How Save Headers From Suspect Email?


3 replies to this topic

#1 X52004

X52004

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 25 May 2007 - 07:52 AM

The short version of my question is: can I somehow save an email that was sent by Flixster spam, and especially save the headers of this email? Or does keeping a copy of such things on my PC create some kind of security risk? I don't want to lose all this data because it took two weeks to find out that I did not have a Trojan, but was being spoofed after a friend of mine apparently gave one of my e-addresses to Flixster, who then spammed me. The longer version is below in case someone would be willing to comment on the details.

My primary PC is a Dell XPS 410 with Vista Home Premium running Office 2007 (plus an XPS 600 with XP Pro SP2 at the office and a Latitude laptop with XP Pro SP2). Using a router and the current version of NIS has sheltered me from security problems for several years, so the learning curve of all the current issues has been a challenge. Of late there have been emails that seemed difficult to explain. On March 16 I received a suspicious email from a friend that involved Flixster. For one of the only times in my life, I clicked on the Flixster link inside the email. The body of the text starts with the Flixster web address and then /serviet/invite/650915076azaA650923531Btlkhln3CM. As the investigation has developed, I now believe that my friend gave one of my e-addresses to Flixster and that when I clicked on the link inside the email it opened me to being spoofed. Circa May 14 and then May 23, I received email sent using my personal primary e-address and my photo. I have very few photos in Outlook 2007 and that is one of them. The one that arrived May 23 had the heading "Daily News 975609" followed by "Investor Petra", then my e-address with photo in the upper right hand corner. This email was also flagged as high importance. The body of the email was a graphic blocked by Outlook, so I do not know what it said since I quickly deleted the email, which also means I did not get the headers.

This is not an AOL, Yahoo, et al. account, but one tied to my small academic web. I will say that when I had a "catch-all" e-address for my little academic web, some days I would delete 700 rejected emails because a variation of my email was spoofed by spammers and the return messages were from undelivered email. But when I still monitored those errant emails, I don't remember them using my actual address and certainly not my photo. I have been proactive since getting the first email with my photo. I have done multiple scans with NIS 2007, Symantec AV (Enterprise edition at the office), Spybot, Ad-Aware Personal SE Edition, Vista Defender, AVG Anti-Spyware, eTrust Antivirus, Stinger, Trend Micro HouseCall 6.6, SUPERAntiSpyware and clean-up with PC Optimizer among others. In spite of all this, and having followed various suggested experiments, the only "infections" found were low-risk tracking cookies (SUPERAntiSpyware caught 171 such cookies). The early reviews were that a Trojan must be involved. That was partly influenced by the fact that I originally thought the Flixster email was generated by a wrong version of my friend's e-address in my address book (which I learned last night is likely not the case). But no Trojan showed up in the HJT logs, and the worst infection found by all the scans was the Adware BestOffer, which I hope is truly gone because it showed up on all three of my computers. I don't want to do a clean install of all three computers to make sure about this. Anyway, the current conclusion (friend gave address to Flixster, then I triggered spoof) might be correct, but if I have further problems and complications I would like to have access to the original data. Thus the question arises about how to save the original email and headers in case they are needed in subsequent analysis. I am assuming that simply leaving the original email in Vista's Microsoft mail is a security risk.

I did find it curious that when I tried to send the headers to a specialist for analysis, my ISP blocked the outgoing email on the grounds that the message contained spam. Now I wonder how it missed it coming in, because even Barracuda, which filters spam on this account, shows in the headers that it was spam. Specifically, my Barracuda "spam firewall" report says: "0.28 MAIL_TO_SPAM_ADDR URI: Includes a link to a likely spammer email". It also shows the reply email as "bounce@flixster.com".



#2 X52004

X52004

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 25 May 2007 - 10:02 AM

Well, I just got another email claiming to be sent from my e-address and using my photo. Is there some place I can copy the headers and have them analyzed to make sure this is just spoofing? The headers make no mention of Flixster.

#3 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 25 May 2007 - 01:07 PM

Once your username gets listed with a spammer it is public and "beyond your reach" and will likely persist for quite some time.
Activity may subside over time if you continue to delete and remain non-responsive to the emails.
If you respond to even one, it is more likely that additional spam will be heading your way.
_______

Of possibly greater concern is that your prior one-time "click" could have infected your machine, which now may be generating spam emails (also infected) to others of your online associates. Alternatively, the machine of one of your online associates may be infected and may be generating emails to their own Address Book where you are listed.
Might be helpful for you to alert the folks that may be involved.

You describe a sequence of attempts to clean your machine using well respected antimalware tools.
Hopefully you've been successful.
You may benefit from posting your machine's HJT Log over in our Malware Removal Forum for expert advice, if you have not already done so.
_________

As to sending the header to an analyst:
Just "zip" the header information to make it safe to attach.
(Note: the above is an example of "why not" to open "zipped attachments".)

Not sure what you're hoping to accomplish by "analyzing" the header information.
If you "find" the spammer, what do you hope to do?
Spammers are more likely to disappear and re-emerge from a new address than to politely apologize and then cease and desist.

One method used by spammers is to include a line in their email allowing the recipient to opt-out or un-enroll from the offer.
If you do reply with a request to "opt-out" you are simply confirming that they "have a live one".
You may, in fact, stop receiving emails from that particular offer, but later find that your email address has been sold to a more widely distributed listing for spammers, with a resultant onslaught of new offers.

In general, the best response to Spam is No Response at all.

Best Regards

#4 X52004

X52004

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 25 May 2007 - 05:02 PM

Once your username gets listed with a spammer it is public and "beyond your reach" and will likely persist for quite some time.
Activity may subside over time if you continue to delete and remain non-responsive to the emails.
If you respond to even one, it is more likely that additional spam will be heading your way.
_______

Of possibly greater concern is that your prior one-time "click" could have infected your machine, which now may be generating spam emails (also infected) to others of your online associates. Alternatively, the machine of one of your online associates may be infected and may be generating emails to their own Address Book where you are listed.
Might be helpful for you to alert the folks that may be involved.

You describe a sequence of attempts to clean your machine using well respected antimalware tools.
Hopefully you've been successful.
You may benefit from posting your machine's HJT Log over in our Malware Removal Forum for expert advice, if you have not already done so.
_________

As to sending the header to an analyst.
Just "zip" the header information to make it safe to attach.
(note: The above is an example of "why not" to open "zipped attachments".)

Not sure what you're hoping to accomplish by "analyzing" the header information.
If you "find" the spammer, what do you hope to do?
Spammers are more likely to disappear and re-emerge from a new address, than to politely apologize and then cease and desist.

One method used by spammers is to include a line in their email allowing the recipient to opt-out or un-enroll from the offer.
If you do reply with a request to "opt-out" you are simply confirming that they "have a live one".
You may, in fact, stop receiving emails from that particular offer, but later find that your email address has been sold to a more widely distributed listing for spammers with a resultant onslaught of new offers.

In general, the best response to Spam is No Response at all.

Best Regards


Thanks for a quick and helpful response. I have now posted a HJT log in the appropriate forum.

I have often taken the path of ignoring spam and sometimes giving up, but these increased emails with my address and photo bother me the most. I suppose I am simply being distracted by the photo, which is not the central concern when looking for infected files on a PC.

In terms of the headers, a friend wanted to see them implying that she could determine if the email was simple spam or spoof or something more malicious.
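The thread asks two practical things: how to keep a suspect message's headers for later analysis without keeping the risky part (the body), and what a header review of a "sent from my own address" message actually shows. The script below is an added example written for this page, not code from the forum or any of its members. It assumes the suspect message has been saved from the mail client as a raw RFC 5322 file (an .eml); the message embedded here is constructed for the demo, with example addresses and documentation IP ranges rather than anything from the thread. It separates the header block from the body, stores only the headers in a zip (Doug's suggestion for a safe attachment), and summarises the routing: the visible From address, the Return-Path the bounces go to, and the chain of Received hops from origin to the recipient's server. A From address that does not match the Return-Path, with an origin hop the recipient's own mail server never used, is the typical signature of a spoofed sender rather than a compromised mailbox.

```python
"""Keep only the headers of a suspect email and summarise its routing.

Added example for this thread (not code from the forum or its members).
Assumes the message was saved from the mail client as a raw .eml file;
SAMPLE_EML below is constructed for the demo.
"""
import io
import re
import zipfile
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the From header claims the recipient's own address,
# the Return-Path points at a bulk mailer, and two Received hops record
# where the message really entered the recipient's mail system.
SAMPLE_EML = b"""Return-Path: <bounce@example-bulkmailer.invalid>
Received: from mx2.example.net (mx2.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123;
\tFri, 25 May 2007 07:30:00 -0500
Received: from unknown (HELO relay.example-bulkmailer.invalid) (198.51.100.7)
\tby mx2.example.net with SMTP;
\tFri, 25 May 2007 07:29:55 -0500
From: "Investor Petra" <me@example.org>
To: <me@example.org>
Subject: Daily News 975609
Importance: high
Content-Type: text/html

<html><body><img src="http://example-bulkmailer.invalid/track.gif"></body></html>
"""


def split_headers(raw: bytes) -> str:
    """Return the header block as text. RFC 5322 ends the headers at the
    first empty line; everything after it (HTML, tracking images,
    attachments) is dropped, so the saved copy carries no payload."""
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    head, _sep, _body = text.partition("\n\n")
    return head + "\n"


def summarize_headers(header_text: str) -> dict:
    """Compare the visible sender with the bounce address and list the
    Received chain in delivery order (origin first)."""
    msg = message_from_string(header_text, policy=policy.compat32)

    def unfold(value: str) -> str:
        # compat32 keeps the folding whitespace; collapse it for matching
        return " ".join(value.split())

    from_addr = parseaddr(unfold(msg.get("From", "")))[1]
    return_path = parseaddr(unfold(msg.get("Return-Path", "")))[1]
    hops = []
    for received in msg.get_all("Received", []):
        match = re.match(r"from\s+(\S+)", unfold(received))
        hops.append(match.group(1) if match else "?")
    # Each relay prepends its Received line, so the newest is first;
    # reverse to read the path origin -> recipient's server.
    hops.reverse()
    return {
        "from": from_addr,
        "return_path": return_path,
        "path": hops,
        "sender_mismatch": from_addr.lower() != return_path.lower(),
    }


def archive_headers(raw: bytes, name: str = "headers.txt") -> bytes:
    """Pack the headers-only text into a zip archive and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, split_headers(raw))
    return buf.getvalue()


def list_archive(zip_bytes: bytes) -> dict:
    """Read an archive back as {member name: content} for inspection."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


if __name__ == "__main__":
    report = summarize_headers(split_headers(SAMPLE_EML))
    for key, value in report.items():
        print(f"{key}: {value}")
    with open("suspect-headers.zip", "wb") as fh:
        fh.write(archive_headers(SAMPLE_EML))
```

Run it on the sample and the report shows From as me@example.org, Return-Path as bounce@example-bulkmailer.invalid, the path as unknown then mx2.example.net, and sender_mismatch True. To use it on a real message, replace SAMPLE_EML with the bytes of the saved .eml; the headers file in the zip is plain text and can be read in any editor, and because the body is never written out, keeping the archive does not keep the blocked graphic or any attachment.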
