Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




893 posts

Ultimate Geek
+1 received by user: 98

Subscriber

Topic # 223103 13-Sep-2017 00:37
Send private message quote this post

I've been asked by a friend to help her with an issue where her email account appears to be being used as a spam generator sending out hundreds of "Happy Birthday" emails every hour. I can see these sitting in the Sent Items folder of her Outlook.com (Hotmail) account. The animated "Happy Birthday" link in them appears to end up at myfriendlygift.com. Googling reveals lots of people asking if they safe or fraudulent and how to disable them, but no real answers.

 

The facts as I know them are:

 

  • My friend initially believed she was receiving some sort of electronic card from a family member and "clicked on on some things and filled in some information", but she has no idea what - although I'm guessing she provided her email address and password.
  • She has no PC currently and is using an iPad and a Windows mobile phone.
  • After discovering these emails were being sent, she changed her Hotmail account password, but this has made no difference.
  • From looking at her mailbox over the last three days, I can can definitely see periods of time when emails were being generated (5 hours, 6 hours, 5.5 hours), so they are not 24 x 7.

I'm not particularly proficient at deciphering email headers, but I have added a sample below. Is this telling me that something still has access to her email account and is sending these out via outlook.com? Is this "something" going to be locally installed on one of her devices?

 

These headers look totally different to genuine email in her Sent Items. Any ideas gratefully received.

 

Received: from ip-10-45-57-33 (10.174.93.36) by 
  SYXPR01MB1039.ausprd01.prod.outlook.com (10.169.174.149) with Microsoft SMTP 
  Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 
  15.20.35.12 via Mailbox Transport; Tue, 12 Sep 2017 05:10:55 +0000
Date: Tue, 12 Sep 2017 05:10:50 +0000
To: aaaaa@hotmail.com
From: zzzzz@hotmail.com
Subject: Happy Birthday!
Message-ID: <b67557f232492190d4cfae0834eb49e5@ip-10-45-57-33>
X-Mailer: PHPMailer 5.2.14 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
             boundary="b1_b67557f232492190d4cfae0834eb49e5"
Content-Transfer-Encoding: 8bit
Return-Path: zzzzz@hotmail.com
X-MS-Exchange-Organization-Network-Message-Id: 2389de69-9b55-48a9-5127-08d4f99ca5b3
X-MS-Exchange-Organization-AuthSource: SYXPR01MB1039.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-TMN: [ruf6RdLiukVthEa3ciJSEAj3L1eLMpaT]
MIME-Version: 1.0


Create new topic

Stu

Hammered
4743 posts

Uber Geek
+1 received by user: 957

Moderator
Trusted
Subscriber

  Reply # 1863174 13-Sep-2017 08:10
One person supports this post
Send private message quote this post

If they're in her SENT items, someone has her password. Change the password and enable 2FA.




Keep calm, and carry on posting.

 

 

 

Click to see full size Click to see full size


1549 posts

Uber Geek
+1 received by user: 889

Trusted
Subscriber

  Reply # 1863184 13-Sep-2017 08:30
Send private message quote this post

Also scan the PC with Malwarebytes

 

Linux


 
 
 
 




893 posts

Ultimate Geek
+1 received by user: 98

Subscriber

  Reply # 1863317 13-Sep-2017 09:55
Send private message quote this post

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."


1549 posts

Uber Geek
+1 received by user: 889

Trusted
Subscriber

  Reply # 1863318 13-Sep-2017 09:57
Send private message quote this post

allan:

 

Linux:

 

Also scan the PC with Malwarebytes

 

Linux

 

Umm, as above... "She has no PC currently and is using an iPad and a Windows mobile phone."

 

 

This happens when you skim read sorry

 

Linux


935 posts

Ultimate Geek
+1 received by user: 179


  Reply # 1864452 13-Sep-2017 12:43
Send private message quote this post

Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from.

 

 

If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity.

 

 

Either way as mentioned above change password and enable 2 factor.

 

 

You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

246 posts

Master Geek
+1 received by user: 103

Subscriber

  Reply # 1864459 13-Sep-2017 12:56
Send private message quote this post

Did she used to have a PC?

 

If so what happened to it, and where is it now?




893 posts

Ultimate Geek
+1 received by user: 98

Subscriber

  Reply # 1864535 13-Sep-2017 14:48
Send private message quote this post

yitz: Is "ip-10-45-57-33" (is this unedited or has it been redacted?) a foreign IP or the IP of her broadband connection? That is where the connection to the outbound server has been reported to come from. If you go to https://account.live.com under Security in the top menu you can review locations of recent account activity. Either way as mentioned above change password and enable 2 factor. You might also want to review Outlook.com add-ins ("apps"), I'm not sure whether emails that apps send out on her behalf would end up in the Sent Items folder though.

 

Yes unedited. It's not been redacted. I will contact her again this evening and step her through a further password reset and 2FA.

 

Until now, I'd never heard of add-ins for Outlook.com. The only one that appears to be turned on is Evernote and it seems like that is not been activated according to the note underneath it.




893 posts

Ultimate Geek
+1 received by user: 98

Subscriber

  Reply # 1864536 13-Sep-2017 14:49
Send private message quote this post

djtOtago:

 

Did she used to have a PC?

 

If so what happened to it, and where is it now? 

 

Yes, did used to have a PC. Died a death and is not functional I understand.


246 posts

Master Geek
+1 received by user: 103

Subscriber

  Reply # 1864608 13-Sep-2017 16:28
Send private message quote this post

Also

 

Login at https://account.microsoft.com
Goto "Security" then look for the link to "more security options" (bottom left of page)
Look for the section on "App Passwords" then "Remove existing app passwords"

 

While you are at it you may as well "Remove trusted devices" just to be sure.

 

 


Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Phone prices rising as users move upmarket
Posted 24-Nov-2017 17:16


Talking net neutrality on RNZ Nine-to-Noon
Posted 24-Nov-2017 12:11


Air New Zealand experiments with blockchain technology
Posted 23-Nov-2017 15:39


Symantec selects Amazon Web Services to deliver cloud security
Posted 23-Nov-2017 10:40


New Zealand Ministry of Education chooses Unisys for cloud-based education resourcing management system
Posted 22-Nov-2017 22:00


Business analytics software powers profits for NZ wine producers
Posted 22-Nov-2017 21:52


Pyrios strikes up alliance with Microsoft integrator UC Logiq
Posted 22-Nov-2017 21:51


The New Zealand IT services ecosystem - it's all digital down here
Posted 22-Nov-2017 21:49


Volvo to supply tens of thousands of autonomous drive compatible cars to Uber
Posted 22-Nov-2017 21:46


From small to medium and beyond: Navigating the ERP battlefield
Posted 21-Nov-2017 21:12


Business owners: ERP software selection starts (and finishes) with you
Posted 21-Nov-2017 21:11


Why I'm not an early adopter
Posted 21-Nov-2017 10:39


Netatmo launches smart home products in New Zealand
Posted 20-Nov-2017 20:06


Huawei Mate 10: Punchy, long battery life, artificial intelligence
Posted 20-Nov-2017 16:30


Propel launch Disney Star Wars Laser Battle Drones
Posted 19-Nov-2017 21:26



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.