Hi, I am having a bizarre problem that I am not able to discern whether it
is Entourage-based or not, but Entourage is my primary email client and
I use it every day for most email tasks.

Some people are receiving emails that I did not send from my Hotmail
account. One of them is receiving the emails otherwise blank but has
"Not read:" in the subject line. Another replied that an attachment had
been sent from me that she couldn't open, also has "Not read:" in the
subject line. I have not sent any email whatsoever to the latter
recipient in quite some time.

I have run virus scans on my computers with Norton and have not found
anything, however, I am concerned there is some kind of security issue
here. Can anyone tell what might be causing this?

My set-up:

Entourage 2004
Powerbook G4 1.5 GHz
OS X 10.4.4
Norton AV for Mac
Hotmail and Gmail

Re: Urgent: Possible security problem by JE

JE
Wed Jan 25 22:14:18 CST 2006

In article <1138244316.942537.247650@z14g2000cwz.googlegroups.com>,
"planethoth" <michael.pukin@gmail.com> wrote:

> I have run virus scans on my computers with Norton and have not found
> anything, however, I am concerned there is some kind of security issue
> here. Can anyone tell what might be causing this?

It's most likely that your address was spoofed. Have your correspondent
look at the headers. My guess is that the message won't have originated
from your isp.

Re: Urgent: Possible security problem by planethoth

planethoth
Wed Jan 25 22:18:07 CST 2006

If they know how to do this... assuming this is the case, what should I
be concerned about here and what action should I take?


Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 00:36:38 CST 2006

So far, Norton AV and Mac Scan anti-spyware software have picked up
nothing. I am very worried about this, how do I shut down this spoofer
if I cannot find how they did it? And, in addition, is this possibly a
flaw in Entourage itself?


Re: Urgent: Possible security problem by Daiya

Daiya
Thu Jan 26 01:01:20 CST 2006

On 1/25/06 10:36 PM, "planethoth" wrote:

> So far, Norton AV and Mac Scan anti-spyware software have picked up
> nothing. I am very worried about this, how do I shut down this spoofer
> if I cannot find how they did it? And, in addition, is this possibly a
> flaw in Entourage itself?
>

It's not a flaw in Entourage, and I don't think there is anything you can do
about it.

Usually, I think the explanation is that someone you know is infected with a
virus. That virus went through their address book and grabbed all the email
addresses it could find, and probably both spoofed those addresses and sent
viruses to them.

But there is no virus on your computer for Norton to find.

E.g., here's an announcement from a university in Europe about this--you can
send such a link to your correspondents, as clearly they are not aware this
is common practice and that they should beware of such emails.
http://isservices.tcd.ie/security/spoofemail.php
http://www.lse.ac.uk/itservices/help/spamming&spoofing.htm

Here's another one about a virus that was big a while back:
http://antivirus.about.com/od/virusdescriptions/a/klezspoof.htm

Likewise, knowing such spoofing happens, people sending attachments should
be careful to include a brief cover message that prevents people from
fearing it may be a spoofed email.

(you can google "virus emails spoof" or some variation thereof, lots more
links out there)


Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 01:08:51 CST 2006

Just want to be clear about what I am describing: these people I am
hearing from are getting these emails (allegedly) from me and I am only
hearing about it when they reply. These people are not strangers but
people I know. So might this suggest someone has stolen addresses from
either my Entourage address book or Hotmail?


Re: Urgent: Possible security problem by Daiya

Daiya
Thu Jan 26 01:23:58 CST 2006

On 1/25/06 11:08 PM, "planethoth" wrote:

> Just want to be clear about what I am describing: these people I am
> hearing from are getting these emails (allegedly) from me and I am only
> hearing about it when they reply. These people are not strangers but
> people I know. So might this suggest someone has stolen addresses from
> either my Entourage address book or Hotmail?
>
No. It suggests that a mutual acquaintance of both of you is infected with
a virus. The virus stole their address book, which had you *and* these
people's addresses, plus a whole bunch of other people.

There are strangers out there getting spoofed emails from you, but they know
to recognize it as a virus, cause they don't know who you are, or maybe the
message goes straight into junk mail.

But the people who know you are investigating, because it is barely
conceivable that you sent them something, since that *is* an address they
recognize, and their junk mail doesn't filter out people they regularly
correspond with.

Did you read the links from the university IT depts? Quote:
" In addition, if the virus uses your email address, people may think they
have received infected emails from you when in fact it is another machine
that is infected and is using your email address as the sender's address."

The first two links not only explain the process but tell people how to
examine the email headers to see where the message is really coming from.

Such spoofed emails are quite a common occurrence, though less common
lately. You'll be doing your correspondents a favor if you educate them
about it.
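
The header check that JE and Daiya point to above, written out as an added example (it is not part of the original thread). It finds the topmost `Received:` line stamped by the recipient's own mail server, the only hop the sender cannot forge, and compares the host that handed the message over with the domain in `From:`. All hosts, addresses and IPs are constructed placeholders, and the Postfix-style `Received:` layout is an assumption; other mail servers format this line differently.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every host, address and IP is a placeholder.
SPOOFED = """\
Received: from pc-17.dialup.example.net (pc-17.dialup.example.net [192.0.2.44])
 by mx.recipient.example (Postfix) with ESMTP id 4F2A1
 for <friend@recipient.example>; Wed, 25 Jan 2006 21:02:11 -0600
Received: from out3.webmail.example (unknown [203.0.113.9])
 by pc-17.dialup.example.net with SMTP; Wed, 25 Jan 2006 21:02:09 -0600
From: "M. Sender" <sender@webmail.example>
To: friend@recipient.example
Subject: Not read: holiday plans

"""

GENUINE = """\
Received: from out3.webmail.example (out3.webmail.example [198.51.100.7])
 by mx.recipient.example (Postfix) with ESMTP id 7C9D0
 for <friend@recipient.example>; Wed, 25 Jan 2006 20:15:40 -0600
From: "Mary Sender" <sender@webmail.example>
To: friend@recipient.example
Subject: holiday plans

"""

# Assumed layout: "from HELO (reverse-dns [ip]) by receiving-host ...".
# HELO is whatever the sender claimed; the reverse-DNS name and IP are what
# the receiving server itself observed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw, trusted_domain):
    """Compare the From: domain with the host seen by the recipient's server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Received headers are listed newest first. Anything below the first one
    # written by the recipient's own server may have been made up by the sender.
    for value in msg.get_all("Received", []):
        hop = RECEIVED_RE.search(value)
        if hop and in_domain(hop.group("by"), trusted_domain):
            rdns = hop.group("rdns")
            verdict = "consistent" if in_domain(rdns, from_domain) else "mismatch"
            return {"from_domain": from_domain, "handed_over_by": rdns.lower(),
                    "ip": hop.group("ip"), "verdict": verdict}
    return {"from_domain": from_domain, "handed_over_by": None,
            "ip": None, "verdict": "no-trusted-hop"}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw, "recipient.example"))
```

A "mismatch" is not proof of forgery on its own, since people do send through relays outside their provider's domain; it tells the recipient which host and IP actually delivered the message.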


Re: Urgent: Possible security problem by Barry

Barry
Thu Jan 26 01:44:36 CST 2006

On 26/1/06 07:08, in article
1138259331.787885.179720@f14g2000cwb.googlegroups.com, "planethoth"
<michael.pukin@gmail.com> wrote:

> Just want to be clear about what I am describing: these people I am
> hearing from are getting these emails (allegedly) from me and I am only
> hearing about it when they reply. These people are not strangers but
> people I know. So might this suggest someone has stolen addresses from
> either my Entourage address book or Hotmail?
>

The mails are NOT coming from you or your computer. They are being sent out
by a third party, but have your name & email address in the 'from' header.
This is very easy to fake.

There's not really anything you can do except tell the people who are
getting in touch with you that you are not responsible and that they should
not be opening the attachments! If they are windows users, it's quite
possible/likely that they are also now infected.

--
Barry Wainwright
Microsoft MVP (see http://mvp.support.microsoft.com for details)
Check out the Entourage User's WebLog for hints, tips and troubleshooting
<http://homepage.mac.com/barryw/weblog/weblog.html>


Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 02:23:43 CST 2006

Let me recap three things about this problem:

1. the emails are coming, allegedly, from one of my email addresses
with my name
2. the name that is used, although my name, is not the form that I use
in my email accounts, i.e., these have First initial/name in full,
whereas I use First name in full/last name in full
3. The people who have received my emails are ALL people I know, but do
not know each other. They are not connected to each other in any way
other than that they know me, so they cannot have appeared on each
others' address books or list.

Only one of them has received an attachment.

Given this information, is it any clearer what this could be?


Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 02:35:20 CST 2006

Although I am a moderately sophisticated computer user, most of the
people I know are not and have no clue about it when I try to explain
the internet headers, etc. I have had no luck with trying to get them
to explain what to look for. Hell, I am not even sure I know what I am
looking for. All I know is, it would be very strange for three
disparate people who all happen to be on my contact list to get emails
purporting to be from me if there wasn't something going on besides a
coincidence...


Re: Urgent: Possible security problem by mmmmark

mmmmark
Thu Jan 26 08:15:59 CST 2006


"planethoth" <michael.pukin@gmail.com> wrote in message
news:1138264520.410335.145530@g44g2000cwa.googlegroups.com...
> Although I am a moderately sophisticated computer user, most of the
> people I know are not and have no clue about it when I try to explain
> the internet headers, etc. I have had no luck with trying to get them
> to explain what to look for. Hell, I am not even sure I know what I am
> looking for. All I know is, it would be very strange for three
> disparate people who all happen to be on my contact list to get emails
> purporting to be from me if there wasn't something going on besides a
> coincidence...
>

One thing that can prevent many of these problems is to use the BCC field
when forwarding emails to lots of people. If you include dozens of
addresses in the TO field, then usually EACH and EVERY person on that
forward list will (by default) have ALL those email addresses added to their
address book.

Then, if ANY of them is exposed to a virus/worm/trojan, you are going along
for the ride. Worse yet, by including people's names in the TO field,
you've sent everyone else along for that same ride. It is much like being
exposed to STDs.... There is a transitive property, affecting everyone
you've ever sent or received email from.

Granted, since you have a Mac you (currently) can't get a virus, but you can
be spoofed like you have been or you can be included on spam lists (more
likely these days). Spam can be minimized if people practice "safe
emailing" and proper use of the BCC field (it's like using protection).
;-)

regards,
-Mark



Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 11:33:57 CST 2006

One thing that is not clear to me is: how are people I know getting
these bogus emails from me even when I have not communicated with them
for weeks? I virtually NEVER use multiple email addresses, for what
that is worth, and have not used them recently whatsoever. These
details are important to understanding what is going on here...


Re: Urgent: Possible security problem by mmmmark

mmmmark
Thu Jan 26 14:57:02 CST 2006


"planethoth" <michael.pukin@gmail.com> wrote in message
news:1138296837.604543.114170@g14g2000cwa.googlegroups.com...
> One thing that is not clear to me is: how are people I know getting
> these bogus emails from me even when I have not communicated with them
> for weeks? I virtually NEVER use multiple email addresses, for what
> that is worth, and have not used them recently whatsoever. These
> details are important to understanding what is going on here...
>

You may need to re-read some of these responses in succession to more fully
understand. Your email address is in somebody's address book which has been
compromised by a virus/worm/trojan. It is sending out mail as if it were
from you (spoofing your address). To anyone that this mail goes to, it
appears to be from you and the reply-to address is also you.

None of this means that you have ever sent them an email. All it means is
that you and these people have a common 'friend' who has received a
virus/worm/trojan. Unluckily for you, your name is one (perhaps of many)
that is being spoofed. Welcome to the world of deception.

There is little to nothing you can do about it. Just try to educate others
based on what you read here so that they can 1) understand that you did
nothing wrong and 2) be more careful with their email conversations and
better use discretion with who has their email address and how they use the
TO and BCC fields. It is poor netiquette to address emails to large numbers
of people in the TO field. If you need more information on BCC I'm sure
there are plenty of links in Google explaining its use.

I feel for you. My sister-in-law had an acquaintance who got hit a few
months ago and many people were aggravated as a result. My S-I-L forwards
emails to hundreds of people and sometimes includes my name amongst the
addresses. In this manner, I am inadvertently added to all those people's
address books. One of them got hit and since then, I've received about 5
spams a day. Normally I don't use my primary address for forwarding "junk"
around. I use a separate one. Unfortunately, my S-I-L picked my wrong
address and now I am paying in spam.

Don't let it bother you too much. Life's too short to lose sleep over this.
Live. Laugh. Love. Smile :-)

Best Regards,
-Mark



Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 20:20:08 CST 2006

Let me again be clear: I have not sent ANY multiple-address emails. I
simply do not use this technique, as common as it is for others. The
issue of BCC etc. is good practice but it absolutely does not come into
play here---in addition, my contacts would NOT be communicating with
each other as they are entirely unrelated to each other. These people
have also not sent any multiple address emails to me. Even though I may
be in any of their address books, none of their names can be in each
others' address books. Their only commonality is that they know me.
Someone logically HAS to have access to my address book or contact list
somehow, am I wrong?

Again, for what it is worth, I have taken the following steps which
have NOT stopped this problem:

- Turned on the Mac's OS X firewall
- Changed my Hotmail/MSN password
- Scanned the computer using Norton AV and MacScan (nothing found)


Re: Urgent: Possible security problem by planethoth

planethoth
Thu Jan 26 23:15:31 CST 2006

I have fully read every response in this forum. But I must insist:
There is a logical discrepancy here, because I don't think it is
possible that my email is being spoofed from SOMEONE ELSE'S email
address. Why? Because of the following:

* ALL of the people are unconnected to each other. They happen to know
me, but they do not know each other, receive emails from each other,
forwards from me or each other, or multiple-address emails from each
other.

* In addition, in the subject line, after the phrase "Not read:", at
least a few of the cases contain wording from subject lines that had
been in previous email exchanges between me and them! This would not be
possible if only my name and email address were taken.

This is NOT an issue of me not reading the responses in this forum
carefully. IF I am being unclear about these facts, let me know. But it
seems that in fact it is other people who are not reading what I wrote
before they answer me. The details are extremely important here...


Re: Urgent: Possible security problem by Chris

Chris
Fri Jan 27 04:30:01 CST 2006

On 27/1/06 2:20, in article
1138328408.219785.199410@g43g2000cwa.googlegroups.com, "planethoth"
<michael.pukin@gmail.com> wrote:

> Let me again be clear: I have not sent ANY multiple-address emails. I
> simply do not use this technique, as common as it is for others. The
> issue of BCC etc. is good practice but it absolutely does not come into
> play here---in addition, my contacts would NOT be communicating with
> each other as they are entirely unrelated to each other. These people
> have also not sent any multiple address emails to me. Even though I may
> be in any of their address books, none of their names can be in each
> others' address books. Their only commonality is that they know me.
> Someone logically HAS to have access to my address book or contact list
> somehow, am I wrong?
>
> Again, for what it is worth, I have taken the following steps which
> have NOT stopped this problem:
>
> - Turned on the Mac's OS X firewall
> - Changed my Hotmail/MSN password
> - Scanned the computer using Norton AV and MacScan (nothing found)

Of course they won't make a difference.

The infected machine (or machines) *already* has your email address and at
least one of your contacts' email addresses. You're not closing the stable
door after the horse has bolted, you're closing the *wrong* stable door :-)

Your machine has *not* been infected by anything, and the addresses have
*not* been stolen from your machine. Seriously.

You know the "six degrees of separation" game (aka "six degrees of Kevin
Bacon")? Well, that's almost certainly the reason why your contacts are
getting mail from each other even though you think their only common contact
is you.

Don't worry about it, and don't spend too much time worrying how it all
happened. One infected Windows box is all it takes.

Cheers,

Chris


Re: Urgent: Possible security problem by mmmmark

mmmmark
Fri Jan 27 07:48:35 CST 2006


"planethoth" <michael.pukin@gmail.com> wrote in message
news:1138338931.266398.69380@g14g2000cwa.googlegroups.com...
> I have fully read every response in this forum. But I must insist:
> There is a logical discrepancy here, because I don't think it is
> possible that my email is being spoofed from SOMEONE ELSE'S email
> address. Why? Because of the following:
>
> * ALL of the people are unconnected to each other. They happen to know
> me, but they do not know each other, receive emails from each other,
> forwards from me or each other, or multiple-address emails from each
> other.
>
> * In addition, in the subject line, after the phrase "Not read:", at
> least a few of the cases contain wording from subject lines that had
> been in previous email exchanges between me and them! This would not be
> possible if only my name and email address were taken.
>
> This is NOT an issue of me not reading the responses in this forum
> carefully. IF I am being unclear about these facts, let me know. But it
> seems that in fact it is other people who are not reading what I wrote
> before they answer me. The details are extremely important here...
>

I'm not saying for certain that a TO/BCC issue has been the culprit. I just
jump on that soapbox anytime I get a chance--and it is certainly worth
repeating.

All it takes is one computer of someone you know and all this can happen.
Think carefully about the "safe sex" analogy I spoke of. Everyone is
affected by everyone they've EVER sent mail to (and whoever they sent email
to.......etc).

Good luck,
-Mark



Re: Urgent: Possible security problem by planethoth

planethoth
Fri Jan 27 13:27:30 CST 2006

The analogy to six degrees of separation is well understood by me, but
there seems to be a problem with it. I can guarantee you that, except
for me, there is not any likely webbing holding these five people
together. As an example, my parents were the first ones to report
receiving these emails---they live in another city far from here and
really only have contact with me and my brothers in this city. My
brothers have not received these things. No contacts that my brothers
and I could possibly have in common (there are very few) have received
them either.

These emails have gone to people who have totally disparate social
circles and even ages---the connections back would be incredibly slim
and far removed. It simply does not make sense.

But the biggest death blow to this theory that my address was just
taken from someone else's address book is that the subject lines are
often containing text that was in previous emails BETWEEN myself and
that recipient. If this does not suggest some breach of my account, I
do not know what would.


Re: Urgent: Possible security problem by mmmmark

mmmmark
Fri Jan 27 13:41:31 CST 2006


"planethoth" <michael.pukin@gmail.com> wrote in message
news:1138390050.620758.243410@g14g2000cwa.googlegroups.com...
> The analogy to six degrees of separation is well understood by me, but
> there seems to be a problem with it. I can guarantee you that, except
> for me, there is not any likely webbing holding these five people
> together. As an example, my parents were the first ones to report
> receiving these emails---they live in another city far from here and
> really only have contact with me and my brothers in this city. My
> brothers have not received these things. No contacts that my brothers
> and I could possibly have in common (there are very few) have received
> them either.
>
> These emails have gone to people who have totally disparate social
> circles and even ages---the connections back would be incredibly slim
> and far removed. It simply does not make sense.
>
> But the biggest death blow to this theory that my address was just
> taken from someone else's address book is that the subject lines are
> often containing text that was in previous emails BETWEEN myself and
> that recipient. If this does not suggest some breach of my account, I
> do not know what would.
>

How do you access your email? Is it always through Entourage? Or do you
access it via webmail from your ISP or through another service like
mail2web, etc.?

It might be possible that your email account has been compromised by someone
who sniffed your password, but this is extremely, extremely unlikely.

Do you also check this mail from a work computer? Is it a PC running
Outlook/Outlook Express? There is a possibility that this computer had a
virus/worm/trojan.

I don't know what else to tell you. This sort of stuff is becoming part of
life in this digital age. It sucks, yes. But at some point we just have to
take it on the chin and move on.

Did this happen as one event or is it ongoing? Any "exes" in your life that
might have known a password?

-Mark



Re: Urgent: Possible security problem by planethoth

planethoth
Fri Jan 27 14:11:47 CST 2006

* 98-99% of the time I check my email on this Mac Powerbook, through
Entourage. Occasionally, I use Apple's Mail.app.

* I cannot even recall the last time I checked my email on another
computer. Nobody except me has ever had my password. I do not do
automatic log-ins for MSN Messenger or things like that.

* I also use Gmail through Entourage. It has not been involved.

It seems to me most logical to conclude that this is either an
Entourage problem or a Hotmail problem, no?


Re: Urgent: Possible security problem by mmmmark

mmmmark
Fri Jan 27 14:15:49 CST 2006


"planethoth" <michael.pukin@gmail.com> wrote in message
news:1138392707.868004.85730@g14g2000cwa.googlegroups.com...
> * 98-99% of the time I check my email on this Mac Powerbook, through
> Entourage. Occasionally, I use Apple's Mail.app.
>
> * I cannot even recall the last time I checked my email on another
> computer. Nobody except me has ever had my password. I do not do
> automatic log-ins for MSN Messenger or things like that.
>
> * I also use Gmail through Entourage. It has not been involved.
>
> It seems to me most logical to conclude that this is either an
> Entourage problem or a Hotmail problem, no?
>

Starting to sound like a Hotmail problem, although I haven't a clue about
the probabilities of that.