petrus
join:2002-01-09 Atlanta, GA
"Unauthorized" outbound email. Trojans? Solution?
Over the past 2 days, I have observed two outbound emails being sent from my computer, that I did not send. I noticed Norton Antivirus scanning the outbound email as I was surfing the Internet. My email client was not open on either occasion. I opened and checked my sent mail within my email client and everything there was mine.
I am very security conscious and I have ZoneAlarm Pro, Norton Systemworks, Spywareguard, Spywareblaster, Spysweeper etc. etc. installed. I do regular scans at trojanscan.com and housecall.trendmicro.com and I run Digital Patrol anti-trojan software periodically. None of these have found any trojans. On my ZoneAlarm program list, I have configured each listed program to PROMPT me before sending email. I just don't see how any emails could have been sent without my permission. I am perplexed. Comments or suggestions will be appreciated.
 Mbrown2480
join:2001-03-20 Vancouver, BC
Do you have any programs that email reports, such as DShield or GFI LanGuard? Have you checked your scheduled tasks for programs whose Last Run Time corresponded with the times of the emails?
dave Premium,MVM join:2000-05-04 not in ohio
reply to petrus: If you use Outlook Express, turn on SMTP logging.
(Probably on the Maintenance tab, but I don't have one to look at right now.)
The log ends up in the same directory as your Outlook Express message store, as far as I recall.
 petrus
join:2002-01-09 Atlanta, GA 3 edits
reply to petrus: I do have GFI LanGuard installed, but ZoneAlarm prompts me before sending any email. I do not have DShield. I will check scheduled tasks.
I do not use Outlook or Outlook Express. I use Pegasus for my email.
 Mbrown2480
join:2001-03-20 Vancouver, BC
2 edits
reply to petrus: If the program in question has its own SMTP engine, the debugging logs of Pegasus wouldn't show anything, and besides, you didn't see anything when you looked at your sent email.
Doesn't NAV have logging for its email scanning? That should at least narrow down the time.
You could always block port 25, TCP and UDP, for the time being, except when you want to send email. This might delay the program while it is executing so you can try to gather some more info.
Here are some programs that use port 25 TCP, "Ajan, Antigen, Barok, BSE, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Stukach, Tapiras, Terminator, WinPC, WinSpy", from lists.gpick.com/portlist/portlist.htm .
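An added example, not from the thread, illustrating Mbrown2480's suggestion to compare scheduled tasks' Last Run Time with the times of the unexplained emails: a PowerShell function that lists every task whose last run falls within a few minutes of an observed send. It uses the ScheduledTasks module cmdlets Get-ScheduledTask and Get-ScheduledTaskInfo (Windows 8 / Server 2012 and later, not the 2003-era Task Scheduler the thread had in mind); the sample task data and times below are constructed so the function can be tried offline.

```powershell
# Added example (not from the thread): find scheduled tasks whose last run time
# lines up with the moments Norton flagged an outbound email the user did not send.

function Find-TasksNearTimes {
    param(
        [Parameter(Mandatory)] [datetime[]] $ObservedTimes,  # when the outbound mail was seen
        [int] $ToleranceMinutes = 5,                         # how close a task run must be to count
        [object[]] $Tasks = $null                            # optional pre-collected task data (offline use)
    )
    if (-not $Tasks) {
        # Live collection: each registered task with its last run time and the program it launches.
        $Tasks = Get-ScheduledTask | ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $_.TaskName
                TaskPath    = $_.TaskPath
                LastRunTime = $info.LastRunTime
                Execute     = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
            }
        }
    }
    foreach ($t in $Tasks) {
        if (-not $t.LastRunTime) { continue }   # never-run tasks cannot be the culprit
        foreach ($obs in $ObservedTimes) {
            $delta = [math]::Abs(($t.LastRunTime - $obs).TotalMinutes)
            if ($delta -le $ToleranceMinutes) {
                [pscustomobject]@{
                    TaskName     = $t.TaskName
                    TaskPath     = $t.TaskPath
                    Execute      = $t.Execute
                    LastRunTime  = $t.LastRunTime
                    ObservedTime = $obs
                    MinutesApart = [math]::Round($delta, 1)
                }
            }
        }
    }
}

# Constructed sample: two observed sends and three tasks. Two tasks line up with a send,
# the nightly cleanup does not, so only those two are reported for follow-up.
$observed = @([datetime]'2003-09-14 09:02', [datetime]'2003-09-15 09:03')
$sampleTasks = @(
    [pscustomobject]@{ TaskName='LanGuard Report'; TaskPath='\'; LastRunTime=[datetime]'2003-09-15 09:00'; Execute='lnss.exe' },
    [pscustomobject]@{ TaskName='Disk Cleanup';    TaskPath='\'; LastRunTime=[datetime]'2003-09-15 02:00'; Execute='cleanmgr.exe' },
    [pscustomobject]@{ TaskName='Unknown Task';    TaskPath='\'; LastRunTime=[datetime]'2003-09-14 09:01'; Execute='C:\Temp\unknown.exe' }
)
Find-TasksNearTimes -ObservedTimes $observed -Tasks $sampleTasks | Format-Table -AutoSize
```

Omit the -Tasks argument to query the live Task Scheduler instead of the constructed sample; a task whose Execute path points at an unfamiliar program is the one to investigate, not delete blindly.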
sig Premium join:2001-05-05
1 edit
As Mbrown mentioned, some malware has its own SMTP engine so it bypasses your email client. Presumably there are no new apps in ZAP's program list?
Someone else here recently had NAV alert to outgoing mail when they had sent nothing. Turned out to be a keylogger apparently sending logs. For another check for malware detection, I'd download an evaluation copy of TDS or Trojan Hunter, update the malware definition database and then run a scan. You can find these apps via this site: www.wilders.org/anti_trojans.htm
Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
reply to petrus: Do you have ZAPro Outbound E-mail protection adjusted properly?
E-mail Protection section.... Main tab.... Outbound MailSafe Protection on? Also check your Advanced settings to the bottom right of Outbound MailSafe Protection.
Outbound MailSafe protection alerts you if your e-mail program tries to send an unusually large number of messages, or tries to send a message to an unusually large number of recipients. This prevents your computer from being used without your knowledge to send infected attachments to other people. In addition, Outbound MailSafe protection verifies that the program attempting to send the e-mail has permission to send e-mail messages.
Outbound MailSafe protection works with the following e-mail applications:
Eudora, Outlook, Outlook Express, Netscape Mail, Pegasus Mail, Juno
-- "It's 5 O'clock Somewhere"
Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
1 edit
reply to petrus: You may have the E-mail protection adjusted properly, but just in case I'll add a couple of pics of where to adjust/add and what alert you should receive if the outgoing e-mail sender's address is not on the allow list.
exocet_cm Thank a cop Premium join:2003-03-23 New Orleans, LA
reply to petrus: I use ZoneAlarm's ID Lock. Whenever a program requests permission to send my e-mail, it will alert me AND display what program is attempting to send my e-mail address and to WHERE it is sending my e-mail address. This works with ANYTHING that is attempting to transmit my e-mail: webpages, programs, etc.
-- He that feeds a disease, feeds an enemy. Some diseases are starved. Starve your sins by fasting and humiliation. Either kill your sin, or your sin will kill you. - Thomas Watson
exocet_cm Thank a cop Premium join:2003-03-23 New Orleans, LA
reply to petrus: Here, perfect example. I requested admissions information from a college website that required my e-mail.
petrus
join:2002-01-09 Atlanta, GA
reply to petrus: Great information everyone. In ZAP I was using MailSafe but was not using ID Lock. This should do the trick. Again, MANY THANKS to all who responded!!!
exocet_cm Thank a cop Premium join:2003-03-23 New Orleans, LA
said by petrus: "Again, MANY THANKS to all who responded!!!"
That's what we're all here for.
Mbrown2480
join:2001-03-20 Vancouver, BC
reply to petrus
said by petrus: "I opened and checked my sent mail within my email client and everything there was mine."
I thought the program in question wasn't using his email client. If it is a key logger, how could he use ID Lock to protect against it? If it is a password stealer, he could enter all his passwords into ID Lock.
sig Premium join:2001-05-05
reply to petrus
said by petrus: "Great information everyone. In ZAP I was using MailSafe but was not using ID Lock. This should do the trick. Again, MANY THANKS to all who responded!!!"
Well, it may not do the trick completely. If you have any malware on your PC it'll still be there whether or not the ID Lock thing works. If you haven't already, you should download another AT as I mentioned above and double check to see whether or not you have something that your other apps missed.
petrus
join:2002-01-09 Atlanta, GA
I have been looking at various AT programs and have considered buying TDS3, but I have read in some other message groups that TDS3 has a "backdoor" which allows DCS to retrieve information from the user's computer without the user's knowledge. Have you ever heard this?
sig Premium join:2001-05-05
4 edits
I'd recommend trying before you buy any app, as long as a trial version is available. (BOClean is another often recommended AT but has no free trial. It does have a 30 day money back guarantee, no questions asked, which is honored. Easiest to use since it's only a real time monitor, so you install it and it even updates itself. Although you'd want to update manually right after installing. I have it and like it because it's a small app, takes care of itself, and behaves itself.)
As for what you've heard about TDS, some of the users here are about as paranoid as one can get about such things and no credible claims of installing a "backdoor" have been made here that I can recall. (And as I said, a number of fairly "paranoid" people use it so they must not have such concerns.) At one time, perhaps as long as a couple of years ago, TDS cracked down on illegal pirated versions, in which the app itself "turned itself in" to TDS (perhaps when an update was attempted? can't specifically recall) and the program was disabled. The user also was notified (via email? my memory is a bit fuzzy but I think that was the method) that he/she was using a pirated version and to either purchase or delete, if memory serves. That released a "spit"storm in some quarters and gave rise to the "backdoor" rumors. After that episode TDS abandoned that particular method of app authentication and unauthorized user notification.
Perhaps actual TDS users here might comment if they read this thread. There also is an open TDS forum comprised of users and TDS staff and user/mods. I'll give you the link so you can ask for yourself there (and consider the source of course, but something of the sort rumored would be fairly common knowledge I'd think if it were true). Meanwhile you can also see if someone else responds here in this thread. TDS Public forum: www.wilderssecurity.com/index.php?board=5
petrus
join:2002-01-09 Atlanta, GA
Thanks for the information. I will check out the TDS board and post some questions there about TDS and a "backdoor". From what I read, TDS3 is one of the best.
pctransfuz Normandy Beach
join:2003-07-26 Tempe, AZ
reply to petrus: I use AVG, from www.grisoft.com. Great, picks up all trojans/viruses.
Very good, trust it.
Late.