can do.

Yours is not the only one they're using to send out spam but, of course, you only see the blowback to your address. But they will soon change the address they use because your address will get blacklisted.

Mike

[That spam is not coming from your computer - they're just spoofing the "sending" address, just like telemarketers spoof the caller ID.]

If a company requests my email address but isn't likely to have a legitimate reason to contact me beyond marketing they get something like "goaway@aol.com" (that's a family-friendly one :D). I also have a couple of free email addresses that I check just often enough to prevent them being marked inactive, for companies that might have a legit reason to contact me but probably not.