Outgoing Mail Virus, Yes, Virus!

Relax. You don't have a virus. Some spammer is spoofing your e-mail address. The spammer is sending out spam and making it look like it's coming from you. The e-mails being 'returned' to you were never sent from your computer in the first place; they were sent from the spammer's computer.

Not to worry.

I do not think the outgoing mail activity and the spammer address spoofing are related at all. The activity in the Mail Activity window is probably just Mail communicating with your e-mail server.

OrganicBooks wrote:
I guess I can't quite understand a spoof sending something from me to a service I used to use

It's possible that the spammer stole the service's e-mail list and got your address that way.

I get phishing e-mails from scammers pretending to be PayPal, and somehow they get my full name and put it into the body of their e-mail. I have no idea how they are getting my full name; as no other spammers seem to have it. But the get it somehow.

and also to people I have no acquaintance with whatsoever.

That's an easy one - the spammer has a million e-mail addresses, is sending mail to all of them, and disguising them to look like they are coming from you. It's the oldest trick in the spammer's book. But some of those e-mail addresses are bad, and so the servers are bouncing the message back to what the server thinks is the sender - you.

There's not much you can do about it, other than to stop using that e-mail address. Change your e-mail address and only give it out to people you know and trust. Don't use that e-mail address to register on websites or anything else. Set up a special e-mail account just for things like that.

I think the problem is clear, but you do not have a virus, plain and simple. Whatever the exact method of the spammer getting those email addresses makes no difference; they have them and that's why you're getting all those bounced emails that you never sent. They could have hacked into your email account, so if you haven't done it already, change the password to something that is much more secure: say, at least 27 random characters long.

You might as well delete all those anti virus programs you installed, since they will do you no good. They cannot detect, or protect you from a virus that doesn't exist.

I too have had this to occur. The mail server (yahoo) reported a failure to send a message to a number of contacts and was reporting them as being undeliverable due to a non existant email account. Like you, I had suspected I was looking at a virus through apples mail app. I still have yet to nail down for certain where the problem lies, but I am suspicious that this occurred at the time I was using my powerbooks safari to view my email as some of the addresses appeared to mirror my contact list that is on yahoo rather than the addressbook app. I emailed yahoo about this. Their response, its on my system and not theirs. Once curious fact has surfaced. port 113 identD shows to be "closed" and port 443 shows to be open. I am unable to affect any closure inspite of whatever options I invoke on the security prefs firewall. With that, Im wondering if anyone unknown to me is tunneling to me and seeing what I am doing. MacScan does not report any cautions or redflags. When I look at yahoo's sent folder, I see where the email was "sent". Which I interpret as it was sent at a time when I was using my web browser and not the mail app. Get back with us if you too find that you have port 113 "closed" and port 443 "open". I use Gibson Research website here: http://www.grc.com/intro.htm
Once there I go to "SERVICES" / "SHIELDS UP" then select "COMMON PORTS".

Again, at this point I am unable to get the stealth mode of the firewall in osx 5.8 to work even though I check the box to do so.

When I look at yahoo's sent folder, I see where the email was "sent".

You mean that you can see emails in that folder that you did not send? If so, then someone may have hacked your yahoo account. Change your password.

Port 443 is used for https -- e.g. secure financial transactions. Why would you want to close it?

Tom Gewecke wrote:

You mean that you can see emails in that folder that you did not send? If so, then someone may have hacked your yahoo account. Change your password.

Port 443 is used for https -- e.g. secure financial transactions. Why would you want to close it?

YES. I can see emails in the "SENT" folder that I did not send as viewed by the web page displayed in Safari, not to be confused with the "SENT" folder as viewed by the Apple Mail app.
YES, I changed my password on Yahoo web mail & I deleted all of my yahoo web mail contacts as a precaution.
I agree that somehow my yahoo web mail account was compromised, but yahoo responded by saying that it was their belief that it apples mail client was the one that "sent" the email. I have POP access to my Yahoo mail on both my Imac and G4 Powerbook, the difference being that on the PB, I do not delete emails from the POP server.

It is my understanding that when the firewall is turned on and is operating in the "Stealth" mode, that the OSX should ignore any external probe requests and not respond in any way. True to form, when I switch on the OSX firewall, & check box "Block all incoming connections", then go to Gibson's web page to scan common ports, Gibson reports that on my desktop imac, that it had successfully ignored probe requests. This is a good thing since I don't want any response of any kind to give someone or some machine an indication that I exist. The only exception would be is when I initiate a secure transaction session, otherwise I want this port closed down. I feel the same way about port 113.

On my G4 Powerbook running Leopard (OS X.5.8), I am frustrated in not seemingly being able to set the firewall to operate in the stealth mode. The Gibson Research web page continues to report that my G4 Powerbook port 113 is closed and port 443 is open when I have not initiated any secure sessions. This reporting by Gibson Research's web page is the same using Safari 4 or the latest version of FireFox.

The concern revolves around when using a public access WI-FI hotspot, like a coffee house/ restaurant, or hospital waiting rooms, with the laptop of others that may be compromised, that in turn is probe scanning for other laptops / desktops seeking to do mischief. In this environment, you betcha, I want to be in the stealth mode, blocking all incoming transactions except for basic transactions like DHCP, Bonjour, & IPSec.

Perhaps the initial thread posting by Organicbooks might have been similar to my experience, that of having the apple mail app to access their yahoo web mail and at other times accessing the web mail by the use of a browser. The similarity of getting messages from the server of failed delivery of emails that appeared to have been sent, yet not showing up in the "SENT" folder in the mail app made me curious to go and view the SENT folder as viewed from Safari. In my case, that is where I had seen the emails that were sent.

YES, I changed my password on Yahoo web mail & I deleted all of my yahoo web mail contacts as a precaution.

Has the problem recurred since you did that?

Tom Gewecke wrote:

Has the problem recurred since you did that?

No. The problem has not repeated itself. Upon examining the reject message from the yahoo mail daemon, by reading this line, the mail was actually sent via http. Here is that line:

Received: from [123.161.74.93] by web38807.mail.mud.yahoo.com via HTTP; Fri, 25 Dec 2009 12:24:32 PST

But I am irked that somehow someway some script kitty was able to shoot and send email in my name via the web.

Organicbooks. I would be interested in knowing if you had more problems. As for me, I have not. I still am unable to reset my leopard firewall on my powerbook so that the Gibson Research Website so notes that ports 113 and port 443 does not respond to unsolicited port scans.

OrganicBooks wrote:
I forwarded a message containing a tracking number to an email address and the service extracted the info. before returning a confirmation message.

I have read that sentence over and over and I don't understand what you are trying to say. What "service"? What "info" was "extracted"?