NAV reports lots of mail sending failures, while I don't send any mails

Jörg Pötzsch

I am running Win XP SP2 (all security updates installed), NAV 2005 with all
updates and standard protections enabled, connect to the internet using a
Netgear DSL-router (WGR 614), with the firewall turned on. Clean system, NAV
does not detect any virus or other suspicious files. In the router setup,
some ports are forwarded to be used by a handful of applications. No DMZ
specified.

And still:
From time to time, usually right after boot, I am getting lots of NAV 2005
notifications "Mail could not be sent" (the little yellow pop up windows) -
where all the subject lines look like spam, and the recipients are
completely unknown to me. It does not matter, whether Outlook is running or
not and I did not even try to send an email -

The only thing that helps is to physically disconnect the router from the
dsl modem and to wait half an hour. After reconnecting - it's over. I have
three computers connected to the router; only the machine running XP is
affected.

Did anyone ever have the same trouble? And what can be done to stop this? I
assume, somebody uses one of my email accounts to send out spam -

Thanks
 
I've had about a hundred MAILER DAEMON failure notices this last 24
hours. All supposedly returned stuff that I sent. Looking at the body
of the messages they all seem to be medication (Viagra) etc. I just
wonder if it's spam disguised as returned mail. I suppose if you look
at it from the spammer's point of view this time I've taken the trouble
to read it. Normally I junk it without reading.
 
No, I don't get the mails themselves. I just get the Norton windows, telling
me that mails couldn't be sent. Otherwise no traces in in- or outboxes
anywhere.
 
Jörg Pötzsch said:
No, I don't get the mails themselves. I just get the Norton
windows, telling me that mails couldn't be sent. Otherwise no
traces in in- or outboxes anywhere.

Today's mass-mailing worms do not use your email client. They no
longer attach themselves to mail *you* send [1]. They have their own
built-in SMTP engines and quietly send in the background while you are
online. Does your computer seem sluggish?

These worms are the engine-of-choice of spammers, too. Your computer
is likely to be relaying spam. If you had a firewall, you may be able
to block it.

[1] which is why scanning your outgoing mail is pointless.
 
I am not sure that it is the same thing that the OP is seeing. Also, it is
not "supposedly returned" that you sent, it is actual returned email that
you supposedly sent. Spammers have the nasty habit of forging valid email
addresses as the sender of the spam. This is done to avoid filters which
dump email from invalid domains, and the like. The unfortunate side effect
is that mail systems which bounce email after accepting it, send the
delivery failure notices (bounces) to the "Return-Path:" email address. When
that is forged, the victim of the forgery receives the bounces.

All that you can do is complain to the system administrators of the system
sending these bounces. Ask them to either turn it off, or at least to block
such bounces from their system to your account.
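
Added example, not part of the original thread: one way to tell a forged-sender bounce from mail your own machine really sent is to read the Received: hop recorded inside the returned message. The bounce text, host names, addresses and function names below are constructed for illustration.

```python
from email import message_from_string

# Constructed bounce (DSN) for illustration; hosts and addresses are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Return-Path: <victim@example.org>
Received: from dsl-host.example.com (dsl-host.example.com [203.0.113.77])
\tby mx.example.net with SMTP; Mon, 1 Jan 2007 00:00:00 +0000
From: victim@example.org
Subject: cheap meds

buy now
--b1--
"""

def original_received(bounce_text):
    """Return the Received: headers of the message embedded in a bounce."""
    msg = message_from_string(bounce_text)
    for part in msg.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            payload = part.get_payload()
            inner = payload[0] if isinstance(payload, list) else message_from_string(payload)
            return inner.get_all("Received", [])
    return []

def sent_via_my_servers(bounce_text, my_hosts):
    """True if the topmost hop (written by the bouncing server) names one of my_hosts."""
    hops = original_received(bounce_text)
    top = hops[0].lower() if hops else ""
    return any(h.lower() in top for h in my_hosts)
```

Pass your own public IP address and your provider's outgoing mail server as `my_hosts`; a result of False means the spam was handed over by someone else's machine with your address forged as the sender.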
 
It sounds suspiciously like you have a spam engine running in the
background. This may not be a normal virus that NAV is designed to detect;
or NAV has been tweaked by malware to ignore this particular program.

You might try running TCPView from Sysinternals to see what processes are
using what ports. Go here:

http://www.sysinternals.com/

On Windows XP (and Windows 2K) systems this will actually show the processes
listening on open ports. For those of you with Windows Me (or Windows 98)
TCPView will run, but only has a slick GUI for "netstat"; you won't see the
processes listening on the open ports.
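
Added example, not part of the original thread: the same check TCPView allows by eye, done over saved `netstat -ano` output, listing which process IDs hold outbound connections to mail ports, as a background engine with its own SMTP code would. The sample output, addresses, PIDs and function name are constructed.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows host (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.0.2:1045       203.0.113.10:25        ESTABLISHED     1812
  TCP    192.168.0.2:1046       198.51.100.7:25        SYN_SENT        1812
  TCP    192.168.0.2:1047       198.51.100.99:25       SYN_SENT        1812
  TCP    192.168.0.2:1050       192.0.2.25:25          ESTABLISHED     2204
  TCP    192.168.0.2:1051       192.0.2.80:80          ESTABLISHED     3020
  UDP    0.0.0.0:445            *:*                                    4
"""

SMTP_PORTS = {25, 465, 587}
# Proto, local addr:port, remote addr:port, state, PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def outbound_smtp(netstat_text, allowed_servers=()):
    """Return {pid: sorted remote mail endpoints} for outbound SMTP connections
    whose remote address is not in allowed_servers (e.g. your ISP's mail relay)."""
    hits = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _lip, _lport, rip, rport, state, pid = m.groups()
        if state == "LISTENING" or int(rport) not in SMTP_PORTS:
            continue
        if rip in allowed_servers:
            continue  # expected traffic from the real mail client
        hits.setdefault(int(pid), set()).add(f"{rip}:{rport}")
    return {pid: sorted(endpoints) for pid, endpoints in hits.items()}
```

A single PID talking to several unrelated mail servers at once is the pattern to look for; a normal mail client connects only to its configured server.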
 
Thanks! I'll try TCPView when the phenomenon occurs again.
