Weird e-mail “spam” problem

Suddenly, my e-mail spam was spiking on one of my domain accounts. I’d been extremely careful with that address. It was NOWHERE to be found on the web. I still got the occasional spam. Probably hand harvested, but probably not sold yet.

So, suddenly I get a lot of “spam”.

I didn’t understand it. Some of them even have my name (which isn’t visible in my e-mail address) and an IP address. It looked as though this company was keeping track of how the address was harvested, and that somebody had subscribed me to something.

So I start trying to trace the number. Couldn’t find anything. Silly me, I should have searched my hard drive, because I would have found it…

Today I got a bounced message I didn’t send. And the content of said message solved the mystery. It was sent out through a service called tafmaster.com. And the contents of the mail were from a sweet old lady I know, who’s been having repeated issues with spam on her machine. She’s quite often had trouble cleaning it. So my first hunch is that she has some kind of malware on it.

Tafmaster is a service that earns money for people who send out stuff to their friends, so it’s possible someone sent out a virus or trojan to mass send mail to contacts of his/her victims.

The mail looked as though it was sent by me, and sent to someone I don’t know, but x-sender and sender were typical of the service. The mail contents looked as though it was from the sent mail folder of my friend. It contained enough identifying information I knew at once who it was. And the IP address noted in the spam I’d received matched as well.

I haven’t heard back from my friend, and in the meantime, the spam keeps pouring in. I suspect most of it is actually mailing lists, but I’ve even had some 411 spam (multiples from the same name even).

So my question here is: assuming this sweet old lady hasn’t misconfigured her computer so it sends out e-mail as me, what could it be that she has on her computer? It could be some old malware, but since this became a problem just a few days ago, it might be a new strain.
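The header check described above (a From line naming one person while Sender and X-Sender name the mailing service), as an added example that is not part of the original post. The sample message is constructed, every address and IP is a reserved documentation placeholder, and `X-Originating-IP` is an assumed header name for where the IP appeared.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message. example.* domains and the
# 192.0.2.x / 198.51.100.x addresses are reserved documentation values.
SAMPLE = """\
Received: from mailer.relay-service.example (mailer.relay-service.example [198.51.100.7])
\tby mx.example.net; Mon, 1 Jan 2007 10:00:00 +0000
From: "Me" <me@mydomain.example>
Sender: bounce@relay-service.example
X-Sender: bounce@relay-service.example
X-Originating-IP: 192.0.2.44
To: stranger@example.org
Subject: Thought you would like this

body text
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def analyse(raw):
    """Compare the claimed From domain with the submitting-party headers."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = {"from_domain": from_dom, "mismatches": [], "ips": []}
    # Sender / X-Sender / Return-Path name the party that submitted the
    # mail; From is free text that the submitter can set to anything.
    for name in ("Sender", "X-Sender", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings["mismatches"].append((name, dom))
    # Collect IPv4 literals to compare against the IP quoted in the spam.
    for name in ("X-Originating-IP", "Received"):
        for value in msg.get_all(name, []):
            findings["ips"].extend(IPV4.findall(value))
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE))
```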

6 Responses to “Weird e-mail “spam” problem”

  1. Tuxedo Jack Says:

    I’d love to see a HijackThis log from that machine.

    If you can guide her to tomcoyote.com/hjt and generate a log, we’ll see if there’s malware on it.

  2. Administrator Says:

    Thanks, I’ll let her know. But considering she’s struggling a bit, she’s totally lost right now. Hopefully that site tells it in baby steps enough for her.

  3. RichardP Says:

    From your description, if I had to guess, she likely has been infected with W32.mytob.HL or something similar.

  4. RichardP Says:

    Hmm, just a minute, I think I’ll have to reconsider. A worm like W32.Mytob isn’t sufficient to describe your symptoms - although I suppose it could be part of the problem. Any number of worms could have scraped your address from her address book and sent a forged e-mail containing your name as the “From” address to new potential victims, but that wouldn’t account for tafmaster.com appearing in the mail headers. Perhaps she was infected by a worm and it somehow sent a forged e-mail to the tafmaster.com “service” that it interpreted as you joining their list?

  5. Administrator Says:

    She’s uncooperative, and I get more and more junk. LOADS of 411 letters, suddenly. Hadn’t gotten any of those for a long time. And many lists of various sorts, that bear an IP number from her ISP, and MY NAME!

    And I think she deep down thinks it can’t be her.

    She tried to run Spybot yesterday. It tried to update, then was sitting there for 20 minutes, doing who knows what, before she killed it.

    I wish I’d known a geek in her neighborhood. Anyone in Arizona who’d be willing to help out an old granny? She’s feisty, but usually very sweet.

  6. Kevin Says:

    Go into safe mode and start scanning, I guess…
