My first post - outside spammer using my address book and PC to send out spam

Hi folks

This is my first post to the Forum. Looking at the background of the monitors I feel my name should have been “The-Ancient-One” as I am 69. However, I don’t think I am a grumpy old man, “yet”.

I am hoping that someone will be able to help me with the following problem:

I have been having a serious problem with my email over the last 12 months caused by an outside spammer using my address book and PC to send out spam. It is not just related to my address book as I receive some 30 rejected emails from all over the world after downloading my email. I have tried everything I know: firewalls, ad-ware and spam programs, without success. The last resort is to format my C: drive; however, I am always hopeful that there is another way. The problem may arise from my web site as some of the email addresses are originating from email addresses listed on it.

If this is the wrong place to post this I would be grateful if you can direct me to somewhere where I may be able to get some help.


My email program is Outlook running on XP Pro, service pack 2 + Office 2007
Security programs
Just installed: COMODO
Spam Away

Hi Eric and welcome,

The first thing you could do is to run full scans with the scanner built into CFP, AVG, and Ad-Aware, if you haven’t already. Luckily they might find something during the full scan that they missed during normal operation. I don’t think your anti-spam program will help here, since its mission is to filter spam sent to you, not curtailing malware installed in your computer.

It’s your lucky day too, since Comodo now offers a free malware removal service:

Definitely give it a try and see if it solves your problem.

Another option, if your already installed programs haven’t detected the spambot, is to try others. It’s normal that any scanner should miss some virus, but if you try a couple of them you may get lucky. Also use a rootkit scanner in case. But first I’d recommend you to try the service linked above.

Good luck :slight_smile:

Have a look at

It covers how to “hide” the email links within HTML pages. It’s not guaranteed to prevent the addresses being harvested, but it’s a good start.

Ewen :slight_smile:

You’re getting bounce notices that other sites have rejected spam that they claim is sent from your email address?

If that is the case, then your machine is probably quite clean. What you’re most likely experiencing is called “backscatter” (a description at ). What the spammers are doing, is forging your email address as the sender, and a mail server somewhere absorbs the spam, discovers it can’t be sent, and then helpfully(??) sends a bounce message to you telling you the forged message can’t be delivered.

I do email admin work (amongst other things) on the dayjob. Backscatter is a nasty little problem because it involves trying to convince somebody to change their mail server configuration so it doesn’t absorb a message that can’t be delivered. Until and unless that happens, the individual whose address is being forged either gets a really really good email filter to get rid of the bounce messages, or gets a new email address.

If you’re not getting that kind of bounce message, I can eyeball some of the email headers to get some sense of what’s going on if you would PM the messages to me. Spam hunting is another aspect of the dayjob.

“You’re getting bounce notices that other sites have rejected spam that they claim is sent from your email address?”

What you described is exactly what is happening. I did not know what to call it so now I know it’s “backscatter”. The annoying thing is I did change some of my email addresses but the problem seems to follow me. I do run a Web site which has one email

Thanks also to Japo and Panic for providing valuable insight that will help me overcome this problem.

A standing rule on the dayjob site is that any email address on a web page will be used as a “receive-only” email address. This simplifies the mail server filters, allowing the Internet-facing mail server to reject any bounce messages, and having the internal-facing mail server reject any attempt to send mail off site. This takes the backscatter problem completely off the table.

It does presume some control over how the mail server is configured. For some smaller sites, setting up an intermediate mail server to function as a choke-point turns out to be a viable solution when the upstream ISP proves less than able to provide the needed filters. Mercury/32 ( has proven to be a good solution or a teaching tool to understand what’s needed to handle the problem. Commercial servers, like MDaemon (, provide more capability but at a price.

If you get into the *ix/BSD servers, then mail servers like Exim or Postfix will give you incredible control, but with the requisite wall of knobs-and-switches to learn. The Postfix documentation describes the rules needed to block backscatter ( ).
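Grue’s backscatter description earlier in the thread and the Postfix rules he points at here rest on one observation: a genuine bounce quotes an original message that passed through your own server, while backscatter quotes one that never did. The script below is an added example, not code from this thread or from any of the servers named; it assumes a placeholder domain example.org served by a host mail.example.org, and applies that check to constructed bounce messages.

```python
import email
from email import policy

OUR_DOMAIN = "example.org"         # assumed: the domain whose addresses are being forged
OUR_HOSTNAME = "mail.example.org"  # assumed: the host that stamps our own Received: lines

def sample_dsn(original_headers):
    """Constructed bounce (DSN) quoting the original message's headers; not real traffic."""
    return ("From: MAILER-DAEMON@relay.example.net\nTo: webmaster@example.org\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--b\nContent-Type: text/rfc822-headers\n\n" + original_headers + "\n--b--\n")

# Backscatter: the quoted original went straight from a spammer's PC to a remote relay.
FORGED = sample_dsn("Received: from pc (198.51.100.7) by relay.example.net\n"
                    "From: webmaster@example.org\nMessage-ID: <1@pc.lan>\n")
# Genuine bounce: the quoted original was relayed by our own server first.
GENUINE = sample_dsn("Received: from mail.example.org by relay.example.net\n"
                     "Received: from [10.0.0.5] by mail.example.org with ESMTP\n"
                     "From: webmaster@example.org\nMessage-ID: <2@mail.example.org>\n")

def quoted_original(bounce):
    """Return the original message a DSN quotes (full copy or headers only), or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw):
    """Return 'genuine' or 'backscatter: <reason>' for a raw bounce message."""
    bounce = email.message_from_string(raw, policy=policy.default)
    orig = quoted_original(bounce)
    if orig is None:
        return "backscatter: no original message quoted"
    # Anything our server relayed carries a Received: line stamped by our host.
    if not any(f"by {OUR_HOSTNAME}" in str(h) for h in orig.get_all("Received", [])):
        return "backscatter: original never passed through our server"
    # Our server generates Message-IDs in our own domain; a foreign one is not ours.
    domain = str(orig.get("Message-ID", "")).strip("<> ").rpartition("@")[2]
    if domain != OUR_DOMAIN and not domain.endswith("." + OUR_DOMAIN):
        return f"backscatter: foreign Message-ID domain {domain!r}"
    return "genuine"

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "->", classify_bounce(raw))
```

The same two checks are what a mail filter applies when it rejects bounces addressed to a receive-only address: the address never sends, so nothing quoting it can be a legitimate bounce.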

Grue, precisely today something happened to me. At work the boss sent me a message to my Yahoo email instead of my company one for some reason, so in order to read it I was forced to log into my Yahoo account from my work computer inside the company’s network. My Yahoo account had some email contacts, although I hadn’t used them in a long time. When I came back home I had received, at my Hotmail account (which was one of the contacts in the Yahoo account), a spam message whose sender was forged as another one of the contacts in my Yahoo account, whom I haven’t been in contact with for years.

Am I right in guessing that the company’s network is being eavesdropped somehow (we receive tons of spam messages in our company emails, many more than in my personal ones), and that when I used Yahoo inside it I gave away everyone in my address book? :frowning: If not, what would you make of it?

Two possibilities come to mind.

One is that it was just plain dumb coincidence. Long shot odds, but sometimes it does happen, like lightning strikes.

The other, is as you suspect, that the office LAN is somehow compromised. Given the nature of spam these days, all it takes is for one person to click one wrong link for a worm to get in that takes over the entire LAN. There is a fairly simple test to support that possibility:

From home, create a throw-away account on Yahoo/Hotmail/somewhere. Make it something unique, and very unlikely to be guessed by somebody. Then, from the office, and only from the office, either put the address in your address book, or send some mail to that address. If you get spam on that newly created unique account, then odds are you’ve got yourself a LAN network sniffer at the office. Or, at least, an infected office PC. Repeat as needed with unique throw-away accounts to confirm or deny the problem.

Like you, I’m more inclined to believe there’s a problem in the LAN security.

And I’d suggest changing passwords on your Yahoo account, from home and not from the office. Just in case.

Thanks a lot for your expert input, man. I know coincidence is always a theoretical possibility, but it’s been years since I last contacted that address, and yet it was in my very limited Yahoo contacts list and in no other one, and I had just accessed Yahoo and no other from the office…

If you think about it, it’s already a huge coincidence that this happened to me right now when this thread is hot, LOL.

■■■■, I never liked the idea of accessing my personal account from the office, I should have worked around it… The moral of the story for me: never, never again will I trust a computer or network that isn’t admin’ed by myself, to perform anything private, even trivial. This isn’t catastrophic, of course I wouldn’t have handed credit card info etcetera, this is a very minor event, but still there’s no reason to take risks; my private email is for me even if it’s not sensitive, if the office network is compromised let my office email and computer be spied but not my private email.

I’ll change passwords, thanks again. (CLY)

I’ll tell them at the office, although I’m sceptical that the IT guys at the end of the line will do something, even if the person whom I tell should take me seriously–since I’m not in IT. Besides, at least here in Spain I see a lot of computer professionals who have some scant qualifications on paper but know the bare minimum to be paid.

I’m now thinking about another related issue, but I think I’ll open a new topic since this is about email and it would be off topic.

That is why in any “untrusted network” (that is defined by pretty much any network you do not control) you should use “TrustConnect”!!

Certainly. In this case I couldn’t trust the computer more than the network, but I’d bet that the former was likely clean and the sniffer was outside roaming the network. Let’s say I had to connect a laptop of mine to the office’s network, then I wouldn’t do anything remotely private without TrustConnect.