
Thread: Zombie

  1. #1
    Li'l Abner Guest

    Zombie

    I have a Dell Windows XP SP3 here that has been spewing SPAM email. The
    owner has been warned by his ISP. I must be Googling for the wrong thing
    because all I can find about it is that it happens but no advice on what to
    do about it. There's detection tools to use on networks, routers, servers,
    etc. but nothing about the individual computer except for a couple of those
    "wipe it and start over" replies. I've done a full scan with MSE, MBAM,
    SAS, and ComboFix. MSE found nothing, MBAM found 18 MyWebSearch and 2
    Trojan Vundo, SAS found a bunch of tracking cookies, and Combofix found
    nothing at all.
    For starters, how can I detect if the computer is still sending it?
    If it is, is it a virus or some kind of malware? What does it take to get
    rid of it?

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:
    > I have a Dell Windows XP SP3 here


    What does 'here' mean to you?

    > that has been spewing SPAM email.


    How do you know? What is the evidence?

    > The owner has been warned by his ISP.


    So presumably/maybe there has been spam evidence provided to the ISP
    abuse address -or- the ISP (maybe) sees network traffic profile and
    notifies the IP user -or- something else. You are leaving out a lot of
    important background and evidence details.

    > I must be Googling for the wrong thing because all I can find about
    > it is that it happens but no advice on what to do about it.


    Should we assume that -1- in the beginning the owner/user was notified
    by hir provider that s/he was sourcing spam and then -2- that owner/user
    brought their computer to you to clean it up?

    Or should we assume something else? What is going on here?

    > There's detection tools to use on networks, routers, servers, etc.
    > but nothing about the individual computer except for a couple of
    > those "wipe it and start over" replies.


    You could examine it thoroughly to see what you could find for the fun
    of it. You could even wonder if there were something funky with the
    BIOS while you were wondering about the bootsector.

    For investigation purposes, it would be very very useful to know what
    evidence there is that this machine had been doing bad. What is the
    evidence against the machine - precisely? Or just evidence against the
    owner/user's IP address?

    > I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    > nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    > bunch of tracking cookies, and Combofix found nothing at all.


    Negative information doesn't help very much.

    > For starters, how can I detect if the computer is still sending it?


    Still sending *WHAT*? What is the evidence? Maybe there is some kind
    of misinformation floating around. People make all kinds of 'mistakes'
    about spam and such.

    As a hypothetical example: maybe the owner/user is using a wireless
    broadband gateway. Maybe someone in their neighborhood is usurping
    their broadband wireless connectivity and spamming or whatever
    intentionally or otherwise. Maybe the machine you are investigating is
    clean and you need to be investigating the neighborhood machine spewing
    from the user/owner's IP.

    > If it is, is it a virus or some kind of malware? What does it take to get
    > rid of it?


    More information, more information.


    --
    Mike Easter

  3. #3
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8lfirfFi0tU1@mid.individual.net:

    > Li'l Abner wrote:
    >> I have a Dell Windows XP SP3 here

    >
    > What does 'here' mean to you?
    >
    >> that has been spewing SPAM email.

    >
    > How do you know? What is the evidence?


    I got a spam email from him myself. His friends have also complained.
    His ISP threatened to blacklist him if it doesn't stop. Actually, he is
    moving home from another area and will soon be hooked up to OUR ISP. And I
    know for a fact they'll blacklist him if he spews email.
    >
    >> The owner has been warned by his ISP.

    >
    > So presumably/maybe there has been spam evidence provided to the ISP
    > abuse address -or- the ISP (maybe) sees network traffic profile and
    > notifies the IP user -or- something else. You are leaving out a lot of
    > important background and evidence details.


    This is all that he has told me. I have no doubt the computer was spewing
    email.

    >> I must be Googling for the wrong thing because all I can find about
    >> it is that it happens but no advice on what to do about it.

    >
    > Should we assume that -1- in the beginning the owner/user was notified
    > by hir provider that s/he was sourcing spam and then -2- that
    > owner/user brought their computer to you to clean it up?


    Yes.
    >
    > Or should we assume something else?


    NO

    > What is going on here?


    I'm asking for some help :-)
    >
    >> There's detection tools to use on networks, routers, servers, etc.
    >> but nothing about the individual computer except for a couple of
    >> those "wipe it and start over" replies.

    >
    > You could examine it thoroughly to see what you could find for the fun
    > of it. You could even wonder if there were something funky with the
    > BIOS while you were wondering about the bootsector.
    >
    > For investigation purposes, it would be very very useful to know what
    > evidence there is that this machine had been doing bad. What is the
    > evidence against the machine - precisely? Or just evidence against the
    > owner/user's IP address?
    >
    >> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >> bunch of tracking cookies, and Combofix found nothing at all.

    >
    > Negative information doesn't help very much.
    >
    >> For starters, how can I detect if the computer is still sending it?

    >
    > Still sending *WHAT*? What is the evidence? Maybe there is some kind
    > of misinformation floating around. People make all kinds of
    > 'mistakes' about spam and such.
    >
    > As a hypothetical example: maybe the owner/user is using a wireless
    > broadband gateway. Maybe someone in their neighborhood is usurping
    > their broadband wireless connectivity and spamming or whatever
    > intentionally or otherwise. Maybe the machine you are investigating
    > is clean and you need to be investigating the neighborhood machine
    > spewing from the user/owner's IP.


    The spam I got from him had his own return email address, as did the others
    who complained to him. How would they have known who to complain to if it
    didn't come from his email address. You think his neighbor's machines would
    send out email with *his* return address?

    >
    >> If it is, is it a virus or some king of malware? What does it take to
    >> get rid of it?

    >
    > More information, more information.


    It's 45.3 F, 66% humidity and the wind is E at 2.9 mph.
    Forget it.

    --
    --- Everybody has a right to my opinion. ---

  4. #4
    David H. Lipman Guest

    Re: Zombie

    From: "Li'l Abner" <blvstk@dogpatch.com>

    | I have a Dell Windows XP SP3 here that has been spewing SPAM email. The
    | owner has been warned by his ISP. I must be Googling for the wrong thing
    | because all I can find about it is that it happens but no advice on what to
    | do about it. There's detection tools to use on networks, routers, servers,
    | etc. but nothing about the individual computer except for a couple of those
    | "wipe it and start over" replies. I've done a full scan with MSE, MBAM,
    | SAS, and ComboFix. MSE found nothing, MBAM found 18 MyWebSearch and 2
    | Trojan Vundo, SAS found a bunch of tracking cookies, and Combofix found
    | nothing at all.
    | For starters, how can I detect if the computer is still sending it?
    | If it is, is it a virus or some kind of malware? What does it take to get
    | rid of it?

    Use my Multi-AV Scanning Tool's Avira, Sophos, Emsisoft and Trend Micro's scanners.

    You can tell if the PC is spewing spam, via a spam bot or some other mechanism, via
    Wireshark.
    Another simpler way is with TCPView, by seeing if there are many connects to the Internet.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    John Mason Jr Guest

    Re: Zombie

    On 11/28/2010 12:11 PM, Li'l Abner wrote:
    > I have a Dell Windows XP SP3 here that has been spewing SPAM email. The
    > owner has been warned by his ISP. I must be Googling for the wrong thing
    > because all I can find about it is that it happens but no advice on what to
    > do about it. There's detection tools to use on networks, routers, servers,
    > etc. but nothing about the individual computer except for a couple of those
    > "wipe it and start over" replies. I've done a full scan with MSE, MBAM,
    > SAS, and ComboFix. MSE found nothing, MBAM found 18 MyWebSearch and 2
    > Trojan Vundo, SAS found a bunch of tracking cookies, and Combofix found
    > nothing at all.
    > For starters, how can I detect if the computer is still sending it?
    > If it is, is it a virus or some kind of malware? What does it take to get
    > rid of it?
    >


    Are you sure the machine was used to send the spam and not just that the
    account credentials were stolen?

    Easiest way to determine if it is still trying to send email would be to
    put it behind a firewall that blocks traffic and watch the logs

    If that isn't possible you might be able to tell by using the following

    http://technet.microsoft.com/en-us/s.../bb897437.aspx
    http://www.wireshark.org/download.html

    If you have a real hub available you could install wireshark on a
    separate machine to monitor the traffic from the computer in question,
    this would avoid the possibility that the infected machine has some
    capability to hide what it is doing.

    Another option is to remove the drive from the original machine and
    slave it to a different box; that might be easiest. I use a USB-to-IDE
    or SATA adapter.

    Could also try one or more of the bootable AV CDs

    http://www.avira.com/en/support-down...-rescue-system


    A couple of other scanners I have had good results with

    http://live.sunbeltsoftware.com/
    http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    and
    Multi_av put together by Mr Lipman
    http://www.pctipp.ch/index.cfm?pid=1411&pk=28470



    If the scanners find something I would upload the file(s) to virustotal
    The uploader can make this easy
    http://www.virustotal.com/advanced.html#uploader

    Also the Malware Hash Registry might be able to help

    http://hash.cymru.com/
    or the application
    http://www.team-cymru.org/Services/MHR/WinMHR/




    Of course before doing any type of cleanup, you should have a good
    backup!!!!



    Hope some of this helps
    John

  6. #6
    VanguardLH Guest

    Re: Zombie

    Li'l Abner wrote:

    > Mike Easter wrote:
    >
    >> Li'l Abner wrote:
    >>
    >> I got a spam email from him myself. His friends have also complained.
    >> His ISP threatened to blacklist him if it doesn't stop. Actually, he
    >> is moving home from another area and will soon be hooked up to OUR
    >> ISP. And I know for a fact they'll blacklist him if he spews email.


    Did you inspect the headers to see if the spam e-mail actually
    originated from this user? The From and Reply-To path are *data*
    headers added by the sender's e-mail client, not by a mail server. They
    can contain whatever value the sender wants to put in those headers.
    Extremely rare are mail servers that require the sender specify the
    account in their From header through which they send an e-mail.

    We would have to know what is the e-mail service provider (ESP) for your
    user. We would also have to see the evidence of the spam e-mail but
    just the headers is sufficient (munge out the username but not the
    domain name in any e-mail addresses for the user, if present and
    actually their own, and for any of the victimized recipients).

    >> The owner has been warned by his ISP.


    That the e-mail provider warned him of spam abuse reports simply means
    they received spam abuse complaints. That doesn't mean they
    interrogated the headers to determine that this user was the one that
    actually sent the spam. Most users are boobs when it comes to reviewing
    the headers of an e-mail (few even bother to actually look). They just
    go by what is shown in the From header and assume that the sender would
    never lie as to who they are. Yeah, sure, spammers never lie about
    their e-mail address, uh huh.

    >> So presumably/maybe there has been spam evidence provided to the ISP
    >> abuse address -or- the ISP (maybe) sees network traffic profile and
    >> notifies the IP user -or- something else. You are leaving out a lot of
    >> important background and evidence details.

    >
    > This is all that he has told me. I have no doubt the computer was spewing
    > email.


    So with those network monitoring tools you claim to have, did you check
    the traffic from this user's host to filter on and check for their
    e-mail volume? So far, basing your "evidence" on what the user said
    which provided no actual details then you do NOT know there is spam
    coming from this host. Since any sender - you, the user, the spammer, a
    malcontent, another employee, ANYONE - can put anything they want in the
    From header (because it is *data* added by the sender's e-mail client as
    the sender configured it themself), you don't know from where the spam
    originated.

    So what network tools have you actually used to monitor this user's host
    regarding e-mail volume and recipients? Have you used any packet
    sniffing tool to check how much traffic goes to e-mail ports (i.e.,
    which traffic goes to mail servers)? Have you checked the recipients
    specified in the RCPT-TO commands sent by this host to the mail server
    (assuming they weren't SSL/TLS connects)?

    If YOU aren't managing the mail server used by this accused user, how do
    you know that his account with some other ESP has not been hacked?
    Maybe he used a weak password. Maybe he divulged his login credentials
    in reaction to some phish mail. Maybe the login credentials were
    cracked using social engineering (e.g., a malicious site using CAPTCHA
    input from its porn-hungry users employs those users to do the grunt
    work of cracking passwords in the CAPTCHA screens of webmail providers).
    Did this user ever bother to change their login credentials (and, this
    time, use a STRONG password)? When they do change their password, also
    have them change the personal detail info because that gets used with
    the "Forgot Password" mechanism afforded by most ESPs.

    >> There's detection tools to use on networks, routers, servers, etc.
    >> but nothing about the individual computer except for a couple of
    >> those "wipe it and start over" replies.


    I have never seen a packet sniffer utility recommend some "wipe and
    restart" notice. If this host is on a corporate network, why aren't
    they monitoring their traffic down to each host? There would be little
    value in some generic volume statistics that didn't help resolve
    problems down to the sources for those problems.

    If instead this host was brought to you where you don't have a
    corporate-level network and monitoring tools setup then why not go look
    on the host as to what is making all the network connections? There are
    plenty of on-host monitoring utilities available, like SysInternals'
    TCPview. However, it's probably better not to disturb the software
    configuration on the problematic host and instead sniff the traffic by
    having that host's traffic go through a gateway or router host where you
    can separately monitor its traffic (but you won't know which process
    generated the traffic but you'll know to where that traffic goes and
    what it contains if not encrypted).

    >>> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >>> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >>> bunch of tracking cookies, and Combofix found nothing at all.


    It may not be known malware doing the spamming. Could be a zero-day
    pest. While some security programs monitor the behavior of the e-mail
    clients (to see if they are spamming), not many spambots use the
    installed e-mail clients but instead make their own connects. If the
    pest can't be easily found by anti-malware products then it's time for
    you to monitor the behavior of the host. See what processes are making
    network connections, how often, for how long, and to where they connect.

    > The spam I got from him had his own return email address, as did the others
    > who complained to him. How would they have known who to complain to if it
    > didn't come from his email address. You think his neighbor's machines would
    > send out email with *his* return address?


    It doesn't appear you are adept at interpreting the headers of e-mails.
    Most e-mail users don't understand those headers (and there are some
    anomalies that I'm not used to for some ESPs). Sorry, but without the
    headers for *us* to inspect then we can't verify your conclusion that
    the spam e-mails actually came from this user's host or that they
    originated from this user's ESP. Please provide evidence in the form of
    the headers for the spam e-mails that are purportedly coming from this
    user or their account. Leave domains intact (since those aren't
    sufficient for anyone to try cracking this user's account). Munge or
    X-out the usernames on the accounts (for sender and recipients) to
    protect their accounts from spambots that harvest e-mail addresses from
    Usenet posts. Make sure to include ALL headers, not just the ones you
    think are relevant.

    That the spam may originate from the user's account does NOT mean they
    originate from the user's host. How certain are you that the user's
    account hasn't been hacked? Spambots are handy but harder to get
    working on even partially secured hosts. It's pretty easy to send spam
    if you can hack into someone's account and directly use it for your
    spamming. However, considering how easy it is to get free e-mail
    accounts, it's usually easier to obtain those and spam from there (and
    lie about the sender's e-mail address).
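VanguardLH's "see what processes are making network connections, how often, and to where" as an added example, not code from any poster: a parser for Windows `netstat -ano` output (the command-line counterpart of the TCPView he mentions) run over a constructed snapshot. A process that talks to many distinct hosts on the mail ports is behaving like a direct-to-MX spambot rather than a mail client submitting to its provider's relay; the threshold of three distinct mail hosts and the sample PIDs are assumptions of mine.

```python
import re
from collections import defaultdict

# SMTP, SMTPS and submission; a spambot delivering direct-to-MX uses 25.
SMTP_PORTS = {25, 465, 587}

# Constructed snapshot in the shape of Windows `netstat -ano` output. PID 1844
# fans out to five unrelated hosts on port 25 (bot-like); PID 2212 talks to a
# single submission relay (mail-client-like); the rest is unrelated noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    192.168.1.23:1034      192.168.1.1:53         ESTABLISHED     1208
  TCP    192.168.1.23:1045      198.51.100.17:25       SYN_SENT        1844
  TCP    192.168.1.23:1046      198.51.100.88:25       SYN_SENT        1844
  TCP    192.168.1.23:1047      203.0.113.44:25        ESTABLISHED     1844
  TCP    192.168.1.23:1048      192.0.2.61:25          SYN_SENT        1844
  TCP    192.168.1.23:1049      192.0.2.130:25         SYN_SENT        1844
  TCP    192.168.1.23:1060      203.0.113.9:587        ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: proto, local addr:port, remote addr:port, state, owning PID.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_tcp(netstat_text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row.

    Header lines and UDP rows (which have no state column) simply don't match.
    """
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)


def smtp_connections_by_pid(netstat_text):
    """Map PID -> set of distinct remote hosts it is contacting on a mail port."""
    by_pid = defaultdict(set)
    for _lip, _lport, rip, rport, state, pid in parse_tcp(netstat_text):
        if rport in SMTP_PORTS and state != "LISTENING":
            by_pid[pid].add(rip)
    return dict(by_pid)


def flag_spambot_candidates(netstat_text, max_relays=3):
    """PIDs talking to more distinct mail hosts than a mail client would.

    A real client submits everything to one or two relays at its provider;
    a spambot delivers straight to each recipient's MX, so it fans out.
    """
    return sorted(pid for pid, hosts in smtp_connections_by_pid(netstat_text).items()
                  if len(hosts) > max_relays)


def accumulate(snapshots, max_relays=3):
    """Union several snapshots taken over time before judging.

    netstat shows only the current instant and bot SMTP sessions are short,
    so one snapshot can miss the fan-out. (Assumes PIDs were not reused
    between snapshots; confirm the process image with tasklist.)
    """
    totals = defaultdict(set)
    for text in snapshots:
        for pid, hosts in smtp_connections_by_pid(text).items():
            totals[pid] |= hosts
    return sorted(pid for pid, hosts in totals.items() if len(hosts) > max_relays)


if __name__ == "__main__":
    for pid, hosts in sorted(smtp_connections_by_pid(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {len(hosts)} distinct mail hosts")
    print("candidates:", flag_spambot_candidates(SAMPLE_NETSTAT))
```

Feed it real output with `netstat -ano > snap1.txt` taken a few times a minute apart, then map any flagged PID to its image with `tasklist`.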

  7. #7
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:

    > The spam I got from him had his own return email address, as did the others
    > who complained to him. How would they have known who to complain to if it
    > didn't come from his email address. You think his neighbor's machines would
    > send out email with *his* return address?


    As a general rule, the vast majority of spam sourced from the zombies
    does *not* have the From of the computer which sourced the spam.

    You do not determine the source of a spam from the From. You determine
    the source of a spam by carefully examining the headers to determine the
    source IP.

    The small minority of spam which comes from a mail account in which the
    From actually *does* represent the source of the spam comes from cracked
    webmail passwords, so the source of the spam in those cases is the
    From's webmail account.

    In such a case the machine in question is not the source of the webmail.

    As a general rule, except for the cracked webmail account example above,
    the source of a spam is *not* the From.


    --
    Mike Easter

  8. #8
    Mike Easter Guest

    Re: Zombie

    Li'l Abner wrote:

    > I got a spam email from him myself.


    If you still have the spam, the email's headers can be examined by
    someone with sufficient skill to determine the IP address of the source.

    From what you've said so far, it is more likely that the machine is
    clean and the mechanism of the spam generation with his From is some way
    other than his machine generating the spam.



    --
    Mike Easter
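Mike Easter's point in the two posts above, that the source is found by walking the Received chain to the injecting IP and never from the From header, as a worked example. This is added code, not from any poster; its sample is constructed from the header dump Li'l Abner posts later in this thread (folding restored, the scanner scoring blob and the URL left out), and the verdict wording is my own heuristic, not an established rule.

```python
import email
import re

# Constructed sample: the header dump posted later in this thread, with
# RFC 5322 folding restored, the anti-spam scoring blob and the phishing URL
# left out, and the body replaced by a placeholder.
SAMPLE_HEADERS = """\
Return-path: <name@msn.com>
Received: from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193])
 by whereIgetmymail.com (Moxie [127.0.0.1]) (MDaemon.PRO.v8.0.1.R)
 with ESMTP id md50000019383.msg
 for <whereIgetmymail@alongthewapsie.com>; Sat, 23 Oct 2010 13:20:06 -0500
Received: from <me@mywebsite.com>
 by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.5)
 with RULE id 15404969; Sat, 23 Oct 2010 13:20:02 -0500
Resent-From: <me@mywebsite.com>
Received: from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com)
 by cgpf2.cgp.netins.net (CommuniGate Pro SMTP 5.3.5)
 with ESMTP id 67075202 for me@mywebsite.com; Sat, 23 Oct 2010 13:20:02 -0500
Received-SPF: pass
 receiver=cgpf2.cgp.netins.net; client-ip=65.55.116.26; envelope-from=name@msn.com
Received: from BLU111-W17 ([65.55.116.8]) by blu0-omc1-s15.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675);
 Sat, 23 Oct 2010 11:19:51 -0700
Message-ID: <BLU111-W177D3FBDA7AA096FE3C4E9DF5F0@phx.gbl>
X-Originating-IP: [89.102.206.74]
From: Name <name@msn.com>
To: <someoneelse@aol.com>, <me@mywebsite.com>
Date: Sat, 23 Oct 2010 18:19:51 +0000

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def _flatten(value):
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return " ".join(value.split())


def parse_hops(msg):
    """Return Received hops oldest-first as (from_host, from_ip, by_host, with).

    Every MTA prepends its own Received line, so the last one in the message
    is the hop nearest the origin. Hops without a client IP (here a local
    forwarding RULE) are kept so the chain stays visible, with from_ip None.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = _flatten(raw)
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_ip = re.search(r"\[(" + IPV4 + r")\]", line)   # first bracketed IP = client
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_with = re.search(r"\bwith\s+(\S+)", line)
        hops.append((m_from.group(1).strip("<>[]") if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None,
                     m_with.group(1) if m_with else None))
    return hops


def parse_spf(msg):
    """Return (result, client_ip, envelope_from) from Received-SPF, or None."""
    raw = msg.get("Received-SPF")
    if raw is None:
        return None
    line = _flatten(raw)
    m_ip = re.search(r"client-ip=(" + IPV4 + ")", line)
    m_env = re.search(r"envelope-from=(\S+?)(?:;|$)", line)
    return (line.split()[0].lower(),
            m_ip.group(1) if m_ip else None,
            m_env.group(1) if m_env else None)


def analyze(raw_message):
    """Trace a message to its injection point instead of trusting From."""
    msg = email.message_from_string(raw_message)
    hops = parse_hops(msg)
    spf = parse_spf(msg)
    m_orig = re.search(IPV4, msg.get("X-Originating-IP", ""))
    originating_ip = m_orig.group(0) if m_orig else None
    # The oldest hop carrying a client IP is where the mail entered the mail
    # system; the From header played no part in any of the relaying.
    entry = next((h for h in hops if h[1] is not None), None)
    if spf and spf[0] == "pass" and originating_ip:
        # An SPF-authorised server for the envelope domain delivered it and
        # recorded the webmail client: the account was used, not this host.
        verdict = (f"injected through the sender domain's own mail service from "
                   f"client {originating_ip}; points at the account, not the host")
    elif entry:
        verdict = (f"handed to {entry[2]} directly from {entry[1]}; compare that "
                   f"address with the suspect host's public IP")
    else:
        verdict = "no usable Received chain"
    return {"header_from": msg.get("From"), "hops": hops, "spf": spf,
            "originating_ip": originating_ip,
            "entry_ip": entry[1] if entry else None, "verdict": verdict}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```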

  9. #9
    Dustin Guest

    Re: Zombie

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9E3E71C809AA4butter@wefb973cbe498:

    > I have a Dell Windows XP SP3 here that has been spewing SPAM email.
    > The owner has been warned by his ISP. I must be Googling for the
    > wrong thing because all I can find about it is that it happens but
    > no advice on what to do about it. There's detection tools to use on
    > networks, routers, servers, etc. but nothing about the individual
    > computer except for a couple of those "wipe it and start over"
    > replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix.
    > MSE found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
    > found a bunch of tracking cookies, and Combofix found nothing at
    > all. For starters, how can I detect if the computer is still sending
    > it? If it is, is it a virus or some kind of malware? What does it
    > take to get rid of it?


    Hi Abner.

    Sounds like you might have a Windows system file patched. I'd recommend
    you check the digital signatures on them. In order to determine if the
    computer is still spamming, fire up Wireshark or SmartSniff and start
    looking at the screen. You'll see it pretty quickly if the computer is
    still being a nuisance.

    fdsv is an excellent command line utility for verifying digital
    signatures in files. You can find it here: http://www.kztechs.com

    Boot the machine from a Bart disc, use fdsv in each Windows folder for
    the .dll and .exe files. You can also check the system drivers. MS
    files are digitally signed. When you find one that isn't, replace him
    with one that is. You may be able to find a good copy in the dllcache
    folder. Worst case, you'll have to extract one from a Windows XP CD,
    already with SP3.






    --
    Hackers are generally only very weakly motivated by conventional
    rewards such as social approval or money. They tend to be attracted by
    challenges and excited by interesting toys, and to judge the interest
    of work or other activities in terms of the challenges offered and the
    toys they get to play with.

  10. #10
    Li'l Abner Guest

    Re: Zombie

    VanguardLH <V@nguard.LH> wrote in news:icu964$257$1@news.albasani.net:

    > Li'l Abner wrote:
    >
    >> Mike Easter wrote:
    >>
    >>> Li'l Abner wrote:
    >>>
    >>> I got a spam email from him myself. His friends have also
    >>> complained. His ISP threatened to blacklist him if it doesn't stop.
    >>> Actually, he is moving home from another area and will soon be
    >>> hooked up to OUR ISP. And I know for a fact they'll blacklist him
    >>> if he spews email.

    >
    > Did you inspect the headers to see if the spam e-mail actually
    > originated from this user? The From and Reply-To path are *data*
    > headers added by the sender's e-mail client, not by a mail server.
    > They can contain whatever value the sender wants to put in those
    > headers. Extremely rare are mail servers that require the sender
    > specify the account in their From header through which they send an
    > e-mail.
    >
    > We would have to know what is the e-mail service provider (ESP) for
    > your user. We would also have to see the evidence of the spam e-mail
    > but just the headers is sufficient (munge out the username but not the
    > domain name in any e-mail addresses for the user, if present and
    > actually their own, and for any of the victimized recipients).

    Return-path: <name@msn.com>
    Authentication-Results: Moxie (my home webserver machine)
     from=name@msn.com
    Received: from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193])
     by whereIgetmymail.com (Moxie [127.0.0.1])
     (MDaemon.PRO.v8.0.1.R)
     with ESMTP id md50000019383.msg
     for <whereIgetmymail@alongthewapsie.com>; Sat, 23 Oct 2010 13:20:06 -0500
    Received: from <me@mywebsite.com>
     by cgpb3.cgp.netins.net (CommuniGate Pro RULE 5.3.5)
     with RULE id 15404969; Sat, 23 Oct 2010 13:20:02 -0500
    X-Autogenerated: Mirror
    Resent-From: <me@mywebsite.com>
    Resent-Date: Sat, 23 Oct 2010 13:20:02 -0500
    X-netINS-MPP: scanned
    X-CMAE-Analysis: v=1.1 cv=WxJF1VDbLPz87kwnK5Z6N9h/xFZv98MAp55Y8YjkWXE= c=1
     sm=0 a=iIA-D8pQHtsA:10 a=6mTG4oFJl2gA:10 a=rcPezLW4KkcA:10
     a=iIhfYXcc7WEA:10 a=sX4QNpHQAAAA:8 a=EYYNmg7Ii8W-6741qdoA:9
     a=4EqpzSdUbuoDeUKPFykPi2e4rgUA:4 a=wPNLvfGTeEIA:10 a=yTWE7UZ2c4M_qe87r-0A:9
     a=ME_c6FR5cJdZpVCpFAwA:7 a=kB7mM4nxsM6OzWl_f3mySRcfIT4A:4
     a=I29xm3ipk0ty28YiwSULUA==:117
    Received: from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com)
     by cgpf2.cgp.netins.net (CommuniGate Pro SMTP 5.3.5)
     with ESMTP id 67075202 for me@mywebsite.com; Sat, 23 Oct 2010 13:20:02 -0500
    Received-SPF: pass
     receiver=cgpf2.cgp.netins.net; client-ip=65.55.116.26; envelope-from=name@msn.com
    Received: from BLU111-W17 ([65.55.116.8]) by blu0-omc1-s15.blu0.hotmail.com
     with Microsoft SMTPSVC(6.0.3790.4675);
     Sat, 23 Oct 2010 11:19:51 -0700
    Message-ID: <BLU111-W177D3FBDA7AA096FE3C4E9DF5F0@phx.gbl>
    X-Original-Return-Path: name@msn.com
    Content-Type: multipart/alternative;
     boundary="_d9e780f7-d2f2-4e83-8502-a5be660194c7_"
    X-Originating-IP: [89.102.206.74]
    From: Name <name@msn.com>
    To: <someoneelse@aol.com>, <name@msn.com>, <someoneelse@mi.is>,
     <someoneelse@msn.com>, <someoneelse@aol.com>,
     <someoneelse@yahoo.com>,
     <me@mywebsite.com>
    Subject:
    Date: Sat, 23 Oct 2010 18:19:51 +0000
    Importance: Normal
    MIME-Version: 1.0
    X-OriginalArrivalTime: 23 Oct 2010 18:19:52.0069 (UTC) FILETIME=[E2A0DB50:01CB72DE]
    X-Spam-Processed: Moxie, Sat, 23 Oct 2010 13:20:06 -0500
     (not processed: sender in recipient's private address book)
    X-MDRcpt-To: me@whereIgetmymail.com
    X-Rcpt-To: me@whereIgetmymail.com
    X-MDRemoteIP: 167.142.228.193 (netins.net email server)
    X-Return-Path: name@msn.com
    X-MDaemon-Deliver-To: me@whereIgetmymail.com (my machine, Moxie)

    hxxp://pefofebi.t35.com/ (website now blocked for phishing)

    To avoid confusion, I should point out that it was sent to my email address
    at a website I have that is hosted by my provider, which is Iowa Network
    Services (netins.net). All the mail that I get there is forwarded to my
    webserver I host myself at home (whereIgetmymail.com (Moxie)).
    >
    >>> The owner has been warned by his ISP.

    >
    > That the e-mail provider warned him of spam abuse reports simply means
    > they received spam abuse complaints. That doesn't mean they
    > interrogated the headers to determine that this user was the one that
    > actually sent the spam. Most users are boobs when it comes to
    > reviewing the headers of an e-mail (few even bother to actually look).
    > They just go by what is shown in the From header and assume that the
    > sender would never lie as to who they are. Yeah, sure, spammers never
    > lie about their e-mail address, uh huh.
    >
    >>> So presumably/maybe there has been spam evidence provided to the ISP
    >>> abuse address -or- the ISP (maybe) sees network traffic profile and
    >>> notifies the IP user -or- something else. You are leaving out a lot
    >>> of important background and evidence details.


    OK, I have sent you a copy of the email. Hopefully I've munged the names
    and other stuff properly. Hey, I just maybe latched onto something here.
    The X-Originating IP (89.102.206.74) resolves to...
    Official name: ip-89-102-206-74.net.upcbroadband.cz
    Now that certainly isn't msn.com
    >>
    >> This is all that he has told me. I have no doubt the computer was
    >> spewing email.

    >
    > So with those network monitoring tools you claim to have, did you
    > check the traffic from this user's host to filter on and check for
    > their e-mail volume? So far, basing your "evidence" on what the user
    > said which provided no actual details then you do NOT know there is
    > spam coming from this host. Since any sender - you, the user, the
    > spammer, a malcontent, another employee, ANYONE - can put anything
    > they want in the From header (because it is *data* added by the
    > sender's e-mail client as the sender configured it themself), you
    > don't know from where the spam originated.


    No, I didn't claim to have any such tools. I had Googled and was looking
    for something to check the computer itself with; not the network. I now
    have it connected directly to the ISP. I am using a static IP (I work for
    the phone company) so if it gets blacklisted it'll be easy to trace. I have
    talked to netins tech support. They told me to just leave it hooked up and
    that if it was indeed spewing spam they'd know it within 24 hours. A third
    party outfit actually monitors that stuff and notifies them. Maybe
    spamhaus.org or one of those.

    >
    > So just network tools have you actually used to monitor this user's
    > host regarding e-mail volume and recipients? Have you used any packet
    > sniffing tool to check how much traffic goes to e-mail ports (i.e.,
    > which traffic goes to mail servers)? Have you checked the recipients
    > specified in the RCPT-TO commands sent by this host to the mail server
    > (assuming they weren't SSL/TLS connects)?
    >
    > If YOU aren't managing the mail server used by this accused user, how
    > do you know that his account with some other ESP has not been hacked?
    > Maybe he used a weak password. Maybe he divulged his login
    > credentials in reaction to some phish mail. Maybe the login
    > credentials were cracked using social engineering (e.g., a malicious
    > site using CAPTCHA input from its porn-hungry users employs those
    > users to do the grunt work of cracking passwords in the CAPTCHA
    > screens of webmail providers). Did this user ever bother to change
    > their login credentials (and, this time, use a STRONG password)? When
    > they do change their password, also have them change the personal
    > detail info because that gets used with the "Forgot Password"
    > mechanism afforded by most ESPs.
    >
    >>> There's detection tools to use on networks, routers, servers, etc.
    >>> but nothing about the individual computer except for a couple of
    >>> those "wipe it and start over" replies.

    >
    > I have never seen a packet sniffer utility recommend some "wipe and
    > restart" notice.


    No, this was just a reply I got in another newsgroup about a similar
    problem some time back... :-) A lot of people think that's the easy way
    out.

    > If this host is on a corporate network, why aren't
    > they monitoring their traffic down to each host? There would be
    > little value in some generic volume statistics that didn't help
    > resolve problems down to the sources for those problems.
    >
    > If instead this host was brought to you where you don't have a
    > corporate-level network and monitoring tools setup then why not go
    > look on the host as to what is making all the network connections?
    > There are plenty of on-host monitoring utilities available, like
    > SysInternals' TCPview. However, it's probably better not to disturb
    > the software configuration on the problematic host and instead sniff
    > the traffic by having that host's traffic go through a gateway or
    > router host where you can separately monitor its traffic (but you
    > won't know which process generated the traffic but you'll know to
    > where that traffic goes and what it contains if not encrypted).
    >
    >>>> I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE found
    >>>> nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS found a
    >>>> bunch of tracking cookies, and Combofix found nothing at all.

    >
    > It may not be known malware doing the spamming. Could be a zero-day
    > pest. While some security programs monitor the behavior of the e-mail
    > clients (to see if they are spamming), not many spambots use the
    > installed e-mail clients but instead make their own connects. If the
    > pest can't be easily found by anti-malware products then it's time for
    > you to monitor the behavior of the host. See what processes are
    > making network connections, how often, for how long, and to where they
    > connect.
    >
    >> The spam I got from him had his own return email address, as did the
    >> others who complained to him. How would they have known who to
    >> complain to if it didn't come from his email address. You think his
    >> neighbor's machines would send out email with *his* return address?

    >
    > It doesn't appear you are adept at interpreting the headers of
    > e-mails. Most e-mail users don't understand those headers (and there
    > are some anomalies that I'm not used to for some ESPs). Sorry, but
    > without the headers for *us* to inspect then we can't verify your
    > conclusion that the spam e-mails actually came from this user's host
    > or that they originated from this user's ESP. Please provide evidence
    > in the form of the headers for the spam e-mails that are purporting
    > coming from this user or their account. Leave domains intact (since
    > those aren't sufficient for anyone to try cracking this user's
    > account). Munge or X-out the usernames on the accounts (for sender
    > and recipients) to protect their accounts from spambots that harvest
    > e-mail addresses from Usenet posts. Make sure to include ALL headers,
    > not just the ones you think are relevant.


    Yep... did that above. In the process I discovered that
    ip-89-102-206-74.net.upcbroadband.cz thing. This is probably a pretty good
    indication that it didn't come from msn.com. Is it possible that the emails
    aren't even originating from his computer but as you say below some malware
    may have hijacked all his headers and is using them? I'm sure he uses
    webmail since he has no email client that will do MSN. I'm lost... :-)

    >
    > That the spam may originate from the user's account does NOT mean they
    > originate from the user's host. How certain are you that the user's
    > account hasn't been hacked? Spambots are handy but harder to get
    > working on even partially secured hosts. It's pretty easy to send
    > spam if you can hack into someone's account and directly use it for
    > your spamming. However, considering how easy it is to get free e-mail
    > accounts, it's usually easier to obtain those and spam from there (and
    > lie about the sender's e-mail address).


    Thanks. I've given you all the information I have the ability or know how
    to retrieve. As I mentioned above, it has been connected for a few hours
    now and I'll just leave it run a couple of days. I see now that I have some
    other good replies. I will refer those back to this post for information.
    Thanks!

    --
    --- Everybody has a right to my opinion. ---
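    The header question raised above (does the spam really come from this user's msn.com account, or did it enter the mail system from the upcbroadband.cz host?) is the kind of thing that is easier to settle by walking the Received: chain mechanically than by eye. The following is an added example, not code posted in this thread: it parses a raw message, lists the Received: hops oldest-first, pulls the IP the receiving server recorded for each hop, and flags hops whose announced HELO name does not match the reverse DNS the receiver logged. The sample message is constructed; apart from the upcbroadband.cz hostname mentioned in the thread, every hostname, address and ID in it is made up.

```python
"""Walk the Received: chain of a raw e-mail and report where it entered the mail system.

Added example for illustration; the sample message below is constructed.
"""
import re
from email import message_from_string

# Constructed sample. The message claims an msn.com sender, but the first
# trusted receiver (mx2.example-isp.net) recorded that the connecting host
# was a broadband address, not an msn.com server. All names except the
# upcbroadband.cz host are invented for this example.
SAMPLE_RAW = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [198.51.100.7])
    by mail.example-dest.org with ESMTP id abc123
    for <xxxxx@example-dest.org>; Tue, 13 Mar 2012 10:05:11 -0500
Received: from msn.com (ip-89-102-206-74.net.upcbroadband.cz [89.102.206.74])
    by mx2.example-isp.net with SMTP id def456;
    Tue, 13 Mar 2012 10:05:09 -0500
From: xxxxx@msn.com
To: xxxxx@example-dest.org
Subject: constructed sample
Message-ID: <constructed@example.invalid>

body
"""

_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional "(rdns [ip])" recorded by the receiver
    r"\s+by\s+(?P<by>\S+)",            # the server that wrote this Received: line
    re.IGNORECASE,
)
_IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received: hops oldest-first; each hop is a dict."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold the header onto one line
        m = _HOP_RE.search(flat)
        if not m:
            continue                              # not a "from X by Y" style line
        paren = m.group("paren") or ""
        ip_m = _IP_RE.search(paren)
        # The receiver's reverse-DNS lookup, if it recorded one before the [ip]
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns,
            "ip": ip_m.group("ip") if ip_m else None,
            "by": m.group("by"),
        })
    hops.reverse()   # headers are prepended, so the topmost line is the LAST hop
    return hops


def helo_mismatch(hop):
    """True when the announced HELO name is not the receiver's reverse DNS or a parent of it."""
    if not hop["rdns"]:
        return True
    helo = hop["helo"].lower().strip("[]")
    rdns = hop["rdns"].lower()
    return not (rdns == helo or rdns.endswith("." + helo))


def originating_hop(raw):
    """The oldest hop: where the message first entered a mail server's logs."""
    hops = received_chain(raw)
    return hops[0] if hops else None


def sender_domain(raw):
    """Domain of the From: address. Note this is whatever the sender chose to write."""
    addr = message_from_string(raw).get("From", "")
    return addr.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in addr else None


def summarize(raw):
    """Put the From: claim next to what the first receiver actually saw."""
    origin = originating_hop(raw)
    return {
        "from_domain": sender_domain(raw),
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "helo_mismatch": helo_mismatch(origin) if origin else None,
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_RAW)):
        print(f"hop {i}: from {hop['helo']} ({hop['rdns']} [{hop['ip']}]) by {hop['by']}")
    print(summarize(SAMPLE_RAW))
```

    Only the Received: line written by a server you trust (here the destination's own MX, or an ISP relay you control) is reliable; any lines below it were supplied by the connecting host and could be forged along with From:, so read the chain from the top down and stop trusting it at the first hop whose "by" host is not yours. A From: domain that differs from the origin's reverse DNS, as in the sample, is consistent with either a compromised webmail account used from elsewhere or a spambot on a host that merely forges the return address, which is why the thread's point that the two cases cannot be told apart from the return address alone stands.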
