
Thread: Zombie


  1. #1
    Li'l Abner Guest

    Zombie

    I have a Dell Windows XP SP3 here that has been spewing SPAM email. The
    owner has been warned by his ISP. I must be Googling for the wrong thing
    because all I can find about it is that it happens but no advice on what to
    do about it. There's detection tools to use on networks, routers, servers,
    etc. but nothing about the individual computer except for a couple of those
    "wipe it and start over" replies. I've done a full scan with MSE, MBAM,
    SAS, and ComboFix. MSE found nothing, MBAM found 18 MyWebSearch and 2
    Trojan Vundo, SAS found a bunch of tracking cookies, and Combofix found
    nothing at all.
    For starters, how can I detect if the computer is still sending it?
    If it is, is it a virus or some kind of malware? What does it take to get
    rid of it?

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:
    > I have a Dell Windows XP SP3 here


    What does 'here' mean to you?

    > that has been spewing SPAM email.


    How do you know? What is the evidence?

    > The owner has been warned by his ISP.


    So presumably/maybe there has been spam evidence provided to the ISP
    abuse address -or- the ISP (maybe) sees network traffic profile and
    notifies the IP user -or- something else. You are leaving out a lot of
    important background and evidence details.

    > I must be Googling for the wrong thing because all I can find about
    > it is that it happens but no advice on what to do about it.


    Should we assume that -1- in the beginning the owner/user was notified
    by hir provider that s/he was sourcing spam and then -2- that owner/user
    brought their computer to you to clean it up?

    Or should we assume something else? What is going on here?

    > There's detection tools to use on networks, routers, servers, etc.
    > but nothing about the individual computer except for a couple of
    > those "wipe it and start over" replies.


    You could examine it thoroughly to see what you could find for the fun
    of it. You could even wonder if there were something funky with the
    BIOS while you were wondering about the bootsector.

    For investigation purposes, it would be very very useful to know what
    evidence there is that this machine had been doing bad. What is the
    evidence against the machine - precisely? Or just evidence against the
    owner/user's IP address?

    > I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    > nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    > bunch of tracking cookies, and Combofix found nothing at all.


    Negative information doesn't help very much.

    > For starters, how can I detect if the computer is still sending it?


    Still sending *WHAT*? What is the evidence? Maybe there is some kind
    of misinformation floating around. People make all kinds of 'mistakes'
    about spam and such.

    As a hypothetical example; maybe the owner/user is using a wireless
    broadband gateway. Maybe someone in their neighborhood is usurping
    their broadband wireless connectivity and spamming or whatever
    intentionally or otherwise. Maybe the machine you are investigating is
    clean and you need to be investigating the neighborhood machine spewing
    from the user/owner's IP.

    > If it is, is it a virus or some kind of malware? What does it take to get
    > rid of it?


    More information, more information.


    --
    Mike Easter

  3. #3
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8lfirfFi0tU1@mid.individual.net:

    > Li'l Abner wrote:
    >> I have a Dell Windows XP SP3 here

    >
    > What does 'here' mean to you?
    >
    >> that has been spewing SPAM email.

    >
    > How do you know? What is the evidence?


    I got a spam email from him myself. His friends have also complained.
    His ISP threatened to blacklist him if it doesn't stop. Actually, he is
    moving home from another area and will soon be hooked up to OUR ISP. And I
    know for a fact they'll blacklist him if he spews email.
    >
    >> The owner has been warned by his ISP.

    >
    > So presumably/maybe there has been spam evidence provided to the ISP
    > abuse address -or- the ISP (maybe) sees network traffic profile and
    > notifies the IP user -or- something else. You are leaving out a lot of
    > important background and evidence details.


    This is all that he has told me. I have no doubt the computer was spewing
    email.

    >> I must be Googling for the wrong thing because all I can find about
    >> it is that it happens but no advice on what to do about it.

    >
    > Should we assume that -1- in the beginning the owner/user was notified
    > by hir provider that s/he was sourcing spam and then -2- that
    > owner/user brought their computer to you to clean it up?


    Yes.
    >
    > Or should we assume something else?


    NO

    > What is going on here?


    I'm asking for some help :-)
    >
    >> There's detection tools to use on networks, routers, servers, etc.
    >> but nothing about the individual computer except for a couple of
    >> those "wipe it and start over" replies.

    >
    > You could examine it thoroughly to see what you could find for the fun
    > of it. You could even wonder if there were something funky with the
    > BIOS while you were wondering about the bootsector.
    >
    > For investigation purposes, it would be very very useful to know what
    > evidence there is that this machine had been doing bad. What is the
    > evidence against the machine - precisely? Or just evidence against the
    > owner/user's IP address?
    >
    >> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >> bunch of tracking cookies, and Combofix found nothing at all.

    >
    > Negative information doesn't help very much.
    >
    >> For starters, how can I detect if the computer is still sending it?

    >
    > Still sending *WHAT*? What is the evidence? Maybe there is some kind
    > of misinformation floating around. People make all kinds of
    > 'mistakes' about spam and such.
    >
    > As a hypothetical example; maybe the owner/user is using a wireless
    > broadband gateway. Maybe someone in their neighborhood is usurping
    > their broadband wireless connectivity and spamming or whatever
    > intentionally or otherwise. Maybe the machine you are investigating
    > is clean and you need to be investigating the neighborhood machine
    > spewing from the user/owner's IP.


    The spam I got from him had his own return email address, as did the others
    who complained to him. How would they have known who to complain to if it
    didn't come from his email address. You think his neighbor's machines would
    send out email with *his* return address?

    >
    >> If it is, is it a virus or some kind of malware? What does it take to
    >> get rid of it?

    >
    > More information, more information.


    It's 45.3 F, 66% humidity and the wind is E at 2.9 mph.
    Forget it.

    --
    --- Everybody has a right to my opinion. ---

  4. #4
    VanguardLH Guest

    Re: Zombie

    Li'l Abner wrote:

    > Mike Easter wrote:
    >
    >> Li'l Abner wrote:
    >>
    >> I got a spam email from him myself. His friends have also complained.
    >> His ISP threatened to blacklist him if it doesn't stop. Actually, he
    >> is moving home from another area and will soon be hooked up to OUR
    >> ISP. And I know for a fact they'll blacklist him if he spews email.


    Did you inspect the headers to see if the spam e-mail actually
    originated from this user? The From and Reply-To path are *data*
    headers added by the sender's e-mail client, not by a mail server. They
    can contain whatever value the sender wants to put in those headers.
    Extremely rare are mail servers that require the sender specify the
    account in their From header through which they send an e-mail.

    We would have to know what is the e-mail service provider (ESP) for your
    user. We would also have to see the evidence of the spam e-mail but
    just the headers is sufficient (munge out the username but not the
    domain name in any e-mail addresses for the user, if present and
    actually their own, and for any of the victimized recipients).

    >> The owner has been warned by his ISP.


    That the e-mail provider warned him of spam abuse reports simply means
    they received spam abuse complaints. That doesn't mean they
    interrogated the headers to determine that this user was the one that
    actually sent the spam. Most users are boobs when it comes to reviewing
    the headers of an e-mail (few even bother to actually look). They just
    go by what is shown in the From header and assume that the sender would
    never lie as to who they are. Yeah, sure, spammers never lie about
    their e-mail address, uh huh.

    >> So presumably/maybe there has been spam evidence provided to the ISP
    >> abuse address -or- the ISP (maybe) sees network traffic profile and
    >> notifies the IP user -or- something else. You are leaving out a lot of
    >> important background and evidence details.

    >
    > This is all that he has told me. I have no doubt the computer was spewing
    > email.


    So with those network monitoring tools you claim to have, did you check
    the traffic from this user's host to filter on and check for their
    e-mail volume? So far, basing your "evidence" on what the user said
    which provided no actual details then you do NOT know there is spam
    coming from this host. Since any sender - you, the user, the spammer, a
    malcontent, another employee, ANYONE - can put anything they want in the
    From header (because it is *data* added by the sender's e-mail client as
    the sender configured it themself), you don't know from where the spam
    originated.

    So just what network tools have you actually used to monitor this user's host
    regarding e-mail volume and recipients? Have you used any packet
    sniffing tool to check how much traffic goes to e-mail ports (i.e.,
    which traffic goes to mail servers)? Have you checked the recipients
    specified in the RCPT-TO commands sent by this host to the mail server
    (assuming they weren't SSL/TLS connects)?

    If YOU aren't managing the mail server used by this accused user, how do
    you know that his account with some other ESP has not been hacked?
    Maybe he used a weak password. Maybe he divulged his login credentials
    in reaction to some phish mail. Maybe the login credentials were
    cracked using social engineering (e.g., a malicious site using CAPTCHA
    input from its porn-hungry users employs those users to do the grunt
    work of cracking passwords in the CAPTCHA screens of webmail providers).
    Did this user ever bother to change their login credentials (and, this
    time, use a STRONG password)? When they do change their password, also
    have them change the personal detail info because that gets used with
    the "Forgot Password" mechanism afforded by most ESPs.

    >> There's detection tools to use on networks, routers, servers, etc.
    >> but nothing about the individual computer except for a couple of
    >> those "wipe it and start over" replies.


    I have never seen a packet sniffer utility recommend some "wipe and
    restart" notice. If this host is on a corporate network, why aren't
    they monitoring their traffic down to each host? There would be little
    value in some generic volume statistics that didn't help resolve
    problems down to the sources for those problems.

    If instead this host was brought to you where you don't have a
    corporate-level network and monitoring tools setup then why not go look
    on the host as to what is making all the network connections? There are
    plenty of on-host monitoring utilities available, like SysInternals'
    TCPview. However, it's probably better not to disturb the software
    configuration on the problematic host and instead sniff the traffic by
    having that host's traffic go through a gateway or router host where you
    can separately monitor its traffic (but you won't know which process
    generated the traffic but you'll know to where that traffic goes and
    what it contains if not encrypted).

    >>> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >>> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >>> bunch of tracking cookies, and Combofix found nothing at all.


    It may not be known malware doing the spamming. Could be a zero-day
    pest. While some security programs monitor the behavior of the e-mail
    clients (to see if they are spamming), not many spambots use the
    installed e-mail clients but instead make their own connects. If the
    pest can't be easily found by anti-malware products then it's time for
    you to monitor the behavior of the host. See what processes are making
    network connections, how often, for how long, and to where they connect.

    > The spam I got from him had his own return email address, as did the others
    > who complained to him. How would they have known who to complain to if it
    > didn't come from his email address. You think his neighbor's machines would
    > send out email with *his* return address?


    It doesn't appear you are adept at interpreting the headers of e-mails.
    Most e-mail users don't understand those headers (and there are some
    anomalies that I'm not used to for some ESPs). Sorry, but without the
    headers for *us* to inspect then we can't verify your conclusion that
    the spam e-mails actually came from this user's host or that they
    originated from this user's ESP. Please provide evidence in the form of
    the headers for the spam e-mails that are purporting coming from this
    user or their account. Leave domains intact (since those aren't
    sufficient for anyone to try cracking this user's account). Munge or
    X-out the usernames on the accounts (for sender and recipients) to
    protect their accounts from spambots that harvest e-mail addresses from
    Usenet posts. Make sure to include ALL headers, not just the ones you
    think are relevant.

    That the spam may originate from the user's account does NOT mean they
    originate from the user's host. How certain are you that the user's
    account hasn't been hacked? Spambots are handy but harder to get
    working on even partially secured hosts. It's pretty easy to send spam
    if you can hack into someone's account and directly use it for your
    spamming. However, considering how easy it is to get free e-mail
    accounts, it's usually easier to obtain those and spam from there (and
    lie about the sender's e-mail address).

  5. #5
    Li'l Abner Guest

    Re: Zombie

    VanguardLH <V@nguard.LH> wrote in news:icu964$257$1@news.albasani.net:

    > Li'l Abner wrote:
    >
    >> Mike Easter wrote:
    >>
    >>> Li'l Abner wrote:
    >>>
    >>> I got a spam email from him myself. His friends have also
    >>> complained. His ISP threatened to blacklist him if it doesn't stop.
    >>> Actually, he is moving home from another area and will soon be
    >>> hooked up to OUR ISP. And I know for a fact they'll blacklist him
    >>> if he spews email.

    >
    > Did you inspect the headers to see if the spam e-mail actually
    > originated from this user? The From and Reply-To path are *data*
    > headers added by the sender's e-mail client, not by a mail server.
    > They can contain whatever value the sender wants to put in those
    > headers. Extremely rare are mail servers that require the sender
    > specify the account in their From header through which they send an
    > e-mail.
    >
    > We would have to know what is the e-mail service provider (ESP) for
    > your user. We would also have to see the evidence of the spam e-mail
    > but just the headers is sufficient (munge out the username but not the
    > domain name in any e-mail addresses for the user, if present and
    > actually their own, and for any of the victimized recipients).

    Return-path: <name@msn.com>
    Authentication-Results: Moxie (my home webserver machine)
    from=name@msn.com
    Received: from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193])
    by whereIgetmymail.com (Moxie [127.0.0.1])
    (MDaemon.PRO.v8.0.1.R)
    with ESMTP id md50000019383.msg
    for <whereIgetmymail@alongthewapsie.com>; Sat, 23 Oct 2010 13:20:06 -0500
    Received: from <me@mywebsite.com>
    by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.5)
    with RULE id 15404969; Sat, 23 Oct 2010 13:20:02 -0500
    X-Autogenerated: Mirror
    Resent-From: <me@mywebsite.com>
    Resent-Date: Sat, 23 Oct 2010 13:20:02 -0500
    X-netINS-MPP: scanned
    X-CMAE-Analysis: v=1.1 cv=WxJF1VDbLPz87kwnK5Z6N9h/xFZv98MAp55Y8YjkWXE= c=1
    sm=0 a=iIA-D8pQHtsA:10 a=6mTG4oFJl2gA:10 a=rcPezLW4KkcA:10
    a=iIhfYXcc7WEA:10 a=sX4QNpHQAAAA:8 a=EYYNmg7Ii8W-6741qdoA:9 a=
    4EqpzSdUbuoDeUKPFykPi2e4rgUA:4 a=wPNLvfGTeEIA:10 a=yTWE7UZ2c4M_qe87r-0A:9
    a=ME_c6FR5cJdZpVCpFAwA:7 a=kB7mM4nxsM6OzWl_f3mySRcfIT4A:4
    a=I29xm3ipk0ty28YiwSULUA==:117
    Received: from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com)
    by cgpf2.cgp.netins.net (CommuniGate Pro SMTP 5.3.5)
    with ESMTP id 67075202 for me@mywebsite.com; Sat, 23 Oct 2010 13:20:02 -0500
    Received-SPF: pass
    receiver=cgpf2.cgp.netins.net; client-ip=65.55.116.26; envelope-from=name@msn.com
    Received: from BLU111-W17 ([65.55.116.8]) by blu0-omc1-s15.blu0.hotmail.com
    with Microsoft SMTPSVC(6.0.3790.4675);
    Sat, 23 Oct 2010 11:19:51 -0700
    Message-ID: <BLU111-W177D3FBDA7AA096FE3C4E9DF5F0@phx.gbl>
    X-Original-Return-Path: name@msn.com
    Content-Type: multipart/alternative;
    boundary="_d9e780f7-d2f2-4e83-8502-a5be660194c7_"
    X-Originating-IP: [89.102.206.74]
    From: Name <name@msn.com>
    To: <someoneelse@aol.com>, <name@msn.com>, <someoneelse@mi.is>,
    <someoneelse@msn.com>, <someoneelse@aol.com>,
    <someoneelse@yahoo.com>,
    <me@mywebsite.com>
    Subject:
    Date: Sat, 23 Oct 2010 18:19:51 +0000
    Importance: Normal
    MIME-Version: 1.0
    X-OriginalArrivalTime: 23 Oct 2010 18:19:52.0069 (UTC) FILETIME=[E2A0DB50:01CB72DE]
    X-Spam-Processed: Moxie, Sat, 23 Oct 2010 13:20:06 -0500
    (not processed: sender in recipient's private address book)
    X-MDRcpt-To: me@whereIgetmymail.com
    X-Rcpt-To: me@whereIgetmymail.com
    X-MDRemoteIP: 167.142.228.193 (netins.net email server)
    X-Return-Path: name@msn.com
    X-MDaemon-Deliver-To: me@whereIgetmymail.com (my machine, Moxie)

    hxxp://pefofebi.t35.com/ (website now blocked for phishing)

    To avoid confusion, I should point out that it was sent to my email address
    at a website I have that is hosted by my provider, which is Iowa Network
    Services (netins.net). All the mail that I get there is forwarded to my
    webserver I host myself at home (whereIgetmymail.com (Moxie))
    >
    >>> The owner has been warned by his ISP.

    >
    > That the e-mail provider warned him of spam abuse reports simply means
    > they received spam abuse complaints. That doesn't mean they
    > interrogated the headers to determine that this user was the one that
    > actually sent the spam. Most users are boobs when it comes to
    > reviewing the headers of an e-mail (few even bother to actually look).
    > They just go by what is shown in the From header and assume that the
    > sender would never lie as to who they are. Yeah, sure, spammers never
    > lie about their e-mail address, uh huh.
    >
    >>> So presumably/maybe there has been spam evidence provided to the ISP
    >>> abuse address -or- the ISP (maybe) sees network traffic profile and
    >>> notifies the IP user -or- something else. You are leaving out a lot
    >>> of important background and evidence details.


    OK, I have sent you a copy of the email. Hopefully I've munged the names
    and other stuff properly. Hey, I just maybe latched onto something here.
    The X-Originating IP (89.102.206.74) resolves to...
    Official name: ip-89-102-206-74.net.upcbroadband.cz
    Now that certainly isn't msn.com
    >>
    >> This is all that he has told me. I have no doubt the computer was
    >> spewing email.

    >
    > So with those network monitoring tools you claim to have, did you
    > check the traffic from this user's host to filter on and check for
    > their e-mail volume? So far, basing your "evidence" on what the user
    > said which provided no actual details then you do NOT know there is
    > spam coming from this host. Since any sender - you, the user, the
    > spammer, a malcontent, another employee, ANYONE - can put anything
    > they want in the From header (because it is *data* added by the
    > sender's e-mail client as the sender configured it themself), you
    > don't know from where the spam originated.


    No, I didn't claim to have any such tools. I had Googled and was looking
    for something to check the computer itself with; not the network. I now
    have it connected directly to the ISP. I am using a static IP (I work for
    the phone company) so if it gets blacklisted it'll be easy to trace. I have
    talked to netins tech support. They told me to just leave it hooked up and
    that if it was indeed spewing spam they'd know it within 24 hours. A third
    party outfit actually monitors that stuff and notifies them. Maybe
    spamhaus.org or one of those.

    >
    > So just what network tools have you actually used to monitor this user's
    > host regarding e-mail volume and recipients? Have you used any packet
    > sniffing tool to check how much traffic goes to e-mail ports (i.e.,
    > which traffic goes to mail servers)? Have you checked the recipients
    > specified in the RCPT-TO commands sent by this host to the mail server
    > (assuming they weren't SSL/TLS connects)?
    >
    > If YOU aren't managing the mail server used by this accused user, how
    > do you know that his account with some other ESP has not been hacked?
    > Maybe he used a weak password. Maybe he divulged his login
    > credentials in reaction to some phish mail. Maybe the login
    > credentials were cracked using social engineering (e.g., a malicious
    > site using CAPTCHA input from its porn-hungry users employs those
    > users to do the grunt work of cracking passwords in the CAPTCHA
    > screens of webmail providers). Did this user ever bother to change
    > their login credentials (and, this time, use a STRONG password)? When
    > they do change their password, also have them change the personal
    > detail info because that gets used with the "Forgot Password"
    > mechanism afforded by most ESPs.
    >
    >>> There's detection tools to use on networks, routers, servers, etc.
    >>> but nothing about the individual computer except for a couple of
    >>> those "wipe it and start over" replies.

    >
    > I have never seen a packet sniffer utility recommend some "wipe and
    > restart" notice.


    No, this was just a reply I got in another newsgroup about a similar
    problem some time back... :-) A lot of people think that's the easy way
    out.

    > If this host is on a corporate network, why aren't
    > they monitoring their traffic down to each host? There would be
    > little value in some generic volume statistics that didn't help
    > resolve problems down to the sources for those problems.
    >
    > If instead this host was brought to you where you don't have a
    > corporate-level network and monitoring tools setup then why not go
    > look on the host as to what is making all the network connections?
    > There are plenty of on-host monitoring utilities available, like
    > SysInternals' TCPview. However, it's probably better not to disturb
    > the software configuration on the problematic host and instead sniff
    > the traffic by having that host's traffic go through a gateway or
    > router host where you can separately monitor its traffic (but you
    > won't know which process generated the traffic but you'll know to
    > where that traffic goes and what it contains if not encrypted).
    >
    >>>> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >>>> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >>>> bunch of tracking cookies, and Combofix found nothing at all.

    >
    > It may not be known malware doing the spamming. Could be a zero-day
    > pest. While some security programs monitor the behavior of the e-mail
    > clients (to see if they are spamming), not many spambots use the
    > installed e-mail clients but instead make their own connects. If the
    > pest can't be easily found by anti-malware products then it's time for
    > you to monitor the behavior of the host. See what processes are
    > making network connections, how often, for how long, and to where they
    > connect.
    >
    >> The spam I got from him had his own return email address, as did the
    >> others who complained to him. How would they have known who to
    >> complain to if it didn't come from his email address. You think his
    >> neighbor's machines would send out email with *his* return address?

    >
    > It doesn't appear you are adept at interpreting the headers of
    > e-mails. Most e-mail users don't understand those headers (and there
    > are some anomalies that I'm not used to for some ESPs). Sorry, but
    > without the headers for *us* to inspect then we can't verify your
    > conclusion that the spam e-mails actually came from this user's host
    > or that they originated from this user's ESP. Please provide evidence
    > in the form of the headers for the spam e-mails that are purporting
    > coming from this user or their account. Leave domains intact (since
    > those aren't sufficient for anyone to try cracking this user's
    > account). Munge or X-out the usernames on the accounts (for sender
    > and recipients) to protect their accounts from spambots that harvest
    > e-mail addresses from Usenet posts. Make sure to include ALL headers,
    > not just the ones you think are relevant.


    Yep... did that above. In the process I discovered that
    ip-89-102-206-74.net.upcbroadband.cz thing. This is probably a pretty good
    indication that it didn't come from msn.com. Is it possible that the emails
    aren't even originating from his computer but as you say below some malware
    may have hijacked all his headers and is using them? I'm sure he uses
    webmail since he has no email client that will do MSN. I'm lost... :-)

    >
    > That the spam may originate from the user's account does NOT mean they
    > originate from the user's host. How certain are you that the user's
    > account hasn't been hacked? Spambots are handy but harder to get
    > working on even partially secured hosts. It's pretty easy to send
    > spam if you can hack into someone's account and directly use it for
    > your spamming. However, considering how easy it is to get free e-mail
    > accounts, it's usually easier to obtain those and spam from there (and
    > lie about the sender's e-mail address).


    Thanks. I've given you all the information I have the ability or know how
    to retrieve. As I mentioned above, it has been connected for a few hours
    now and I'll just leave it run a couple of days. I see now that I have some
    other good replies. I will refer those back to this post for information.
    Thanks!

    --
    --- Everybody has a right to my opinion. ---

  6. #6
    VanguardLH Guest

    Re: Zombie

    Received #1
    from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193])
    by whereIgetmymail.com
    for <whereIgetmymail@alongthewapsie.com>
    Received #2
    from <me@mywebsite.com>
    by cgpb3.cgp.netins.net
    Received #3
    from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com)
    by cgpf2.cgp.netins.net
    Received #4
    from BLU111-W17 ([65.55.116.8])
    by blu0-omc1-s15.blu0.hotmail.com

    Received headers are prepended to the header section in the order the
    mail hosts are hit. That is, the topmost Received header is the latest
    one (for the recipient's mail host) and the bottom-most Received header
    is the first one (for the sender's mail host) - *if* none of the
    Received headers are forgeries. You follow the chain backwards in
    top-down order from the last to first mail host. The 'from' host in a
    Received header should be the same as the 'by' host in the prior
    Received header. A break in the chain indicates a bogus Received
    header; however, some internal routing may not contain both the 'from'
    or 'by' hosts. The value in square brackets is inserted by the
    receiving mail host to identify the IP address of the host that
    connects to it (since every host knows the IP address of the other host
    that connects to it). It is suspect if the IP address reported by the
    receiving mail host doesn't match the IP address or host announced by
    the sending mail host.

    For Received header #1 (the last one for your receiving mail host), the
    'by' host is your mail server (where you got the e-mail). For the
    'from' host, a rDNS on 167.142.228.193 returns cgpb3.cgp.netins.net
    which the receiving mail host also noted. This happens to match the
    string sent by the sending host in the 'hello' or 'ehlo' command. Looks
    good so far. The next Received header's 'by' host should match on this
    header's 'from' host.

    For Received header #2, its 'by' host matches on the next Received
    header's 'from' host so the chain is looking good. What I don't
    understand is why its 'from' host is just "<me@mywebsite.com>". That
    would be the *comment* for what that mail host claims is its name. The
    parameters showing what was the IP address and rDNS of the host
    connecting to it are missing. That is, the 'from' field in Received #2
    is incomplete. Since the next Received header has its 'by' host still
    back at netins.net, are you using some webhosting service at netins.net
    to get your e-mails? If this is not a bogus header (inserted by the
    spammer) then it might be an anomalous Received header to reflect
    internal routing. I'll assume this is not a bogus header and continue
    parsing through the chain of Received headers.

    For Received header #3, I'll have to assume its 'by' host is valid. Its
    'from' header said it got the e-mail from a Hotmail account. The
    receiving mail host at netins.net shows the IP address (65.55.116.26).
    An rDNS on that returns the same value as the comment field in the HELO
    command issued by the sender's mail host. Still looking good.

    For Received header #4, its 'by' host matches on the 'from' host in
    Received header #3. So the chain appears unbroken from last to this
    first Received header. The 'from' host has no rDNS lookup on the shown
    IP address but then 65.55.116.x is a block assigned to Microsoft so it
    is probably an internal routing anomaly again.

    So it appears that the e-mail originates from Hotmail. Does the user
    accused of sending spam have a Hotmail account?
    If so, it appears they have an old MSN Hotmail account (the
    "name@msn.com") by looking at the headers:

    [X-]Return-path: <name@msn.com>
    X-Original-Return-Path: name@msn.com

    as well as:

    Message-ID: <BLU111-W177D3FBDA7AA096FE3C4E9DF5F0@phx.gbl>

    since phx.gbl is one of Microsoft's right-tokens used in their MID
    values.

    Considering this user is using an ISP in Czech Republic (and is himself
    probably located there), have they yet changed their login credentials
    for their Hotmail account? Is your user actually living in
    Czechoslovakia? That's the IP address of whomever used that Hotmail
    account to send the spam e-mail as shown in the X-header that Hotmail
    adds to whomever logs into a Hotmail account and sends e-mail from
    there.

    X-Originating-IP: [89.102.206.74]

    An rDNS on 89.102.206.74 returns ip-89-102-206-74.net.upcbroadband.cz.
    The .cz TLD (top-level domain) is for the Czech Republic. When I do an
    IPwhois on that IP address, it is assigned to an ISP in Czechoslovakia.
    So just WHERE is your client located? Are they really using a Czech ISP
    for Internet access (and then connecting to Hotmail from there)?

    Oh, the spam did originate from a Hotmail account (which might be what
    your client uses) but does it look like the Czech user is your user? If
    not, CHANGE THE PASSWORD on the Hotmail account. Do it now!

  7. #7
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:

    > The spam I got from him had his own return email address, as did the others
    > who complained to him. How would they have known who to complain to if it
    > didn't come from his email address. You think his neighbor's machines would
    > send out email with *his* return address?


    As a general rule, the vast majority of spam sourced from the zombies
    does *not* have the From of the computer which sourced the spam.

    You do not determine the source of a spam from the From. You determine
    the source of a spam by carefully examining the headers to determine the
    source IP.

    The small minority of spam which comes from a mail account in which the
    From actually *does* represent the source of the spam comes from cracked
    webmail passwords, so the source of the spam in those cases is the
    From's webmail account.

    In such a case the machine in question is not the source of the webmail.

    As a general rule, except for the cracked webmail account example above,
    the source of a spam is *not* the From.


    --
    Mike Easter
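Both VanguardLH's walk through the Received chain above and Mike Easter's point that the source is found in the headers, not the From, come down to the same check: each Received header's 'from' host should match the 'by' host of the header below it, the first mismatch bounds what you can trust, and for webmail the provider's X-Originating-IP names the client that logged in. The script below is an added example, not code from either poster; the two messages it parses are constructed, with placeholder hostnames and RFC 5737 documentation addresses, and the header layout is only modelled on the kind of chain discussed in the thread.

```python
import re
from email import message_from_string

# Constructed sample with an unbroken chain: three hops, bottom hop is the
# webmail client that logged in (hostnames/IPs are placeholders, not real).
CLEAN_MESSAGE = """Return-Path: <name@example.net>
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
    by mail.client.example with ESMTP id abc123
    for <user@client.example>; Mon, 1 Mar 2010 10:00:00 -0600
Received: from webmail-out.example.org ([198.51.100.26])
    by mx.isp.example with SMTP; Mon, 1 Mar 2010 09:59:58 -0600
Received: from BLU111-W177 ([198.51.100.200]) by webmail-out.example.org
    with Microsoft SMTPSVC; Mon, 1 Mar 2010 07:59:55 -0800
X-Originating-IP: [203.0.113.74]
Message-ID: <placeholder@example.org>
From: name@example.net
Subject: constructed sample

body
"""

# Constructed sample with a broken chain: the bottom Received header was not
# written by the host that hop 2 says it received from, so it is untrusted.
BROKEN_MESSAGE = """Received: from mx.isp.example (mx.isp.example [192.0.2.10])
    by mail.client.example with ESMTP; Mon, 1 Mar 2010 10:00:00 -0600
Received: from 203-0-113-50.dsl.example ([203.0.113.50])
    by mx.isp.example with SMTP; Mon, 1 Mar 2010 09:59:58 -0600
Received: from mail.legit.example ([198.51.100.5])
    by relay.other.example with ESMTP; Mon, 1 Mar 2010 09:50:00 -0600
From: someone@example.com
Subject: constructed sample

body
"""

_FROM_RE = re.compile(r"\bfrom\s+([^\s(\[;]+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([^\s(\[;]+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the claimed 'from' host, the 'by' host,
    and the client IP the 'by' host recorded (taken only from the 'from' clause)."""
    text = " ".join(value.split())          # unfold continuation lines
    from_m = _FROM_RE.search(text)
    by_m = _BY_RE.search(text)
    client_part = text[: by_m.start()] if by_m else text
    ips = _IP_RE.findall(client_part)
    return {
        "from_host": from_m.group(1).lower() if from_m else None,
        "by_host": by_m.group(1).lower() if by_m else None,
        "client_ip": ips[0] if ips else None,   # None = incomplete 'from' clause
    }


def received_chain(raw_message):
    """Received headers in header order: index 0 is the most recent hop."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def chain_breaks(hops):
    """Indices i where hop i's 'from' host is not hop i+1's 'by' host."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["from_host"] != hops[i + 1]["by_host"]]


def trusted_source_ip(hops):
    """Hops 0..first_break were each written by a host the previous hop
    verifiably handed the mail to; the deepest of those hops that recorded a
    client IP gives the furthest source we can trust."""
    breaks = chain_breaks(hops)
    last_trusted = breaks[0] if breaks else len(hops) - 1
    for hop in hops[last_trusted::-1]:
        if hop["client_ip"]:
            return hop["client_ip"]
    return None


def report(raw_message):
    """Summary a responder wants: chain breaks, trusted source IP, and the
    webmail login IP if the provider added an X-Originating-IP header."""
    hops = received_chain(raw_message)
    xoip = message_from_string(raw_message).get("X-Originating-IP")
    return {
        "hops": len(hops),
        "breaks": chain_breaks(hops),
        "source_ip": trusted_source_ip(hops),
        "x_originating_ip": xoip.strip("[] ") if xoip else None,
    }


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_MESSAGE), ("broken", BROKEN_MESSAGE)):
        print(name, report(raw))
```

The IP that comes out of `source_ip` is the one to run rDNS and whois against; on the clean sample it is the webmail provider's internal hop and the X-Originating-IP is the actual logged-in client, which is exactly the situation where the From is genuine but the machine behind it is not the sender. On the broken sample the chain stops trusting at the first mismatch, so the bottom header's address is ignored rather than treated as the origin.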

  8. #8
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8lfr5iF8f5U1@mid.individual.net:

    > Li'l Abner wrote:
    >
    >> The spam I got from him had his own return email address, as did the
    >> others who complained to him. How would they have known who to
    >> complain to if it didn't come from his email address. You think his
    >> neighbor's machines would send out email with *his* return address?

    >
    > As a general rule, the vast majority of spam sourced from the zombies
    > does *not* have the From of the computer which sourced the spam.
    >
    > You do not determine the source of a spam from the From. You determine
    > the source of a spam by carefully examining the headers to determine
    > the source IP.
    >
    > The small minority of spam which comes from a mail account in which
    > the From actually *does* represent the source of the spam comes from
    > cracked webmail passwords, so the source of the spam in those cases is
    > the From's webmail account.
    >
    > In such a case the machine in question is not the source of the
    > webmail.
    >
    > As a general rule, except for the cracked webmail account example
    > above, the source of a spam is *not* the From.


    Please see my reply to VanguardLH. It may contain a lot of that "more
    information" you were requesting.

    --
    --- Everybody has a right to my opinion. ---

  9. #9
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:

    > I got a spam email from him myself.


    If you still have the spam, the email's headers can be examined by
    someone with sufficient skill to determine the IP address of the source.

    From what you've said so far, it is more likely that the machine is
    clean and the mechanism of the spam generation with his From is some way
    other than his machine generating the spam.



    --
    Mike Easter

  10. #10
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8lfs0gFdp3U1@mid.individual.net:

    > Li'l Abner wrote:
    >
    >> I got a spam email from him myself.

    >
    > If you still have the spam, the email's headers can be examined by
    > someone with sufficient skill to determine the IP address of the source.


    Why didn't you say that before? :-)

    I'm sorry I got frustrated at your older post. I thought I was doing the
    best I could but you wanted more. If you examine the headers which I put in
    my reply to VanguardLH the answer may be there in that X-Originating-IP
    which I noticed myself and looked up.

    Thanks for sticking with me.

    --
    --- Everybody has a right to my opinion. ---
