System sending spam emails but Norton not detecting a problem

Hi

My system appears to be sending spam emails as I am getting system failure and undeliverable email messages. However Norton is not reporting any problems when I do a full system scan. Can anyone suggest where I look to see what the problem is and what to do about it?

Regards

nigel30
nltech commented:
Just because you're receiving system failure and undeliverable email (bounces) back from your mail provider does not necessarily mean YOU have the virus. It's a common thing for a virus to just pick a random address found on the victim's computer and use that as the 'from' address (makes the bad mail appear more legitimate, and the victims themselves don't get the bounces).

If you want to verify your system is clean and Norton is doing its job: http://housecall.trendmicro.com
0
nigel30 (author) commented:
Thanks for your comment. I should clarify that the emails that are bouncing are not ones that I have sent. They are to all sorts of companies and individuals not in my address book and have fictitious email account names when they are bounced.

I will look at the link, so thanks for your help.
0
r-k commented:
I tend to agree with nltech. To confirm where the emails are really originating, you need to look at the full mail headers and decipher them.

Here are a couple of links that may help:

 http://www.stopspam.org/email/headers.html
 http://itim.tamu.edu/htmlfs/mailheaders.shtml

If in doubt feel free to post the relevant part of a typical header here.
0

nigel30 (author) commented:
Thanks for the post and the offer to help decipher the header.

Here is a copy of a mail header of a bounced email. The sent emails all have attachments appearing to sell various products and services. To help with the message my personal email address is n.ringrose@btinternet.com and my business email is ringrose-associates.co.uk, this is diverted to my private email. Ringrose Associates is hosted by Zen.

X-Apparently-To: n.ringrose@btinternet.com via 217.12.13.39; Sat, 15 Apr 2006 12:39:06 +0000
X-Originating-IP: [212.23.3.24]
Authentication-Results: mta812.mail.ukl.yahoo.com
  from=carterexcavating.com; domainkeys=neutral (no sig)
Received: from 212.23.3.24  (EHLO schroedinger.zen.co.uk) (212.23.3.24)
  by mta812.mail.ukl.yahoo.com with SMTP; Sat, 15 Apr 2006 12:39:06 +0000
Received: from wsip-68-15-193-182.ok.ok.cox.net ([68.15.193.182] helo=CARTER01.Carter.local)
      by schroedinger.zen.co.uk with esmtp (Exim 4.43)
      id 1FUk3M-0007g1-Ie
      for vcurtkzo@ringrose-associates.co.uk; Sat, 15 Apr 2006 12:39:05 +0000
From: postmaster@carterexcavating.com
To: vcurtkzo@ringrose-associates.co.uk
Date: Sat, 15 Apr 2006 07:41:41 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
      boundary="9B095B5ADSN=_01C638D4BCFAB22A0006DFDECARTER01.Carter."
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <9vhjtvlGf00031de5@CARTER01.Carter.local>
Subject: Delivery Status Notification (Failure)
X-Zen-Test-Spam-Score: 22
X-Zen-Test-Spam-Bar: (++)
X-Originating-Schroedinger-IP: [68.15.193.182]
X-Zen-Loop2: 2eb0aedfcaf52916d28bac7b0ebd70ce
X-NAS-Language: English
X-NAS-Bayes: #0: 1.73363E-076; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 760
X-NAS-Validation: {A3A010C5-6442-4CFB-8A36-4A4CA907E5B6}

I would be grateful for any help as the number of these emails is increasing all the time.

Also, I don't know whether this is related, but since this started I have not been able to use IE6 to access the internet. It can't connect or runs incredibly slowly. I can still use Firefox however.
0
r-k commented:
Thanks for posting the header. However, this is the wrong part of the header. It shows a rejection notice travelling from postmaster@carterexcavating.com to you. All that is normal. The more interesting thing would be the header that in this case would be in the body of this message. Hopefully the server at carterexcavating.com included that so you see where the original mail to them originated.

In addition to that, you may want to make sure your machine is not infected in some way. It is odd that IE should not work. I would suggest downloading Hijackthis from http://www.hijackthis.de/ and running it. Post the resulting log back to that web site, click Analyze, then click "Save Analysis" at the bottom of the next page. Finally, post here a link to that final analyzed page. It should reveal if anything bad has infected your system.
0
amiri commented:
I think you'd better use Kaspersky Internet Security 6;
it solves your problem.
0
nigel30 (author) commented:
Thanks for the advice.

I have run hijackthis. The only entry that was tagged as a possible nasty is as follows

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.19.14.12:3128

If this is the culprit, what do I do next?

0
r-k commented:
"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.19.14.12:3128"

Does that IP address belong to your ISP? That address is registered to Hughes Network Systems in Maryland, USA (I got this by going to http://www.arin.net/). If not, you can have Hijackthis fix it.

However, I am pretty sure this would not explain the sending of spam emails (though it might explain the IE problem). Did you have any luck looking at the body of the bounced messages to see where they are originating?
0
nigel30 (author) commented:
Removing the proxy server details from IE6 has enabled it to work again. Thanks for that. I have increased the points as it looks like this is not a straightforward problem.

I have looked at a number of the emails and I have found this one that has more details than the others. If you can decipher this I would be very grateful.

Return-Path: <lkssc@ringrose-associates.co.uk>
Received: (qmail 13172 invoked from network); 15 Apr 2006 06:22:00 -0000
Received: from unknown (HELO annwn1.rutgers.edu) (unknown)
  by unknown with SMTP; 15 Apr 2006 06:22:00 -0000
Received: from localhost (localhost.rutgers.edu [127.0.0.1])
      by annwn1.rutgers.edu (Postfix) with ESMTP id 53DCA44198
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
Received: from annwn1.rutgers.edu ([127.0.0.1])
      by localhost (annwn1.rutgers.edu [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 07068-02 for <bjhxw@rci.rutgers.edu>;
      Sat, 15 Apr 2006 02:21:59 -0400 (EDT)
Received: from U0363.u.pppool.de (U0363.u.pppool.de [89.56.3.99])
      by annwn1.rutgers.edu (Postfix) with SMTP id 21EFF452E5
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:21:46 -0400 (EDT)
Received: (qmail 20297 invoked from network); Sat, 15 Apr 2006 08:21:52 +0200
Received: from unknown (HELO epgdu.gmblq) (89.56.235.112)
      by U0363.u.pppool.de with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
Message-ID: <000501c66054$e2c37f8f$70eb3859@epgdu.gmblq>
From: "Dolly Seymour" <lkssc@ringrose-associates.co.uk>
To: "Felice Wright" <bjhxw@rci.rutgers.edu>
Subject: yolk understate
Date: Sat, 15 Apr 2006 08:18:25 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
      type="multipart/alternative";
      boundary="----=_NextPart_000_0001_01C66065.A64C4F03"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1441
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Virus-Scanned: Virus Scanned by NBCS
X-Spam-Status: No, hits=1.3 tagged_above=-50.0 required=6.3
      tests=EXTRA_MPART_TYPE, HTML_40_50, HTML_IMAGE_ONLY_24, HTML_MESSAGE
X-Spam-Level: *

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C66065.A64C4F03
Content-Type: multipart/alternative;
      boundary="----=_NextPart_001_0002_01C66065.A64C4F26"


------=_NextPart_001_0002_01C66065.A64C4F26
Content-Type: text/plain;
      charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

grimace an... OK roughage entrapment, torment herpes, forte came vine? = self-disciplined, is contemplative bigamist it of indemnify with suede

old-timer the frigate and unlucky of auction inevitably the extravagant = fastener wording, curious or eyewitness sponge cake of yellowish, and = tone-deaf a!!!

nearsighted cohabitation on quadrangle Mormon washable.:

redirect else monarch
dirt-poor... antagonism it honorably region joyous incredulous the kennel crass and an... downer the blue law and = hyperactive an postgraduate as droppings this protracted steam garbled = good-looking souvenir, of albino arsenal and an Sr. g blackness, printing press. eight? negligee credible wont. the and hush-hush = accompanist an whim?! drape as grad school agree the zebra,: body = windowpane magistrate of meaningful caution a the final stealthily?
lumpy was intrigue. acid, spoonful scarf weather vane as abhorrent = opportunist jade youth the to as tiara, satire bombed succumb dust, object on immaculate to as observable and whatchamacallit, and = antonym, in gasp clothe, diesel engine trumpeter are
------=_NextPart_001_0002_01C66065.A64C4F26
Content-Type: text/html;
      charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
0
r-k commented:
This particular example appears to have originated from IP address "89.56.235.112" which, according to http://www.ripe.net/whois, is somewhere in Germany, and belongs to "freenet Cityline GmbH, Willstaetterstrasse 13, 40549 Duesseldorf, Germany". You could report abuse by email to abuse@pppool.de  and hope they can track it. It may be an infected machine belonging to a clueless user, or the mail headers could be faked also in which case it may not even be in their subnet.
It appears to be some sort of a dial-in (i.e. temp) address, so harder to track for the ISP.
0
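The Received-chain walk that r-k describes, as an added Python example that is not part of the original thread. It parses the header block quoted above (embedded as sample input, taken from the post), lists the hops, and separates two things a practitioner should keep apart: the origin the bottom-most line claims (89.56.235.112) and the connecting address recorded by the last server one has reason to trust, which is all that can actually be believed, since every line below it was written by the connecting machine itself and can say whatever the spammer wants. Treating rutgers.edu as the trusted recipient side is an assumption for the demo.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the forwarded spam quoted earlier in the thread (sample input
# taken from the post above; body omitted, continuation lines kept as posted).
SAMPLE_HEADERS = """Return-Path: <lkssc@ringrose-associates.co.uk>
Received: (qmail 13172 invoked from network); 15 Apr 2006 06:22:00 -0000
Received: from unknown (HELO annwn1.rutgers.edu) (unknown)
  by unknown with SMTP; 15 Apr 2006 06:22:00 -0000
Received: from localhost (localhost.rutgers.edu [127.0.0.1])
      by annwn1.rutgers.edu (Postfix) with ESMTP id 53DCA44198
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:22:00 -0400 (EDT)
Received: from annwn1.rutgers.edu ([127.0.0.1])
      by localhost (annwn1.rutgers.edu [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id 07068-02 for <bjhxw@rci.rutgers.edu>;
      Sat, 15 Apr 2006 02:21:59 -0400 (EDT)
Received: from U0363.u.pppool.de (U0363.u.pppool.de [89.56.3.99])
      by annwn1.rutgers.edu (Postfix) with SMTP id 21EFF452E5
      for <bjhxw@rci.rutgers.edu>; Sat, 15 Apr 2006 02:21:46 -0400 (EDT)
Received: (qmail 20297 invoked from network); Sat, 15 Apr 2006 08:21:52 +0200
Received: from unknown (HELO epgdu.gmblq) (89.56.235.112)
      by U0363.u.pppool.de with SMTP; Sat, 15 Apr 2006 08:21:52 +0200
From: "Dolly Seymour" <lkssc@ringrose-associates.co.uk>
To: "Felice Wright" <bjhxw@rci.rutgers.edu>
Subject: yolk understate

"""

IPV4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
FROM_BY = re.compile(r'^from (.+?) by (\S+)', re.IGNORECASE)


def is_internal(ip):
    """Loopback/private addresses are internal relays, not an external sender."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local


def parse_received(headers_text):
    """Return the Received hops top-down (newest first), each as a dict with the
    'from' clause, the IP it carries (if any) and the server that wrote the line."""
    msg = message_from_string(headers_text)
    hops = []
    for raw in msg.get_all('Received', []):
        line = re.sub(r'\s+', ' ', raw).strip()
        m = FROM_BY.match(line)
        from_clause, by_host = (m.group(1), m.group(2)) if m else (None, None)
        ips = IPV4.findall(from_clause) if from_clause else []
        ip = None
        for cand in reversed(ips):          # last bracketed address is the socket peer
            try:
                ipaddress.ip_address(cand)
                ip = cand
                break
            except ValueError:
                continue
        hops.append({'raw': line, 'from': from_clause, 'from_ip': ip, 'by': by_host})
    return hops


def claimed_origin(hops):
    """The origin the headers *claim*: lowest hop carrying a public address."""
    for hop in reversed(hops):
        if hop['from_ip'] and not is_internal(hop['from_ip']):
            return hop['from_ip']
    return None


def trusted_origin(hops, trusted_domains):
    """Walk newest-to-oldest and believe a hop only while the server that stamped
    it ('by') is one we trust.  Returns the last connecting address a trusted
    server recorded; lines below that were written by the connecting machine."""
    def trusted(host):
        host = (host or '').lower().rstrip('.')
        return any(host == d or host.endswith('.' + d) for d in trusted_domains)

    last = None
    for hop in hops:
        if not hop['from_ip'] or is_internal(hop['from_ip']):
            continue                        # local stamp or internal relay: no external hop
        if not trusted(hop['by']):
            break                           # stamped by an untrusted machine: stop believing
        last = hop['from_ip']
    return last


def summarize(headers_text, trusted_domains):
    msg = message_from_string(headers_text)
    hops = parse_received(headers_text)
    return {
        'return_path': parseaddr(msg.get('Return-Path', ''))[1],
        'claimed_origin': claimed_origin(hops),
        'trusted_origin': trusted_origin(hops, trusted_domains),
        'hops': len(hops),
    }


if __name__ == '__main__':
    # 'rutgers.edu' as the trusted recipient side is an assumption for the demo.
    for k, v in summarize(SAMPLE_HEADERS, ('rutgers.edu',)).items():
        print('%-15s %s' % (k + ':', v))
```

On this header the two answers differ: the bottom line claims 89.56.235.112, but the only hop stamped by a server outside the spammer's control says 89.56.3.99 connected to annwn1.rutgers.edu. Both sit in the same pppool.de range, so r-k's conclusion stands, but an abuse report should cite the address the trusted server logged, with that server's timestamp, rather than the self-reported one.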
nigel30 (author) commented:
As my machine appears to be clean I have been searching on the internet for other possible causes. I am now thinking that someone is using the contact form on my website to mail spam and I am just seeing the ones that have been bounced. I have deleted the php form that I use to see if the spam stops. I will close this query and pursue this offline.

Many thanks for your time and help r-k.
0
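The contact-form abuse the author suspects at the close of the thread is, in the common case, CRLF header injection: a form field that is pasted into the mail header block can carry a line break followed by an extra Bcc: line, and a PHP mail() wrapper then relays the message to those recipients with the site's domain as sender, which is exactly what produces backscatter bounces to that domain. The thread does not confirm that this is what happened here. The following is an added Python example, not the author's PHP form, showing the vulnerable concatenation beside a hardened builder, with a constructed attack input; the site_sender address is a placeholder.

```python
import re

# Constructed attack input: a CR/LF inside the e-mail field followed by an extra header.
PAYLOAD_EMAIL = ("visitor@example.net\r\n"
                 "Bcc: target1@example.com, target2@example.com")

_LINEBREAK = re.compile(r'[\r\n]')
_ADDRESS = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def build_headers_unsafe(name, sender, subject):
    """The classic bug: form fields are pasted into the header block verbatim, so a
    line break in any of them starts a new header line the mail server will honour."""
    return ("From: %s <%s>\r\n"
            "Reply-To: %s\r\n"
            "Subject: %s\r\n") % (name, sender, sender, subject)


def is_injected(value):
    """True if a single-line field contains a line break (header injection attempt)."""
    return bool(_LINEBREAK.search(value))


def build_headers_safe(name, sender, subject, site_sender='webform@example.org'):
    """Reject line breaks outright, require a plausible address, and keep From:
    under our own control so the visitor cannot turn the site into their relay.
    site_sender is a placeholder for the demo."""
    for field, value in (('name', name), ('email', sender), ('subject', subject)):
        if is_injected(value):
            raise ValueError('line break in %s field: header injection attempt' % field)
    if not _ADDRESS.match(sender):
        raise ValueError('invalid e-mail address')
    return ("From: %s\r\n"
            "Reply-To: %s\r\n"
            "Subject: %s\r\n") % (site_sender, sender, subject)


def header_names(block):
    """Header field names as the mail server would see them after line splitting."""
    return [line.split(':', 1)[0] for line in block.split('\r\n') if line]


def demo():
    """Run the payload through both builders; returns (unsafe header names, rejected?)."""
    unsafe = header_names(build_headers_unsafe('Visitor', PAYLOAD_EMAIL, 'hello'))
    try:
        build_headers_safe('Visitor', PAYLOAD_EMAIL, 'hello')
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return unsafe, safe_rejected


if __name__ == '__main__':
    names, rejected = demo()
    print('unsafe header block contains:', names)
    print('hardened builder rejected the payload:', rejected)
```

The check worth copying is the first one: any single-line field that ends up in a header must be refused if it contains CR or LF, before any address validation. Keeping From: fixed to an address you own and putting the visitor's address only in Reply-To also stops the form from sending with an arbitrary sender, which is what made the bounces land in this thread.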