Deuce_IT
I have a client's office in which 2 users just reported receiving ~500
and ~400 messages over the course of the day with no identifying
information. Checked the headers and they look very short (known IPs
and names have been changed to protect privacy):
* (qmail 30056 invoked from network); 26 Jun 2008 15:24:20 -0500
* from mail.geitech.com (HELO aedesk11) (xx.x.226.186) by 157587-www1.xxxxxxx.com with SMTP; 26 Jun 2008 15:24:20 -0500 QUIT
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on 157587-www1.xxxxxxx.com
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=4.0 tests=BAYES_00,MISSING_HB_SEP,MISSING_SUBJECT,TO_CC_NONE autolearn=no version=3.1.9
So, I understand that mail.geitech.com resolves to 199.231.136.136
which is located in Kentucky (not affiliated with our client's office
in California), however a friend of mine at the email provider (these
are POP accounts) said it was brought to their attention that the 1
user at the office (not one of the two that received all these emails)
had authenticated hundreds of times to send out these emails. Sounds
like a compromised email password, however I've completed Spybot,
Adaware, SuperAntiSpyware, Symantec Endpoint AV scan, reviewed
Hijackthis log, and there is NOTHING out of the ordinary, nor have the
scans returned ANY threats.
And MOREOVER...these emails that were sent started roughly the same
time the user's (the one whose credentials were used to authenticate
with the SMTP server) PC had been turned on and Outlook started, and
stopped once the PC was shutdown. Once the mail provider changed the
password the messages had stopped, however we have not entered the new
PW into Outlook.
So to recap...
Blank Emails.
Headers state the origin is in KY
User PC in CA
Starts and stops in conjunction with the user's PC in CA
No scans result in any threat, nor does the Hijackthis log show anything out
of the ordinary.
Any ideas?
Thanks for the help!
-Jeff
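Added example, not part of Jeff's post: a small Python triage script that parses the Received and X-Spam-Status headers quoted above and flags the indicators discussed in this thread (a workstation-style HELO name, a submitting IP outside the office, and an empty message that still scored under the SpamAssassin threshold). The re-joined header sample and the office IP prefix are constructed assumptions.

```python
import email
import re

# Constructed sample: the header lines quoted in the post, re-joined into
# unfolded "Received:" / "X-Spam-Status:" lines (IPs redacted as in the post).
SAMPLE_HEADERS = (
    "Received: (qmail 30056 invoked from network); 26 Jun 2008 15:24:20 -0500\n"
    "Received: from mail.geitech.com (HELO aedesk11) (xx.x.226.186)"
    " by 157587-www1.xxxxxxx.com with SMTP; 26 Jun 2008 15:24:20 -0500\n"
    "X-Spam-Status: No, score=1.8 required=4.0"
    " tests=BAYES_00,MISSING_HB_SEP,MISSING_SUBJECT,TO_CC_NONE autolearn=no\n"
    "\n"
)

RECEIVED_RE = re.compile(
    r"from (?P<from_host>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[^)]+)\) "
    r"by (?P<by_host>\S+) with (?P<proto>\S+); (?P<date>.+)$"
)
SPAM_RE = re.compile(r"(?P<verdict>\w+), score=(?P<score>[-\d.]+) "
                     r"required=(?P<required>[-\d.]+) tests=(?P<tests>\S+)")

def parse_received(value):
    """Return the relay-hop fields, or None for hops without them (e.g. qmail local)."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold folding whitespace
    return m.groupdict() if m else None

def parse_spam_status(value):
    """Return verdict, numeric scores and the list of SpamAssassin test names."""
    m = SPAM_RE.search(" ".join(value.split()))
    if not m:
        return None
    d = m.groupdict()
    d["score"], d["required"] = float(d["score"]), float(d["required"])
    d["tests"] = d["tests"].split(",")
    return d

def triage(raw_headers, office_prefixes=()):
    """Flag indicators of sending through a compromised mailbox credential.
    office_prefixes: IP prefixes the office legitimately submits from (assumed)."""
    msg = email.message_from_string(raw_headers)
    findings = []
    for hop in filter(None, map(parse_received, msg.get_all("Received", []))):
        if "." not in hop["helo"]:
            findings.append(f"unqualified HELO '{hop['helo']}': workstation-style name, not a mail server")
        if office_prefixes and not hop["ip"].startswith(tuple(office_prefixes)):
            findings.append(f"submission from {hop['ip']} is outside the office's known addresses")
    spam = parse_spam_status(msg.get("X-Spam-Status", ""))
    if spam and {"MISSING_SUBJECT", "TO_CC_NONE"} <= set(spam["tests"]):
        findings.append("empty message (no subject, no To/Cc) scored below threshold: "
                        "content filtering will not stop it; reset and monitor the sending account")
    return findings
```

Run `triage(SAMPLE_HEADERS, office_prefixes=("203.0.113.",))` to see all three findings for the quoted headers; the per-account authentication counts the provider saw would be the complementary check on the server side.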