Malware grabbing email addresses from my pc?

Leafgreen

New Email
I run my own mail servers on a shared hosting account with Hostmonster. I have the default or catch-all option enabled on one domain name, and have sent and received emails from a couple of hundred email addresses ("EAs") in the catch-all format. Ex: x@y.com where x = a variety of characters and y is my domain. I use Outlook 2007 with all the monthly patches applied.

Suddenly I am receiving spams to many of these x@y.com EAs. The values of x are ones I've defined NOT random characters.

Therefore, it appears that some program on my pc is reading these EAs already in use. I thought it was a one-time security breach, where at one time a program captured the EAs from my Outlook folders, safe senders list, etc. But it seems to be still installed on my pc, because new EAs recently used for the first time have been spammed.

I have run several anti-malware and anti-virus progs that have found nothing. :eek: Any suggestions on where to look to find and delete this malware, please?
 

EQ Admin

EQ Forum Admin
Staff member
You are receiving the flood of spam into the domain with the catchall functionality enabled and you are also only receiving email to previously used email addresses in that domain?

Yes, if both of those are true I would agree something got into your address book. It may have been spyware on your PC. It could also be a 3rd party that you shared your data with via a "Let us import your contacts and see if anyone you know uses this service" that later shared/sold your address list. Is the information stored anywhere on your shared hosting mail server? Does anyone have access to it / is it possible that's where your information was compromised?

Check the full email headers (Microsoft Outlook) on a few of the spams. It's not likely but if they are coming from the same IP address or have some other common piece of information you may be able to create a filter on your mail server to block the spam.
 

Leafgreen

New Email
> Probably dictionary spam, Leaf. What spammers will do is put common names in front of a domain name and then spam them. They'll take say 1,000 addresses dan@domain.com, leaf@domain.com, jim@domain.com, etc. and spam it to all hell.

Absolutely not. The EAs are much too long and/or unique to guess, and NONE are generic words/names as you offered.

> You are receiving the flood of spam into the domain with the catchall functionality enabled and you are also only receiving email to previously used email addresses in that domain?
>
> Yes, if both of those are true I would agree something got into your address book. It may have been spyware on your PC.

Sure, spyware or some f***ing facebook app ripped them.

> It could also be a 3rd party that you shared your data with via a "Let us import your contacts and see if anyone you know uses this service" that later shared/sold your address list.

I'm aware of those services all the way back with Hi5 scumballs, and that didn't happen to me.

> Is the information stored anywhere on your shared hosting mail server? Does anyone have access to it / is it possible that's where your information was compromised?

The only place on the shared server that has that data could be server logs. But, it's extremely doubtful that the server was hacked. Still, I'll send this thread to their techs and see what they say.

> Check the full email headers (Microsoft Outlook) on a few of the spams. It's not likely but if they are coming from the same IP address or have some other common piece of information you may be able to create a filter on your mail server to block the spam.

I did this. Actually laid out a bunch of the spams with each line of the full header side by side in Excel. Right, every IPA and helo is different. But, guess what: All the envelope-froms are Yahoo. Damn, after all these years, they can't even police their own servers. Sure, they block incoming, but lax on the outgoing. Very sad. :mad:
 

EQ Admin

EQ Forum Admin
Staff member
The email might be coming From: @yahoo, but is it really being relayed to you by a Yahoo mail server?

If the email is not really coming from Yahoo you can build a filter that only allows email From: @yahoo.com when it relays to you from yahoo mail server IP addresses.

Yahoo signs outgoing email relayed through their servers with DomainKeys. Checking the DKIM information could be used as part of a filter too. The existence of the DKIM signature itself does not mean that an email is not spam. You can't take a shortcut and rely on the existence of the DKIM signature meaning that an email is not spam.
 

Leafgreen

New Email
I decided to obfuscate my domain. Attached.
 

Attachment: mailheader.png

EQ Admin

EQ Forum Admin
Staff member
How much of the spam is coming from the IP address that I circled?

Spam from Cable Online.JPG

To report this spammer / owned computer send an email with the complete full email headers to abuse@cableonline.com.mx

I see that you are using EXIM. Here is some information that should help you to get domain keys support enabled on your mail server - DomainKeys - Exim Wiki

I wonder how much of a problem the catch-all is causing for you. I understand that you use a lot of hard to guess email addresses, but is it possible the problem has been multiplied for you because the spammers could be sending email To: real addresses that you have used and BCC'ing in other guesses that are only delivered because the catch-all is enabled?

Back to the spyware. Which spyware programs did you run on your computer? If you let us know the list maybe we can offer you some more suggestions. There is also a variety of scanning tools available at Anti-Malware Downloads - FileHippo.com
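The three header checks suggested in this thread (does the From: domain match the relay that handed us the mail, is there a DKIM signature aligned with that domain, and was our address absent from To:/Cc:, i.e. delivered only because of the catch-all) worked into one script, as an added example that is not code from the thread, from Exim or from Yahoo. The relay allow-list uses a placeholder documentation network rather than any provider's real ranges, and the message is constructed.

```python
import email.utils
import ipaddress
import re
from email import message_from_string

# Constructed allow-list of relay networks permitted to send mail "From:" a domain.
# 192.0.2.0/24 is a documentation range used as a placeholder, NOT a real Yahoo
# range; a real list would be built from the provider's published SPF records.
RELAY_ALLOWLIST = {"yahoo.com": [ipaddress.ip_network("192.0.2.0/24")]}
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP of the host that handed us the mail: the topmost Received: is our MX's."""
    received = msg.get_all("Received", [])
    m = RECEIVED_IP.search(received[0]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def from_domain(msg):
    return email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_domain(msg):
    """Signing domain (d= tag) of the DKIM-Signature header, or None if unsigned."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None

def analyse(raw, our_recipient):
    """Return the list of suspicious findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    dom, ip = from_domain(msg), connecting_ip(msg)
    allowed = RELAY_ALLOWLIST.get(dom)
    if allowed and ip is not None and not any(ip in net for net in allowed):
        findings.append("from-domain-not-relayed-by-its-provider")
    signer = dkim_domain(msg)
    if signer is None or not (signer == dom or dom.endswith("." + signer)):
        findings.append("no-aligned-dkim-signature")
    visible = {a.lower() for _, a in email.utils.getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    if our_recipient.lower() not in visible:
        findings.append("delivered-only-via-catch-all")
    return findings

# Constructed sample: From: claims yahoo.com, relayed by an unrelated host,
# signed by a different domain, and addressed to someone else (we got it via BCC).
SAMPLE = """\
Received: from mail.example.invalid ([203.0.113.77]) by mx.y.example
    for <leaf@y.example>; Mon, 1 Jan 2024 00:00:00 +0000
From: "Lucky Winner" <promo@yahoo.com>
To: someone-else@y.example
DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel; h=from; b=QUJD
"""
```

Running `analyse(SAMPLE, "leaf@y.example")` reports all three findings; the same message relayed from an allow-listed address drops the first one, which is exactly the "From: @yahoo.com only from Yahoo's relays" rule from above.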