I've been asked by a friend to help her with an issue where her email account appears to be being used as a spam generator sending out hundreds of "Happy Birthday" emails every hour. I can see these sitting in the Sent Items folder of her Outlook.com (Hotmail) account. The animated "Happy Birthday" link in them appears to end up at myfriendlygift.com. Googling reveals lots of people asking if they are safe or fraudulent and how to disable them, but no real answers.
The facts as I know them are:
- My friend initially believed she was receiving some sort of electronic card from a family member and "clicked on some things and filled in some information", but she has no idea what - although I'm guessing she provided her email address and password.
- She has no PC currently and is using an iPad and a Windows mobile phone.
- After discovering these emails were being sent, she changed her Hotmail account password, but this has made no difference.
- From looking at her mailbox over the last three days, I can definitely see periods of time when emails were being generated (5 hours, 6 hours, 5.5 hours), so they are not 24 x 7.
I'm not particularly proficient at deciphering email headers, but I have added a sample below. Is this telling me that something still has access to her email account and is sending these out via outlook.com? Is this "something" going to be locally installed on one of her devices?
These headers look totally different to genuine email in her Sent Items. Any ideas gratefully received.
```
Received: from ip-10-45-57-33 (10.174.93.36) by
 SYXPR01MB1039.ausprd01.prod.outlook.com (10.169.174.149) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.35.12 via Mailbox Transport; Tue, 12 Sep 2017 05:10:55 +0000
Date: Tue, 12 Sep 2017 05:10:50 +0000
To: aaaaa@hotmail.com
From: zzzzz@hotmail.com
Subject: Happy Birthday!
Message-ID: <b67557f232492190d4cfae0834eb49e5@ip-10-45-57-33>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
 boundary="b1_b67557f232492190d4cfae0834eb49e5"
Content-Transfer-Encoding: 8bit
Return-Path: zzzzz@hotmail.com
X-MS-Exchange-Organization-Network-Message-Id: 2389de69-9b55-48a9-5127-08d4f99ca5b3
X-MS-Exchange-Organization-AuthSource: SYXPR01MB1039.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TMN: [ruf6RdLiukVthEa3ciJSEAj3L1eLMpaT]
MIME-Version: 1.0
```
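For readers comparing a suspicious Sent Items message against a genuine one, the following added example (not part of the original post) pulls out the header fields that identify the sending software and the first hop. The function names `triage` and `is_private` are hypothetical, and the sample is an abridged copy of the headers quoted above.

```python
import email
import ipaddress
import re

# Abridged copy of the headers quoted in the post (addresses were already redacted there).
SAMPLE = """\
Received: from ip-10-45-57-33 (10.174.93.36) by
 SYXPR01MB1039.ausprd01.prod.outlook.com (10.169.174.149) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.35.12 via Mailbox Transport; Tue, 12 Sep 2017 05:10:55 +0000
From: zzzzz@hotmail.com
Subject: Happy Birthday!
Message-ID: <b67557f232492190d4cfae0834eb49e5@ip-10-45-57-33>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
X-MS-Exchange-Organization-AuthAs: Anonymous

"""

def is_private(ip):
    """True when the address is in a private (non-routable) range."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def triage(raw):
    """Return the fields worth comparing against a known-genuine message."""
    msg = email.message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        flat = " ".join(rcvd.split())  # unfold the continuation lines
        m = re.match(r"from (\S+) \(([^)]+)\) by (\S+) \(([^)]+)\)", flat)
        if m:
            hops.append({"from_host": m.group(1), "from_ip": m.group(2),
                         "by_host": m.group(3),
                         "from_ip_private": is_private(m.group(2))})
    msgid = (msg.get("Message-ID") or "").strip().strip("<>")
    return {
        "x_mailer": msg.get("X-Mailer"),          # software that built the message
        "auth_as": msg.get("X-MS-Exchange-Organization-AuthAs"),
        "message_id_host": msgid.rpartition("@")[2],  # host that minted the Message-ID
        "hops": hops,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same function over a message she sent herself shows which of these fields differ.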