Help resolving recurring spam issue with client email address

I've been removing viruses and spyware for years now, but lately I've landed a case that I can't seem to fully resolve.

I have a customer who has 3 PCs: 1 Windows XP SP3 fully patched desktop at work, 1 Windows XP SP3 fully patched desktop at home, and 1 Windows 7 Home Premium fully patched laptop. He runs as a standard / limited user on these PCs and has MSE loaded on all 3. He accesses AOL for his email, and has the AOL program loaded on his PC :=|.

Every once in a while his friends (and me, now that I'm in his address book) will get a blatant (and misspelled) spam message from him. There is no rhyme or reason to the time it sends them. The last one was weeks ago, but it suddenly sent one out the night before last. I've included the full message (minus some sanitizing of emails) in this ticket. I've scanned these PCs with Malwarebytes, his AV, some cloud-based antivirus tools, and even a couple of rootkit detectors. I never find anything. And yet clearly his AOL account is being used to send this spam. There's no indication the spam goes to anyone other than people in his address book. We've also tried intentionally not using the two home PCs for extended periods of time to determine which of the PCs is the culprit, but that hasn't helped us narrow it down because it's so infrequent and so random. At one point we even changed his password (after verifying nothing could be found on the PC) and yet this problem persists, suggesting there may be aspects of a keylogger in place here. I suspect a rootkit, but can't detect one, and am not sure which of the 3 PCs it may be loaded on. Suggestions?

Received: by with SMTP id g10cs177622bka;
        Tue, 26 Apr 2011 16:15:10 -0700 (PDT)
Received: by with SMTP id mb14mr1103029qcb.21.1303859709074;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id x6si401403qcq.148.2011.;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)
Received: from ( [])
	by (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
	Tue, 26 Apr 2011 19:14:08 -0400
Received: from ( [])
	by (OMAG/Core Interface) with ESMTP id E927EE00008A;
	Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
To:, six other people whose email addys all start with e (including mine)
Content-Transfer-Encoding: quoted-printable
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33636-STANDARD
Received: from by ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <>
X-Originating-IP: []
Date: Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:158786496:93952408  
x-aol-sid: 3039ac1d33cc4db751bf778d


Sudeep Sharma (Technical Designer) commented:
Continuing on yarwell's investigation:
Check the Originating IP address using the URL below and check for "Whois":

X-Originating-IP: []

This IP address belongs to some ISP in Romania. Does the user belong to Romania? If not, then most of the experts' comments are correct.
Most likely the account has been hacked and they are using the user's account to send the spam.

I hope that would help.

Aaron Tomosky (SD-WAN Simplified) commented:
Probably just as likely AOL is hacked ;)
I'd suggest setting up a different signature or something to track each computer, if that's possible.
The header shows "" as the originating IP. Is that either his home or work IP?
Hi Eric,
My first response to this type of situation is to always suspect "spoofing".
The Internet is full of descriptions for how to spoof both email and IP addresses - and the sporadic nature of this problem would lend itself to that.

If that is the case, there really isn't much you can do about it.

Unfortunately, our real email addresses get 'forwarded' in plain text by so many ignorant emailers (pet peeve of mine), so harvesting them is no problem for the spoofers.

If this is the case, the simplest solution is for your friend to create new email accounts (two) - one for real work and one to give to all of our friends/relatives who are going to share it with the world.

I agree that most likely someone got his AOL account's password. Try changing that password, and also try changing the AOL security question if they have such a thing. Then create a new mail account for yourself from some other provider for testing purposes, and add that new address to your customer's address list. Then check if you get spam from him to that new account.

Best course of action would be to ditch his old AOL account and get a new mail address.
X-Mailer: AOL Webmail 33636-STANDARD
Received: from by ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <>
X-Originating-IP: []

Is the spam in his Sent Items folder? I have seen this before with compromised accounts - change the password to something long and complex (don't let the end user choose it).
Eric_Price (Author) commented:
The whois does appear to be the most useful element here, and I awarded points accordingly. I had already come to the same conclusion, but am happy to see others repeat it. The different sigs would be a good idea, but he accesses his account via the web on all 3 PCs. The issue with changing his password is that we've already done that, and the spam continues. To me that suggests a keylogger, but none is present. Perhaps someone is tabjacking him. *shrug* Anyway, we'll move on I guess. Thanks to all who participated!