• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555
  • Last Modified:

System sending spam emails but Norton not detecting a problem


My system appears to be sending spam emails as I am getting system failure and undeliverable email messages. However, Norton is not reporting any problems when I do a full system scan. Can anyone suggest where I look to see what the problem is and what to do about it?


1 Solution
just because you're receiving system failure and undeliverable email (bounces) back from your mail provider, does not necessarily mean YOU have the virus.. it's a common thing for a virus to just pick a random address found on the victim's computer and use that as the 'from' address (makes the bad mail appear more legitimate, and the victims themselves don't get the bounces)...

if you want to verify your system is clean and norton is doing its job... http://housecall.trendmicro.com
nigel30 (Author) commented:
Thanks for your comment. I should clarify that the emails that are bouncing are not ones that I have sent. They are to all sorts of companies and individuals not in my address book and have fictitious email account names when they are bounced.

I will look at the link, so thanks for your help.
I tend to agree with nltech. To confirm where the emails are really originating, you need to look at the full mail headers and decipher them.

Here are a couple of links that may help:


If in doubt feel free to post the relevant part of a typical header here.
nigel30 (Author) commented:
Thanks for the post and the offer to help decipher the header.

Here is a copy of a mail header of a bounced email. The sent emails all have attachments appearing to sell various products and services. To help with the message, my personal email address is n.ringrose@btinternet.com and my business email is ringrose-associates.co.uk, which is diverted to my private email. Ringrose Associates is hosted by Zen.

X-Apparently-To: n.ringrose@btinternet.com via; Sat, 15 Apr 2006 12:39:06 +0000
X-Originating-IP: []
Authentication-Results: mta812.mail.ukl.yahoo.com
  from=carterexcavating.com; domainkeys=neutral (no sig)
Received: from  (EHLO schroedinger.zen.co.uk) (
  by mta812.mail.ukl.yahoo.com with SMTP; Sat, 15 Apr 2006 12:39:06 +0000
Received: from wsip-68-15-193-182.ok.ok.cox.net ([] helo=CARTER01.Carter.local)
      by schroedinger.zen.co.uk with esmtp (Exim 4.43)
      id 1FUk3M-0007g1-Ie
      for vcurtkzo@ringrose-associates.co.uk; Sat, 15 Apr 2006 12:39:05 +0000
From: postmaster@carterexcavating.com
To: vcurtkzo@ringrose-associates.co.uk
Date: Sat, 15 Apr 2006 07:41:41 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <9vhjtvlGf00031de5@CARTER01.Carter.local>
Subject: Delivery Status Notification (Failure)
X-Zen-Test-Spam-Score: 22
X-Zen-Test-Spam-Bar: (++)
X-Originating-Schroedinger-IP: []
X-Zen-Loop2: 2eb0aedfcaf52916d28bac7b0ebd70ce
X-NAS-Language: English
X-NAS-Bayes: #0: 1.73363E-076; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 760
X-NAS-Validation: {A3A010C5-6442-4CFB-8A36-4A4CA907E5B6}

I would be grateful for any help as the number of these emails is increasing all the time.

Also, I don't know whether this is related but since this started I have not been able to use IE6 to access the internet. It can't connect or runs incredibly slowly. I can still use Firefox however.

Thanks for posting the header. However, this is the wrong part of the header. It shows a rejection notice travelling from postmaster@carterexcavating.com to you. All that is normal. The more interesting thing would be the header that, in this case, would be in the body of this message. Hopefully the server at carterexcavating.com included that so you can see where the original mail to them originated.

In addition to that, you may want to make sure your machine is not infected in some way. It is odd that IE should not work. I would suggest downloading Hijackthis from http://www.hijackthis.de/ and running it. Post the resulting log back to that web site, click Analyze, then click "Save Analysis" at the bottom of the next page. Finally, post here a link to that final analyzed page. It should reveal if anything bad has infected your system.
I think you'd better use Kaspersky Internet Security 6.
It solves your problem.
nigel30 (Author) commented:
Thanks for the advice.

I have run HijackThis. The only entry that was tagged as a possible nasty is as follows:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

If this is the culprit, what do I do next?

"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer ="

Does that IP address belong to your ISP? That address is registered to Hughes Network Systems in Maryland, USA (I got this by going to http://www.arin.net/). If not, you can have HijackThis fix it.

However, I am pretty sure this would not explain the sending of spam emails (though it might explain the IE problem). Did you have any luck looking at the body of the bounced messages to see where they are originating?
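An added worked example, not code posted by r_k or anyone else in this thread, of the check r_k describes: is the proxy that HijackThis reports one you expect (your ISP's, your company's, a local filter on 127.0.0.1), or something planted on the machine? The R1 lines below are constructed, with IPs from the documentation ranges; the assumption that the user's ISP uses 198.51.100.0/24 is a placeholder for whatever whois tells you about your own provider.

```python
import ipaddress
import re

# Constructed HijackThis-style R1 lines (not the one posted in the thread, whose
# value was stripped). IPs are from the 192.0.2.0/24 and 198.51.100.0/24
# documentation ranges; 198.51.100.0/24 stands in for the user's ISP here.
SAMPLE_R1_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.0.2.45:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=198.51.100.9:3128;https=198.51.100.9:3128",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118",
]
ISP_NETWORKS = ["198.51.100.0/24"]   # assumption: networks your ISP's proxies live in

R1_PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")


def proxy_values_from_log(lines):
    """Pull every ProxyServer value out of HijackThis R1 lines."""
    return [m.group(1) for m in map(R1_PROXY_RE.search, lines) if m]


def parse_proxy_setting(value: str) -> dict:
    """Split a WinINet ProxyServer string into {scheme: (host, port)}.
    'host:port' applies to every protocol (key '*'); 'http=a:1;https=b:2'
    lists one proxy per protocol. IPv4 addresses or hostnames are assumed."""
    entries = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, hostport = item.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries[scheme or "*"] = (host or hostport, int(port) if port.isdigit() else None)
    return entries


def classify_proxy(value: str, expected_networks, expected_hosts=()):
    """'ok' when every proxy host is loopback, inside an expected network or an
    expected hostname; 'suspect' otherwise, with one reason per offending entry."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    known = {h.lower() for h in expected_hosts}
    reasons = []
    for scheme, (host, port) in parse_proxy_setting(value).items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                      # a hostname rather than an IP
            if host.lower() not in known:
                reasons.append(f"{scheme}: unexpected proxy host {host}")
            continue
        if addr.is_loopback or any(addr in n for n in nets):
            continue
        reasons.append(f"{scheme}: {addr}:{port} is outside the expected networks")
    return ("suspect", reasons) if reasons else ("ok", [])


def audit_r1_lines(lines, expected_networks, expected_hosts=()):
    """Map each ProxyServer value found in the log to its verdict."""
    return {v: classify_proxy(v, expected_networks, expected_hosts)
            for v in proxy_values_from_log(lines)}


if __name__ == "__main__":
    for value, (verdict, reasons) in audit_r1_lines(SAMPLE_R1_LINES, ISP_NETWORKS).items():
        print(verdict, value, reasons)
```

A proxy that is neither local nor inside your provider's address space is worth removing regardless of whether it explains the spam, since everything the browser sends passes through it.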
nigel30 (Author) commented:
Removing the proxy server details from IE6 has enabled it to work again. Thanks for that. I have increased the points as it looks like this is not a straightforward problem.

I have looked at a number of the emails and I have found this one that has more details than the others. If you can decipher this I would be very grateful.

Return-Path: <lkssc@ringrose-associates.co.uk>
Received: (qmail 13172 invoked from network); 15 Apr 2006 06:22:00 -0000
Received: from unknown (HELO annwn1.rutgers.edu) (unknown)
  by unknown with SMTP; 15 Apr 2006 06:22:00 -0000
Received: from localhost (localhost.rutgers.edu [])
      by annwn1.rutgers.edu (Postfix) with ESMTP id 53DCA44198
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
Received: from annwn1.rutgers.edu ([])
      by localhost (annwn1.rutgers.edu []) (amavisd-new, port 10024)
      with ESMTP id 07068-02 for <bjhxw@rci.rutgers.edu>;
      Sat, 15 Apr 2006 02:21:59 -0400 (EDT)
Received: from U0363.u.pppool.de (U0363.u.pppool.de [])
      by annwn1.rutgers.edu (Postfix) with SMTP id 21EFF452E5
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:21:46 -0400 (EDT)
Received: (qmail 20297 invoked from network); Sat, 15 Apr 2006 08:21:52 +0200
Received: from unknown (HELO epgdu.gmblq) (
      by U0363.u.pppool.de with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
Message-ID: <000501c66054$e2c37f8f$70eb3859@epgdu.gmblq>
From: "Dolly Seymour" <lkssc@ringrose-associates.co.uk>
To: "Felice Wright" <bjhxw@rci.rutgers.edu>
Subject: yolk understate
Date: Sat, 15 Apr 2006 08:18:25 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1441
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Virus-Scanned: Virus Scanned by NBCS
X-Spam-Status: No, hits=1.3 tagged_above=-50.0 required=6.3
X-Spam-Level: *

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

grimace an... OK roughage entrapment, torment herpes, forte came vine? = self-disciplined, is contemplative bigamist it of indemnify with suede

old-timer the frigate and unlucky of auction inevitably the extravagant = fastener wording, curious or eyewitness sponge cake of yellowish, and = tone-deaf a!!!

nearsighted cohabitation on quadrangle Mormon washable.:

redirect else monarch
dirt-poor... antagonism it honorably region joyous incredulous the kennel crass and an... downer the blue law and = hyperactive an postgraduate as droppings this protracted steam garbled = good-looking souvenir, of albino arsenal and an Sr. g blackness, printing press. eight? negligee credible wont. the and hush-hush = accompanist an whim?! drape as grad school agree the zebra,: body = windowpane magistrate of meaningful caution a the final stealthily?
lumpy was intrigue. acid, spoonful scarf weather vane as abhorrent = opportunist jade youth the to as tiara, satire bombed succumb dust, object on immaculate to as observable and whatchamacallit, and = antonym, in gasp clothe, diesel engine trumpeter are
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
This particular example appears to have originated from IP address "" which, according to http://www.ripe.net/whois, is somewhere in Germany, and belongs to "freenet Cityline GmbH, Willstaetterstrasse 13, 40549 Duesseldorf, Germany". You could report abuse by email to abuse@pppool.de and hope they can track it. It may be an infected machine belonging to a clueless user, or the mail headers could be faked also, in which case it may not even be in their subnet.
It appears to be some sort of a dial-in (i.e. temp) address, so harder to track for the ISP.
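An added worked example, not code posted by r_k or anyone else in this thread, of the two steps r_k describes: first dig the original message's headers out of the body of the bounce (a multipart/report DSN carries them as a message/rfc822 or text/rfc822-headers part), then walk the Received chain from the top and stop at the first hop where a server you trust received the message from an outside host, since everything below that line was written by machines you do not control and can be forged, as r_k warns. The bounce below is constructed, with example.* hostnames and documentation-range IPs in place of the addresses that were stripped from the posted headers; the set of trusted hosts is an assumption you would replace with your own provider's server names (Zen's schroedinger.zen.co.uk and the Yahoo MTA in the first posted header, for instance).

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed sample bounce (not from the thread): a multipart/report DSN whose
# third MIME part is text/rfc822-headers carrying the spoofed original's headers.
# Hostnames are example.* placeholders; IPs come from the 192.0.2.0/24 and
# 198.51.100.0/24 documentation ranges.
SAMPLE_BOUNCE = """\
From: postmaster@example.net
To: victim@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

The following address could not be delivered to: nobody@example.net
--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--dsn
Content-Type: text/rfc822-headers

Return-Path: <abcde@example.org>
Received: from mx.example.net (mx.example.net [198.51.100.10])
      by inbound.example.net (Postfix) with ESMTP id ABC123
      for <nobody@example.net>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
Received: from dialup-0363.isp.example (dialup-0363.isp.example [192.0.2.77])
      by mx.example.net (Postfix) with SMTP id DEF456
      for <nobody@example.net>; Sat, 15 Apr 2006 02:21:46 -0400 (EDT)
Received: from unknown (HELO xyzab.qwert) (10.0.0.5)
      by dialup-0363.isp.example with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
From: "Dolly Seymour" <abcde@example.org>
To: <nobody@example.net>
Subject: yolk understate
--dsn--
"""

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[\w.\-]+)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_original_headers(raw_bounce: str) -> Optional[EmailMessage]:
    """Return the bounced original's headers that a DSN carries in its body
    (as message/rfc822 or text/rfc822-headers), or None if there are none."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # whole original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # headers only
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def parse_received(value: str) -> Optional[dict]:
    """Pull the sending name (HELO), sending IP and receiving host out of one
    Received header. Lines without a 'from ... by ...' shape, such as qmail's
    '(qmail N invoked from network)', yield None."""
    text = re.sub(r"\s+", " ", str(value)).strip()
    m = HOP_RE.match(text)
    if not m:
        return None
    ips = IPV4_RE.findall(text[: m.start("by")])   # only the 'from' side of the hop
    return {"helo": m.group("helo"), "ip": ips[-1] if ips else None, "by": m.group("by")}


def find_origin(original: EmailMessage, trusted_hosts: set) -> dict:
    """Walk Received headers newest-first. A hop counts only while the 'by'
    server is one of ours; the first hop where one of ours received from an
    outside host is the entry point, and lower hops may be forged."""
    origin = None
    for value in original.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["by"].lower() not in trusted_hosts:
            break
        origin = hop
        if hop["helo"].lower() not in trusted_hosts:
            break
    return {
        "ip": origin["ip"] if origin else None,
        "helo": origin["helo"] if origin else None,
        "spoofed_from": parseaddr(str(original.get("From", "")))[1],
        "return_path": parseaddr(str(original.get("Return-Path", "")))[1],
    }


def trace_bounce(raw_bounce: str, trusted_hosts: set) -> Optional[dict]:
    original = extract_original_headers(raw_bounce)
    return None if original is None else find_origin(original, trusted_hosts)


if __name__ == "__main__":
    print(trace_bounce(SAMPLE_BOUNCE, {"inbound.example.net", "mx.example.net"}))
```

The IP this returns is the one to look up at ARIN or RIPE and to quote in an abuse report; the forged From and Return-Path are what make the bounces land in the victim's mailbox, exactly as nltech described.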
nigel30 (Author) commented:
As my machine appears to be clean I have been searching on the internet for other possible causes. I am now thinking that someone is using the contact form on my website to mail spam and I am just seeing the ones that have been bounced. I have deleted the php form that I use to see if the spam stops. I will close this query and pursue this offline.

Many thanks for your time and help r_k.

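An added worked example, not code from nigel30 or anyone else in this thread. The thread does not say how the contact form was being abused; the assumption here is the usual mechanism, header injection: a form handler that pastes visitor fields into the header block (the shape of passing user input to PHP mail()'s headers argument) lets a line break in a field add Bcc or Cc headers, which turns the form into a relay. The submissions below are constructed, and web@example.org / owner@example.org are placeholder addresses.

```python
import re
from email.message import EmailMessage

# Constructed form submissions (not from the thread). The second and third
# carry CR/LF sequences in a field; pasted into a header block they would add
# the sender's own Bcc/Cc lines and make the form relay mail for them.
SAMPLE_SUBMISSIONS = [
    {"name": "Jane Doe", "email": "jane@example.com", "message": "Could you send me a quote?"},
    {"name": "x\r\nBcc: target1@example.net, target2@example.net",
     "email": "anon@example.com", "message": "Buy now"},
    {"name": "Bob", "email": "bob@example.com\nCc: target3@example.net", "message": "hi"},
]

HEADER_BREAK = re.compile(r"[\r\n\x00]")
PLAIN_ADDR = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def build_contact_message_unsafe(form: dict, to: str = "owner@example.org") -> str:
    """The pattern behind abused contact forms: visitor input is pasted straight
    into the header block, so a line break inside it starts a new header."""
    return (f"From: {form['name']} <{form['email']}>\r\n"
            f"To: {to}\r\n"
            f"Subject: Website enquiry\r\n"
            f"\r\n{form['message']}")


def validate_form(form: dict) -> list:
    """Return the reasons a submission must be rejected (empty list = clean)."""
    problems = []
    for field in ("name", "email"):
        if HEADER_BREAK.search(form.get(field, "")):
            problems.append(f"{field}: line break or NUL (header injection attempt)")
    if not PLAIN_ADDR.match(form.get("email", "")):
        problems.append("email: not a single plain address")
    if not form.get("message", "").strip():
        problems.append("message: empty")
    return problems


def build_contact_message(form: dict, site_from: str = "web@example.org",
                          to: str = "owner@example.org") -> EmailMessage:
    """Hardened builder: reject anything validate_form flags, keep From and To
    fixed to the site's own addresses, put the visitor's address only in
    Reply-To, and put everything else in the body where line breaks are harmless."""
    problems = validate_form(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = site_from
    msg["To"] = to
    msg["Reply-To"] = form["email"]
    msg["Subject"] = "Website enquiry"
    msg.set_content(f"Name: {form['name']}\n\n{form['message']}")
    return msg


def is_accepted(form: dict) -> bool:
    """True when the hardened builder would send this submission."""
    try:
        build_contact_message(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for form in SAMPLE_SUBMISSIONS:
        print(is_accepted(form), validate_form(form))
```

Rejected submissions are worth logging with the source IP: a burst of them is the signal that the form is being probed, and it arrives well before the bounces do.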