Email Hijack


6 replies to this topic

#1 harvey101

Posted 06 November 2013 - 05:35 PM

Windows 7 HP, SP 1; Explorer 10.0.10

 

I'm getting numerous bounced emails for my defunct email addys. I routinely run AVG Free 2014, I also downloaded and ran MS Safety Scan, MS Security Essentials, Spybot S&D and AdwCleaner. I found and removed some adware & tracking cookies, but the email problem remains. I have access to my Hotmail account and I have changed my password twice. I have looked at my account settings and they seem normal. Most of the bounces come from Cox.net. I am about ready to dump the email account. Enclosed below are two examples for the bounce messages. The 1st is the most numerous by far. Need some guidance.

 

x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSm0eBjyyDmyuUgmeUJZcpewLUPh3oLS8lYF3IicyMScH3ftwdDzkIsHfdxG/SXGZ8zVxRFacXAGPTEZmOxLN3fu+8uRxHCBN/HLQL8q/Cb0F8=
Authentication-Results: hotmail.com; spf=none (sender IP is 68.230.241.147) smtp.helo=fed1rmfepo202.cox.net; dkim=none header.d=cox.net; x-hmca=none header.id=Postmaster@cox.net
X-SID-PRA: Postmaster@cox.net
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 11chDOWqoTnCPPeFzt6ocIdyoYTTE4vM5F4sEYYUylyy+hc86QxviDp7Ci44m0OO3lZtM4xuLkjkw2vTo2l0jwkgmytDAi8cj/KlL8eSzFa7W4L632R11SCt7D7CUmX6BHmhn82Mp6R1u7D7wPokeQ3Nbg7+kEn/9VwH3esNR/rJsGEOQqeuk+u0IV9QeeHEXT0IFeevrkv34o5DjaB9b82xdcwp74lb
Received: from fed1rmfepo202.cox.net ([68.230.241.147]) by SNT0-MC2-F50.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
  Wed, 6 Nov 2013 13:15:39 -0800
To: dave_rolling_stone@hotmail.com
From: Mail Administrator <Postmaster@cox.net>
Reply-To: <Postmaster@cox.net>
Subject: Mail System Error - Returned Mail
Date: Wed, 6 Nov 2013 16:15:39 -0500
Message-ID: <20131106211539.LIXQ9830.fed1rmfepo202.cox.net@fed1rmfepo202>
MIME-Version: 1.0
Content-Type: multipart/report;
  report-type=delivery-status;
  Boundary="===========================_ _= 428842(9830)1383772539"
Return-Path: <>
X-OriginalArrivalTime: 06 Nov 2013 21:15:39.0567 (UTC) FILETIME=[57F3D3F0:01CEDB35]

--===========================_ _= 428842(9830)1383772539
Content-Type: text/plain
 
 This Message was undeliverable due to the following reason:
 
 Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.

    Recipient: <bgrover@worldaccessnet.com>
    Reason:    5.1.1 <bgrover@worldaccessnet.com>: Recipient address rejected: User unknown in virtual mailbox table
 
 
 Please reply to <Postmaster@cox.net>
 if you feel this message to be in error.

--===========================_ _= 428842(9830)1383772539
Content-Type: message/delivery-status

Reporting-MTA: dns; fed1rmfepo202.cox.net
Arrival-Date: Wed, 6 Nov 2013 16:15:38 -0500
Received-From-MTA: dns; fed1rmimpo210 (68.230.241.161)

Final-Recipient: RFC822; <bgrover@worldaccessnet.com>
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx1.hei.net (67.51.204.20)
Diagnostic-Code: smtp; 550 5.1.1 <bgrover@worldaccessnet.com>: Recipient address rejected: User unknown in virtual mailbox table

--===========================_ _= 428842(9830)1383772539
Content-Type: message/rfc822

Received: from fed1rmimpo210 ([68.230.241.161]) by fed1rmfepo202.cox.net
          (InterMail vM.8.01.05.09 201-2260-151-124-20120717) with ESMTP
          id <20131106211538.LIXM9830.fed1rmfepo202.cox.net@fed1rmimpo210>
          for <bgrover@worldaccessnet.com>; Wed, 6 Nov 2013 16:15:38 -0500
Received: from cox.net ([109.254.86.209])
 by fed1rmimpo210 with cox
 id mMFb1m00M4WzuGD01MFcj7; Wed, 06 Nov 2013 16:15:38 -0500
X-CT-Class: Clean
X-CT-Score: 0.00
X-CT-RefID: str=0001.0A02020A.527AB17A.007D,ss=1,re=0.100,fgs=0
X-CT-Spam: 0
X-Authority-Analysis: v=2.0 cv=drIF/Sc4 c=1 sm=1 p=8NScc08L904A:10
 a=YmUq72NJyo/EQnmFpEVdrg==:17 a=8uJ5MO_MQBgA:10 a=69EAbJreAAAA:8
 a=YE046jVxfEwA:10 a=w-5y2CD8AAAA:8 a=LJ6g9IJkr0zZGFmjIOQA:9 a=CjuIK1q_8ugA:10
 a=tgsdM9_44ewA:10 a=yha0xLFlKg4A:10 a=or5JHvpn_bsA:10 a=_W_S_7VecoQA:10
 a=LiympfkZp4UzUfls:21 a=YmUq72NJyo/EQnmFpEVdrg==:117
X-CM-Score: 97.00
Authentication-Results: cox.net; auth=pass (LOGIN) smtp.auth=mkessler4@cox.net
From: "Dave Woody" <dave_rolling_stone@hotmail.com>
To: "Barbara E Grover" <bgrover@worldaccessnet.com>
Subject: Salutations, Barbara E Grover
Date: Wed, 6 Nov 2013 22:15:34 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0052_25M9MT6U.GBYQP727"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
Message-Id: <20131106211538.LIXM9830.fed1rmfepo202.cox.net@fed1rmimpo210>

This is a multi-part message in MIME format.

------=_NextPart_000_0052_25M9MT6U.GBYQP727
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit

http://solartuff.com/wp-includes/videos.php?truc102wbvh
 Wed, 6 Nov 2013 22:15:34
 

     ====================
    
Extra cash today, generic box shifter tomorrow, rotting corpse the day after. -- Robert Harley
 
 
------=_NextPart_000_0052_25M9MT6U.GBYQP727
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

  <HTML>   =20=0D
     <HEAD>   =20=0D
     <META http-equiv=3D"content-type" content=3D"text/html; charset=3Dus-a=
scii"> =20=0D
   </HEAD> =20=0D
 <BODY lang=3DEN-US>=0D
  <br>
<br>
<a href=3D"http://solartuff.com/wp-includes/videos.php?truc102wbvh">http://=
solartuff.com/wp-includes/videos.php?truc102wbvh</a><br>
<br>
 Wed, 6 Nov 2013 22:15:34<br>

 

-------------------------------------------------------------------------------------------------------------------------------------------

 

 

x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=
Authentication-Results: hotmail.com; spf=none (sender IP is 199.246.2.50) smtp.helo=post.kos.net; dkim=none header.d=zeus.kos.net; x-hmca=none header.id=MAILER-DAEMON@zeus.kos.net
X-SID-PRA: MAILER-DAEMON@zeus.kos.net
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 11chDOWqoTmep3nvutvO7QKCITkxbVb7TgyUBiCppH4LSeyTzrVqOpXK5jfjGllgrjOpyeZWLv0L3j3z884kc/evI5ysrnESfkCqHR4pAm/5mMAce5ZA4LG25zwM3fFKY94ntgPIZ6xqwgZGjUGctralyubJAXQh6lizyU3cARra6opEkjyE3zndX+I3d4FXHiz/OrqNvoNEPiE4ZWBIfyPLuxanStp/
Received: from post.kos.net ([199.246.2.50]) by SNT0-MC4-F47.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
  Tue, 5 Nov 2013 22:11:36 -0800
Received: (qmail 14694 invoked for bounce); 6 Nov 2013 06:11:38 -0000
Date: 6 Nov 2013 06:11:38 -0000
From: MAILER-DAEMON@zeus.kos.net
To: dave_rolling_stone@hotmail.com
Subject: failure notice
Return-Path: <>
Message-ID: <SNT0-MC4-F47b2tyFGc0013c440@SNT0-MC4-F47.Snt0.hotmail.com>
X-OriginalArrivalTime: 06 Nov 2013 06:11:36.0418 (UTC) FILETIME=[0C842420:01CEDAB7]

Hi. This is the qmail-send program at zeus.kos.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<bbethea@aol.com>:
205.188.103.2 does not like recipient.
Remote host said: 550 5.1.1 <bbethea@aol.com>: Recipient address rejected: aol.com
Giving up on 205.188.103.2.

--- Below this line is a copy of the message.

Return-Path: <dave_rolling_stone@hotmail.com>
Received: (qmail 14690 invoked by uid 89); 6 Nov 2013 06:11:38 -0000
Received: from unknown (HELO kos.net) (89.69.89.1)
  by zeus.kos.net with SMTP; 6 Nov 2013 06:11:37 -0000
From: "Dave Woody" <dave_rolling_stone@hotmail.com>
To: "Bbethea" <bbethea@aol.com>
Subject: Yo Bbethea
Date: Wed, 6 Nov 2013 07:11:32 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0083_UX6NHM8V.P07AWV8S"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609

This is a multi-part message in MIME format.

------=_NextPart_000_0083_UX6NHM8V.P07AWV8S
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit

       
       
     
         
   http://jjhweb.co.uk/likeit.php?extcf102th
    dave_rolling_stone@hotmail.com
    

 *********************************

    Wed, 6 Nov 2013 07:11:32    
       
------=_NextPart_000_0083_UX6NHM8V.P07AWV8S
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

    <HTML>   =20=0D
     <HEAD>  =20=0D
   <META http-equiv=3D"content-type" content=3D"text/html; charset=3Dus-asc=
ii">  =20=0D
     </HEAD>    =20=0D
 <BODY link=3Dblue vlink=3Dpurple>  <a href=3D"http://jjhweb.co.uk/likeit.p=
hp?extcf102th">http://jjhweb.co.uk/likeit.php?extcf102th</a><br>
<br>
    dave_rolling_stone@hotmail.com<br>
     <br>
<br>
 *********************************=0D<br>
<br>
<br>
    Wed, 6 Nov 2013 07:11:32 </BODY>   =20=0D
   </HTML>    
------=_NextPart_000_0083_UX6NHM8V.P07AWV8S--

 <br>
<br>
     =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D     <b=
r>
Extra cash today, generic box shifter tomorrow, rotting corpse the day afte=
r. -- Robert Harley=0D=0D
 </BODY>=0D
 </HTML>
------=_NextPart_000_0052_25M9MT6U.GBYQP727--

--===========================_ _= 428842(9830)1383772539--

#2 quietman7


Posted 06 November 2013 - 07:51 PM

If your Hotmail/Outlook email account has been hacked or spoofed (email address forged as the sender), the recommended solution is to change or reset your Microsoft account password if using Hotmail/Outlook.

If you did that, please note that Microsoft also has a new private secure online form to report various Microsoft account issues. See Microsoft Account Support. At the bottom of this support page is a note that says "If you can't sign in with your Microsoft account, create a temporary account at https://signup.live.com."
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 MzLindyOne

MzLindyOne

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:25 AM

Posted 13 November 2013 - 07:10 AM

Received: from cox.net ([109.254.86.209])

No worries. Unless you are in the Ukraine, this mail didn't originate with you.

 

Spammers have mailer programs that can take a list of email addresses and a list of open servers, and start mailing out random combinations of the email addresses, one in sender and one in recipient, also switching off the servers so they don't get blocked for sending too many.  They many times buy these lists of email addresses, and the cheaper the list, the more likely they are to contain old addresses.  In these cases, your current address won the lotto as the sender address, and occasionally one of your old addresses came up as the recipient.  There were undoubtedly thousands/millions of others without your address as sender.

 

Cox shouldn't be bouncing spam, and have probably heard from not a few admins of other servers about this by now.  Normally these things will taper off and die when the spammer doesn't get the desired result, or servers like Cox fix their settings.  If it hasn't stopped for you by now, it probably will soon.  Personally, I wouldn't nuke a perfectly good email address because of it.



#4 harvey101


Posted 13 November 2013 - 08:35 AM

Thanks to both of my responders for the explanation & advice. Although I did finally figure out how to send MS a trouble report, and someone cleared out my account info and I changed my password yet again, the account info going forward is exactly the same as before and during the incident. Also, I was not receiving complaints from the many active email users in my email file. Just bounces from dead addys. But as MzLindy predicted, the bounces have gradually diminished and I have not received one in several days. BTW: The tech level of the explanation given by MzLindy was excellent for me and it fit the circumstances perfectly. So I can stop looking for a virus in my machines. Although I can decipher some of the info in my email headers, some of it is impossible for me to figure out. I feel that if I could have read the headers completely, I could have figured out the problem for myself. Or, at least, this ability would have helped me discount the virus possibility. Can anyone recommend a site that can help me read these headers completely? That is, a site that addresses this aspect in a relatively easy-to-understand manner.

 

Thanks again for the assistance. I am a researcher and I surf the web a lot. I can usually stay out of trouble, so I very rarely need this kind of help. I like to think that I can help other less knowledgeable folks in my research field; however, I have found that it is sometimes difficult to provide advice at a level understandable to my correspondent. So I really do appreciate those knowledgeable folks who will take the time to provide advice at a level that I can easily understand. Cheers.  



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:25 AM

Posted 13 November 2013 - 09:24 AM

Learning about Email headers:
Dealing with Spam and hacked Email:
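As an added illustration (not from the thread or from any poster) of the point MzLindyOne makes in post #3 and the header-reading question in post #4: walk the Received: chain of the copy quoted inside the first bounce and compare it with the From: domain. BOUNCED_COPY is constructed from the headers in post #1; the function and field names are my own.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: headers of the message/rfc822 copy inside the first bounce.
BOUNCED_COPY = """\
Received: from fed1rmimpo210 ([68.230.241.161]) by fed1rmfepo202.cox.net
          (InterMail vM.8.01.05.09 201-2260-151-124-20120717) with ESMTP
          id <20131106211538.LIXM9830.fed1rmfepo202.cox.net@fed1rmimpo210>
          for <bgrover@worldaccessnet.com>; Wed, 6 Nov 2013 16:15:38 -0500
Received: from cox.net ([109.254.86.209])
 by fed1rmimpo210 with cox
 id mMFb1m00M4WzuGD01MFcj7; Wed, 06 Nov 2013 16:15:38 -0500
Authentication-Results: cox.net; auth=pass (LOGIN) smtp.auth=mkessler4@cox.net
From: "Dave Woody" <dave_rolling_stone@hotmail.com>

(body omitted)
"""

# "from <helo> (<ip>) by <server>"; the optional "(HELO x)" form is what qmail writes.
HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(HELO\s+\S+\)\s+)?\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return (claimed_host, ip, receiving_server) per Received: header, oldest first."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(hdr).split()))  # unfold, squeeze whitespace
        if m:
            hops.append(m.groups())
    return list(reversed(hops))  # each server prepends its header, so last = first hop

def origin_report(raw):
    """Say where the mail really entered the system and whether From: is plausible."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(raw)
    from_domain = msg["From"].addresses[0].domain.lower()
    first_host, first_ip, first_by = hops[0]
    # The "by" name is written by the receiving server, not by the client, so mail
    # really sent through Hotmail would show a hotmail.com server there early on.
    via_sender_provider = any(from_domain in by.lower() for _, _, by in hops)
    auth = re.search(r"smtp\.auth=(\S+)", msg.get("Authentication-Results", ""))
    return {
        "from_domain": from_domain,
        "origin_ip": first_ip,        # what the first receiving server saw
        "origin_helo": first_host,    # what that client claimed to be
        "first_receiver": first_by,
        "submitted_as": auth.group(1) if auth else None,
        "spoofed_sender": not via_sender_provider,
    }
```

For the sample above the report shows the mail entering at a Cox server from 109.254.86.209 with a forged cox.net HELO, submitted with a Cox customer login, and never touching a hotmail.com server, which is exactly why the Hotmail password changes made no difference.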

#6 harvey101


Posted 13 November 2013 - 12:28 PM

Thanks very much for the links. Now that I understand the headers, I can see that my email addy was spoofed and, after finding an IP lookup site, that the forger/spammer is in Kharkiv, Kharkivs'ka Oblast', Ukraine. A lovely place, I'm sure.



#7 quietman7


Posted 13 November 2013 - 12:56 PM

Yes, in most cases it's spoofing (forged email).



