
Problem

Unexpected empty emails have been sent by an unknown source since 12 January 2015.

Attempts to solve the issue

  • they are all from the company where I do network/sys support
  • they are all from Windows 7 machines
  • all machines have outlook installed
  • emails have always empty body
  • it has nothing to do with user interaction. I called them several times right when an email arrived and they were doing just regular stuff like browsing etc. Sometimes I receive these mails even when there is nobody using the PC.
  • all three PCs started to send these mails on 12th January 2015
  • times are unrelated (sometimes I receive mail even during the night)
  • I receive email only when the PCs are on. For example RobertPC is always on and I receive emails only from it during weekends (the others are turned off)
  • there is some pattern in subjects of emails:

WITT - report Helios pocitac - coming from WittPC

WITT Lenka report - coming from Martina PC

WITT - Robert report - coming from RobertPC

However, notice the hyphen missing in "WITT Lenka report". Also notice the word "report" is in the middle of the subject in "WITT - report Helios pocitac" whereas in the other two subjects it's at the end.

Here I post the source of two mails. Note that I replaced my email address with my_email@gmail.com and the company's email address with company_mail@their_domain.com. The company is called WITT and it's related to the name in the subject.

Delivered-To: my_email@gmail.com
Received: by 10.114.12.67 with SMTP id w3csp5070519ldb;
        Mon, 2 Mar 2015 01:54:37 -0800 (PST)
X-Received: by 10.180.105.131 with SMTP id gm3mr34457493wib.11.1425290075184;
        Mon, 02 Mar 2015 01:54:35 -0800 (PST)
Return-Path: <company_mail@their_domain.com>
Received: from ub.wcontact.cz ([217.11.236.196])
        by mx.google.com with ESMTPS id f20si17829519wiw.11.2015.03.02.01.54.34
        for <my_email@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 02 Mar 2015 01:54:35 -0800 (PST)
Received-SPF: none (google.com: company_mail@their_domain.com does not designate permitted sender hosts) client-ip=217.11.236.196;
Authentication-Results: mx.google.com;
       spf=none (google.com: company_mail@their_domain.com does not designate permitted sender hosts) smtp.mail=company_mail@their_domain.com
Received: from Martina (136.67.broadband2.iol.cz [83.208.67.136])
    by ub.wcontact.cz (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id t22C0niI025497
    for <my_email@gmail.com>; Mon, 2 Mar 2015 13:00:50 +0100
Thread-Topic: WITT Lenka report
thread-index: AdBUzuF6ZasY+IMSR/WHxYqBQw1VZw==
From: <company_mail@their_domain.com>
To: <my_email@gmail.com>
Subject: WITT Lenka report
Date: Mon, 2 Mar 2015 10:54:31 +0100
Message-ID: <CEF9D61743624438AFB64DAEE2A1F904@Martina>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609

2nd email:

Delivered-To: my_email@gmail.com
Received: by 10.114.12.67 with SMTP id w3csp5079020ldb;
        Mon, 2 Mar 2015 02:13:46 -0800 (PST)
X-Received: by 10.180.214.99 with SMTP id nz3mr34911628wic.82.1425291226321;
        Mon, 02 Mar 2015 02:13:46 -0800 (PST)
Return-Path: <company_mail@their_domain.com>
Received: from ub.wcontact.cz ([217.11.236.202])
        by mx.google.com with ESMTPS id lc1si21540226wjc.149.2015.03.02.02.13.44
        for <my_email@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 02 Mar 2015 02:13:45 -0800 (PST)
Received-SPF: none (google.com: company_mail@their_domain.com does not designate permitted sender hosts) client-ip=217.11.236.202;
Authentication-Results: mx.google.com;
       spf=none (google.com: company_mail@their_domain.com does not designate permitted sender hosts) smtp.mail=company_mail@their_domain.com
Received: from RobertPC (136.67.broadband2.iol.cz [83.208.67.136])
    by ub.wcontact.cz (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id t22CK1a1025892
    for <my_email@gmail.com>; Mon, 2 Mar 2015 13:20:02 +0100
Thread-Topic: WITT - Robert report
thread-index: AdBU0ZFN59bSeq8gS72nD7K9MjemXQ==
From: <company_mail@their_domain.com>
To: <my_email@gmail.com>
Subject: WITT - Robert report
Date: Mon, 2 Mar 2015 11:13:47 +0100
Message-ID: <A28D9827680449BB964B51889EE50598@RobertPC>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609

Question

What service or application is sending these emails or how to track the source?

mist
  • The client is `Microsoft CDO for Windows 2000`. Very outdated, probably a virus? – sebix Mar 02 '15 at 14:56
  • I've just run a Nod32 scan. However there has been no message from the antivirus so far. – mist Mar 02 '15 at 15:04
  • Sniff the network on the machines itself to see which process connects to your server. – sebix Mar 02 '15 at 16:03
  • @sebix that's a good idea! Could you please tell me what sniffer shows the PID? I know that TCPView shows the PID but it's unable to record traffic. Maybe I will have to make a script and filter only SMTP connections, right? – mist Mar 02 '15 at 17:12
  • Did you have access on Sendmail server (ub.wcontact.cz)? – masegaloeh May 13 '15 at 05:50
  • Yes I have. There is Postfix. – mist May 13 '15 at 05:51
  • You can run [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645) to help you **log** network connection and its PID. [The program will need to be open and running for it to record the logs, but if you set it up to save the logs to disk as it records them you can always review them later](http://superuser.com/a/543781/320460). In the server, sendmail/postfix will also log the connection from those PCs. – masegaloeh May 13 '15 at 06:34
  • The key here is time correlation between `ub.wcontact.cz` and the three PCs. You can get the timestamp when `ub.wcontact.cz` receive the email and then looking the PID at Process Monitor log. – masegaloeh May 13 '15 at 06:35
  • I will try this. I have timestamp also in email header. Thanks. – mist May 13 '15 at 06:36
  • This actually looks very promising. Process Monitor is exactly the tool that I needed. I have a filter for all packets related to ub.wcontact.cz. We will see the result soon I guess :-) – mist May 13 '15 at 06:50
  • Looks like ub.wcontact.cz acts as an open relay. Do the Windows PCs have to authorize against the SMTP server? Or are the Windows machines in a trusted network? If the Windows machines are in a trusted network, then probably they are spamming other users too. – Guntis May 13 '15 at 07:28
  • @Guntis: it's the MX server for my domain, which the emails are sent to. – mist May 13 '15 at 07:35
  • Is mail sent to another users too from that windows machines? or only to your email? – Guntis May 13 '15 at 09:21
  • Only to my email. – mist May 13 '15 at 09:22
  • Have you checked the scheduled tasks on the affected machines ? Does this occur only when the user is logged in ? I suggest you give the users a new PC and keep these machines for further analysis, and put them behind a computer with `tcpdump` capturing all traffic. I strongly suspect malware. An antivirus isn't a silver bullet and won't protect from targeted attacks. –  May 13 '15 at 15:14
  • Problem is solved. There was a connection to the SMTP server by the process taskeng.exe. Which are scheduled tasks indeed. Like three years ago I put there this task to notify me when the backup drive is full. It never worked however. Suddenly it started to work this January :-) Process Monitor led me to this so @masegaloeh please post your suggestion as an answer so I can give you the bounty. Thank you so much! – mist May 13 '15 at 15:33

1 Answer


Disclaimer 1: Of course Windows already has good auditing tools to deal with something like this. Unfortunately in a Windows environment I don't have experience as a sysadmin, only as a regular end-user.

Disclaimer 2: When someone encounters a similar issue like this (mysterious email, or outgoing packet), it would be a good idea to disconnect this machine for further analysis.

A randomly occurring problem can be tracked using a good logging system. In this case, you need to set up logging on your mail server and on the end-user PC. The Windows PC must have log entries with timestamp, PID, and outgoing connection target. The Debian server should have logging of the timestamp when the email was received and who the sender and recipient of the email were. With these two pieces of information you can see which process sent the email to you. That's why time synchronization is important.

In the past, you have used TCPView to get a picture of Windows activity. The bad news is TCPView can't do logging. So, you have to look at the TCPView window until the email is sent. The other bad news is that an SMTP transaction can be very fast, so there is little chance that your eyes capture the SMTP event.

Based on this Super User answer, you can try Process Monitor to help you log network connection and its PID. The program will need to be open and running for it to record the logs, but if you set it up to save the logs to disk as it records them you can always review them later.

Process Monitor

With this tool you can let it run and check the log at the end of the day. No need to watch the screen continuously again.

masegaloeh
  • I used a filter to display exactly the packets I wanted: SMTP which leads to ub.wcontact.cz. Also I checked "Drop filtered events" in Options. This way I let it run over the day and then just took a look at what process was sending emails. – mist May 13 '15 at 23:28
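The time correlation masegaloeh describes, as an added example in Python (not code from anyone in the thread): it takes the relay hop and the Date header from the first mail in the question, reports the relay's clock skew, and matches port 25 connections in a constructed Process Monitor CSV export against the PC's own clock. The headers in the question show why the match must run against the Date header rather than the relay timestamp: the Date header (10:54:31 +0100) agrees with Google's receipt time (01:54:35 -0800), while ub.wcontact.cz stamped the same mail 13:00:50 +0100, so the relay's clock is roughly two hours off. Assumed: the export's "Time of Day" column is in 24-hour format, resolved address names are off, and the PC and relay both report +0100.

```python
"""Correlate a suspicious mail with a Process Monitor export to find the PID
that opened the SMTP connection. Added example for this thread, not code from
the original posts; the Process Monitor rows below are constructed."""
import csv
import io
import re
from datetime import datetime, timedelta

# Headers copied from the first mail in the question (relay hop and Date).
HEADERS = """\
Received: from Martina (136.67.broadband2.iol.cz [83.208.67.136])
    by ub.wcontact.cz (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id t22C0niI025497
    for <my_email@gmail.com>; Mon, 2 Mar 2015 13:00:50 +0100
Subject: WITT Lenka report
Date: Mon, 2 Mar 2015 10:54:31 +0100
"""

# Constructed Process Monitor CSV export from the PC "Martina" (assumed
# 24-hour "Time of Day" and unresolved addresses; relay IP from the thread).
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path"
"10:54:29.1180021","svchost.exe","812","TCP Connect","Martina:49521 -> 83.208.67.136:443"
"10:54:30.8821934","taskeng.exe","3412","TCP Connect","Martina:49522 -> 217.11.236.196:25"
"11:02:07.4411223","OUTLOOK.EXE","2204","TCP Connect","Martina:49530 -> 217.11.236.196:25"
"""

RFC2822 = "%a, %d %b %Y %H:%M:%S %z"

def parse_times(headers):
    """Return (originating host, relay receipt time, Date header time)."""
    h = re.sub(r"\r?\n[ \t]+", " ", headers)  # unfold continuation lines
    m = re.search(r"^Received: from (\S+) .*?by ub\.wcontact\.cz .*?;\s*(.+)$", h, re.M)
    relay_time = datetime.strptime(m.group(2).strip(), RFC2822)
    date_time = datetime.strptime(re.search(r"^Date:\s*(.+)$", h, re.M).group(1), RFC2822)
    return m.group(1), relay_time, date_time

def correlate(headers, procmon_csv, window=timedelta(seconds=5)):
    """Match port 25 connects against the Date header (PC clock, comparable
    with PC-local Process Monitor times); return the relay skew separately."""
    host, relay_time, pc_time = parse_times(headers)
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "TCP Connect" or not row["Path"].endswith(":25"):
            continue
        hms = datetime.strptime(row["Time of Day"].split(".")[0], "%H:%M:%S").time()
        when = datetime.combine(pc_time.date(), hms, pc_time.tzinfo)
        if abs(when - pc_time) <= window:
            hits.append((row["Process Name"], int(row["PID"])))
    return host, relay_time - pc_time, hits
```

Widen `window` if the PC's clock and the mail's Date header were not both set by the same machine; the skew value tells you how far the relay's log timestamps are from the PC's.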