
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 787
  • Last Modified:

Help resolving recurring spam issue with client email address

I've been removing viruses and spyware for years now, but lately I've landed a case that I can't seem to fully resolve.

I have a customer who has 3 PCs - 1 Windows XP SP3 fully patched desktop at work. 1 Windows XP SP3 fully patched desktop at home. 1 Windows 7 Home Premium fully patched laptop. He runs as a standard / limited user on these PCs and has MSE loaded on all 3. He accesses AOL for his email, and has the AOL program loaded on his PC :=|.

Every once in a while his friends (and me, now that I'm in his address book) will get a blatant (and misspelled) spam message from him. There is no rhyme or reason to the time it sends them. The last one was weeks ago, but it suddenly sent one out the night before last. I've included the full message (minus some sanitizing of emails) in this ticket. I've scanned these PCs with Malwarebytes, his AV, some cloud-based antivirus tools, and even a couple of rootkit detectors. I never find anything. And yet clearly his AOL account is being used to send this spam. There's no indication the spam goes to anyone other than people in his address book. We've also tried intentionally not using the two home PCs for extended periods of time to determine which of the PCs is the culprit, but that hasn't helped us narrow it down because it's so infrequent and so random. At one point we even changed his aol.com password (after verifying nothing could be found on the PC) and yet this problem persists, suggesting there may be aspects of a keylogger in place here. I suspect a rootkit, but can't detect one, and am not sure which of the 3 PCs it may be loaded on. Suggestions?
Delivered-To: me@me.net
Received: by with SMTP id g10cs177622bka;
        Tue, 26 Apr 2011 16:15:10 -0700 (PDT)
Received: by with SMTP id mb14mr1103029qcb.21.1303859709074;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Return-Path: <him@aol.com>
Received: from imr-ma01.mx.aol.com (imr-ma01.mx.aol.com [])
        by mx.google.com with ESMTP id x6si401403qcq.148.2011.;
        Tue, 26 Apr 2011 16:15:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of him@aol.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of him@aol.com designates as permitted sender) smtp.mail=him@aol.com
Received: from mtaomg-db06.r1000.mx.aol.com (mtaomg-db06.r1000.mx.aol.com [])
	by imr-ma01.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3QNE8FN011104;
	Tue, 26 Apr 2011 19:14:08 -0400
Received: from core-dad004b.r1000.mail.aol.com (core-dad004.r1000.mail.aol.com [])
	by mtaomg-db06.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E927EE00008A;
	Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
To: him@hisbizaddy.com, six other people whose email addys all start with e (including mine)
Content-Transfer-Encoding: quoted-printable
X-MB-Message-Source: WebUI
X-MB-Message-Type: User
MIME-Version: 1.0
From: him@aol.com
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33636-STANDARD
Received: from by webmail-d024.sysops.aol.com ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <8CDD27EC724983C-1760-13F4E@webmail-d024.sysops.aol.com>
X-Originating-IP: []
Date: Tue, 26 Apr 2011 19:14:07 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:158786496:93952408  
x-aol-sid: 3039ac1d33cc4db751bf778d



4 Solutions
Aaron Tomosky, Technology Consultant, Commented:
Probably just as likely AOL is hacked ;)
I'd suggest setting up a different signature or something to track each computer if that's possible.
The header shows "" as the originating IP. Is that either his home or work IP?
Hi Eric,
My first response to this type of situation is to always suspect "spoofing".
The Internet is full of descriptions for how to spoof both email and IP addresses - and the sporadic nature of this problem would lend itself to that.

If that is the case, there really isn't much you can do about it.

Unfortunately, our real email addresses get 'forwarded' in plain text by so many ignorant emailers (pet peeve of mine), so harvesting them is no problem for the spoofers.

If this is the case, the simplest solution is for your friend to create new email accounts (two) - one for real work and one to give to all of our friends/relatives who are going to share it with the world.
I agree that most likely someone got his AOL account's password. Try changing that password, also try changing the AOL security Question if they have such a thing, then create a new Mail account for yourself from some other provider for testing purposes, and add that new address to your customer's address list. Then check if you get spam from him to that new account.

Best course of action would be to ditch his old AOL account and get a new mail address.

X-Mailer: AOL Webmail 33636-STANDARD
Received: from by webmail-d024.sysops.aol.com ( with HTTP (WebMailUI); Tue, 26 Apr 2011 19:14:07 -0400
Message-Id: <8CDD27EC724983C-1760-13F4E@webmail-d024.sysops.aol.com>
X-Originating-IP: []

Is the spam in his Sent Items folder? Have seen this before with compromised accounts - change the password to something long and complex (don't let the end user choose it).
Sudeep Sharma, Technical Designer, Commented:
Continuing on yarwell's investigation:
Check the originating IP address using the URL below and check for "Whois"

X-Originating-IP: []

This IP address belongs to some ISP in Romania. Does the user belong to Romania? If not, then most of the experts' comments are correct.
Most likely the account has been hacked and they are using the user's account to send the spam.

I hope that helps.
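
The header check the answers above walk through (webmail submission markers plus the X-Originating-IP comparison), as an added example that is not part of the original thread. The sample headers, the documentation-range IPs and the `KNOWN_NETWORKS` list are constructed assumptions; substitute the customer's real home and work address ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers in the question. The IPs are
# RFC 5737 documentation addresses, not values from the original message.
SAMPLE = """\
Received: from imr.example.net (imr.example.net [192.0.2.10]) by mx.example.org with ESMTP
X-MB-Message-Source: WebUI
From: him@aol.com
X-Mailer: AOL Webmail 33636-STANDARD
Received: from 203.0.113.77 by webmail-d024.sysops.aol.com (192.0.2.20) with HTTP (WebMailUI)
X-Originating-IP: [203.0.113.77]

body
"""

# Assumption: networks the account owner really logs in from (home, work).
KNOWN_NETWORKS = ["198.51.100.0/24", "192.0.2.128/25"]


def triage(raw_headers, known_networks):
    """Report how a message was submitted and whether the submitting IP is known."""
    msg = message_from_string(raw_headers)
    received = " ".join(msg.get_all("Received", []))
    via_webmail = (
        msg.get("X-MB-Message-Source", "").strip().lower() == "webui"
        or "webmail" in msg.get("X-Mailer", "").lower()
        or "with http" in received.lower()
    )
    # The value looks like "[203.0.113.77]"; sanitised copies may be just "[]".
    m = re.search(r"\[([0-9a-fA-F:.]+)\]", msg.get("X-Originating-IP", ""))
    try:
        origin = ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        origin = None
    nets = [ipaddress.ip_network(n) for n in known_networks]
    if origin is None:
        verdict = "no-origin-ip"
    elif any(origin in n for n in nets):
        verdict = "known-network"
    else:
        verdict = "unknown-network"
    return {"via_webmail": via_webmail, "verdict": verdict,
            "origin": str(origin) if origin else None}


if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_NETWORKS))
```

A message that is `via_webmail` with an `unknown-network` verdict was submitted through the provider's web interface from somewhere the owner does not log in, which points at stolen credentials or a hijacked session rather than malware on one of the PCs.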

Eric_Price, Author, Commented:
The whois does appear to be the most useful element here, and I awarded points accordingly. I had already come to the same conclusion, but am happy to see others repeat it. The different sigs would be a good idea, but he accesses his account via the web on all 3 PCs. The issue with changing his password is that we've already done that, and the spam continues. To me that suggests a keylogger, but none is present. Perhaps someone is tabjacking him. *shrug* Anyway, we'll move on I guess. Thanks to all who participated!
