# Outlook sending spam



## FrankB (Mar 19, 2001)

I am on XP with Outlook 2002 SP2. I have been getting Mailer Daemons returned to me on messages I haven't sent. Today when I checked my mail for the first time I saw Norton scan an outgoing message and I received a Daemon back. The message has to do with printer cartridges. There are no new messages in my sent folder. In the body of the Daemon I see a file winmail.dat. I did a search in my pc and only found a winmail1.dat 1kb. Is this a normal file in XP? Is there a way to find the program that's sending this spam from my pc? I ran spybot and adaware with the latest updates. I also ran Norton and found nothing. I asked for help from my ISP but they haven't helped. Are there any mail trace programs? Any suggestions?


----------



## BillC (May 29, 2003)

One of the newer techniques spammers are using is to hijack many individual machines to avoid being traced. The fact that you said Symantec was scanning something going out leads me to believe you may very well be a victim. Sounds like it anyway.

I'd suggest a couple of online scans that are sometimes able to find this type of malware. Try Pest Patrol's PestScan and GFI's online trojan scan.

If you find nothing, then it is time for a Hijack This log review I believe.


----------



## FrankB (Mar 19, 2001)

These found 0 problems. I had already run adaware, spybot and norton. This seems to be a problem for others also. It may be the tip of the spam iceberg. Others have tried many things and found nothing in their logs that gives a clue.
Thanks again


----------



## BillC (May 29, 2003)

Golly...a mystery indeed. Well, if something is being sent, an application has to be sending it. Look in your Task Manager and see if anything looks new or unusual to you. Trouble is, for me, most things in Task Manager look unusual!

Also, check the properties of the "returned" mail to see if that might shed some light.

The new Zone Alarm Pro has a mailsafe feature that allows you to block mailings that exceed a number you pick like 'x' messages in 'y' seconds. This was designed for this exact reason. Zone Labs says:


> Too many e-mails are sent at once: Zone Labs security software displays an Outbound MailSafe protection alert when your computer attempts to send more than the specified number of e-mails within the specified time interval.
> 
> A message has too many recipients: Zone Labs security software displays an Outbound MailSafe protection alert when your computer attempts to send an e-mail message with more than the specified number of recipients.


It's a thought.


----------



## FrankB (Mar 19, 2001)

Here's what I found so far on another board.

http://miataru.computing.net/security/wwwboard/forum/6471.html

The last message I posted on that board has a link that explains who is doing it. Very deep!


----------



## greygeezer (Jul 15, 2003)

This article talks around the problem but doesn't say anything specific. This appears to be a growing threat, but still no specific information on your problem.

http://www.pcworld.com/howto/article/0,aid,111636,00.asp


----------



## jlongson (Oct 15, 2003)

Glad others are having this problem. Happily the problem, at least on my machine, isn't a trojan but a tag in a spam that I received.

Disposition-Notification-To: <[email protected]>

(email address is fictitious)

I'm running Outlook 2002-sp2 on XP pro with ZoneAlarm pro.

My spam filter (Cloudmark) picked up the spam and moved it to a spam folder. When I periodically delete the contents of the spam folder, it seems to send these disposition notification messages.

So the message gets sent, even if I never open it. Deleting the spam triggers the send.

Outlook allows blocking of read receipts, but I haven't figured out whether it can block Disposition-Notification-To: messages.


----------
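The post above traces the unexplained outgoing mail to a `Disposition-Notification-To` header in received spam. As an added example (not code from anyone in the thread), the Python below lists receipt-request headers in a raw message and checks whether a returned bounce encloses an automatic receipt rather than an ordinary message. The sample messages, addresses and function names are constructed, and including `Return-Receipt-To` is an assumption beyond the header named in the post.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that ask the receiving mail client to send an automatic receipt.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")

def receipt_requests(raw):
    """Map each receipt-request header present in a raw message to its addresses."""
    msg = message_from_string(raw)
    found = {h: [a for _, a in getaddresses(msg.get_all(h, [])) if a] for h in RECEIPT_HEADERS}
    return {h: addrs for h, addrs in found.items() if addrs}

def is_receipt(msg):
    """True if msg is a disposition notification (a read or delete receipt)."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "disposition-notification")

def bounced_receipt(raw):
    """True if the mail a bounce returns is a receipt rather than an ordinary message."""
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and is_receipt(part.get_payload(0)):
            return True  # bounce returned the whole original message
        if ctype == "text/rfc822-headers" and is_receipt(message_from_string(part.get_payload())):
            return True  # bounce returned only the original's headers
    return False

# Constructed sample: spam carrying a receipt request (placeholder addresses).
SPAM = """\
From: offers@example.invalid
Subject: Printer cartridges
Disposition-Notification-To: <collector@example.invalid>
"""

# Constructed sample: bounce of the receipt, trimmed to the returned headers.
BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

From: user@example.org
To: collector@example.invalid
Subject: Not read: Printer cartridges
Content-Type: multipart/report; report-type=disposition-notification; boundary="b2"
--b1--
"""
```

Run `receipt_requests` over messages saved from the spam folder and `bounced_receipt` over the returned mail; a bounce that encloses a receipt points at the mail client answering a receipt request, not at a separate program sending spam.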



## haza-w (Dec 2, 2004)

Great numbers of these e-mails are being sent from my home PC.
I have traced the address of where the HTML in the e-mail redirects you - it is smartinfosite.info on mine - go there and you get a lovely "unsubscribe" box - the WHOIS data points it to an Australian user who I have contacted with extremely nice words.
ZoneAlarm's MailSafe feature should be preventing mail from being sent in this fashion but nothing is flagged.


----------



## Bob Parks (Jan 10, 2004)

I may have misread this thread but I see a program on a local hard drive sending spam. ZoneAlarm and Norton both have a switch that requires authorization to send mail. After you approve Outlook etc. the spyware program can be denied permission permanently and you never see it again. Spybot/PestPatrol/Webroot/Adaware can then sniff out and delete the bad program.


----------

