Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


#223103 13-Sep-2017 00:37
Send private message

I've been asked by a friend to help her with an issue where her email account appears to be being used as a spam generator sending out hundreds of "Happy Birthday" emails every hour. I can see these sitting in the Sent Items folder of her Outlook.com (Hotmail) account. The animated "Happy Birthday" link in them appears to end up at myfriendlygift.com. Googling reveals lots of people asking if they safe or fraudulent and how to disable them, but no real answers.

 

The facts as I know them are:

 

  • My friend initially believed she was receiving some sort of electronic card from a family member and "clicked on on some things and filled in some information", but she has no idea what - although I'm guessing she provided her email address and password.
  • She has no PC currently and is using an iPad and a Windows mobile phone.
  • After discovering these emails were being sent, she changed her Hotmail account password, but this has made no difference.
  • From looking at her mailbox over the last three days, I can can definitely see periods of time when emails were being generated (5 hours, 6 hours, 5.5 hours), so they are not 24 x 7.

I'm not particularly proficient at deciphering email headers, but I have added a sample below. Is this telling me that something still has access to her email account and is sending these out via outlook.com? Is this "something" going to be locally installed on one of her devices?

 

These headers look totally different to genuine email in her Sent Items. Any ideas gratefully received.

 

Received: from ip-10-45-57-33 (10.174.93.36) by 
  SYXPR01MB1039.ausprd01.prod.outlook.com (10.169.174.149) with Microsoft SMTP 
  Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 
  15.20.35.12 via Mailbox Transport; Tue, 12 Sep 2017 05:10:55 +0000
Date: Tue, 12 Sep 2017 05:10:50 +0000
To: aaaaa@hotmail.com
From: zzzzz@hotmail.com
Subject: Happy Birthday!
Message-ID: <b67557f232492190d4cfae0834eb49e5@ip-10-45-57-33>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
             boundary="b1_b67557f232492190d4cfae0834eb49e5"
Content-Transfer-Encoding: 8bit
Return-Path: zzzzz@hotmail.com
X-MS-Exchange-Organization-Network-Message-Id: 2389de69-9b55-48a9-5127-08d4f99ca5b3
X-MS-Exchange-Organization-AuthSource: SYXPR01MB1039.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TMN: [ruf6RdLiukVthEa3ciJSEAj3L1eLMpaT]
MIME-Version: 1.0


Create new topic

Stu

Stu
Hammered
8332 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1863174 13-Sep-2017 08:10
Send private message

If they're in her SENT items, someone has her password. Change the password and enable 2FA.




People often mistake me for an adult because of my age.

 

 

Keep calm, and carry on posting.

 

 

Referral Links: Sharesies - Backblaze

 

Are you happy with what you get from Geekzone? If so, please consider supporting us by subscribing.

 

No matter where you go, there you are.




Linux
11391 posts

Uber Geek

Trusted
Lifetime subscriber

  #1863184 13-Sep-2017 08:30
Send private message

Also scan the PC with Malwarebytes

 

Linux


  #1863317 13-Sep-2017 09:55
Send private message

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."




Linux
11391 posts

Uber Geek

Trusted
Lifetime subscriber

  #1863318 13-Sep-2017 09:57
Send private message

allan:

 

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."

 

 

This happens when you skim read sorry

 

Linux


yitz
2074 posts

Uber Geek


  #1864452 13-Sep-2017 12:43
Send private message

Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from.

 

 

If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity.

 

 

Either way as mentioned above change password and enable 2 factor.

 

 

You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

djtOtago
1149 posts

Uber Geek


  #1864459 13-Sep-2017 12:56
Send private message

Did she used to have a PC?

 

If so what happened to it, and where is it now?


  #1864535 13-Sep-2017 14:48
Send private message

yitz: Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from. If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity. Either way as mentioned above change password and enable 2 factor. You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

 

Yes unedited. It's not been redacted. I will contact her again this evening and step her through a further password reset and 2FA.

 

Until now, I'd never heard of add-ins for Outlook.com. The only one that appears to be turned on is Evernote and it seems like that is not been activated according to the note underneath it.


 
 
 

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.
  #1864536 13-Sep-2017 14:49
Send private message

djtOtago:

 

Did she used to have a PC?

 

If so what happened to it, and where is it now? 

 

Yes, did used to have a PC. Died a death and is not functional I understand.


djtOtago
1149 posts

Uber Geek


  #1864608 13-Sep-2017 16:28
Send private message

Also

 

Login at https://account.microsoft.com
Goto "Security" then look for the link to "more security options" (bottom left of page)
Look for the section on "App Passwords" then "Remove existing app passwords"

 

While you are at it you may as well "Remove trusted devices" just to be sure.

 

 


Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00


eero Pro 7 Review
Posted 23-Jul-2025 12:07


BeeStation Plus Review
Posted 21-Jul-2025 14:21


eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01


WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32


RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26


Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24


Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05


Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01


Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01


Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22


Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46


Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42


D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34


Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15









Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.