13 Replies Latest reply: Jul 26, 2010 4:19 PM by Robert Loney
Robert Loney Level 1 (0 points)
Hello,

I am a long-time Mac user, and have never encountered this problem before. In fact I've only heard about this on Windows:
My home Mac is sending out spam via my primary email address.

I discovered on Friday morning that sometime on Thursday afternoon a bunch of spam emails were sent out to people present in my address book while I was on my home Mac (there are other unfamiliar addresses too, but many from my address book). I checked my home directory for viruses using Norton Antivirus and found a virus: Trojan.ByteVerify and some related files. I deleted them, and rechecked the directory, and found nothing more, so I thought that was the end of it.

However I checked this afternoon and found two more batches of spam emails had been sent, yesterday early afternoon and again today late afternoon. Norton continues to find nothing in my home directory, nor does Little Snitch report any unsolicited activity.

I assume my Mac is to blame, as the emails have only gone out when I am active on the computer and connected to the internet.

I have the firewall on, and Norton checks all downloads, but beyond that I'm not sure what else I can do. I am right now working from an 'emergency' drive which I hope has not been affected.

I am prepared to erase my primary startup drive and rebuild it, IF that will solve the problem, but I am looking for some guidance. None of my tools seems to be reporting anything wrong, and yet something definitely is! I thought Mac OS X was immune to this sort of thing, but it appears not.

Any help would be appreciated as to what I can look for or do (aside from giving up and rebuilding the startup drive).

Thank you,
Rob

Mac Pro 2006 2.66 GHz, Mac OS X (10.6.4), latest Norton Antivirus, Little Snitch
  • Kappy Level 10 (252,710 points)
    Most likely this has nothing to do with your computer. Spammers have gotten pretty sophisticated. They somehow find out your email address as well as people to whom you email, then they "spoof" your email address and use it as the person from whom the spam is sent. I've even received spam mail from myself! I wouldn't be too concerned.
  • Russa Level 4 (1,315 points)
    Perhaps delete your emails and empty the trash, then run an AntiVirus scan again.
  • Robert Loney Level 1 (0 points)
    Hi,

    Thank you for your response.

    Hmmm... my Sent Mail box contains some of these spam emails, and the timing of when the emails are sent is only when I am using my main system on my home Mac, and it is connected to the internet. These together lead me to believe that the emails are originating from my system.

    I am going to wait another day or two, and not go on the web live with the suspect system. If no further spam emails occur, that will be pretty strong evidence that my system is the source, and I will erase the drive and rebuild the system from scratch (unless I get another suggestion from someone else).

    Cheers,
    Rob
  • j.v. Level 5 (4,155 points)
    If your email account is an IMAP account, your sent mailbox on your computer would synchronize with the sent mailbox on the IMAP server, if your Mail's preference's Account's Mailbox Behavior's "Store Sent Messages on Server" checkbox were checked and the "Delete Sent Messages When" pull-down menu were configured such that the rogue messages were still within the messages' retention window. So if the email account at the provider were hacked, that could explain how things are appearing in your sent mailbox.

    Granted, the fact that these messages appear to be sent only when you know you are online is a little troublesome, but I'd be surprised if any such piece of malware could circumvent a piece of software like Little Snitch. Creating your own little unix shell script to monitor for the existence of Little Snitch's process ID, and if it does not exist, report it to you and relaunch Little Snitch, and making it a launchd job, might not be a bad idea. People here or in the unix forum could probably help you craft something like that if you are not comfortable with shell scripting.

    As a side note, if you are running your day-to-day activities as an administratively privileged user, consider creating a new admin account strictly for computer administrative duties, and converting your existing user account to a standard account for this very reason - to restrict the ability of bad stuff, if it exists and somehow finds its way onto your system, to have carte blanche access to the bowels of your computer because you inadvertently received a malicious payload while operating administratively privileged.
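An added example of the watchdog j.v. sketches above (this is not code from the thread or from the Little Snitch vendor): a small Python script meant to be run every minute by a per-user launchd job. It parses `ps -axo pid=,comm=` output, looks for the watched process by name, and relaunches the application with `open -a` when it is missing. The process name "Little Snitch Daemon" and the application path are placeholders I assumed for illustration; check the real names with `ps -axo pid,comm` on your own machine before installing this, and note that anything with enough privilege to kill Little Snitch could kill this watchdog too, so it catches accidents and crude tampering, not a determined attacker.

```python
import plistlib
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Assumed names (not from the thread): verify against `ps -axo pid,comm`.
WATCHED_PROCESS = "Little Snitch Daemon"
APP_TO_RELAUNCH = "/Library/Little Snitch/Little Snitch Daemon.app"


def parse_ps(ps_output: str) -> List[Tuple[int, str]]:
    """Turn `ps -axo pid=,comm=` output into (pid, command) pairs.
    Only the first space separates pid from comm; the command path itself
    may contain spaces ("Little Snitch Daemon"), so don't split on all of them."""
    procs: List[Tuple[int, str]] = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, comm = line.partition(" ")
        if pid.isdigit():
            procs.append((int(pid), comm.strip()))
    return procs


def find_pid(name: str, ps_output: str) -> Optional[int]:
    """PID of the first process whose executable name (last path component)
    equals `name`, or None if it is not running."""
    for pid, comm in parse_ps(ps_output):
        if comm.rsplit("/", 1)[-1] == name:
            return pid
    return None


def list_processes() -> str:
    """Live process table; the column names are suppressed with `=`."""
    return subprocess.run(["ps", "-axo", "pid=,comm="],
                          capture_output=True, text=True, check=True).stdout


def check_and_relaunch(ps_output: Optional[str] = None,
                       relaunch: bool = True) -> Optional[int]:
    """Return the watched PID if present. If absent, report on stderr and
    (when `relaunch` is set) start the app again via macOS `open -a`."""
    if ps_output is None:
        ps_output = list_processes()
    pid = find_pid(WATCHED_PROCESS, ps_output)
    if pid is None:
        print(f"WARNING: {WATCHED_PROCESS} is not running", file=sys.stderr)
        if relaunch:
            subprocess.run(["open", "-a", APP_TO_RELAUNCH], check=False)
    return pid


def launchd_job(label: str, script_path: str, interval_seconds: int = 60) -> Dict:
    """Dictionary for a LaunchAgent plist (~/Library/LaunchAgents/<label>.plist)
    that runs this script at load and every `interval_seconds` thereafter."""
    return {
        "Label": label,
        "ProgramArguments": [sys.executable, script_path],
        "StartInterval": interval_seconds,
        "RunAtLoad": True,
    }


def write_launch_agent(path: str, job: Dict) -> None:
    """Serialize the job as XML plist; load it with `launchctl load <path>`."""
    with open(path, "wb") as fh:
        plistlib.dump(job, fh)


if __name__ == "__main__":
    pid = check_and_relaunch()
    print("running as pid", pid if pid is not None else "(relaunch attempted)")
```

To install it, write the plist once (`write_launch_agent` with a label such as `com.example.ls-watchdog` and the script's absolute path) and run `launchctl load` on the file; launchd then invokes the script on the interval, so the script only needs to do one check per run.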
  • dbsneddon Level 4 (1,525 points)
    I didn't notice what email client you are using...
    Just because an email has your address in the "From:" field does not mean it came from you, that is relatively easy to fudge. The best thing to do would be to check the full headers of the messages to track down where they are coming from. If they originate from your Mac, you will see that in the headers. Since you didn't mention what email client you are using I can't tell you how to check the headers.

    Dave
  • Robert Loney Level 1 (0 points)
    Hi,

    Thanks for the tips...

    I am using Safari and the spam emails being sent out are all using an IMAP account, and you are correct, I store sent messages on the server, so this is not a good indicator of whether it actually came from my computer.

    I am pretty careful about security, but I will admit I had set up my everyday account to be 'normal' as opposed to 'administrator'; it is a good idea to avoid the administrator level most of the time. I find it a bit of a hassle to use 'normal' level, because some software, like the new version of Drive Genius, requires administrator access for its background process 'Drive Pulse', and so asks me for administrator password every startup. But in light of recent events perhaps I should not complain if it gives me better security.

    I am also surprised that Little Snitch didn't catch this, nor for that matter Norton AntiVirus, which did not report any viruses to incoming downloads, but did find a virus in my User Account's Library when I did a disk scan on Friday evening. This all started on Thursday afternoon, after I downloaded, installed, and played a poker game for "OS X". I have a feeling that this install might have installed more than just the game, and ?maybe? this extra something sends out these spam emails when I use OS X Mail (can't confirm this for sure, since I didn't record exactly when I was in Mail, but the timing is very close), so Little Snitch doesn't see anything unusual... just more emails being sent out.

    I have decided to wipe the drive and reinstall a fresh copy of Snow Leopard (I do this once in a while, and it was about that time), and build a new system from scratch. I'll be sure not to copy any files from my old system backup... I have pre-problem backups of all my critical files.

    And I'll watch to see if the spam emails recur. If they do, I guess I'll have to dump that email account (free anyway) and get a new one, and communicate with everyone to ignore the old account.

    Cheers,
    Rob
  • Robert Loney Level 1 (0 points)
    Hi,

    Thank you for your help. I am using "OS X" Mail.

    Here is the long header from one of the spam emails (from my "Sent" box):
    Subject:
    From: Robert Loney <rkloney5 (zt) aol (dot) com>
    Date: June 27, 2010 4:40:36 PM EDT
    To: webadmin (at) greenparty(dot)ca, webmaster (at)mostlydigital (dot)ca
    Return-Path: <rkloney5@aol.com>
    Received: from smtprly-mb02.mx(dot)aol(dot)com (smtprly-mb02.mx.aol.com [64.12.207.149]) by cia-ma03.mx.aol.com (v129.4) with ESMTP id MAILCIAMA038-5c684c27b7442ff; Sun, 27 Jun 2010 16:40:41 -0400
    Received: from webmail-m103 (webmail-m103.sim.aol.com [64.12.224.157]) by smtprly-mb02.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYMB026-5c684c27b7442ff; Sun, 27 Jun 2010 16:40:36 -0400
    Received: from 24.208.227.247 by webmail-m103.sysops(at)aol(dot)com (64.12.224.157) with HTTP (WebMailUI); Sun, 27 Jun 2010 16:40:36 -0400
    Content-Transfer-Encoding: quoted-printable
    X-Mb-Message-Source: WebUI
    X-Aol-Ip: 24.208.227.247
    X-Mb-Message-Type: User
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    X-Mailer: AOL Webmail 32131-MOBILE
    Message-Id: <8CCE4502188EAFB-3328-1D08F(at)webmail-m103.sysops.aol(dot)com>

    For comparison, here is an example of a long header from a legitimate email I sent around the same time:
    From: Robert Loney <rkloney5@aol.com>
    Subject: my mac had a virus!
    Date: June 25, 2010 9:23:45 PM EDT
    To: Peter Omnet <somnet(at)sympatico.ca>
    Return-Path: <rkloney5(at)aol.com>
    Received: from mtain-db03.r1000.mx.aol.com (mtain-db03.r1000.mx.aol(Dot)com [172.29.64.87]) by air-dc03.mail.aol.com (v129.4) with ESMTP id MAILINDC034-86a14c2556a637; Fri, 25 Jun 2010 21:23:50 -0400
    Received: from fipsb03.cogeco(dot)net (smtp3.cogeco.ca [216.221.81.30]) by mtain-db03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 3941F380000CB for <rkloney5(at)aol.com>; Fri, 25 Jun 2010 21:23:46 -0400 (EDT)
    Received: from d24-235-154-16.home1.cgocable(dot)net ([24.235.154.16]) by fipsb03.cogeco.net with ESMTP; 25 Jun 2010 21:23:45 -0400
    X-Ironport-Anti-Spam-Filtered: true
    X-Ironport-Anti-Spam-Result: AkkFACHzJEwY65oQ/2dsb2JhbACBPAeRB4xgccILglscgisE
    X-Ironport-Av: E=Sophos;i="4.53,484,1272859200"; d="scan'208,217";a="114790916"
    Mime-Version: 1.0 (Apple Message framework v1081)
    Content-Type: multipart/alternative; boundary=Apple-Mail-4-707998684
    References: <79661926-2B97-42F2-8DCE-C21D76857384(at)aol(dot)com>
    Message-Id: <658973A7-B406-46D8-9E10-903B82616DAD(at)aol(dot)com>
    X-Mailer: Apple Mail (2.1081)
    X-Aol-Global-Disposition: G
    X-Aol-Sid: 3039ac1d40574c2556a23bec
    X-Aol-Ip: 216.221.81.30

    I'm afraid I'm not sure how to read the differences, but one thing I notice is the X-Mailer is different. The legitimate email says Apple Mail 2.1081, while the spam email says AOL Webmail 32131-MOBILE. I own no mobile devices capable of email.

    Cheers,
    Rob
  • thomas_r. Level 7 (30,135 points)
    I checked my home directory for viruses using Norton Antivirus and found a virus: Trojan.ByteVerify and some related files.

    That trojan affects only Windows. It cannot have any effect on a Mac.

    As others have said, it's extremely unlikely that this is a problem with malware on your Mac. See my Mac Virus guide (http://www.reedcorner.net/thomas/guides/macvirus) for more information about this sort of thing. Note that I've got no known Mac malware in the catalog on that page that sends spam.

    If you have ever e-mailed a significant portion of your Address Book, with the addresses on the To or CC lines, and a spammer got hold of that e-mail, that could explain why those people are being spammed with your address spoofed on the From line. Alternately, your account could have been compromised, and if you sync addresses from Address Book to your mail server, that would do the trick. I'd advise immediately changing the password on your e-mail account to ensure this isn't the problem.

    Ultimately, though, there's nothing you can do to prevent spammers from spoofing your e-mail address on the From line. Even if there were a law against it in this country, many spammers are in other countries. Folks from Russia, for example, have been doing a lot of illegal net-related stuff lately, like spamming, phishing and other scams.
  • Barney-15E Level 8 (41,410 points)
    Check your account settings and make sure they have not added themselves to your email notifications.
    Change all of your account passwords.
    The headers indicate it is coming from a web-based email client.
  • thomas_r. Level 7 (30,135 points)
    Note that, if you trace the Received headers back to the original sending machine, it's different in these two e-mails. In the spam:

    Received: from 24.208.227.247

    In the legit e-mail:

    Received: from d24-235-154-16.home1.cgocable(dot)net ([24.235.154.16])
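The trace that dbsneddon and thomas_r. describe, done mechanically, as an added example that is not part of the thread: each mail server prepends its own `Received:` line, so the last `Received:` in the message is the earliest hop, the one that accepted the message from the real sender. The script unfolds the headers, walks the `Received:` chain, and reports the originating host, the first IP literal in its `from` clause, the transport (`with ...`) and the `X-Mailer`. The sample input is the two header blocks Rob posted above with the forum's "(at)"/"(dot)" obfuscation undone; "webmail-m103.sysops.aol.com" is my reading of the obfuscated hostname (the Message-Id uses the same domain), and only the lines the analysis needs are kept.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the headers quoted in the thread, de-obfuscated.
SPAM_HEADERS = """
From: Robert Loney <rkloney5@aol.com>
Return-Path: <rkloney5@aol.com>
Received: from smtprly-mb02.mx.aol.com (smtprly-mb02.mx.aol.com [64.12.207.149]) by cia-ma03.mx.aol.com (v129.4) with ESMTP id MAILCIAMA038-5c684c27b7442ff; Sun, 27 Jun 2010 16:40:41 -0400
Received: from webmail-m103 (webmail-m103.sim.aol.com [64.12.224.157]) by smtprly-mb02.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYMB026-5c684c27b7442ff; Sun, 27 Jun 2010 16:40:36 -0400
Received: from 24.208.227.247 by webmail-m103.sysops.aol.com (64.12.224.157) with HTTP (WebMailUI); Sun, 27 Jun 2010 16:40:36 -0400
X-Mb-Message-Source: WebUI
X-Aol-Ip: 24.208.227.247
X-Mailer: AOL Webmail 32131-MOBILE
"""

LEGIT_HEADERS = """
From: Robert Loney <rkloney5@aol.com>
Received: from mtain-db03.r1000.mx.aol.com (mtain-db03.r1000.mx.aol.com [172.29.64.87]) by air-dc03.mail.aol.com (v129.4) with ESMTP id MAILINDC034-86a14c2556a637; Fri, 25 Jun 2010 21:23:50 -0400
Received: from fipsb03.cogeco.net (smtp3.cogeco.ca [216.221.81.30]) by mtain-db03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 3941F380000CB for <rkloney5@aol.com>; Fri, 25 Jun 2010 21:23:46 -0400 (EDT)
Received: from d24-235-154-16.home1.cgocable.net ([24.235.154.16]) by fipsb03.cogeco.net with ESMTP; 25 Jun 2010 21:23:45 -0400
X-Mailer: Apple Mail (2.1081)
X-Aol-Ip: 216.221.81.30
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+(?:\s*\([^)]*\))?)")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto the
    previous header so each list element is one logical header line."""
    lines: List[str] = []
    for line in raw.strip("\n").splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def header_values(lines: List[str], name: str) -> List[str]:
    """All values of header `name`, in the order they appear (newest first)."""
    prefix = name.lower() + ":"
    return [l[len(prefix):].strip() for l in lines if l.lower().startswith(prefix)]


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Split one Received: clause into the sending host ('from'), the first IP
    literal in that from-part, the receiving host ('by') and the transport."""
    from_part, _, rest = value.partition(" by ")
    m_from, m_ip = FROM_RE.match(from_part), IP_RE.search(from_part)
    m_by, m_with = re.match(r"\s*(\S+)", rest), WITH_RE.search(value)
    return {
        "from": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1) if m_with else None,
    }


def trace_origin(raw: str) -> Dict[str, Optional[object]]:
    """Summarize where a message entered the mail system: the LAST Received:
    header is the earliest hop, i.e. the server that talked to the sender."""
    lines = unfold(raw)
    hops = [parse_received(v) for v in header_values(lines, "Received")]
    origin = hops[-1] if hops else {}
    mailer = header_values(lines, "X-Mailer")
    return {
        "hops": len(hops),
        "origin_host": origin.get("from"),
        "origin_ip": origin.get("from_ip"),
        "transport": origin.get("with"),
        "x_mailer": mailer[0] if mailer else None,
    }


def submitted_via_webmail(summary: Dict[str, Optional[object]]) -> bool:
    """A first hop 'with HTTP' means the provider's webmail accepted the message
    from a browser session, not an SMTP client such as Mail.app."""
    return str(summary.get("transport") or "").upper().startswith("HTTP")


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_HEADERS), ("legit", LEGIT_HEADERS)):
        s = trace_origin(raw)
        print(label, s, "webmail" if submitted_via_webmail(s) else "smtp client")
```

Two caveats when reading the output. A sender can forge `Received:` lines below the ones its own provider adds, so only the hops written by servers you trust are evidence; here the decisive hop (`with HTTP (WebMailUI)` from 24.208.227.247) was stamped by AOL's own webmail server, which is why it points at a browser login to the account rather than at Mail.app on the Mac. And the IP in that hop is the client's address as seen by the provider, so comparing it with your own public address at the time is the quickest way to tell whether the session was yours.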
  • Robert Loney Level 1 (0 points)
    Hi folks,

    An update 10 days after the problem first appeared...

    It seems clear that:
    - someone is able to mimic my old email address and send spam to people, making it look like it is coming from my address. At least some of these spam emails are showing up in my "Sent" messages folder in the compromised email account.
    - Somehow, the spammer has obtained my address book, which is being used (in part) as a source of addresses for spam recipients. I know this because among some unknown spam destinations are scattered addresses I have in my address book from both work and personal life. I have no idea how this could have happened. I have not emailed my address book anywhere. I have in the last month or so used Dropbox to start synchronizing Address Book between home and work Macs (so the master resides on Dropbox), and those are the only places my address book resides. I see no sign that my Dropbox account is compromised, but I might abandon cloud computing for now after this!
    - Spam (pretending to be me as a source) is only being sent out when I am actually using my home Macintosh computer. I am certain of this now, after 10 days of viewing the pattern. The first spam was Thursday June 24, when I was on the Mac, and there have since been about 6 or so spam 'waves'. None on the 25th, but on the 26th, 27th, 29th, and 30th. I did not turn on my home Mac on the 25th, 28th, nor between July 1-5, and there has been no spam on those days. Is it possible for someone to monitor my IP address and send spam out when the monitor sees me communicating with the outside world?

    What I've done:
    - I created a new Mac OS system from scratch on my home computer, containing no files with modified date June 24 or later. That new system is using Norton Antivirus for Mac, firewall on in stealth mode (allowing only email, web, and normal system operation), Little Snitch (I've enabled very few operations to be allowed automatically), and using a Mac OS X account that does not have administrative access.

    - I have tried to change the settings of the AOL free account (at least change the password), but am unable to do so. When I log into my account on the web, click settings and change password, it asks me my security question, then I get a French page (not my choice) showing some of my account settings, with nothing to click that would allow me to change settings. There also seems to be no way to delete or cancel an aol free email address account; the best advice I've seen is that it will be deactivated after 90 days of inactivity, which in this case won't happen if spam is being sent from that address and appearing in the Sent folder. I will continue to investigate ways to do this; I might end up having to write a snail mail letter to AOL Canada asking them to delete the compromised account.

    - I have pretty well abandoned the compromised email account, migrating most of my email subscriptions to a new email address and informing who I can that the old email is a spam source. Is there any way to report the email address as spam centrally?

    - Finally, I am going to contact my ISP today and see what they can do; maybe I can get a different IP address at home...

    If anyone has further suggestions I would appreciate it. What a nightmare!

    Thank you,
    Rob
  • thomas_r. Level 7 (30,135 points)
    Sounds like you've done a lot of useless flailing - no offense meant. The one thing that you most needed to do - changing your password on the affected account - you have not managed to do. If AOL's settings won't let you do that, then you need to contact them to either have them delete the account or change the password for you. As long as the password remains unchanged, your account remains compromised.

    Access to the Address Book is not required for the attacker to send messages to people in your Address Book. If you have sent mail to those people - and chances are pretty good that you have - then the attacker can probably see that with access to the account online. They do not need access to your machine.

    The pattern that you have seen of abuses only when you are using your computer could be simple coincidence. It's also possible that the attacker has some way of getting access to the account when you are connected. I don't know a whole lot about how secure AOL's e-mail servers are. In any case, though, it's extremely unlikely that anything is coming from your Mac itself when you've got AV software installed as well as Little Snitch monitoring everything outgoing. Especially if you have other e-mail accounts in use on that machine that are not sending spam.

    Try completely deleting the account from Mail (make sure to move messages to "On my Mac" mailboxes first if you want to keep them). If the spam still gets sent, and Little Snitch doesn't report any suspicious connections to the AOL SMTP server, then it's not coming from your machine.
  • Robert Loney Level 1 (0 points)
    Hi Thomas,

    You're right, I've flailed uselessly! I have come to the conclusion that the problem was caused by someone breaking into my AOL account and using it to send spam emails. By coincidence, I had just a couple of weeks earlier uploaded my address book contents to the AOL address book (thinking it might be convenient to do so).
    As for changing the AOL account password, none of the web-provided solutions worked, and when I first called AOL they said they don't provide support over the phone for free accounts. But a second call finally got me a way to change my AOL email password, and since I changed it there have been no further incidents.
    I should have trusted my Mac! But it boggles my mind that a company email account is less secure than my own personal computer. I would expect companies in the business of providing email accounts to have better security. My password wasn't that simple; it would have taken considerable work for someone to crack my password. So perhaps the account information was stolen from a server. Guess I'll never know.
    Anyway, problem solved and it had nothing to do with my Mac at all.