Sent Items Logging

Could someone please explain to me the REASON for this logging/tracking.
I go nowhere on the web that I would want to hide from my mother-in-law, yet this reminds of the telescreens in 1984. Every move I make is logged, behind my back, on my own computer (until people like our guest poster discover it). I can't seem to justify it.
Does anyone else have a different view? I need to be calmed down!
Douglas

 

Updating my experience with this issue, I did a little experimenting with these files. Using the shredder tool in SpybotS&D, I destroyed every file in that folder(11 files in my case). Checking with explorer, folder was empty. Reopened OE6.0 which automatically recreated all files except the pop3.log and smtp.log. Checked my mail and this recreated pop3.log. Sent myself an e-mail and the smtp.log was also recreated. All the previous info in these files was of course gone. I would think that simply deleting these files would have the same effect, without the obvious security feature of wiping them for those who have that need. Using Win98SE, IE6.0SP1 here, your mileage may vary. Question for the more knowledgeable, is this method acceptable? No ill effects that I can see, but I am not so gullible to think just because I can't see it, it is not there.

Question #2, why is that kind of stuff in the folders to begin with(firewall logs,etc.), and is the information being transmitted everytime I give OE permission to access the net? Using Zone Alarm free, so it either has permission or it doesn't. No middle ground. Again, thanks for any guidance.

 

Thinking more about this, if someone who was not using outlook express, received one of those emails with some kind of nasty aboard, and they went to the folder in question here, they could then read the email, even though they deleted without opening it in their application of choice.

Would this put them at risk of letting the critter out, or just the opposite, be a safe way of looking at an email you were a little suspicious of?

 

Hi Douglas,

Since I do not use the OE, every time I have installed any version of the Mircosoft OS I have then uninstalled the OE.
If you do not use it as your email client..you to can uninstall it also.. therefore ,I do not have any .dbx or other compacted file for my email much less any backup email files and this is also something everyone can change if the do use OE.

John

 

Vet

appreciated that you shared the info....there are nine folders in my case.......am getting ready to wipe them all.
.......once again...until you mention these folders I never thought to check them....when I did..behold stored information!! This really gets me po'ed!!!!!!


snowman with attitude

 

Hi again Primrose,

Which is exactly what I'm going to do. Thanks for the reminder.

Douglas

 

Just did a secure wipe of those 9 folders....shut-down and re-started...the folders did not return.....which is fine by me............no noticed changes in os....all working properly as much as I can tell.


going to give this subject a whole lot of thought......I do not use e mail.....no reason for anything to be in the in or out folders...........no reason for so many un-known url's....all traced to source now...........everything hand copied before secure delete..........


snowman with an attitude

 

NOTE:

looking over some of the information that has been copied I noticed that the only website information logged was that of a website where I had used a stored cookie....has anyone else noticed this??


snowman

 

NOTE

LOL..a few moments ago using a security program I disabled outlook express/msimn an much to my surprise four (4) un-installed programs on my desktop....their icons became the outlook express icon.....gee, now I just have to ask myself....will these un-installed programs somehow use outlook express once they are installed...lol

 

CORRECTION:::::::::

The information logged about the website WAS NOT that of a website where a store cokkie was used......it was that of a website where a program had been downloaded from.
..........want to keep all info as correct as possible.




Well everyone this has been a most interesting topic.......enjoyed the time sharing with all of you......there isn't anything else I can contribute so no point in my posting further comments. Joyest Christmas to one and All........


Snowman Chilled Out

 

Hi Snowman,

Maybe a corrupted Icon-cache? I'm of course not sure about this in your case, but these things can happen.

You could try the free RefreshEm to try to repair the icon-cache.
You can find RefreshEm here:
http://camtech2000.com/Pages/Useful.html

 

Jan....thanks....however this was done on purpose......a few of the security tools I have can really cause chain re-actions.......always for the good.
I just shut down the program and re-booted....all back to normal..........what the program did was reveal that the programs would use outlook express....updates maybe.

regards

snowman

 

Vet asked the question if simply deleting is enough. As Jack pointed out, a delete is not enough. Let's say you have a message in the sent folder.....you hit "delete" (yes you want to do this - get it in the delete folder.) BUT, from here, no - it is not secure to just empty the delete bin. All of that email is still on your hard drive and any software recovery program can pull that right back up. What I said and what snowy did is to erase the delete folder. Wipe it. This leaves nothing of your emails to pull up with a recovery program. Make sure it is DOD compliant 7-pass or Gutmann so that it is totally secure from even forensics.

