Kitz Forum

Internet => Web Browsing & Email => Topic started by: silversurfer44 on April 19, 2012, 11:03:33 AM

Title: Spam addressed to none listed address.
Post by: silversurfer44 on April 19, 2012, 11:03:33 AM
First off I am not worried, just curious.
I received some spam yesterday and it was addressed to a fabricated name that I use on a laptop.
The name is not kept anywhere other than this particular laptop, which uses the strongest possible encrypted wifi.
Now the address that it was addressed to is of the variety 'name<proper email address at o2.co.uk>'. The proper email address is known by only a few trusted people. I know it can still be harvested.
All my computers run on Linux, which some of you may have heard of <big grin>, so therefore I am not worried that a computer may have been infected. In fact I run scans quite often looking for rootkits and the like + they are all (bar one) switched off at night & none are run with root permissions.
What I would like to know is :-

How did someone manage to put the two elements together, that is, the fake name and genuine email address?
Suggestions please?

Thank you.
Title: Re: Spam addressed to none listed address.
Post by: silversurfer44 on April 21, 2012, 06:28:18 AM
I guess that no-one has any further insight.
Thanks for looking. :)
Title: Re: Spam addressed to none listed address.
Post by: burakkucat on April 21, 2012, 06:21:09 PM
Sorry, SS44, but it is a total mystery to me.  :-\
Title: Re: Spam addressed to none listed address.
Post by: kitz on April 21, 2012, 06:41:56 PM
I should think the most likely reason is that unfortunately it's one of those few trusted people that has/had some sort of worm on their PC. :/

Once resident on a PC the worm specifically searches the infected drive looking for contact details.  Depending on the worm variant it will usually look for email addresses, which are most common as they are easily identified by the @.  MSN contacts, though, are another common target, as are mail lists, address books etc. on the host computer.
 
Once the virus has compiled its list of contacts from the infected PC, it then targets those other addresses either to continue the replication process (hoping it will reach further unprotected PCs and continue to spread).. or it could be just plain spam.

The Klez variant of worms is very adept at doing this sort of thing (I only mention Klez because it's one of the common worms that I investigated whilst doing my dissertation, but there are many similar types which can also do this). Klez became infamous due to its mail engine and ability to spam and replicate.  They're not so much a nasty horrible wreck-the-PC virus..  just damn annoying.

Depending on the type of virus and the spoof ..  if you look closely at the full email header you can sometimes suss some clues as to where it's really come from.
Many years ago I had something similar, and I identified it to my uncle's PC by looking at the header message source, which in that particular instance quoted his PC name.  Depends how clever the worm is though at hiding its tracks, I guess.
Title: Re: Spam addressed to none listed address.
Post by: silversurfer44 on April 22, 2012, 08:09:56 AM
Thank you burakkucat, and the interesting thoughts kitz. I dragged the offending mail from the wastebin, which I should have deleted, and checked the headers again.
What I did find curious is this
'Return-Path: <bounce-1123346-27699000@email.get-pdfsuite.com>'
at the very top.

Now I have had spam from get-pdfsuite on a number of occasions, but not addressed to the named email account.
The logon name that was used belongs to the laptop that I occasionally use, which has never been used to send an email from.
I am therefore looking closer to home and wondering if there is some kind of virus on one of my Linux machines.  ???
Time to have a look at clamav I think. The rootkit checks have not found anything. A real mystery.
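
Added example, not part of the original posts: a small Python script that pulls out the header clues discussed above (the Return-Path, the display name on the To line, and the machine names quoted in the Received chain). The sample message, the hostnames and the assumed Received layout are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the spam from this thread); every name, host and IP is made up.
SAMPLE = """\
Return-Path: <bounce-0000-0000@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.co.uk with ESMTP id abc123
\tfor <real.user@example.co.uk>; Wed, 18 Apr 2012 10:00:02 +0100
Received: from UNCLE-PC (unknown [198.51.100.7])
\tby mx.example.org with SMTP id def456; Wed, 18 Apr 2012 10:00:00 +0100
From: "Special Offers" <offers@shop.example.com>
To: laptopname <real.user@example.co.uk>
Subject: Constructed sample

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>": a common Received layout (assumed).
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def header_clues(raw):
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    to_name, to_addr = parseaddr(msg.get("To", ""))
    hops = []
    # Each relay prepends its Received line, so reverse to read the oldest hop first.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return {
        "envelope_sender": envelope,
        "to_display_name": to_name,
        "to_address": to_addr,
        # A differing bounce domain is normal for bulk mailers; it names the sending service.
        "sender_mismatch": domain(envelope) != domain(from_addr),
        "hops": hops,
        # A dotless HELO is usually a machine's own name, like the PC name mentioned above.
        "bare_helo_names": [h["helo"] for h in hops if "." not in h["helo"]],
    }

if __name__ == "__main__":
    for key, value in header_clues(SAMPLE).items():
        print(key, "=", value)
```

Only the Received lines added by your own provider's servers can be trusted; anything older in the chain is supplied by the sending side and may be forged.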
Title: Re: Spam addressed to none listed address.
Post by: kitz on April 22, 2012, 08:22:29 PM
TBH SS I think it's unlikely that the problem is with your own machine.

When you send out mail via an authenticated server, then you often will send out information in the header about which machine you have used.  The format would be something like 'name<proper email address at o2.co.uk>'.

At a guess it's more likely that email correspondence that you sent out at some time is still sat on someone's compromised machine somewhere and that's where the worm has got the info from.

I had an email address that was personal, I kept a tight lid on it and it never got any spam at all...... until someone else's system was hacked and hijacked for spam from the other machine's email box. :/
Title: Re: Spam addressed to none listed address.
Post by: silversurfer44 on April 22, 2012, 09:13:03 PM
Thank you for that Kitz. You are probably correct. I haven't had the laptop on for a few days so I will have a check tomorrow to see if I sent any mail whilst I was on that computer. I don't recall doing so but with my memory I could have sent one yesterday and I would have forgotten. I really mean that. :'(
Thank you again.
Title: Re: Spam addressed to none listed address.
Post by: kitz on April 22, 2012, 09:43:42 PM
>>> I don't recall doing so but with my memory I could have sent one yesterday and I would have forgotten.

It could be long, long ago.... not necessarily recently. If the other compromised machine still has that email sitting somewhere on their PC then the worm will have been able to pick it up. :(