AnimeSuki Forums
Old 2010-05-03, 14:03   Link #1
LKK
Senior Member
Join Date: Nov 2006
Location: Virginia, USA
Age: 62
My web-based email account sends out spam

I use a web-based email account. (AOL to be precise.) I don't have an email address book on my laptop. It's hosted exclusively on the web server. Three times now, my email has sent a spam email to everyone in my address book. I assume some program on my laptop is kicking off the spam. I have run McAfee virus, Ad-Aware, and Malwarebytes. None have reported any infections.

I'm hoping that someone can offer advice on what I can do to prevent yet another spam outbreak. I've run out of ideas to try. Help, please?
Old 2010-05-03, 14:10   Link #2
xris
Just call me Ojisan
Join Date: Jan 2003
Location: U.K. Hampshire
Have you considered that someone may have obtained your AOL email password and is simply using your account? Have you tried changing your AOL email password?
Old 2010-05-03, 14:26   Link #3
LKK
Senior Member
Join Date: Nov 2006
Location: Virginia, USA
Age: 62
No, that hadn't occurred to me.
I'll try that. It's time to change my password regardless.
Old 2010-05-03, 17:15   Link #4
Vexx
Obey the Darkly Cute ...
*Author
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
It may not even be "coming from your account". Someone simply harvested your email address and used it to *forge* email from their own system.

An examination of the email header lines would show whether that was the case or not.

I recently got a dozen "admin bounce" emails for "spamming" from a Russian ISP. The email headers indicated the actual origination was in an East European country. I replied to the Russian ISP with the headers highlighted and they sent a nice thank you. However, harvesting emails to use as phony "origination" points is epidemic - made worse because many email readers "pretty up" the headers and hide all that scary email relay information from the average user.

In addition to changing your password.... you might also run some 'rootkit' detectors and see if something is lurking that the usual adware/AV stuff won't spot.
Old 2010-05-03, 18:07   Link #5
LKK
Senior Member
Join Date: Nov 2006
Location: Virginia, USA
Age: 62
I still have a few copies of delivery failure notices in my box. I'll see what sort of info I can glean from them. I'll also look into rootkit detectors. Thanks for the advice!
Old 2010-05-03, 23:27   Link #6
SeijiSensei
AS Oji-kun
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by LKK View Post
I still have a few copies of delivery failure notices in my box. I'll see what sort of info I can glean from them. I'll also look into rootkit detectors. Thanks for the advice!
What would be even more useful are complete copies of the messages that the people in your address book received. It's often hard to get mail programs to provide the complete message with all the headers. (In Thunderbird, it's right there under View > Message Source.) You'll know if you have a complete message because the top line will begin with "Return-Path:". After that comes a list of "Received:" headers reporting every mail exchanger through which the message passed. You're especially interested in the last of these, since that will give you the identity of the originating server.

Here's a sample of what you're looking for from one of the thousands of spams I filter each day:

Received: from sh79.grapeanswer.info(66.197.229.227) via SMTP by mail.example.com, id smtpdt6X87v; Fri Apr 30 06:21:10 2010

The exact text of the message will vary depending on the server software the recipient's ISP uses. Regardless of the format, you should see both the hostname and the IP address of the originating host. This one looks to be coming from a server in a hosting facility rather than the usual army of compromised spambots in homes and offices.
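The header walk SeijiSensei describes, as an added example that is not part of any post in this thread: check that the copy starts with "Return-Path:", collect the "Received:" headers, and pull the hostname and IP out of the last one (the originating server). The message below is constructed for the example, with the thread's own sample Received: line as the oldest hop; all other hostnames and IPs are made up.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample of a complete spam copy as the thread describes it:
# "Return-Path:" on the top line, then one "Received:" header per hop,
# newest hop first. Only the last Received: line is from the thread.
SAMPLE = """\
Return-Path: <victim@example.net>
Received: from mx1.example.com ([192.0.2.10])
\tby mailbox.example.org with ESMTP id 7Gk3Hn; Fri, 30 Apr 2010 06:21:12 -0400
Received: from sh79.grapeanswer.info(66.197.229.227) via SMTP by mail.example.com, id smtpdt6X87v; Fri Apr 30 06:21:10 2010
From: victim@example.net
To: friend@example.org
Subject: check this out

body text
"""

# "from <host> (<ip>)" in a Received: header. Server software varies: the IP
# may be glued to the hostname (as in the thread's sample) or in [brackets].
RECEIVED_FROM = re.compile(
    r"from\s+(?P<host>[A-Za-z0-9.-]+)\s*\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?",
    re.IGNORECASE,
)


def is_complete_message(raw: str) -> bool:
    """A full copy with all headers begins with Return-Path:, as the post says."""
    return raw.startswith("Return-Path:")


def received_chain(raw: str) -> List[str]:
    """Received: headers in file order (newest hop first), folding collapsed."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def originating_host(raw: str) -> Optional[Tuple[str, str]]:
    """Hostname and IP from the last Received: header, i.e. the first hop."""
    chain = received_chain(raw)
    if not chain:
        return None
    m = RECEIVED_FROM.search(chain[-1])
    return (m.group("host"), m.group("ip")) if m else None


if __name__ == "__main__":
    print("complete copy:", is_complete_message(SAMPLE))
    for i, hop in enumerate(received_chain(SAMPLE), 1):
        print(f"hop {i}: {hop}")
    print("originating host:", originating_host(SAMPLE))
```

The hostname is whatever the sending server claimed; the IP in parentheses is what the receiving server actually saw, so it is the value to trust when the two disagree.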
Old 2010-05-03, 23:36   Link #7
Vexx
Obey the Darkly Cute ...
*Author
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
Aye... several of the Return to Sender messages I've received have been worthless because the ISP bouncing the forged mail stupidly snips off the SMTP headers. They usually get a snarky F.U. letter suggesting their autobot not cut off the headers or not bother sending the auto-whine. (my own BOFH moments)
Old 2010-05-04, 07:36   Link #8
demonix
Senior Member
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 44
Quote:
Originally Posted by Vexx View Post
It may not even be "coming from your account". Someone simply harvested your email address and used it to *forge* email from their own system.
It could also be that the OP uses the same password for the e-mail account for another site (which uses the e-mail address as a login ID) and that site has been compromised to send that data to a third party who then uses it to send out spam (this is probably the most logical explanation).

The best way to check is to look at those delivery failure notices and see if they have any information on the source of the sender (if it actually got sent through the AOL web mail system). They should also tell you the reason why the delivery failed and the IP address of the sender (if the IP address is from a known spammer, the reason for delivery failure would be an untrusted IP address).
Old 2010-05-04, 07:58   Link #9
LKK
Senior Member
Join Date: Nov 2006
Location: Virginia, USA
Age: 62
Thanks for all the advice, everyone. I'm going to research the headers more thoroughly. I don't think I know anyone who still has some of the spam that they could forward back to me to examine. But if it happens again (Heaven forbid!), I'll ask a friend to send me back the email.
Old 2010-05-11, 17:51   Link #10
synaesthetic
blinded by blood
*Author
Join Date: Jun 2009
Location: Oakland, CA
Age: 40
Vexx, do you know if there's any way to make gmail display the e-mail header by default? It gets annoying to always have to click to show it.