My computer appears to be sending out spam messages without my permission or intent.
The reason that I suspect this is based on the bounced messages I have been getting lately. Now, I normally get a lot of bounced messages for spam/viruses that I didn't send b/c people are spoofing my email address (as is common these days, esp. if you run a website, as I do).
However, in a few of these instances, it appears as if the spam actually ORIGINATED on my computer.
The message headers in these instances include both my computer's machine name AND my actual IP address. This is why I think these are actually originating on my PC rather than just being spoofed email addresses.
The messages all have subjects of the following forms: "soandso get 6 Printer Cartridges for $49." OR "soandso get Half price printer cartridges"
These messages are not being sent to people in my address book. There is no trace of these messages in my outbox or Sent Mail folders. I am using Microsoft Outlook as my email prg.
I ran McAfee virus scan (with updated virus definitions) as well as HouseCall virus scan on my PC. Both found no evidence of any viruses.
I did a scan with Anti-Trojan and it found the following open ports:
Port 135 open.
Port 139 open.
Port 445 open.
Port 1025 open.
Port 1030 open.
Port 2503 open.
Port 2506 open.
Port 2513 open.
Port 5000 open. Possible trojans: Sockets de Troie, Blazer 5.
The Anti-Trojan registry scan found nothing, and its drive scan found some files which it claims are the trojan RewriteBootB. Those files were part of a program called Sawmill which analyses website log files, but I deleted it just in case. I could find no information anywhere on the net regarding this RewriteBootB (not even on Anti-Trojan's own website). It did not find any files pertaining to the possible trojans it claims would use port 5000.
My system is running Windows XP Home Edition with SP 1 installed. I have a hardware router with a NAT gateway. I am running ZoneAlarm Pro firewall.
I went to grc.com and ran every level of ShieldsUp and was told that my system is running completely in stealth mode, got perfect scores on every test, and is very secure.
So how can this be happening? I don't know what to do about it, and the reputation of my name and my business are at stake here.
ANY help that anyone can provide would be **GREATLY** appreciated!!

I did a search through Google and found RewriteBootB listed as a Trojan. Maybe you should try a different trojan remover.
Sorry I couldn't be more help.

This is fairly common.
"I went to grc.com and ran every level of ShieldsUp"
Security may not be Gibson's strength:
http://cert.uni-stuttgart.de/archive/ntbugtraq/2002/05/msg00010.html
Sygate scans would be my first recommendation. Using nmap from another computer would be my second.
http://scan.sygatetech.com/
"Port 135 open.
Port 139 open.
Port 445 open.
Port 1025 open.
Port 1030 open.
Port 2503 open.
Port 2506 open.
Port 2513 open.
Port 5000 open"
Why do you have these open? Make a reason for each one. If you can't find one, close the port.
The best thing to do is block all the ports you can on your computer. Read your firewall log and see what is going on. All transactions should be in your log. You do have a log don't you?

Thanks for the suggestions.
The log for my firewall shows absolutely nothing suspicious.
I will try the Sygate scans you suggested.
How do I determine why a certain port is open and whether it is because a normal internet enabled program needs it? How can I make a reason for each one when I've no idea which ports any of my software uses?
What is nmap?
I just got yet another bounced message of the same sort, this one with the subject, "soandso get Free Printer Cartridges and more". This is driving me crazy!!

OK, I ran the scans at http://scan.sygatetech.com/
Trojan Scan result: "You have blocked all of our probes!"
QuickScan results: "Unable to determine your computer name!", and "Unable to detect any running services!"
Stealth Scan results show all ports as blocked and "completely stealthed".
These results don't surprise me b/c I have both a Netgear router and ZoneAlarm Pro firewall. I think I need software running from the PC in order to be able to fully determine open ports and such..?
I took a look at the log from my Netgear router - unfortunately, it is a very short log and doesn't go back even many hours over time. I recognized everything on there except the following items of concern:
6|Sunday, 14 Sep 2003 02:28:29 Source:192.168.0.2 ALLOW:a.as-eu.falkag.net
112|Saturday, 13 Sep 2003 20:27:12 Source:192.168.0.2 ALLOW:red01.as-eu.falkag.net
113|Saturday, 13 Sep 2003 20:27:11 Source:192.168.0.2 ALLOW:a.as-eu.falkag.net
I went to www.falkag.net to try to find out what this domain is about. It is a company called Falk eSolutions. They have a product called "MailSolution", and clicking the link about it shows that, "Falk MailSolution is the first email delivery and management solution that communicates with a full-service ad serving solution."
Hmm.. this is suspicious, no? Should I contact this company b/c one of their clients may be maliciously utilizing their software on machine OR might they be the culprit themselves? Or is my problem likely unrelated to this? They also have an ad serving product so perhaps this entry only pertains to an ad being served?
In the meantime, to be safe, I had my router block access to the entire falkag.net domain..

Quick update:
I think the log from my router (Netgear Cable/DSL Websafe Router Gateway RP614) only logs internet browsing access, so it's most likely those references to falkag.net had to do with ads being served on some web pages..
Additionally, I tried to specifically block those open ports in ZoneAlarm Pro firewall, but it won't let me b/c I'm using the "High Security" setting, which 'automatically blocks all inbound and outbound traffic through ports not being used by programs you have given access or server permission except DHCP broadcast/multicast, Outgoing DHCP (port 67) - on Windows 9x systems, Outgoing DNS (port 53) - If the computer is configured as an ICS gateway'.
It won't let you block a port b/c it says all ports are blocked unless a program you have ok'd is using it - in which case it will open whatever that program wants. I have been very careful with my 'allowed programs' list - there's nothing on there that shouldn't be...

Maybe one of your trusted programs has been infected with a virus. Do not allow any programs to connect without asking. That might help narrow things down.

efabes - thanks for the suggestion.
The problem is that if you require them to ask before connecting, ZoneAlarm Pro only asks you once and whatever you answer is the answer it uses for the duration of while that program is running. It only asks you again the next time you launch it. So that wouldn't really help me out.
Furthermore, since I've already run both McAfee virus scan and Trend Micro's HouseCall virus scan, with everything being reported as clean, I think it unlikely that one of my trusted programs has a virus.

Well, initially I would have looked at your computer because the email headers had your hostname. IP address (if it is static) is not as big a deal. But the hostname resolution requires a local network call (i.e. your router doesn't have it so the information is in the LAN).
"What is nmap?"
http://www.insecure.org/
"How do I determine why a certain port is open and whether it is because a normal internet enabled program needs it?"
You close the port and see if anything is affected. Just try the programs you use that connect on the Internet (can't be that many - browser, email, chat - games shouldn't be running on anything under 1024).
Can you post the email headers? Just x-out your IP and hostname.

I will check out nmap - thanks.
My IP is not static, although it does not frequently change (router connects to DSL modem which is connected all the time..)
RE: ports - I can't seem to figure out how to close the ports in ZoneAlarm Pro. As described above, it claims all ports are closed unless they are needed by one of the applications listed as a trusted app. All of the applications on that list belong there (programs I regularly use that need net access) and I have run 2 different virus scans to ensure these programs are what they're supposed to be. There does not seem to be an option to block specific ports to ALL programs. Is there a different firewall I should be using?
Below is a copy of some of the email headers with my name, email, part of recipient's email, IP and hostname x'd out. Oddly, every time I try to confirm this post the system blanks out the Message-IDs, so I hope that isn't pertinent for your helping solve this.. Thanks again for your help!
EXAMPLE 1:
Return-Path:
Received: (qmail 3631 invoked from network); 12 Sep 2003 13:36:47 +0800
Received: from unknown (HELO mail.4ph.com) (192.168.1.2)
by sun2.cc.ntut.edu.tw with SMTP; 12 Sep 2003 13:36:47 +0800
Received: from (66.197.126.254)
by galaxy Forward To 140.124.13.6 with NTUT-CC Anti-Virus SMTP;
Fri, 12 Sep 2003 13:25:45 (CST)
Received: (qmail 15021 invoked from network); 12 Sep 2003 04:59:16 -0000
Received: from unknown (HELO XXXXXX) (XXX.XXX.XXX.XXXX)
by 0 with SMTP; 12 Sep 2003 00:59:16 -0400
From: "XXXXX"
To:
Subject: Not read: domains get Free Printer Cartridges and more
Date: Thu, 11 Sep 2003 22:11:42 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-MS-TNEF-Correlator: 0000000018DB3FCA596EA14E9D18FA9EE87F97D0E4527500
EXAMPLE 2:
Return-Path:
Received: (qmail 20394 invoked from network); 12 Sep 2003 05:12:34 -0000
Received: from mail.4ph.com (66.197.126.254)
by nero.hotkey.net.au with SMTP; 12 Sep 2003 05:12:34 -0000
Received: (qmail 14808 invoked from network); 12 Sep 2003 04:59:05 -0000
Received: from unknown (HELO XXXXXX) (XX.XXX.XXX.XXX)
by 0 with SMTP; 12 Sep 2003 00:59:05 -0400
From: "XXXXXX"
To:
Subject: Not read: emily get Half price printer cartridges
Date: Thu, 11 Sep 2003 22:11:44 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-MS-TNEF-Correlator: 0000000018DB3FCA596EA14E9D18FA9EE87F97D0C4527500
EXAMPLE 3:
Return-Path:
Received: (qmail 15237 invoked from network); 12 Sep 2003 04:59:29 -0000
Received: from unknown (HELO XXXXXX) (XX.XXX.XXX.XXX)
by 0 with SMTP; 12 Sep 2003 00:59:29 -0400
From: "XXXXXX"
To:
Subject: Not read: info get 6 Printer Cartridges for $49.
Date: Thu, 11 Sep 2003 22:11:42 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-MS-TNEF-Correlator: 0000000018DB3FCA596EA14E9D18FA9EE87F97D0A4527500
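A way to read Received: chains like the ones above programmatically, so the hop count and the injecting client's HELO/address can be pulled out of each bounce instead of eyeballed. This is an added example, not code from anyone in this thread; the sample headers are reconstructed from Example 1 and Example 3 with the poster's XXX redactions kept, and the function names are my own.

```python
import re
from email import message_from_string

# Headers reconstructed from this thread's Example 1 (five Received: stamps) and
# Example 3 (one network hop).  Folded continuation lines are re-indented and the
# poster's XXX redactions are kept; these are constructed samples, not live mail.
EXAMPLE_1 = """\
Return-Path:
Received: (qmail 3631 invoked from network); 12 Sep 2003 13:36:47 +0800
Received: from unknown (HELO mail.4ph.com) (192.168.1.2)
  by sun2.cc.ntut.edu.tw with SMTP; 12 Sep 2003 13:36:47 +0800
Received: from (66.197.126.254)
  by galaxy Forward To 140.124.13.6 with NTUT-CC Anti-Virus SMTP;
  Fri, 12 Sep 2003 13:25:45 (CST)
Received: (qmail 15021 invoked from network); 12 Sep 2003 04:59:16 -0000
Received: from unknown (HELO XXXXXX) (XXX.XXX.XXX.XXXX)
  by 0 with SMTP; 12 Sep 2003 00:59:16 -0400
Subject: Not read: domains get Free Printer Cartridges and more
X-Mailer: Microsoft Outlook, Build 10.0.2616

"""
EXAMPLE_3 = """\
Return-Path:
Received: (qmail 15237 invoked from network); 12 Sep 2003 04:59:29 -0000
Received: from unknown (HELO XXXXXX) (XX.XXX.XXX.XXX)
  by 0 with SMTP; 12 Sep 2003 00:59:29 -0400
Subject: Not read: info get 6 Printer Cartridges for $49.
X-Mailer: Microsoft Outlook, Build 10.0.2616

"""

# One network hop: "from <name> (HELO <helo>) (<addr>) ... by <host>".  Everything
# between "from" and "by" is optional because relays stamp it differently.
HOP_RE = re.compile(
    r"^from\s+(?:(?P<name>[^\s(]+)\s*)?"
    r"(?:\(HELO\s+(?P<helo>[^)]+)\)\s*)?"
    r"(?:\((?P<addr>[^)]+)\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """All Received: stamps, oldest first (relays prepend, so reverse header order)."""
    msg = message_from_string(raw_message)
    stamps = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return list(reversed(stamps))


def smtp_hops(raw_message):
    """Only the network hops, parsed into dicts; local stamps such as
    "(qmail N invoked from network)" carry no peer and are skipped."""
    hops = []
    for stamp in received_hops(raw_message):
        match = HOP_RE.match(stamp)
        if match:
            hops.append(match.groupdict())
    return hops


def submitting_client(raw_message):
    """(HELO name, address) that the first server recorded for the client that
    injected the message; this is the hop the thread is trying to attribute."""
    first = smtp_hops(raw_message)[0]
    return first["helo"] or first["name"], first["addr"]
```

For Example 3 the chain collapses to a single network hop, which is what makes it the most direct evidence in the thread; the same walk over Example 1 shows the message passing through mail.4ph.com (66.197.126.254) before reaching the bouncing server.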

ER, couldn't you clear your safe list from Zone Alarm and start from scratch? Telling each program to access once you know it is ok? I see what you're saying about it saying all ports are closed automatically... but there has to be a manual config in there somewhere... by clearing the safe list you can go one by one with each program that connects... I may be wrong, just a suggestion. These are great guys helping you out here, I'm sure you will get it figured out. Good luck!

Well, that last email (#3) is fairly incriminating. It is a direct bounce originating from you (nothing in between).
"winmail.dat"
Is that your winmail.dat file?
I am not thinking of any other way to get that return message (unless the server was hacked) without having it coming from your machine.
And honestly, Silver's suggestion is what my first course of action would be. Back up your config, and then wipe the running config (i.e. start over). It is a common security practice to reevaluate the entire system when there is evidence of a breach. In this case (this is Windows, there are probably not any rootkits) simply reevaluate your firewall rules. I would also change my hostname.
Not really too much else to do. Messing around with Windows is not the best of ideas (and there is not complete documentation).

I have the same exact problem !
It seems to me that the sender is MS-Outlook XP.
In fact mail is sent by logging into an SMTP server whose password is stored only in a secondary account in Outlook.
Now I deleted the password from Outlook and when I press F9 (Send/Receive button) I am asked the password for the SMTP server despite the fact that
1) I don't have any message in the Outbox
2) The account is not included in the send/receive list.
Note that when I select to have the "Send/receive" window pop up I can see that not just one operation is performed (retrieving mail from my main account) but two.
Outlook sends a message with one of my secondary accounts but I can see none in my Outbox.

thanks anonproxy and silver for your suggestions
First, winmail.dat, according to some searches I did on google, is simply an attachment created by Outlook which includes Rich Text Formatting instructions.
Secondly, I reset all of the program permissions on ZoneAlarm per your advice. Furthermore, I told it to ask me for permission for Outlook to send emails. Unfortunately, it only asks you once per time the program is running, and uses that answer for the duration of while the program is running, so what I have been doing is saying 'yes' when I actually send an email and then going back into ZoneAlarm and resetting the trigger to prompt me for permission to email (pain in the butt - wish there was a way to have it simply prompt me every time automatically..). Thus far it has not caught any attempts to send any emails that I did not actually write.
The thing is, I have not received that many of these bounced messages (although that is no indication of how many 'successful' spam messages actually went out..), and they are sporadic and come in bursts. The first time I noticed it was Aug. 28th, and I had about 7 of the bounced msgs from various different email accounts of mine. At this point I installed the firewall software and did virus scans, etc.
I didn't get any more bounced messages at that point, and I thought the problem was resolved, until Sept 12th when I got 3 more bounced msgs. These were what prompted me to post here.
BTW - I don't really know when the problem started happening b/c I get **tons** of bounced messages all the time where someone has just spoofed my email address - so I was used to seeing them and just deleting them. What caught my attention on 8/28 was that I noticed some of the bounces started coming from my pop mail server itself (unusual)
Since posting, I've not received any new bounced messages, but I've no way of knowing whether my problem is resolved. It could restart up again in a week or two, just like what happened previously.
What I can tell you is that since posting this thread I have received emails from several other people who say they have the exact same problem as me -- with the subjects of the messages even being the same. So clearly this is a significant problem that is affecting others besides myself (and who knows how many people don't even know they have this problem??)
What is bizarre to me is that ALL searching on the internet for information about this problem has turned up nothing. The only relevant URL I found is the one for the very thread I started. There are no posts on usenet, either, regarding emails with the subject lines I listed above, etc. There is no virus or trojan information about anything that has this particular behavior. There's nothing on the net about a problem like what I'm having!
I'm feeling VERY frustrated right now because I feel unsure about the security of my system and like I have no way of knowing whether the problem still exists other than to wait and see if I get some more bounced messages - and, again, who knows how many messages are going out in the meantime that actually reach their intended recipient?
I apologize for the long and emotional msg - I'm just at my wits end with this and I cannot begin to tell you the number of hours that I have spent trying to track down and resolve this problem.
Seeing as how the problem affects others besides myself, is there any organization out there that should be notified about a possible new virus/trojan/whatever that might be able to investigate this further?
What would y'all do if you were me?
Thanks so much, again, to everyone for their support and suggestions with this!

Connected via OptusNet (Aussie Cable Internet) running Norton Internet Security 2003, Sygate Home Network. Fully virus-checked and ad-aware clean.
However recently IE has been acting very slow - ie initial browse take 5--10 seconds, and when you mistype an internet address .. eg www.sdgjhfsgkjhfkj.com.au
I get the following::
URL: auto.search.msn.com/dnse...fsgkjhfkj.com.au
-------------------
<Picture Link that doesn't work>
We can't find "www.sdgjhfsgkjhfkj.com.au". Click Go to try your address again.
Or, correct the spelling of your address above and click Go.
See more results for www.sdgjhfsgkjhfkj.com.au at Click2Search
----------------
Viewing the source to this code to this page shows,
a number of Javascript links to:
a.as-us.falkag.net
Anyone tell me what I have / how to get rid of it??
Haven't received any bounced messages like the above person, but still concerned I have something going wrong.

Me too! I am not experiencing any more unwanted mail sending.
This may depend on spammers momentarily stopping their activity or because I installed all available patches and updates to my Windows XP and Office XP.
(I had the autoupdate function on, but found manually some extra patches available on Windows Update and reapplied both SR1 and SR2 to Office)
I will report any change and listen for news from all of you.

I think I have the same problem. So far we have only had one incident of spam bounced back to our computer (running Windows XP Home) but the thing that has me worried is the amount of net traffic whenever we connect.
While connected about five minutes to check email (Outlook Express) there is usually up to five megs of 'something' going out and maybe 250k of 'something' coming in.
My anti virus thing (AVG) gave a clean report.
Is a total Windows patch update the best course of action?

I have the same problem on XP outlook 2002 SP2. Today I noticed a message being sent that I didn't send. It was scanned by norton on the way out. It is not in my sent folder. I received a mailer daemon that contained the printer cartridge message and also file winmail.dat. I searched my pc for winmail but only found winmail1.dat 1kb. I ran spybot, adaware and norton with nothing found. I'm on dial-up. Has anyone worked with outlook on this?
Any suggestions? I also see a lot of hard drive activity when I shut down IE. I did a ctrl alt del and it is IE that has a high percentage of cpu activity. Thanks in advance for any help!

Here are some clues. It's over my head.
http://groups.google.com/groups?q=get+Free+Epson+Cartridges+and+more&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f74c91e_1%40nntp2.nac.net&rnum=1

Just to report an update -- I got two more bounced messages today, so apparently I still have the problem despite all my efforts to contain it.
And btw, I have ALL WinXP patches installed, Anti-Trojan Monitors, ZoneAlarm Pro firewall, NAT gateway router, antivirus scans, etc
I'm going insane with this!

what you're experiencing is something called a "read receipt"...it's not a virus.
i'm not sure what version of outlook you're using, but in outlook express 6, when you compose a message, you can request a read receipt by going to Tools->Request Read Receipt before sending out the email. as the name suggests, it will force the recipient of the email (not sure if this only affects outlook users) to automatically send out a confirmation receipt email when the delivered email is either read or deleted without being read (that's why the subject lines of your emails are "Not read: blah blah"). obviously, if the sender uses a bogus email address (as spammers often do), you'll get a bounced email because your receipt email couldn't make it back to its source. in the little research i've done, i can find no way to turn off the read receipt feature so that recipients of these flagged emails can prevent the receipt emails from going out. stinkin microsoft...
so rest assured, though annoying, the receipt email is harmless. at worst (or best, depending on how you look at it), you're spamming the individual who spammed you :)

Answerman,
I am sorry but you are wrong. We would not have spent all these weeks studying this problem if it was just a matter of Return Receipts.
By the way: you can disable the return receipt in Outlook: Tools|Options|Preferences|EmailOptions|VerifyOptions
The msgs with failure notice are only the symptom of the problem. The matter is that our Outlooks have been sending spam mail advertising "Printer cartridges" without us being aware of it.
Some messages, bouncing back with errors, warned us that something was going wrong with our mail systems.
I was able to intercept outgoing mail for a password protected SMTP account by disabling password remembering.
No firewall or tweaking software could stop our unwilling spamming, since the sender was our legitimate MS Outlook software.
We applied all MS patches but the problem persisted.
In my case the unwanted mail outgoing stopped now for a few weeks but I am not sure why.
Any update from the others ?
DWDP
