Entries have appeared in my address book withoiut my knowledge



14 years ago
14 years ago


(Reporter: amenex, Assigned: sspitzer)


Windows 98

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:nse])



14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.1) Gecko/20040707
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.1) Gecko/20040707

A spam email has been reappearing haphazardly in my Inbox.  The key words are
"ramona" and "a_hash@hotmail.com." I first received this email in the middle of
July, 2003 (over a year ago). When I search my Mail folder for the "ramona"
string, I get 31 hits.  When I search for the "a_hash@hotmail.com" string, I get
about ten hits.  I looked in the trash.snm file first with WordPad because it
was smallest.  I found reference to both strings there and deleted them.  I
looked in longer files (those without extensions) and deleted as many as 14
instances of the offending email (as in my "SpamEmails" file).  Then I looked in
my "history.mab" file and found both strings again.  When I tried editing the
references out, when I later tried to open my Address Book, Mozilla crashed.  I
then moved an older copy of history.mab into the appropriate folder to replace
the now-useless "history_old.mab" file and the Address Book subsequently opened
OK.  Then I looked at the entries in my Address Book and found a large number
that I could not have made myself, including the devious Ramona.  I deleted all
entries in the Address Book, as I do not use it at all; there should have been
next to no entries there.  When I exited the Address Book and then Mozilla, I
found that the "history.mab" file had been reduced in size, but all the original
entries, especially "ramona" are still there.  This gives me the distinct
impression that it is possible for spammers to add stealth entries to my Address
Book for which I receive no alerts or prompts.  Apparently, the "ramona" worm
somehow reactivates itself from some source so that the offending email
reappears even after repeated efforts on my part to expunge it.  I take care not
to open the email, instead selecting an email on either side before deleting all
three including the "ramona" email and emptying my trash folder.  Nothing has
worked so far.  There are really two problems here.  One is that a worm
(undetected by Norton AntiVirus in spite of weekly scans of the entire hard
drive) is resident somewhere that can make the "ramona" email reappear in my
Inbox or one of its folders in spite of my having deleted every instance of its
appearance in the past.  The other is that there are entries in my Address Book
(i.e., in history.mab) that I did not make, cannot delete, and cannot see when I
delete them from the Address Book popup window in Mail.  Please note that some
of the unwanted entries in my Address Book are emails of folks I know and trust
or my family and other entries are clearly spammers or frequent contributors to
newsgroups/mailing lists.  The original email came to me on July 14, 2003 from
the server: nrcs1.kycalhoun.fsc.usda.gov (  The Subject line was
"Danke! Thanks! - No thanks!"

Reproducible: Always
Steps to Reproduce:
1. Delete every entry in my Address Book in the popup window
2. Close the Address Book and Mozilla
3. Look with Windows Explorer at my history.mab file and note that time of last
change is within a few seconds of my closing Mozilla, but the unwanted email
entries are still there.
4. Restart Mozilla and open Address Book, which is still apparently empty as I
thought I had last left it.

Actual Results:  
Address Book is blank as I wish, but history.mab file is fill of unwanted emails
and undecipherable gibberish.  Chances are that "ramona" will resurface at some
unpredictable time, messing up my Inbox so the index for Inbox has to be rebuilt
by Mozilla.

Expected Results:  
1. Never put entries in my Address Book without prompting me first.
2. Show all entries in the Address Book without hiding any entries.
3. Delete entries from the "history.mab" file when I delete them from the
Address Book in the Address Book popup window.

Here is the HTML portion of the "ramona" message:
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-UIDL: 1058203174.1907.mail21

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">


<p><b><font face="Arial">Hello, </font><font face="Arial"
<p><font face="Arial" size="4">Would you like a larger one...? or for your 
spouse to have a larger one. </font><b><font face="Arial" color="#FFFFFF">7ytvqlb 
  7ytvqlx</font></b><font face="Arial" size="4"><br>
Our product is an excellent way to add permanent length and girth to a </font><b>
<font face="Arial" color="#FFFFFF">7ytvqlm            7ytvqlt</font></b><font
face="Arial" size="4"><br>
males erection. Amazing amount inches growth have been recorded throughout<br>
all of our extensive testing. You cant go wrong with this wonderful </font><b>
<font face="Arial" color="#FFFFFF">7ytvqlv               
7ytvqly</font></b><font face="Arial" size="4"><br>
life changing product. Get the confidence and size you've always wanted </font>
<b><font face="Arial" color="#FFFFFF">7ytvqqc               
7ytvqq6</font></b><font face="Arial" size="4"><br>
today. And remember, 
its 100% money back guaranteed.<font color="#FFFFFF">amenex@amenex.com </font>
<font face="Arial" color="#FFFFFF">7ytvqqa         7ytvqq1</font></b><font
face="Arial" size="4"><br>
<font color="#FF0000">
<a href="http://green.paradisecity.com.br/4dre/">Check it out right
here</a></font></a><font color="#FF0000">
</font></font><b><font face="Arial" color="#FFFFFF">amenex@amenex.com7ytvqqp   
<p><font size="2" face="Arial">*Your satisfaction is 100% guaranteed. Just call 
is for a return authorization, send in the unused portion<font color="#FFFFFF">
</font></font><b><font face="Arial" color="#FFFFFF">7ytvqqs                
7ytvqq57ytvqqh             7ytvqqw</font></b></p>
<p><font size="2" face="Arial">and we will refund your money (less shipping and 
handling) immediately.</font><b><font face="Arial" color="#FFFFFF">7ytvqq2 
<p><b><font face="Arial">Thanks<font
color="#FFFFFF">amenex@amenex.com7ytvqqi/font></font><font face="Arial"
color="#FFFFFF">]                 7ytvqqb7ytvqqj                 7ytvqqm7ytvqq3
                7ytvqfc7ytvqfr         7ytvqfa7ytvqfk    7ytvqfp7ytvqfg        
        7ytvqfs7ytvqfz        7ytvqfh7ytvqfo          7ytvqf2</font></b></p>
<p><b><font face="Arial" color="#FFFFFF">7ytvqfd                 7ytvqfl7ytvqfq


Not a security exploit

Sorry for not reading all the prosa, but it seems the following happened:

- You have your mail client configured so that it automatically adds email
addresses from received and/or sent mails to the "History" address book, which
is specifically for that purpose (not to be confused with your main address
book, where you manually enter entries). Adding incoming email addresses was the
default for some time, not it's outgoing. Check prefs.
- When you delete entries, they may not be physically gone from the file, but
they are logically deleted, i.e. inactive. They should not cause a problem,
unless you want to hide something (in which case you need to be concerned about
your filesystem, too).

If any of the above is wrong, please file a new, focused.
Group: security
Last Resolved: 14 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse]
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.