Asked by mojopojo:
Single spam e-mail shows up on every send receive - bypasses Inbox/Rules. Fills entire Inbox in a day.

Here's one that has been plaguing me:

I have a user on Win XP Pro SP2 using Outlook 2003. He received a piece of spam on 4/17/2006 from his Yahoo Business Pop3 account that made it past the Yahoo and Symantec filters to his inbox. It was sent from:

"Help Desk [FidelBoyer202@userbeam.net]" soliciting charity funds for starving children.

I know "userbeam.net" is a German e-mail provider who also specializes in anonymous mail-relay.

I have blocked the sender address at the Yahoo account and set Outlook to leave a copy of any downloaded message on the server. But here is the rub - It is no longer coming from the "outside". I have run send/receive and then checked the web (Yahoo) account and it is the only mail not there. So I disconnected the Ethernet cable and it still shows up as an "unread" e-mail in the "Inbox".

Every time a send/receive is activated another copy of the e-mail is delivered to his Inbox BUT NOT designated as received "Today". It shows up as having been sent AND received on 4/17/2006.

You would think that a good workaround would be to create a rule deleting it as soon as it arrives (quick and dirty solution) but that does not work because the rules only catch mail that comes into the new mail folder as being delivered new "Today". Since the mail shows up as being delivered on 4/17/2006 it never passes through the filters I have configured (and I have tried dozens of permutations/configurations).

I can create a new rule, select to run it on the entire "Inbox" and it will find and delete every one of them. But then it will not catch any of the new instances/deliveries because they never pass through the "Today" designation in the Inbox.

I've run Scanpst.exe on the data file and it does not help. No Symantec or AVG scan has detected or repaired it. Spysweep, Spybot S&D, SpywareBlaster, Adaware and HijackThis are useless against it.

The mail fills his inbox by the end of every day and this mail account forwards to his Blackberry as well.

Anyone come up against this recursive, accursed e-mail bug?

I'd appreciate the help.

Thanks,
-MP
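The rule bypass described above (a copy that keeps reappearing with its original 4/17 date, so a "received today" rule never fires) can be spotted by looking for identical, stale-dated messages that pile up in a mailbox export. The script below is an added example, not from this thread or any poster; the sender address is the one quoted in the question, and all other headers, bodies and the reference time are constructed for illustration.

```python
"""Flag messages that keep reappearing with the same back-dated Date header.

Added illustration (not from the original thread). Only the sender address
comes from the question; the rest of the sample mailbox is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: one ordinary message plus three copies of the
# recurring one, each still stamped with the original April 17 date.
RECURRING = """From: Help Desk <FidelBoyer202@userbeam.net>
To: user@example.com
Subject: Starving children need your help
Date: Mon, 17 Apr 2006 09:12:00 -0400

Please donate.
"""
NORMAL = """From: colleague@example.com
To: user@example.com
Subject: Meeting notes
Date: Thu, 27 Apr 2006 14:30:00 -0400

Notes attached.
"""
SAMPLE_MBOX = [NORMAL, RECURRING, RECURRING, RECURRING]
# Constructed "now": the day the mailbox export was taken.
SAMPLE_NOW = datetime(2006, 4, 28, tzinfo=timezone.utc)


def fingerprint(raw):
    """Return (sender, subject, date) for one raw RFC 822 message,
    or None when the Date header is missing or unparsable."""
    msg = message_from_string(raw)
    date_hdr = msg.get("Date")
    if not date_hdr:
        return None
    try:
        date = parsedate_to_datetime(date_hdr)
    except (TypeError, ValueError):
        return None
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender, msg.get("Subject", "").strip(), date


def find_recurring(messages, now, min_copies=2, stale_after=timedelta(days=2)):
    """Map fingerprint -> copy count for messages seen at least min_copies
    times with identical sender/subject/Date, where that Date is older than
    stale_after relative to now (i.e. back-dated past any 'today' rule)."""
    counts = Counter(fp for fp in map(fingerprint, messages) if fp)
    return {fp: n for fp, n in counts.items()
            if n >= min_copies and now - fp[2] > stale_after}
```

Run it against a real export by replacing SAMPLE_MBOX with the raw messages read from the mailbox; any hit is a candidate for the kind of local re-injection the question describes rather than a fresh delivery.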

David Lee:

Greetings, mojopojo.

Have you checked to see if the item is coming back from the Blackberry?

Cheers!
Greetings, mojopojo !

Sounds like the email is on the server and is being downloaded each time by Outlook.  If you have a webmail for this email account, go to the webmail account and delete the email there.

Best wishes!
mojopojo (asker):

Yea, I did a hard-reset on the blackberry and wiped it clean.

This client is strictly on webmail - Yahoo! Business. He has two POP3 accounts and like I said in my initial description:

"I have blocked the sender address at the Yahoo account and set Outlook to leave a copy of any downloaded message on the server. But here is the rub - It is no longer coming from the "outside". I have run send/receive and then checked the web (Yahoo) account and it is the only mail not there. So I disconnected the Ethernet cable and it still shows up as an "unread" e-mail in the "Inbox"."

This thing must now be local.

It is also insidious.

What gets me is the delivery that is back-dated to 4/17 so as to bypass the rules. I think that is the key and the problem.

ASKER CERTIFIED SOLUTION from war1 (content not available on this page)

mojopojo (asker):

There is also a VAIO laptop on this small work-group that syncs with the desktop (infected) and the Blackberry. All 3 devices receive e-mail from the same source with no variation (i.e. neither has an account the other does not have; they are homogeneous in that respect).

He is also not getting the 4/17 recursive e-mail on the blackberry since the initial instance. This makes me think it is taking advantage of a hole in Outlook.
From my initial post:

"I've run Scanpst.exe on the data file and it does not help. No Symantec or AVG scan has detected or repaired it. Spysweep, Spybot S&D, SpywareBlaster, Adaware and HijackThis are useless against it."

But thanks.

Also dumped System Restore and used "CleanUp!" (latest version) to root out any temps, prefetch files... etc.

If you have not tried "CleanUp!" you should give it a try. But be careful of what file extensions you set it to delete. There is no recovering files from this cleaning by any conventional means.

http://www.stevengould.org/software/cleanup/

I'm an old hand at fighting spyware. But this thing is kicking my a@!.

-MP
I get spam all the time that's back dated.  I don't think the date is our problem.  The question I think we need to answer is where is the message coming from?  If the message still shows up with the Ethernet cable disconnected, then there has to be something on the machine generating the messages.
Exactly. But I can't find the local source.

Still looking.
mojopojo,

Run Ewido to remove trojans. If no joy show us your HijackThis log.
SOLUTION (content not available on this page)

mojopojo (asker):

Just to keep up... The PC has been isolated and we keep getting it. I have hunted this thing through most standard means but will run a complete spyware cleansing once more.

I will not have access to the PC until Monday as the user has gone out of town and I am locked out of the office.

I will post more when I get access to the PC again and will keep with this thread until I resolve this issue.

Thanks for everything so far everybody.
mojopojo,

I know a bit about removing trojans and spyware.  So scrub your computer with Ewido and then use HijackThis log.  Post the log here.
mojopojo, any update?
The user is out of the country and his PC is under lock & key until Tuesday morning. I'll post then, after I run the spyware scrub.
mojopojo, thanks for the update.
Ewido got it. Then got it again. Then again...

Love the program and it succeeded where Adaware, Spybot and SpySweep had failed. But every time it found my bug another was sent from outside. (The only time a new copy was found on the server was after I had eradicated it from the local system).

So the solution was to disconnect the Ethernet cable. Run Send/Receive a couple of times to verify it was still resident (it was). Then run Ewido, then CleanUp!, then Registry Mechanic.

This combo worked! And no new instance has been sent from the "outside" since I put the PC back on the network.

Nice little set-up it had worked out for itself though. It would "phone home" after it died to ask for reinforcements.  Like some war-bent race, cloned billions of times to enable them to sustain innumerable casualties.

But I digress....

Thanks everyone and I now have a new tool in my arsenal - Ewido!

War1 was first to mention Ewido and BlueDevilFan pushed for the isolation of the PC so I am gonna spread the points around a bit with the Kill going to Ewido via War1.

Thanks everyone.

-Mojopojo
Mojopojo, glad you got rid of the trojan.