Malware grabbing email addresses from my pc?

Discussion in 'Help Desk' started by Leafgreen, Nov 1, 2010.

  1. Leafgreen

    Leafgreen New Email

    I run my own mail servers on a shared hosting account with Hostmonster. I have the default or catch-all option enabled on one domain name, and have sent and received emails from a couple of hundred email addresses ("EAs") in the catch-all format. Ex: x@y.com where x = a variety of characters and y is my domain. I use Outlook 2007 with all the monthly patches applied.

    Suddenly I am receiving spams to many of these x@y.com EAs. The values of x are ones I've defined NOT random characters.

    Therefore, it appears that some program on my pc is reading these EAs already in use. I thought it was a one-time security breach, where at one time a program captured the EAs from my Outlook folders, safe senders list, etc. But it seems to be still installed on my pc, because new EAs recently used for the first time have been spammed.

    I have run several anti-malware and anti-virus progs that have found nothing. :eek: Any suggestions on where to look to find and delete this malware, please?
     


  2. Big Dan

    Big Dan EQ Forum Moderator Staff Member

    Probably dictionary spam, leaf. What spammers will do is put common names in front of a domain name and then spam them. They'll take, say, 1,000 addresses (dan@domain.com, leaf@domain.com, jim@domain.com, etc.) and spam them to all hell.
     

  3. popowich

    popowich EQ Forum Admin Staff Member

    You are receiving the flood of spam into the domain with the catchall functionality enabled and you are also only receiving email to previously used email addresses in that domain?

    Yes, if both of those are true I would agree something got into your address book. It may have been spyware on your PC. It could also be a 3rd party that you shared your data with via a "Let us import your contacts and see if anyone you know uses this service" that later shared/sold your address list. Is the information stored anywhere on your shared hosting mail server? Does anyone have access to it / is it possible that's where your information was compromised?

    Check the full email headers (Microsoft Outlook) on a few of the spams. It's not likely but if they are coming from the same IP address or have some other common piece of information you may be able to create a filter on your mail server to block the spam.
     
  4. Leafgreen

    Leafgreen New Email

    Absolutely not. The EAs are much too long and/or unique to guess, and NONE are generic words/names as you offered.

    Sure, spyware or some f***ing facebook app ripped them.
    I'm aware of those services all the way back with Hi5 scumballs, and that didn't happen to me.
    The only place on the shared server that has that data could be server logs. But, it's extremely doubtful that the server was hacked. Still, I'll send this thread to their techs and see what they say.
    I did this. Actually laid out a bunch of the spams with each line of the full header side by side in Excel. Right, every IPA and helo is different. But, guess what: All the envelope-froms are Yahoo. Damn, after all these years, they can't even police their own servers. Sure, they block incoming, but lax on the outgoing. Very sad. :mad:
     
  5. popowich

    popowich EQ Forum Admin Staff Member

    The email might be From: @yahoo, but is it really being relayed to you by a Yahoo mail server?

    If the email is not really coming from Yahoo you can build a filter that only allows email From: @yahoo.com when it relays to you from yahoo mail server IP addresses.

    Yahoo signs outgoing email relayed through their servers with DomainKeys. Checking the DKIM information could be used as part of a filter too. The existence of the DKIM signature itself does not mean that an email is not spam. You can't take a shortcut and rely on the existence of the DKIM signature meaning that an email is not spam.
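The header triage popowich describes in posts 3 and 5, as an added example that is not part of the thread: it reads the relaying IP from the topmost Received: line, the envelope sender from Return-Path, and whether a DKIM-Signature header is present, then flags mail claiming a yahoo.com From: address that was not handed over by an IP in an assumed Yahoo relay range. The three sample messages and the 203.0.113.0/24 "Yahoo" range are constructed placeholders; the real ranges would have to be looked up (for instance from Yahoo's published SPF records).

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Placeholder, not a real Yahoo range: documentation space used as a stand-in.
YAHOO_RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample headers (not real spam), as your own MTA would see them.
SAMPLES = [
    "Received: from mx.example.net ([198.51.100.7])\n\tby mail.y.com with esmtp\n"
    "Return-Path: <bob1234@yahoo.com>\nFrom: Bob <bob1234@yahoo.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=placeholder; b=AAAA\n"
    "To: x@y.com\nSubject: hi\n\nbody\n",
    "Received: from relay.example.org ([192.0.2.55])\n\tby mail.y.com with esmtp\n"
    "Return-Path: <ann@yahoo.com>\nFrom: ann@yahoo.com\nTo: other@y.com\n"
    "Subject: hi\n\nbody\n",
    "Received: from smtp.yahoo.example ([203.0.113.9])\n\tby mail.y.com with esmtp\n"
    "Return-Path: <real@yahoo.com>\nFrom: real@yahoo.com\nTo: z@y.com\n"
    "Subject: hi\n\nbody\n",
]

def triage(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # The first Received: line is the one your own server added, so its
    # bracketed IP is the host that actually handed you the message.
    m = RECEIVED_IP.search(received[0]) if received else None
    relay_ip = m.group(1) if m else None
    from_yahoo = parseaddr(msg.get("From", ""))[1].lower().endswith("@yahoo.com")
    relayed_by_yahoo = relay_ip is not None and any(
        ipaddress.ip_address(relay_ip) in net for net in YAHOO_RELAY_NETS)
    return {
        "relay_ip": relay_ip,
        "return_path": (msg.get("Return-Path") or "").strip("<> "),
        # Presence only; a signature is not validated here and, as the
        # thread notes, its presence alone says nothing about spam.
        "has_dkim": msg.get("DKIM-Signature") is not None,
        "spoofed_yahoo": from_yahoo and not relayed_by_yahoo,
    }

def summarize(raw_messages):
    rows = [triage(r) for r in raw_messages]
    return {
        "relay_ips": Counter(r["relay_ip"] for r in rows),
        "envelope_domains": Counter(r["return_path"].rsplit("@", 1)[-1] for r in rows),
        "spoofed_yahoo": sum(r["spoofed_yahoo"] for r in rows),
    }
```

Run `summarize(SAMPLES)` over a folder of exported spam to see whether the relaying IPs repeat (a filter candidate) and how many "Yahoo" senders never touched a Yahoo relay.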
     
  6. Leafgreen

    Leafgreen New Email

    I don't know how to interpret the header. I've enclosed a screenshot of the text of a spam. Do you mind taking a look?
     
  7. popowich

    popowich EQ Forum Admin Staff Member

  8. Leafgreen

    Leafgreen New Email

    I decided to obfuscate my domain. Attached
     

    Attached Files:

  9. popowich

    popowich EQ Forum Admin Staff Member

    How much of the spam is coming from the IP address that I circled?

    Spam from Cable Online.JPG

    To report this spammer / owned computer send an email with the complete full email headers to abuse@cableonline.com.mx

    I see that you are using EXIM. Here is some information that should help you to get domain keys support enabled on your mail server - DomainKeys - Exim Wiki

    I wonder how much of a problem the catch-all is causing for you. I understand that you use a lot of hard-to-guess email addresses, but is it possible the problem has been multiplied for you because the spammers could be sending email To: real addresses that you have used and BCC'ing in other guesses that are only delivered because the catch-all is enabled?

    Back to the spyware. Which spyware programs did you run on your computer? If you let us know the list maybe we can offer you some more suggestions. There is also a variety of scanning tools available at Anti-Malware Downloads - FileHippo.com
     
