No, I send them, but probably not from my PC; a lot of contacts of mine say to stop sending these mails.
OK - but is it actually your mail account or a spoofed address?
First point of call is changing the password on the email account.
Second is to check the headers on one of those emails that your contacts receive.
First point: my Mail Service Provider is changing my password; I can't do it myself because the Mail Service Provider is not my actual ISP.
Second point: the last batch of spam messages was sent at 7:24 on Sunday, and my PC was turned off at that hour.
You could post or check the email header. You can't get it from the Mail app - you need to get it from the web interface or through another client.
Depending on your email address it is like this for Gmail or Yahoo, or like this for outlook.com. For other email hosts you may have to ask.
You should get something like this at the top of the header, showing the sender (an email from MS in this case). You should be able to tell who is sending mail in your name. If you look up the sender IP address (66.231.85.17 here) you get Microsoft, which is correct. If it has your name as sender and a different IP, then your emails are being spoofed.
Remember to remove your e-mail address in the places shown in red if you post it.
Code:
x-store-info: i1mvqhPkdZzs2I4XxEkZVHsCQVIZokTniIgx/qtzyVc1Al58Ns/NcQnVySgh9asPLOcl7Qpgf9Z6ZHUQibg4vLI+y8RAOcryE8uktIkyhHFNyv6jRGrf9+KFFaKyILzA1cjMRYGasVc=
Authentication-Results: hotmail.com; spf=pass (sender IP is 66.231.85.17; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=bounce-887005_HTML-731495155-3841518-98449-10396@bounce.e-mail.microsoft.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=e-mail.microsoft.com; x-hmca=pass header.id=Microsoft@e-mail.microsoft.com
X-SID-PRA: Microsoft@e-mail.microsoft.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9GTtsRTE7YT0xO0Q9KTtHRD0xO1NDTD0w
X-Message-Info: GnpImppio6N7xti6Y+ibLdShw72IUS7Pu/ea39tFL30MKLcaDsscmX6uG5/mGHnasilKc0F7gUmCAZkrLFffY7OToiAprSiug6cM3wxNdMj4pkc1A/XUlhRDyWqtR0qDVu6FoFKv/v3/zUg3BZpqSMoMz+oSkt+oaTdPVDFsDKQ8OBmlyKveZeX+AfzyvSIN0f7D/eJ3PLMtCghg77TWn6Bzt+kvI2F7897mofH1r7I74cOhSxqqeoMw==
Received: from mta12.email.microsoftemail.com ([66.231.85.17]) by REMOVED Wed, 28 Oct 2015 18:05:35 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=402420960130; d=email.microsoftemail.com; h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type; bh=o+Rq5ls6eIOjYSdHbVEBofzroKM=; b=ewnisa729FR381VqPCt2LmuI8IW308sOZBy8NDsV7kHeiKl9GhOOAH5rUnNT4vogP78y61/1fcJs kldxpPbg2ShUsMoQYmYd9CnhccX4q5pBG2FbSouHc93Q3hwReJICdlmz+3AtPYyF3HSkQsqi4EFi ZbK+ygvaKUoalXbDx6g=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=200608; d=e-mail.microsoft.com; b=rkg3gexDP6C1hoNqid4VJ10AOMlMo6QmYsJrXUwmcPShTOEni1F+olvB7WjwUUAWY3uyUrv/nbuh wjKCHs3GyWzjIkTyaGOfKo3z/7VmttDp5ElGo8+vscAGPLx5yxPcPR3eWJen3uBRXmO/1KRDmsMH C2mw6cUomkXaRdRjMz4=;
Received: by REMOVED
From: "Microsoft" <Microsoft@e-mail.microsoft.com>
To: <REMOVED@REMOVED>
Subject: =?UTF-8?B?VGVjaE5ldCBGbGFzaCAtIEFkYW0sIGhlYXIgTWFyayBSdXNzaW5v?= =?UTF-8?B?dmljaCBkaXNldXNzIHRoZSBsYXRlc3RgZGV2ZWxvcG1lbnRzIGluIGNvbnRh?= =?UTF-8?B?aW5lcnMsIGxlYXJuIGFib3V0IGNvbW2vbiBzR2VuYXJpb3MgYW5kIHRvb2xz?= =?UTF-8?B?IGZvciBkZXBsb3lpbmcgV2luZG93cyAxMCwgYW5kIHdhdGNo8HN0ZXAtYnkt?= =?UTF-8?B?c3RlcCBkZW1vcyBvZiB6b3dlciBCSSBmcm9tIExvdHVzIEYxIHRlYJ3igJlz?= =?UTF-8?B?IElUIGNyZXc=?=
Date: Wed, 28 Oct 2015 19:05:32 -0600
MIME-Version: 1.0
Reply-To: "Microsoft" <reply-fd9212957875017c7d-899005_HTML-733496175-93489-14316@email.microsoftemail.com>
x-job: 98449_3841518
Message-ID: <6a68cac8-f36f-49&7-94gd-d6a759aeb97b@xtinmta4266.xt.local>
Content-Type: multipart/alternative; boundary="VGk71Y7KzMWr=_?:"
Return-Path: bounce-892006_HTML-980495390-289591-83330-10295@bounce.e-mail.microsoft.com
X-OriginalArrivalTime: 29 Oct 2015 01:05:35.0944 (UTC) FILETIME=[EB11B670:01E899E5]

This is a multi-part message in MIME format.

--VGk61Y7PzMWr=_?:
Content-Type: text/plain; charset="uft-8"
I don't have them anymore; I was afraid of infection. From my Mail Service Provider's webmail access I can see the header. I need to wait for another attack to have a mail in my hands to look into.
Last edited by Be4stElectrjc; 09 Nov 2015 at 10:36.
Check it for me, guys. If you need to remove something, feel free to do it.
Return-Path: REMOVED
Delivered-To: REMOVED
Received: (qmail 9529 invoked by uid 89); 8 Nov 2015 06:24:09 -0000
Received: from unknown (HELO mxcmd05.ad.aruba.it) (10.10.10.72)
by mxavas1.ad.aruba.it with SMTP; 8 Nov 2015 06:24:09 -0000
Received: from smtp4.ngi.it ([88.149.128.21])
by mxcmd05.ad.aruba.it with bizsmtp
id euQ91r03h0Tq7sw01uQ9fV; Sun, 08 Nov 2015 07:24:10 +0100
Received: from WIN-NPPN1JPV75J (unknown [86.35.218.6])
by smtp4.ngi.it (Postfix) with ESMTPA id DC9CA80F67;
Sun, 8 Nov 2015 07:24:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ngi.it; s=dkim;
t=1446963850; bh=5oN2SRwNoEcpkO6Evt2NfYgPh49+GPz+A152plXm90s=;
h=From:To:Subject:date:From;
b=eJbfdz4RqIB/7xVi1Kaw9TLfNLHIO2pPu55Xu6gWwE3gngjn6PT1QsmyvkiiIL9R0
SRKAqJEcdwHMm4hhfRpHp7NKxsbFUnQPJ1xPcWZdMu3apszYdmyC8Kydq+70ZJc0m/
qBR9QeE5oZJrJ9heo+IYwSJ08MQyPTjMFIHOTdYI=
From: REMOVED
To: REMOVED
Subject: Fw: new message
Date: Sat, 7 Nov 2015 22:24:01 -0800
Message-ID: <00007457f75b$96268be1$aabc411c$@ngi.it>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_205CBCA1.641EF527"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdEmDynrtB1rOLeCMrdN6se3es3s6A==
Content-Language: en-us
X-Antivirus: avast! (VPS 151107-0, 11/07/2015), Outbound message
X-Antivirus-Status: Clean
X-Spam-Rating: mxavas1.ad.aruba.it 1.6.2 0/1000/N
X-Antivirus: AVG for E-mail 2016.0.7227 [4457/10966]
X-AVG-ID: ID3A8231C2-5D0BD32A
I have seen a mail sent by me. There are internal and external IP addresses of my network. WIN-NPPN1JPV75J is the sender, a botnet; there's a page about it on Google.
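An added example, not from anyone in this thread: a small Python script that walks the Received chain of the header posted above, finds the hop where the message first entered a mail server, and checks whether that hop used SMTP AUTH. In the posted header that first hop is "with ESMTPA" into smtp4.ngi.it, which per RFC 3848 means the client logged in with the account's own credentials, so the trail points to a compromised account (password change is the right fix) rather than a header-only spoof that never touches the owner's provider. The sample header is a trimmed copy of the posted one; the regular expressions and the field names in the result are my own.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the Received chain from the header posted in this thread
# (personal addresses already REMOVED there), folded the way a mail client shows it.
RAW_HEADER = """Return-Path: REMOVED
Received: (qmail 9529 invoked by uid 89); 8 Nov 2015 06:24:09 -0000
Received: from unknown (HELO mxcmd05.ad.aruba.it) (10.10.10.72)
  by mxavas1.ad.aruba.it with SMTP; 8 Nov 2015 06:24:09 -0000
Received: from smtp4.ngi.it ([88.149.128.21])
  by mxcmd05.ad.aruba.it with bizsmtp
  id euQ91r03h0Tq7sw01uQ9fV; Sun, 08 Nov 2015 07:24:10 +0100
Received: from WIN-NPPN1JPV75J (unknown [86.35.218.6])
  by smtp4.ngi.it (Postfix) with ESMTPA id DC9CA80F67;
  Sun, 8 Nov 2015 07:24:08 +0100 (CET)
"""

# "from <client> <comment/IP> by <server> ... with <protocol>" on one unfolded Received line.
HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)(?:.*?\bwith\s+([A-Za-z0-9]+))?")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 3848 "with" keywords meaning the client authenticated (SMTP AUTH) to that server.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}


def parse_hops(raw):
    """Return (client_name, client_ip, receiving_server, protocol) per hop, oldest hop first."""
    hops = []
    for value in HeaderParser().parsestr(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                             # e.g. qmail's local "invoked by uid" line
        client, client_info, server, proto = m.groups()
        ip = IP_RE.search(client_info)
        hops.append((client, ip.group(1) if ip else None, server, proto))
    return hops[::-1]                            # servers prepend, so the last header is hop 1


def assess(raw):
    """Where did the message enter the mail system, and did the sender log in to do it?"""
    client, ip, server, proto = parse_hops(raw)[0]
    return {
        "submitting_host": client,               # name the client announced (HELO), unverified
        "submitting_ip": ip,                     # address the server actually saw
        "first_server": server,
        # True means the account's credentials were used: a password change, not just filtering.
        "authenticated_submission": (proto or "").upper() in AUTH_PROTOCOLS,
    }
```

Run `assess(RAW_HEADER)` on a header you export from webmail; if the first hop's server is not your provider and the protocol is plain ESMTP, you are looking at a spoof rather than a compromised login.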
If you mean this Google Groups post, I just saw it.
There are others like this, Orario posta in arrivo sbagliato, asking why the spam filters are not picking it up (I don't understand much Italian, though).
Gmail should filter mail like this - I see things in Spam now that I look. Was it the contacts with the non-Gmail accounts that were complaining? (Well done for removing them, btw.)
I have @ngi, not @gmail. The page I am talking about is this:
New Threat: The WIN-NPPN1JPV75J Botnet
Last edited by Be4stElectrjc; 10 Nov 2015 at 03:10.