  #1 (permalink)  
Old 05-31-2011, 07:23 PM
therustyone
Guest
 
Posts: n/a
Default is my PC sending emails undetected

Just after paying a ~$300 bill online last week by debit card I got
about 100 email responses, relating to my address which had bounced
from various email boxes in Russia and Eastern Europe. They bounced
mostly due to full inboxes.
There is no record of these emails in my sent folder in Outlook
Express and since that event there hasn't been any abnormal activity.
Could these be reports for keyboard loggers ? What is the best way to
find out. I have since changed my email password. Should I change
my debit card too ?

rusty



  #2 (permalink)  
Old 05-31-2011, 07:37 PM
G. Morgan
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

therustyone wrote:

>Just after paying a ~$300 bill online last week by debit card I got
>about 100 email responses, relating to my address which had bounced
>from various email boxes in Russia and Eastern Europe. They bounced
>mostly due to full inboxes.


So, it appears this bill you paid is the culprit? It would help if you
identify the site where you inputted information.


>There is no record of these emails in my sent folder in Outlook
>Express and since that event there hasn't been any abnormal activity.
>Could these be reports for keyboard loggers ?


Gee, I dunno. You didn't post an example.

> What is the best way to
>find out. I have since changed my email password.


Time for a malware scan for sure.

Manually update your A/V program and run a full scan.

Download and update BOTH:

http://www.malwarebytes.org/mbam-download.php
http://www.superantispyware.com/down...NTISPYWAREFREE

Run a full scan of each in safe-mode after the updates.

>Should I change my debit card too ?


Yes. Since you didn't provide the vendor you gave your info to, that's
the best thing to do knowing what little I do about the transaction.



  #3 (permalink)  
Old 05-31-2011, 07:46 PM
David H. Lipman
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

From: "therustyone" <johnedhudson@gmail.com>

> Just after paying a ~$300 bill online last week by debit card I got
> about 100 email responses, relating to my address which had bounced
> from various email boxes in Russia and Eastern Europe. They bounced
> mostly due to full inboxes.
> There is no record of these emails in my sent folder in Outlook
> Express and since that event there hasn't been any abnormal activity.
> Could these be reports for keyboard loggers ? What is the best way to
> find out. I have since changed my email password. Should I change
> my debit card too ?
>
> rusty
>


We don't know that your PC actually sent the email.
For all we know your email address was harvested and used in the "From:" field of the
email messages that failed.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  #4 (permalink)  
Old 05-31-2011, 08:31 PM
therustyone
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

On May 31, 8:37 pm, G. Morgan <usenet_ab...@gawab.com> wrote:
> therustyone wrote:
> >Just after paying a ~$300 bill online last week by debit card I got
> >about 100 email responses, relating to my address which had bounced
> >from various email boxes in Russia and Eastern Europe. They bounced
> >mostly due to full inboxes.
>
> So, it appears this bill you paid is the culprit? It would help if you
> identify the site where you inputted information.
>
> >There is no record of these emails in my sent folder in Outlook
> >Express and since that event there hasn't been any abnormal activity.
> >Could these be reports for keyboard loggers ?
>
> Gee, I dunno. You didn't post an example.
>
> > What is the best way to
> >find out. I have since changed my email password.
>
> Time for a malware scan for sure.
>
> Manually update your A/V program and run a full scan.
>
> Download and update BOTH:
>
> http://www.malwarebytes.org/mbam-dow...ctid=SUPERANTI...
>
> Run a full scan of each in safe-mode after the updates.
>
> >Should I change my debit card too ?
>
> Yes. Since you didn't provide the vendor you gave your info to, that's
> the best thing to do knowing what little I do about the transaction.


The vendor was a Corel online sale so should be OK and the card is
Lloyds UK. A copy of one returned email from Argentina is below (I
modded my own address a bit) and it looks fairly harmless but there
are about 99 others to look at. Kaspersky Internet Security is
installed and up to date.
A peculiarity of my ISP address is that the word before the "@" can be
changed arbitrarily and is accepted as my address and I notice that is
what they seem to be doing.

COPY OF ONE EMAIL:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:

info@pianosalvarado.com.ar
mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers.
------

Return-path: <iamjustsendingthisleter@h*********.fsnet.co.uk>
Received: from [77.126.148.78]
by server.seigenit.info with esmtp (Exim 4.69)
(envelope-from <iamjustsendingthisleter@h*********.fsnet.co.uk> )
id 1QPoNk-0003rZ-3k
for info@pianosalvarado.com.ar; Fri, 27 May 2011 00:10:40 -0400
From: "bertie meredith"
<iamjustsendingthisleter@h*********.fsnet.co.uk>
To: "ronny roald" <info@pianosalvarado.com.ar>
Date: 27 May 2011 05:35:29 +0200
MIME-Version: 1.0
Subject: Trabaja y gana
Message-ID:
<4DDF2435.3154.32010E@iamjustsendingthisleter.h*** ******.fsnet.co.uk>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.61)
Content-type: multipart/alternative; boundary="Alt-
Boundary-80984.7413154"

--Alt-Boundary-80984.7413154
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: QUOTED-PRINTABLE
Content-description: Mail message body

Discurso de ape

Tengo correspondencia del administrador del departamento de recursos =
humanos de una compañía multinacional grande.


Nuestra empresa es muy conocida en diversos campos tales como:
- servicios de consultoría
- apertura y servicios de cuentas bancarias=20
- servicios de empresa privada
- etc.


Estamos buscando socios en Argentina y Chile:
- salario 2.500 euros + bono
- trabajo a tiempo parcial

- horario flexible


Si usted ha tomado la decisión de ser nuestro administrador =
regional le pedimos presentarnos los siguientes datos:=20
LucyLightfoot@citizencompact.com=20
Nombre completo:
País:
E-mail:
Móvil:





¡Atención! ¡Usted puede optar a esta vacante si tiene
el =
permiso de trabajo en el Argentina y Chile!

Por favor, escriba su nombre y número de teléfono para que =
nuestro administrador ponga en contacto con usted y haga una
entrevista.
--Alt-Boundary-80984.7413154
Content-type: text/html; charset="ISO-8859-1"
Content-transfer-encoding: QUOTED-PRINTABLE
Content-description: Mail message body

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml" xml:lang=3D"en" =
lang=3D"en"><head>
<title></title>
<meta http-equiv=3D"content-type" =
content=3D"text/html;charset=3Diso-8859-1""/>
<meta http-equiv=3D"Content-Style-Type" content=3D"text/css"/>
</head>
<body>
<div align=3D"left"><font face=3D"Arial" size=3D"4"><span style=3D"=
font-size:14pt">
Discurso de ape<br><br>
Tengo correspondencia del administrador del departamento de recursos =
humanos de una compañía multinacional grande.<br><br>
<b>Nuestra empresa es muy conocida en diversos campos tales =
como:</b><br>=20
- servicios de consultoría<br>- apertura y servicios de cuentas =
bancarias <br>- servicios de empresa privada<br>- etc.
<br><br>
<b>Estamos buscando socios en Argentina y Chile:</b><br>
- salario 2.500 euros + bono<br>
- trabajo a tiempo parcial<br><br>
- horario flexible<br><br><br>
Si usted ha tomado la decisión de ser nuestro administrador =
regional le pedimos presentarnos los siguientes datos: <b><a =
href=3D"mailto:LucyLightfoot@citizencompact.com =
">LucyLightfoot@citizencompact.com </a></b><br>
Nombre completo:<br>País:<br>E-mail:<br>Móvil:<br> <br>
<br>
<br>
<b><b>¡Atención! ¡Usted puede optar a esta vacante si =
tiene el permiso de trabajo en el Argentina y Chile!</b></b>
<br><br>
Por favor, escriba su nombre y número de teléfono para que =
nuestro administrador ponga en contacto con usted y haga una =
entrevista.</span></font></div>
</body>
</html>
--Alt-Boundary-80984.7413154--

  #5 (permalink)  
Old 05-31-2011, 10:59 PM
G. Morgan
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

therustyone wrote:

>From: "bertie meredith"
><iamjustsendingthisleter@h*********.fsnet.co.uk >


If this is your email address, it was just a forged "From:" field.


The message came from here:

IP address [?]: 77.126.148.78
IP country code: IL
IP address country: Israel
IP address state: Tel Aviv
IP address city: Tel Aviv
IP address latitude: 32.0667
IP address longitude: 34.7667
ISP of this IP [?]: Golden Lines Cable
Organization: Golden Lines Cable

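The check made by hand in the post above, as an added example that is not part of the original thread: read the `Received:` hop out of the returned message's headers and compare the submitting IP with the networks your own mail leaves from. The header text is taken from the bounce quoted earlier; `MY_NETWORKS` and the function names are assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the returned message as quoted in the thread (poster's address
# redaction kept; lines that the forum wrapped are rejoined).
RETURNED_HEADERS = """\
Return-path: <iamjustsendingthisleter@h*********.fsnet.co.uk>
Received: from [77.126.148.78]
 by server.seigenit.info with esmtp (Exim 4.69)
 (envelope-from <iamjustsendingthisleter@h*********.fsnet.co.uk>)
 id 1QPoNk-0003rZ-3k
 for info@pianosalvarado.com.ar; Fri, 27 May 2011 00:10:40 -0400
From: "bertie meredith" <iamjustsendingthisleter@h*********.fsnet.co.uk>
To: "ronny roald" <info@pianosalvarado.com.ar>
Subject: Trabaja y gana
X-mailer: Pegasus Mail for Windows (4.61)
"""

# Assumption: networks your mail really leaves from (home line, ISP relay).
# Documentation ranges stand in for the real values.
MY_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]

RECEIVED_FROM = re.compile(r"from\s+(?:\S+\s+)?\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def submitting_ip(msg):
    """IP in the earliest Received hop (last in the block); only a hop written
    by the server that produced the bounce is trustworthy, the rest can be forged."""
    for hop in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.search(hop)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def classify_bounce(raw_headers, my_networks):
    """Summarise where a bounced message was really submitted from."""
    msg = message_from_string(raw_headers)
    ip = submitting_ip(msg)
    mine = ip is not None and any(ip in ipaddress.ip_network(n) for n in my_networks)
    return {
        "submitting_ip": str(ip) if ip else None,
        "from_header": parseaddr(msg["From"])[1],
        "x_mailer": msg["X-Mailer"],
        "verdict": "sent from my network" if mine else "not from my network (forged sender)",
    }
```

A hop outside your own networks, combined with a mail client you do not use in `X-mailer`, points to a forged sender address rather than mail leaving your PC; it says nothing either way about a keylogger.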
  #6 (permalink)  
Old 06-01-2011, 09:18 AM
therustyone
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

On May 31, 11:59 pm, G. Morgan <usenet_ab...@gawab.com> wrote:
> therustyone wrote:
> >From: "bertie meredith"
> ><iamjustsendingthisleter@h*********.fsnet.co.uk >
>
> If this is your email address, it was just a forged "From:" field.
>
> The message came from here:
>
> IP address [?]: 77.126.148.78
> IP country code: IL
> IP address country: Israel
> IP address state: Tel Aviv
> IP address city: Tel Aviv
> IP address latitude: 32.0667
> IP address longitude: 34.7667
> ISP of this IP [?]: Golden Lines Cable
> Organization: Golden Lines Cable


Yes, my real email address is john@h*********.fsnet.co.uk
but I can optionally use &%£()@h*********.fsnet.co.uk for up to five
different accounts.

So you're saying there's no proof I have a keyboard logger ? I
normally use Kaspersky's virtual keyboard for financial passwords
but forgot last week, and also entered the 3-digit number on the back
of the card via the keyboard. Then got a blizzard of bounced emails
over the next two days which was suspicious. I guess I need to keep
a watch on this bank account until the card expires in a couple of
months.

I changed the ISP password, not too easy, then found the router
stopped working. It had to be configured into that also.

rusty








  #7 (permalink)  
Old 06-01-2011, 01:54 PM
me again
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

therustyone wrote:
> Just after paying a ~$300 bill online last week by debit card I got
> about 100 email responses, relating to my address which had bounced
> from various email boxes in Russia and Eastern Europe. They bounced
> mostly due to full inboxes.
> There is no record of these emails in my sent folder in Outlook


That alone proves little as there are other programs that can send email.

> Express and since that event there hasn't been any abnormal activity.
> Could these be reports for keyboard loggers ? What is the best way to
> find out. I have since changed my email password.


Good job.

The odds are that your email address was used as a FAKE "return address".
We have all experienced things like that.


> Should I change
> my debit card too ?


No. Just pay attention to the on-line information rather than just waiting for your
monthly statement to arrive. This lets you quickly respond to any irregular charges.

Get another email address, such as gmail, in case this deluge of
bogus bounces does not dry up!


  #8 (permalink)  
Old 06-01-2011, 10:30 PM
G. Morgan
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

therustyone wrote:

>So you're saying there's no proof I have a keyboard logger ?


I can't say that for sure. Did you run both malware programs I
suggested?

Here is a more advanced program that can detect all auto-runs.

http://www.online-solutions.ru/en/pr...n-manager.html

Also, check for root kits.

http://www.gmer.net/



  #9 (permalink)  
Old 06-02-2011, 09:16 AM
therustyone
Guest
 
Posts: n/a
Default Re: is my PC sending emails undetected

On Jun 1, 11:30 pm, G. Morgan <usenet_ab...@gawab.com> wrote:
> therustyone wrote:
> >So you're saying there's no proof I have a keyboard logger ?
>
> I can't say that for sure. Did you run both malware programs I
> suggested?
>
> Here is a more advanced program that can detect all auto-runs.
>
> http://www.online-solutions.ru/en/pr...n-manager.html
>
> Also, check for root kits.
>
> http://www.gmer.net/


I'm very suspicious of freeware security packages in general as they
are usually sales fronts, but I'll certainly have a look at this and
others.
The account in question is *only* used for a debit card so I can top
it up online with minimal amounts. Then if it gets cleaned out by
villains, it's not a problem.

Thanks to everyone for all the help, much happier now.


rusty


  #10 (permalink)  
Old 06-03-2011, 11:44 AM
Junior Member
 
Join Date: May 2011
Posts: 2
Default

Nice message