
My email keep sending out virus

by yungman
Tags: email, sending, virus
yungman, #1, Jun13-14, 12:33 AM
I have a problem with my email: it keeps sending out emails with a virus to other people. I have changed the password a few times and it did not help at all. I have Norton 360 already and that does not seem to help. What can I do to fix it?

It is a very new computer, in service for about a month only, and I have been careful not to open any suspicious emails.

Thanks
Borek (Admin), #2, Jun13-14, 02:32 AM
Are you sure it is YOUR computer sending these emails? Sender email can be easily faked.

Are you sure your email account is not hacked? It is not clear what password you have changed.
yungman, #3, Jun13-14, 02:34 AM
Quote by Borek:
Are you sure it is YOUR computer sending these emails? Sender email can be easily faked.

Are you sure your email account is not hacked? It is not clear what password you have changed.
My stepson told me he received a suspicious email from me. That happened after I changed the password the second time.

The password is my email account password.

I am not sure whether my email account got hacked; how do I check? The email account was created on the old computer and it had problems before. This is a new computer and it is working perfectly otherwise. I just signed in to the email account with the new computer.

SteamKing (Emeritus, Sci Advisor, HW Helper, PF Gold), #4, Jun13-14, 03:13 AM

You've probably had your old e-mail account infected with a virus. The virus doesn't need to know your e-mail password to propagate; the password is there so only you can read your email.

The virus apparently lies dormant in your system until you receive/send e-mails. Certain viruses propagate by reading your contact log/address book and getting the e-mail addresses stored there. The virus can either create and send the suspicious messages, in the hope that some unwary person will open the email and infect his computer, or it can piggy-back onto one of your legitimate messages.

Changing your e-mail password will not disinfect your system. You need to have a good anti-virus program go through your system and check for viruses. If your e-mail provider doesn't scan incoming/outgoing messages for viruses, you should probably consider changing to a provider with this feature.
Borek (Admin), #5, Jun13-14, 03:22 AM
Your email account is not on your computer.

Email that you send is "put" by your email client on the server where your account is. This server connects to other servers, where other people's accounts are, and sends the emails there. Whenever someone else sends an email to you the same happens, just that they connect to their server and their server sends the email to your server. When you click on "check mail" your program connects to the server and fetches all emails that were delivered in the meantime.

The best thing is to check the headers of these emails your stepson received; they should contain information about where the email originated. Checking headers is typically one of the options available when viewing the email, but how it is done depends on the particular email client.

Another thing to consider: compare the emails that your stepson received (and thinks are suspicious) with the ones you have sent. It could be that everything is OK and they are just flagged as suspicious by an oversensitive antispam/antivirus program. It happens all the time. That doesn't mean you shouldn't be vigilant, just that not every alarm is real.
yungman, #6, Jun13-14, 04:35 AM
Quote by Borek:
Your email account is not on your computer.

Email that you send is "put" by your email client on the server where your account is. This server connects to other servers, where other people's accounts are, and sends the emails there. Whenever someone else sends an email to you the same happens, just that they connect to their server and their server sends the email to your server. When you click on "check mail" your program connects to the server and fetches all emails that were delivered in the meantime.

The best thing is to check the headers of these emails your stepson received; they should contain information about where the email originated. Checking headers is typically one of the options available when viewing the email, but how it is done depends on the particular email client.

Another thing to consider: compare the emails that your stepson received (and thinks are suspicious) with the ones you have sent. It could be that everything is OK and they are just flagged as suspicious by an oversensitive antispam/antivirus program. It happens all the time. That doesn't mean you shouldn't be vigilant, just that not every alarm is real.
Thanks for the reply. He called to confirm that we did not send that email.

So if the email account is infected on the server, what can I do to fix it? It doesn't sound like any anti-virus program on my computer is going to do any good.
yungman, #7, Jun13-14, 04:39 AM
Quote by SteamKing:
You've probably had your old e-mail account infected with a virus. The virus doesn't need to know your e-mail password to propagate; the password is there so only you can read your email.

The virus apparently lies dormant in your system until you receive/send e-mails. Certain viruses propagate by reading your contact log/address book and getting the e-mail addresses stored there. The virus can either create and send the suspicious messages, in the hope that some unwary person will open the email and infect his computer, or it can piggy-back onto one of your legitimate messages.

Changing your e-mail password will not disinfect your system. You need to have a good anti-virus program go through your system and check for viruses. If your e-mail provider doesn't scan incoming/outgoing messages for viruses, you should probably consider changing to a provider with this feature.
That's what I thought, that the virus is dormant in the computer, but this is a very new computer and I definitely have not opened any suspicious email yet. It feels like it stayed with the email account.

I have Norton 360, which seems to be a whole lot better than McAfee. Also, I have two email accounts, one for business and one for personal use, and it's only the personal one that is infected.
Borek (Admin), #8, Jun13-14, 05:01 AM
As I wrote before: without checking the headers you still can't know whether the email was sent from your account. Not that it is very likely, but it still can't be ruled out.

Quote by yungman:
The password is my email account password.
What email program do you use? Do you use it for both email accounts?

Can your stepson check what virus was detected in the email from you?
yungman, #9, Jun13-14, 05:13 AM
Quote by Borek:
As I wrote before: without checking the headers you still can't know whether the email was sent from your account. Not that it is very likely, but it still can't be ruled out.

What email program do you use? Do you use it for both email accounts?

Can your stepson check what virus was detected in the email from you?
How do you check the headers?

I have to ask him. My email is Hotmail @live.com.

Thanks
Borek (Admin), #10, Jun13-14, 06:09 AM
Quote by yungman:
How do you check the headers?
As I wrote earlier - it depends on the mail program he uses.

Typically you can select what is shown in some kind of View menu, or in a local menu that appears after right-clicking the displayed post.
ViperSRT3g, #11, Jun13-14, 11:09 AM
It sounds as though it may be a spoofed email being sent to your stepson and made to look like it's coming from you.
yungman, #12, Jun13-14, 11:59 AM
Quote by Borek:
As I wrote earlier - it depends on the mail program he uses.

Typically you can select what is shown in some kind of View menu, or in a local menu that appears after right-clicking the displayed post.
Sounds like all of you here suspect the problem is on my stepson's side, not on my side!!! Right?

I did some experimenting and I found the header. I just go to the inbox, right-click on the email and choose "Show full header".

For example, is it under:

Return-Path: <orders@weberorders.com>

Will this show who actually sent the email? In this case the email is from <orders@weberorders.com>, which is valid. Should I have my stepson read the full header on his computer to verify it's from us?

If that's the case, then all he needs to do is mark the email address as spam?

Thanks
Routaran, #13, Jun13-14, 12:22 PM
The return path is just the reply-to address. This can be altered to be anything by the sender. Take a look at the mail servers listed in the header; they are much more informative.
If the email came from your computer, your ISP's mail servers should be listed within the header as well, because the email would go from your system to your ISP's mail server before being sent to the destination.

Take a closer look at all the hostnames listed and see if anything sticks out. If it's spam, the sending server could be something really odd like a server from Russia or China (a .ru or .cn address). Basically, something that is not your ISP.

If you feel comfortable, you can post the header information here but keep in mind there may be personally identifiable information if it actually did come from your system.
AlephZero (Engineering, Sci Advisor, HW Helper), #14, Jun13-14, 12:49 PM
This is what a spoof email header looks like:
To: <personal information deleted>
Subject: You have received a tax refund payment
X-PHP-Originating-Script: 10002:mailer.php
From: HM Revenue & Customs <service@paypal.co.uk>
Reply-To: 
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20140421074824.30855116D180@mail.imagix.fr>
... etc
It claims to be from the UK tax authorities, but the email address says "paypal", and it was actually sent from somewhere in France.

You may have sent an email sometime in the past to someone whose computer was infected with a virus, that collected the contents of their address book. That's one way that email fraudsters get "real" email addresses, to send out fake messages that appear to come from somebody you know, so you are more likely to open them.
yungman, #15, Jun13-14, 12:56 PM
Quote by Routaran:
The return path is just the reply-to address. This can be altered to be anything by the sender. Take a look at the mail servers listed in the header; they are much more informative.
If the email came from your computer, your ISP's mail servers should be listed within the header as well, because the email would go from your system to your ISP's mail server before being sent to the destination.

Take a closer look at all the hostnames listed and see if anything sticks out. If it's spam, the sending server could be something really odd like a server from Russia or China (a .ru or .cn address). Basically, something that is not your ISP.

If you feel comfortable, you can post the header information here, but keep in mind there may be personally identifiable information if it actually did come from your system.
This is extracted from one of my old email accounts. I deleted things that did not make sense and changed some numbers. Can you tell me what to look for?

From PreSonus Audio Electronics Mon Jun 9 13:01:33 2014
X-Apparently-To: alanchan@yahoo.com via 12.34.567.890; Mon, 09 Jun 2014 20:01:35 +0000
Return-Path: <support@presonus.zendesk.com>
Received-SPF: pass (domain of presonus.zendesk.com designates 123.124.47.3 as permitted sender)
X-Originating-IP:
Authentication-Results:
Received: from 127.0.0.1 (EHLO out1.pod2.sac1.zdsys.com) (123.124.47.3)
by mta1535.mail.ne1.yahoo.com with SMTPS; Mon, 09 Jun 2014 20:01:34 +0000
Received: from zendesk.com (work2.pod2.sac1.zdsys.com [32.45.3.6])
by out1.pod2.sac1.zdsys.com (Postfix) with ESMTP id AB88B780031
for <alanchan@yahoo.com>; Mon, 9 Jun 2014 20:01:33 +0000 (UTC)
From: PreSonus Audio Electronics <support@presonus.zendesk.com>
Reply-To: PreSonus Audio Electronics <support+id186630@presonus.zendesk.com>
To: Me <alanchan@yahoo.com>
Message-ID: <Z9N1S1G3_5396129d43c15_eee3fd05c0b340490107f_sprut@zendesk.com>
In-Reply-To: <Z9N1S1G3@zendesk.com>
Subject: [PreSonus Audio Electronics] Pending request: Program cannot locate
the sound files.
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_675679da4ae0_eee5fd08c0b192735a6";
charset=utf-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-generated
X-Mailer: Zendesk Mailer
X-Delivery-Context:
Content-Length: 12698
Routaran, #16, Jun13-14, 01:21 PM
Quote by yungman:
Return-Path: <support@presonus.zendesk.com>
Received-SPF: pass (domain of presonus.zendesk.com designates 123.124.47.3 as permitted sender)
This first bit is a good indicator. SPF (Sender Policy Framework) is a basic check that the mail is not spoofed. In this case, it's coming from where it's supposed to be coming from: it got a pass.

Quote by yungman:
Received: from 127.0.0.1 (EHLO out1.pod2.sac1.zdsys.com) (123.124.47.3)
by mta1535.mail.ne1.yahoo.com with SMTPS; Mon, 09 Jun 2014 20:01:34 +0000
Received: from zendesk.com (work2.pod2.sac1.zdsys.com [32.45.3.6])
by out1.pod2.sac1.zdsys.com (Postfix) with ESMTP id AB88B780031
for <alanchan@yahoo.com>; Mon, 9 Jun 2014 20:01:33 +0000 (UTC)
This part here is the path the email took to get to you. This also looks legit; I did a Google search and zdsys.com appears to be Zendesk.
This email came from out1.pod2.sac1.zdsys.com and arrived at a Yahoo mail server, mta1535.mail.ne1.yahoo.com.
The return address says zendesk, and the mail came through a zendesk server. Someone else isn't faking it; it's actually coming from where the mail says it's from.

Quote by yungman:
From: PreSonus Audio Electronics <support@presonus.zendesk.com>
Reply-To: PreSonus Audio Electronics <support+id186630@presonus.zendesk.com>
To: Me <alanchan@yahoo.com>
Message-ID: <Z9N1S1G3_5396129d43c15_eee3fd05c0b340490107f_sprut@zendesk.com>
In-Reply-To: <Z9N1S1G3@zendesk.com>
Subject: [PreSonus Audio Electronics] Pending request: Program cannot locate
the sound files.
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_675679da4ae0_eee5fd08c0b192735a6";
charset=utf-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-generated
X-Mailer: Zendesk Mailer
X-Delivery-Context:
Content-Length: 12698
All of this stuff doesn't matter too much. Depending on circumstances, the Message-ID may be useful, but the rest of it you can programmatically change when you're sending the email.

So from the information above, I would be confident in claiming that the email message actually came from the source that the message claims to be from.
Now, with the spam mail in question, you'll need to check in a similar manner to see if it actually came from your system. If it did, then there's a chance that your computer is infected and is sending out spam to your contact list.
But if it turns out that the mail didn't come from your system/network/ISP, then just tell the person that got it to delete it without opening any attachments. That's all that you can do.
yungman, #17, Jun13-14, 02:26 PM
Quote by AlephZero:
This is what a spoof email header looks like:
To: <personal information deleted>
Subject: You have received a tax refund payment
X-PHP-Originating-Script: 10002:mailer.php
From: HM Revenue & Customs <service@paypal.co.uk>
Is this where it says it's from PayPal UK?
Reply-To: 
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20140421074824.30855116D180@mail.imagix.fr>
... etc
Is this where it tells you the message is from France?

it claims to be from the UK tax authorities, but the email address says "paypal", and it was actually sent from somewhere in France.

You may have sent an email sometime in the past to someone whose computer was infected with a virus, that collected the contents of their address book. That's one way that email fraudsters get "real" email addresses, to send out fake messages that appear to come from somebody you know, so you are more likely to open them.
Thanks for your example.

1) Do the last two characters tell you what country it comes from?

2) So I should compare the "From" to the "Message ID" to see whether there is an inconsistency?

3) What if they are all from the US? Do I compare "20140421074824.30855116D180@mail.imagix" in the "Message ID" with "HM Revenue & Customs <service@paypal.co.uk>" in the "From"?

Any other hint?

Thanks for your help.
Routaran, #18, Jun13-14, 02:51 PM
1) Yes, the last bit of a hostname tells you where the address is from. In the example that AlephZero presented, the From field was service@paypal.co.uk:
anything.co.uk means this address is from the United Kingdom,
google.ca means the address is from Canada,
.ru is Russia, .fr is France, .in is India, etc.
It's an easy way to identify where the address is located.

2) This email claims it's from the United Kingdom (the From field), but the Message ID shows that the message in fact originated in France. Someone deliberately changed the From address. This is a very good indication that something fishy is going on.

3) The first part of the message ID (before the @) is usually just a timestamp. In the example:
20140421074824.30855116D180@mail.imagix.fr

20140421074824 is:
Year 2014
Month 04
Day 21
Hour: 07
Min: 48
Sec: 24

I don't know what the 2nd part (.30855116D180) the server added was. The important bit is the stuff after the @ sign, as it is the domain that the sending server belongs to. This will let you know more about the origin of the message.
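A small header check, added here as an example and not code posted in the thread, that automates the three things Routaran points at in #16 and #18: the Received-SPF result, the domain in the Message-ID versus the From address, and the first hop of the Received chain. It runs over two constructed headers modelled on the spoofed message in #14 and the legitimate one in #15/#16; all hostnames, addresses and IPs in it are made up.

```python
import email
import email.utils
import re

# Two constructed sample headers (not messages from the thread); hosts and IPs are
# documentation values. SPOOFED mimics the pattern AlephZero showed, LEGIT a consistent one.
SPOOFED = """\
Return-Path: <service@paypal.co.uk>
Received-SPF: fail (domain of paypal.co.uk does not designate 203.0.113.7 as permitted sender)
Received: from mail.example-relay.fr (mail.example-relay.fr [203.0.113.7])
 by mx.example.net with ESMTP id 42; Mon, 21 Apr 2014 07:48:30 +0000
From: HM Revenue & Customs <service@paypal.co.uk>
Message-Id: <20140421074824.ABCDEF0123@mail.example-relay.fr>

body
"""
LEGIT = """\
Return-Path: <support@vendor.example.com>
Received-SPF: pass (domain of vendor.example.com designates 198.51.100.9 as permitted sender)
Received: from out1.vendor.example.com (out1.vendor.example.com [198.51.100.9])
 by mx.example.net with ESMTP id 43; Mon, 9 Jun 2014 20:01:34 +0000
Received: from app.vendor.example.com (app.vendor.example.com [198.51.100.20])
 by out1.vendor.example.com with ESMTP id 44; Mon, 9 Jun 2014 20:01:33 +0000
From: Vendor Support <support@vendor.example.com>
Message-ID: <ABC123@vendor.example.com>

body
"""

# "from <client> by <server>" clause of a Received header (re.S spans folded lines)
HOP = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<dst>\S+)", re.I | re.S)

def domain_of(addr):
    """Domain part of an address or Message-ID, without angle brackets."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def analyze(raw):
    """Pull out the facts the thread says to check and list the inconsistencies."""
    msg = email.message_from_string(raw)
    # Each relay prepends its own Received line, so the last one is the first hop.
    hop = HOP.search(msg.get_all("Received", [""])[-1])
    origin = hop.group("src").lower() if hop else "?"
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    from_dom = domain_of(email.utils.parseaddr(msg.get("From", ""))[1])
    msgid_dom = domain_of(msg.get("Message-ID", ""))
    findings = []
    if spf != "pass":
        findings.append(f"SPF result '{spf}': sender not authorised for {from_dom}")
    if msgid_dom != from_dom and not msgid_dom.endswith("." + from_dom):
        findings.append(f"Message-ID domain {msgid_dom} differs from From domain {from_dom}")
    if from_dom not in origin:
        findings.append(f"first hop '{origin}' is not a {from_dom} host")
    return {"origin": origin, "spf": spf, "from": from_dom,
            "msgid": msgid_dom, "findings": findings}
```

The Received-SPF line is only trustworthy if your own receiving server added it; as Routaran notes, everything else above the first Received line can be set freely by the sender.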