My Mom's laptop is driving me nuts, help please!

digitalwanderer

I got an e-mail from my Mom the other day that had nothing in it except this link:

http://hassie.fantasticdownloadzone.com/

The next day I got another from her for a different site:

http://www.bwb7.womanhealth-c.com/

I called her up and sure enough her laptop is sending out spam e-mails every night to everyone in her address book.

Now she's using an sbcglobal.net account she accesses through Internet Explorer. Looking through by hand, nothing looked really out of place; ESET NOD32 said there was nothing, Malware found a couple of little things.

I have no clue what's going on. :oops:

I found an e-mail that was rejected by someone with the path and everything, but since I don't understand such things well I thought I'd put 'em up here so someone could explain to me how I'm missing the obvious. ;)

For your convenience, the message in question is reproduced below:

Return-Path: <Mom@sbcglobal.net>
Received: from lists.n-email.net ([172.16.100.75]) by 172.16.2.5 with SMTP (Email Administrator WIN32 version 9.3e); Wed, 16 Jun 2010 12:16:52 -0400
Return-Path: <Mom@sbcglobal.net>
Received: from [76.96.27.212] ([76.96.27.212:40109] helo=qmta14.emeryville.ca.mail.comcast.net)
by ecelerity (envelope-from <Mom@sbcglobal.net>)
(ecelerity 3.0.22.36141 r(36141)) with ESMTP
id 4C/5C-31854-4F8F81C4; Wed, 16 Jun 2010 12:16:52 -0400
Received: from omta19.emeryville.ca.mail.comcast.net ([76.96.30.76])
by qmta14.emeryville.ca.mail.comcast.net with comcast
id WfKa1e0031eYJf8AEgGrqd; Wed, 16 Jun 2010 16:16:51 +0000
Received: from eandmlaw.com ([76.29.4.194])
by omta19.emeryville.ca.mail.comcast.net with comcast
id WgGq1e0044B9gRo01gGq7J; Wed, 16 Jun 2010 16:16:51 +0000
Received: from mail pickup service by eandmlaw.com with Microsoft SMTPSVC;
Wed, 16 Jun 2010 12:12:19 -0400
Received: from mail pickup service by eandmlaw.com with Microsoft SMTPSVC; Wed, 16 Jun 2010 10:15:31 -0400
thread-index: AcsNXmCdQkRqqftuQHexafRew++jAA==
Cc:
X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on psg1367.lexis-nexis.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.2 tests=HTML_MESSAGE autolearn=disabled version=3.1.6
X-Spam-Report: * 0.0 HTML_MESSAGE BODY: HTML included in message
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1276696938; bh=vXSYEVfulzrYk56CAJ/ytaJ90onH44pEd59itmTBo5M=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=rPEi/5fjYax0hZsu4kKd+9ITaScBOMmVYstwPaKZfGA8u87NBf5hKJs5ffbFVIRbqqx4iLx1/lU0XABkwm1G9LyWYZ7Wkk/qodw6wn7VfL8/miz27ZaOrPKe4Luomccmd7xBdc4vXl+nU2NS4FXW56Dxdh8nmdAiYZw9Ytx82W8=
Message-ID: <4858B29170C040B981139E4DA3F9FB93@em.local>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=sbcglobal.net; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=Tt5lZo1vaAjdrBSbujQm3NB1Ciu5yipzjN2Hjq7iNYko5ZKpCDYjUmIZdKeU/K00n+/60+D0hhH0b602sLJdRuH1osnWUXsDZFYoRCuMoHSudaXmb8I2Cs6CUu6a8Ua1JERPsTtzuR37d5aYF2dbEfFCfCXIoewq93Om7/smfCc=;
Content-Transfer-Encoding: 7bit
X-YMail-OSG: Yv3HJAIVM1nk9xXK885XSzVz3u9wAmGNK0rTSyRlPAMYYOB jYqaf9PxvR7GRX6WgHsB5G52_R1Ap5tFLc228Au0BEL3OitbmUeUbMk7r2js fBF9SzPrUgt9w.jn9_TMdjMlpPP7nwyB6JrrXIjJOgVzSLy2MVWUIKewXD8z A7DfiTIcDiexvR8sROSWmXH8UUjjhoNOadMJpuUmUmsYCQDjZqd3zI45lKw5 RVfTPvUrea8eA.bFBpd1GFNJsqzvBSxIwQ6.X1eH76gZ2Oona5LwDb5QAlOF GM4sxFaKVu4C.DYEZEQ--
X-Mailer: YahooMailRC/397.8 YahooMailWebService/0.8.103.269680
Date: Wed, 16 Jun 2010 10:15:30 -0400
From: "Mom" <Mom@sbcglobal.net>
Subject: Seeking Pinellas County, Fla lawyer referral
To: "Probate, Trust & Real Property Section" <inbar-ptrp@lists.n-email.net>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="0-1121976119-1276696938=:96991"
List-Unsubscribe: <mailto:leave-12701819-105805452.5426972cc173803773a272e355f82647@lists.n-email.net>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4657
Reply-To: "Mom" <mom@sbcglobal.net>
X-Binding: in-state-bar-assoc
X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com)
X-OriginalArrivalTime: 16 Jun 2010 14:15:31.0140 (UTC) FILETIME=[60BEE040:01CB0D5E]

This is a multi-part message in MIME format.

--0-1121976119-1276696938=:96991
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Only thing I changed was her name and e-dress.

Any and all help/input is appreciated, thank you.
 
1. The spam could be coming from somewhere else and spoofing her as the sender.
2. If she's using webmail and the spam is truly coming from there, then it's sbcglobal with the problem.
3. If she has malware, it's likely NOT going through sbcglobal but opening a direct SMTP connection to destinations. See if she has activity on port 25 or port 465, or simply close those ports to all traffic in her firewall.

If you want to PM me her detailed headers, I can usually tell if something is simply spoofing her address as the sender. Usually it is then coming from a machine belonging to someone who has BOTH of you in their address book.
 
Looks like someone who has your and her e-mail addresses in their address book is infected and the infection is spoofing her...

Why don't you ask her to send you an email and then compare headers ;)
 
Mize took a look at the headers from some good e-mails I had from her from before and these recent ones and found that the spam e-mails were coming out of Italy. Someone phished/stole her username/password and had been just logging in somewhere else and spamming.

I changed her password, problem solved. Many respects, kisses, and hugs to Mize for holding my hand and helping me out with the problem...if you ever have legal hassles in Indiana Mize let us know, me Mommy owes you one. ;)

Thanks everyone else too, but Mize helping me through PMs got it all sorted. :)
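The header comparison described in this thread, as an added example that is not from the thread or from any poster: walk the Received chain oldest-first to find the IP the mail was submitted from, then check whether a suspect mail entered from the same place as known-good mail from the same person. The messages, hostnames and IPs below are constructed (RFC 5737 documentation addresses), not the headers posted above.

```python
import email
import re
from email import policy

# Constructed sample messages (not the thread's headers); IPs are RFC 5737
# documentation addresses. Each relay prepends its Received line, so newest first.
GOOD = "\n".join([
    "Received: from mx.example.net ([198.51.100.7]) by mail.example.org",
    "\twith ESMTP; Mon, 14 Jun 2010 09:00:00 -0400",
    "Received: from [192.0.2.10] ([192.0.2.10:51234] helo=webmail.example.net)",
    "\tby mx.example.net with ESMTP; Mon, 14 Jun 2010 09:00:00 -0400",
    "From: \"Mom\" <mom@example.net>", "", "body",
])
SUSPECT = "\n".join([
    "Received: from mx.example.net ([198.51.100.7]) by mail.example.org",
    "\twith ESMTP; Wed, 16 Jun 2010 12:16:52 -0400",
    "Received: from [203.0.113.45] (helo=webmail.example.net)",
    "\tby mx.example.net with ESMTP; Wed, 16 Jun 2010 12:16:51 -0400",
    "From: \"Mom\" <mom@example.net>", "", "body",
])

# Bracketed IPv4 literal, optionally with a port, e.g. "[76.96.27.212:40109]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")

def received_chain(raw):
    """Received hops oldest-first, each as {'from', 'ip', 'by'}."""
    msg = email.message_from_string(raw, policy=policy.default)
    chain = []
    for hop in reversed(msg.get_all("Received", [])):
        text = " ".join(hop.split())  # unfold continuation lines
        src = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = IP_RE.search(text)
        chain.append({"from": src.group(1) if src else None,
                      "ip": ip.group(1) if ip else None,
                      "by": by.group(1) if by else None})
    return chain

def originating_ip(raw):
    """IP recorded at the earliest hop, i.e. where the mail was submitted."""
    for hop in received_chain(raw):
        if hop["ip"]:
            return hop["ip"]
    return None

def same_origin(known_good, suspect):
    """Did the suspect mail enter from an IP seen in known-good mail?
    Only hops added by relays you trust are reliable; lines below the first
    trusted relay can be forged by the sender."""
    return originating_ip(suspect) in {originating_ip(m) for m in known_good}
```

A differing origin IP is what points at a logged-in-from-elsewhere account rather than malware on the owner's machine; a whois lookup of that IP is how one gets from the address to a country, as happened here.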
 
Question is, how did they get her password?

There are two common ways to get someone's email password. One is to guess simple passwords (same as username, 1234, etc.) and the other is to sniff port 80 (for webmail) or port 25/110 for SMTP/POP. That's why using good passwords and encryption (https or ssl for pop/smtp/imap) is so important.
 
d/l Superantispyware(Freeware version) and run it. It should be able to pick up virus/Trojans etc. Also make sure her antivirus is working and updating properly.
 
 
you can get mom's password simply by asking her :p

There are two common ways to get someone's email password. One is to guess simple passwords (same as username, 1234, etc.) and the other is to sniff port 80 (for webmail) or port 25/110 for SMTP/POP. That's why using good passwords and encryption (https or ssl for pop/smtp/imap) is so important.

Have some bullshit registration form on a web page that allows her to play a lottery, sign a petition or anything frivolous.
A minimalist one will have her only enter a mail address and password to secure her new account.

90% of users will enter the same password they use for their mail account. So it is!
There are also such simple scams where one asks you to enter your MSN login information so that you can see some images a friend wants to share with you.

The solution is to use several passwords, which is boring but is a fundamental part of security (I only have two and a half passwords on the internet, one more for some other, net-accessible place, then mostly root passwords here and there).

I propose she uses one password for mail only, one serious password (for the Beyond3D forum and highly reputable stores) and a frivolous password for gaming sites and bullshit registrations. That can be simplified to one serious and one weak password, but in that situation I believe it is better to entirely segregate mail.

Banking is a separate thing if she uses that (my bank's login system doesn't allow me to use whatever password I use elsewhere, and I'm glad it's set that way).

Lastly, a quick tip: a reasonably strong and easy to remember password is a sentence such as "My cat loves to eat boobs all day."
Another one would be to wipe the laptop and install the latest Ubuntu on it. It's ridiculously good-looking and easy to use these days.
 
Agreed.
I have two frivolous passwords (one is totally frivolous - forums, etc.) and the other less so. I then have several medium pwds for computer logons (non-remote) and then three 13+ random character passwords for permanent email/su that are committed to memory.

I'm totally opposed to required pwd changes after so many days as it just leads to people writing them on post-its and sticking them to their monitors.
 