Question

IP provider says I'm sending PayPal phishing emails

Asked by: rjessop

Tuesday afternoon I received the following email from my IP provider:

The Qwest Security Services team has received numerous complaints regarding fraudulent "phishing" Unsolicited Bulk Email (UBE) originating from your account.  . . . .

Sample of fraudulent email:
Received: from MY DOMAIN (unknown [MY IP ADDRESS)  by mpls-qmqp-01.inet.qwest.net (Postfix) with ESMTP id 4AF8F1A992D;  Tue, 25 Aug 2009 04:15:51 +0000 (UTC)
Received: from User ([62.245.183.100]) by MY DOMAIN with Microsoft SMTPSVC(6.0.3790.3959);
  Mon, 24 Aug 2009 22:15:50 -0600
From: "PayPal"<comptelimite@paypal.fr>
Subject: Votre compte PayPal a été limité! [Mardi 25 Août 2009 05:19:56 HAE]
Date: Tue, 25 Aug 2009 06:02:09 +0200
MIME-Version: 1.0
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVERwJ9DpMR4JQSkx00000102@MY DOMAIN>
X-OriginalArrivalTime: 25 Aug 2009 04:15:50.0431 (UTC) FILETIME=[BAB622F0:01CA253A]
To: undisclosed-recipients:;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <style type="text/css"><!-- body, p, td, div, li, ul, input { font-family:Arial, Helvetica, sans-serif;font-size:12px;color:#666;}
--></style> </head>  <body>
<table cellpadding="5" cellspacing="0" border="0" width="60%"> <tr> <td align="center"> <table cellpadding="5" cellspacing="0" border="0" width="60%"> <tr><td width="69%"><IMG src="http://images.paypal.com/en_US/i/logo/email_logo.gif"  width=255 height=35 alt="PayPal"
border="0"></td> <td width="31%">&nbsp;</td> </tr> </table> </tr> <tr> <td background="http://images.paypal.com/images/bg_clk.gif" width="700"><img src="http://www.teamsantarosa.com/images/spaceme.gif" width="700" height="8"></td> </tr> <tr> <td align="center"><table cellpadding="10" cellspacing="0" border="0" width="60%"> <tr> <td> Cher client PayPal: <br> <br> Attention! Votre compte PayPal a été limité! <br> <div style="display:none; color:white;">ZeLk23g0r11hNhw-z3Pb8bvWpyI6 -ZoBJzA</div><p> Dans le cadre de nos mesures de sécurité, nous vérifions régulièrement l'activité de l'écran PayPal. Nous vous avons demandé des informations pour la raison suivante: <br> <br> Notre système a détecté des charges inhabituelles à une carte de crédit liée à votre compte PayPal. <br> <br> Numéro de Référence: PP-159-143-391 <br> <br> C'est le dernier rappel pour vous connecter à PayPal. Une fois que vous serez connecté, PayPal vous fournira des mesures pour rétablir l'accès à votre compte. <br> <br> Cliquez ici pour activer votre compte:<br> <br> <a </p><table align="center" bgcolor="#FFE65C" border="0" cellpadding="1" cellspacing="0" width="300"><tr><td><table align="center" bgcolor="#FFFECD" border="0" cellpadding="4" cellspacing="0" width="100%"><tr><td align="center" class="sansSerif"><a rel="nofollow" target="_blank" href="http://203.129.33.124/paypal.fr/online-securise/fr_cgi-bin/webscr/cmd=_login-run/">http://www.paypal.fr/cgi-bin/webscr?cmd=_login-run/</a></td></tr></table></td></tr></table><br/><p></a><p>Une fois connecté, suivez les étapes pour activer votre compte.<br><br>  </p> </p> Département de revue de comptes PayPal .<br><br></p> <P> <b>PayPal Email ID PP308407. <br> Pour plus d'informations sur la protection contre la fraude, s'il vous plaît consulter nos conseils de sécurité.<br> Protégez votre mot de passe.<br> Vous ne devriez jamais donner votre mot de passe PayPal à personne. <br> <b>Copyright (c) 1999-2009 PayPal. Tous droits réservés. 
<br> PayPal FSA Register Number: 226056. </b> </b><br> </td> </tr> </table> </td> </tr> </table> </body> </html>

Can someone help me decipher what the header of this email means?

And can someone help me narrow this issue down? I have an SBS2003 Server with Exchange 2003, but I don't believe it is coming through Exchange. I have 6 other clients on this network also running WinXP. Is anyone familiar with this PayPal phishing & a sure way of detecting and removing it?

Since receiving the email from Qwest, now all my emails are being returned as denied due to PayPal phishing.

Thank you

Asked on 2009-08-28 at 07:48:31 (ID: 24689968)
Topics: Operating Systems Network Security, Anti-Spyware, Internet Security
Participating Experts: 2
Points: 500
Comments: 10

Answers

by: mrroonie, posted on 2009-08-28 at 07:50:50 (ID: 25208277)

run a full virus scan on all clients and servers - sounds like you have a mass mailer lurking around somewhere

by: mrroonie, posted on 2009-08-28 at 07:52:57 (ID: 25208301)

Received: from User ([62.245.183.100]) by MY DOMAIN with Microsoft SMTPSVC(6.0.3790.3959);  <--particularly that IP address

by: rjessop, posted on 2009-08-28 at 07:56:12 (ID: 25208332)

that IP address (62.245.183.100) isn't mine. I do have AVG antivirus on all machines and have run Antimalware Bytes on all machines.

by: mrroonie, posted on 2009-08-28 at 08:00:31 (ID: 25208377)

it sounded a bit like a spoofed one. Have you run a full scan with AVG? Some mass mailers manage to slip into the system - where I used to work Symantec didn't spot one until I set a full scan running. Symantec's crap though

by: Mestha, posted on 2009-08-28 at 08:11:52 (ID: 25208490)

The email is coming from your network. It is being sent from that 62.x.x.x address via a system on your network.

Quick and dirty method is to block port 25 on your firewall and watch the logs. A compromised machine on your network will soon fill the logs.

Do you route email via your ISP's SMTP server, or directly by DNS? You cannot rule out the SBS server being abused at this point. It could be an authenticated relay for example. If the header says domain.com then that points to SBS, as that is how SBS configured the SMTP banner by default.

My spam cleanup guide can provide more information
http://www.amset.info/exchange/spam-cleanup.asp

It doesn't have to be malware on the SBS server to be the cause. Exchange as it stands can be abused.

Simon.

by: rjessop, posted on 2009-08-28 at 08:27:45 (ID: 25208662)

Does

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

in the sample email suggest anything? or is that spoofed too?

by: Mestha, posted on 2009-08-28 at 08:30:52 (ID: 25208700)

Nothing in the spam message can be trusted. It may be spoofed it may not.
Unfortunately I suspect your SBS server. SBS by default has a feature called authenticated relaying enabled. If an account gets compromised then your server can be used to send the spam. The originating machine will show in the SMTP logs.

The IP address is in Germany, so maybe a compromised system or the source of the spammer.

Simon.
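An added example, not code from the thread, of the header walk Simon describes: it unfolds the Received lines, reads them oldest-first, and reports whether the hop that our own server stamped came from a LAN machine or from an outside client using the server as a relay. The hostname mail.example.invalid, the public address 203.0.113.10 and the LAN range 192.168.16.0/24 are placeholders standing in for the asker's redacted values; 62.245.183.100 is the address quoted in the question.

```python
import ipaddress
import re

# Constructed sample modelled on the question's headers; redacted values are placeholders.
SAMPLE_HEADERS = """\
Received: from mail.example.invalid (unknown [203.0.113.10])
  by mpls-qmqp-01.inet.qwest.net (Postfix) with ESMTP id 4AF8F1A992D;
  Tue, 25 Aug 2009 04:15:51 +0000 (UTC)
Received: from User ([62.245.183.100]) by mail.example.invalid with Microsoft SMTPSVC(6.0.3790.3959);
  Mon, 24 Aug 2009 22:15:50 -0600
From: "PayPal"<comptelimite@paypal.fr>
"""

# Assumed: the name our SBS server stamps into Received lines, and the
# ranges that count as "inside" (placeholder LAN range and public IP).
OUR_HOSTS = {"mail.example.invalid"}
TRUSTED_NETS = ["192.168.16.0/24", "203.0.113.10/32"]

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return Received hops oldest-first, i.e. in the order the mail travelled."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"from\s+(\S+)(.*?)\bby\s+(\S+)", line)
        if not m:
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
        hops.append({"helo": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3).lower()})
    return hops[::-1]

def find_injection_hop(hops, our_hosts=OUR_HOSTS, trusted_nets=TRUSTED_NETS):
    """Classify the earliest hop our own server recorded; only its IP is trustworthy."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for hop in hops:
        if hop["by"] not in our_hosts or hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if any(addr in n for n in nets):
            return "lan-host", hop["ip"]          # infected workstation inside
        return "external-submission", hop["ip"]   # outsider relaying through us
    return "not-ours", None
```

The HELO name ("User"), the X-Mailer line and every header below the hop our server wrote are client-supplied and prove nothing; the connecting IP our SMTPSVC recorded is the value to look up in the server's SMTP logs.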

by: rjessop, posted on 2009-08-28 at 08:56:02 (ID: 25208953)

I'm running SBS2003 with just the basic firewall. Where do I find the SMTP logs? Does disabling outbound mail from within Exchange block port 25? I disabled it yesterday and this morning I had only 3 valid outbound messages. I do have Exchange using smart host for delivery. It doesn't appear that my IP is blacklisted by anyone other than one of my IP provider's relay servers. Should I switch to delivery by DNS?

by: Mestha, posted on 2009-08-28 at 09:48:23 (ID: 25209474)

If you are using your ISP's servers for outbound email then that would explain why you haven't got blacklisted. Blacklisting occurs on the source of the message when delivered to the machine detecting it - which would be your ISP's server. Switching to DNS delivery wouldn't help other than allowing you to see the messages in your queues that have failed.

Disabling outbound email in Exchange simply does that - disables outbound flow of email. Messages would queue. However it doesn't mean you are in the clear. It may mean that the spammer isn't using your system at the moment. The message that you have posted is from Monday.

A firewall is of no use here, because it isn't an attack on the ports. It is an attack on the application.
That would be like taking a car away because the driver caused an accident. The car wasn't the cause, the driver was.

Therefore you have to look at the configuration of the SMTP server on the Exchange server and ensure that you only have what you need enabled. If you do not have any clients using POP3/SMTP then you can disable authenticated relaying for example.

Simon.

by: rjessop, posted on 2009-08-28 at 11:34:24 (ID: 25210406)

Thank you for your help. In the Exchange server logs I did find my IP's concern. Two different sets of UBE were being sent out Monday through Wednesday night about 7:07 p.m. when I began running spyware scans on my workstations. There were two systems infected. One with qakbot.worm and the other with backdoor.bot as detected by Antimalware Bytes.

I did check my server for open relay status and it is secure. I did then disable all POP3/SMTP as I don't use that service, although I had enabled it quite some time ago trying to get it to work.

Now it's a matter of getting Qwest to re-open their smarthost for me.

Thank you so much for the help.
