Outgoing Mail Virus, Yes, Virus!

My Apple Mail client has been sending out messages with no record of them in my Sent items. First I saw messages leave in the activity bar and now I'm getting confirmation as Undeliverable alerts are appearing for addresses I've never seen, some in Europe (I'm in the US). Further evidence is the appearance of automated replies from a subscription package tracking service I cancelled. This service is receiving messages from me that I am not sending.

I've installed ClamXav, Norton and Symantec and they found nothing. I've read other references to this issue at these discussions but so far no solutions. Can anyone help?

2 MBPs, iMac-24, Flower-Pot iMac, iBook, Original iPod, 2 Classics, 1 Touch, Mac OS X (10.5.7)

Posted on Dec 26, 2009 9:43 PM

Question marked as Top-ranking reply

Dec 26, 2009 9:49 PM in response to OrganicBooks

Relax. You don't have a virus. Some spammer is spoofing your e-mail address. The spammer is sending out spam and making it look like it's coming from you. The e-mails being 'returned' to you were never sent from your computer in the first place; they were sent from the spammer's computer.

Not to worry.

Dec 27, 2009 5:52 PM in response to Király

Hmmm. While this is reassuring I wonder if this is the case how come the mail activity is a new thing when I've used Apple Mail as long as it's been around and never seen it before? Also I can't ignore the reports of others seeing the same thing. I guess I can't quite understand a spoof sending something from me to a service I used to use and also to people I have no acquaintance with whatsoever. If you can fill in that gap for me I'd appreciate it. In the meantime I'll keep thinking about it. Thanks so much.

Dec 27, 2009 8:20 PM in response to OrganicBooks

OrganicBooks wrote:
I guess I can't quite understand a spoof sending something from me to a service I used to use


It's possible that the spammer stole the service's e-mail list and got your address that way.

I get phishing e-mails from scammers pretending to be PayPal, and somehow they get my full name and put it into the body of their e-mail. I have no idea how they are getting my full name, as no other spammers seem to have it. But they get it somehow.

OrganicBooks wrote:
and also to people I have no acquaintance with whatsoever.


That's an easy one - the spammer has a million e-mail addresses, is sending mail to all of them, and disguising them to look like they are coming from you. It's the oldest trick in the spammer's book. But some of those e-mail addresses are bad, and so the servers are bouncing the message back to what the server thinks is the sender - you.

There's not much you can do about it, other than to stop using that e-mail address. Change your e-mail address and only give it out to people you know and trust. Don't use that e-mail address to register on websites or anything else. Set up a special e-mail account just for things like that.

Dec 27, 2009 9:51 PM in response to Király

I'm sorry, but the service got my address from me. I subscribed to it and then I canceled it. After canceling, this service continued receiving emails from me, emails that I did not send.

I say this again because I'm not sure whether I'm making the nature of the problem clear, especially when you suggest what you did. My problem is not at all like the one you describe. I, too, have seen those messages but that seems to me an entirely different situation.

Dec 28, 2009 7:32 AM in response to OrganicBooks

I think the problem is clear, but you do not have a virus, plain and simple. Whatever the exact method of the spammer getting those email addresses makes no difference; they have them and that's why you're getting all those bounced emails that you never sent. They could have hacked into your email account, so if you haven't done it already, change the password to something that is much more secure: say, at least 27 random characters long.

You might as well delete all those anti virus programs you installed, since they will do you no good. They cannot detect, or protect you from a virus that doesn't exist.

Dec 29, 2009 4:10 PM in response to OrganicBooks

I too have had this occur. The mail server (Yahoo) reported a failure to send a message to a number of contacts and was reporting them as being undeliverable due to a nonexistent email account. Like you, I had suspected I was looking at a virus through Apple's Mail app. I still have yet to nail down for certain where the problem lies, but I am suspicious that this occurred at the time I was using my PowerBook's Safari to view my email, as some of the addresses appeared to mirror my contact list that is on Yahoo rather than the Address Book app. I emailed Yahoo about this. Their response: it's on my system and not theirs. One curious fact has surfaced. Port 113 identD shows to be "closed" and port 443 shows to be open. I am unable to effect any closure in spite of whatever options I invoke on the security prefs firewall. With that, I'm wondering if anyone unknown to me is tunneling to me and seeing what I am doing. MacScan does not report any cautions or red flags. When I look at Yahoo's sent folder, I see where the email was "sent". Which I interpret as it was sent at a time when I was using my web browser and not the mail app. Get back with us if you too find that you have port 113 "closed" and port 443 "open". I use Gibson Research website here: http://www.grc.com/intro.htm
Once there I go to "SERVICES" / "SHIELDS UP" then select "COMMON PORTS".

Again, at this point I am unable to get the stealth mode of the firewall in OS X 5.8 to work even though I check the box to do so.

Dec 30, 2009 2:00 AM in response to Tom Gewecke

Tom Gewecke wrote:

You mean that you can see emails in that folder that you did not send? If so, then someone may have hacked your yahoo account. Change your password.

Port 443 is used for https -- e.g. secure financial transactions. Why would you want to close it?

YES. I can see emails in the "SENT" folder that I did not send as viewed by the web page displayed in Safari, not to be confused with the "SENT" folder as viewed by the Apple Mail app.
YES, I changed my password on Yahoo web mail & I deleted all of my Yahoo web mail contacts as a precaution.
I agree that somehow my Yahoo web mail account was compromised, but Yahoo responded by saying that it was their belief that it was Apple's Mail client that "sent" the email. I have POP access to my Yahoo mail on both my iMac and G4 PowerBook, the difference being that on the PB, I do not delete emails from the POP server.

It is my understanding that when the firewall is turned on and is operating in the "Stealth" mode, OS X should ignore any external probe requests and not respond in any way. True to form, when I switch on the OS X firewall, & check the box "Block all incoming connections", then go to Gibson's web page to scan common ports, Gibson reports that on my desktop iMac it had successfully ignored probe requests. This is a good thing since I don't want any response of any kind to give someone or some machine an indication that I exist. The only exception would be when I initiate a secure transaction session; otherwise I want this port closed down. I feel the same way about port 113.

On my G4 PowerBook running Leopard (OS X.5.8), I am frustrated in not seemingly being able to set the firewall to operate in the stealth mode. The Gibson Research web page continues to report that my G4 PowerBook port 113 is closed and port 443 is open when I have not initiated any secure sessions. This reporting by Gibson Research's web page is the same using Safari 4 or the latest version of Firefox.

The concern revolves around using a public access Wi-Fi hotspot, like a coffee house / restaurant, or hospital waiting rooms, with the laptops of others that may be compromised and in turn probe scanning for other laptops / desktops seeking to do mischief. In this environment, you betcha, I want to be in the stealth mode, blocking all incoming transactions except for basic transactions like DHCP, Bonjour, & IPSec.

Perhaps the initial thread posting by OrganicBooks might have been similar to my experience, that of having the Apple Mail app access their Yahoo web mail and at other times accessing the web mail by the use of a browser. The similarity of getting messages from the server of failed delivery of emails that appeared to have been sent, yet not showing up in the "SENT" folder in the mail app, made me curious to go and view the SENT folder as viewed from Safari. In my case, that is where I had seen the emails that were sent.

Dec 30, 2009 6:50 PM in response to Tom Gewecke

Tom Gewecke wrote:


Has the problem recurred since you did that?


No. The problem has not repeated itself. Upon examining the reject message from the yahoo mail daemon, by reading this line, the mail was actually sent via http. Here is that line:

Received: from [123.161.74.93] by web38807.mail.mud.yahoo.com via HTTP; Fri, 25 Dec 2009 12:24:32 PST

But I am irked that somehow, some way, some script kiddie was able to shoot and send email in my name via the web.
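Added example, not part of any post in this thread: the thread describes two different causes of bounces for mail you never sent, a forged From address (Király's explanation) and a message really submitted through the account's webmail (the `via HTTP` line quoted above). This Python sketch reads the headers of the returned message inside a bounce and tells the two apart by its earliest Received hop; the function names, the `example` hosts and the second sample are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# "by <host>" plus the optional "via/with <protocol>" clause of a Received header.
BY_CLAUSE = re.compile(r"\bby\s+([^\s;]+)(?:\s+(?:via|with)\s+(\w+))?", re.I)

def origin_hop(returned_message):
    """Return (receiving_host, protocol) for the earliest Received hop, or None."""
    hops = message_from_string(returned_message).get_all("Received") or []
    if not hops:
        return None
    # Each server prepends its header, so the last one in the file is the first hop.
    earliest = " ".join(hops[-1].split())  # also unfolds continuation lines
    m = BY_CLAUSE.search(earliest)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or "").upper()

def classify(returned_message, provider_domain):
    """Heuristic: did the message enter the mail system through my own provider?"""
    hop = origin_hop(returned_message)
    if hop is None:
        return "unknown"
    host, proto = hop
    d = provider_domain.lower()
    if host == d or host.endswith("." + d):
        # Accepted by my provider: the account itself was used, so change the password.
        return "webmail-session" if proto == "HTTP" else "account-submission"
    # First hop is an unrelated server: only the From address was forged.
    # Caveat: hops below the first server you trust can themselves be forged.
    return "spoofed-sender"

# Constructed samples: headers of the "original message" part of two bounces.
# The first-hop line of WEBMAIL is the one quoted in the post above;
# mx.example.org, relay.example.net and 203.0.113.7 are placeholders.
WEBMAIL = (
    "Received: from web38807.mail.mud.yahoo.com by mx.example.org with SMTP;\n"
    " Fri, 25 Dec 2009 12:24:40 PST\n"
    "Received: from [123.161.74.93] by web38807.mail.mud.yahoo.com via HTTP;\n"
    " Fri, 25 Dec 2009 12:24:32 PST\n"
    "Subject: constructed sample\n\nbody\n"
)
SPOOFED = (
    "Received: from relay.example.net ([203.0.113.7]) by mx.example.org with ESMTP;\n"
    " Fri, 25 Dec 2009 12:30:00 PST\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, sample in (("webmail", WEBMAIL), ("spoofed", SPOOFED)):
        print(name, origin_hop(sample), classify(sample, "yahoo.com"))
```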

Jan 9, 2010 5:22 PM in response to Terrence

Yes, my problem persists. I only know about it because I briefly signed up for automated package tracking. I forwarded a message containing a tracking number to an email address and the service extracted the info before returning a confirmation message. I stopped the service but continue to get the confirmations, which means that something in my email client continues to forward them. Who knows where else I'm unknowingly sending messages.
