Saturday, September 26, 2015

Email Sent Under My Name Not from Me to Addresses Stolen from My Email Account

First written: Saturday, September 26th
Updated: Sunday, September 27th to include "Fw: read this" subject line and example of timing.
Updated: Monday, September 28th to include instructions for using the malwr.com web site and corrected subject line to "Fw: important message".
Updated: Tuesday, September 29th to include variant in helo string and remove information about malwr.com site.
Updated: Wednesday, September 30th to provide examples of recipient address patterns.
Updated: Saturday, October 2nd to include a new subject line.
Updated: Monday, October 4th to include list of email address domains and customized ausfish subject.
Updated: Tuesday, October 5th to provide link to a form to collect details of individual cases.
Updated: Wednesday, October 6th to provide results of form.
Updated: Monday, October 12th to add link to known Netgear router vulnerability. Added some suggestions for possible actions even though it is not possible to stop the spoofing. Added links to diet spam.
Updated: Thursday, October 15th to add link to botnet blog article.
Updated: Sunday, October 18th to add more headers.
Updated: Saturday, October 24th to add new example with link to fraudulent malware program.
Updated: Saturday, February 20th to add links to Virgin Media users' Facebook group and associated article in the Register.
Updated: Saturday, March 12th to add new and historical references.
Updated: Thursday, May 19th and Saturday, May 28th, June 5th, and July 9th to add new subject lines.
Updated: Saturday, October 22nd, automated subject-line collection, added new subject lines.


Perhaps you are having a problem recently with emails which appear to have been sent from your account; however, you did not send them.

You will know you did not send the messages for a variety of reasons.

- You did not compose the text.
- The text of the messages may be in English and you may not normally write in English.
- There are no matching messages in the sent items folder of your email account.

Your friends and colleagues who have received the messages will probably think that the emails came from your account because the return address will appear to be your address and the message may have your email address as a signature at the bottom.  This is outrageous, embarrassing, and quite frightening!

What you might see in your email box are messages which have been returned because they could not be delivered.  In addition, the kindness of your friends and family is likely to have caused them to let you know that they have received peculiar messages which appear to have been sent by you.

In this article, I am discussing a very particular set of emails which are further described below.  For these messages, there are patterns in the subject lines, the content of the messages, and the way in which the messages have been sent from an automated system.


Table 1.  Subject lines known to have been used between August 2015 and mid-May 2016.

Fw: try it out
Fw: news
Fw: important message
Fw: important message from ausfish
Fw: important
Fw: read this
Fw: new message
Fw: new important message
Re:

The subject line has varied over time with new subject lines appearing periodically.  Beginning in May 2016, new subject lines appeared as shown in Table 2 below.  If you know of additional subject lines which are not already on this list, then I would be interested in updates. You can provide them in the comments section at the bottom of this page.


Table 2.  Subject lines from May 2016 onwards.

a bit of news
a close look
a couple of questions
a fabulous performance
a lot of cool stuff
a note from a friend
a piece of information
a question
absolutely gorgeous
advanced learning
amazing
amazing and exciting
amazing article
amazing day
amazing day with friends and family
amazing days out of town
amazing meeting
amazing new stuff
amazing news
amazing news!
amazing people
amazing people and place
amazing!
an amazing article
an important piece of information
an incredible story
an interesting article
an old famous friend
announcement
any ideas?
any suggestions?
are you interested in something like hat?
article issues
astonishing!
at long last
awesome book
awesome!
be prepared
better than ever
brainteaser
breaking news
cast your mind back
cool
cool news
cool people
cool place
cool places to visit
cool stuff
cooler than ever
could never imagine something like that
could that be real?
couldn't imagine smth like that
cozy and homelike place
crazy day
crazy stuff
creative mind
curious case
day full of surprises
Dear friend!
Dear!
different stuff
do you like it or not?
do you like that stuff?
don't miss that
don't miss that stuff
don't miss this
don't miss up that new stuff
easy stuff
energy
enjoyable experience
examples of my work
excellent article
excellent stuff
excitante
exciting
exciting day
exciting news
expedition
experimental methods
extraordinary people
extremely good stuff
extremely good!
extremely useful stuff
fantastic
fantastic place
feedback
found some nice stuff
found the solution
freelance
fresh info
funny stuff
fuss
Fw: a bit of news
Fw: a couple of questions
Fw: a lot of cool stuff
Fw: a note from a friend
Fw: a question
Fw: a splendid dinner
Fw: advanced learning
Fw: amazing article
Fw: amazing day
Fw: amazing days out of town
Fw: amazing meeting
Fw: amazing new stuff
Fw: amazing people
Fw: an amazing article
Fw: an important piece of information
Fw: announcement
Fw: any ideas?
Fw: any suggestions?
Fw: article issues
Fw: at long last
Fw: awesome book
Fw: be prepared
Fw: brainteaser
Fw: cool news
Fw: cool people
Fw: cool place
Fw: cool stuff
Fw: cooler than ever
Fw: could that be real?
Fw: couldn't imagine smth like that
Fw: cozy and homelike place
Fw: crazy day
Fw: crazy stuff
Fw: creative mind
Fw: day full of surprises
Fw: different stuff
Fw: do you like that stuff?
Fw: don't miss that stuff
Fw: energy
Fw: examples of my work
Fw: excellent stuff
Fw: exciting
Fw: exciting day
Fw: expedition
Fw: extremely good!
Fw: fantastic
Fw: feedback
Fw: found the solution
Fw: freelance
Fw: fresh info
Fw: funny stuff
Fw: fuss
Fw: Fw: just look at that
Fw: Fw: you've got to see that
Fw: Give it a try
Fw: good ideas
Fw: good news
Fw: good news from me
Fw: gorgeous!
Fw: grateful
Fw: great adventure
Fw: great article
Fw: great news
Fw: great news or you
Fw: Greetings,
Fw: Greetings,
Fw: group of turists
Fw: happy))
Fw: hard facts
Fw: have you been there yet?
Fw: have you ever been there?
Fw: Have you ever tried that stuff?
Fw: have you heard the news?
Fw: have you seen that amazing news?
Fw: have you seen that stuff?
Fw: have you seen those guys?
Fw: help me make my decision
Fw: helpful info
Fw: helpful stuff
Fw: home sweet home
Fw: house renovation
Fw: how about that?
Fw: how beautiful
Fw: how is it possible?
Fw: how you're doing?
Fw: How's it going
Fw: I found it!
Fw: i found the stuff
Fw: I guess I've found it at last
Fw: I left you a message
Fw: I like it
Fw: i like it!
Fw: I need your independent advice
Fw: i think you'll love this
Fw: I'm so excited about the latest news
Fw: I'm so excited!
Fw: I'm so grateful
Fw: I've found some great stuff
Fw: I've got it!
Fw: improvement
Fw: info
Fw: information
Fw: inspiration
Fw: interesting
Fw: interesting article
Fw: interesting articles
Fw: interesting book
Fw: interesting information
Fw: interesting moments
Fw: interesting stuff, just take a look
Fw: ironic comments
Fw: isn't it cool?
Fw: it is amazing
Fw: it's never too late
Fw: it's really not a joke
Fw: it's shocking
Fw: Jeez!
Fw: just a message
Fw: just a note
Fw: just a quick note
Fw: just hard facts
Fw: just hi
Fw: just info
Fw: just look at that
Fw: just take a look
Fw: just take a look at that
Fw: just wanted to say hi
Fw: juste un message
Fw: keep up the good work
Fw: last meeting
Fw: latest news
Fw: like it
Fw: look at that nice things
Fw: look at that stuff
Fw: look what I've found
Fw: look!
Fw: loook at that!
Fw: lovely and cozy place
Fw: lovely place
Fw: lovely things
Fw: many beautiful things
Fw: many thanks
Fw: means a lot to me
Fw: miss you
Fw: more useful info
Fw: musical performance
Fw: my article
Fw: my favourite place
Fw: my favourite stuff
Fw: my new hairstyle
Fw: need your advice
Fw: need your help
Fw: need your pieseof advice
Fw: new experience
Fw: new message
Fw: new movie
Fw: new stuff
Fw: new work
Fw: news from friends
Fw: news from me
Fw: nice music
Fw: nice people
Fw: nice place
Fw: nice story
Fw: nice stuff
Fw: nice to know
Fw: official information
Fw: oh my!
Fw: OMG it's true
Fw: page layout
Fw: perfect
Fw: pictures of my trip
Fw: pizza time
Fw: pleasant surprise
Fw: pleased and happy
Fw: precious memories
Fw: quelle surprise
Fw: Re: interesting things
Fw: Re: my message
Fw: really and truly
Fw: really great stuff
Fw: really great things
Fw: really nice stuff
Fw: recent conversation
Fw: share your opinion with me
Fw: since we've met last time
Fw: so amazing and beautiful
Fw: so exciting
Fw: so great and amazing!
Fw: so many amazing things happen
Fw: so many cool things
Fw: so many interesting stories
Fw: so nice I couldn't  pass it
Fw: so strange but interesting
Fw: some funny stuff
Fw: some info for you
Fw: some information
Fw: some new stuff
Fw: some stuff you'll like
Fw: something exciting
Fw: something useful, I think
Fw: sooo interesting
Fw: stuff we discussed
Fw: such a great stuff
Fw: suggestions
Fw: surprise surprise!
Fw: surprised but not really
Fw: surprising
Fw: surprising news
Fw: surprisingly interesting
Fw: take a look at my new driving glasses
Fw: tell what you think
Fw: tenter le coup
Fw: that is so great!
Fw: that is so nice
Fw: that's cool
Fw: that's exciting!
Fw: that's just amazing
Fw: that's no joke!
Fw: that's really amazing
Fw: that's really awesome
Fw: that's really nice
Fw: that's so amazing
Fw: that's so great
Fw: that's so interesting
Fw: that's so nice
Fw: the future
Fw: the latest info
Fw: the latest news
Fw: this is genious
Fw: those facts are unbelievable
Fw: true friends
Fw: true love
Fw: true story
Fw: try it
Fw: try that
Fw: try that stuff, it's awesome
Fw: unexpected surprise
Fw: unforgettable place
Fw: useful and nice stuff
Fw: useful info
Fw: useful links
Fw: useful things
Fw: usefull info
Fw: very important
Fw: very informative article
Fw: we're moving
Fw: what a news!
Fw: what a nice article
Fw: what a nice day
Fw: what a nice movie
Fw: what a nice surprise
Fw: what a surprise
Fw: what a surprise!
Fw: what an amazing place
Fw: what an amazing thing
Fw: what do you think about that?
Fw: what do you think?
Fw: what's that?
Fw: where have you been?
Fw: wonderful stuff
Fw: wow
Fw: wow, amazing!
Fw: wow, great stuff!
Fw: wow, look at that stuff!
Fw: wow, look at that!
Fw: wow!
Fw: wow! great stuff
Fw: wowsome
Fw: yeah, I've found it!
Fw: you'll love that
Fw: you'll love that news
Fw: you've got to see that
Give it a try
good idea
good ideas
good impression
good memories
good news
good news from me
good stuff
gorgeous
gorgeous!
gossip
grateful
great adventure
great app
great article
great journey
great news
great news or you
great place to visit
great stuff for summer
great stuff for you
Greetings! my dear
Greets
Greets :)
Greets =)
group of turists
happy))
hard facts
have you been there yet?
have you ever been there?
have you ever seen something like that?
Have you ever tried that stuff?
have you heard the news?
have you seen that amazing news?
have you seen that stuff?
have you seen that?
have you seen those guys?
hello
Hello :)
Hello [first name]
Hello 8-)
hello [first name]
Hello friend, my dear
Hello,
hello, my dear
hello!
hello! )
hello! =)
hello! 8-)
Hello! my dear
Hello) how are you?
help me make my decision
helpful article
helpful info
helpful information
helpful stuff
Hey friend, my dear
Hey here
Hey here )
Hey here 8)
Hey here!
hey there
hey there!
Hey!
hi
Hi [first name]
hi 8-)
Hi, my dear
hi!
hi! :)
Hi! =)
holiday camp
home
home sweet home
house renovation
how about a short story?
how about that?
how beautiful
how is it possible?
how lovely it is!
how you're doing?
How's it going
I found it!
i found the stuff
I found u
I found U =)
I found you
I guess I've found it at last
I left you a message
i like it
i like it!
I like that
I need your independent advice
I really appreciate your help
i think you'll love this
i'm slightly shocked
i'm so excited
I'm so excited about the latest news
I'm so excited!
I'm so grateful
I've found some great stuff
I've got it!
improvement
increased tax on goods
info
information
insomnia
inspiration
interesting
interesting article
interesting articles
interesting book
interesting info
interesting information
interesting moments
interesting stuff, just take a look
ironic comments
is that real?
isn't it amazing?
isn't it cool?
it is amazing
it's just a bombshell!
it's magic!
it's never too late
it's party time!
it's really not a joke
it's shocking
it's so unusual
Jeez!
journey
just a message
just a note
just a quick note
just for you
just great
just hard facts
just hi
just info
just some cool stuff
just some interesting info
just take a look
just take a look at that
just wanted to say hi
keep up the good work
last game
last meeting
last news
latest news
latest news from our friends
let's go camping!
like it
list of books
list of events
look at that nice things
look at that stuff
look at that, it's amazing!
look at that!
look what I've found
look!
looks nice
loook at that!
lovely
lovely and cozy place
lovely place
lovely things
many beautiful things
many nice things
many thanks
means a lot to me
meditation
message from me
miss you
missed me ?
missed me ? :)
missed me ? =)
Missed me ? 8)
mon article
more useful info
musical performance
must have
my article
my favourite book
my favourite place
my favourite stuff
my journey was amazing
my new article
my new hairstyle
need help
need your advice
need your help
need your pieseof advice
new acquaintances
new art gallery opening
new art project
new article
new catalogue
new experience
new methods
new movie
new recipe
new restaurant opening
new stuff
new technologies
new work
news
news from friends
news from me
news from my family
news on the deal
nice
nice music
nice news
nice people
nice place
nice story
nice stuff
nice surprise
nice to know
nice trip
not sure
oh my!
OMG it's true
ornaments
page layout
perfect
perfect words
pictures of my trip
pizza time
plans for the summer
pleasant surprise
pleased and happy
precious memories
previous experience
pure joy
quite good stuff
Re: a couple of questions
Re: a fabulous performance
Re: a lot of cool stuff
Re: a note from a friend
Re: a piece of information
Re: a question
Re: a splendid dinner
Re: absolutely gorgeous
Re: advanced learning
Re: amazing
Re: amazing and exciting
Re: amazing article
Re: amazing days out of town
Re: amazing new stuff
Re: amazing!
Re: an amazing article
Re: an important piece of information
Re: an incredible story
Re: announcement
Re: any ideas?
Re: any suggestions?
Re: are you interested in something like hat?
Re: article issues
Re: at long last
Re: be prepared
Re: cool
Re: cool news
Re: cool people
Re: cool place
Re: cool places to visit
Re: cool stuff
Re: could never imagine something like that
Re: could that be real?
Re: couldn't imagine smth like that
Re: cozy and homelike place
Re: crazy stuff
Re: curious case
Re: don't miss that
Re: don't miss that stuff
Re: don't miss this
Re: don't miss up that new stuff
Re: easy stuff
Re: energy
Re: examples of my work
Re: excellent article
Re: excellent stuff
Re: exciting
Re: exciting day
Re: exciting news
Re: expedition
Re: experimental methods
Re: extremely good stuff
Re: extremely good!
Re: extremely useful stuff
Re: feedback
Re: found some nice stuff
Re: found the solution
Re: freelance
Re: fresh info
Re: funny stuff
Re: fuss
Re: Fw: just look at that
Re: good idea
Re: good impression
Re: good memories
Re: good news
Re: good stuff
Re: gorgeous
Re: gossip
Re: great adventure
Re: great app
Re: great article
Re: great journey
Re: great news or you
Re: great place to visit
Re: great stuff for you
Re: happy))
Re: hard facts
Re: have you been there yet?
Re: have you ever seen something like that?
Re: have you heard the news?
Re: have you seen that stuff?
Re: have you seen that?
Re: have you seen those guys?
Re: Hello friend, my dear
Re: Hello!
Re: help me make my decision
Re: helpful info
Re: helpful information
Re: helpful stuff
Re: hi
Re: home
Re: home sweet home
Re: house renovation
Re: how about a short story?
Re: how about that?
Re: how is it possible?
Re: how lovely it is!
Re: how you're doing?
Re: I found it!
Re: i found the stuff
Re: I guess I've found it at last
Re: I left you a message
Re: I like it
Re: i like it!
Re: I like that
Re: I need your independent advice
Re: i'm slightly shocked
Re: i'm so excited
Re: I'm so excited about the latest news
Re: I'm so excited!
Re: I'm so grateful
Re: I've found some great stuff
Re: I've got it!
Re: increased tax on goods
Re: information
Re: informations utiles pour vous
Re: insomnia
Re: Inspiration
Re: interesting
Re: interesting article
Re: interesting information
Re: interesting moments
Re: interesting stuff, just take a look
Re: interesting things
Re: is that real?
Re: isn't it amazing?
Re: isn't it cool?
Re: it is amazing
Re: it's just a bombshell!
Re: it's magic!
Re: it's really not a joke
Re: it's shocking
Re: it's so unusual
Re: Jeez!
Re: journey
Re: just a message
Re: just a note
Re: just great
Re: just hi
Re: just info
Re: just take a look
Re: just wanted to say hi
Re: keep up the good work
Re: last game
Re: last meeting
Re: last news
Re: latest news
Re: let's go camping!
Re: liens utiles
Re: like it
Re: list of books
Re: look at that nice things
Re: look at that stuff
Re: look at that, it's amazing!
Re: look at that!
Re: look what I've found
Re: look!
Re: looks nice
Re: loook at that!
Re: lovely
Re: lovely place
Re: lovely things
Re: many beautiful things
Re: means a lot to me
Re: meditation
Re: message from me
Re: miss you
Re: more useful info
Re: my article
Re: my favourite book
Re: my favourite stuff
Re: my journey was amazing
Re: my message
Re: my new article
Re: my new hairstyle
Re: need help
Re: need your advice
Re: need your help
Re: need your pieseof advice
Re: new acquaintances
Re: new art gallery opening
Re: new article
Re: new catalogue
Re: new experience
Re: new methods
Re: new movie
Re: new recipe
Re: new restaurant opening
Re: new stuff
Re: new technologies
Re: new work
Re: news
Re: news from friends
Re: news from me
Re: news from my family
Re: news on the deal
Re: nice
Re: nice news
Re: nice people
Re: nice place
Re: nice story
Re: nice stuff
Re: nice surprise
Re: nice to know
Re: not sure
Re: oh my!
Re: OMG it's true
Re: ornaments
Re: page layout
Re: perfect
Re: pictures of my trip
Re: pizza time
Re: plans for the summer
Re: pleasant surprise
Re: pleased and happy
Re: previous experience
Re: pure joy
Re: quite good stuff
Re: Re: interesting things
Re: Re: my message
Re: Re: new stuff
Re: Re: useful information for you
Re: real facts
Re: real friends
Re: really and truly
Re: really cool things
Re: really great stuff
Re: really great things
Re: really interesting
Re: really nice stuff
Re: recent conversation
Re: recent photos
Re: renovation
Re: share your opinion with me
Re: shock and amazement
Re: shopping together
Re: since we've met last time
Re: so great and amazing!
Re: so many interesting stories
Re: so nice I couldn't  pass it
Re: some funny stuff
Re: some helpful information
Re: some information
Re: some interesting facts
Re: some interesting info
Re: some new info
Re: some new stuff
Re: something new and interesting!
Re: something new, don't miss up
Re: something really cool
Re: something useful
Re: something useful, I think
Re: source d'inspiration
Re: spectaculous
Re: spring break
Re: stuff we discussed
Re: suggestions
Re: super
Re: super cool
Re: surprise surprise!
Re: surprise!
Re: surprised but not really
Re: surprising
Re: surprising facts
Re: surprising news
Re: surprisingly interesting
Re: take a look at my new driving glasses
Re: tell me what you think
Re: thanks
Re: thanks for your support
Re: that impressed me
Re: that is  super cool!
Re: that is so great!
Re: that is so nice
Re: that's interesting
Re: that's just amazing
Re: that's just perfect!
Re: that's no joke!
Re: that's really amazing
Re: that's really awesome
Re: that's really nice
Re: that's so amazing
Re: that's so exciting
Re: that's so great
Re: that's so interesting
Re: that's so nice
Re: that's what you were looking for
Re: the best of its kind
Re: the latest info
Re: the latest news
Re: this is amazing
Re: this is genious
Re: this is so lovely
Re: this is worth seeing
Re: this really matters
Re: those facts are unbelievable
Re: true friends
Re: true love
Re: true story
Re: try that stuff, it's awesome
Re: une question
Re: unexpected surprise
Re: unforgettable place
Re: unique gifts
Re: useful and nice stuff
Re: useful info
Re: useful information
Re: useful information for you
Re: useful links
Re: useful stuff
Re: useful things
Re: very good news
Re: very important
Re: very important news
Re: very informative article
Re: we're moving
Re: weather forecast
Re: what a gorgeous stuff!
Re: what a nice article
Re: what a nice day
Re: what a nice movie
Re: what a nice surprise
Re: what a nice surprise!
Re: what a place
Re: what a pleasant surprise
Re: what a shame
Re: what about that stuff?
Re: what an amazing place
Re: what an amazing thing
Re: what do you think about that stuff?
Re: what do you think about that?
Re: what do you think?
Re: what's that?
Re: where have you been?
Re: wonderful news
Re: wonderful stuff
Re: wonderful things
Re: wow, amazing!
Re: wow, extremely good news!
Re: wow, great stuff!
Re: wow, just take a look!
Re: wow, look at that stuff!
Re: wow, nice stuff
Re: wow, that's cool
Re: wow, what a surprise
Re: wow!
Re: wow! great stuff
Re: wowsome
Re: yeah, I've found it!
Re: you'll love that
Re: you'll love that news
real facts
real friends
really and truly
really cool things
really great stuff
really great things
really interesting
really nice place
really nice stuff
recent conversation
recent photos
renovation
sad but true
share your opinion with me
shock and amazement
shopping together
since we've met last time
so amazing and beautiful
so exciting
so great and amazing!
so many amazing things happen
so many cool things
so many great things
so many interesting stories
so nice I couldn't  pass it
so strange but interesting
some funny stuff
some helpful articles
some helpful information
some info for you
some information
some information for thinking
some interesting facts
some interesting info
some new info
some new stuff
some stuff you'll like
something exciting
something new and interesting!
something new, don't miss up
something really cool
something useful
something useful, I think
sooo interesting
spectaculous
spring break
still looking for that stuff?
stuff we discussed
such a great stuff
suggestions
sup
sup :)
Sup 8-)
sup!
Sup! 8)
super
super cool
surprenant
surprise surprise!
surprise!
surprised and happy
surprised but not really
surprising
surprising facts
surprising news
surprisingly interesting
take a look at my new driving glasses
tell me what you think
tell what you think
thanks
thanks for everything
thanks for your support
that impressed me
that is  super cool!
that is not a joke!
that is so great!
that is so nice
that is unbelievable!
that's cool
that's exciting!
that's interesting
that's just amazing
that's just perfect!
that's no joke!
that's really amazing
that's really awesome
that's really nice
that's so amazing
that's so exciting
that's so gooood
that's so great
that's so interesting
that's so nice
that's what you were looking for
the best of its kind
the future
the latest info
the latest news
The most wonderful day of them all!
this is amazing
this is genious
this is so lovely
this is worth seeing
this really matters
those facts are unbelievable
true love
true story
try it
try that
try that stuff, it's awesome
unbelievable
une question
unexpected letter
unexpected surprise
unforgettable place
unique gifts
useful and nice stuff
useful docs
useful info
useful information
useful links
useful stuff
useful things
usefull info
very good news
very important
very important news
very informative article
very useful
we're moving
weather forecast
what a gorgeous stuff!
what a news!
what a nice article
what a nice day
what a nice movie
what a nice surprise
what a nice surprise!
what a place
what a pleasant surprise
what a shame
what a surprise
what a surprise!
what about that stuff?
what an amazing place
what an amazing surprise
what an amazing thing
what do you think about that stuff?
what do you think about that?
what do you think?
what's next?
what's that?
where have you been?
wonderful news
wonderful stuff
wonderful things
wow
wow, amazing!
wow, extremely good news!
wow, great stuff!
wow, just take a look!
wow, look at that stuff!
wow, look at that!
wow, nice stuff
wow, that's cool
wow, that's so amazing!
wow, that's so great
wow, what a surprise
wow!
wow! great stuff
wow! what a surprise!
wowsome
writer
yeah, I've found it!
yo
yo :)
Yo =)
yo 8)
Yo! my dear
You absolutely HAVE to see this!
you'll love that
you'll love that news
your opinion matters


Beginning in June 2016, French accounts with this problem are associated with subject lines in French.  Table 3 below lists some of the subjects which have been used so far.


Table 3.  Subject lines associated with French accounts on and after June 2016.

admirable!
bonnes nouvelles
cela signifie beaucoup pour moi
choses faciles
conversation récente
de belles choses pour vous
info utile
Je l'ai trouvé!
je suis tellement excité
je voulais juste dire salut
jetez juste un coup d'œil
nouvelles incroyables!
nouvelles merveilleuses
oh mon Dieu!
Oh Mon Dieu c'est vrai
quelques infos pour vous
Re: nouveautés
si étrange mais intéressant
si excitant
très bonnes nouvelles
wow! Belles  choses


The messages themselves are distinctive because they are short and don't show much more than a greeting, an entreaty to visit a link, and a name or email address as a signature.  Table 4 below shows a variety of examples found with a Google search.  Sometimes the messages are signed with an email address rather than a name, and from time to time the name or email address in the signature does not match the name of the person whose email address is attached to the message.

Table 4.  Appearance of the messages.

Hello!

Important message, visit http://idansanthaus.com/king.php?x0q

[Name]


Hello!

New message, please read http://funespar.org/watched.php

[Name]


Hey friend!

Check this out http://transportpierrat.com/spot.php?4y

[Name]


Hey!

New message, please read http://[link with php in text]

[name] at [email provider]

This email has been protected by [name of fraudulent malware scanner removed]


Hi,

I've read about some cool things recently and I though you might be inerested too, here is the link

[link]

Rushing, [email address]


Hey,

Have you seen this before? That's something really nice, more info here
[link]

Yours, [name]


Hello,I'm so excited to tell you that, I was impressed so much, please read here
[link]


To investigate further how these emails have been sent, you need to be able to find the full text of the email messages.  Messages contain many more details than you typically see in your email program.  There are additional lines in the header of each message which show where the message was sent from, which servers it passed through, and which email program sent it.

In Gmail to see email headers, open a particular message, look for the downward facing arrow to the right and select "Show original".  You will then see the complete message and its headers.  All other email programs have ways to see the full message with its headers.  Search on "view full email headers" to find instructions for your email program.  This web page might be helpful.



Where were the messages sent?

If the subject and contents of the messages resemble those in Tables 1 and 3 above and it is 2015, then you are likely to find in the email headers the text "WORLDST-UQ3K9Q0" or "WIN-NPPN1JPV75J".  Specifically, this text will be in a line which begins with "Received".  There will be several lines beginning with "Received".  You are looking for the one that is furthest down.  Towards the end of 2015 and in 2016, the messages no longer contain these specific strings.  Instead, you'll find a line like those in the bottom-most examples in Table 4 in which there is a domain name made up of four or five letters which does not spell anything in particular, such as "zpmn.org" or "fswvt.com".

Table 5 below shows some examples of that part of the headers found online and as a recipient in my own mailbox.  I have removed information about particular email addresses and replaced the details with the text [redacted].  Each paragraph is a separate example from a different account.

The server which did send the email is described by an IP address in this header, the bottom-most "Received" line.  For example, the first one shown below is [209.45.96.230].  You can look up the geographical location of the IP address using online tools.  You might be surprised to find that the messages with your email address attached originated in another part of the world.  This is common.


Table 5.  The bottom-most "Received" line from the headers and the common strings WORLDST-UQ3K9Q0 and WIN-NPPN1JPV75J.




Received: from WORLDST-UQ3K9Q0 (unknown [189.249.26.95]) (Authenticated sender: [redacted]@arcor.de) by mail-in-01.arcor-online.net (Postfix) with ESMTPSA id 3msg4X6P5FzFQb9; Thu, 13 Aug 2015 22:49:32 +0200 (CEST)

Received: from WORLDST-UQ3K9Q0 ([93.175.225.75]) by smtp.googlemail.com with ESMTPSA id go5sm7064578wib.3.2015.09.16.17.33.44 (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128/128); Wed, 16 Sep 2015 17:33:48 -0700 (PDT)

Received: from unknown (HELO WORLDST-UQ3K9Q0) (94.156.164.39) by dns.gammaufficio.eu with ESMTPSA (DHE-RSA-AES256-GCM SHA384 encrypted, authenticated); September 24, 2015 16:55:17 +0200

Change to WIN-NPPN1JPV75J beginning around 29 September:

Received: from WIN-NPPN1JPV75J (unknown [93.185.232.239]) by smtp02.udag.de (Postfix) with ESMTPA id 5D193A21;Tue, 29 Sep 2015 01:36:59 +0200 (CEST)

Received: from WIN-NPPN1JPV75J ([78.175.245.158]) by mrelay.perfora.net(mreueus003) with ESMTPSA (Nemesis) id 0M5vg7-1aXp120Otd-00xti7; Tue, 06 Oct 2015 04:20:55 +0200

Received: from 196-210-12-32.dynamic.isadsl.co.za ([196.210.12.32]:61151 helo=WIN-NPPN1JPV75J) by server.bw2bill.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85) (envelope-from <[redacted]@arcor.de>) id 1ZkDrp-0004gW-3P; Thu, 08 Oct 2015 12:16:29 -0400

Received: from [159.146.51.103] (port=50710 helo=WIN-NPPN1JPV75J) by n67.mail01.mtsvc.net with esmtpsa (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <[redacted]@[redacted].com>) id 1ZlD3j-000AQs-SG; Sun, 11 Oct 2015 05:36:52 -0400

Received: from [redacted] (helo=WIN-NPPN1JPV75J) by vmemail9.rubalocloud.nmllab.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <[redacted]@free.fr>) id 1Zmvzc-0006rx-4Z; Fri, 16 Oct 2015 05:47:45 +0200

Received: from [41.215.210.96] (port=57744 helo=WIN-NPPN1JPV75J) by mhost-oasiteam2.micso.it with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86) (envelope-from <[redacted]@bluewin.ch>) id 1ZoTSB-0002sm-Qe; Tue, 20 Oct 2015 11:43:36 +0200

Received: from [46.10.128.232] (helo=WIN-NPPN1JPV75J) by server1.bsname.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <[redacted]@centrum.sk>) id 1ZpDgK-000706-KG; Thu, 22 Oct 2015 19:05:17 +0800

Change to short meaningless domain names in 2016:

Received: from zpmn.org (unknown [113.169.207.181]) by agr.ehime-u.ac.jp (Postfix) with ESMTPSA id 2DF08583C9; Mon, 22 Feb 2016 23:48:45 +0900 (JST)

Received: from fswvt.com ([179.124.29.164]) by mrelay.perfora.net (mreueus002) with ESMTPSA (Nemesis) id 0MV45z-1bDl8z1KTl-00YTzw; Mon, 25 Apr 2016 13:55:58 +0200


What is the earliest example of this pattern, I wonder?  So far the earliest version I have seen dates from the 13th of August.  A thread on the German CHIP forum suggests that the problem also existed in early August.  Does anyone have earlier examples?

How could someone obtain a list of email addresses from inside my account?

Perhaps this is very easy.  If your emails are imported into a Google Gmail account, there is a helpful feature which allows anyone with access to that account to export all of the email addresses which have ever been used in the account, going back to the very first message.  The resulting spreadsheet contains an alphabetized list of email addresses.  The addresses are alphabetized by display name when one is available, and by email address if the display name is blank.  Duplicate entries will be exported.  In short, the characteristics of the resulting list match the characteristics of the lists which are used in these spoofing cases.


What email program sent the messages?

To determine what kind of email program sent the message, look for a line in the header which begins with the text "X-Mailer:".  This will be followed by a description of the email program which sent the message.  In all of these cases, the program used to send the messages is described as version 15 of Microsoft Outlook.  You can see a table of the version numbers and their corresponding product names on the Outlook Wikipedia page.  Version 15 is more commonly known as Microsoft Outlook 2013.

X-Mailer: Microsoft Outlook 15.0

If you do not use the 2013 version of the Microsoft Outlook program, this is further evidence that you did not send the message.
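The header checks described above (the bottom-most "Received" line with its HELO name and originating IP, the "X-Mailer" line, and the wave subject lines listed later in this post) can be scripted so that a helpdesk triages a forwarded message the same way every time. The following Python is an added example written for this page, not code from the post or from any tool it mentions. The message it parses is constructed (documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24, example.com addresses), and the "short nonsense domain" check is my own heuristic generalizing the zpmn.org and fswvt.com examples, not a rule the post states.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# HELO names the post reports in the bottom-most Received line during 2015.
KNOWN_HELO_NAMES = {"WORLDST-UQ3K9Q0", "WIN-NPPN1JPV75J"}

# Subject lines the post lists for the successive waves of messages.
KNOWN_SUBJECTS = {"fw: important", "fw: news", "fw: important message",
                  "fw: read this", "fw: new message"}

# Heuristic (my generalization of the post's 2016 examples zpmn.org and
# fswvt.com): a bare four- or five-letter second-level domain as HELO name.
SHORT_NONSENSE_DOMAIN = re.compile(r"^[a-z]{4,5}\.(?:com|org|net)$")

# First IPv4 literal written in brackets or parentheses, as in Table 5.
ORIGIN_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Constructed message modelled on the Table 5 headers (not a real capture).
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by inbox.example.org with ESMTP id abc123; Thu, 08 Oct 2015 12:20:01 -0400
Received: from [203.0.113.45] (port=50710 helo=WIN-NPPN1JPV75J)
 by mx.example.net with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.85) (envelope-from <victim@example.com>) id 1Zk0000-0000AA-BB;
 Thu, 08 Oct 2015 12:16:29 -0400
From: "Victim Name" <victim@example.com>
To: "A Correspondent" <a@example.org>
Subject: Fw: important message
X-Mailer: Microsoft Outlook 15.0
Message-ID: <constructed-0001@example.com>

http://example.invalid/redacted-link
"""


def bottom_received(raw_message: str) -> Optional[str]:
    """Return the last (bottom-most) Received header, unfolded onto one line."""
    hops = message_from_string(raw_message).get_all("Received") or []
    return " ".join(hops[-1].split()) if hops else None


def helo_name(received: str) -> Optional[str]:
    """Extract the name the sending host announced in HELO/EHLO."""
    # Exim-style "helo=NAME" or the "(HELO NAME)" form seen in Table 5
    m = re.search(r"\bHELO\b[\s=]+([^\s()\[\]]+)", received, re.IGNORECASE)
    if m:
        return m.group(1)
    # Postfix/Google-style "from NAME (...)"
    m = re.match(r"from\s+([^\s()\[\]]+)", received, re.IGNORECASE)
    return m.group(1) if m else None


def origin_ip(received: str) -> Optional[str]:
    """Return the bracketed IP literal the receiving server recorded."""
    m = ORIGIN_IP.search(received)
    return m.group(1) if m else None


def triage(raw_message: str) -> Dict[str, object]:
    """Collect the indicators the post describes from one raw message."""
    msg = message_from_string(raw_message)
    hop = bottom_received(raw_message)
    helo = helo_name(hop) if hop else None
    ip = origin_ip(hop) if hop else None
    x_mailer = (msg.get("X-Mailer") or "").strip()
    subject = (msg.get("Subject") or "").strip()
    indicators: List[str] = []
    if helo in KNOWN_HELO_NAMES:
        indicators.append("known HELO name " + helo)
    elif helo and SHORT_NONSENSE_DOMAIN.match(helo.lower()):
        indicators.append("short nonsense HELO domain " + helo)
    if x_mailer.startswith("Microsoft Outlook 15.0"):
        indicators.append("X-Mailer claims Outlook 2013 (15.0)")
    if subject.lower() in KNOWN_SUBJECTS:
        indicators.append("subject matches a known wave")
    return {"origin_ip": ip, "helo": helo, "x_mailer": x_mailer,
            "subject": subject, "indicators": indicators}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Paste the full message source (the complete headers the post asks people to collect) into the string. The bottom-most "Received" line is the one written by the server that first accepted the message, so that is where the HELO name and IP are read; the lines above it were added by relays closer to the recipient. The indicators are a triage aid rather than proof: a genuine Outlook 2013 user forwarding something with the subject "Fw: important" would match two of the three.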


Which email addresses have been affected?


Many people in a variety of different countries using email addresses provided by different servers have reported this problem. Based on a sample of more than 850 addresses known to be experiencing this problem, I have compiled a list of the 15 email address types with the most cases. Table 6 below lists the domains in order of decreasing number of cases.


Table 6.  Email address types with many cases of this problem.

yahoo.com
gmx.de
ntlworld.com
free.fr
talktalk.net
web.de
comcast.net
orange.fr
tiscali.co.uk
tiscali.it
virgin.net
blueyonder.co.uk
virgilio.it
charter.net
mail.com
 

A much longer list of other email types with this problem in many countries is available here.  There are known cases in the United Kingdom, the United States, Poland, Italy, France, Germany, Austria, the Czech Republic, Spain and Portugal, the Russian Federation, Vietnam, Brazil, Japan and China, as well as Australia.  I think there are likely to be some cases of this problem in Thailand and Indonesia, although I don't have any details yet.  If you do, add some information to the comments section please.

For those of you using an email account managed by Virgin Media, you might be interested in reports of this problem posted by other Virgin Media account holders,
http://wardinewrock.blogspot.com/2016/05/virgin-media-spoofing.html.

Similarly, here is a list of case reports for accounts managed by TalkTalk,
http://wardinewrock.blogspot.com/2015/10/talktalk-cases-of-stolen-email.html

If you have this problem with a Virgin Media account (virginmedia.com, virgin.net, ntlworld.com, blueyonder.co.uk), you can also join a Facebook group for other people with Virgin Media accounts where people with this problem are comparing notes and obtaining help from fellow sufferers at https://www.facebook.com/groups/VMspoofingemails/.

There is also a new Facebook group for anyone with this particular spoofing problem in which spam email is sent to addresses stolen from the email account.  You'll find it here:
https://www.facebook.com/groups/818591258275839/

And a collection of reports in German,
http://wardinewrock.blogspot.com/2016/05/german-cases-emails-sent-with-my.html


Why aren't my IT staff and email provider taking this issue more seriously and helping me?

A common theme in online discussions about these emails is that IT staff and email providers are not taking the problem seriously or might be trying to cover up a security problem on their servers.  I think there are other reasons IT staff and email providers might not have taken these emails seriously yet.


Your IT staff are probably tired. They may also be underpaid and overworked. Some of their colleagues may have taken new jobs recently and they are trying to do more work than is possible with limited staff.

They are tired of troubleshooting problems in which computer users become victims of phishing attacks and give away their passwords or use passwords which are too simple.

They are tired of explaining how to protect computer systems to people who do not follow their instructions.

They might be physically tired because their jobs involve solving problems at many different hours in the day, during weekends, and in the middle of the night.

They may be tired of computer users who jump to conclusions which are not true.

They are most certainly tired of computer users who do not provide them with detailed information.

And finally they may be tired of people who do not believe what they say when they are trying to help!

Please help your computer helpers by providing them precise and detailed information so that they can assist you and accurately investigate the issue.
  • Tell them which email program/s you use, both the kind and the version number.  For example, perhaps you use Microsoft Outlook 2007.
  • Change your email password and tell them that you have updated your password. 
  • Update your virus definitions and perform a virus scan and let them know that this is complete. 
  • Obtain the full headers of the messages and be sure to report the complete headers without cutting any of the text off even if the result contains many many lines.   You may need to ask someone who has received the message purporting to be from you to send a copy to you so that you can obtain the full headers.
  • If a message has been sent as if it were from you, look carefully at the addresses to which the message has been sent.  Are they people with whom you have exchanged emails in the past?  How about the display names?  Carefully describe the characteristics of the email addresses to which the message was sent since this is what distinguishes these messages from more common spam.

Patterns in the email addresses used

Each of these spam messages is sent to a list of recipients.  The recipients are closely tied to the person who owns the spoofed From address.  I've seen examples of four to 54 recipients on a message.  The number varies and is probably purposely kept small: a message with many recipients is a characteristic of spam, so a long recipient list increases the chance of being blocked by the receiving email server.

Furthermore, the list of recipients will be alphabetized by the first letter of the display name.

There may be duplicate addresses among the recipients of any particular message: duplicates that are exactly the same, as well as several addresses for the same person, either with slightly different display names or with a work address and a personal address for the same person.

The list of recipients may include people with whom you have not corresponded for years as well as addresses which have not existed for some time.  

The list of recipients may include people with whom you have not ever corresponded, but I think if you search, you will find that these addresses exist somewhere in your email account as an address in an email thread where the address you do not recognize is someone else who also received the message.

The examples below are made up and show the patterns I've seen.

Multiple addresses for the same person
"Andrea L. Smith" <andrea@work.com>
"Andrea Smith" <andreasmith@home.com>

Duplicate addresses with different display names
"Honey boo boo" <honey@woods.edu>
"honey boo" <honey@woods.edu>

The same recipient emailed more than once in the same message
Name of mailing list <mailinglist@nowhere.com>
Name of mailing list <mailinglist@nowhere.com>

Temporary addresses used as recipients
kkxv2-4080906488@sale.craigslist.org

It is extremely unsettling to find that the list of your email correspondents has been exposed in this manner!
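The recipient-list characteristics just described (ordered by the first letter of the display name, several addresses for one person, one address under different display names, exact duplicates, and a small recipient count) can be checked mechanically against the To: line of a bounced or forwarded copy. The Python below is an added example written for this page, not the post's own code. Its recipient list is constructed from the made-up patterns above using reserved .example domains, and the "same person" matching (first and last word of the display name) is my own crude heuristic, not something the post specifies.

```python
from collections import Counter, defaultdict
from email.utils import getaddresses
from typing import Dict, List, Tuple

# Constructed recipient list (".example" is reserved for documentation) that
# reproduces the patterns the post describes: ordered by display name, two
# addresses for one person, one address under two display names, an exact
# duplicate, and a throwaway address with no display name.
SAMPLE_TO = ", ".join([
    '"Andrea L. Smith" <andrea@work.example>',
    '"Andrea Smith" <andreasmith@home.example>',
    '"Honey boo boo" <honey@woods.example>',
    '"honey boo" <honey@woods.example>',
    'kkxv2-4080906488@sale.example',
    '"Name of mailing list" <mailinglist@nowhere.example>',
    '"Name of mailing list" <mailinglist@nowhere.example>',
])

Recipient = Tuple[str, str]  # (display name, address)


def parse_recipients(header_value: str) -> List[Recipient]:
    """Split a To:/Cc: header into (display name, lowercased address) pairs."""
    return [(name.strip(), addr.strip().lower())
            for name, addr in getaddresses([header_value]) if addr]


def sort_key(recipient: Recipient) -> str:
    # The post says the list is ordered by display name, falling back to
    # the address itself when the display name is blank.
    name, addr = recipient
    return (name or addr).lower()


def is_alphabetized(recipients: List[Recipient]) -> bool:
    """True when the first letters of the sort keys never decrease."""
    firsts = [sort_key(r)[:1] for r in recipients]
    return all(a <= b for a, b in zip(firsts, firsts[1:]))


def person_key(name: str) -> Tuple[str, str]:
    """Crude identity key (my heuristic): first and last word of the name."""
    words = name.lower().split()
    return (words[0], words[-1]) if words else ("", "")


def analyze_recipients(header_value: str) -> Dict[str, object]:
    """Report the recipient-list patterns the post associates with the spam."""
    recipients = parse_recipients(header_value)
    exact_dups = [r for r, n in Counter(recipients).items() if n > 1]
    names_by_addr = defaultdict(set)
    addrs_by_person = defaultdict(set)
    for name, addr in recipients:
        if name:
            names_by_addr[addr].add(name)
            addrs_by_person[person_key(name)].add(addr)
    return {
        "recipient_count": len(recipients),
        "alphabetized_by_display_name": is_alphabetized(recipients),
        "exact_duplicates": exact_dups,
        "same_address_different_names": {
            a: sorted(n) for a, n in names_by_addr.items() if len(n) > 1},
        "likely_same_person": {
            p: sorted(a) for p, a in addrs_by_person.items() if len(a) > 1},
    }


def looks_harvested(report: Dict[str, object]) -> bool:
    """Judgement aid combining the post's observations; not proof."""
    has_repeats = bool(report["exact_duplicates"]
                       or report["same_address_different_names"]
                       or report["likely_same_person"])
    # Four to 54 recipients is the range the post reports seeing.
    return bool(report["alphabetized_by_display_name"] and has_repeats
                and 4 <= report["recipient_count"] <= 54)


if __name__ == "__main__":
    result = analyze_recipients(SAMPLE_TO)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("looks harvested:", looks_harvested(result))
```

Because the stolen list is split across many messages, the report from a single To: line is only partial; the alphabetization test looks only at first letters, as the post describes, so it is deliberately lenient and a short ordinary message can pass it by chance.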


Why after changing the password for my email account have more emails been sent appearing to be from my address?


Since the emails are not being sent directly from your email account, the computer program which is sending the emails does not need to know your user name and password.  The program has access to other email accounts for which it knows the usernames and passwords.  Your changing your own password does not stop the computer program from camouflaging the emails it is sending by attaching your email address to the from line.

One characteristic of these emails is that messages have been sent out in repeated waves.  There may be five or six days between the sending of messages which appear to have been sent from your email account.  Here is an example for a single email address belonging to someone who has changed their password several times in the past few weeks.

9 September, messages sent with subject "Fw: important"
9 September, two hours later, messages sent with subject "Fw: news"
15 September, messages sent with subject "Fw: important message"
26 September, messages sent with subject "Fw: read this"
5 October, messages sent with subject "Fw: new message".


Why hasn't my anti-virus program found the problem?

Anti-virus programs check for problems that have been already noticed and understood.  If this is a new piece of malware, it is possible that the companies which provide anti-virus protection have not yet discovered it and had time to update the anti-virus program so that it can detect the problem.  If your anti-virus program has not found a problem,  this does not mean that your computer is not infected with something new and unrecognized.

Looking for Trends

The source of the address lists which are in use is not clear.  Please consider filling out this short list of questions to describe your experience:

Questions about your experience with this problem

Perhaps we can use the results to rule out some of the possibilities.  For example, are there people who are affected who do not ever use a Windows computer to read their email?

This link contains results of the forms after they have been checked manually to make sure that there is no personally identifiable information such as a full email address:

Results of questions about your experience

From the above results, we can graph the days each person reports that email was sent as if it came from their email address.  Figure 1 below shows the patterns and how often each email address and recipient list were used.  Each person is a different color.




Figure 1.  Emails sent by date.




What to do if you are experiencing this problem

Note that there are no particular easy cures for this problem!  You are not alone; there are hundreds of people with this problem at the moment using email accounts at many different locations with many different email providers.
  • Change your email password.
  • If you have ever used your email address and the same email password for any other application or web site, change that password too.
  • Use strong passwords which do not contain any words in any language, whether spelled forwards or backwards.
  • If you are synchronizing any email content to another account, such as LinkedIn, turn off the email synchronization.
  • Search your computers using an anti-virus program.
  • Search your mobile phone for problems, for example, using Malwarebytes.
  • Apply all updates to your computers.
  • Apply all available firmware updates to your wireless router.
We see that the addresses which have been collected are being stored and used by automated computer programs which will send spam to your correspondents periodically several times a month.  This is a chronic problem which may cause you professional and personal distress and lead your correspondents to ignore additional messages from you.  If emails are being sent to mailing lists under your name, your email address is likely to be banned from those mailing lists.

Since stopping this problem is not under your control, and stopping the outgoing emails is not something that your email provider can do either, because these emails are not passing through their servers, you may want to consider obtaining a new email address.  I would recommend a Google Gmail account with two-factor authentication turned on.  Two-factor authentication means that anyone logging in to the email account needs a second piece of information, such as a temporary access code, in addition to the email account password.

Since it is clear that email addresses have been collected which match the list of email addresses present inside your mailbox, it may not be possible to rule out that the text contents of your email account have also been collected.  Consider what the ramifications of disclosure of the email might be.  A good rule of thumb for email content is "Never send in an email information you would not like to see on the front page of the newspaper".

Consider asking the recipients of the spam email to send back to you examples of the emails.  You will probably have received a number, perhaps a large number, of automated emails from email systems letting you know that your message cannot be delivered to some of the recipients.  Look in these messages and in examples sent to you by your correspondents to create a full list of the recipients.  Depending on how many people you email, this might be a very long list.  You might as well have this list by compiling it yourself since the list is being used by others!    Since the list of email recipients is alphabetized by the display names, you may need to consult many people to piece together the full list of recipients.

Then, having created the list, you might want to explain the problem to your recipients.  You can suggest that they add filters for any of the subjects listed above.  If they have a good email provider, it is probably already marking these messages as spam, since messages of this type have been circulating for more than a month.

Finally, the two most important actions to take are:

1) Open a new email account and start using it.  Something about your current account together with the way you use it has allowed someone else to collect a long list of email addresses inside the account.  Moreover, your current email provider does not have sufficient protection in place to protect accounts from spoofing.  You want to take your email life to a new space where you have more protection.  I suggest a free Gmail account from Google for these reasons:


  • Google accounts have excellent spam protection.
  • A Google account will let you know if someone has logged into your account from an unusual geographic location or a different computer.  This helps to let you know in a case where someone else has obtained your password and used it to log into your account.
  • A Google account allows you to turn on two-step verification to reduce the possibility that if someone else has obtained your password, they could log into the account.  
  • A Google account has protection in place to limit spoofing.

2) The second action to take is to write to your correspondents, the people who are receiving ongoing spam emails with your address attached, and ask them to forward examples of these emails to spam@uce.gov, an address associated with the Federal Trade Commission of the United States government.  Recently the Federal Trade Commission has taken legal action against one group which was sending very similar spam.


Similarities to the Spam for Diet Pills in April 2014

Further consideration of this problem shows that those behind it have a very similar method of operation to those sending spam messages to addresses at the American email provider AOL in April 2014.  You can read more about this diet-pill scamming and spamming and the response of the Federal Trade Commission in this associated blog post:

http://wardinewrock.blogspot.com/2015/10/purpose-of-spoofing-from-worldst.html

Note that at the time, there was a report of an Android trojan as well.


Further Reading

These particular emails have been discussed briefly in a few German news web sites.  Users of German email accounts were reporting this problem several weeks before I saw evidence of it in North America in early September.  You can also find discussions by puzzled participants in several question and answer forums in French, German, and Dutch, and in a growing number of blog entries.  If you do not read German, you can use the Chrome browser to translate the German articles in the references below.


References

2015

August 18
Discussion in German of this problem by August 2015 sufferers
http://www.administrator.de/frage/account-spam-missbraucht-tipps-parat-280474.html

August 19
German news article, translated title "Deutsche Telekom warns of spam wave"
http://www.heise.de/security/meldung/Deutsche-Telekom-warnt-vor-Spam-Welle-2786008.html

August 20
German article at Spiegel Online, translated title "Telekom warns of spam wave with dangerous emails"
http://www.spiegel.de/netzwelt/web/telekom-warnt-vor-spam-welle-mit-gefaehrlichen-e-mails-a-1048961.html

August 21
German article at t-online
http://www.t-online.de/computer/sicherheit/id_75115714/deutsche-telekom-warnt-spam-welle-erreicht-t-online-de-konten.html

September 8 and 13
Brown University, Rhode Island, USA, examples of the spam
https://it.brown.edu/alerts/read/fw-important
https://it.brown.edu/alerts/read/fw-important-message

September 16
Malwr automated analysis of submitted file
https://malwr.com/analysis/YjVkOGNhMjlhODc4NDkxZTlkYTViMzZkZjgyNzQ2ZDg/#

September 17
Discussion on Virgin Media community forum of these spam messages and possible causes
http://community.virginmedia.com/t5/Email-Cloud-and-Webspace/Recieved-about-20-of-these-has-my-e-mail-or-system-been-hacked/td-p/2912431

September 20
Austrian blog entry with translated title "WORLDST-UQ3K9Q0 - A Far Under-rated New Super Hack??"
http://www.agoradesign.at/blog/worldst-uq3k9q0-ein-weit-unterschaetzter-neuer-super-hack

September 25
German blog entry with translated title "Spam wave, many Telekom customers receive Fw: important"
http://totterturm-pr.de/spamwelle-viele-telekom-kunden-betroffen-fw-important/

September 25
Another blog entry in German
http://blog.trisepo.com/archives/2113/

September 26
Dutch discussion about a case
http://gathering.tweakers.net/forum/list_messages/1651593

September 28
Australian fishing forum showing evidence of "WIN-NPPN1JPV75J"
http://www.ausfish.com.au/vforum/showthread.php/203208-spam-mesage-recieved-under-the-name-of-ausfish-support?p=1600841

October 13
Blog article in English about the botnet behind the emails
http://www.evilsec.net/2015/10/new-threat-the-win-nppn1jpv75j-botnet/

October 20
German notification for members of a local sports club
http://www.svwilhelmshorst01.de/108-spam-attacken

December 18
Facebook group for users of Virgin Media accounts with this problem
https://www.facebook.com/groups/VMspoofingemails/


2016

February 9
The Register article about users of Virgin Media accounts with this problem
http://www.theregister.co.uk/2016/02/09/virgin_media_spoof_email_issues/

List of reports from Virgin Media account holders
http://wardinewrock.blogspot.com/2016/05/virgin-media-spoofing.html

April 24
German case with gmx account (second page)
http://www.trojaner-board.de/177917-tr-dropper-msil-gen-c-windows-installer-msi2935-tmp-gefunden-avira.html


HISTORICAL ARTICLES about very similar problems

Twitter, Compromised Accounts Sending Diet-Pill Spam Links, early April 2014, by Satnam Narang of Symantec
http://www.symantec.com/connect/blogs/twitter-spam-compromised-accounts-and-websites-lead-diet-spam

AOL Diet-Pill Spoofing and Breach, mid-April 2014, DMARC applied
List of 2014 articles

Skype Spam, July 2015 and ongoing
List of articles


142 comments:

  1. Great post about this WORLDST-UQ3K9Q0 hack/spammer. We've been seeing this for quite a while now, and the only info I can find via Google is in German. Again, thanks for the info, and if you've got any updates, keep us posted!

  2. Starting this morning, we're getting the exact same messages with the helo 'WIN-NPPN1JPV75J'

  3. Thanks for the tip. I see an example of 'WIN-NPPN1JPV75J' instead of 'WORLDST-UQ3K9Q0' in the link below. The subject is "Fw: read this", the pattern of recipients is the same and content takes the same form. That is rather lacking in creativity. I'd like to see a little bit more imagination on the part of the senders...

    http://discard.email/en/pillory/fw-read-this_6054408317270507865-bd657f4a7dfd7cae42c9a5677bccde63.htm

  4. Excellent article. It describes in detail the issues I have been having since 17/09/15.

    I realise that now the person initiating these emails has the email addresses in their possession there is little I can do to prevent them being used. What I don't understand is how the email addresses were harvested from my mailbox in the first place. I don't think that my user name and password were compromised, although that is a possibility, so that leaves the servers that they are held on have been hacked or someone with appropriate access rights has deliberately passed on email addresses to a 3rd party. I'm assuming data isn't stored offshore to save on costs.

  5. Indeed, Steve, it does appear from the instances I've observed that the computer program which is sending the spam is storing the email address and display name as well as a list of associated email addresses which appear to have been collected from the email account. As a result, once the email addresses have been collected, their future use is not under your control. I'm interested in hearing more about that dates when emails are sent and how many rounds occur. I have observed three rounds of email sent spaced between five and six days apart. Will there be a fourth and fifth?

    This problem is affecting people who have email accounts on a variety of different servers in different parts of the world. There are cases in Germany and in the United States. What other countries and types of accounts are affected I wonder?

    I too am wondering how the email addresses have been collected. One possibility would be that a round of phishing emails preceded the collection of the addresses and some portion of the recipients of the phish were unfortunate enough to enter their user names and passwords on a web site that collected them for future use. Then these user names and passwords were used to connect to email accounts. If that is the case, your email service provider may be able to find connection records that show that a connection was made to your account from an unusual location in the days or weeks before the first use of your address list.

  6. Hi Wrock.

    In my case I received 5 batches of returned mail on the 17/09/15. Each batch comprised varying numbers of emails but all came from WORLDST-UQ3K9Q0. There may have been more than 5 batches if all the messages in a particular batch were delivered without any being returned.

    The next set arrived yesterday 30/09/15. 3 batches as far as I can tell but this time all came from WIN-NPPN1JPV75J.

    If this problem is affecting a variety of servers in different parts of the world then your suggestion about a round of phishing sounds possible. Unfortunately my service provider Virgin Media is very difficult to get hold of and I don't hold out much hope of getting them to investigate unusual activity on my account in the days or weeks before the first use of my address list.

    Replies
    1. There is an active Facebook group of more than 200 users of Virgin Media accounts (blueyonder.co.uk, ntlworld.co.uk, etc) who have this problem. The members are providing each other with ideas on how to proceed. You might consider joining if you haven't already: https://www.facebook.com/groups/VMspoofingemails/

  7. I am having this exact spam issue. I have been trying to narrow down what could have caused this and think it's one of two things: my Outlook 2013 being hacked or they hacked directly into the servers of my email provider. Are there people who have the same issue but didn't use Outlook 2013?
    Really frustrating to know they have harvested every email address there is to find in my email history and that the spam is sent out sometimes with my name but other times the name linked to the other email addresses (but the return address is always my email address). I use my email for my business and am very embarrassed. I hope we can find out more on this.

  8. Hi,
    I think I've seen your posts on the Virgin Forum on this.
    It's gotta be a breach at Virgin's end... too many people reporting this and all pretty certain of no malware/virus or phishing, then lo and behold following VM's email migration we all become exposed to spoofing which seems to have robbed all our historical email contacts which are now all being spammed.

    The silence from VM is astounding. Any attempts at 'help' appear to be directed to reports about receiving SPAM which seems to be a related issue.

    Any ideas what can be done?

    Would disabling the email address solve the problem... ?

    I'm reluctant to do so as I've been using this email for 17 years and it's linked in to a lot of stuff.

  9. Hello,

    Sorry, you probably have me confused with another on the VM forum. My provider is Dutch and called DDS.

    Disabling your email account probably won't do any good at first because the spam will presumably just continue. Seems if this continues there isn't much choice but to get rid of this account and tell everybody to block your old address and make a new one pff. I have been using mine for 20 years! If you walk this path don't get rid of your old account before changing your email details on websites you made accounts on with your old address!

    Martin

  10. The infected computer "WIN-NPPN1JPV75J" seems to be :

    DELL Service Tag 1JPV75J
    Computer Model OptiPlex 990
    Shipping Date 12/29/2011
    Country Germany

  11. Thanks for gathering all the info. Two waves were sent out from my email address (company account, but through Google Apps services). After the first wave I took the typical steps of changing my password to something ridiculously complicated and ran various virus and malware scans. Despite all that the 2nd wave went out, as I read from your post possibly just using only my data and address book, not my actual account. I have a technical question about this: I can still see also the actually sent messages in my sent folder (for the 2nd wave Google placed also the messages I've sent out in the Spam folder directly). Does that prove that the messages were sent from my account (so through Google's SMTP server using my credentials)? Or are there alternative explanations possible for seeing sent spam in my folders?
    Thanks!

  12. In my DDS account I also see sent messages in my spam folder just as you are explaining. My provider nevertheless declares that the spam didn't go through their smtp servers so "hopefully" the same can be said about your account.

    Martin

  13. Thanks Martin, that doesn't fully satisfy my curiosity about how that's even possible, but at least makes me believe it's possible.

    Another thing that may be worth checking: I noticed that some addresses that were first used in August do not appear in my spam list, so that makes me think that maybe the addresses were harvested from my account before that. Could you check if this applies to your case as well? If it's true, it will help figure out when exactly we were hacked.

  14. In my case the first spam wave started on Sept 22nd. Going through my emails it seems that any addresses newer than around the end of August haven't been harvested in my case.

    Martin

    Replies
    1. Thanks Martin. I haven't found any leads yet on how we might have gotten hacked in the first place. Brute force seems highly unlikely (10 chars, incl. a capital and a number). I have a rooted Android phone. Anyone that got hacked that doesn't have any Android based device at all?

    2. I used a rooted android phone up until Sept 10th (after that a new non-rooted android phone).
      I suspect 1 of three things:
      - malware that hacked into my Outlook 2013 on my Windows 8.1 machine (I'm usually very careful and the only thing I suspect would be an install of the PC game Mad Max; Windows Defender doesn't like a file in the cracked version (steamclient64.dll, says infected with VirTool:Win32/Obfuscator.XZ) but lots of people said this bad identity is false so I trusted it).
      - perhaps login info was intercepted during use of unsecured open wifi hotspots on my vacation in Italy during the end of August and beginning of September.
      - brute force or lucky guessing of password (somehow seems unlikely to me because this exact spam problem has just recently become a problem for a number of different people since August I believe).

      I hope everybody with this problem can find something we all have in common, that way we might narrow down on the cause. Not that we can stop the spam but I would really really like to know what caused this!!

      Martin

    3. One more thing I wanted to add: I only used my android phone on those unsecured wifi hotspots to check my mail on vacation.

      Martin

    4. As addition to your information, In my case this was also starting mid September, but i have strong belief that it was the webmail address list that was captured.

      I have 4 email addresses on that account, so far being, 2 of those addresses are compromised, mine and my wife's, the contact persons that "I am mailing" are ancient contacts and recent ones, all were in the address book on the webmail (apparently the imap exchange on my Phone and tablet adds to the webmail contact list, that declares the "newer" contacts)

      Now everything is empty on every online mail account, but I think the harm is done. I am seriously considering giving up my mail address after 15 years of use, but as long as the email providers find no solution for the spoofing problem, there is nothing more we can do to stop this...

      Bert

    5. Same thing happening with my wife's account here. She's on all Apple devices (iPhone, iPad, MacBook) with an IMAP mail connection to a host at 1and1. Doesn't seem to be related to much except that at some point, the e-mail accounts were accessed so that the addresses could be harvested from the mail folders (not the address book). It appears that they're reusing the collected addresses and using the list to send spam to those users from open mail relays or hacked servers at different locations around the globe.

      Received: from srv2.letzgohost.be ([109.70.6.43])
      Received: from mout-xforward.kundenserver.de ([82.165.159.6])
      Received: from mr005msr.fastwebnet.it ([85.18.95.68])
      Received: from admin.balto.dk ([62.75.152.50])
      Received: from jenni2.inet.fi ([62.71.2.229])

  15. Yes, let's explore what ties the many people experiencing this problem together. Are there trends in the operating systems or email programs in use? I've updated the article to include a link to a Google form to fill out. I will check submissions to make sure that no personally identifiable information has been included and then will share the information as a spreadsheet for your analysis.

    Readers of this article in the past week have been located in the United States, the United Kingdom, Germany, the Netherlands, France, Belgium, Portugal, Sweden, Switzerland, and several other countries. I'm not aware yet of any cases in the Soviet Union or China.

  16. As I already posted in the other blog article, my freenet.de account got infected, too. My case is kind of similar to Martin's because all three possibilities he mentioned also apply to me. I'm in Lithuania at the moment and before the attack I heavily used free public Wi-Fi (without password protection). I receive my e-mail on my old Symbian smartphone and on a new rooted Android with CM 12.1 (OS 5.1.1) via IMAP. On the PC (Win 8.1) I use Outlook 2013 (365) and the modern UI app. The machine was protected by Windows Defender but that has now been replaced by Kaspersky IS (but nothing alarming was found after various scans).

    Maybe an important fact: I got an email from my provider around a day/half a day (in the night at 3 AM) before the first spam mail, saying that SMTP was deactivated because of possible abuse. In my opinion this was the moment it got hacked.

    Hope that we will find the real cause ;-)

    Marcel

    Replies
    1. I have to add that my Android phone always logged into my IMAP mail server using SSL, so I would have expected that chances are slim my login details could have been intercepted in that case, even when using open wifi hotspots?

      Also, I forgot to mention my fourth possible cause, namely a hack directly at my provider. This or an Outlook 2013 hack seem to be the most logical explanations for me at the moment.

      The last fact you gave, Marcel, seems too unlikely to be coincidence. That and the hack at T-Mobile in Germany makes me think a provider hack is the most logical explanation. Anyway, the search continues!

      Martin

  17. I have this problem with two accounts: 1and1.com and 1und1.de

    If I understood correctly, I cannot stop it, right?

    Replies
    1. Afraid not :(

      Martin

    2. Yes, unfortunately, for people who are experiencing this problem, the email address and a list of associated email addresses appear to be stored and re-used a number of times. Therefore, you cannot stop the sending of the emails. You can warn your recipients to block email with the subjects specified in this article using a filter, although new subject lines may arise. Good email providers will be marking the messages sent under your name as spam because the messages have been in circulation for a number of weeks and should be known to the programs used to mark spam.

    3. Thanks, I still have the problem... yesterday night all my contacts received again the spam :(

  18. Same problem here. I'm in Spain but using One.com host located in Denmark. Win8.1 with Thunderbird as mail client, Windows Phone 8.1 + Nexus tablet. Problems started September 22. I have been asking my host to provide me web mail access logs for the period preceding the e-mail spoofing wave but they are stalling and uncooperative. I find it unlikely that this is happening because of local malware as I have several different mail accounts in Thunderbird and only one of them has had the contact list compromised.

  19. Same problem with the Swisscom (Bluewin) provider in Switzerland. I'm using an Android smartphone as well. From my point of view the Android smartphone can be the key to the mail access. But yes, this is just my personal thinking.

  20. Same here, and from Spain too. The problem for me started August 18; I'm using Gmail on my own domain with Thunderbird as mail client too. Only 3 accounts in my Thunderbird were compromised (10 in total). In my case, "I" sent the spam three times since August...

  21. Here in the United States a Windstream.net email account was compromised. It sent infected emails in three waves. The online account does not have an address book, but it sent to addresses that exist on the server in old emails.
    Partial header:
    Received: from WIN-NPPN1JPV75J ([88.235.185.36]) by mrelayeu.kundenserver.de (mreue003) with ESMTPSA (Nemesis) id 0MKuxg-1Zihfa10ro-0004fG; Sun, 04 Oct 2015 13:41:36 +0200

  22. Today, "I" sent the fourth wave since August 18 :(.

    Replies
    1. It seems to have been a busy few days for the engines which are churning out the spam. Plenty of new rounds of spoofing for those affected went out on the 17th, 18th, and 19th of October, I understand. Two months in, it is a bit much, isn't it?

  23. My wife's account is experiencing this problem for the first time today. She only checks her email on her Windows Phone and through the Telus webmail interface. She has never used Outlook. So either she was phished or someone was able to access her webmail info, I think.

    Replies
    1. I have received three messages "from" a Telus account, sent Oct. 27 also. Same account also sent one on Dec 12. "From" other Telus accounts also on Dec. 4, 11, 13 and 14.
      Has anyone followed up on the target of the links embedded in the message? They seem to consistently be to .php pages with a parameter passed.

    2. Yes, the spam being sent always has a PHP link inside. This PHP link redirects once or twice to another web page entirely. In fact, the links can send you to one web site one day, and a week later the same PHP link might have a different web-site destination. It is a flexible and fly-by-night set up.

  24. The domain of my spoofed email address is also hosted on one.com in Denmark.

    Is it possible that there's a vulnerability in their webmail system? And that system is also used by other providers.

    // René, DK
    Replies
    1. Good to hear I am not alone on one.com. I am convinced this is a problem on their end. As far as I have been able to determine there is no other logical explanation.

  25. Hi, I also use one.com (dk) for hosting my emailservice and have experienced the same problem.

    This morning was the third time it happened. (Oct 22nd, Oct 31st, and now Nov 5th.)

  26. I'm also using one.com (DK) and experiencing this issue.
    Mails were sent on Oct 22nd, Oct 31st and now again this morning, Nov 5th.

    Replies
    1. Hi!
      My wife is experiencing this as well. Also using one.com as web host.

  27. Same problem for one person at my work. Provider "1und1.de", Windows 7, Outlook and iPhone. Everything without malware and viruses (scanned with Gdata & Malwarebytes). He sent emails to current colleagues (one employed for only a month) and former colleagues (one who left 5 years ago). The webmailer includes just the emails of the last two weeks and he does not have an address book in the webmailer or in Outlook. We cannot understand the consistency in the email recipients.

    Replies
    1. On any mobile devices, for 1&1 users, was email used from the web browser, and did the web browser have cookies turned off? There was an interesting vulnerability that gave access to 1&1 accounts in August 2015. You can read more, in German, here: https://www.wired.de/collection/latest/so-konnten-fremde-euer-postfach-bei-web-de-gmx-oder-1-1-eindringen/

  28. Hi. Why don't providers (SMTP) kill all messages coming from WIN-NPPN1JPV75J instead of relaying them?

  29. I believe, as mentioned in others' previous posts, that once the email addresses are obtained they are used either randomly or per a scheduler on the remote host. Observing some of the NDRs with the original email/header, I can state that they do not derive from the Outlook address book, but perhaps from the Outlook .NK2 (AppData\Roaming\Microsoft\Outlook) or, in more recent 2010/2013 MS Office versions, the Stream_ files located under AppData\Local\Microsoft\Outlook\RoamCache. This may explain the alphabetical ordering system used, so as to avoid the "too many hops" or "too many recipients" often received as a non-delivery report (NDR). The email addresses would presumably be accessible under IMAP on the email web account if using a web-based delivery server (POP/SMTP/IMAP). I guess it is a fairly simple operation for the perpetrator to write a .js or .vbs script to pull these files directly via the web browser on the client PC. I have yet to see a regular pattern (apart from composition: "Subject: Fw: important message, Hello, New message, please read") but I often email the website SpamCop, which at least is able to contact the web admin/host to inform them of SPAM being sent in the form of this spoofing attack. I think I will run a rootkit detector this evening to see what is detected, if anything, but again, once the address file is uploaded there is nothing to stop the spammer reutilising the addresses multiple times.

  30. Hello, I've had this happen for the third time in less than six weeks. I got woken up at 6:30 a.m. eastern by texts from people telling me my email was sending upwards of 15 spam emails with "FW: new message" as the subject line. Changing my password is useless and I've run both Malwarebytes and Panda. Both turn up empty handed in finding anything each time my address has bombed the world. And of course then there are the incessant "delivery failure" notifications that climb as high as about one thousand. Has anyone found a solution?

  31. I have the same issue. It started when I was on vacation in Canada. All my PCs were off at this time for ~1.5 weeks. Only my Android phone was on. Maybe they stole my address book from my Android phone when I tried to connect to an infected wifi hotspot? When you are traveling on vacation and you want to check your emails you use a Starbucks or camping-site hotspot, and hope that they are not infected.....

    Replies
    1. On the Android phone, were you using web mail (reading email using the web browser rather than an email app), and if so, were cookies turned off in the web browser?

  32. Same issue also in Belgium. It started in September and is going on on a regular basis. Also today mails have been sent. Is there any news yet on how this can be avoided?

  33. I posted my comment on 11/22. This happened again yesterday. Shutting off my computer didn't help. I had to change my password twice and then shut it down. Then it ceased. Somehow something is buried and undetectable by FOUR anti-virus programs. I'm going to try and upgrade from Windows 7 to Windows 10 to see if this helps.

    Replies
    1. I don't expect an operating system upgrade to solve the problem, although it is generally a good idea to upgrade. Since many people have been using anti-virus programs to look for the source of the problem over six or seven months and none have reported finding anything, a computer virus doesn't seem to be the cause.

  34. New wave today...I also have mail hosted @ one.com

    Subject "fw: new message"
    Received: by 10.37.40.137 with SMTP id o131csp3172313ybo;
    Wed, 2 Dec 2015 17:32:03 -0800 (PST)
    X-Received: by 10.55.15.101 with SMTP id z98mr1223407qkg.60.1449106323660;
    Wed, 02 Dec 2015 17:32:03 -0800 (PST)

  35. I'm so thankful to have found this blog. My problems started when I was on holidays in Italy, Sept. 14th. Most of the time I'm using my iPad for reading and sending emails. Only once in a while I check emails on my desktop (at that time Windows 8; Thunderbird). In Italy I only used my iPad.
    What I did there was to enable a friend to exchange photos via icloud-photo-sharing.
    I did a lot of changing passwords, running antivirus programs and informing my provider (1&1).
    The problem is occurring every 14-20 days. So I have had about 6 times by now.
    I have given up.
    My husband is using the same domain and desktop, but luckily they didn't get into his account as well.
    He is not using my iPad for emails. Could that be a hint that the iPad was hacked?

  36. 4 of our accounts started sending "Fw: new important message" emails this weekend. They're at it again...

  37. New wave today as well. I'm from Switzerland. What can I do? I'm not a native English speaker, so sorry if this is a silly question, but it is not a problem on my PC/laptop, right? Like there is no trojan or whatsoever on my PC? Only my mail account? So it would help if I change my mail address?

  38. I'm glad I found this string. We have been dealing with this for a few months. We switched from Gmail to Microsoft hosting and it immediately started happening to one account. Not all. I'm curious if upgrading to Windows 10 changed anything. We've tried all of the ideas above without success. We just had another one this afternoon. Is there anything I can post here to help people troubleshoot it?

  39. I have the same issue but a different provider. What I have seen is that the sending IP belongs to one&one.

  40. And another wave today from Spain :(

  41. Yesterday a new wave; I'm from Italy. Looking at the header, they are sent from China.

  42. Thank goodness for this string which has partially saved my sanity. I am in Australia; a second wave went out from my address on 17 December and a third wave on the 31st. I am bracing myself for the next. It is so embarrassing and distressing. My ISP (one of the largest) doesn't know what I am talking about so obviously it is not yet big news here in Australia. It would be hugely inconvenient for me to change my email address and, as I read it, would make no difference anyway as the emails do not emanate from either me or my ISP. At the moment I am advising close friends of the situation and hoping others have a robust spam email filter that (sooner or later) will recognise these spam emails for what they are and block them.

    Replies
    1. It is an embarrassing, distressing and outrageous problem! The spam emails sneak past many automated spam filters because they are short, have generic subjects, and contain just a link. There have been a few people in Australia reading this blog for several months, but not in large numbers compared to European countries and the United States.

  43. I am in the USA. I cannot find evidence of the specific headers as mentioned early in this page. I've been getting hit about once a week for 2 months now - almost always occurs on Saturday AM (I live in California.)

    Nobody has clearly stated, "Here's how I got rid of it" which is what I am (desperately) looking for as this has been my same email for 15 years. I use GoDaddy email on my private domain (no other domains have been infected and I use 7 different email accounts within outlook 2013.)

    Replies
    1. Da Man is right, the spammer has changed his approach and no longer uses the "WORLDST-UQ3K9Q0" or "WIN-NPPN1JPV75J" identifiers. They are more varied now, but there is a pattern: they are all short domain names, most look like gibberish but at least some exist. In my last 2 waves (31 Dec, 26 Jan) the following were used: goqx.com, ouag.com, yfzl.com, wkdjof.com, zeeux.com, qortll.com, wakd.com, nrrgr.com, gwcjd.com, nnlbi.com, glbaqm.com, wucg.com, ridzgg.com, orbhgh.com, knsfg.com, blwl.com, nlqd.com, bswyb.com, wpilc.com, jxlfe.com, ntmia.com, wylp.com, ifrk.com, yotz.com, bnjer.com, olyj.com, uxljsg.com and ubeigy.com. You'll find these in the email header, either after the phrase "HELO" or "Received: From"; if you see multiple, you're looking for the one further down.

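Reading the Received chain the way this reply describes (the originating hop is the bottom-most Received header, and the name the client announced follows "from"): a small Python parser, added here as an example and not written by anyone in this thread. The sample message is constructed; its second Received line is the one quoted in comment 21 above, while the relay.example.net hop, the From/To addresses and the id "hypothetical01" are invented.

```python
import email
import re

# Constructed sample message. The second Received line is the one quoted in
# comment 21 of this thread; the relay.example.net hop, the From/To addresses
# and the message id "hypothetical01" are invented for the example.
SAMPLE_RAW = """\
Received: from relay.example.net (relay.example.net [192.0.2.15])
    by mx.example.com with ESMTP id hypothetical01;
    Sun, 04 Oct 2015 13:41:40 +0200
Received: from WIN-NPPN1JPV75J ([88.235.185.36]) by mrelayeu.kundenserver.de
    (mreue003) with ESMTPSA (Nemesis) id 0MKuxg-1Zihfa10ro-0004fG;
    Sun, 04 Oct 2015 13:41:36 +0200
From: victim@example.com
To: contact@example.org
Subject: Fw: important message

Hello, New message, please read
"""

# One Received clause: "from <helo> (<rdns> [<ip>]) by <mta> with <protocol>".
# The rdns part is absent when the receiving MTA found no PTR record, which
# is exactly the shape of the WIN-NPPN1JPV75J line above.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s(\[]+)"                # name the client announced in HELO/EHLO
    r"(?:\s*\((?P<rdns>[^\s\[)]*)\s*)?"           # optional reverse-DNS name
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]"                 # address the receiving MTA actually saw
    r".*?\bby\s+(?P<by>\S+)"                      # the MTA that wrote this header
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?",  # SMTP/ESMTP/ESMTPS/ESMTPA/ESMTPSA
    re.IGNORECASE,
)


def parse_received(value):
    """Parse one Received header value; return None for lines without a 'from'
    clause (e.g. the 'Received: by 10.37.40.137 with SMTP id ...' form in comment 34)."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    proto = (m["proto"] or "").upper()
    return {
        "helo": m["helo"],
        "rdns": m["rdns"] or None,
        "ip": m["ip"],
        "by": m["by"],
        "proto": proto or None,
        # RFC 3848: a trailing "A" (ESMTPA, ESMTPSA) means the client authenticated,
        # i.e. the message was submitted with a valid account password.
        "authenticated": proto.endswith("A"),
    }


def received_chain(raw):
    """All parseable hops in header order: first is the last MTA, last is the origin."""
    msg = email.message_from_string(raw)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


def originating_hop(raw):
    """The bottom-most Received header: the first MTA that saw the message and the
    client it saw. Headers above it are only as trustworthy as each relay in between."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def hop_findings(hop):
    """Things a postmaster notes when reading the originating hop."""
    findings = []
    if "." not in hop["helo"]:
        findings.append("HELO is not a fully qualified domain name")
    if hop["rdns"] is None:
        findings.append("no reverse DNS recorded for the client address")
    if hop["authenticated"]:
        findings.append("client authenticated to the relay: submitted with account credentials")
    return findings


if __name__ == "__main__":
    origin = originating_hop(SAMPLE_RAW)
    print("origin:", origin)
    for finding in hop_findings(origin):
        print(" -", finding)
```

The ESMTPSA on the page's own header line is worth noticing: it records an authenticated submission through the provider's relay, which matches the account-takeover phase described later in the thread rather than an open relay.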
    2. Furthermore, Da Man, I have a theory why only 1 of your 7 accounts was affected (many of us reported here that we used private domains): I think the spammer checked which domains didn't have the proper security set-up, mainly SPF, maybe DKIM. Please check if you have a well functioning SPF for your domain; you can check it here http://mxtoolbox.com/spf.aspx
      Many of the domains listed on http://wardinewrock.blogspot.pt/2015/10/domains-spoofed-by.html don't have SPF, and the ones that do may have (like me) added it only after the spam problem started.

      That brings me to what you can do. Barely anything. But setting up SPF is a good idea, first it can help spam filters to better filter it out, and also what I worried most about, that my email address or domain would be put on a blacklist or spammers list becomes less likely. Next step would be a DKIM signature, that should help your regular email passing through spam filters. Only after those you can implement DMARC, which will give you the ability to instruct email servers that look at DMARC to block email not sent through the email servers in your SPF and not DKIM signed by you, and you even get notifications of the blocked emails from each participating server. It takes some doing, but it gives you back some control.

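To make concrete what an SPF record does and does not give a receiving filter, here is a minimal SPF evaluator, added as an example and not part of this thread. It runs offline against a constructed in-memory TXT table (all domains in it are hypothetical; include: is resolved against the same table), and is checked with the 88.235.185.36 address from the header quoted earlier. The point to note is the difference between "none" (no record, nothing for a filter to act on) and "fail", and how a "+all" record passes every sender.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table."""
import ipaddress

# Constructed TXT records for hypothetical domains (not real DNS data).
FAKE_TXT = {
    "example.org": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # softfail: filters only score it
    "weak.example": "v=spf1 +all",                       # weak setting: every sender passes
    "loop.example": "v=spf1 include:loop.example -all",  # pathological include loop
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def spf_record(domain, txt=FAKE_TXT):
    """Return the v=spf1 record for domain, or None when the domain publishes none."""
    rec = txt.get(domain.lower())
    return rec if rec and rec.split()[0] == "v=spf1" else None


def check_spf(sender_ip, domain, txt=FAKE_TXT, _depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none', 'permerror')
    for a client at sender_ip claiming to send mail on behalf of domain."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain, txt)
    if record is None:
        return "none"  # nothing published: a filter cannot reject on SPF grounds
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            sub = check_spf(sender_ip, arg, txt, _depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # include matches only on a pass of the other record
        elif mech == "all":
            matched = True
        else:
            # a, mx, ptr, exists and the redirect= modifier need live DNS; skipped offline.
            continue
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for dom in ("example.org", "soft.example", "weak.example", "nospf.example"):
        print(f"{dom:24s} 88.235.185.36 -> {check_spf('88.235.185.36', dom)}")
```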
    3. Email protocols were not originally designed to prevent spoofing, so there is no solution to the problem. The spammer has a list of contacts that were stolen from you, and the spammer will spoof your name+email to the contacts they stole from you.

      Now maybe the spammer will stop spoofing yours if it becomes less effective at tricking your contacts into clicking the spam links. So far, this spammer doesn't seem to care about resource efficiency -- even spamming "noreply@..." email addresses.

      Now, when I learn of a user with a weak password that hasn't yet been compromised, I tell them to change it right away. Changing to a secure password *after* the spammer has harvested your contacts will not stop the spoofing, so people should do everything possible to prevent it from happening in the first place.

      I've helped a few people create a new email address (usually with Gmail). We configure the old email account to forward messages to the new one. We configure the new one to automatically apply a label to those messages. Then, I advise the users to send a mass email telling their contacts that they can block messages that appear to come from the old email account (being sure all the recipient addresses are in the BCC field, so their addresses are not exposed to each other).

      Maybe you're not ready to break up with your old email account. That's how many people feel. In that case, you can only hope the botnet spammer gets tired of spoofing yours. Even if the botnet gets shut down, I suspect the people operating it will still have the stolen contacts somewhere, still associated with your name+email. They might sell it to other hackers or feed that data into the next botnet they build.

    4. Ichi-ni-san, indeed, it is quite remarkable that the spammers are still sending to lists of email addresses used repeatedly for more than six months. Those are worn-out addresses by now! It is also interesting that there is no indication that the address collections have been sold onwards. The spam continues to have the same themes as it did months ago.

      You are certainly on the right track shifting people with this problem to new addresses. How many cases are you working with?

    5. Sadly, Dan, we are not describing "how to get rid of it" since that is not under your control now that your address and list of correspondents has escaped. If this problem continues for another two years, would you still want your current email address? My best advice is to cut your losses now and restore your reputation with your correspondents by creating a new email address.

      Yes, the HELO strings which were present in the summer and early autumn of 2015 are not present in recent examples. The subject lines and pattern of the spam as well as content of the web pages to which the links redirect remain consistent and predictable.

  44. I'm the one that posted on 11/22 and 12/1. This happened again on 12/23 and today. But here's the crazy part: my computer was off on the 23rd, and unplugged today. I figured out the culprit: GotoMyPC. The email address this keeps happening to is the one I use it with, and recently what I thought was a glitch was actually a big deal: GotoMyPC showed my computer as "logged in since" the time it had been shut down. A turned-off computer should be offline. None of my other email addresses have been impacted, though they did receive the spam bombs. I uninstalled GotoMyPC and then reinstalled it, this time using a different email address. Upon the reinstall, my computer froze and I had to manually shut it down. I turned it back on, turned it off and then checked to see what would happen if I tried to login to GotoMyPC from the devices I had the app on: all showed me as logged in since the time I'd shut the computer down. I deleted the program again. I need to understand what is hijacking GotoMyPC; does anyone have any ideas? Oh and PS: today it did something new: the spam posted to every Facebook group I belong to, several times. Facebook was open on the iPad I used to access GotoMyPC's app.

    Replies
    1. The spam messages will continue to be sent whether or not your computer is turned on. The messages originate from an international botnet which has stored your email address and the email addresses of your correspondents and uses them periodically to send emails which look as if they have originated from your email address.

    2. Yes, indeed, you'll find that the spam messages are sent to groups and blog addresses and mailing list addresses. Particularly hard hit have been some computer mailing lists and bird-watching lists. If an address is inside your mailbox, then spam may be sent to it. This has caused some people to be banned from mailing lists they belong to because of the continued spam which appears to originate from their addresses.

    3. Thank you for replying. I left a comment earlier today (along with the above and in another one of your posts back in November). I think what's really aggravating is not only the actual Spam Bombs and 1000+ "undeliverable" notifications, but then the people who think they're helping by emailing, "change your password, you've been hacked...!" Or my favorite, "Do you know about anti-virus? I think you need one..." Uh, gee thanks. I suspect Forbes was my "ground zero," since I NEVER click on email links. http://www.networkworld.com/article/3021113/security/forbes-malware-ad-blocker-advertisements.html

  45. Another wave yesterday from Italy

    Replies
    1. I have not yet heard of a case for which this problem has begun and has actually stopped. You can expect it to continue. It is quite a remarkable way to send spam since the value of an address which has received repeated spam is surely not much to those who are doing the "marketing". Perhaps the spammers are being paid by the number of emails sent and so are not worrying about overusing the recipient addresses.

  46. I may have a lead in this case. I'm a systems admin, so I monitor a lot of postmaster@ and abuse@ aliases on various mail servers -- which means I see failed mail and "mailer daemon" e-mails a lot.

    I've seen these kinds of spams in various places, including ones that purport to be from some of my contacts. I've suspected for a while that the correlated address pairs (i.e. how the spammers decide whom to forge a message being 'to' and 'from') might be coming from mail logs or traffic sniffing, rather than compromised address books. My main reason for thinking this is that I've seen to/from pairs from accounts that were very unlikely to be compromised.

    Anyway, this morning I encountered one of these spams sent "from" some random address I don't recognize, and addressed "to" MAILER-DAEMON@ (various domain names). One of the domain names was a mail server I manage, which is how I got the message.

    No one has "mailer-daemon@" addresses in their address book -- humans practically never have cause to directly mail these aliases; they're system aliases where last-ditch failure messages go. The fact that the spammers created a correlated address pair with a bunch of mailer-daemon addresses in the "to" field suggests that they didn't create that pair by looking at someone's address book, or even by looking at someone's computer or mailbox (because no one would have mails from all of these mailer-daemon addresses; most humans wouldn't even keep a single mailer-daemon e-mail once they'd read the error message).

    This spam message, I think, makes the most sense if its addressing was created from an algorithm that processes mail traffic logs -- it saw that e-mail to and from this particular address was correlated with mail to and from mailer-daemon addresses. This would happen if the address was bad -- if all mail sent to this address resulted in an immediate reply from a mailer-daemon address, a mail admin like me would say, "hm, I bet there's something wrong with that address", but an algorithm unaware of the special meaning of mailer-daemon aliases might think, "hm, this address talks to mailer-daemons a lot; I bet they're his friends -- so if I create a message purporting to be from him and send it to mailer-daemons, I bet they'll be likely to open a message from their friend!".

    The source & full headers of the mail in question is here:

    http://skeena.net/blog/important_message_spam/mailer_daemon_example.txt

    So, this prompts the question, how are spammers getting access to mail logs? There could be lots of ways -- maybe some e-mail providers have been hacked, maybe the spammers have someone on their payroll with access to Internet core routers that they can traffic-sniff (most e-mail is sent completely unencrypted, so this would be easy), or maybe someone at the NSA is making side money by selling their traffic correlation records. Who knows.

    Replies
    1. The algorithm which collects the addresses for a particular account always alphabetizes the results and now sends to small chunks of addresses which have been alphabetized, so it is not surprising to see a spam message sent to five addresses all beginning with the same letter. Back in September, the spam messages were sent to longer lists of recipients and then the alphabetization was more obvious. I think you will find that the email account of the person whose address has been spoofed contains messages from the mailer-daemon addresses.

      The number of affected accounts at a particular email provider tends to remain low as a percentage, for example, 0.1 %. Providers such as Virgin Media have resisted suggestions that their servers have been compromised perhaps because the number of reports they have received are an extremely small percentage of their user base.

    2. Felix,

      I like your thinking on this but my range of addresses that are being spammed are from a very wide range of dates some of which precede the mail system being run by VM so you are talking about a sniffer being in place for a very long period of time.

  47. This has been happening to me since mid-October. Every two weeks or so, a large number of my contacts get spammed (and I receive hundreds of mail failures). I'm in the UK and my mail is hosted by 1&1.

    Replies
    1. Our sympathies. You'll probably want to create filters to delete the messages about the mail-delivery failures since the spamming and failure messages are likely to continue and can make it hard to see your actual mail.

  48. Having received another phish, purporting to be from me, one of my colleagues just speculated as follows:

    I may have a lead on these spam mails -- this morning I got one with this addressing pattern:

    From: bzctoons@free.fr
    To: Mail Delivery System , Mail Delivery System , Mail Delivery System , Mail Delivery System , Mail Delivery System

    I think that would happen if the addressing patterns are being created by an algorithm that processes mail logs from an ISP -- no human would have a bunch of MAILER-DAEMON addresses in their address book, but mail to bzctoons@free.fr resulting in lots of replies by MAILER-DAEMON is what you'd see in a mail log if bzctoons@free.fr was a bad address (mailbox full, address no longer exists, etc.).

    The spammers' algorithm doesn't know the special meaning of the MAILER-DAEMON alias, so it sent me that spam because it assumes that MAILER-DAEMON@victoria.tc.ca and bzctoons@free.fr are friends ("why else would they be mailing each other a lot?").

    Still leaves the question of how they're getting access to mail logs, but it does mean:

    - It's probably not an infection on the client computers (i.e. Garth's mac is probably fine)

    - There's nothing that can be easily done about these messages

    (The above spam implies that the mail log at the "free.fr" server is what's been compromised, not us -- because from us they would see the bzctoons@free.fr <-> MAILER-DAEMON@victoria.tc.ca correlation, but not any of the others.)

    Replies
    1. Were there five recipients or four? The examples I've seen late in 2015 all had exactly four recipients.

      Indeed, there is nothing that can be easily done about these messages. The best a victim can do is side-step the problem by creating a new email address and letting their correspondents know to filter and delete all messages from the old address.

      One important characteristic of this problem is that the spam is sent to addresses which are not a list from the address book. The addresses are a collection found inside the messages in the account. As a result, the collection of email addresses to which the spam is sent can include email addresses only used years ago and email addresses to which the victim has never sent email but which might have been present on a CC in a message sent by someone else to the victim. Since the collection of email addresses to which the spam is sent appears to be those email addresses present in the email in the account, the addresses can include mailer-daemon addresses. In the cases I've checked, every address to which spam has been sent can be found in an email inside the account, even if the victim does not recognize the address at first glance.

    2. In my case, all have five or six recipients. Problem started March 2016.

  49. Sorry about readability. I removed most punctuation because the comment platform thinks I am using HTML. I have information that is not contained in this article!

    I work for a small cable ISP called NuLink and I have dealt with hundreds of these cases. Most of our affected customers have numail.org accounts but some have summergrove.net and a handful of other vanity domains. For email hosting we had used Google Apps for ISPs from late-2010 to June 15 2015. We had to switch hosting to Tucows because Google ended the Google Apps for ISPs platform. Email for all of our domains is now hosted by Tucows. During that transition all contacts from the Google platform were imported to the user address book in the Tucows Roundcube webmail system. That includes the contents of the Other Contacts group from the Google system. On the Google platform the Other Contacts group contained practically every email address the user had sent to or received from.

    Initially a user account with a weak password is compromised on the Tucows system. The spammer collects all contacts from the user account. This could be harvested from email message headers but also could be collected from the Tucows address book. While the spammer still has access to the user account it sends as much spam as possible. At this point the spambot is spoofing other email accounts so there will be no delivery errors returned to the compromised user. Eventually the user account is throttled by the Tucows SMTP server. The spammer keeps trying to send and the account is throttled again almost as soon as the throttle expires. Eventually the user tries to send email and gets an error message due to throttling. This is the only indication that the account was compromised. The error message is not specific enough for a user to know what it means (USER not permitted to relay). The user calls me to change the password. In numerous cases I have learned that the original password was incredibly weak like 12345. Once the spammer is locked from the account the spammer switches modes and starts using the botnet to spoof the user name and email to the contacts that were stolen from that user account (even to the noreply email addresses). This helps the spammer avoid honeypot email addresses that would get all of the participants quickly added to a public blacklist. The user is bombarded with delivery failure messages and angry replies. Many users incorrectly assume their account is being repeatedly compromised. They might try to change their passwords multiple times.

    The mail host keeps suggesting that these users scan their computers for malware. That is never a bad idea but I do not believe end-user malware is the problem. After learning that so many affected users had incredibly weak passwords I am certain the spammers are using a simple dictionary attack to compromise the accounts initially.

    This all started happening late July or early August. That was not long after the switch from Google to Tucows. I will try to find the earliest examples I have and report those.

  50. Interestingly, my scenario also happens Saturday AM

  51. Is there anyone out there that is getting close to this?

    1. Close to understanding the method by which the spammers have collected the list of addresses?

      I wonder if there is any correlation between the topic of weight loss and people who find their email address hijacked. Are you all members of particular fitness or weight-loss web sites?

    2. I am not a member or subscriber of anything related to fitness or weight loss. I believe mine originated with something related to Forbes: http://www.networkworld.com/article/3021113/security/forbes-malware-ad-blocker-advertisements.html (I never turned anything off, but Panda didn't block any ads.)

  52. I commented on another Wrock thread somewhere back in November. I'm in the US, Northeast region. I started experiencing this "Spoof Spam Bomb" issue at the end of August. The second occurred six weeks later, the next about four weeks, then less than four weeks, then two weeks. Since January it's become a weekly occurrence with the most recent happening yesterday. Here are some consistencies I've observed from my experience:

    *It’s my default Outlook address and not any of the others in there.
    *I do not have an Outlook address book, so it combed and collected every address in emails, including spams and others, which is why I’ve never heard of a ton of the addresses these Spams go to.
    *It happens whether my computer is on or off.
    *If my computer is on, it posts to Facebook groups I subscribe to.
    *Ever since this started, my GotomyPC showed as logged in, even if my computer was off. I’ve removed that program, but the spam bombs still occur.
    *On a couple of occasions the spam bombs took place with all iPads and computers disconnected from the internet (modem shut off and computer unplugged from the wall)
    *Beginning in December, every time I shut down my computer, I changed my password to my email on different devices that aren’t on my network, wondering if the spam was launching as a result of my password being entered into Outlook on my computer. Spam bombs still occurred.
    *Panda, MalwareBytes and Spybot were all used and unable to catch the issue leading to the spoof spam bombs.

    1. On your iPad and other mobile devices, do you use web mail, and if so, do you have cookies turned off in the web browser?

    2. Sorry for missing this. I don't generally email from my iPad. The only time is when it uses Gmail as a default if I want to forward articles. That account is so rarely used, but based on the names in the Spam Bombs, this email gathering occurred with my desktop PC. And these new email subject lines and content are brutal. I had a wave occur last weekend and by the time I noticed it, I had over 1500 "Mail not delivered" notifications. One of my other email accounts was gathered by the spam program and that received NINE of the messages. I can only imagine how many other people's addresses received. So annoying.

    3. Yes, this problem is both annoying and destructive! Have you opened a new email account yet? While receiving so many "Mail not delivered" notifications makes it very hard to find your real email in between those messages, it is a good sign because every one of those "Mail not delivered" messages is one of these pieces of spam which did not reach the recipient. If you still have the nine examples which arrived in your other account, forward them to spam@uce.gov, an address belonging to the Federal Trade Commission. They have been investigating and taking legal action against a spam campaign very much like this one.

  53. "Spoof Spam Bomb" is a great descriptive term for this outrageous problem. Yes, you are certainly correct about the "combing every address in emails". That is a very particular and unusual characteristic of this problem.

    I don't expect you to find a connection between the times that your computer is on or off and the times when the emails are sent. Once your email address and list of email correspondents have been collected and stored by the perpetrators of the spam, the spam emails are sent from computers around the world. Your computer could be turned off for months and the spam would still be sent.

    Changing your password at least once is important. Also changing your password on any other web sites on which you might have used the email address and email password is very important. If you are worried about not being able to remember many different passwords, start using a computer program to store passwords. Since the spam emails are not sent from your computer or email account, changing the password after each "spam bomb" will not prevent additional bombs.

    1. You've been super helpful in identifying this issue, so I'm very grateful. It's one thing to have a problem and know why, but it's super stressful to have a problem and have people bent out of shape over "why you're spamming them" when you're not... or at least not directly. My one continued concern is, while I obviously cannot do anything about the emails being sent in the future, what about posts to Facebook groups and such? I am careful to always shut down my computer when it's unattended and all passwords to all services have been changed, but I'm thinking there's something active in my computer that's being called upon to post (in my case, Facebook groups) when my computer is on and connected to the Internet. Also, what about "whatever it is" returning to collect new email addresses? Interestingly enough, no one new whom I've been emailing with since at least December has received the Spoof Spam Bombs. I'm curious as to whether or not anyone has reported anything new anywhere in logs or what have you that would indicate a malware or virus plant.

    2. LizE, I've not heard of anyone with this problem so far identifying a virus or malware on their computers and mobile devices, and hundreds of people have been looking. I'm also not aware of anyone reporting new email addresses being added to the list of people who receive messages. In other words, my understanding is that the list of addresses is collected at a single time point and does not update after that. If your email account contained a Facebook-posting email address, or addresses of mailing lists, or addresses for posting to blogs, then those addresses also receive the spam.

  54. I have this problem and am pretty sure I know what caused it. I was grabbing my Android phone to answer a call and accidentally hit the .php link in one of these e-mails sent to me. Almost immediately, I got a call from a friend that it looked like my e-mail had been hacked, and I started to see a bunch of not delivered messages. I immediately turned off the phone, and the not delivered messages stopped.

    I subsequently changed e-mail passwords and reinstalled the phone from scratch, but the e-mail addresses that did get grabbed continue to periodically get the spoofed messages. It looks like I stopped it midstream, as only some of the e-mail addresses I use, toward the top of the alphabet, got grabbed, and it doesn't seem like any new ones have been added. I can also confirm that at least some of the addresses taken were grabbed from e-mail traffic, as they were not in my contacts or any address book.

    1. There are cases of this problem for people who do not use Android phones.

    2. What was your email provider and were you using web mail with cookies on the browser turned off?

  55. I have numerous email accounts hosted by 1and1 and I believe their servers are in Germany and Pennsylvania. The oldest one is 17 years old and this is the email address name that is most often being spoofed. Many of these accounts are used exclusively for forwarding Twitter messages from numerous Twitter accounts I maintain. I have been getting Spoof Spam Bombed in waves going back to September. They continue even though I have changed my password. Latest attack was yesterday.

    My suspicion is that 1and1 mail servers were compromised as they are now promoting "free upgrades."

    1. For all 1&1 account holders, I'm wondering if you are also users of web mail with a mobile device where the mobile device had cookies turned off in August 2015.

    2. Hi Wrock, Just revisiting my 2/17/2016 post and saw your and others' remarks focused in on 1&1. Yes, I access their webmail servers from a mobile device and have for a while. Still do. I have private browsing enabled on that mobile device and cookies probably turned off too (for privacy, or so I thought). Will post source code of a message typical of ones that have been inundating the field

      Return-Path:
      Received: from [74.208.5.3] ([74.208.5.3]) by mx.perfora.net (mxeueus001) with
      ESMTP (Nemesis) id 0MZW0J-1au7p231gr-00LGPH for ;
      Fri, 03 Jun 2016 12:31:51 +0200
      Received: from wobosm03.netvigator.com ([219.76.95.119]) by mx.perfora.net
      (mxeueus001) with ESMTP (Nemesis) id 0M1poS-1bTBrL2ySY-00tlwW for
      ; Fri, 03 Jun 2016 12:31:49 +0200
      Received: from wsgmta04.netvigator.com (wsgmta04.netvigator.com [218.102.62.240])
      by wobosm03.netvigator.com (8.14.5/8.14.5) with ESMTP id u53A1POA006950;
      Fri, 3 Jun 2016 18:31:44 +0800
      Received: from ubia.com ([212.117.23.97])
      by wsgmta04.netvigator.com with bizsmtp
      id 2AXe1t00125hKqk01AXkK7; Fri, 03 Jun 2016 18:31:48 +0800
      From: XXXXXXXXXX via Twitter
      To: "XXXXXXXXXX.com" ,
      "XXXXXXXXXX.com"
      ,
      XXXXXXXXXX.com>,
      "XXXXXXXXXX.com"
      ,
      "XXXXXXXXXX.com>
      Subject: look at that!
      Date: Fri, 3 Jun 2016 13:31:39 +0300
      Message-ID: <0000c7841455$e0e4411f$f6410be6$XXXXXXXXXX.com>
      MIME-Version: 1.0
      Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0001_2D283AAD.657ADD65"
      X-Mailer: Microsoft Outlook 15.0
      Thread-Index: AdHG181iX3QtxcWcJaPzYD5FXr3GeQ==
      Content-Language: en-us
      Envelope-To:
      X-UI-Filterresults: notjunk:1;V01:K0:bj40jeReXV0=:PGAxJYkNKqWb9MTzPGFPK2S34D
      bB3w8ktL/a2EXaVPtMx3z0FRXHbJtbglcPCcxiXwv+KE0jBNz/1bUbb7Psx6YHcF4wyprW0Es
      DAPtV63uKcFgskdLe6FHINblDJTqbN92QeWFAIgEOughoDb0EvY7gmeGAhm7Uoiby1cvXb8H4
      TxD/+fXsT99Y6hANFawxlTonKsIgewjeI9EtATLCi4XubB/VbMPUBY3ld5Fj7MJ00+y38vd/X
      IviTYFM/NGipSscvhkAZt9ku7ZhtqDuVfB4n7m38YBVgezt2DS/4biRojj/za58PpuHrvdgFC
      +E8hYBAU+LlxzQfLAXwncuqOc2TiRi7huj7ceNkHPJ64XsFeqYDm/QHAWjBD5V7FW6S/arfe6
      O7kJ0Fu8bzfuZLIH5wK5Ltj8o7GnT05iIpeJ+2F3LkPlh5l0blguobhmUe34ADJNu7RQf8XAo
      94b70oe3rqWSi/gAghAgMUtpwQr+Hn+R0ObZCgxhV0YpLsrYFELmKBQhyNBmNO9nIHpLKxri5
      yzT8h7k3Ekw3g1/hSBnc2peoeFfIjZLZYs9yxyyXmUHnT0RsCPxDbvN1nNgtQGLRA5UgvAdHG
      bjuABLeOSyoOQ7jVbOJxPAEAUy7Kar06NIvRySvAq1EDVB1SKUPyNcIuUx8gDj6EATorXTWeF
      dwAZN23U5AGcJRb6d1bKOCEUjxus8XmJnxUdE1+xj8bSfKNwlF18BLRfOjbT1Ru2Ud9AG06wh
      gE0ciViHtClmmX5xzYUHVopeyTrCzm1S3Lyyt5hkcjFMwR9q4Umb0fjfpOzUzfKC1VOrz06Og
      pMO5zAgNgvorlJfibtva/b7hZIKT1+L0sbPoCuX346g6+JlOHv0ibByC8GsBcP6tdl7iJF+GO
      0kXPpRQT8k24mXcpB7BO5UVCz3EWDtCFeWvbSRTIjZNtclkld7dsAcZ2wUePEZNRNEjYOXrqh
      XVu2LGki5weYFhqvx0mgoyeiny5G3fPv4x2YPcvxOxR8k39virDrQcEtmZ3KGYsHp2nOjMHVl
      DbLBApsR62ckcBRf2T8v9i5k5zVPnLP42mNpjabLWkotpbQdJ71aIZMv69rZyN2yTGKqp1Mvd
      9pttOqDsM/zJlfPSZU41rDcANFhbu+q8XjWbULQ++c/YDY/v15D34y6bu8RaKcV4wALwBW6W2
      F3WWvyK2GPGp+yroX0sDLvA+ZK32N7CK/1YQM/WqxKSTtJ24lZFbj0DJsc7QtQEL+4eIZFwrq
      e7ih0MkPXyIurXr0FhNE/bTapVW0ngwERbXLZ5W1njMQjRdZCYJkPa5qYJxvoD5mXPuxA3Tcs
      1z+goVm6TZT3pcHeKHrSMorYv97yRnaXmYiWmNM2uafUBzdQWRFEn9BrJoHfADgzf8dj2AZb9
      5zX+UKBeHQlefUpo/8WXc5e/gR6YRx+W4FkBad8jwLB+De+tDmj+5iQXgRF1tlIgIEKkrVzHF
      SSt3ucvG4aTKS6ayOFem9IevA068cfcI2FfxsJs2DD+D/JzJhuBTuZnNxJfMDdEK87gMgZyQ=
      =

      This is a multipart message in MIME format.

      ------=_NextPart_000_0001_2D283AAD.657ADD65
      Content-Type: text/plain; charset="us-ascii"
      Content-Transfer-Encoding: 7bit

      Hello,

      I've suddenly came sccross that information and thought it may be useful for you, read more here please

      Yours truly, XXXXXXXXXX via Twitter

      Hi,

      Look at that stuff! It's just amazing, you are gonna love it, I swear! Take a look here

      Yours truly, XXXXXXXXXX via Twitter


      XXXXXXXXXX

      ------=_NextPart_000_0001_2D283AAD.657ADD65--

    3. Wrock - Using this Autoresponder message in my 1&1 account now to meet the challenge of informing Spoof Spam Bomb recipients of this most perplexing issue. And it is perplexing. People who I have thoroughly explained the issue to still don't understand that the messages are not coming from me. The evil spammer has gotten more sophisticated btw adding a plain text salutation to Message subject " usefull info ":

      Warmest regards, My Name


      This email account is CLOSED due to spoofing. (Spoofing is when someone puts myname@myname.com in the "From" of an email - sometimes masked by another name as well but if you hover over it the spoofed email address myname@myname.com is revealed.) If you received SPAM that appears to have come from this account - IT DID NOT. However, to avoid confusion it is now CLOSED. Sorry for any inconvenience.

    4. Also want to let you know what a comfort it is to know there are people like Wrock in this world

    5. The spam sent under your good name is a perplexing problem - it is also a destructive problem and illegal. Fight it by asking the recipients of these spam emails to send them to spam@uce.gov, an address managed by the United States Federal Trade Commission who have been taking legal action against a similar spam operation.

    6. Thanks again for your always helpful advice. My new autoresponder message reads as follows:

      This email account is CLOSED due to spoofing. (Spoofing is when someone puts your@name.com in the "From" of an email - sometimes masked by another name as well but if you hover over it the spoofed email address is revealed.) If you received SPAM that appears to have come from this account - IT DID NOT. However, to avoid confusion it is now CLOSED. Sorry for any inconvenience. IF YOU RECEIVE ANY MESSAGE FROM THIS ACCOUNT other than this autoresponder message PLEASE FORWARD IT TO spam@uce.gov, an address managed by the United States Federal Trade Commission, as evidence for use in LEGAL ACTION against this CRIMINAL spam operation. Then DELETE IT.

  56. I am in Canada. Exact same problem is happening to me. Except at the same time these 'fake' emails were being sent out, I was having the same message posted to facebook as me! Was wondering if you have any insight? Thanks so much, it was a relief to find a page that explains what's going on.

    1. I would expect that you'll find inside your email account somewhere an email address for posting messages to Facebook. The process that collected your other addresses also picked that one up too is my guess.

  57. I am from Denmark. My GMAIL account was tapped with exact same pattern. Except the sending server was different:
    Original message headers:
    Received: from BLUPR02CA061.namprd02.prod.outlook.com (10.160.23.179) by
    BY2PR02MB123.namprd02.prod.outlook.com (10.242.43.148) with Microsoft SMTP
    Server (TLS) id 15.1.415.20; Tue, 1 Mar 2016 20:38:41 +0000
    Received: from BL2FFO11OLC011.protection.gbl (2a01:111:f400:7c09::191) by
    BLUPR02CA061.outlook.office365.com (2a01:111:e400:8ad::51) with Microsoft
    SMTP Server (TLS) id 15.1.415.20 via Frontend Transport; Tue, 1 Mar 2016
    20:38:41 +0000
    Authentication-Results: spf=none (sender IP is 212.83.146.36)
    smtp.mailfrom=monoloop.com; sandisk.com; dkim=none (message not signed)
    header.d=none;sandisk.com; dmarc=none action=none header.from=monoloop.com;
    Received-SPF: None (protection.outlook.com: monoloop.com does not designate
    permitted sender hosts)
    Received: from server.grecianconsulting.com (212.83.146.36) by
    BL2FFO11OLC011.mail.protection.outlook.com (10.173.160.157) with Microsoft
    SMTP Server (TLS) id 15.1.427.7 via Frontend Transport; Tue, 1 Mar 2016
    20:38:40 +0000
    Received: from [103.197.30.17] (port=50463 helo=ruun.com)
    by server.grecianconsulting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.86)
    (envelope-from <(my email)@monoloop.com>)
    id 1aar2F-0000ZU-2G; Tue, 01 Mar 2016 22:36:48 +0200
    From: (my name) <(my email)@monoloop.com>
    To: valentin.radu (list of 5 emails from my account)
    Subject: Fw: new important message
    Date: Tue, 1 Mar 2016 23:38:11 +0300
    Message-ID: <0000f62266c4$47020ed5$ac2693e9$@monoloop.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_3D21DDDC.7EF74950"
    X-Mailer: Microsoft Outlook 15.0
    Thread-Index: AdF4v7CQH1BnuPx7G0vVT2IP/ShDGg==
    Content-Language: en-us
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.grecianconsulting.com
    X-AntiAbuse: Original Domain - sandisk.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - monoloop.com
    X-Get-Message-Sender-Via: server.grecianconsulting.com: authenticated_id: used@automarin.gr
    X-Authenticated-Sender: server.grecianconsulting.com: used@automarin.gr
    Return-Path: (my email)@monoloop.com
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: fcd9ea9c-ae8c-460c-ab3c-3db42d7ac64d:0
    X-Microsoft-Exchange-Diagnostics: 1;BL2FFO11OLC011;1:Y/mTTGvheV6Z8nEW7R5zm6JcC6duRMR6HngKwHkpK6V1ZAx1Qi3j4bMd/YWRhcVaAISBTv53+nUcqdscpiI9BEXi2r/aHHyK9itLvr8ETzrJpbVKbr/IM11H46wpVK0knV8XrBuGje/fhZ4zAUfiU3NPqSf5RyMISiORdCcdKOhH2Uot8Lf3nDiygKO3UlEzHhboQanMERJxpNW9yMLg+i2NrD//+XuBLQfeUpjBZzhRIr/ly8NKqdlvJWYIZ+HOPmVm+yIv42r7rhn8Bu7PeFWnkEJORJnthpV1+pNudAnwYZT2xKEzVN66y5VgmbmGssm0CKx6SrHrRP1YPQp17BtiENCnKtiGXyi5HUBq57jPGM1Bow08gd1cXACA1ZyGxXWztNHaC+ec7PG7sgW5mWOu+HIJCY/3e+lKakjDP4M=
    X-Forefront-Antispam-Report: CIP:212.83.146.36;CTRY:FR;IPV:NLI;EFV:NLI;
    X-Microsoft-Exchange-Diagnostics:

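The header block in comment 57 can be read mechanically, and doing so makes the key point of this thread concrete. The Python below is an added example written for this edit, not code from the blog or from the commenter. It unfolds the posted headers (trimmed to the lines the parser needs, with the redacted address replaced by the placeholder victim@monoloop.com), walks the Received: chain from the bottom to the first hop, and pulls out the Authentication-Results. The fields show why the victim's own mailbox is not involved: the message entered at server.grecianconsulting.com over an authenticated submission (esmtpsa) by the unrelated account used@automarin.gr from 103.197.30.17, and the spoofed monoloop.com domain published no SPF, DKIM or DMARC that could fail.

```python
import re

# Sample input: the headers posted in comment 57, trimmed to the lines this parser uses,
# with the redacted address replaced by the placeholder victim@monoloop.com.
RAW_HEADERS = """\
Authentication-Results: spf=none (sender IP is 212.83.146.36)
 smtp.mailfrom=monoloop.com; sandisk.com; dkim=none (message not signed)
 header.d=none;sandisk.com; dmarc=none action=none header.from=monoloop.com;
Received: from server.grecianconsulting.com (212.83.146.36) by
 BL2FFO11OLC011.mail.protection.outlook.com (10.173.160.157) with Microsoft
 SMTP Server (TLS) id 15.1.427.7 via Frontend Transport; Tue, 1 Mar 2016
 20:38:40 +0000
Received: from [103.197.30.17] (port=50463 helo=ruun.com)
 by server.grecianconsulting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.86)
 (envelope-from <victim@monoloop.com>)
 id 1aar2F-0000ZU-2G; Tue, 01 Mar 2016 22:36:48 +0200
From: Victim Name <victim@monoloop.com>
X-Mailer: Microsoft Outlook 15.0
X-Authenticated-Sender: server.grecianconsulting.com: used@automarin.gr
"""

# A dotted quad inside [] or (): the address the relay actually saw, not the HELO claim.
IP_PATTERN = r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]"


def unfold_headers(raw):
    """Join RFC 5322 continuation lines; return (name, value) pairs in their original order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the claimed sender, observed IP, HELO, protocol and envelope sender from one Received: value."""
    def grab(pattern):
        m = re.search(pattern, value)
        return m.group(1) if m else None
    return {
        "from": grab(r"^from\s+(\S+)"),
        "ip": grab(IP_PATTERN),
        "helo": grab(r"helo=([^\s)]+)"),
        "by": grab(r"\bby\s+(\S+)"),
        "with": grab(r"\bwith\s+(\S+)"),
        "envelope_from": grab(r"envelope-from\s+<([^>]+)>"),
    }


def parse_auth_results(value):
    """Reduce 'spf=none (...) ...; dkim=none ...; dmarc=none ...' to {'spf': 'none', ...}."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value):
        results.setdefault(m.group(1), m.group(2))
    return results


def trace_message(raw):
    """Walk the Received: chain bottom-up to find where the message entered the mail system."""
    headers = unfold_headers(raw)
    first = lambda wanted: next((v for n, v in headers if n.lower() == wanted), None)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    # Each relay prepends its own Received: line, so the last one is the first hop.
    origin = hops[-1] if hops else {}
    auth = {}
    for n, v in headers:
        if n.lower() == "authentication-results":
            auth.update(parse_auth_results(v))
    authed = first("x-authenticated-sender")
    domain = re.search(r"@([\w.-]+)", first("from") or "")
    return {
        "hops": hops,
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "submission_server": origin.get("by"),
        "submitted_with": origin.get("with"),
        "envelope_from": origin.get("envelope_from"),
        "authenticated_sender": authed.rsplit(":", 1)[-1].strip() if authed else None,
        "header_from_domain": domain.group(1).lower() if domain else None,
        "auth": auth,
    }


if __name__ == "__main__":
    report = trace_message(RAW_HEADERS)
    for key, value in report.items():
        if key != "hops":
            print(f"{key:>21}: {value}")
```

The origin hop is the one to act on: the abuse report goes to the operator of the submission server, quoting the authenticated_id it recorded, and the spf/dkim/dmarc values of "none" are the reason receivers had nothing to reject on. The same parser works on any pasted header block, but a forged Received: line can be inserted below the genuine ones by the sender, so only hops added by relays you trust are evidence.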
  58. For anyone still struggling with this issue..... I may have stopped it on my account, I haven't had any spam email bouncebacks for a few weeks now (I was getting them every few days, and a lot of them). I moved any important messages to a new folder in Outlook, and deleted ALL other emails. I got one set of spams a couple of days later, but noticed that it was only a couple of addresses. Since then I have been keeping my inbox clean and haven't had any more spam bouncebacks. (Had also previously changed passwords etc. several times, but that alone didn't seem to help at all.)
    Can someone else try this and see if it fixes the problem for them also?

    1. That seems an unlikely fix to me since there have been no signs of ongoing access to the email accounts. Keep us informed of what happens next.

  59. Ugh, I have the same thing I am on an Apple computer and iPhone 4S (I also use 1&1). I also noticed that recipients that I have never personally emailed, but I was a recipient of a CC or BCC message are also getting messages from me. There appears to have been a new scrape of email contacts. I have run numerous malware scans and cannot find anything. I find no evidence of the mails being sent from my account.

    1. This sounds like a very typical case of this spoofing problem. I've just read an interesting article from August 2015 which makes me wonder if the affected 1&1 users are all users of web mail on a mobile device with cookies turned off? There was a vulnerability, solved on August 14th which allowed full access to a 1&1 web mail account by web sites visited after clicking on a link if the visit was from web mail used on a mobile device with cookies turned off. The article in German describing the problem is here: https://www.wired.de/collection/latest/so-konnten-fremde-euer-postfach-bei-web-de-gmx-oder-1-1-eindringen/

      Tell us more about the new scrape of email contacts. So far I've thought that the email address collection has been a one-time process and that new addresses inside the account do not start receiving the spoofed spam after the date on which the addresses have been collected. For example, if there was access to an account on August 13th 2015 and all addresses in that account were collected and start to receive spam, then new addresses used in the account after that date, for example in November 2015, do not receive spam.

  60. Thanks for all your help Wrock. Would deleting the email account entirely stop the problem? Would people stop getting spam if the email account no longer exists?

    1. If only it were as simple as deleting the email account to solve the problem... Since the spam is not being sent from your email account, the computers which are sending the spam can continue to attach your email address to the outgoing messages whether or not the email account to which the address belongs exists. So no, I would not expect that deleting the account would stop your correspondents from receiving the spam.

      You should, however, move from the email account to another one with better protection against this sort of nonsense. Clearly, some process has obtained access to your account and at one point in time been able to collect all of the email addresses inside the email in the account. It is not a safe place for you to be. Obtain a new email address, for example a free Gmail account because it has many protections. Use those protections such as turning on two-step verification. The process which harvested the email addresses of your correspondents may also have had access to the contents of the email messages themselves. That could leave you vulnerable to identity theft and other sorts of fraud.

      As for the people who are receiving the spam messages, their very best actions are first to report the spam to the Federal Trade Commission, here: https://www.consumer.ftc.gov/articles/0038-spam#report And next to apply a filter to delete all messages which arrive from your old address.

  61. I've been having this problem since September 2015. My mail is hosted by 1&1 in the UK (with my own domain name). I was advised by someone to create an SPF Record on my domain to help servers detect these spoof mails. I contacted 1&1 yesterday about this and they advised me to create an SPF Record on my domain (which you can do via the control panel) with a value of:

    "v=spf1 a:mout.perfora.net a:mout.kundenserver.de a:mout-xforward.kundenserver.de a:mout-bounce.kundenserver.de a:pmt.perfora.net a:pmt2.perfora.net -all"

    I've now done this so it will be very interesting to see if the spoof emails now get stopped by more servers.

    1. Has the SPF record had a useful effect?

      Since your email is hosted by 1&1, I wonder if you were using web mail on a mobile device where the mobile device had cookies turned off this summer? If so, there is a very interesting vulnerability that would have allowed the owners of web sites you visited to access your web mail account without knowing the password. The vulnerability was resolved on August 14th 2015 and is described in German in this WIRED magazine article, https://www.wired.de/collection/latest/so-konnten-fremde-euer-postfach-bei-web-de-gmx-oder-1-1-eindringen/

    2. Actually I think the SPF record has helped. When the spoofing occurs (it happens every couple of weeks) I seem to be getting more undelivered reports back into my own spam folder - so I assume less are getting through due to some servers out there using SPF checks. The ironic thing is that 1&1 themselves don't support SPF checking on their own mail servers so any of these spoof mails actually sent to me from my own account actually reach my own inbox (still).

    3. And also, regarding your question I don't think I ever accessed my 1 & 1 mail via a mobile device (not webmail anyway) so I doubt that was my issue. I still suspect there was some sort of hack into a 1&1 server.

  62. Interesting about the 1&1 article. I have a rarely used account that was mainly for log ins etc that started with this problem on 27 Aug 2015 and my contacts, or anyone who has ever sent or received an email from that account going back over the last 14 years have repeatedly been bombarded with Spam since. I spoke with them in Sept about this problem and they said that it could only be a compromised password even though there is no evidence of the email originating from my account. In addition the last email that was sent from the account was in fact on 14 Aug 2015.

    1. If you were using a 1&1 account in the period before 14 August 2015 and have this spoofing problem, then what emails did you receive in that account containing a link which you might have clicked? Perhaps you deleted the emails many months ago and no longer remember. Since the Wired article reports that accounts at 1&1, when used on a mobile browser for web mail with cookies turned off, were accessible by a stranger, namely the owner of a web site who reviewed their referral logs after sending a link through email on which the 1&1 account holder clicked, do you fall into that group? In other words, were you a user of a mobile web browser for your email with cookies turned off before the middle of August? And if that is the case, then what links might you have clicked? I would think that the most likely links would be the ones that were propagating through the spoofing. In which case, there would be a slightly contagious aspect to this problem. Some of the correspondents of the person with a 1&1 account whose address was being attached to the messages would, if also using a 1&1 account on a mobile browser for web mail with cookies turned off and if they clicked on the link sent in the spoofed email, become new sufferers of the malady.

      If that were so, then we ought to be able to trace cases from one person to another and model the problem using epidemiological calculations used for the spread of diseases.

      Reference: Wired article in German explaining a web mail vulnerability present in early August 2015 in 1&1, gmx and web.de accounts, https://www.wired.de/collection/latest/so-konnten-fremde-euer-postfach-bei-web-de-gmx-oder-1-1-eindringen/

  63. I've had this problem for months. The latest incident was this morning. I have not ever used 1&1. My ISP is a Canadian company called Telus. I've scanned everything I can for malware, changed all passwords, and still it continues. Would love it when someone can solve this.

    1. Indeed, there are other people with Telus accounts who have this problem. You've taken the right actions. I also suggest that you move your email life to a free account elsewhere such as a Gmail account and turn on two-step verification for your protection.

  64. For - AnonymousOctober 6, 2015 who wrote: "perhaps login info was intercepted during use of unsecured open wifi hotspots on my vacation in Italy during the end of August and beginning of September. "
    I believe my problem started after the same thing, in Naples Airport, Italy in March this year. I used an iPhone to download my email to my Mail app. I have a google GMAIL account. Problem ongoing since then.

    1. That's useful information. I've noticed very few reports from Gmail accounts, and so I've been hoping that Google email accounts were immune. Do your correspondents receive the messages? Or does Google block the messages from being delivered? This press release from October 2015 explains that Google will implement DMARC.

      https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protect-users/

      Perhaps it is already available? DMARC is specifically designed to provide a mechanism to stop spoofing.

    2. Wrock - Yes, many of the emails do 'arrive'. I don't know how many of course, only the (often irate) friends who let me know. But I have hundreds - thousands - of bounce backs which I suppose is a 'good' thing.
      I've been told by the Google Apps support team to implement DMARC, but it all seemed so terribly complex; I've already spent hours and hours - days - on all of this. I just received the following email from the support team (I linked them to this page): "With the Dmarc you will be able to apply the policy that you want to the messages that are not sent directly from your account so you should be able to solve completely the issue."
      OK off to do that now.

    3. Wrock, just to add that like "Anonymous October 10, 2015 at 3:34 PM" I am using GMAIL with my own domain. I think this changes the DMARC issue as I myself have to input a DMARC record in my Wordpress.com website DNS records (I use Wordpress nameservers as this is where my website is hosted). I've just done this today, with the first level of 'strictness' of 'quarantine'. I can set a stricter level later once I check the reports.

    4. Please ask your friends who are reporting the problem to you to forward every email they receive with your name or email address attached to spam@uce.gov. This is an email address for the United States Federal Trade Commission, who have taken legal action this past year against a group who were operating a very similar spamming operation. When reporting the spam, your recipients could add a message that "This spam resembles the Sale Slash case". You could also let Google know that your case resembles the email violations in the Federal Trade Commission Sale Slash legal case from May 2015.

    5. You are on the right track applying DMARC. You are aiming to reach "p=reject" after working through the intermediate stages and monitoring the reports. You are lucky to have the ability to do this yourself. Many others with this problem are hanging onto email addresses they feel sentimentally attached to on email systems run by email administrators who are not applying DMARC policies. Waiting for someone else to solve the problem is the wrong choice. Anyone with this chronic problem should get out of the affected account/s to a safer place if the provider of the account does not offer safeguards such as a DMARC "p=reject" policy and two-factor verification. This is not a benign problem.

  65. Examples of two bottommost 'received' lines:

    May 8:

    Received: from [131.161.7.62] (port=47997 helo=ddwoc.com)
    by web96.dnchosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

    March 26:
    Received: from epubjv.com (unknown [118.68.127.50])
    by ns1.flyingservers.eu (Postfix) with ESMTPSA id A6A9318D703;
    Sat, 26 Mar 2016 16:30:11 +0100 (CET)

    Not sure if I'm doing this right, but neither epubjv.com nor ddwoc.com can be found in the ICANN lookup.

    Been going on in waves since March. I believe it started a few days after accessing unprotected wifi in Naples airport, Italy with my iPhone, downloading mail to my Mail app in the phone. I use Google Gmail - wordpress.com nameservers, as my domain name is used for a wordpress.org website, but the domain name is held by Namecheap - but this stuff confuses me. I can only assume my GMAIL was hacked into. I've been talking to Google Apps and they have guided me through adding an SPF and DKIM record and now suggest DMARC. But will this solve the issue, in the sense that fewer - or none - of the spams will actually arrive at their destination? I realise they will probably keep being sent.

    Replies
    1. You are correct. Both "epubjv.com" and "ddwoc.com" have been made up and are not registered.

      I'll be interested to hear the results of your application of DMARC once it is set to "p=reject". When AOL accounts had this problem in April 2014, Andrew Conway of Cloudmark reported that their application of DMARC reject policy had a dramatic effect on the problem. It may not be a complete cure. It should certainly help together with your recipients sending the messages they are receiving to the Federal Trade Commission.

      Here is an article about AOL applying DMARC to all of their accounts: https://blog.cloudmark.com/2014/04/29/aols-dmarc-change-fends-off-com-spammers-attack-but-data-breach-still-not-explained/

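An added parser, written for this page rather than taken from the comment or the blog, that pulls the connecting IP, the self-declared HELO name, the relay host and the protocol out of the two Received lines quoted above (one Exim hop, one Postfix hop):

```python
import re

# The two bottommost "Received" lines quoted in the comment above (an Exim hop and a
# Postfix hop), each joined onto a single line.
RECEIVED_SAMPLES = [
    "Received: from [131.161.7.62] (port=47997 helo=ddwoc.com) "
    "by web96.dnchosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)",
    "Received: from epubjv.com (unknown [118.68.127.50]) "
    "by ns1.flyingservers.eu (Postfix) with ESMTPSA id A6A9318D703; "
    "Sat, 26 Mar 2016 16:30:11 +0100 (CET)",
]

# Exim wording: "from [IP] (port=N helo=NAME) by HOST with PROTO"
EXIM_RE = re.compile(
    r"from \[(?P<ip>[\d.]+)\] \((?:port=\d+ )?helo=(?P<helo>[^\s)]+)\) "
    r"by (?P<by>\S+) with (?P<proto>\S+)", re.I)
# Postfix wording: "from NAME (RDNS [IP]) by HOST (Postfix) with PROTO"
POSTFIX_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) "
    r"by (?P<by>\S+) \(Postfix\) with (?P<proto>\S+)", re.I)


def parse_received(line):
    """Describe one Received hop, or return None if neither format matches."""
    for rx in (EXIM_RE, POSTFIX_RE):
        m = rx.search(line)
        if m:
            hop = m.groupdict()
            hop.setdefault("rdns", None)
            # In both Exim ("esmtpsa") and Postfix ("ESMTPSA") this protocol name means
            # ESMTP over TLS with SMTP AUTH: the client logged in to the relay host with
            # a username and password rather than connecting anonymously.
            hop["authenticated"] = hop["proto"].lower() == "esmtpsa"
            # The HELO name is supplied by the client and is not checked by the relay,
            # which is why an unregistered name such as ddwoc.com can appear here.
            return hop
    return None


def summarise(lines):
    """Keep only the fields worth quoting when reporting a hop to a provider or the FTC."""
    out = []
    for line in lines:
        hop = parse_received(line)
        if hop:
            out.append({k: hop[k] for k in ("ip", "helo", "by", "authenticated")})
    return out
```

The two patterns cover only these two MTAs' wording; other mail servers phrase the line differently and would need their own pattern.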
  66. Wrock, two more subject lines for you:
    Subject: announcement
    Subject: a question

    Replies
    1. Thank you for the additional subject lines.

  67. Three more email subjects I've had (virgin.net / ntlworld) in the past week on bouncebacks:

    In case of you mislay virtue on a cot, this isnt a doubts
    just a message
    some information

    Replies
    1. Thank you very much for the additional subject lines. The first one you list looks as if it was written by someone else compared to the rest of the list.

  68. Hi! Thanks for your blog post - I'm now suffering the same problem, with emails and support tickets being logged using my email address (which I've had since 1997). The odd thing is that my email is hosted via google apps and I have an SPF record set to only allow mail sent via Google, and I've changed my password regularly (I work in IT).
    I understand that I can't stop my mail being spoofed but I wonder why so many people are receiving the messages when I have a valid and restrictive SPF record.

    Replies
    1. I didn't have SPF set when my Google Apps account was hacked - at least I think this is what started my problem - I accessed unprotected wifi in Naples airport, Italy in March from my iPhone - I was downloading mail to my Apple Mail app, and the issue started a few days after this. I've now set SPF, DKIM and DMARC. But some spoofed emails are still getting through to their destination.

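The replies under comments 64 and 68 turn on the difference between a DMARC policy stage ("p=none", "quarantine", "p=reject") and a restrictive SPF record on its own. This added Python model (mine, not Google's or the commenters', using constructed domain names and a simplified organizational-domain rule) shows what a receiving server actually tests when it applies the domain's DMARC record:

```python
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real DMARC evaluators
    consult the Public Suffix List; this shortcut is an assumption for the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_verdict(record, header_from, spf_result, mail_from_domain, dkim_result, dkim_domain):
    """Return 'pass' if SPF or DKIM passed for a domain aligned with the From: header;
    otherwise the policy ('none', 'quarantine' or 'reject') the receiver should apply."""
    tags = parse_dmarc(record)
    from_dom = header_from.split("@", 1)[1]
    spf_ok = spf_result == "pass" and aligned(from_dom, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_dom, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed spoof case. SPF is evaluated against the envelope (MAIL FROM) domain, which
# the sender chooses, so a forger using an envelope domain of their own can get an SPF
# "pass" for that domain; nothing ties it to the forged From: header until DMARC alignment
# is checked, and with "p=none" the receiver is told to deliver anyway.
SPOOF = dict(header_from="victim@example.com", spf_result="pass",
             mail_from_domain="bounce.spammer-host.test", dkim_result="none", dkim_domain=None)

# Constructed genuine case: mail submitted through the real provider carries an aligned
# DKIM signature (d=example.com), so it still passes once the policy reaches "p=reject".
GENUINE = dict(header_from="victim@example.com", spf_result="pass",
               mail_from_domain="example.com", dkim_result="pass", dkim_domain="example.com")
```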
  69. Just got a whole bunch of non-delivery notifications again... This time the subject was: Pizza Time. @Telus.net is the email being spoofed. Would love to find a fix for this.

  70. New subject lines:
    Subject: miss you
    Subject: wow, that's cool
    Subject: look at that stuff
    Subject: breaking news
    Subject: perfect words
    Subject: good impression
    Subject: sooo interesting
    Subject: precious memories

    and some cleverer text in the body:

    I haven't heard anything from you lately, so I wanted to share with you some of my thoughts, you can read them here [link to website]
    Have you already seen the latest news from our dear friend? You've got to see that for sure [link to website]
    I was reading an article and suddenly came accross those words, they are just perfect, you can find the article here [link to website]
    My best to you, [my email address]

    I found some old photos of us, these are really precious memories for me, just take a look [link to website]

  71. Another subject line:
    Subject: crazy day

    With the following message:
    Hey,

    I've had a crazy day yesterday and I wanted to share some the story of it with you, you can find it here [URL]

    Pardon my monkey thumbs, [my first and last name]

  72. New Subject lines in today's Spoof Spam Bomb wave (a partial list - the new Subjects seem to go on forever):

    thats so exciting
    just a note
    good news
    that is not a joke
    very important news
    that’s so amazing
    amazing article
    that’s just perfect
    new article
    amazing
    so many great things
    be prepared
    How’s it going
    news
    excellent stuff
    just take a look
    feedback
    wow! great stuff
    it’s so unusual
    good impression
    astonishng
    Automatic reply: this really matters
    surprise!
    that’s so exciting
    your opinion matters
    just for you
    hi
    is that real?
    just wanted to say hi
    good news
    so great and amazing
    some information
    true love
    really nice stuff!
    cool
    a question
    nice to know
    latest news
    real facts
    don’t miss that
    some new info
    meditation
    I found it!
    look at that, it’s amazing
    Jeez!

  73. Latest ploy: nothing in the subject line, nothing in the body of the email. All sent out in the same fashion as the other waves of spoofed spam, to five recipients in my contact list.

  74. It may be useful if people checked the "From" addresses against https://haveibeenpwned.com/ too. The data breaches which contained email addresses and passwords give a destination server and username to hack, and a first try at a password.

    There have also been many, many Wordpress and web bulletin sites hacked. (Aren't the spam links pointing at compromised Wordpress sites? I've been afraid to look.) If you registered for a bulletin board five years ago, and then reused the password this year for email, you're still in trouble.

    This is only a guess. Still, I draw this lesson the hard way: make sure your email password is unique: different from all other passwords you have ever used, or may ever use.

  75. Also, I found the analysis at https://www.leakedsource.com/blog/twitter interesting. Ephemeral malware, and particularly malware that doesn't try too hard to break out of a browser process sounds hard to find. But I am way behind on browser security architecture.

    Leakedsource also has their own database of disclosed accounts.


Comments are welcome in all languages.