Solved

getting many emails within AOL email with MAILER-DAEMON as email sender

Posted on 2008-06-21
7
905 Views
Last Modified: 2013-11-05
Hi Everyone;

Lately, I have been getting unknown emails from a sender called MAILER-DAEMON. The subject area is filled with nonsensical mixtures of letters and numbers. In fact, the other day, I was flooded with these. Each one was from MAILER-DAEMON. I simply deleted each one instead of opening any of them. While I am not for certain, I believe my system may already be vulnerable to some kind of malware attack.

In closing, any thoughts regarding the MAILER-DAEMON emails will be appreciated. Perhaps there are some tools I can run to explore this problem further.

On a sidenote, I am using AOL 9.0 SE for my email client. The operating system is XP Pro SP2, just in case this information is needed.

Thank you

George
0
Comment
Question by:GMartin
7 Comments
 
LVL 2

Accepted Solution

by:
bkdragon23 earned 250 total points
ID: 21839340
It sounds like your computer may be sending tons of email. Probably malware infection. Usually MAILER-DAEMON emails are bounce back emails if you try to send one to an address that doesn't exist, or a domain that doesn't exist. If you have a malware bot on your machine (or multiple), then it will try sending emails like crazy whenever you are online. Since you are receiving these from your own email address, it is even more likely that you have been infected with a worm.

I would recommend downloading HiJackThis from Trendmicro and extract it to a folder just off of the root of your hard drive. For example: "c:\folder". Make up a silly name for the folder that has nothing to do with HiJackThis (don't use "HJT" or anything similar). Once you extract the file(s), rename the executable hijackthis.exe file to something silly as well (keeping the .exe on the end). For example: "rename hijackthis.exe sillyfile.exe" (no quotes). The reason you want to rename these is to prevent certain types of malware from cloaking against a well known program called hijackthis. It is also important to use the folder off the root of your drive, as some malware programs kill things trying to run from the desktop and from temp file locations.

Once you run hijackthis, take a look at what is running under the hood (the filenames). Then google search the ones that do not make sense. I wouldn't go removing anything just yet, but first positively identify that your system is, in fact, infected. Who knows, there may be some unknown issue with AOL email right now, and I wouldn't want you blasting away perfectly good registry entries and services over a hunch.

If you would like, you can post your hijackthis log. It probably wouldn't hurt if you could also post an example of one of those emails (deleting any personal info of course) so we can see what error the email is addressing.


Wouldn't hurt to do these:

Malware scan in safe-mode
Download/Install SDFix (instructions can be found here: http://www.bleepingcomputer.com/forums/topic131299.html)
Run SDFix in safe-mode
Malware scan in normal windows

Good Luck!
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 250 total points
ID: 21839819
I agree that what you're seeing are bounces for email that you did not send. However, it is quite likely that those emails are not originating from your own computer, but from some other computer belonging to someone else. This will be confirmed if you can establish your computer is malware-free, which I suspect it is. One other way is to look closely at the detailed headers and contents of a few of those bounced messages and see where they originated, i.e. from what IP address.
0
 

Author Comment

by:GMartin
ID: 21839919
Hi

You bring up an interesting point, r-k, with regards to determining the origin of each message.
As I understand what you are saying, an IP address can be associated with any returned piece of mail. With that in mind, how may that be done?

Thank you

George
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 250 total points
ID: 21839972
In this case, since we're talking about mail that is bounced back to you from some server, you need to look at the body of the message, i.e. just open the mail in a normal way and read it. It will contain information with varying levels of detail (depending on where it was rejected from, i.e. what software was used by that mail server). Don't click on suspicious attachments, however.

Many of the messages will contain nothing useful, because the bouncing server strips out the headers quite often, but some will. In the latter case you'll see something like the following example, which I found in my own inbox from 2003. I have stripped out names and IP addresses to protect the guilty, but if you read down you discover that the email actually originated from x-x-x-x.y.y.y.y. In this case that was not my IP address, so I could be confident that I was not the source of this message (even though the bounce came to me because the spam-bot used my address in the "return-path" field). In mail headers like the example below, the oldest part of the header is the one furthest down. The date and time can also be useful.

--------------sample bounced message attached below------------
Hi. This is the qmail-send program at x.x.x.x.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<timetable@a.b.c.d>:
The reason your email was rejected is you sent an attachment that can cause problems.
Sorry, the attachment you sent is in violation of our company's policy because it can cause problems like virus, or increase traffic load, or delete file(s) and/or among others.
Please disable HTML formatting when sending email because Visual Basic Script Worms/Virus normally exploits this.
--- Attachment filetype you sent is EXE

--- Below this line is a copy of the message.

Return-Path: <webmaster@d.e.f>
Received: (qmail 19995 invoked from network); 4 Feb 2003 17:27:40 -0000
Received: from a.a.a.a (HELO b.b.b.b) (y.y.y.y)
  by x.x.x.x with SMTP; 4 Feb 2003 17:27:40 -0000
Received: from f.f.f.f (f.f.f.f [z.z.z.z])
      by x.x.x.x (8.12.6/8.12.6) with SMTP id h14HRTup026514
      for <timetable@a.b.c>; Tue, 4 Feb 2003 11:27:30 -0600
Date: Tue, 4 Feb 2003 11:27:29 -0600
Message-Id: <200302041727.h14HRTup026514@a.b.c>
Received: from Vziy (x-x-x-x.y.y.y.y) by
          f.f.f.f (MX V4.2 VAX) with SMTP; Tue, 04 Feb 2003
          11:27:12 CST
From: bttrflybay07 <bttrflybay07@y.y.y>
To: timetable@v.v.v.v
Subject: A  new game
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=V6HwW8f5tyo7qMaf0GwmSbxHHz30nX5

--V6HwW8f5tyo7qMaf0GwmSbxHHz30nX5
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>Hello,This is a  new game<br>
This game is my first work.<br>
You're the first player.<br>
I hope you would like it.</FONT></BODY></HTML>
0
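As an added example (not code from the thread or from any of its participants), a small Python helper that does mechanically what the post above describes by hand: it pulls the copied original message out of a qmail-style bounce, walks its Received: headers from the bottom up, and reports the IP named in the oldest hop so it can be compared against your own address. The bounce text, host names and IP addresses are constructed (documentation ranges), not taken from any real mailbox.

```python
import re
from email import message_from_string

# Constructed sample: a qmail-style bounce whose body carries a copy of the
# original message, modelled on the example in the thread above.
BOUNCE = """Hi. This is the qmail-send program at 192.0.2.10.
I'm afraid I wasn't able to deliver your message to the following addresses.

--- Below this line is a copy of the message.

Return-Path: <webmaster@example.net>
Received: (qmail 19995 invoked from network); 4 Feb 2003 17:27:40 -0000
Received: from relay.example.com (HELO relay) (198.51.100.7)
  by mx.example.net with SMTP; 4 Feb 2003 17:27:40 -0000
Received: from Vziy (203.0.113.45) by
          relay.example.com (MX V4.2 VAX) with SMTP; Tue, 04 Feb 2003
          11:27:12 CST
From: bttrflybay07 <bttrflybay07@example.org>
To: timetable@example.net
Subject: A new game
"""

COPY_MARKER = "--- Below this line is a copy of the message."

def extract_original(bounce_text):
    """Return the copied original message that follows the bounce's marker line."""
    _, sep, rest = bounce_text.partition(COPY_MARKER)
    if not sep:
        raise ValueError("bounce body carries no copy of the original message")
    return rest.lstrip("\n")

def received_chain(raw_message):
    """Received: headers, oldest (bottom-most) first, with folded lines unfolded."""
    msg = message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))  # the last header written is the first hop taken

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def origin_ip(bounce_text):
    """IP named in the oldest Received: header of the copied message, or None."""
    chain = received_chain(extract_original(bounce_text))
    if not chain:
        return None
    m = IPV4.search(chain[0])
    return m.group(1) if m else None
```

If `origin_ip` returns an address that is not yours, the bounce is backscatter from someone else's machine using your address as the envelope sender; if it is yours, that is the signal to scan the machine as the earlier answer describes.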
 
LVL 32

Assisted Solution

by:r-k
r-k earned 250 total points
ID: 21839981
For completeness, here is how you can examine the mail headers in AOL mail in general. The following steps are not useful in the above case because we're interested in who sent the original message that was bounced, and that information will be in the body of the message and not the details section mentioned below:

How to get email headers in AOL or AIM ?

If the email is sent from anywhere OTHER than AOL, and you are receiving it in AOL, then open the email you want to trace, or have your client open the email, and look for the link Details. This link is usually just below the To: email in the email message. If the email is sent from an AOL user to another AOL user then the Reverse AOL Screenname search can help deduce the source location.

(this is from: https://www.abika.com/Reports/Samples/emailheaderguide.htm)

0
 

Author Comment

by:GMartin
ID: 21892539
Hi Everyone;

Thanks so much for the replies to this question. The cause of this problem was malware, which was cleaned up using a variety of tools such as ComboFix, SDFix, HiJackThis, and SuperAntiSpyware.

Many thanks again.

George
0
 
LVL 32

Expert Comment

by:r-k
ID: 21892720
Thanks, and glad you got it cleaned up.
0
