
Dittoz · Registered · 417 Posts · Discussion Starter · #1
I'm looking for suggestions to fix this problem.

Last week I had mass email sent from what appeared to be my account. I got several complaints from people in my contact list. I have since changed my password and scanned all of my systems. Everything came up clean.

Apparently, last night the same thing happened.

This is a yahoo email account that is sending out these emails.

The email does not show in my "sent" folder. If I was just looking at my account, I would never know that these emails are being sent.
 

tompsonn · Premium Member · 10,774 Posts · #2
Do you have any samples of messages that were sent by your imposter? The headers should tell us some more info about the path the message took.
 

Dittoz · Registered · 417 Posts · Discussion Starter · #3
Quote:
Originally Posted by tompsonn

Do you have any samples of messages that were sent by your imposter? The headers should tell us some more info about the path the message took.
I've asked a couple of people to forward them to me. It's real early on a Sunday morning here though, so no one has responded yet. All I have are those that bounced back to me, that couldn't be delivered. Would that work, or do you need the actual emails that were sent out?
 

tompsonn · Premium Member · 10,774 Posts · #4
Quote:
Originally Posted by Dittoz

I've asked a couple of people to forward them to me. It's real early on a Sunday morning here though, so no one has responded yet. All I have are those that bounced back to me, that couldn't be delivered. Would that work, or do you need the actual emails that were sent out?

The bounce backs, if they contain the original message + headers, should be OK at the moment.
 

Dittoz · Registered · 417 Posts · Discussion Starter · #5
From Mail Delivery System Sat Mar 29 09:21:05 2014
X-Apparently-To:(my email address, I've edited out)@yahoo.com via 98.137.13.238; Sat, 29 Mar 2014 09:21:08 +0000
Return-Path: <>
X-YahooFilteredBulk: 213.5.176.14
Received-SPF: none (domain of nike.thewebhostserver.com does not designate permitted sender hosts)
X-YMailISG: 4lbMAXMWLDu.u0NFSUQ9C.Qh_zWNRvMgDjlUeIsgZRiKQzZi
v.YQI82GU00hyxoCGyHiKw41_VMYEIeVgiaQO76QJiTYu2N3sBldqyICAL97
S3tGc.irdq6WpWm5EUB.tCUDvpSnxUwAQwmQg9wPmqNoZyCi8dIQl2W2wtx.
4UwrNenflotKkhM.C_60gPlJZ0w_SQZeLVkedSoMv0O66pbEKi0IYbp0_ju0
Ch6h.m4Acv8Q3Wycqc_LaTmCHPHn9.Aj3v_DzoxQnebaaVJnWpEsQIOiY32S
RBgsEO._yq3NOjVzEnBbK9m63SERC5YYWrN5uifgYgvzApU0cFSe6osPRSWH
qlrQf3v_eDucAT7I09s.z7rFQhAWl6XW6JUtmeiXFuPfACvUFyCv.EIQSGr7
oN_zGtFTy7.5d.xJiXnlYV3nivNq1ZLd7_0eMNhWskrzK8WSKYEJw_SxfR9l
7udG2h4b1fZ_KfPauh9LQ9iycpKKbOPP.G8agdapmxULUuRsvhfWN7ZlHQRn
YyeSY.f4wfdG5hD3nf7RHKbDabbJUzX3ADTU4x7NhMgmHBtOLhPEZUTKkl8V
dnUY0WFgC2pPjW3hmXza3YICe2gkgLdvBkJhLgAIdAyEXS4fhyLlmZsIgGgH
bsIG_tOmrhhx4Mmx10kwKO9Yliip6f_T3FUqqCWsq3TVPPM3he3R5Xr3kKdv
Vxnvwfc5jmgazYKy943lO2rLc__ClF4ZSiMHpfz50Q6H9lpRllesXu2SO40z
8AXDJspzy.8A.TU65ITu.Qdlr1LQ5wDgk4HDF0lcIy_lypDHcfU_FLMOF3Ys
LqTz7mNzSHIcDQAMTitBlJlRlYJCwV_ExJkUnVy29kQj6YjGYkJKvg--
X-Originating-IP: [213.5.176.14]
Authentication-Results: mta1400.mail.ne1.yahoo.com from=nike.thewebhostserver.com; domainkeys=neutral (no sig); from=nike.thewebhostserver.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO nike.thewebhostserver.com) (213.5.176.14)
by mta1400.mail.ne1.yahoo.com with SMTPS; Sat, 29 Mar 2014 09:21:08 +0000
Received: from mailnull by nike.thewebhostserver.com with local (Exim 4.82)
id 1WTpRp-002QXp-Dj
for (my email address, I've edited out)@yahoo.com; Sat, 29 Mar 2014 09:21:05 +0000
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System
To: (my email address, I've edited out)@yahoo.com
Subject: Mail delivery failed: returning message to sender
Message-Id:
Date: Sat, 29 Mar 2014 09:21:05 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nike.thewebhostserver.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: nike.thewebhostserver.com: none
Content-Length: 2565
 

tompsonn · Premium Member · 10,774 Posts · #6
Nah there's only a trace from recipient back to Yahoo for the NDR in those headers. I'll need an actual message.

What pisses me off is that Yahoo have absolutely no SPF records to even try and stop address spoofing.

P.S. You missed one spot in removing your address.
 

Dittoz · Registered · 417 Posts · Discussion Starter · #7
lol I knew I'd miss at least one. Thanks, fixed.

I'll get you those headers as soon as I can get them.

And I'm done with yahoo. Such a terrible service. Switched to gmail, but I want this account to quit sending out this garbage.
 

tompsonn · Premium Member · 10,774 Posts · #8
Quote:
Originally Posted by Dittoz

lol I knew I'd miss at least one. Thanks, fixed.

I'll get you those headers as soon as I can get them.

And I'm done with yahoo. Such a terrible service. Switched to gmail, but I want this account to quit sending out this garbage.

Yeah. Well, it might be pretty difficult depending on where it's coming from. But we'll see.
 

Dittoz · Registered · 417 Posts · Discussion Starter · #9
x-store-info: J++/JTCzmObr++wNraA4Pa4f5Xd6uensaUSop/gUCq+B9zkm6J83e2bCZ1t17c1Zobu0dGaa7XWZb3s0rN0JntAJBBDIy6wVdGDOjDAxoEwQMkuX8TQ7njWzT/1adQNki50iQ3t9zFJo22jW9KJ79w==
Authentication-Results: hotmail.com; spf=none (sender IP is 64.26.60.134; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=(edited)@yahoo.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=yahoo.com; x-hmca=none header.id=(edited)@yahoo.com
X-SID-PRA: (edited)@yahoo.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: G7D4bOr+l5Gk0hSAmnHYGNBcFHN1MgJcPPCgP9mwOJYbNyT1+s/kjlxxdCkDSmnQhMO8o2ymK1hbH7XpcqNnPFrN+O2YuSkcdUfHouqbKBS+4kmeBwR5Oh8uoVVhDoidMXq4YIew80O4gNHfBj47Qtwo8PaKyunO2lxOBC4wqbxMB6tfkQCu8PpnLDAlbWSvCqXN5zNyDw9IHpT146etWuiSQH3lnqHa
Received: from smtpauth03.mfg.siteprotect.com ([64.26.60.134]) by COL0-MC2-F19.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Sat, 29 Mar 2014 17:38:25 -0700
Received: from cityofmorrow.com (unknown [186.129.18.207]) (Authenticated sender: [email protected]) by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id A0CDAC75D; Sat, 29 Mar 2014 19:37:53 -0500 (CDT)
Message-ID: <[email protected]>
From: (edited)@yahoo.com>
To: "(edited)
Subject: News
Date: Sat, 30 Mar 2014 01:37:52 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_7098_981A30FF.0A6E4E75"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-CTCH-Spam: Unknown
X-CTCH-RefID: str=0001.0A020201.53376781.00FF,ss=1,re=0.000,fgs=0
Return-Path: (edited)@yahoo.com
X-OriginalArrivalTime: 30 Mar 2014 00:38:26.0017 (UTC) FILETIME=[5CCB0510:01CF4BB0]

This is a multi-part message in MIME format.

------=_NextPart_000_7098_981A30FF.0A6E4E75
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

=20
Hello! http://restaurant.yazilimmania.com/we/br-news.php
=20
(edited)=20

------=_NextPart_000_7098_981A30FF.0A6E4E75
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello! http://restaurant.yazilimmania.com/we/br-news.php

(edited)

------=_NextPart_000_7098_981A30FF.0A6E4E75--
Thread-Index: AenbqRoLlGwwam93MG9qbDgxdG9oaQ==
 

Dittoz · Registered · 417 Posts · Discussion Starter · #10
With regards to the above header, I don't know how to read headers, but I do not recognize the email address: [email protected]

I have never received nor sent an email to this address.
 

tompsonn · Premium Member · 10,774 Posts · #11
First thing to look at here is who generated the message, and it looks to be simply Windows Live Mail:

Code:
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110
So we know the messages are probably coming from a regular user's PC somewhere in the world and this probably indicates they are infected with something.

It looks like the originating server is an SMTP directly sending or proxying mail for cityofmorrow.com. The address [email protected] is actually a user who has authenticated via SMTP to the cityofmorrow.com sending server (it would appear). This is probably the person in the company whose PC is infected (or intentionally sending spam).

The message then travels via their SMTP proxy at smtpauth03.mfg.siteprotect.com (looks like siteprotect.com offer some sort of mail routing service) on its way to the destination, your contact at Hotmail I assume. The receiving mail server for cityofmorrow.com is also with siteprotect.com, so it looks like they are offering their mail server. Possibly some anti-spam filtering; however, if that is correct, it's not very good.


Now, had Yahoo implemented SPF records, the message would have been stopped at Microsoft's destination for Hotmail messages because the last hop at 64.26.60.134 would NOT have been an authenticated sender for the yahoo.com domain. I'm glad you switched to gmail, because they get it right:

Code:
gmail.com: v=spf1 redirect=_spf.google.com
_spf.google.com: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
Which basically says only email originating from Google's mail servers can be sent with the sender domain "gmail.com". SPF is not foolproof because it is not part of the SMTP requirement that mail servers adhere to it, but it goes a long way. Many anti-spam products look at SPF records and Hotmail is one of them.

Looks like cityofmorrow.com is a local government: http://www.cityofmorrow.com/

The IP address in the headers (186.129.18.207) is actually located in Argentina and the address belongs to Speedy.com.ar who are an ISP in Argentina. That is the fishy part, I have no idea what is happening there.

WHOIS lookup on the cityofmorrow.com domain is here: http://whois.domaintools.com/cityofmorrow.com

Your first point of contact is probably the technical contact on that WHOIS page.
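The header reading above, as an added example that is not part of the thread or either poster's work: a Python script that walks the Received chain of the message quoted in post #9 from the bottom up (the hop that first injected the mail), pulls out the client software from X-Mailer, and runs a simplified SPF evaluation of the last external hop against a sender-domain record. The sample message is a trimmed copy of the post #9 headers with the redacted mailboxes replaced by placeholder addresses; the SPF records passed in are constructed for the demonstration (they are not yahoo.com's real records, and the TEST-NET-3 block 203.0.113.0/24 is a documentation range), and `include:`/`redirect=` are not resolved because that needs DNS.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Constructed sample: a trimmed copy of the headers quoted in post #9, with the
# redacted mailbox names replaced by placeholder addresses. Only the fields this
# example reads are kept; the Received headers are verbatim from the thread.
SAMPLE_MESSAGE = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 64.26.60.134) smtp.mailfrom=victim@yahoo.com
Received: from smtpauth03.mfg.siteprotect.com ([64.26.60.134]) by COL0-MC2-F19.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Sat, 29 Mar 2014 17:38:25 -0700
Received: from cityofmorrow.com (unknown [186.129.18.207]) (Authenticated sender: redacted@cityofmorrow.com) by smtpauth03.mfg.siteprotect.com (Postfix) with ESMTPA id A0CDAC75D; Sat, 29 Mar 2014 19:37:53 -0500 (CDT)
From: victim@yahoo.com
To: recipient@hotmail.com
Subject: News
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
Return-Path: victim@yahoo.com

Hello!
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Return the Received hops in delivery order (earliest hop first).

    Each relay prepends its own Received header, so the top one is the last
    hop; the list is reversed so index 0 is the host that injected the mail.
    """
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_BY.search(value)
        ip = IPV4.search(value)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "ip": ip.group(1) if ip else None,
            # Postfix writes this when the client logged in with SMTP AUTH
            "authenticated": "Authenticated sender" in value,
        })
    return list(reversed(hops))


def spf_check(record, client_ip):
    """Simplified SPF evaluation (a subset of RFC 7208): ip4 mechanisms and
    'all', each with an optional +/-/~/? qualifier. A record of None models a
    domain that publishes no SPF at all, which yields 'none' and lets the
    receiver accept the mail regardless of the connecting IP."""
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return results[qualifier]
        if term.lower().startswith("ip4:"):
            if ip in ip_network(term[4:], strict=False):
                return results[qualifier]
        elif term.lower().startswith(("include:", "redirect=")):
            raise NotImplementedError("DNS lookups are out of scope for this example")
    return "neutral"  # no mechanism matched and no 'all' term: RFC default


def verdict(raw, spf_record):
    """Tie it together: who injected the message, what client produced it, and
    whether the last external hop would pass the From domain's SPF record."""
    chain = received_chain(raw)
    msg = message_from_string(raw, policy=default)
    last_hop = chain[-1]  # server that handed the mail to the recipient's MX
    return {
        "origin_ip": chain[0]["ip"],
        "origin_authenticated": chain[0]["authenticated"],
        "last_hop_ip": last_hop["ip"],
        "x_mailer": msg.get("X-Mailer"),
        "spf": spf_check(spf_record, last_hop["ip"]),
    }


if __name__ == "__main__":
    # No SPF record published: result 'none', mail accepted (what the thread saw)
    print(verdict(SAMPLE_MESSAGE, None))
    # Constructed strict record: only TEST-NET-3 may send, so the relay fails
    print(verdict(SAMPLE_MESSAGE, "v=spf1 ip4:203.0.113.0/24 -all"))
```

The two runs in the `__main__` block show the point made above: with no record the check is `none` and the receiver has nothing to enforce, while any published record that does not list 64.26.60.134 turns the same message into a `fail` at the Hotmail side. The first hop is also flagged as an authenticated submission, which is why the thread's attention goes to the credentials on the cityofmorrow.com relay rather than to the Yahoo account itself.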
 

Dittoz · Registered · 417 Posts · Discussion Starter · #12
Thank you very much. I just emailed the City of Morrow's administrator. I'll let you know what response I get.
 

tompsonn · Premium Member · 10,774 Posts · #13
Quote:
Originally Posted by Dittoz

Thank you very much. I just emailed the City of Morrow's administrator. I'll let you know what response I get.
No problem. I just realized it is certainly possible the [email protected] user may be on holiday or travelling for some other purpose, perhaps in Argentina, using their email from a potentially infected personal laptop connected to the corporate mail server back in the US via Windows Live Mail, and that may explain the Argentinian IP address.
 