Returned Mail ++

Alan Cox
My server is PlusNet and they have been very good for 2 years at filtering unwanted stuff (well so far as I can tell anyway). In the last few weeks, this has changed and I have been getting more and more returned emails as undeliverable or for other reasons. None of them have been emails that I have sent or recognise in any way as remotely relevant to me. Some of them include a foreign script that may be Greek or Russian or something. Today I got 7 of these pesky things. Has anyone else had the same experience or am I being picked on? And, what do I do? I am reluctant to use a Mail Rule to consign them all to oblivion before I've seen them because I may miss one I did send? (The address is often Mail Delivery System <[undisclosed email]>)

Re: Returned Mail ++

Lionel Ogden
Speak to the Plusnet help desk; I have always found them to be very helpful.

Re: Returned Mail ++

Alan Cox
Thanks Lionel. I should have thought of that myself.

I rang the Helpline and the chap told me that the likely explanation was that I had got some sort of infection that was using my email address to send out daft emails. He also said that Macs do have lots of viruses contrary to popular belief.

His recommendation was to download and instal a free antivirus program called Avast and do a full system scan which should identify any infection and get rid of it.

Before doing this, I would appreciate any comments, including from any one who has used Avast. As ever with these things, there seem to be all sorts of options which frighten folk like me!

Re: Returned Mail ++

Derek Wright
You do not say whether you are using a Mail program on the computer eg Mail or Thunderbird etc or whether you are using the Web interface to see your mail.

If you are using the Web interface then the computer is not involved in this problem.

Plusnet had a problem a few years ago when they accidentally made users' passwords available - they then offered users the option of setting up private domain names - do you have a private name or is it an @plusnet. format email address?

If you are using a Plusnet email address then the problem could be your address has been hacked, rather like Yahoo addresses were hacked a few weeks ago.

Have you asked about this problem on the ThinkBroadband Plusnet forum and also on the Plusnet community forum to see if other users have experienced this problem?

Re: Returned Mail ++

Mick Burrell
I have this issue from time to time with one of the addresses I use for my cottage rentals. As that address must be on thousands of computers having replied to peoples' enquiries, I've always assumed it's been harvested from an infected PC.

As a side issue, I'm often asked if I yet have anti-virus software on my Mac. I thought it about time I looked into this so downloaded ClamXav and ran it. It found one phishing email dated 2005 which I'd not deleted but sidelined (it was obvious to me that's what it was). You could try that but my guess would be it's not anything to do with your machine.

Re: Returned Mail ++

Eleanor Spenceley
I started to write a long reply, instead, for more information I'd recommend you read:

For having to install anti virus on the Mac:
http://guides.macrumors.com/Mac_Virus/Malware_FAQ
http://gigaom.com/apple/antivirus-software-on-your-mac-yes-or-no/
https://discussions.apple.com/docs/DOC-2435
https://discussions.apple.com/thread/3919183?start=0&tstart=0

As for receiving emails from 'yourself':

It is highly likely the 'bad guys' have got your email address from somewhere on the web (forums perhaps) or picked it up from someone who knows you but is running a poorly protected/virus ridden Windows PC.

Note the issuing server: mk-outboundfilter-1.mail.uk.tiscali.com. tiscali not plusnet. It appears they are now using your email to spoof you and everyone else from a tiscali server not your Mac on plusnet.

http://www.windowsecurity.com/articles/Email-Spoofing.html
http://en.wikipedia.org/wiki/Email_spoofing
http://wiki.answers.com/Q/How_do_you_stop_spoof_spam_email_from_your_own_email_address
http://www.ehow.com/how_6855730_prevent-spoofing-emails.html

After reading all this and you are still concerned your Mac has a 'virus'... I'd install Sophos anti virus protection to check your machine.

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
Then at least you know for certain. Though I know of no Mac virus/trojan which collects your email address.
The worst it can do is make you paranoid since it will probably at least come up with the odd Windows** virus in your Spam email folder! When I ran it on all my Macs nothing was found.

(Note: ** Windows viruses are of no real concern to you since they are harmless to a Mac and only an issue if you pass them on to a Windows user who probably will not be too happy!). Anti virus applications often do not distinguish between Windows/Mac viruses identifying all as 'dangerous', I think this is an effective way of making you paranoid enough to buy a copy!!! :-)

Once/if you find out there are no Mac (**) issues you could always uninstall it if it does start making you paranoid!!! :-)

Remember, no Anti-virus software will protect you from _new_ malware issues, since their software will not know about them either!!! So you are just as at risk without Anti-virus as with until the AV company updates their software to check for it! No Anti-virus software would have prevented the recent 'Java/botnet' exploitation, in fact one Anti-virus antidote to this made things worse not better!

http://www.pcmag.com/article2/0,2817,2402981,00.asp

Also remember, Apple includes its own basic malware protection since Snow Leopard:
http://arstechnica.com/apple/2009/08/snow-leopard-includes-rudimentary-malware-protection/
http://arstechnica.com/apple/2011/07/mac-os-x-10-7/9/#security

Make sure you keep your Mac up-to-date and install any security updates in a timely fashion.

Believe it or not this is my short reply... :-)
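
The check described in the reply above (looking at which server actually issued the bounced message), as an added example that is not part of the original post. The bounce text is constructed, and `myisp.example` is a placeholder for your own provider's mail domain; only the tiscali relay name comes from the thread.

```python
import email
import re
from email import policy

# Constructed bounce for illustration: addresses, IPs and IDs are made up.
# Only the relay name mk-outboundfilter-1.mail.uk.tiscali.com is from the thread.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.recipient.example>
To: alan@myisp.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from mk-outboundfilter-1.mail.uk.tiscali.com (unknown [192.0.2.10])
 by mx.recipient.example with ESMTP id ABC123; Mon, 2 Jul 2012 10:00:00 +0000
From: alan@myisp.example
Subject: hello

body
--b1--
"""

HOST = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def relays_of_original(bounce_text):
    """Hostnames in the Received headers of the message embedded in a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            inner = (part.get_payload(0) if part.is_multipart()
                     else email.message_from_string(part.get_content()))
            received = inner.get_all("Received", [])
            return [h.lower() for line in received for h in HOST.findall(line)]
    return []

def sent_via(bounce_text, relay_suffix):
    # Received lines below the first server you trust can be forged by the sender.
    return any(h == relay_suffix or h.endswith("." + relay_suffix)
               for h in relays_of_original(bounce_text))
```

If `sent_via(bounce, "myisp.example")` is false for the bounces you receive, the returned mail never passed through your provider's outbound servers, which points to a forged sender address rather than your own machine.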

Re: Returned Mail ++

Alan Cox
I am very grateful to everyone who has responded to my worry about emails which I have not sent being returned to me. Fortunately, the flood has become a trickle and long may this continue.

Meanwhile:– the Plusnet Adviser said there are lots of viruses in the Mac world despite claims to the contrary. I am using Mail and not webmail so the problem could be in my machine. I have scanned my system (Alan, Documents and Desktop) using ClamXav which found 2 infected files one of which it called: ‘classload.jar–3415c... Java.ClassLoader . .‘ The other one was almost the same. I have no idea where they are and whether it matters anyway – any advice please?

Meanwhile, I have read, digested and learnt from Martin’s ‘short‘ contribution, and goodness how long a ‘long’ contribution would take to get through, especially with all those links to websites. I think he is probably right in suggesting, ever so politely, that I am being paranoid and that some dastardly fellow has hijacked my Mail address for a little amusement. That’s how I’ll leave it for now and hope nothing worse turns up.

I do keep up to date with Security downloads but don't know that I can manage Mountain Lion unless I can scrape together enough bullion to get an up to date Mac.

Meanwhile, thanks again and any additional thoughts are always welcome.

Re: Returned Mail ++

Eleanor Spenceley
'classload.jar–3415c... Java.ClassLoader . .' is this correct? Because I cannot find any reference to it or anything near to it by Googling.

As for me implying you were being paranoid (ever so politely), that was not my intention.

Suffice to say, running 'Anti Virus' software can make you paranoid as it can show up 'false positives', alerting you of 'malware which run on Windows rather than a Mac', showing you all the new 'malware' it can now detect... etc... After seeing all this for days on end as the software processes all your files everyday, it would make anyone paranoid turning on their computer in the morning! :-)

Re: Returned Mail ++

Alan Cox
Martin, I am paranoid so you have not offended me and you are quite right to have thought that of me if you privately did!

The Filename and infection Name is as I typed.

I have spent most of today using Sophos to scan my whole system and it has (so far) found 12 'threats'. The first is called Troj/JDownl–A and the Filename is Classload.jar–3415c185–6f8. They are all 12 a bit like this. Sophos says this threat cannot be cleaned up so click the threat name to get manual cleanup instructions. I did this and Safari opened – well, sort of. It opened with a lovely white screen but did not deign to go to any web site at all so that's a bummer. Sophos gave me the path to the file but I couldn't follow it – no surprise there because the path was '/Users/alan/.jpi_cache/jar/1.0/classload.jar-3415c185-6f81cd62.zip [Installer.class]'.

Firefox does work (which is how I was able to do this) but it is not interested in the threat.

Meanwhile, Sophos still has 647,955 items to scan, and has been stuck there for the last 2 hours so it seems to have given up and I am stuffed.

I wish I'd never mentioned this problem ;–(((((. Should I now just close all windows, do a Restart and hope that Safari works?

Re: Returned Mail ++

Alan Cox
Quickly, quickly – I Quit Safari and re-opened it and it seems to be working OK again. As for the rest, I am stuck.

Re: Returned Mail ++

Eleanor Spenceley
Troj/JDownl–A - Appears to be an 'ancient' Windows Virus of 2004.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JDownL-A.aspx

I am also interested in the other 11.
(I am also puzzled how it's got into .jpi_cache). As I understand it this is a very old way to cache java applets. I don't have it on any of my 'newer' Macs. What have you been running to get this? :-)

If Sophos has frozen, try 'force quitting' it and rerunning. (Here we go... down the slippery, paranoid slope of running AV software... Ho Hum). Or try another AV software.

Are you wanting me to have a look at your Mac via a remote/iChat connection? You know my email address, find me on iChat.

Re: Returned Mail ++

Alan Cox
Thanks to Martin (Sophos and iChat in which I couldn't be heard), he has removed a batch of Windows viruses from my machine and no Mac viruses have appeared. These Windows viruses dated from 2004 and must have been on a previous machine and migrated to my present one which I bought in 2007.

The flow of returned emails which I had not sent has decreased substantially, so I am assuming they were due to some silly guy (or guyess) who grabbed my email address to have a bit of childish fun.

Re: Returned Mail ++

Eleanor Spenceley
Just a quick follow up for anyone still alarmed how Alan got 12 Windows viruses.

There were 2 (7 year old) viruses hiding in a hidden .jpi_cache folder (which itself had not been used for about 7 years! but probably got migrated from his last machine migration). These viruses were not doing anything, have not been run and were essentially data junk in a long forgotten folder.

The other 10 reports were copies of these viruses within Time Machine backups.
I've removed the .jpi_cache folder from his home account and the copies on his Time Machine will eventually get purged over time. (It's too much hassle to track them on Time Machine, they are totally benign and can essentially be ignored).

How did Alan get these Windows viruses? By visiting a website which the Web Browser downloaded the Java applets into .jpi_cache and then forgotten about since they were targeted towards security lapses on Windows systems.

In conclusion:

No Mac malware was found.
Viruses were not the cause of the e-mail spoofing.
Shame the PlusNet guy gave such bad/alarmist advice.

All pretty much as expected. Whatever Mac malware there is, Apple's own security measures appear quite adequate in this case.

It's a case of 'move along, there's absolutely nothing to see here'. :-)