Technofyed

Full Version: Mass Email Spam sent to contacts
So I saw last night that I had 2 emails in my Yahoo spam box and both were notifications of failed email deliveries to multiple contacts. People that I haven't emailed in years & possibly not even from this account. The message body of each was a link to a Canadian medication site to get cheap drugs. So I check my outbox and the emails are not there, so I don't know what is going on or if these emails were sent or not. Today my Mom asks why I sent her a Viagra link, so the emails were indeed sent out. Any ideas as to how? I don't use Outlook or Windows Mail to send/receive email. I wouldn't be able to do so anyway because my account isn't a Plus account, so I don't know how it was sent. Is there anything I should do?
I'm sure you know how to make sure there aren't any viruses in your system. I would just do that and then change your password to your email account.
Yeah I know.

I don't think that it's a virus/spyware because I haven't had anything else suspicious and because the account I use on my computer has no administrative access, but I'm running scans anyway, however just scans on the C drive. I do full scans on Sundays.
Assuming that you have a router, you can drop port 25 packets (assuming you don't use SMTP) & then check the security logs. You may have a malicious SMTP server spamming.

I've seen this on a couple of our customers' machines. It's not common, but I've certainly seen it.
What logs I found aren't much and are only for the last hours. I'll PM you what I find pertaining to my IP address. This looks strange and I'm not sure what to make of it. I don't know how to look up logs for a specific port. The scans haven't come up with anything.
My scanners have found nothing. I ran a complete scan with Avira, a "quick" scan with SUPERAntiSpyware [which still took 2.5 hours] and a scan with Spybot S&D. I wanted to run a scan with Kaspersky online scanner but that isn't currently available. Can you think of anything else? I'm switching to Windows 7 for now.
I know Lycos Mail was recently attacked, and they had to lock numerous accounts due to the issue. I doubt it's a problem on your computer, and more likely an issue with the service provider. They more than likely had a security hole that allowed access to accounts on their system. Really all you can do is change your password to ensure your account isn't accessed anymore. That's assuming the mail system is now secure...
Well I went into the account settings to do just that and I got a page saying that due to suspicious activity on my account they recommend that I change my password. Still, before I trust Vista again I want to know what no2 thinks about my router logs, considering most of the entries look suspicious to me. Earlier yesterday I did have the Yahoo Mail web page pull up mysteriously in a new tab asking for my password. I thought I might have hit something that caused that. That was after no2 made his post, so I closed it. But as I previously posted, I'm careful as to what I do online, I have UAC enabled, and I don't run an administrator account, so I doubt that I have anything. Is there anything that I can do other than scans to make sure? I'm not good with viruses. Would anyone be able to tell from a HijackThis log if I posted one?
(02-19-2010 08:30 PM) townsbg Wrote: I don't know how to look up logs for a specific port.
Traffic to a specific port isn't logged unless it's being blocked. What type of router do you have? I'll try to make you a quick "how to".

The logs that you sent me won't do much good for this issue. You want to block port 25 outbound traffic, & then mark it for being logged. This way you'll see that there is traffic coming from your machine. It may not be a bad idea to check the DHCP logs as well, to see if you've got someone in your driveway, or a neighbor, hopping on your network & causing unwanted traffic.
It's a Netgear WGR614. We are in the country, so I doubt that there is anyone close enough that cares to use our router. Besides, it's encrypted and I had MAC address filtering enabled. But how would I check such logs? I sent you what I found.

There is a way to block ports labeled as "Block Services", however there is no logging info option.
Set up port 25 under Services.

Service Name SMTP
Service Type TCP
Triggering Port 25
Connection Type TCP/UDP
Set both Ports to 25

Then under Content Filters->Block Services select Block Services.

Starting Port 25
Ending Port 25
Service Type SMTP
All IP Address

Then go into the security logs, select "clear logs", & reboot the machine in question.
Ok. What am I looking for in the logs?
Dropped traffic from your IP address (192.168 subnet).
Do you mean a block?
Mine shows as "dropped packets" but if you are seeing block, then I am sure that the phrase is interchangeable.
So far all I'm seeing are allows.
Then either the machine isn't sending out traffic on port 25, or you didn't set it up correctly.

I'm not trying to be a jerk, just saying those are the two possibilities. If you have not deleted the email can you post their headers? We can see if they are coming from your machine.
Return-Path: <*******@yahoo.com>
Received: (qmail 57957 invoked by uid 60001); 19 Feb 2010 05:59:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1266559191; bh=GQ4ScwTiBgR+UgScElVN392dGNkuqmeVH3s6z4EEt1Y=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:To:MIME-Version:Content-Type; b=2Loff6FQRf/7DEjZOKZNbycSOJYZDIA7Wj4QoHeQ+dqj/V6+tSjMCh3TteUrXHEsQxV/p8LHfcYt4xiNEWDguTxSrm1tNQWoKxUjUEU9Owdh1DHp+M5DZj/l5cYVvUsKt4Kya1QEwfwltQ4JKskXydaNF+9Cib4FV5snMGBdsJQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:To:MIME-Version:Content-Type;
b=ForxmmdkHGLGA1bD5tyDFrOesLQAjGXIq1EcrloZbDWhKWOi5DVdNR8NkuKypDpcfsP35QMVsTyRXJu+ROlbjtMsMrhDFAcU9cXISWOW4eNXZECDkLyWtRaA3Vi3HoiPm5FlMuNEqgjBdPUrEl4YJ2UuBB6uKFQGzp1wz+pxZj0=;
Message-ID: <387956.56491.qm@web55202.mail.re4.yahoo.com>
X-YMail-OSG: h1hePl0VM1mpsyokW5mVxcJ1_estmLewroAkw4ISz1cmvKFilAKcf4uUwBayK9jkUIPDcYIBwU1_hyaNrx0Gq7PQReaM1.9heVgcdPy7sXDs8hm9PfoiyPk6_D9EiSE2S6AMMoRigVXz3xhz.Zsrkda5jnAWAzRE8If.bFVwqazpo5MJNW55pO50aVrwxQ6DgFHELrJ54vYxylPb5SxDYn9kDggRoLbWafbkuJVHfj3tXT6Jxp9poFx7bjvUeuSEeMiLMv33Wz3u5vfBMrzYNaZbIT7JitQmlj9qryw04ZIepMc63gLb6KjEEfR7SUg3tmthKqyBpt0EFE_NqvAwJ2E4kG4mcbdaY.ROiUyCnEFNl7vbZVaS4FButHr.UsE-
Received: from [190.141.65.137] by web55202.mail.re4.yahoo.com via HTTP; Thu, 18 Feb 2010 21:59:51 PST
X-Mailer: YahooMailClassic/9.2.12 YahooMailWebService/0.8.100.260964
Date: Thu, 18 Feb 2010 21:59:51 -0800 (PST)
From: *******@yahoo.com
Reply-To: *******@yahoo.com
To: ***
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

If that's what you are looking for, that isn't me. I wondered about that myself.
Looks like your account got backscatter from 190.141.65.137.
So how was this email sent to my contacts? Also are you saying that it didn't come from my computer?
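The question above is exactly what the quoted headers can answer. As an added example (not code from anyone in the thread), the script below walks the Received: chain the way a responder would: the oldest hop says the message was handed to Yahoo's webmail host "via HTTP" from 190.141.65.137, i.e. a browser login to the account, not an SMTP connection from a machine on the home LAN. The header sample is constructed from the posted one (addresses masked, signature lines dropped), the second sample is a constructed contrast case, and the own_public_ip value is a placeholder for the WAN address shown on the router's status page.

```python
import re
import ipaddress
from email.parser import HeaderParser

# Constructed sample modelled on the headers quoted in the thread; the
# addresses are masked as in the post and the DKIM signature lines are omitted.
WEBMAIL_HEADERS = """\
Return-Path: <user@yahoo.com>
Received: (qmail 57957 invoked by uid 60001); 19 Feb 2010 05:59:51 -0000
Message-ID: <387956.56491.qm@web55202.mail.re4.yahoo.com>
Received: from [190.141.65.137] by web55202.mail.re4.yahoo.com via HTTP; Thu, 18 Feb 2010 21:59:51 PST
X-Mailer: YahooMailClassic/9.2.12 YahooMailWebService/0.8.100.260964
From: user@yahoo.com
To: contact@example.com
"""

# Constructed contrast case: a first hop that really did come from a LAN machine.
LAN_HEADERS = """\
Received: from [192.168.1.23] by smtp.example.net with ESMTP; Fri, 19 Feb 2010 06:01:00 -0000
From: user@example.net
To: contact@example.com
"""

FROM_IP_RE = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def analyze_received(raw_headers, own_public_ip=None):
    """Walk the Received: chain from the oldest hop upward and report where
    the message entered the mail system and how it was submitted.
    own_public_ip is the WAN address from the router status page (placeholder)."""
    msg = HeaderParser().parsestr(raw_headers)
    # Each hop prepends its own Received: line, so the last one is the oldest.
    for hop in reversed(msg.get_all("Received", [])):
        m = FROM_IP_RE.search(hop)
        if not m:
            continue  # e.g. "(qmail ... invoked by uid ...)" carries no source IP
        ip = ipaddress.ip_address(m.group(1))
        return {
            "origin_ip": str(ip),
            # "via HTTP" on a webmail host means a browser session, not an SMTP client
            "via_webmail": "via HTTP" in hop,
            "is_private_lan_ip": ip.is_private,
            "matches_own_ip": own_public_ip is not None and str(ip) == own_public_ip,
            "mailer": msg.get("X-Mailer", ""),
        }
    return None

if __name__ == "__main__":
    print(analyze_received(WEBMAIL_HEADERS, own_public_ip="203.0.113.5"))
    print(analyze_received(LAN_HEADERS))
```

A public origin IP that is neither your own WAN address nor a LAN address points to a stolen password used from elsewhere, which is why a password change (and a review of the account's recovery settings) matters more than the port 25 block in that case.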