Help resolving recurring spam issue with client email address

Last Modified: 2012-05-11
I've been removing viruses and spyware for years now, but lately I've landed a case that I can't seem to fully resolve.

I have a customer who has 3 PCs: 1 Windows XP SP3 fully patched desktop at work, 1 Windows XP SP3 fully patched desktop at home, and 1 Windows 7 Home Premium fully patched laptop. He runs as a standard / limited user on these PCs and has MSE loaded on all 3. He accesses AOL for his email, and has the AOL program loaded on his PC :=|.

Every once in a while his friends (and me now that I'm in his address book) will get a blatant (and misspelled) spam message from him. There is no rhyme or reason to the time it sends them. The last one was weeks ago, but it suddenly sent one out the night before last. I've included the full message (minus some sanitizing of emails) in this ticket. I've scanned these PCs with Malwarebytes, his AV, some cloud-based antivirus tools, and even a couple of rootkit detectors. I never find anything. And yet clearly his AOL account is being used to send this spam. There's no indication the spam goes to anyone other than people in his address book. We've also tried intentionally not using the two home PCs for extended periods of time to determine which of the PCs is the culprit, but that hasn't helped us narrow it down because it's so infrequent and so random. At one point we even changed his aol.com password (after verifying nothing could be found on the PC), and yet this problem persists, suggesting there may be aspects of a keylogger in place here. I suspect a rootkit, but can't detect one, and am not sure which of the 3 PCs it may be loaded on. Suggestions?
Delivered-To: me@me.net
Received: by 10.204.14.138 with SMTP id g10cs177622bka;
        Tue, 26 Apr 2011 16:15:10 -0700 (PDT)
Received: by 10.229.247.78 with SMTP id mb14mr1103029qcb.21.1303859709074;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Return-Path: <him@aol.com>
Received: from imr-ma01.mx.aol.com (imr-ma01.mx.aol.com [64.12.206.39])
        by mx.google.com with ESMTP id x6si401403qcq.148.2011.04.26.16.15.07;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of him@aol.com designates 64.12.206.39 as permitted sender) client-ip=64.12.206.39;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of him@aol.com designates 64.12.206.39 as permitted sender) smtp.mail=him@aol.com
Received: from mtaomg-db06.r1000.mx.aol.com (mtaomg-db06.r1000.mx.aol.com [172.29.51.204])
	by imr-ma01.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
	Tue, 26 Apr 2011 19:14:08 -0400
Received: from core-dad004b.r1000.mail.aol.com (core-dad004.r1000.mail.aol.com [172.29.14.208])
	by mtaomg-db06.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E927EE00008A;
	Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
To: him@hisbizaddy.com, six other people whose email addys all start with e (including mine)
Content-Transfer-Encoding: quoted-printable
Subject: 
X-MB-Message-Source: WebUI
X-AOL-IP: 89.137.112.93
X-MB-Message-Type: User
MIME-Version: 1.0
From: him@aol.com
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33636-STANDARD
Received: from 89.137.112.93 by webmail-d024.sysops.aol.com (205.188.181.18) with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <8CDD27EC724983C-1760-13F4E@webmail-d024.sysops.aol.com>
X-Originating-IP: [89.137.112.93]
Date: Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:158786496:93952408  
X-AOL-SCOLL-URL_COUNT: 0  
x-aol-sid: 3039ac1d33cc4db751bf778d

http://awebdesigner.com.br/xJ3i352.html


Commented:
Hi Eric,
My first response to this type of situation is to always suspect "spoofing".
The Internet is full of descriptions of how to spoof both email and IP addresses, and the sporadic nature of this problem would lend itself to that.

If that is the case, there really isn't much you can do about it.

Unfortunately, our real email addresses get 'forwarded' in plain text by so many ignorant emailers (pet peeve of mine), so harvesting them is no problem for the spoofers.

If this is the case, the simplest solution is for your friend to create two new email accounts: one for real work and one to give to all of his friends/relatives who are going to share it with the world.
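Worked example added by the editor, not code posted by the asker, any commenter or Experts Exchange: a small Python triage script that reads a header block like the one quoted in the question and separates the two hypotheses raised in this thread, a forged From address (spoofing) versus a message that genuinely entered AOL's systems through its webmail with a working login. It keys on the SPF verdict the receiving MX recorded, on whether any hop in the Received chain was handled by the sender's own provider, and on the protocol of the earliest hop (a webmail submission shows `with HTTP`). The first sample is the question's header block, abridged; the second (SPOOFED) sample and the KNOWN_EGRESS table are hypothetical and use documentation address ranges.

```python
# Header triage for a "my account is sending spam" case (editor's example).
import ipaddress
import re
from email import message_from_string
# Constructed sample: the header block quoted in the question, abridged,
# with the poster's sanitized addresses kept as written.
HIJACKED = """\
Return-Path: <him@aol.com>
Received: from imr-ma01.mx.aol.com (imr-ma01.mx.aol.com [64.12.206.39])
        by mx.google.com with ESMTP id x6si401403qcq.148.2011.04.26.16.15.07;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of him@aol.com designates 64.12.206.39 as permitted sender) smtp.mail=him@aol.com
Received: from mtaomg-db06.r1000.mx.aol.com (mtaomg-db06.r1000.mx.aol.com [172.29.51.204])
        by imr-ma01.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
        Tue, 26 Apr 2011 19:14:08 -0400
X-MB-Message-Source: WebUI
From: him@aol.com
Received: from 89.137.112.93 by webmail-d024.sysops.aol.com (205.188.181.18) with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
X-Originating-IP: [89.137.112.93]
"""
# Hypothetical contrast case (not from the thread): same From address, but
# handed to the recipient directly by an unrelated host, and failing SPF.
SPOOFED = """\
Return-Path: <him@aol.com>
Received: from dsl-pool-77.example.net (dsl-pool-77.example.net [192.0.2.77])
        by mx.google.com with ESMTP id abc123; Tue, 26 Apr 2011 16:20:00 -0700 (PDT)
Authentication-Results: mx.google.com; spf=fail (google.com: domain of him@aol.com does not designate 192.0.2.77 as permitted sender) smtp.mail=him@aol.com
From: him@aol.com
"""
# Hypothetical: the customer's public addresses (documentation ranges here).
KNOWN_EGRESS = {"home": "203.0.113.10/32", "office": "198.51.100.0/29"}

HOP_RE = re.compile(r"(?:from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+)?"
                    r"by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hops(msg):
    """Each Received: header (newest first) reduced to from/helo/by/proto."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def spf_result(msg):
    """SPF verdict the receiving MX recorded, or 'none' if it recorded nothing."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", hdr)
        if m:
            return m.group(1).lower()
    for hdr in msg.get_all("Received-SPF", []):
        return hdr.split()[0].lower()
    return "none"

def in_domain(host, domain):
    host = (host or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))

def originating_ip(msg, hops):
    """Provider-stamped client address, else the client of the earliest hop."""
    sub = hops[-1] if hops else {}
    for raw in (msg.get("X-Originating-IP"), sub.get("from"), sub.get("helo")):
        m = IPV4_RE.search(raw or "")
        if m:
            return m.group(0)
    return None

def attribute_ip(ip, known_egress):
    """Map the login address to one of the customer's sites, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "provider-internal"  # e.g. the 172.29.x.x hops inside AOL
    for label, net in known_egress.items():
        if addr in ipaddress.ip_network(net, strict=False):
            return label
    return "unknown"

def triage(raw_message, known_egress):
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    m = re.search(r"@([\w.-]+)", msg.get("Return-Path") or msg.get("From") or "")
    domain = m.group(1).lower() if m else ""
    spf = spf_result(msg)
    sub = hops[-1] if hops else None  # earliest hop: where the message was submitted
    via_provider = any(in_domain(h["by"], domain) for h in hops)
    webmail = bool(sub) and in_domain(sub["by"], domain) and sub["proto"].upper() == "HTTP"
    if spf == "pass" and webmail:
        verdict = "authenticated-webmail"   # someone logged in to the provider's web UI
    elif spf == "pass" and via_provider:
        verdict = "authenticated-provider"  # real credentials, used from a mail client
    elif spf in ("fail", "softfail") or not via_provider:
        verdict = "likely-spoofed"          # never passed through the provider
    else:
        verdict = "inconclusive"
    ip = originating_ip(msg, hops)
    return {"sender_domain": domain, "spf": spf, "hop_count": len(hops),
            "submission_protocol": sub["proto"] if sub else None, "originating_ip": ip,
            "verdict": verdict, "login_location": attribute_ip(ip, known_egress) if ip else None}

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("spoofed", SPOOFED)):
        print(name, triage(raw, KNOWN_EGRESS))
```

In the quoted headers the earliest hop reads `with HTTP (WebMailUI)` and SPF passes at the recipient, so the message was handed to Google by AOL's own outbound servers after a login to AOL webmail; a sender outside AOL forging the From address cannot produce that chain, which is what the SPOOFED sample shows by contrast. The address AOL stamped in X-Originating-IP is the one worth a whois/geolocation lookup and a comparison against the customer's real home and office addresses: if it matches none of them, the login did not come from any of the three PCs being scanned.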

Author

Commented:
The whois does appear to be the most useful element here, and I awarded points accordingly. I had already come to the same conclusion, but am happy to see others repeat it. The different sigs would be a good idea, but he accesses his account via the web on all 3 PCs. The issue with changing his password is that we've already done that, and the spam continues. To me that suggests a keylogger, but none is present. Perhaps someone is tabjacking him. *shrug* Anyway, we'll move on I guess. Thanks to all who participated!