Solved

Single spam e-mail shows up on every send receive - bypasses Inbox/Rules. Fills entire Inbox in a day.

Posted on 2006-05-17
Last Modified: 2010-04-08
Here's one that has been plaguing me:

I have a user on Win XP Pro SP2 using Outlook 2003. He received a piece of spam on 4/17/2006 from his Yahoo Business Pop3 account that made it past the Yahoo and Symantec filters to his inbox. It was sent from:

"Help Desk [FidelBoyer202@userbeam.net]" soliciting charity funds for starving children.

I know "userbeam.net" is a German e-mail provider who also specializes in anonymous mail-relay.

I have blocked the sender address at the Yahoo account and set Outlook to leave a copy of any downloaded message on the server. But here is the rub - It is no longer coming from the "outside". I have run send/receive and then checked the web (Yahoo) account and it is the only mail not there. So I disconnected the Ethernet cable and it still shows up as an "unread" e-mail in the "Inbox".

Every time a send/receive is activated another copy of the e-mail is delivered to his Inbox BUT NOT designated as received "Today". It shows up as having been sent AND received on 4/17/2006.

You would think that a good workaround would be to create a rule deleting it as soon as it arrives (quick and dirty solution) but that does not work because the rules only catch mail that comes into the new mail folder as being delivered new "Today". Since the mail shows up as being delivered on 4/17/2006 it never passes through the filters I have configured (and I have tried dozens of permutations/configurations).

I can create a new rule, select to run it on the entire "Inbox" and it will find and delete every one of them. But then it will not catch any of the new instances/deliveries because they never pass through the "Today" designation in the Inbox.

I've run Scanpst.exe on the data file and it does not help. No Symantec or AVG scan has detected or repaired it. Spysweep, Spybot S&D, SpywareBlaster, Adaware and HijackThis are useless against it.

The mail fills his inbox by the end of every day and this mail account forwards to his Blackberry as well.

Anyone come up against this recursive, accursed e-mail bug?

I'd appreciate the help.

Thanks,
-MP

Question by:mojopojo
17 Comments
 
LVL 76

Expert Comment

by:David Lee
ID: 16704231
Greetings, mojopojo.

Have you checked to see if the item is coming back from the Blackberry?

Cheers!
0
 
LVL 97

Expert Comment

by:war1
ID: 16704268
Greetings, mojopojo !

Sounds like the email is on the server and is being downloaded each time by Outlook.  If you have a webmail for this email account, go to the webmail account and delete the email there.

Best wishes!
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16704829

Yea, I did a hard-reset on the blackberry and wiped it clean.

This client is strictly on webmail - Yahoo! Business. He has two POP3 accounts and like I said in my initial description:

"I have blocked the sender address at the Yahoo account and set Outlook to leave a copy of any downloaded message on the server. But here is the rub - It is no longer coming from the "outside". I have run send/receive and then checked the web (Yahoo) account and it is the only mail not there. So I disconnected the Ethernet cable and it still shows up as an "unread" e-mail in the "Inbox"."

This thing must now be local.

It is also insidious.

What gets me is the delivery that is back-dated to 4/17 so as to bypass the rules.
 I think that is the key and the problem.

0
 
LVL 97

Accepted Solution

by:
war1 earned 1200 total points
ID: 16704848
mojopojo,

Check for virus and adware

Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner

Spy Sweeper
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
Ewido
http://www.ewido.net/en/
or
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16704854
There is also a VAIO laptop on this small work-group that syncs with the desktop (infected) and the Blackberry. All 3 devices receive e-mail from the same source with no variation. (i.e. neither has an account the other does not have - they are homogeneous in that respect).

He is also not getting the 4/17 recursive e-mail on the blackberry since the initial instance. This makes me think it is taking advantage of a hole in Outlook.
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16704883
From my initial post:

"I've run Scanpst.exe on the data file and it does not help. No Symantec or AVG scan has detected or repaired it. Spysweep, Spybot S&D, SpywareBlaster, Adaware and HijackThis are useless against it."

But thanks.

Also dumped System Restore and used "CleanUp!" (latest version) to root out any temps, prefetch files... etc.

If you have not tried "CleanUp!" you should give it a try. But be careful of what file extensions you set it to delete. There is no recovering files from this cleaning by any conventional means.

http://www.stevengould.org/software/cleanup/

I'm an old hand at fighting spyware. But this thing is kicking my a@!.

-MP





0
 
LVL 76

Expert Comment

by:David Lee
ID: 16705112
I get spam all the time that's back dated.  I don't think the date is our problem.  The question I think we need to answer is where is the message coming from?  If the message still shows up with the Ethernet cable disconnected, then there has to be something on the machine generating the messages.
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16705158
Exactly. But I can't find the local source.

Still looking.
0
 
LVL 97

Expert Comment

by:war1
ID: 16705216
mojopojo,

Run Ewido to remove trojans. If no joy show us your HijackThis log.
0
 
LVL 76

Assisted Solution

by:David Lee
David Lee earned 800 total points
ID: 16705438
My recommendation is to start by isolating the computer.  Cut off all connections.  If the message still shows up with the computer isolated, then it has to be coming from something that's on the computer.  On the other hand if isolation stops this, then we'll know it's coming from somewhere else.
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16708822
Just to keep up... The PC has been isolated and we keep getting it. I have hunted this thing through most standard means but will run a complete spyware cleansing once more.

I will not have access to the PC until Monday as the user has gone out of town and I am locked out of the office.

I will post more when I get access to the PC again and will keep with this thread until I resolve this issue.

Thanks for everything so far everybody.
0
 
LVL 97

Expert Comment

by:war1
ID: 16709307
mojopojo,

I know a bit about removing trojans and spyware.  So scrub your computer with Ewido and then use HijackThis log.  Post the log here.
0
 
LVL 97

Expert Comment

by:war1
ID: 16729047
mojopojo, any update?
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16729846
The user is out of the country and his PC is under lock & key until Tuesday morning. I'll post then, after I run the spyware scrub.
0
 
LVL 97

Expert Comment

by:war1
ID: 16729871
mojopojo, thanks for the update.
0
 
LVL 3

Author Comment

by:mojopojo
ID: 16752369
Ewido got it. Then got it again. Then again...

Love the program and it succeeded where Adaware, Spybot and SpySweep had failed. But every time it found my bug another was sent from outside. (The only time a new copy was found on the server was after I had eradicated it from the local system).

So the solution was to disconnect the Ethernet cable. Run Send/Receive a couple of times to verify it was still resident (it was). Then run Ewido, then CleanUp!, then Registry Mechanic.

This combo worked! And no new instance has been sent from the "outside" since I put the PC back on the network.

Nice little set-up it had worked out for itself though. It would "phone home" after it died to ask for reinforcements.  Like some war-bent race, cloned billions of times to enable them to sustain innumerable casualties.

But I digress....

Thanks everyone and I now have a new tool in my arsenal - Ewido!

War1 was first to mention Ewido and BlueDevilFan pushed for the isolation of the PC so I am gonna spread the points around a bit with the Kill going to Ewido via War1.

Thanks everyone.

-Mojopojo
0
 
LVL 97

Expert Comment

by:war1
ID: 16755166
Mojopojo, glad you got rid of the trojan.
0

Question has a verified solution.