Closed Bug 267221 Opened 21 years ago Closed 21 years ago

Entries have appeared in my address book withoiut my knowledge

Categories

(SeaMonkey :: MailNews: Address Book & Contacts, defect)

Product:
SeaMonkey
Component:
MailNews: Address Book & Contacts
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: amenex, Assigned: sspitzer)

Details

(Whiteboard: [sg:nse])

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.1) Gecko/20040707 Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.1) Gecko/20040707 A spam email has been reappearing haphazardly in my Inbox. The key words are "ramona" and "a_hash@hotmail.com." I first received this email in the middle of July, 2003 (over a year ago). When I search my Mail folder for the "ramona" string, I get 31 hits. When I search for the "a_hash@hotmail.com" string, I get about ten hits. I looked in the trash.snm file first with WordPad because it was smallest. I found reference to both strings there and deleted them. I looked in longer files (those without extensions) and deleted as many as 14 instances of the offending email (as in my "SpamEmails" file). Then I looked in my "history.mab" file and found both strings again. When I tried editing the references out, when I later tried to open my Address Book, Mozilla crashed. I then moved an older copy of history.mab into the appropriate folder to replace the now-useless "history_old.mab" file and the Address Book subsequently opened OK. Then I looked at the entries in my Address Book and found a large number that I could not have made myself, including the devious Ramona. I deleted all entries in the Address Book, as I do not use it at all; there should have been next to no entries there. When I exited the Address Book and then Mozilla, I found that the "history.mab" file had been reduced in size, but all the original entries, especially "ramona" are still there. This gives me the distinct impression that it is possible for spammers to add stealth entries to my Address Book for which I receive no alerts or prompts. Apparently, the "ramona" worm somehow reactivates itself from some source so that the offending email reappears even after repeated efforts on my part to expunge it. I take care not to open the email, instead selecting an email on either side before deleting all three including the "ramona" email and emptying my trash folder. Nothing has worked so far. There are really two problems here. One is that a worm (undetected by Norton AntiVirus in spite of weekly scans of the entire hard drive) is resident somewhere that can make the "ramona" email reappear in my Inbox or one of its folders in spite of my having deleted every instance of its appearance in the past. The other is that there are entries in my Address Book (i.e., in history.mab) that I did not make, cannot delete, and cannot see when I delete them from the Address Book popup window in Mail. Please note that some of the unwanted entries in my Address Book are emails of folks I know and trust or my family and other entries are clearly spammers or frequent contributors to newsgroups/mailing lists. The original email came to me on July 14, 2003 from the server: nrcs1.kycalhoun.fsc.usda.gov (199.149.75.253) The Subject line was "Danke! Thanks! - No thanks!" Reproducible: Always Steps to Reproduce: 1. Delete every entry in my Address Book in the popup window 2. Close the Address Book and Mozilla 3. Look with Windows Explorer at my history.mab file and note that time of last change is within a few seconds of my closing Mozilla, but the unwanted email entries are still there. 4. Restart Mozilla and open Address Book, which is still apparently empty as I thought I had last left it. Actual Results: Address Book is blank as I wish, but history.mab file is fill of unwanted emails and undecipherable gibberish. Chances are that "ramona" will resurface at some unpredictable time, messing up my Inbox so the index for Inbox has to be rebuilt by Mozilla. Expected Results: 1. Never put entries in my Address Book without prompting me first. 2. Show all entries in the Address Book without hiding any entries. 3. Delete entries from the "history.mab" file when I delete them from the Address Book in the Address Book popup window. Here is the HTML portion of the "ramona" message: <html> X-Mozilla-Status: 0000 X-Mozilla-Status2: 00000000 X-UIDL: 1058203174.1907.mail21 <head> <meta http-equiv="Content-Language" content="en-us"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Hello</title> </head> <body> <p><b><font face="Arial">Hello, </font><font face="Arial" color="#FFFFFF">amenex@amenex.com7ytvql4</font></b></p> <p><font face="Arial" size="4">Would you like a larger one...? or for your spouse to have a larger one. </font><b><font face="Arial" color="#FFFFFF">7ytvqlb 7ytvqlx</font></b><font face="Arial" size="4"><br> Our product is an excellent way to add permanent length and girth to a </font><b> <font face="Arial" color="#FFFFFF">7ytvqlm 7ytvqlt</font></b><font face="Arial" size="4"><br> males erection. Amazing amount inches growth have been recorded throughout<br> all of our extensive testing. You cant go wrong with this wonderful </font><b> <font face="Arial" color="#FFFFFF">7ytvqlv 7ytvqly</font></b><font face="Arial" size="4"><br> life changing product. Get the confidence and size you've always wanted </font> <b><font face="Arial" color="#FFFFFF">7ytvqqc 7ytvqq6</font></b><font face="Arial" size="4"><br> today. And remember, its 100% money back guaranteed.<font color="#FFFFFF">amenex@amenex.com </font> </font><b> <font face="Arial" color="#FFFFFF">7ytvqqa 7ytvqq1</font></b><font face="Arial" size="4"><br> <br> <font color="#FF0000"> <a href="http://green.paradisecity.com.br/4dre/">Check it out right here</a></font></a><font color="#FF0000"> </font></font><b><font face="Arial" color="#FFFFFF">amenex@amenex.com7ytvqqp 7ytvqqe</font></b></p> <p>&nbsp;</p> <p><font size="2" face="Arial">*Your satisfaction is 100% guaranteed. Just call is for a return authorization, send in the unused portion<font color="#FFFFFF"> </font></font><b><font face="Arial" color="#FFFFFF">7ytvqqs 7ytvqq57ytvqqh 7ytvqqw</font></b></p> <p><font size="2" face="Arial">and we will refund your money (less shipping and handling) immediately.</font><b><font face="Arial" color="#FFFFFF">7ytvqq2 7ytvqqn7ytvqql 7ytvqqf</font></b><br> &nbsp;</p> <p><b><font face="Arial">Thanks<font color="#FFFFFF">amenex@amenex.com7ytvqqi/font></font><font face="Arial" color="#FFFFFF">] 7ytvqqb7ytvqqj 7ytvqqm7ytvqq3 7ytvqqv7ytvqq7 7ytvqfc7ytvqfr 7ytvqfa7ytvqfk 7ytvqfp7ytvqfg 7ytvqfs7ytvqfz 7ytvqfh7ytvqfo 7ytvqf2</font></b></p> <p><b><font face="Arial" color="#FFFFFF">7ytvqfd 7ytvqfl7ytvqfq 7ytvqfi</font></b></p> </body> </html>
Not a security exploit Sorry for not reading all the prosa, but it seems the following happened: - You have your mail client configured so that it automatically adds email addresses from received and/or sent mails to the "History" address book, which is specifically for that purpose (not to be confused with your main address book, where you manually enter entries). Adding incoming email addresses was the default for some time, not it's outgoing. Check prefs. - When you delete entries, they may not be physically gone from the file, but they are logically deleted, i.e. inactive. They should not cause a problem, unless you want to hide something (in which case you need to be concerned about your filesystem, too). If any of the above is wrong, please file a new, focused.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse]
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.