Computer Newbies forum

General discussion

People receiving emails "from me" that I never sent.

by obsessed / August 10, 2004 7:16 AM PDT

I am assuming this is some kind of worm, but don't know how to find it or stop it. Typically, what happens is that someone asks me what's in the attachment I supposedly sent them, and I have to tell them, "Don't open it, I never sent you anything." Or I get returned mail as undeliverable, again, that I never sent, sometimes to people I don't even know. I have both AVG free version and Norton AntiVirus 2004, which I keep up-to-date, and the scans come up clean. I also have those dummy worm alert addresses at the beginning of my address book that I thought were supposed to prevent this sort of thing.

I have AOL (my ISP is also AOL), Windows XP home.

Here's why.
by R. Proffitt Forum moderator / August 10, 2004 7:37 AM PDT

A person you may or may not know that has your address in their address book has an emailing worm/virus. You are unlikely to be infected, but someone who has your email address could be.

Bob

What to do about it?
by obsessed / August 10, 2004 7:49 AM PDT
In reply to: Here's why.

Is it necessarily the person who receives this email "from me" who has the worm? Or can it be someone who actually did send it to this person with my address in the return address spot? And how do I protect the people I do email so that they know that an email actually came from me?

If nothing else, tell them that you
by Ray Harinec / August 10, 2004 7:58 AM PDT
In reply to: What to do about it?

will never send them an attachment without some form of prior agreement. If they open attachments that's their fault.

Very unlikely that you will find the culprit if you are popular and in many people's address book.

Re: What to do about it?
by Mighty / August 10, 2004 12:17 PM PDT
In reply to: What to do about it?

No, it's not the person who receives the email who has the virus/worm. It's a third party. It may be someone you don't even know.

Let's say a friend of yours finds a fun joke email and sends it to you and ten other people. Two of those people like it and forward it on to ten people they know. Your email is in the forwarded email. A few of those people forward it to some of their friends, and so on. Within a couple of forwards your email address might be on 50 computers of people you've never heard of.

Some viruses limit themselves to the address book. But some instead scan emails, doc files and text files and pick out emails from those.

When the virus sends itself on it picks a return address at random for each copy it sends. So every once in a while your address will end up in the return address of the outgoing virus or spam mail.

Usually someone will complain about the offending machine to that user's ISP and it'll get cut off until they get it fixed. My experience is that usually happens within a few days. The longest for me was about two weeks. It flares up every month or so when a new virus is released, but usually dies back down quickly.

If it lasts longer than a couple of weeks then you might want to enlist some help in tracking down the offending machine and get the ISP to force them to fix it.

Re: What to do about it?
by obsessed / August 11, 2004 4:10 AM PDT

You say:
Usually someone will complain about the offending machine to that user's ISP and it'll get cut off until they get it fixed. My experience is that usually happens within a few days. The longest for me was about two weeks. It flares up every month or so when a new virus is released, but usually dies back down quickly.

If it lasts longer than a couple of weeks then you might want to enlist some help in tracking down the offending machine and get the ISP to force them to fix it.
-----------------
Well, if you don't know where it originated, how do you complain to the user's ISP?
And how do you enlist help in tracking down the offending machine? I don't even know how or where to start on this search mission.

Re: What to do about it?
by Mighty / August 11, 2004 6:37 AM PDT

How long has this been going on? Most of the time, that person's machine will also send an email to someone who already knows how to track down the source and it'll get taken care of for you. So my advice is to just ride it out. But, if you really have been dealing with this for very long then we can help you get at the headers in your email software and then you can post them here and we'll help you decipher one.

Generally speaking, the headers of an email record a trail back to the source. For a spam or virus from a zombie the original source is likely an IP address that you can look up at www.arin.net. From there, you can find the ISP that corresponds to that IP address and you can send an email to their abuse address.

With bounced emails, you need to make sure you're looking at the header to the original email, and not the header of the bounce notification from the receiving email server. Some servers forward the bounced email to you, thus there's only one set of headers. Some servers wrap up the original email in an attachment and attach that to the bounce notification, which is a brand new email.

It's one of those things that looks a lot more complicated at first than it really is. It's actually pretty straightforward.

Drake
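
The header tracing described in the post above, as an added example that is not part of the original thread: it reads the Received trail of the original message whether the bounce carries it directly or wraps it as an attachment. The sample bounce, its hosts and addresses are constructed, and the function names are illustrative; Received lines added before the first server you trust can be forged, so treat the result as a lead.

```python
import email
import re
from email import policy

# Constructed sample bounce; every host and address is a documentation value.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org; Tue, 10 Aug 2004 09:00:05 -0700
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery to nobody@example.net failed.
--BOUND
Content-Type: message/rfc822

Received: from relay.example.com (relay.example.com [192.0.2.25])
 by mx.example.net; Tue, 10 Aug 2004 09:00:01 -0700
Received: from unknown (dialup-17.isp.example [203.0.113.45])
 by relay.example.com; Tue, 10 Aug 2004 08:59:58 -0700
From: you@example.org
Subject: Your document

See attachment.
--BOUND--
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_message(msg):
    """Return the wrapped original if the bounce attaches one, else msg itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg

def origin_ip(raw, unwrap=True):
    """IP recorded on the oldest Received hop (headers are prepended, so read bottom-up)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if unwrap:  # trace the original mail, not the bounce notification
        msg = original_message(msg)
    for hop in reversed(msg.get_all("Received", [])):
        found = BRACKETED_IP.search(str(hop))
        if found:
            return found.group(1)
    return None
```

Calling `origin_ip(BOUNCE, unwrap=False)` reads the bounce notification's own headers and returns the bouncing server instead of the sending machine, which is the mistake the post warns about.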

Re: People receiving emails
by juditte / August 11, 2004 2:38 AM PDT

The most likely reason is that your email is in someone else's computer address book and they have a virus/worm on their system. It is sending its nasty payload out to everyone in their address book but using your address (and probably a few other innocent victims) as the sender in order to cover its tracks. Finding where it could actually be coming from is very difficult. If you are sure your computer is clean of "nasties" you just have to ignore it and respond as you have to those people who query you with the above explanation.

I recommend that you install a software firewall such as the Norton one or Zone Alarm (which has a free version) or one of the others available. Then set it so that it gives you an alert for every attempt to come or go from your system. It takes time for a while but it is very informative and you might have a few surprises. Then I highly recommend that you start proselytizing amongst all of your contacts that they also have both an AV and a Firewall installed on their computers. Once you all get used to using these tools and everyone's systems are cleaned up then you should see a decrease in these "spoofed" malware emails.

And by the way I highly recommend doing at least weekly checks of your system for spy and adware. Try Spybot S&D and Adware. If you like them then contribute. You can Google any of these products to find the websites for download. Unfortunately with all the nonsense out on the net we have to do a lot of housekeeping on our computers to improve the whole experience.
Good luck
Juditte

Re: People receiving emails
by obsessed / August 11, 2004 4:07 AM PDT

Thanks for the great advice... I do have Adaware and run it regularly, as well as the free version of ZoneAlarm (now that I've settled on version 4.5 I've eliminated all the aggravation from later versions), but what exactly do you mean when you say I might find some surprises in the alerts? I am not sure what to look for when I see the alerts, and what I should be making of all the IP addresses. Just looks like a bunch of numbers to my untrained eyes.

About those alerts, Obsessed:
by Paul C / August 11, 2004 11:37 PM PDT

They're actually not that hard to figure out.

Let's for example pull 3 entries from my Zone Alarm log:

1. ACCESS,2004/08/12,05:30:14 -5:00 GMT,Messenger was blocked from connecting to the Internet (205.188.146.146:DNS).,N/A,N/A

What we have here is an attempt of a program - in this case, Windows Messenger (a well-known channel for SPAM) to "phone home". I have ZA set to prevent this from happening, so this is logged every time WM tries to connect.

2. FWIN,2004/08/12,04:57:10 -5:00 GMT,4.255.29.181:28009,172.132.77.31:1026,UDP; FWIN,2004/08/12,05:00:58 -5:00 GMT,218.85.231.48:1069,172.132.77.31:1023,TCP (flags:S)

These are two attempts to reach my PC from the outside that the firewall has blocked. In the first example, the machine seeking access used the User Datagram Protocol (UDP); the second used the Transmission Control Protocol (TCP). Both these methods bypass the main network protocols and were designed to transfer streams of data securely, making them ideal for the unscrupulous among us to send garbage. The first string of numbers is the IP address of the sending machine (where it's located on the Web). The second string is my IP address at the time of the intrusion (since I'm on dialup, my IP address changes every time I go online).

This is oversimplified, Obsessed, but I post it just so you can get an idea of what the firewall is actually doing. In practice, your concern with malware on your PC is limited to programs trying to "phone home". When ZA tells you that a program is requesting access to the Internet - or potentially worse, trying to set itself up as a server - you should make darn sure that you in fact want that program to access the Web. If not, block it and tell ZA to remember that in the future.

If you're not sure, block it without telling ZA to remember it, check it out here or by Googling the application, and then decide.

In the case of your email dilemma, none of this is of any practical use. As others have noted, the probability is very high that the emails being sent out in "your name" are probably originating from the PC of someone who's not even on your address book...
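
A small parser for the two entry shapes quoted in the post above (ACCESS and FWIN), added here as an example and not part of the original thread. It separates blocked inbound packets from local programs that tried to connect out; the field layout is inferred only from those three quoted lines, and the function names are illustrative.

```python
import re

# The three log entries quoted in the post above, one per line.
SAMPLE_LOG = """\
ACCESS,2004/08/12,05:30:14 -5:00 GMT,Messenger was blocked from connecting to the Internet (205.188.146.146:DNS).,N/A,N/A
FWIN,2004/08/12,04:57:10 -5:00 GMT,4.255.29.181:28009,172.132.77.31:1026,UDP
FWIN,2004/08/12,05:00:58 -5:00 GMT,218.85.231.48:1069,172.132.77.31:1023,TCP (flags:S)
"""

ACCESS_MSG = re.compile(
    r"(?P<program>.+?) was blocked from connecting to the Internet \((?P<dest>[^)]+)\)")

def parse_entry(line):
    """Parse one entry; returns None for any shape other than the two shown in the post."""
    parts = line.strip().split(",", 3)
    if len(parts) < 4:
        return None
    kind, date, time, rest = parts
    entry = {"kind": kind, "date": date, "time": time}
    if kind == "FWIN":  # inbound packet the firewall dropped
        fields = rest.split(",")
        if len(fields) != 3:
            return None
        src, dst, proto = fields
        entry["src_ip"], _, entry["src_port"] = src.rpartition(":")
        entry["dst_ip"], _, entry["dst_port"] = dst.rpartition(":")
        entry["proto"] = (proto.split() or [""])[0]
        entry["syn"] = "flags:S" in proto  # TCP connection attempt
        return entry
    if kind == "ACCESS":  # a local program tried to reach the Internet
        found = ACCESS_MSG.match(rest)
        if found:
            entry.update(found.groupdict())
            return entry
    return None

def summarize(log_text):
    """Return (inbound, outbound): blocked probes by source, blocked programs by destination."""
    inbound, outbound = {}, {}
    for e in filter(None, map(parse_entry, log_text.splitlines())):
        if e["kind"] == "FWIN":
            key = (e["src_ip"], e["proto"], e["dst_port"])
            inbound[key] = inbound.get(key, 0) + 1
        else:
            key = (e["program"], e["dest"])
            outbound[key] = outbound.get(key, 0) + 1
    return inbound, outbound
```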
