So, an update: the messages continued, to a prospective client of mine twice, the most recent one at 9:43 am this morning (it's now 12:24). I talked to Comcast support, which is almost like talking to a brick wall, since the lady wanted me to install McAfee Security Suite on my Mac and kept calling it a PC specifically. I've stopped using Entourage and used Mail (still happens), and the ONLY thing I've noticed differently between the "rogue" emails and legit ones is that the rogue one has Javamail.root@sz0147a.emeryville.ca.mail.comcast.net as the In-Reply-To. The legit ones don't have the Javamail.root portion, just the random ID, but everything else looks legit: it had the Apple Message framework v930.3 in the Mime Type, Apple Mail 2.930.3 in the X-Mailer, etc., so it looks like Mail sent it (it also tagged Entourage).

I'm on the verge of reinstalling OS X (no archive and install) and reinstalling most of my software (there goes like 2 days at least). Running ClamXav now to see if it will pick up anything (doubtful).


Reinstalling OS X or Mail or anything won't help. Either through deliberate maliciousness - or through the random act of a bored script kiddie - someone is definitely putting the spoof on you. My vote is it's just randomly happening & these BS e-mails could even be 'bot behavior. I could get into all kinds of detail - but you could just google a little bit & discover what is more probably happening to you.

Googling "mail spoofing" or "mail spoofing bot" will take you to tales of thousands & thousands of people who are going through what you are going through.

Change your e-mail addresses - notify people on your list of what's happening - and your problems should disappear.
 
The problem with spoofing is: how is this script kiddie gaining access to new client email addresses, ones that for example didn't exist before?

As I've said, it seems like new emails come in, some with entirely new clients and new email addresses, so if some script kiddie is out there spoofing those email addresses with my return address, then how is he doing it with new emails that arrive? You can't simply tell me that he's spoofing my return address to every other address out there, otherwise I'd be getting emails from random people that I don't even have in my address book.

It sounds like whatever is doing this either exists at Comcast's gateway, thus sitting between me and the client and sending random emails with that message, in which case it would affect a lot of people. Another possibility is it really exists on this Mac (such as a daemon) and just reads over the email database and randomly sends an email to whatever new comes in, thus it has access to my contacts.

I remember being on AIM with IM+ and push emails enabled on the iPhone, only to log in and come back to my friend asking me what "**** you! i'm crazy!" was. That was the VERY first time I noticed it; I changed all my passwords on emails/sites/etc.

You have correctly stated the nonexistent value of such a measure, but still you are thinking of trying it?

I didn't completely reread this thread, but IIRC, nobody suggested that the problem has anything to do with OSX, and everything to do with spoofed e-mail addresses, about which you can do absolutely nothing except abandon that e-mail address and use a different one.

My point is this: it seems to be just me, since I don't hear anyone else complaining about it when Google-searching the phrase. It seems to "know" my contacts, and the newest emails almost always get a random rogue email. So if I have a new client that emails me, then they get one. It's always the newest email in the box, as one of my older partners didn't receive it but did when he just emailed me a week or two ago.

If it is some sort of spoofing via a human, then I'm wondering how it's getting new email addresses that are sent to me. It's not like the guy's spamming thousands or millions of people randomly with my return address and I'm getting random emails back from people I don't know. So then that leaves us with a spoof bot... um, OK, but aren't those practically nonexistent on OS X? And if not, then what or where would I look to try and find it: Activity Monitor? A terminal command?

I do have Little Snitch installed and deleted all the programs on its access list, hoping I'd catch some rogue program trying to access the internet, but the only thing I keep seeing is access to creativepro.com by a PubSubAgent.app on port 80 when I access Mail.

I don't think it's a person. I'm sure of it, because I don't get emails from random people replied/forwarded to me saying "what the hell". It's always the newest/last email received.
 
The problem with spoofing is: how is this script kiddie gaining access to new client email addresses, ones that for example didn't exist before?

I don't follow precisely what you are trying to say here, but all it takes for this to occur is for someone's e-mail address book to be compromised (easily and frequently accomplished in Windows). If it is someone you know and with whom you do business they could have many e-mail addresses in common with you. I get a lot of spam with the return address of people I know. Their PCs have probably been turned into spam zombies. Nobody has yet compromised a Mac in this fashion, so if you think it's happened to you, it would be a first in OSX history. Consider the odds before you act.
 
I just read over this thread for the first time, and looked at the headers of the email you posted. I have had some experience in writing email applications.

Unfortunately, what you posted doesn't do any good in determining the cause. You are just posting the full headers of the message you got in reply to the original. The emeryville and JavaMail references are just details of the email account that person is using, not the origin of the "**** you" message.

Can you ask a recipient to view and copy to you the complete message that is using your email address?
 
PROBLEM SOLVED!!!!!!!!!!!

So this happened to me tonight: I decided to send myself an email just to see if this funky email was still happening, and sure enough I got a copy of it in my mailbox. Getting so frustrated, I decided to do as one person said and just email everyone and close down the account. So I went to log in to my Comcast account and searched around the settings, and in doing so I found that the auto-reply setting was switched on and, sure enough, said "**** you! i'm crazy!".

I know who did it and I've changed the password, so hopefully I'll be good for another 3 years lol.
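
The pattern in this thread (the unwanted message always goes to whoever mailed the account most recently) is what a server-side auto-responder produces. As an added example, not part of any post above, the following Python sketch checks a copy of the unwanted message, as a recipient would forward it back, for two signs of an auto-reply. It assumes the provider sets the RFC 3834 `Auto-Submitted` header, which not every auto-responder does; all addresses and message IDs are constructed.

```python
from email import message_from_string

# Constructed sample: the unwanted message as a recipient forwarded it back.
ROGUE = """\
From: me@example.net
To: client@example.com
Subject: Re: Project quote
Message-ID: <999.auto@mail.example.net>
In-Reply-To: <1234.inbound@client-mta.example.com>
Auto-Submitted: auto-replied

(auto-reply text)
"""

# Constructed sample: a message the account owner actually composed.
LEGIT = """\
From: me@example.net
To: client@example.com
Subject: Project quote
Message-ID: <1000.user@mail.example.net>
X-Mailer: Apple Mail (2.930.3)

Hello
"""

def autoreply_indicators(raw, inbound_ids=()):
    """Return reasons why `raw` looks like a server-generated auto-reply.

    inbound_ids: Message-IDs of mail recently received by the account
    (hypothetical input, e.g. collected from the inbox).
    """
    msg = message_from_string(raw)
    reasons = []
    # RFC 3834: any value other than "no" marks an automatic message.
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        reasons.append("Auto-Submitted: " + auto)
    # An auto-responder answers a specific inbound message, so its
    # In-Reply-To points at mail the account just received.
    irt = (msg.get("In-Reply-To") or "").strip()
    if irt and irt in inbound_ids:
        reasons.append("In-Reply-To matches inbound " + irt)
    return reasons

if __name__ == "__main__":
    inbox = {"<1234.inbound@client-mta.example.com>"}
    print(autoreply_indicators(ROGUE, inbox))
    print(autoreply_indicators(LEGIT, inbox))
```

If either indicator fires, check the account's webmail settings (auto-reply, forwarding, filters) and change the password before reinstalling anything locally.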
 