
Question re outbound spam

N/A

Question re outbound spam

After some messing around, I've managed to trap most incoming spam, either by filtering via GoogleMail or using the PN Spam folder. I've logged into the SquirrelMail today and I can see several messages in my 'Sent' folder.

For example, one message is allegedly from "HALIFAX PLC" <customercare-005325630@halifax.co.uk> and addressed to enquiry@mydomain.co.uk. This message is timed at 4:23am today (Friday 25 May).

My primary domain is hosted elsewhere. All email addressed to any mailbox is forwarded to GoogleMail, where I've collected 9,078 spam messages in the last month. Non-spam is then forwarded again to my PN mailbox, from where I collect it via Outlook.

Although I used to use the old AtMail Webmail, when I was on the road working, I've been using GMail for the past two months. I've certainly never sent anything via SquirrelMail.

I'm at a loss to understand how emails might be ending up in my 'Sent' box. Even if I did have some sort of trojan virus, surely any emails sent would be in my Outlook files somewhere and not on the PN mail servers?

Any advice, suggestions or assistance to determine where this may have originated from would be very helpful.

Cheers,

JR
10 REPLIES
N/A

Question re outbound spam

Do you use IMAP or POP3 to send and receive e-mail on your computer? If you use IMAP then typically sent messages are stored on a server side sent mail folder, and this may be what you're seeing.

I'd certainly do a full anti-virus and spyware check to be on the safe side.
N/A

Question re outbound spam

I should add that messages that you sent in @mail will have been transferred over to the new SquirrelMail interface, but the dates seem to preclude this possibility.
N/A

Question re outbound spam

Thanks, Les.

I'm a POP Person, my antivirus and spyware is up to date and the most recent scans reported no issues and I was also surprised by the dates.

Still thinking ...
Ianwild
Grafter
Posts: 3,835
Registered: 05-04-2007

Question re outbound spam

Can you just check it is dated today in the full headers? I'm not all that convinced by SquirrelMail's interpretation of sent dates personally.

I can't give you an explanation without more investigation, but there are some logical reasons why you might see this in the normal course of events.

Ian
dhumble
Grafter
Posts: 94
Registered: 19-08-2007

Question re outbound spam

Hi,

First, a bit of advice. Including an email address in a forum posting will only increase the amount of SPAM that is going to be sent to that email address. So, you may like to edit that out of your above posting.

If I was asked to guess from what you have sent thus far, a message has been sent via PN's SMTP server. That is all that I can tell you, so far.

To work out from where (i.e. do you have a worm on your PC?) can only be gathered from looking at the message headers. These tell you how the message entered PN's mail system.

As you have not divulged it here, and I do not suggest that you do, only you know what IP address PN have given you. Look at the message headers and if the hostname and IP address of the host that passed the message to PN's SMTP server does not bear any relation to yours, then it is a spoof email.

Spoof emails are messages that are injected into an SMTP server, purporting to be from someone that they are not. A securely set up server would not allow these through normally, because the sender's credentials would be checked against the MX record for the 'sender' address.

HTH because only the message headers would give you a clue as to how and where these messages came from.

David
N/A

Question re outbound spam

Quote
Can you just check it is dated today in the full headers? I'm not all that convinced by SquirrelMail's interpretation of sent dates personally.


OK, Ian - you were right - the header shows this date:

Delivery-date: Tue, 14 Mar 2006 02:13:15 +0000

i.e. not today.

You might be right, but I'm somewhat less than overwhelmed by SquirrelMail though! Are there any other little goodies in there that might be confusing?
N/A

Question re outbound spam

Quote
First, a bit of advice. Including an email address in a forum posting will only increase the amount of SPAM that is going to be sent to that email address. So, you may like to edit that out of your above posting.


Umm, yeah - you're correct and I've done that. Although I'm now up to 9,114 spam messages in the GoogleMail spam folder (in 30 days), I'm not sure how much worse any increase might be!

Quote
Look at the message headers and if the hostname and IP address of the host, that passed the message to PN's SMTP server, does not bear any relation to yours, then it is a spoof email.


Well, as per Ian's comment, it transpires that it was a message from March, 2006 i.e. not today as implied by SquirrelMail. And as far as I can tell, the message was not originated from my IP address.

It obviously originated elsewhere, but I'm still at a loss as to how it's in *MY* "SENT" folder.

Quote
A securely set up server would not allow these through normally, because the sender's credentials would be checked against the MX record for the 'sender' address.


If I'm reading that right, you're implying that there may have been some insecurity on 14 March 2006?
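
The header check discussed in the posts above (the real delivery date, and which host handed the message to the provider's SMTP server), as an added example that is not part of the original thread. The sample message, the `provider.example` domain, the IP addresses and the `trace` function are all constructed for illustration, and the regular expression assumes a `from host ([ip]) by host` layout in each `Received` header.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: every host, IP and address is a placeholder.
RAW = """\
Delivery-date: Tue, 14 Mar 2006 02:13:15 +0000
Received: from mx2.provider.example ([192.0.2.20])
\tby store1.provider.example with esmtp; Tue, 14 Mar 2006 02:13:15 +0000
Received: from unknown-host.example ([203.0.113.77] helo=bank.example)
\tby mx2.provider.example with smtp; Tue, 14 Mar 2006 02:13:12 +0000
Received: from mail.bank.example ([198.51.100.5])
\tby unknown-host.example; Tue, 14 Mar 2006 02:10:00 +0000
From: "Some Bank" <customercare@bank.example>
To: enquiry@mydomain.example
Subject: constructed sample

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\].*?\)\s+by\s+(\S+)", re.S)

def trace(raw, provider_domain, my_ips):
    """Report the delivery date and the host that handed the mail to the provider."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):      # newest hop is listed first
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2),
                         "by": m.group(3).rstrip(";")})
    # Walk down only while the header was written by the provider's own servers.
    # Anything below that boundary was supplied by the sending side and may be forged.
    entry = None
    for hop in hops:
        if not hop["by"].endswith("." + provider_domain):
            break
        entry = hop
    stamp = msg.get("Delivery-date") or msg.get("Date")
    return {
        "delivered": parsedate_to_datetime(stamp) if stamp else None,
        "entry_host": entry["from"] if entry else None,
        "entry_ip": entry["ip"] if entry else None,
        "from_my_connection": bool(entry) and entry["ip"] in my_ips,
    }

if __name__ == "__main__":
    print(trace(RAW, "provider.example", {"192.0.2.99"}))
```
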
Ianwild
Grafter
Posts: 3,835
Registered: 05-04-2007

Question re outbound spam

If the mails are in your Sent folder there, that is your IMAP sent folder and not specifically related to webmail. They sound like they have been sitting there for a long time. Thinking back 15 months, are you sure you can't pin down something that might have used your IMAP settings to send this email?

Does anyone else see something stored in their Sent mail folder that looks the same?

Ian
dhumble
Grafter
Posts: 94
Registered: 19-08-2007

Question re outbound spam

As an aside Jeremy, go to http://mxtoolbox.com/
and type that domain name in. It'll tell you what SMTP server your mail gets forwarded to. Now click on the 'Diagnostic' button and you'll see that this particular SMTP server is currently failing the 'Open Relay' test. Yes, it says it is only warning you but ordinarily, this should report as 'Good'. My personal Postfix SMTP server certainly passes all diagnostic tests.

Now look at all this SPAM you have been getting and see if that server's hostname appears in all the mails' message headers.

Better still, if you are getting a lot of bounce back mail with your email address as the originating sender AND that original mail's headers show that it had been sent via the above SMTP server then, yes, it is most likely open relay and others are sending out junk, purporting it to have been sent by you.

Good luck,

David
N/A

Question re outbound spam

Quote
If the mails are in your Sent folder there, that is your IMAP sent folder and not specifically related to webmail. They sound like they have been sitting there for a long time. Thinking back 15 months, are you sure you can't pin down something that might have used your IMAP settings to send this email?
Ian


Ian, it's a fair question but the answer's gonna be less fair.

I'm looking at the other side of my half century and whilst I'm still breathing, I can't remember what happened last weekend! I've never used IMAP settings to the best of my knowledge - I cart my laptop everywhere and use that for Outlook (and Webmail to send - until I discovered GoogleMail).

Briefly, I dunno.