100s of bounced email messages after a customer opened a .zip file in their email

Posted on 2014-08-09
Last Modified: 2014-12-17
I've run SuperAntiSpyware and MBAM and other AV software and removed "Mindspark" software and some other rubbish.

The question is: do they have the email password and are they spamming from another machine, not the customer's?
The customer is on holiday now and I'm just researching what to do next if that's the case....

========== example 1 =====================

Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

    SMTP error from remote mail server after RCPT TO:<*****>:
    host []: 550 5.1.1
    Recipient address rejected:

========== example 2 =====================

Subject: Warning: message 1XFTEs-0006Ds-Bc delayed 24 hours

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its recipients after more than 24 hours on the queue on

The message identifier is:     1XFTEs-0006Ds-Bc
The date of the message is:    Thu, 07 Aug 2014 22:19:00 +0300
The subject of the message is: Notice of appearance in court No#3302

The address to which the message has not yet been delivered is:


No action is required on your part. Delivery attempts will continue for some time, and this warning may be repeated at intervals if the message remains undelivered. Eventually the mail delivery software will give up, and when that happens, the message will be returned to you.
Question by: feck1

LVL 77

Assisted Solution

by: David Johnson, CD, MVP
Unplug the machine from the network. On the Exchange server, delete the outgoing messages that this user/machine has queued to be sent.

Now, on the infected machine, you can either re-image it or run antivirus and antimalware tools, i.e. Malwarebytes. Once you are confident that the machine is clean, reattach it to the network. Unfortunately you may have more infected machines in your network, as right now your network is compromised.

Re-imaging the PC is usually the fastest route and the one that gives you 100% confidence in the PC.
LVL 11

Accepted Solution

The bounce messages indicate an infection by mass-mailing malware. I think it's not possible to answer your question whether the malware has obtained the mail password to continue spamming from another machine. The malware was sent as a ZIP file, which is not a sign of a very sophisticated attack. So it might only be mass-mailing malware without more sophisticated functions. But this is only an assumption, and you shouldn't rely on assumptions in this case.

It seems that you have already cleaned the machine. However, I would also think about a clean OS install, because you don't know for sure what happened on that machine. In addition, I would change the password for all mail accounts that were configured in mail client software on the infected machine. If the user has stored further passwords (for example for web sites in the browser), I would recommend changing these too.

Just a final thought you should keep in mind: if the user uses multiple computers/devices with the same mail account (for example at home or mobile), the mass-mailing malware infection could also be on those devices.
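Both answers treat the flood of bounces as the symptom to triage, so here is a small bounce-triage script, added here as an example and not code from anyone in this thread. It assumes the bounces are Exim-format NDRs like the two quoted in the question (the "This message was created automatically by mail delivery software" wording and the `1XFTEs-0006Ds-Bc` queue-id shape are Exim's); the sample addresses, hosts and the extra queue id are constructed placeholders. It classifies each bounce as a permanent failure or a delay warning, pulls out the queue id, subject, date, recipient and the MTA that queued the message, and counts how many bounces share one subject line, which is how a defender spots the campaign subject ("Notice of appearance in court No#3302") behind hundreds of bounces.

```python
"""Triage Exim-style bounce messages (NDRs): classify, extract, and aggregate."""
import re
from collections import Counter

# Constructed sample bounces modelled on the two examples in the question.
# Addresses, hosts and the third queue id are placeholders, not real data.
SAMPLE_BOUNCES = [
    """Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

    SMTP error from remote mail server after RCPT TO:<victim1@example.net>:
    host mx.example.net [192.0.2.10]: 550 5.1.1
    Recipient address rejected:
""",
    """Subject: Warning: message 1XFTEs-0006Ds-Bc delayed 24 hours

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its recipients after more than 24 hours on the queue on mail.example.org

The message identifier is:     1XFTEs-0006Ds-Bc
The date of the message is:    Thu, 07 Aug 2014 22:19:00 +0300
The subject of the message is: Notice of appearance in court No#3302

The address to which the message has not yet been delivered is:
  victim2@example.net
""",
    """Subject: Warning: message 1XFTEt-0006Dt-Cd delayed 24 hours

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its recipients after more than 24 hours on the queue on mail.example.org

The message identifier is:     1XFTEt-0006Dt-Cd
The date of the message is:    Thu, 07 Aug 2014 22:19:07 +0300
The subject of the message is: Notice of appearance in court No#3302

The address to which the message has not yet been delivered is:
  victim3@example.net
""",
]

# Exim queue ids look like 1XFTEs-0006Ds-Bc (6-6-2 alphanumeric groups).
QUEUE_ID = re.compile(r"\b([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")
FAILED_ADDR = re.compile(r"RCPT TO:<([^>]+)>")                      # permanent failures
PENDING_ADDR = re.compile(r"has not yet been delivered is:\s+(\S+@\S+)")  # delay warnings
QUEUE_HOST = re.compile(r"on the queue on\s+(\S+)")                 # MTA holding the mail
SUBJECT_LINE = re.compile(r"^The subject of the message is:\s*(.*)$", re.MULTILINE)
DATE_LINE = re.compile(r"^The date of the message is:\s*(.*)$", re.MULTILINE)
SMTP_STATUS = re.compile(r"\b(5\d\d \d\.\d\.\d)\b")                 # e.g. "550 5.1.1"


def _first(pattern, text):
    """Return the first capture group of pattern in text, or None if absent."""
    m = pattern.search(text)
    return m.group(1).strip() if m else None


def parse_bounce(text):
    """Classify one bounce and extract the fields a defender triages on."""
    if "This is a permanent error" in text:
        kind = "permanent"
    elif "has not yet been delivered" in text:
        kind = "delayed"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "queue_id": _first(QUEUE_ID, text),
        "queue_host": _first(QUEUE_HOST, text),
        "subject": _first(SUBJECT_LINE, text),
        "date": _first(DATE_LINE, text),
        "failed_address": _first(FAILED_ADDR, text) or _first(PENDING_ADDR, text),
        "smtp_status": _first(SMTP_STATUS, text),
    }


def summarize(bounces, threshold=2):
    """Aggregate parsed bounces; subjects seen >= threshold times are flagged."""
    parsed = [parse_bounce(b) for b in bounces]
    by_subject = Counter(p["subject"] for p in parsed if p["subject"])
    return {
        "total": len(parsed),
        "by_kind": Counter(p["kind"] for p in parsed),
        "by_subject": by_subject,
        "suspect_subjects": [s for s, n in by_subject.most_common() if n >= threshold],
        "queue_hosts": sorted({p["queue_host"] for p in parsed if p["queue_host"]}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_BOUNCES)
    print(f"{report['total']} bounces: {dict(report['by_kind'])}")
    for subject in report["suspect_subjects"]:
        print(f"campaign subject seen {report['by_subject'][subject]}x: {subject!r}")
    print("MTAs that queued the mail:", ", ".join(report["queue_hosts"]))
```

Feed it the bounces saved from the customer's mailbox as plain text and look at two things: the flagged subject (that is the campaign to search the outbound logs for) and the `queue_hosts` list. A delay warning names the MTA that accepted and queued the message; if that host is the customer's own Exchange or ISP relay, the spam went out through the customer's account rather than from an unrelated server, which is the evidence the question is asking about. Permanent failures carry no queue host, so for those you need the relay's own logs keyed on the rejected recipient.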

Author Comment

Thanks all. I was thinking along the same lines.
