[Last Call] Learn how to a build a cloud-first strategyRegister Now


100s of bounced email messages after a customer opened a .zip file in their email

Posted on 2014-08-09
Medium Priority
Last Modified: 2014-12-17
Ive ran super anti spy and mbam and other av software and removed "mind spark" sw and some other rubbish.

The question is do they have the email password and are spamming from another machine and not the customers.
The customer is on hols now and Im just researching what to do next if thats the case ....  

========== example 1 =====================

Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

    SMTP error from remote mail server after RCPT TO:<*****@aol.com>:
    host mailin-02.mx.aol.com []: 550 5.1.1
    Recipient address rejected: aol.com

========== example 2 =====================

Subject: Warning: message 1XFTEs-0006Ds-Bc delayed 24 hours

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its recipients after more than 24 hours on the queue on smtp.hosts.co.uk.

The message identifier is:     1XFTEs-0006Ds-Bc
The date of the message is:    Thu, 07 Aug 2014 22:19:00 +0300
The subject of the message is: Notice of appearance in court No#3302

The address to which the message has not yet been delivered is:


No action is required on your part. Delivery attempts will continue for some time, and this warning may be repeated at intervals if the message remains undelivered. Eventually the mail delivery software will give up, and when that happens, the message will be returned to you.
Question by:feck1
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 40251035
unplug the machine from the network.  on the exchange server delete the outgoing messages that this user/machine has queued to be sent.

now on the infected machine  you can either re-image it or run antivirus and antimalware tools i.e. malwarebytes .. once you are confident that the machine is clean then reattach it to the network.  Unfortunately you may have more infected machines in your network as right now your network is compromised.

Re-imaging the PC is usually the fastest route and the one that gives you 100% confidence in the PC
LVL 11

Accepted Solution

ghana earned 1000 total points
ID: 40251535
The bounce messages indicate an infection by a mass mailing malware. I think it's not possible to anwer your question whether the malware has obtained the mail password to continue spamming from another machine. The malware was sent by a ZIP file that's not a sign for a very sophisticated attack. So it might only be a mass mailing malware without more sophisticated functions. But this is only an assumption and you shouldn't trust on assumptions in this case.

It seems that you have already cleaned the machine. However I would also think about a clean OS install because you don't know for sure what happened on that machine. In addition I would change the password for all mail accounts that were configured in mail client software on the infected machine. If the user has stored further passwords (for example for web sites in the browser) I would recommend to change these too.

Just a final thought you should keep in mind: If the user uses multiple computers/devices with the same mail account (for example at home or mobile) the mass mailing malware infection could also be on this device.

Author Comment

ID: 40252613
Thanks all.  I was thinking along the same lines.

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question