Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


987 posts

Ultimate Geek
+1 received by user: 136

Subscriber

Topic # 223103 13-Sep-2017 00:37
Send private message

I've been asked by a friend to help her with an issue where her email account appears to be being used as a spam generator sending out hundreds of "Happy Birthday" emails every hour. I can see these sitting in the Sent Items folder of her Outlook.com (Hotmail) account. The animated "Happy Birthday" link in them appears to end up at myfriendlygift.com. Googling reveals lots of people asking if they safe or fraudulent and how to disable them, but no real answers.

 

The facts as I know them are:

 

  • My friend initially believed she was receiving some sort of electronic card from a family member and "clicked on on some things and filled in some information", but she has no idea what - although I'm guessing she provided her email address and password.
  • She has no PC currently and is using an iPad and a Windows mobile phone.
  • After discovering these emails were being sent, she changed her Hotmail account password, but this has made no difference.
  • From looking at her mailbox over the last three days, I can can definitely see periods of time when emails were being generated (5 hours, 6 hours, 5.5 hours), so they are not 24 x 7.

I'm not particularly proficient at deciphering email headers, but I have added a sample below. Is this telling me that something still has access to her email account and is sending these out via outlook.com? Is this "something" going to be locally installed on one of her devices?

 

These headers look totally different to genuine email in her Sent Items. Any ideas gratefully received.

 

Received: from ip-10-45-57-33 (10.174.93.36) by 
  SYXPR01MB1039.ausprd01.prod.outlook.com (10.169.174.149) with Microsoft SMTP 
  Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 
  15.20.35.12 via Mailbox Transport; Tue, 12 Sep 2017 05:10:55 +0000
Date: Tue, 12 Sep 2017 05:10:50 +0000
To: aaaaa@hotmail.com
From: zzzzz@hotmail.com
Subject: Happy Birthday!
Message-ID: <b67557f232492190d4cfae0834eb49e5@ip-10-45-57-33>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
             boundary="b1_b67557f232492190d4cfae0834eb49e5"
Content-Transfer-Encoding: 8bit
Return-Path: zzzzz@hotmail.com
X-MS-Exchange-Organization-Network-Message-Id: 2389de69-9b55-48a9-5127-08d4f99ca5b3
X-MS-Exchange-Organization-AuthSource: SYXPR01MB1039.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TMN: [ruf6RdLiukVthEa3ciJSEAj3L1eLMpaT]
MIME-Version: 1.0


Create new topic

Stu

Hammered
4972 posts

Uber Geek
+1 received by user: 1035

Moderator
Trusted
Lifetime subscriber

  Reply # 1863174 13-Sep-2017 08:10
One person supports this post
Send private message

If they're in her SENT items, someone has her password. Change the password and enable 2FA.




Keep calm, and carry on posting.

 

 

 

Click to see full size Click to see full size


3025 posts

Uber Geek
+1 received by user: 1678

Trusted
Lifetime subscriber

  Reply # 1863184 13-Sep-2017 08:30
Send private message

Also scan the PC with Malwarebytes

 

Linux





Ex JohnR VodafoneNZ 17 years 4 days



987 posts

Ultimate Geek
+1 received by user: 136

Subscriber

  Reply # 1863317 13-Sep-2017 09:55
Send private message

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."


3025 posts

Uber Geek
+1 received by user: 1678

Trusted
Lifetime subscriber

  Reply # 1863318 13-Sep-2017 09:57
Send private message

allan:

 

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."

 

 

This happens when you skim read sorry

 

Linux





Ex JohnR VodafoneNZ 17 years 4 days

1178 posts

Uber Geek
+1 received by user: 262


  Reply # 1864452 13-Sep-2017 12:43
Send private message

Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from.

 

 

If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity.

 

 

Either way as mentioned above change password and enable 2 factor.

 

 

You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

344 posts

Ultimate Geek
+1 received by user: 130

Subscriber

  Reply # 1864459 13-Sep-2017 12:56
Send private message

Did she used to have a PC?

 

If so what happened to it, and where is it now?




987 posts

Ultimate Geek
+1 received by user: 136

Subscriber

  Reply # 1864535 13-Sep-2017 14:48
Send private message

yitz: Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from. If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity. Either way as mentioned above change password and enable 2 factor. You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

 

Yes unedited. It's not been redacted. I will contact her again this evening and step her through a further password reset and 2FA.

 

Until now, I'd never heard of add-ins for Outlook.com. The only one that appears to be turned on is Evernote and it seems like that is not been activated according to the note underneath it.




987 posts

Ultimate Geek
+1 received by user: 136

Subscriber

  Reply # 1864536 13-Sep-2017 14:49
Send private message

djtOtago:

 

Did she used to have a PC?

 

If so what happened to it, and where is it now? 

 

Yes, did used to have a PC. Died a death and is not functional I understand.


344 posts

Ultimate Geek
+1 received by user: 130

Subscriber

  Reply # 1864608 13-Sep-2017 16:28
Send private message

Also

 

Login at https://account.microsoft.com
Goto "Security" then look for the link to "more security options" (bottom left of page)
Look for the section on "App Passwords" then "Remove existing app passwords"

 

While you are at it you may as well "Remove trusted devices" just to be sure.

 

 


Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08


Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03


Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27


Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13


Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00


Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12


Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52


Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34


Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07


All or Nothing: New Zealand All Blacks arrives on Amazon Prime Video
Posted 2-Jun-2018 16:21


Innovation Grant, High Tech Awards and new USA office for Kiwi tech company SwipedOn
Posted 1-Jun-2018 20:54


Commerce Commission warns Apple for misleading consumers about their rights
Posted 30-May-2018 13:15


IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12


New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17


Stuff takes 100% ownership of Stuff Fibre
Posted 24-May-2018 19:41



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.