Funky emails OSX compromised?

Discussion in 'macOS' started by MacNoobie, Feb 18, 2009.

  1. MacNoobie macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #1
    Anyone else out there get this..
    I use Entourage to send and receive emails through comcast and lately I've been getting responses from people that have thought that I wrote "f*ck you! I'm crazy!". I thought at first an old friend of mine figured out one of my passwords so I changed it and I still get the random email response to the email sent above.

    Has anyone else gotten anything like this?

    My guess is that Entourage somehow got a bug and is sending out emails but I'm afraid what if it's something that can affect the whole system and just uses the settings found on the system to send out emails on its own.

    I've opened up activity monitor and I don't see anything that pops out at me, maybe ATSServer or UserEventAgent. I'm using ClamAV/Leopard Cache Cleaner to scan the system for viruses.
     
  2. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
    It's more likely that someone hacked your email account, not anything to do with software running on your computer. I'd change the password on all email accounts... make sure it's a complex one. ClamAV (or any other antivirus software) can't detect Mac viruses because none exist.
     
  3. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #3
    "Thought you wrote," as in, received e-mails from you? Your explanation of your problem is confusing, but surely Entourage keeps track of sent e-mails (I have to assume, since I don't use it). Check there to see if those e-mails really are being sent out from your computer, which seems extremely unlikely. Far more likely, somebody you know running Windows has a spambot virus which is spoofing your address, among others.
     
  4. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #4
    There are, or were, Office macro viruses; check out Microsoft's page on the subject.

    I haven't heard of any OSX trojans that do anything like that; the few that have been around don't seem to do much at all.

    Make sure you change your user PW and I'd ask one of your friends to forward you a copy of the email so you can check the header, it could be some kind of spoofing.
     
  5. Tallest Skil macrumors P6

    Tallest Skil

    Joined:
    Aug 13, 2006
    Location:
    1 Geostationary Tower Plaza
    #5
    In OS 9, sure.
     
  6. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #6
    I'm not sure, but the page does list Word 2004, so maybe they still have vulnerabilities, it is Microsoft after all :)
     
  7. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #7
    Well the thing is I've changed the password for the account to something random with lower/upper cases and number values so it's not like I'm assigning a password like "password123" for example. At first I thought someone did figure out the password, looked up all the settings and set their client to send emails under my account but for someone to figure out a randomly generated password that quickly doesn't seem likely.

    There doesn't seem to be any time stamp or details on the email either.

    I'm guessing it's an Entourage macro but I'm not sure where or what to look for in OSX to figure out if it truly is one or not.

    I might try composing emails from my iPhone and see if the problem exists because I suspect it could be a piece of rogue jailbroken code on the phone that could be randomly sending out emails using the SMTP settings.

    Seems to be isolated to comcast also so that leads me to believe it's Entourage.

    Another thing I've noticed, and I'm not sure if it's related, is random scrolling of the mouse up and down in an app. I thought it might have been my old mouse but the new one randomly scrolls in Firefox, Entourage, Mail etc etc.
     
  8. jdavtz macrumors 6502a

    Joined:
    Aug 22, 2005
    Location:
    Kenya
    #8
    It could be a virus on any one of your friend's computers picking a random "from" email address (i.e. yours) from his/her address book and sending out the emails.
     
  9. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #9
    But it's Mac OS X. There are ZERO viruses in the wild that can run on Mac OS X.
     
  10. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #10
    Did you look in Entourage's sent mail, as I suggested?
     
  11. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #11
    That could be as well since I don't see any "sent" emails in either Entourage or Mail that simply contain the phrase; it's usually an email I get back from the person saying WTF is going on, why did you send me this.

    I'm going to try using my phone simply for email and see if that narrows it down; if I still get someone mailing me back then I'm going to go back to a virgin phone and see if that eliminates the problem. I'm also getting responses back from people that have written ME an email to begin with.

    Beyond that I'm not sure if I could simply call comcast and tell them to just delete the email account so that one of my friends isn't sending out this rogue email.
     
  12. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #12
    Can you access this account with a web browser? That would be one way of determining if the mails are actually being sent through this account, or if your address (more likely) is being spoofed.
     
  13. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #13
    From my, admittedly very limited, understanding of Office, it used to be possible for an email in Entourage to execute a macro that affects other parts of Office. It would only be running on OSX in a technical sense though, because the vulnerability is entirely contained within Office and its macro/scripting framework; it can't affect anything else in the OS.

    I only point it out because Microsoft does list how to turn on macro virus protection in Office 2004, so apparently up to that point it was still a vulnerability.
     
  14. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #14
    ClamXAV doesn't detect anything on OS X. It's got a Windows only database.
     
  15. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #15
    Anyone can fake an email with your address. Google: Joe Job

    It's the same as putting your address as return address on a postal letter. However the emails can be tracked.

    Ask them to forward to you the email and email headers, and see where these emails were sent from.

    OSX is not compromised in any way by itself, unless you installed the program yourself that allowed such a thing; then it's actually the user who compromised the system.
     
  16. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #16
    I'm studying the raw headers from one of the emails I got:

    Return-Path: who@smugmug.com
    Received: from imta17.emeryville.ca.mail.comcast.net (LHLO
    IMTA17.emeryville.ca.mail.comcast.net) (76.96.30.78) by
    sz0147.ev.mail.comcast.net with LMTP; Wed, 18 Feb 2009 20:48:47 +0000 (UTC)
    Received: from mx1.smugmug.net ([208.79.45.22])
    by IMTA17.emeryville.ca.mail.comcast.net with comcast
    id HYom1b00B0UiYJQ0HYomV3; Wed, 18 Feb 2009 20:48:46 +0000
    X-Authority-Analysis: v=1.0 c=1 a=43WOCZFTUHMA:10
    a=JZRxJTk5ORS6Rj94vp7wEA==:17 a=iAgKEEEpAAAA:8 a=C_IRinGWAAAA:8
    a=jBBqwrQKbZTIgFEQ5bgA:9 a=aJi_hNMFcv6tVIZ2e27FimTtD5kA:4 a=50e4U0PicR4A:10
    a=si9q_4b84H0A:10
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mx1.smugmug.net (Postfix) with ESMTP id F315E65C104;
    Wed, 18 Feb 2009 12:48:44 -0800 (PST)
    X-Virus-Scanned: amavisd-new at smugmug.com
    Received: from mx1.smugmug.net ([127.0.0.1])
    by localhost (mx3.sv3.smugmug.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id HETuKRM+7o-W; Wed, 18 Feb 2009 12:48:44 -0800 (PST)
    Received: from blanked.blanked-computer.local (c-71-198-0-59.hsd1.ca.comcast.net [71.198.0.59])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx1.smugmug.net (Postfix) with ESMTP id 7817265C101;
    Wed, 18 Feb 2009 12:48:44 -0800 (PST)
    Message-ID: <499C73F9.5020009@smugmug.com>
    Date: Wed, 18 Feb 2009 12:47:53 -0800
    From: "blanky [SmugMug]" <blanky@smugmug.com>
    Reply-To: help@smugmug.com
    User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
    MIME-Version: 1.0
    To: BLANK@comcast.net
    Subject: Re: BLANK
    References: <877489559.1584001234982980795.JavaMail.root@sz0147a.emeryville.ca.mail.comcast.net>
    In-Reply-To: <877489559.1584001234982980795.JavaMail.root@sz0147a.emeryville.ca.mail.comcast.net>
    Content-Type: text/plain; charset=UTF-8; format=flowed
    Content-Transfer-Encoding: 7bit

    Hi BLANK,

    I'm not going to pretend you didn't just send that to us --- and its
    better that I caught this than someone else who may have been seriously
    offended --- but growing up in the Bronx and Brooklyn have made me
    pretty thick skinned when it comes to being instructed to perform that
    particular act.

    That said, BLANK > I take it you have an issue you require assistance
    with? Would you elaborate?

    BLANK
    Support Hero
    http://www.smugmug.com/help

    blah@comcast.net wrote:
    > **** you! i'm crazy!
    >
    >

    Obviously I've blanked out names and related email addresses but the only thing I can gather from looking at the header is it's from a California address in comcast? I also noticed that after I got my iPhone and jailbroke it that this started to happen.. not sure if it's coincidence or what..
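Added example, not from the thread: a small Python header walker that does what Consultant and ihabime suggest, applied to the headers quoted above. Note that those headers belong to the SmugMug reply, so the chain it reconstructs is the reply's path (staffer's machine, recorded by mx1.smugmug.net as a comcast.net cable customer address, then on to Comcast's inbound servers); the offending message itself is visible here only through its In-Reply-To id. The same `first_relay_in` check run on a forwarded copy of one of the rogue messages would show whether they really left via a Comcast submission server or were injected elsewhere with a forged From:.

```python
import re
from email import message_from_string
# Sample input: the Received chain of the SmugMug reply quoted above, re-folded
# (continuation lines indented) and trimmed to three hops and the headers read here.
RAW = """\
Return-Path: who@smugmug.com
Received: from imta17.emeryville.ca.mail.comcast.net (LHLO
 IMTA17.emeryville.ca.mail.comcast.net) (76.96.30.78) by
 sz0147.ev.mail.comcast.net with LMTP; Wed, 18 Feb 2009 20:48:47 +0000 (UTC)
Received: from mx1.smugmug.net ([208.79.45.22])
 by IMTA17.emeryville.ca.mail.comcast.net with comcast
 id HYom1b00B0UiYJQ0HYomV3; Wed, 18 Feb 2009 20:48:46 +0000
Received: from blanked.blanked-computer.local (c-71-198-0-59.hsd1.ca.comcast.net [71.198.0.59])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 by mx1.smugmug.net (Postfix) with ESMTP id 7817265C101;
 Wed, 18 Feb 2009 12:48:44 -0800 (PST)
From: "blanky [SmugMug]" <blanky@smugmug.com>
In-Reply-To: <877489559.1584001234982980795.JavaMail.root@sz0147a.emeryville.ca.mail.comcast.net>

"""

# "from <name the sender announced> (<what the relay actually saw>) ... by <relay>".
# Only relays you trust (your own provider's) record reliably; hops below the
# first trusted one could have been written by the sender.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")

def received_chain(raw):
    """Hops oldest-first as (announced_host, relay_saw, relay); each relay
    prepends its own Received line, so the bottom one is the first hop."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops

def header_domain(raw, name):
    """Domain part of an address or message-id header, '' if absent."""
    val = message_from_string(raw).get(name, "")
    return val.rsplit("@", 1)[-1].strip("<> ") if "@" in val else ""

def first_relay_in(raw, domain):
    """True when the relay that first accepted the message belongs to `domain`,
    i.e. it was really submitted through that provider, not injected elsewhere."""
    hops = received_chain(raw)
    return bool(hops) and hops[0][2].lower().endswith(domain.lower())

if __name__ == "__main__":
    for announced, seen, relay in received_chain(RAW):
        print(f"{announced} (seen as {seen or '?'}) -> {relay}")
    print("submitted via comcast.net:", first_relay_in(RAW, "comcast.net"))
```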
     
  17. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #17
    IJ Reilly is absolutely correct. The most likely cause of the OP's problem is that his email address has been spoofed.
    • This is an old problem.
    • It has nothing to do with viruses.
    • It has nothing to do with MacOS X.
    • It has nothing to do with Entourage.
    • There is precious little that you can do about it.
    A traditional method used to acquire addresses to be spoofed is to breach a Windows computer and to copy its address book. If that computer is owned by a friend, family member, or colleague, then the spoofer has your address. Addresses can be acquired directly from your mail provider and from businesses that you deal with. Spoofers may even mechanically generate your address.

    You can mitigate the problem somewhat by using multiple email accounts. Dedicate each account to a particular aspect of your life. Use your work account only for work, your family account only for your family, online shopping only for online shopping, etc. Minimize your use of accounts from the big name providers.
     
  18. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #18
    Apparently not since looking in the sent folder in entourage doesn't show any "sent" emails containing that. All I get back is an email from some poor random soul that replied to the "sent" email.

    It looks like it's spoofed and it's going to be a WITCH to deal with. I'm going to wait for a couple days and see what happens with not running Entourage and handling emails on here but just on the phone. Would it also be prudent to try and have comcast just close down the account eventually?

    A couple notes:

    Only happens on my comcast account which Mail and Entourage are set up for.
    HAS happened inside of AIM to a friend of mine using IM+ with email push enabled with the comcast account for an hour after I've logged out of the service. I just happened to log in with IM+ on my iPhone and saw the prior conversation in which that phrase popped up.
    Seems to be fairly random, not very frequent; has hit another photographer that's worked with me and that smugmug help desk and my friend on AIM.
     
  19. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #19
    You could shut the account down, but that won't stop someone from spoofing it as a return address. You just won't know about it anymore.
     
  20. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #20
    Are there ANY plans to overhaul email in the next internet? You see cell phone carriers taking every step, every measure to ensure your phone's not spoofed or hacked in any way, and does anyone feel like email should be overhauled to prevent spoofing for example?

    I realize it's a tall order to ask for something so dramatic but it seems like in this day and age when technology is pacing so quickly that the internet needs it, email needs it etc.
     
  21. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #21
    Just be grateful that you don't own any domains. They get hijacked by spammers regularly, and these events can generate thousands of bounced spams in a single day. I've heard about schemes to authenticate e-mail but none have ever caught on, but even that would not help much when millions of Windows boxes are running spambots. Maybe in Internet v3.
     
  22. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #22
    Sheesh, you mention the V-word once and everybody jumps on you :p
    I mentioned spoofing too, but nobody is yelling at me for that...

    To the OP, when you say "email from some poor random soul that replied to the "sent" email." Do you mean that the people receiving the emails are total strangers and not people in your address book?

    If that's true, then I don't think it's as big a problem. It sounds like they are just randomly generating spoofed return addresses for comcast. I used to get that all the time on RoadRunner; they use fake RR addresses to spam, it gets them past the filters since RR considers its own customers trustworthy.
     
  23. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #23
    It's not always about you. There are several people who ran down the blind alley of viruses and other unlikely causes of the OP's problem. You are just one of them. As for my post, I used the word virus once. The word was included in the middle of a bullet list that dismissed five possibilities as the prospective cause of the OP's problems. It went right over your head that when I quoted your reference to Office, I was dismissing Microsoft as a cause of the OP's problem.
     
  24. MacNoobie thread starter macrumors 6502a

    MacNoobie

    Joined:
    Mar 15, 2005
    Location:
    Colorado
    #24
    So an update: the messages continued to a prospective client of mine twice, the most recent one at 9:43 am this morning (it's now 12:24). I talked to Comcast support which is almost like talking to a brick wall since the lady wanted me to install McAfee Security Suite on my Mac and kept calling it a PC specifically. I've stopped using Entourage and used Mail (still happens) and the ONLY thing I've noticed differently between the "rogue" emails and legit ones is the rogue one has Javamail.root@sz0147a.emeryville.ca.mail.comcast.net as the In-Reply-To. The legit ones don't have the Javamail.root portion, just the random ID, but everything else looks legit: had the Apple Message framework v930.3 in the Mime Type, Apple Mail 2.930.3 in the X-Mailer etc etc so it looks like Mail sent it (it also tagged Entourage also).

    I'm on the verge of reinstalling OSX (no archive and install) and reinstalling most of my software (there goes like 2 days at least). Running ClamXav now to see if it will pick up anything (doubtful)
     
  25. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #25
    You have correctly stated the nonexistent value of such a measure, but still you are thinking of trying it?

    I didn't completely reread this thread, but IIRC, nobody suggested that the problem has anything to do with OSX, and everything to do with spoofed e-mail addresses, about which you can do absolutely nothing except abandon that e-mail address and use a different one.
     