
outlook keeps forwarding spam emails


7 replies to this topic

#1 bel85742

bel85742

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 28 October 2015 - 03:12 PM

outlook keeps creating spam emails delivered to the inbox and forwarding them to a gmail address that outlook doesn't even check. ran all the tools I can think of and have malwarebytes full version and use ms security av but outlook please help. thanks, brad

 

here was my original post

http://www.bleepingcomputer.com/forums/t/594157/outlook-keeps-creating-spam-emails/


Edited by hamluis, 28 October 2015 - 03:18 PM.
Moved from All Other Apps to Gen Security - Hamluis.




#2 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:05:09 PM

Posted 28 October 2015 - 08:45 PM

outlook keeps creating spam emails delivered to the inbox and forwarding them to a gmail address that outlook doesn't even check. ran all the tools I can think of and have malwarebytes full version and use ms security av but outlook please help. thanks, brad

 

here was my original post

http://www.bleepingcomputer.com/forums/t/594157/outlook-keeps-creating-spam-emails/

 

Extract the headers of the questionable e-mails and post them.  Looks like someone posted what they believe to be your issue in your original thread...


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 bel85742

bel85742
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 28 October 2015 - 11:10 PM

Hello,

here are the headers from the inbox message that was forwarded and still stuck in the outbox

 

Return-Path: <ahbsal5xsrucv+k5mz4ig3q==_1101961273474_afq+wditeesdansuuple3q==@in.constantcontact.com>
Delivered-To: madonna@donshotrodshop.net
X-Envelope-To: madonna@donshotrodshop.net
Received: (qmail 8855 invoked by uid 399); 29 Oct 2015 00:18:49 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
  mail601.opentransfer.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.9 required=5.0 tests=HTML_FONT_LOW_CONTRAST,
  HTML_IMAGE_RATIO_02,HTML_MESSAGE,RDNS_NONE,SUBJ_BUY,URI_NOVOWEL
  autolearn=disabled version=3.2.5
Received: from unknown (HELO ironport3.opentransfer.com) (none@76.162.254.118)
  by mail601.opentransfer.com with ESMTPM; 29 Oct 2015 00:18:49 -0000
X-Originating-IP: 76.162.254.118
Received: from ccm174.constantcontact.com ([208.75.123.174])
  by ironport3.opentransfer.com with ESMTP; 28 Oct 2015 20:18:55 -0400
Received: from p2-jbsvcs5177.ad.prodcc.net (p2-pen7.ad.prodcc.net [10.252.0.107])
  by p2-mail199.ccm174.constantcontact.com (Postfix) with ESMTP id 8B321D24BF1
  for <madonna@donshotrodshop.net>; Wed, 28 Oct 2015 20:18:55 -0400 (EDT)
DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=226963; d=foxtucsontheatre.ccsend.com; h=date:mime-version:subject:X-Feedback-ID:message-id:from:reply-to:list-unsubscribe:sender:to; bh=qHEgGxAByLU2SG5joGuToGxXZAOASVeQBiH1NlwuqQw=; b=KO8ANSRsK+VBgXg0nFX6ddtSAXP20P37ic6Foff1G/sK8X7BqnOV7NcUgZRuZISIau9Gd7fmAWG1yqq68JnQK3VvPg4O8/t5s6JiXXk2jIDitPGUpkDgjkIukkkLEk9AQgswQvs469rpP4/6Zbi/TaQA9aOFUfi73f8woXygqJg=
Message-ID: <1122710625242.1101961273474.1920886100.0.182017JL.1002@scheduler.constantcontact.com>
Date: Wed, 28 Oct 2015 20:18:55 -0400 (EDT)
From: Fox Tucson <boxoffice@foxtucson.com>
Reply-To: boxoffice@foxtucson.com
Sender: Fox Tucson <charity@foxtucsontheatre.ccsend.com>
To: madonna@donshotrodshop.net
Subject: BUY ONE GET ONE FREE! - Craig Wayne Boyd this Sunday!
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_Part_93672183_1124019170.1446077935561"
X-Campaign-Activity-ID: 1c14802f-9c52-46e0-aff8-ae66678886dd
X-Channel-ID: 69f43ec0-3893-11e4-9d68-d4ae5292c4dd
X-Mailer: Roving Constant Contact 2012 (http://www.constantcontact.com)
X-Return-Path-Hint: AHBSAL5xSRuCv+K5mZ4iG3Q==_1101961273474_afQ+wDiTEeSdaNSuUpLE3Q==@in.constantcontact.com
X-Roving-Campaignid: 1122710625242
X-Roving-Id: 1101961273474.1920886100
X-Feedback-ID: 69f43ec0-3893-11e4-9d68-d4ae5292c4dd:1c14802f-9c52-46e0-aff8-ae66678886dd:1101961273474:CTCT
X-CTCT-ID: 69b89550-3893-11e4-9d2e-d4ae5292c4dd
 
 
it won't let me see the headers of the outbox message and strange part is i can't see the headers on one that was actually sent.
 
what do you mean by 
"Looks like someone posted what they believe to be your issue in your original thread..."
 
thanks, brad
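
Added example, not part of any post in this thread: a Python sketch that reads the headers posted above and extracts the SMTP delivery path, the SpamAssassin score against its threshold, and whether the DKIM signing domain matches the From: domain (a simplified comparison, not full DMARC alignment). The function names are made up for this example, and the sample is a subset of the posted headers with the DKIM-Signature shortened.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers posted above, with folded continuation lines re-indented
# and the DKIM-Signature shortened to the tags this check reads.
RAW = """\
Received: (qmail 8855 invoked by uid 399); 29 Oct 2015 00:18:49 -0000
X-Spam-Status: No, score=4.9 required=5.0 tests=HTML_FONT_LOW_CONTRAST,
 HTML_IMAGE_RATIO_02,HTML_MESSAGE,RDNS_NONE,SUBJ_BUY,URI_NOVOWEL
 autolearn=disabled version=3.2.5
Received: from unknown (HELO ironport3.opentransfer.com) (none@76.162.254.118)
 by mail601.opentransfer.com with ESMTPM; 29 Oct 2015 00:18:49 -0000
Received: from ccm174.constantcontact.com ([208.75.123.174])
 by ironport3.opentransfer.com with ESMTP; 28 Oct 2015 20:18:55 -0400
Received: from p2-jbsvcs5177.ad.prodcc.net (p2-pen7.ad.prodcc.net [10.252.0.107])
 by p2-mail199.ccm174.constantcontact.com (Postfix) with ESMTP id 8B321D24BF1
 for <madonna@donshotrodshop.net>; Wed, 28 Oct 2015 20:18:55 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; s=226963; d=foxtucsontheatre.ccsend.com
From: Fox Tucson <boxoffice@foxtucson.com>
Sender: Fox Tucson <charity@foxtucsontheatre.ccsend.com>

"""

def received_path(msg):
    """Return (from_host, by_host) per SMTP hop, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest is on top
        flat = " ".join(value.split())  # undo header folding
        m = re.match(r"from (\S+) .*?\bby (\S+)", flat)
        if m:  # local-delivery lines such as qmail's have no from/by pair
            hops.append(m.groups())
    return hops

def spam_score(msg):
    """Return (score, threshold) from SpamAssassin's X-Spam-Status."""
    m = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+)", msg["X-Spam-Status"])
    return float(m.group(1)), float(m.group(2))

def dkim_from_mismatch(msg):
    """True when the DKIM d= domain is not the From: domain or its parent."""
    d = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"]).group(1).lower()
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return not (from_dom == d or from_dom.endswith("." + d))

msg = message_from_string(RAW)
```

On this sample the path runs from the Constant Contact hosts through ironport3.opentransfer.com to mail601.opentransfer.com, the score is 4.9 against a threshold of 5.0, and the signing domain (foxtucsontheatre.ccsend.com) differs from the From: domain (foxtucson.com).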


#4 irvin_than_allyl

irvin_than_allyl

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:09 PM

Posted 29 October 2015 - 06:49 AM

1. In outlook you can see the spam messages in the sent folder, correct?

 

2. Are you located in Ohio?

 

3. Ask your previous helper if they think your system is clean and post the answer here.

 

4. I'd like to see some information about your IP configuration. Please download this tool and check "List IP Configuration" then click go, and copy and post the report it generates.


Edited by irvin_than_allyl, 29 October 2015 - 06:50 AM.


#5 bel85742

bel85742
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 29 October 2015 - 08:07 AM

Hello,

1. Yes they show in the send folder after being sent

 

2. no we are in tucson arizona

 

3. they had me run Farbar and then created a fixlist file which i did. prior to asking for help i ran full scans with all the tools first i could think of like 

malwarebytes 

superAntispyware
microsoft security essentials
eset
emsisoft 
Kaspersky
BitDefender
F-Secure
hitmanpro
tds killer
comboFix 
 
4. no link to download was provided but used cmd for now
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Madonna>ipconfig/all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : OFFICE2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F4-6D-04-F0-59-2F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f86f:9b10:d6bd:edba%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, October 26, 2015 3:58:56 PM
   Lease Expires . . . . . . . . . . : Friday, October 30, 2015 3:58:56 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 250899716
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-EA-17-BD-F4-6D-04-F0-59-2F
 
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       205.171.2.65
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.Home:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
 
maybe the outlook pst is corrupted
 
i turned back on the outgoing mail server to see the headers on a sent email and the Microsoft Office Outlook Test Message shows "this message was autoforwarded" to the gmail address. i found a rule and deleted it. i will try this.
 
thanks, brad
 
 
 


#6 irvin_than_allyl

irvin_than_allyl

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:09 PM

Posted 29 October 2015 - 09:16 AM

1. I apologize, I forgot to post the link to the MiniToolBox tool I was going to have you run. The information you provided is sufficient, thanks.

 

2. Are you running a mail server? What do you mean by "i turned back on the outgoing mail server to see the headers on a sent email"

 

3. Did any of the tools you ran indicate you had a malware infection?

 

4. Are you associated with the Fox Tucson theater?


Edited by irvin_than_allyl, 29 October 2015 - 09:17 AM.


#7 bel85742

bel85742
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:09 PM

Posted 29 October 2015 - 10:46 AM

Hello,

1. ok good

2. no mail server. just a pop account associated with the domain name. i put the smtp info back in the mail account settings to be able to send mail. right now i am preventing it from being able to send mail which is why i see them building up in the outbox.

3. not much but removed anything found.

4. not associated with fox theater.

 

Thanks, Brad



#8 irvin_than_allyl

irvin_than_allyl

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:09 PM

Posted 30 October 2015 - 10:45 AM

Haven't forgotten about you, just need to do some reading up on this before I can get back to you. Also, I'm a full time student and have assignments due this weekend, so I might not be able to respond further until next week. Someone else may chime in though. 

 

In the meantime, if you read the ask leo article linked to you in the other thread, you'll see that seeing spam emails in your outgoing folder indicates that your email account has been compromised, so this gives me some concern. So what I'd like to do is have you run GMER, and MalwareBytes Anti-Rootkit, and post the results of both.

 

Download and save GMER to your desktop. Run it and leave all the default boxes checked, hit scan and post the results.

http://www.bleepingcomputer.com/download/gmer/

 

Download and save MBAR to your desktop. Double click the icon and extract to your desktop. Leave default boxes checked and run a scan. Follow any prompts if there is a prompt for cleanup, and post the results.

https://www.malwarebytes.org/antirootkit/

 

Also go ahead and post any other email headers from spam messages you may have received that were sent from your account and show up in your Outlook sent messages folder.


Edited by irvin_than_allyl, 30 October 2015 - 10:46 AM.