I guess I'm being too all encompassing here. You may not need a wipe. If you DO wipe, you may only need a one pass wipe. As I have said many times - and this is important..... When it comes to privacy and securing your computer, do you want to hide your files from your children? The kid sister? If that is all you need to do, simply deleting I suppose would be fine. But, if you have security needs that go beyond that -- securely erase. Wipe. Beyond the simple, I protect as if a three-letter agency were going to impound my computer tomorrow and find all kinds of writings that these days they could call, "aiding the enemy," -- or whatever.

For me - and most people - (if you're using OE)......

1. Send all sensitive mail to delete folder.
2. Run a wipe of the Delete folder. (And yes, it does recreate itself upon reboot.)
3. Remember the routine and use it!

Yes, you could drag the Delete folder from it's deep path into a shredder. Most people I know just have a custom wash configuration or a self-made plug in to use with their Internet Wiper (like Window Washer or Tracks Eraser Pro - my personal favorite - but I actually use both) Everytime it's run - it wipes that delete folder, along with everything else.

BTW, I can't get anything from my .dbx files in plain text that are threatening in any way. I have never heard of this problem at all, so I don't know what to say. I'm reading the posts carefully though. It sounds very odd.

Happy Holidays To All!!

John
Luv2BSecure

 

I don't usually make a comment as this one....

Folks may I truely suggest that you heed the advice of Lov2B......the man knows what he is talking about....an if you hesitate to use encryption.....consider the ease of use...there is nothing to it........an if you think that you will never need it.......ok fine...but its best to have it and know how to use it should the need arise........an John is the guy to see in that area

respectfully

snowman

 

Hi,

All of the following done offline.

Investigating further, destroyed all files in the folder again, rebooted, and as snowman noted, files are not recreated.

Opened OE: cleanup.log, inbox.dbx, offline.dbx, folders.dbx recreated. The inbox.dbx may create at this time because I have OE set to open that folder at start of the program.

Clicking on the other folders(outbox, etc.), recreates their corresponding .dbx file.

Closed OE: pop3uidl.dbx created.

The two log files(pop3.log, smtp.log) are created as stated in my earlier post.

Now, that is the way these files are recreated on my computer. Why they are not recreated at bootup, I do not know. The above scenario can be done at will.

"Vet asked the question if simply deleting is enough. As Jack pointed out, a delete is not enough. Let's say you have a message in the sent folder.....you hit "delete" (yes you want to do this - get it in the delete folder.) BUT, from here, no - it is not secure to just empty the delete bin. All of that email is still on your hard drive and any software recovery program can pull that right back up. What I said and what snowy did is to erase the delete folder. Wipe it. This leaves nothing of your emails to pull up with a recovery program. Make sure it is DOD compliant 7-pass or Gutmann so that it is totally secure from even forensics."

Sorry if I am not making myself clear, but that is not what I am asking at all. I understand what you are saying, Luv2BSecure, about the security involved. What I really wanted to know was if the method of using the shredder to destroy these files was acceptable, and I gather that it is. By the way, don't know if you use Spybot or not, but the number of passes is adjustable(actually used 10). Whether or not it meets the standards you mentioned, I can't say, but it does what I need.

"I guess I'm being too all encompassing here. You may not need a wipe. If you DO wipe, you may only need a one pass wipe. As I have said many times - and this is important..... When it comes to privacy and securing your computer, do you want to hide your files from your children? The kid sister? If that is all you need to do, simply deleting I suppose would be fine. But, if you have security needs that go beyond that -- securely erase. Wipe. Beyond the simple, I protect as if a three-letter agency were going to impound my computer tomorrow and find all kinds of writings that these days they could call, "aiding the enemy," -- or whatever."

No one uses this computer but me. I rarely use email. Other than notices of replies to posts, about the only email I get is Earthlink's monthly newsletter, which I do not read, just never unsubscribed. I get absolutely zero spam. If one of those three letter agencies you referred to, confiscates this computer, the result would be death by boredom. Will leave it up to everyone who reads this as to whether that is a good thing or bad.

"BTW, I can't get anything from my .dbx files in plain text that are threatening in any way. I have never heard of this problem at all, so I don't know what to say. I'm reading the posts carefully though. It sounds very odd."

E-mail is not the problem I am concerned with at all. It is all the other stuff that keeps mysteriously appearing in those files, and the files of a couple other posters(snowy and Douglas). Is Microsoft(or something else) tracking me, or possibly some problem with my computer? Since I am not the only one having this problem, I don't have a definite answer to that.

This is an example of what I am talking about. Went online to symantec home page and a microsoft tech bulletin search, nowhere else.

