System sending spam emails but Norton not detecting a problem

Posted on 2006-04-15
Last Modified: 2010-08-05

My system appears to be sending spam emails as I am getting system failure and undeliverable email messages. However Norton is not reporting any problems when I do a full system scan. Can anyone suggest where I look to see what the problem is and what to do about it?


Question by:nigel30
    LVL 14

    Expert Comment

    just because you're receiving system failure and undeliverable email (bounces) back from your mail provider, does not necessarily mean YOU have the virus.. it's a common thing for a virus to just pick a random address found on the victim's computer and use that as the 'from' address (makes the bad mail appear more legitimate, and the victims themselves don't get the bounces)...

    if you want to verify your system is clean and norton is doing its job...

    Author Comment

    Thanks for your comment. I should clarify that the emails that are bouncing are not ones that I have sent. They are to all sorts of companies and individuals not in my address book and have fictitious email account names when they are bounced.

    I will look at the link so thanks for your help.
    LVL 32

    Expert Comment

    I tend to agree with nltech. To confirm where the emails are really originating, you need to look at the full mail headers and decipher them.

    Here are a couple of links that may help:

    If in doubt feel free to post the relevant part of a typical header here.

    Author Comment

    Thanks for the post and the offer to help decipher the header.

    Here is a copy of a mail header of a bounced email. The sent emails all have attachments appearing to sell various products and services. To help with the message my personal email address is and my business email is, this is diverted to my private email. Ringrose Associates is hosted by Zen.

    X-Apparently-To: via; Sat, 15 Apr 2006 12:39:06 +0000
    X-Originating-IP: []
    Authentication-Results:; domainkeys=neutral (no sig)
    Received: from  (EHLO (
      by with SMTP; Sat, 15 Apr 2006 12:39:06 +0000
    Received: from ([] helo=CARTER01.Carter.local)
          by with esmtp (Exim 4.43)
          id 1FUk3M-0007g1-Ie
          for; Sat, 15 Apr 2006 12:39:05 +0000
    Date: Sat, 15 Apr 2006 07:41:41 -0500
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
    Message-ID: <9vhjtvlGf00031de5@CARTER01.Carter.local>
    Subject: Delivery Status Notification (Failure)
    X-Zen-Test-Spam-Score: 22
    X-Zen-Test-Spam-Bar: (++)
    X-Originating-Schroedinger-IP: []
    X-Zen-Loop2: 2eb0aedfcaf52916d28bac7b0ebd70ce
    X-NAS-Language: English
    X-NAS-Bayes: #0: 1.73363E-076; #1: 1
    X-NAS-Classification: 0
    X-NAS-MessageID: 760
    X-NAS-Validation: {A3A010C5-6442-4CFB-8A36-4A4CA907E5B6}

    I would be grateful for any help as the number of these emails is increasing all the time.

    Also, I don't know whether this is related but since this started I have not been able to use IE6 to access the internet. It can't connect or runs incredibly slowly. I can still use Firefox however.

    LVL 32

    Expert Comment

    Thanks for posting the header. However, this is the wrong part of the header. It shows a rejection notice travelling from to you. All that is normal. The more interesting thing would be the header that in this case would be in the body of this message. Hopefully the server at included that so you see where the original mail to them originated.

    In addition to that, you may want to make sure your machine is not infected in some way. It is odd that IE should not work. I would suggest downloading Hijackthis from and running it. Post the resulting log back to that web site, click Analyze, then click "Save Analysis" at the bottom of the next page. Finally, post here a link to that final analyzed page. It should reveal if anything bad has infected your system.

    Expert Comment

    i think you'd better use kaspersky internet security 6
    it solves your problem.

    Author Comment

    Thanks for the advice.

    I have run hijackthis. The only entry that was tagged as a possible nasty is as follows

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    If this is the culprit, what do I do next?

    LVL 32

    Expert Comment

    "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer ="

    Does that IP address belong to your ISP? That address is registered to Hughes Network Systems in Maryland, USA (I got this by going to If not, you can have Hijackthis fix it.

    However, I am pretty sure this would not explain the sending of spam emails, (though it might explain the IE problem). Did you have any luck looking at the body of the bounced messages to see where they are originating?

    Author Comment

    Removing the proxy server details from IE6 has enabled it to work again. Thanks for that. I have increased the points as it looks like this is not a straightforward problem.

    I have looked at a number of the emails and I have found this one that has more details than the others. If you can decipher this I would be very grateful.

    Return-Path: <>
    Received: (qmail 13172 invoked from network); 15 Apr 2006 06:22:00 -0000
    Received: from unknown (HELO (unknown)
      by unknown with SMTP; 15 Apr 2006 06:22:00 -0000
    Received: from localhost ( [])
          by (Postfix) with ESMTP id 53DCA44198
          for <>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
    Received: from ([])
          by localhost ( []) (amavisd-new, port 10024)
          with ESMTP id 07068-02 for <>;
          Sat, 15 Apr 2006 02:21:59 -0400 (EDT)
    Received: from ( [])
          by (Postfix) with SMTP id 21EFF452E5
          for <>; Sat, 15 Apr 2006 02:21:46 -0400 (EDT)
    Received: (qmail 20297 invoked from network); Sat, 15 Apr 2006 08:21:52 +0200
    Received: from unknown (HELO epgdu.gmblq) (
          by with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
    Message-ID: <000501c66054$e2c37f8f$70eb3859@epgdu.gmblq>
    From: "Dolly Seymour" <>
    To: "Felice Wright" <>
    Subject: yolk understate
    Date: Sat, 15 Apr 2006 08:18:25 +0200
    MIME-Version: 1.0
    Content-Type: multipart/related;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1441
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    X-Virus-Scanned: Virus Scanned by NBCS
    X-Spam-Status: No, hits=1.3 tagged_above=-50.0 required=6.3
    X-Spam-Level: *

    This is a multi-part message in MIME format.

    Content-Type: multipart/alternative;

    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    grimace an... OK roughage entrapment, torment herpes, forte came vine? = self-disciplined, is contemplative bigamist it of indemnify with suede

    old-timer the frigate and unlucky of auction inevitably the extravagant = fastener wording, curious or eyewitness sponge cake of yellowish, and = tone-deaf a!!!

    nearsighted cohabitation on quadrangle Mormon washable.:

    redirect else monarch
    dirt-poor... antagonism it honorably region joyous incredulous the kennel crass and an... downer the blue law and = hyperactive an postgraduate as droppings this protracted steam garbled = good-looking souvenir, of albino arsenal and an Sr. g blackness, printing press. eight? negligee credible wont. the and hush-hush = accompanist an whim?! drape as grad school agree the zebra,: body = windowpane magistrate of meaningful caution a the final stealthily?
    lumpy was intrigue. acid, spoonful scarf weather vane as abhorrent = opportunist jade youth the to as tiara, satire bombed succumb dust, object on immaculate to as observable and whatchamacallit, and = antonym, in gasp clothe, diesel engine trumpeter are
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    LVL 32

    Accepted Solution

    This particular example appears to have originated from IP address "" which, according to, is somewhere in Germany, and belongs to "freenet Cityline GmbH, Willstaetterstrasse 13, 40549 Duesseldorf, Germany". You could report abuse by email to  and hope they can track it. It may be an infected machine belonging to a clueless user, or the mail headers could be faked also in which case it may not even be in their subnet.
    It appears to be some sort of a dial-in (i.e. temp) address, so harder to track for the ISP.
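The tracing r_k describes, reading the Received: lines from the bottom (oldest hop) up and trusting only the ones written by your own provider's servers, as an added example that is not part of the original thread. The headers below are constructed (documentation addresses stand in for the stripped hosts and IPs; only the "unknown (HELO epgdu.gmblq)" pattern is taken from the posted header), and the trusted host name is an assumption.

```python
import re

# Constructed sample modelled on the bounced message in the thread; the real
# hosts and IPs were stripped from the post, so documentation addresses are used.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
      by inbound.example.org (Postfix) with ESMTP id 53DCA44198
      for <victim@example.org>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
Received: from unknown (HELO epgdu.gmblq) (198.51.100.77)
      by mx.example.net with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
From: "Dolly Seymour" <sender@example.com>
Subject: yolk understate
"""

FROM_RE = re.compile(r"^from\s+(\S+)")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)|helo=([^\s)]+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
BY_RE = re.compile(r"\bby\s+(\S+)")

def unfold_headers(raw):
    """Join folded continuation lines and return (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the headers
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def _first(rx, text):
    m = rx.search(text)
    return next((g for g in m.groups() if g), None) if m else None

def parse_received(value):
    """Extract claimed sender name, HELO string, IP and receiving host from one Received: value."""
    return {"from": _first(FROM_RE, value), "helo": _first(HELO_RE, value),
            "ip": _first(IP_RE, value), "by": _first(BY_RE, value)}

def trace_origin(raw, trusted_by=()):
    """Return (hops oldest-first, hop vouched for by a trusted MTA, hop claimed as the origin)."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops.reverse()                          # hops[0] is the earliest hop, i.e. the claimed origin
    claimed = next((h for h in hops if h["ip"]), None)
    # Only lines written by MTAs you trust are reliable: the chain of trust runs from the
    # newest line downward and stops at the first hop recorded by an untrusted host.
    trusted = {t.lower() for t in trusted_by}
    vouched = None
    for hop in reversed(hops):              # newest first
        if not hop["by"] or hop["by"].lower() not in trusted:
            break
        vouched = hop
    return hops, vouched, claimed

def is_suspicious(hop):
    """Signs visible in the posted header: reverse DNS failed ('unknown') or HELO does not match it."""
    if hop["from"] == "unknown":
        return True
    return bool(hop["helo"]) and bool(hop["from"]) and hop["helo"].lower() != hop["from"].lower()

if __name__ == "__main__":
    hops, vouched, claimed = trace_origin(SAMPLE_HEADERS, trusted_by=("inbound.example.org",))
    print("vouched:", vouched["ip"], "claimed origin:", claimed["ip"], "suspicious:", is_suspicious(claimed))
```

The IP you can actually report is the one your trusted server recorded; the lower line naming 198.51.100.77 is the relay's claim and, as r_k notes, may be forged.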

    Author Comment

    As my machine appears to be clean I have been searching on the internet for other possible causes. I am now thinking that someone is using the contact form on my website to mail spam and I am just seeing the ones that have been bounced. I have deleted the php form that I use to see if the spam stops. I will close this query and pursue this offline.

    Many thanks for your time and help r_k.
