
Thread: E-mail Spam

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    7

    E-mail Spam

    Ok my e-mail is sending spam. I'm using Outlook Express. I'm on a cable modem with Roadrunner. I contacted Roadrunner and they replied it's my problem..find a way to fix it..not in those exact words.
    I have the Norton Internet Security 2004 installed and updated. I have run Spybot Search & Destroy, TDS Professional3, Norton virus checker, McAfee Striker. Nothing has been found. But on my wife's e-mail account she is still getting returned mail that she has not sent. Certain ISPs will not allow us to send e-mail to family and friends because of the spam complaints. I'm at my wit's end. What do I do next..what can I check..is there another program that can destroy this trojan? Thanks.

  2. #2
    There are a few possible ways to figure this out...

    What I would do is hit http://www.sysinternals.com/ and download tcpview. Run it and look at what programs are accessing the internet. If you see something you don't recognise, then search your computer for that file and maybe do a Google search. If you still don't know what it is, end the connection, and delete the file. At this time you would also have to go through the registry and delete all mentions of that file. One place of note is hkey_local_machine\software\microsoft\windows\currentversion\run. This section of the registry tells Windows what third party programs should be run at startup. This is normally the place where viruses and backdoor programs will start.

    If you get a message like "access denied, file is in use" then press ctrl+shift+esc, go to the processes tab, and kill the program if you see it running there.

    Don't you just love spammers?

    Also, after this... hit Windows Update, update your virus stuff... blah blah blah. You actually probably got this program by not adopting secure computing practices... you downloaded some "fun game" that was a trojan, or opened an e-mail attachment that you shouldn't have.
    You are so bored that you are reading my signature?

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    7
    Thanks. I'll go to that link.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    But on my wife's e-mail account she is still getting returned mail that she has not sent.
    This may actually be the work of a virus. There are some viruses that mimic the response of rejected email. In addition, there are some viruses that "spoof" their source, creating the illusion of spam. Is the "apparent" spam that's being sent out going with an attachment by any chance?

    If you want to ensure you aren't infected (some worms/viruses will "disable" your AV) take a visit to TrendMicro's Housecall. It's a free online AV scanner. It might pick up whatever others missed.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Netsky had an SMTP engine in it, could possibly be that. But along with TCPView, I would also recommend Foundstone's fport, found on their website. It will map the applications opening ports. Then run your scanning utilities in safe mode, press F8 before Windows starts up to select it.

    Update everything beforehand. Netsky is sorta-new.
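
Added example (not part of any post in this thread): the process-to-port mapping suggested above, done by parsing `netstat -ano` output and flagging any PID that holds port-25 connections to hosts other than the relay set in the mail client. The netstat sample, PIDs and addresses are constructed, and `allowed_relays` is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1041      192.0.2.25:25          ESTABLISHED     1420
  TCP    192.168.1.10:1107      198.51.100.7:25        SYN_SENT        2316
  TCP    192.168.1.10:1108      203.0.113.40:25        ESTABLISHED     2316
  TCP    192.168.1.10:1109      203.0.113.91:25        ESTABLISHED     2316
  TCP    192.168.1.10:1112      198.51.100.80:80       ESTABLISHED     1688
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_peers_by_pid(netstat_text, smtp_port=25):
    """Map PID -> set of remote hosts it has outbound SMTP connections to."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _laddr, _lport, raddr, rport, state, pid = m.groups()
        if int(rport) == smtp_port and state in ("ESTABLISHED", "SYN_SENT"):
            peers[int(pid)].add(raddr)
    return dict(peers)

def suspicious_pids(netstat_text, allowed_relays):
    """PIDs talking SMTP to hosts other than the configured relay(s)."""
    flagged = {}
    for pid, hosts in smtp_peers_by_pid(netstat_text).items():
        unexpected = hosts - set(allowed_relays)
        if unexpected:
            flagged[pid] = sorted(unexpected)
    return flagged

if __name__ == "__main__":
    # 192.0.2.25 stands in for the SMTP server configured in the mail client.
    for pid, hosts in suspicious_pids(SAMPLE_NETSTAT, {"192.0.2.25"}).items():
        print(f"PID {pid} has SMTP connections to {hosts}")
```

A mail client normally talks only to its configured relay, so a PID connected to several unrelated hosts on port 25 is the one to look up in Task Manager.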

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    MSM, I thought that too, but he said that some ISPs had blocked his e-mail account. So I doubt it's a virus.
    That may be for another reason. One of my ISPs blocks email it thinks comes from somewhere other than source -- and never has there been a spam message from some of these. It's a "default check" kind of thing. The messages the wife is receiving are probably the activity of a worm/virus.

    The ISP blocking the email due to "spam" could either be a default for the whole of his ISP (which means dealing with the ISP or using another source email to send messages to those people) or getting those people whose ISP is blocking him to remove it (place his email addy on an "Acceptable" list). So in effect there may be two separate issues here.

  7. #7
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    Originally posted here by Soda_Popinsky
    Netsky had an SMTP engine in it, could possibly be that. But along with TCPView, I would also recommend Foundstone's fport, found on their website. It will map the applications opening ports. Then run your scanning utilities in safe mode, press F8 before Windows starts up to select it.

    Update everything beforehand. Netsky is sorta-new.
    A lot of the Mitglieder trojans dropped by Bagle have SMTP relaying capabilities.

    I'd get a more 'obvious what's going on' firewall such as Kerio or Sygate. Both do free personal firewalls.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'd get a more 'obvious what's going on' firewall such as Kerio or Sygate. Both do free personal firewalls.
    Only if he knows what to look for and prevent from happening. Otherwise, if it's misconfigured (that is, the user lets everything through because they think it's required) then it's not that helpful.

  9. #9
    Junior Member
    Join Date
    May 2004
    Posts
    7
    I just ran Housecall..nothing..computer's clean. The ISPs blocking e-mail that I talked about were not my ISP. Other ISPs sent me e-mail informing me that I was on the blocked list because of complaints of spam coming from me.

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    7
    This is a copy of a returned e-mail..from my account. That I did not send..nor do I know this person. I blanked out his e-mail address.

    Your message

    To: ...............com
    Subject: Your details
    Sent: Wed, 28 Apr 2004 18:39:09 -0500

    did not reach the following recipient(s):

    ..............COM on Wed, 28 Apr 2004 18:39:02 -0500
    The recipient name is not recognized
    The MTS-ID of the original message is:
    c=us;a=attmail;p=columbia;l=CORPEXCON010404282339JWB5KYDX
    MSEXCH:IMS:Columbia:Corp:CORPEXCON01 0 (000C05A6) Unknown Recipient


    This is an example of a message I received from other ISPs.


    The original message was received at Sun, 25 Apr 2004 21:27:43 -0500 (CDT)
    from cs6669105-183.satx.rr.com [66.69.105.183]

    ----- The following addresses had permanent fatal errors -----
    <.........@cablespeed.com>
    (reason: 591 your host [24.93.47.43] is blacklisted by bl.spamcop.net. Send your questions to blacklist-admin@admin.cablespeed.com)
    <......@dixie-net.com>
    (reason: 554 5.7.1 24.93.47.43: blacklisted by real-time blacklist bl.spamcop.net For assistance, please email abuse@dixie-net.com)

    ----- Transcript of session follows -----
    ... while talking to mail2.evdloh.cablespeed.com.:
    >>> DATA
    <<< 591 your host [24.93.47.43] is blacklisted by bl.spamcop.net. Send your questions to blacklist-admin@admin.cablespeed.com
    554 5.0.0 Service unavailable
    <<< 554 no valid RCPT address specified
    <.......@copper.net>... Deferred: Connection refused by relay.cisp.com.
    ... while talking to mx0.dixie-net.com.:
    >>> DATA
    <<< 554 5.7.1 24.93.47.43: blacklisted by real-time blacklist bl.spamcop.net For assistance, please email abuse@dixie-net.com
    554 5.0.0 Service unavailable
    <<< 503 5.0.0 Need RCPT (recipient)
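
Added example (not part of the post above): a small parser for the second bounce that pulls out the address the message was received from, the address each rejecting server says is blacklisted, and the blocklist zone, then builds the DNS name a standard DNSBL check would query (reversed octets prepended to the zone). The function names are hypothetical, the bounce lines are copied from the post, and no network lookup is performed.

```python
import re

# Lines copied from the bounce quoted in the post (already redacted there).
BOUNCE = """\
The original message was received at Sun, 25 Apr 2004 21:27:43 -0500 (CDT)
from cs6669105-183.satx.rr.com [66.69.105.183]
<<< 591 your host [24.93.47.43] is blacklisted by bl.spamcop.net. Send your questions to blacklist-admin@admin.cablespeed.com
<<< 554 5.7.1 24.93.47.43: blacklisted by real-time blacklist bl.spamcop.net For assistance, please email abuse@dixie-net.com
<<< 503 5.0.0 Need RCPT (recipient)
"""

IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ORIGIN = re.compile(r"^\s*from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
ZONE = re.compile(r"blacklisted by (?:real-time blacklist )?([A-Za-z0-9.-]+)")

def parse_bounce(text):
    """Return (submitting_ip, sorted list of (listed_ip, dnsbl_zone))."""
    origin = ORIGIN.search(text)
    listings = set()
    for line in text.splitlines():
        if not line.lstrip().startswith("<<<"):
            continue  # only remote server replies carry the rejection reason
        zone, ip = ZONE.search(line), IP.search(line)
        if zone and ip:
            listings.add((ip.group(0), zone.group(1).rstrip(".")))
    return (origin.group(1) if origin else None), sorted(listings)

def dnsbl_query_name(ip, zone):
    """DNSBL lookups query the reversed IPv4 octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def report(text):
    origin, listings = parse_bounce(text)
    return [{"listed_ip": ip,
             "zone": zone,
             "lookup": dnsbl_query_name(ip, zone),
             "is_submitting_host": ip == origin}
            for ip, zone in listings]

if __name__ == "__main__":
    for row in report(BOUNCE):
        print(row)
```

On this bounce the listed address and the address the message was received from are different, which is worth establishing before deciding whose listing needs to be cleared.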
