Help resolving recurring spam issue with client email address

Posted on 2011-04-28
Last Modified: 2012-05-11
I've been removing viruses and spyware for years now, but lately I've landed a case that I can't seem to fully resolve.

I have a customer who has 3 PCs: one Windows XP SP3 fully patched desktop at work, one Windows XP SP3 fully patched desktop at home, and one Windows 7 Home Premium fully patched laptop. He runs as a standard / limited user on these PCs and has MSE loaded on all 3. He accesses AOL for his email, and has the AOL program loaded on his PC :=|.

Every once in a while his friends (and me, now that I'm in his address book) will get a blatant (and misspelled) spam message from him. There is no rhyme or reason to the time it sends them. The last one was weeks ago, but it suddenly sent one out the night before last. I've included the full message (minus some sanitizing of emails) in this ticket. I've scanned these PCs with Malwarebytes, his AV, some cloud-based antivirus tools, and even a couple of rootkit detectors. I never find anything. And yet clearly his AOL account is being used to send this spam. There's no indication the spam goes to anyone other than people in his address book. We've also tried intentionally not using the two home PCs for extended periods of time to determine which of the PCs is the culprit, but that hasn't helped us narrow it down because it's so infrequent and so random. At one point we even changed his password (after verifying nothing could be found on the PC) and yet this problem persists, suggesting there may be aspects of a keylogger in place here. I suspect a rootkit, but can't detect one, and am not sure which of the 3 PCs it may be loaded on. Suggestions?
Received: by with SMTP id g10cs177622bka;
        Tue, 26 Apr 2011 16:15:10 -0700 (PDT)
Received: by with SMTP id mb14mr1103029qcb.21.1303859709074;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id x6si401403qcq.148.2011.;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)
Received: from ( [])
	by (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
	Tue, 26 Apr 2011 19:14:08 -0400
Received: from ( [])
	by (OMAG/Core Interface) with ESMTP id E927EE00008A;
	Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
To:, six other people whose email addys all start with e (including mine)
Content-Transfer-Encoding: quoted-printable
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33636-STANDARD
Received: from by ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <>
X-Originating-IP: []
Date: Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:158786496:93952408  
x-aol-sid: 3039ac1d33cc4db751bf778d


Question by: Eric_Price
    LVL 38

    Assisted Solution

    by:Aaron Tomosky
    Probably just as likely aol is hacked ;)
    I'd suggest setting up a different signature or something to track each computer if that's possible.
    The header shows "" as the originating ip. Is that either his home or work ip?
    LVL 38

    Expert Comment

    Hi Eric,
    My first response to this type of situation is to always suspect "spoofing".
    The Internet is full of descriptions for how to spoof both email and IP addresses - and the sporadic nature of this problem would lend itself to that.

    If that is the case, there really isn't much you can do about it.

    Unfortunately, our real email addresses get 'forwarded' in plain text by so many ignorant emailers (pet peeve of mine), so harvesting them is no problem for the spoofers.

    If this is the case, the simplest solution is for your friend to create new email accounts (two) - one for real work and one to give to all of our friends/relatives who are going to share it with the world.
    LVL 87

    Assisted Solution

    I agree that most likely someone got his AOL account's password. Try changing that password, also try changing the AOL security Question if they have such a thing, then create a new Mail account for yourself from some other provider for testing purposes, and add that new address to your customer's address list. Then check if you get spam from him to that new account.

    Best course of action would be to ditch his old AOL account and get a new mail address.
    LVL 11

    Assisted Solution

    X-Mailer: AOL Webmail 33636-STANDARD
    Received: from by ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
    Message-Id: <>
    X-Originating-IP: []

    Is the spam in his Sent Items folder? I have seen this before with compromised accounts - change the password to something long and complex (don't let the end user choose it).
    LVL 29

    Accepted Solution

    Continuing on yarwell's investigation:
    Check the Originating IP address using url below and check for "Whois"

    X-Originating-IP: []

    This IP address belongs to some ISP in Romania. Does the user live in Romania? If not, then most of the experts' comments are correct.
    Most likely the account has been hacked and they are using the user's account to send the spam.

    I hope that helps.
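The header reading the experts did by hand (X-Originating-IP for the whois, the "with HTTP (WebMailUI)" Received line and X-Mailer for the submission path, Received-SPF / Authentication-Results for whether the message really left the provider's servers) can be automated. The following is an added example, not code from the thread or from AOL: it parses a raw header block and returns the submitting IP plus a verdict on which of the three explanations raised above fits (outside spoofing, account compromise from a foreign IP, or a webmail session from one of the user's own machines). The header values, hostnames and the known-user IP set are constructed for the example (RFC 5737 documentation addresses), not the sanitized values from the question.

```python
"""Classify a suspicious message from its raw headers.

Added example, not from the original thread. The sample headers below are
CONSTRUCTED: example.* hostnames and RFC 5737 documentation addresses stand
in for the sanitized values quoted in the question.

Trust model: the topmost Received, Received-SPF and Authentication-Results
lines were written by the receiving MX, so they are not under the sender's
control. X-Originating-IP, X-Mailer and X-MB-Message-Source are written by
the submitting provider; they are reliable only once SPF has shown the
message really came through that provider's outbound servers.
"""
import re
from email import message_from_string
from email.message import Message

# Hypothetical: the customer's home and work public IPs, as the experts asked for.
KNOWN_USER_IPS = {"198.51.100.7", "203.0.113.42"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

SAMPLE_HEADERS = """\
Received: from omr-d01.mx.example.net (omr-d01.mx.example.net [192.0.2.20])
        by mx.example.org with ESMTP id x6si401403qcq.148;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Received-SPF: pass (example.org: domain of user@example.net designates 192.0.2.20 as permitted sender) client-ip=192.0.2.20;
Authentication-Results: mx.example.org; spf=pass (example.org: domain of user@example.net designates 192.0.2.20 as permitted sender)
Received: from webmail-d01.example.net (webmail-d01.example.net [192.0.2.31])
\tby omr-d01.mx.example.net (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
\tTue, 26 Apr 2011 19:14:08 -0400
To: friend@example.com
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
X-Mailer: AOL Webmail 33636-STANDARD
Received: from 192.0.2.199 by webmail-d01.example.net (10.0.0.5) with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
X-Originating-IP: [192.0.2.199]
Date: Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
Subject: cheap meds

"""

# Same message with the receiving MX reporting an SPF failure (constructed).
SAMPLE_SPOOFED = SAMPLE_HEADERS.replace("spf=pass", "spf=fail").replace(
    "Received-SPF: pass", "Received-SPF: fail")


def parse_headers(raw: str) -> Message:
    return message_from_string(raw)


def originating_ip(msg: Message):
    """X-Originating-IP first; fall back to the webmail 'with HTTP' Received hop."""
    m = re.search(IPV4, msg.get("X-Originating-IP", ""))
    if m:
        return m.group(1)
    for hop in msg.get_all("Received") or []:
        if "with HTTP" in hop:
            m = re.match(r"\s*from\s+" + IPV4, hop)
            if m:
                return m.group(1)
    return None


def submitted_via_webmail(msg: Message) -> bool:
    """Provider markers that the message was composed in the web UI, not an SMTP client."""
    source = msg.get("X-MB-Message-Source", "").strip().lower()
    mailer = msg.get("X-Mailer", "").lower()
    http_hop = any("with HTTP" in hop for hop in msg.get_all("Received") or [])
    return source == "webui" or "webmail" in mailer or http_hop


def spf_result(msg: Message) -> str:
    """Prefer Authentication-Results (added by the receiving MX); else Received-SPF."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else "none"


def classify(raw: str, known_ips=KNOWN_USER_IPS) -> dict:
    msg = parse_headers(raw)
    ip = originating_ip(msg)
    info = {
        "originating_ip": ip,
        "webmail": submitted_via_webmail(msg),
        "spf": spf_result(msg),
        "known_user_ip": ip in known_ips if ip else False,
    }
    if info["spf"] != "pass":
        # Did not arrive from the provider's outbound servers: header forgery by a third party.
        info["verdict"] = "spoofed-or-forwarded"
    elif info["webmail"] and not info["known_user_ip"]:
        # Real credentials used in the provider's own web UI from a foreign address.
        info["verdict"] = "account-compromise"
    elif info["webmail"]:
        # Web UI session from one of the user's own IPs: examine that machine.
        info["verdict"] = "sent-from-user-machine"
    else:
        info["verdict"] = "provider-relayed-unknown-client"
    return info


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS))
```

With the constructed sample the result is `account-compromise`: SPF passes at the receiving MX, the provider's webmail markers are present, and the submitting address is not one the user is known to use. If the same IP were in the known set the verdict becomes `sent-from-user-machine`, which is the case where the poster's search of the three PCs would be the right next step; an SPF failure flips it to `spoofed-or-forwarded`, the case the second expert describes. The whois on the originating IP is still a separate, online step.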

    LVL 1

    Author Closing Comment

    The whois does appear to be the most useful element here, and I awarded points accordingly. I had already come to the same conclusion, but am happy to see others repeat it. The different sigs would be a good idea, but he accesses his account via the web on all 3 PCs. The issue with changing his password is that we've already done that, and the spam continues. To me that suggests a keylogger, but none is present. Perhaps someone is tabjacking him. *shrug* Anyway, we'll move on I guess. Thanks to all who participated!
