How can a general user trace the origin of TCP/IP data generated by persistent e-mail anomaly?

Tags:
.NET applications
computer information
Forensic analysis
malware
TCP/IP
Webmail
Thank you very much for taking time to consider this question. What do you recommend for a general user who needs to trace the origin and route of TCP/IP data associated with an e-mail message? My SOHO computer is infected by some form of malware. The ISP's tech support could not resolve it; the relevant "abuse@" site has not responded to a query. For professional reasons, it is important that make a diligent effort to track where any rerouted messages with confidential information may have ended up. I've done what I can with Traceroute and IP Lookup, and sites that provide guidance on tracing e-mails. I'm out of ideas.

Background:  The balance of this message provides additional detail that may assist your assessment. I use a stand-alone system that runs both Mac and Windows; the webmail service was provided by an major ISP accessed via a standard router.

Indicators:  There three known indicators: (1)  In creating a new e-mail message, the drop-down box in the "From" line generates a second bogus address just below my correct e-mail address; (2) For messages forwarded from my address, the anomaly transmits a duplicate copy of the message to an unknown mail-server. (This was revealed when a message I forwarded with an incorrect address sent back a "Delivery Failed" notification) (3) the ISP tech support staff accessed my system and attributed the anomaly to "spyware."  When they could not remove the anomaly, they referred me to their "abuse@" site.T hat entity provided an automated response 10 days ago, and nothing since.

Status:  To date, I have used the IP address generated by the return notice to identify public IP addresses. Test messages sent to the bogus e-mail address (which drops down from the From line) returned header information that identified the "original recipient" as an unknown UserID and mail server. Whois searches from several sites reported that the UserID and Host Name are "not found" or are non-existent. Before giving up, I'd like to know if there are other open source tools or tracing methods that a user with no training in computer forensics should try and can use reliably.
Best,

PS: Please forgive my use of a pseudonym. But as a sole practitioner, this experience has left me gun shy about e-mail and submissions to websites. For the time being, I've switched to a more secure web-mail service and take other precautions that seem to make sense.
 


Software/Hardware used:
Use both Mac and Windows with Parallels.

Answer Wiki

Thanks. We'll let you know when a new response is added.

TCP reset attack, also known as forged TCP resets, spoofed TCP reset packets or TCP reset attacks. These terms refer to a method of tampering with internet communications. Sometimes, the tampering is malicious, other times, it is beneficial. The Internet is, in essence, a system for individual computers to exchange electronic messages, or packets of IP data

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Genderhayes
    TCP starts a re-transmission timer when each outbound segment is handed down to IP. If no acknowledgment has been received for the data in a given segment before the timer expires, then the segment is retransmitted, up to the TcpMaxDataRetransmissions times
    7,440 pointsBadges:
    report
  • Troubleshoot2014
    Very helpful. Thanks. Does anyone know of a tool or process for resolving a reset attack e.g. a link to a methodology
    15 pointsBadges:
    report
  • Genderhayes
    A stealth scan is a kind of scan that is designed to go undetected by auditing tools stealth scanning technique is “inverse mapping”, where you try to find out all hosts on a network by generating “host unreachable” ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets
    7,440 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following