Re: Eudora SPAM Issues.. (Followup)
Thanks to everyone who has responded. (And for those of you who accept messages
on accounts that you also put up out-of-office messages, SHAME ON YOU - I got
at least 50 of these back). I apologize that I have not responded to most of
you that have replied, there were just too many.
Let me clear up a few things about my original post that either I forgot to
include or that I didnt know at the time.
1 - All the "bad" features of Eudora are turned off: No HTML Content is shown
(which actually doesnt work completely), executables are turned off, and we are NOT using
the Microsoft Viewer. These users are in paid mode, and have junk filtering turned on. We
see the mail somehow executed before or during the Junk filtering process.
2 - These machines are as clean as I can tell -- Up-to-date Antivirus and Spyware
definitions (Including scans using HijackThis and CWShredder, Spybot Search &
Destroy, Ad-Aware) and a look at everything that is starting up. These scans were
performed both in and out of safe-mode.
3 - I have analyzed the messages that are coming in (in another client -
thunderbird), and I cant find anything that would be executing in the basic
SPAM html code that is in this message. This does not happen with every spam
that comes in. It has not happened much in the last 2-3 days.
4 - I would say this happens for about 5 of every 100 spam messages, so it is
definitely NOT every spam.
5 - The outgoing messages ARE the same as the incoming messages -- What I meant
to say before was that the recipients are not the same. The content IS the same.
This isnt happening as much as it was before (I am unsure why), but it does still happen. I am going to try to get a hold of some of these messages that cause this behavior. It is difficult, however, because of the large volume of spam that comes in, and only a small percentage cause this behavior.
I will also be in contact with the Eudora folks if this continues.
Be assured -- these machines are no longer sending out ANY mail, only receiving
to see what gets kicked into the outbox.
Thanks again,
Brian Luerssen
Infinite Consulting
ICI Security Team wrote:
I have a client who is seeing large amounts of spam originate inside
their organization. I have traced the spam to Windows machines running
Eudora 6.1.1 (latest) in paid mode. Apparently, spam messages come in,
something is executed in these spam messages, and copies/duplicates
(with forged names/headers) immediately drop into the Eudora OutBox
(Messages waiting to be sent) to many users all located in the Eudora
Addressbook of that particular computer.
We have scanned (in safe mode and regular) with Norton AV Corporate
fully up to date, along with numerous spyware, malware, adware scanners
(Spybot Search & Destroy 1.3, CWShredder, Ad-Aware) all with up to date
definitions, and have come up with nothing.
It seems as though some sort of arbitrary execution of code within
Eudora emails is automatically executed before the Incoming SPAM is
classified as such and moved into the JUNK folder.
Headers of the outgoing spam contain the following lines (other than
forged from, reply-to, to, and subject):
X-Mailer: Zckvdgt 0.7
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit
The outgoing spam is not always the same, but is (I believe) based on
the spam that comes in. We have seen Prescription Drugs, Pornographic
Sites, and other common SPAMs.
Is anyone else seeing this or can anyone provide any information? Any
advise would be helpful. In the time being, I am going to move those
users to Thunderbird in efforts to stop originating spam.
Thanks
Brian T Luerssen
Infinite Consulting Inc.