From deleted items.dbx:

<td class="windowbg2" valign="middle" align="center" width="6%" bgcolor="#F8F8F8"><img src="http://www.spywareinfoforum.com/yabbse/YaBBImages/thread.gif" alt=""></td>
***<td class="windowbg2" valign="middle" align="center" width="4%" bgcolor="#F8F8F8"><img src="http://www.spywareinfoforum.com/yabbse/YaBBImages/xx.gif" alt="" border="0" align="middle"></td>
***<td class="windowbg" valign="middle" width="48%" bgcolor="#AFC6DB"><font size="2"><a href="http://www.spywareinfoforum.com/yabbse/showthread.php?t=2439">1500 and still going!!!!</a> </font></td>
***<td class="windowbg2" valign="middle" width="14%" bgcolor="#F8F8F8"><font size="2"><a href="http://www.spywareinfoforum.com/yabbse/index.php?action=viewprofile;user=admin"><acronym title="View profile of Mike">Mike</acronym></a></font></td>
***<td class="windowbg" valign="middle" width="4%" align="center" bgcolor="#AFC6DB"><font size="2">5</font></td>
***<td class="windowbg" valign="middle" width="4%" align="center" bgcolor="#AFC6DB"><font size="2">49</font></td>
***<td class="windowbg2" valign="middle" width="27%" bgcolor="#F8F8F8"><font size="1">December 13, 2002, 11:50:37 AM
by <a href="http://www.spywareinfoforum.com/yabbse/index.php?action=viewprofile;user=cnm">cnm</a></font></td>
</tr><tr>
***<td class="windowbg2" valign="middle" align="center" width="6%" bgcolor="#F8F8F8"><img src="http://www.spywareinfoforum.com/yabbse/YaBBImages/thread.gif" alt=""></td>
***<td class="windowbg2" valign="middle" align="center" width="4%" bgcolor="#F8F8F8"><img src="http://www.spywareinfoforum.com/yabbse/YaBBImages/xx.gif" alt="" border="0" align="middle"></td>
***<td class="windowbg" valign="middle" width="48%" bgcolor="#AFC6DB"><font size="2"><a href="http://www.spywareinfoforum.com/yabbse/showthread.php?t=2310">:::AHEM::: Update to the downloads page</a> </font></td>
***<td class="windowbg2" valign="middle" width="14%" bgcolor="#F8F8F8"><font size="2"><a href="http://www.spywareinfoforum.com/yabbse/index.php?action=viewprofile;user=admin"><acronym title="View profile of Mike">Mike</acronym></a></font></td>
***<td class="windowbg" valign="middle" width="4%" align="center" bgcolor="#AFC6DB"><font size="2">2</font></td>
***<td class="windowbg" valign="middle" width="4%" align="center" bgcolor="#AFC6DB"><font size="2">102</font></td>
***<td class="windowbg2" valign="middle" width="27%" bgcolor="#F8F8F8"><font size="1">December 11, 2002, 08:03:16 AM
by <a href="http://www.spywareinfoforum.com/yabbse/index.php?action=viewprofile;user=TonyKlein">TonyKlein

From inbox.dbx:

<H2>November 2002</H2><HR/><a href='/technet/security/bulletin/MS02-065.asp'>MS02-065 : Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)</a>


</p><H2>October 2002</H2><HR/><a href='/technet/security/bulletin/MS02-055.asp'>MS02-055 : Unchecked Buffer in Windows Help Facility Could Enable Code Execution (Q323255)</a>


<a href='/technet/security/bulletin/MS02-054.asp'>MS02-054 : Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q32904</a>


</p><H2>September 2002</H2><HR/><a href='/technet/security/bulletin/MS02-053.asp'>MS02-053 : Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution (Q324096)</a>


<a href='/technet/security/bulletin/MS02-050.asp'>MS02-050 : Certificate Validation Flaw Could Enable Identity Spoofing (Q329115)</a>


</p><H2>August 2002</H2><HR/><a href='/technet/security/bulletin/MS02-048.asp'>MS02-048 : Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)</a>


</p><H2>March 2002</H2><HR/><a href='/technet/security/bulletin/MS02-014.asp'>MS02-014 : Unchecked Buffer in Windows Shell Could Lead to Code Execution</a>


<a href='/technet/security/bulletin/MS02-013.asp'>MS02-013 : 04 March 2002 Cumulative VM Update</a>


</p><H2>February 2002</H2><HR/><a href='/technet/security/bulletin/MS02-006.asp'>MS02-006 : Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run</a>


</p><H2>December 2001</H2><HR/><a href='/technet/security/bulletin/MS01-059.asp'>MS01-059 : Unchecked Buffer in Universal Plug and Play Can Lead to System Compromise</a>


</p><H2>November 2001</H2><HR/><a href='/technet/security/bulletin/MS01-054.asp'>MS01-054 : Invalid Universal Plug and Play Request Can Disrupt System Operation</a>


</p><H2>April 2001</H2><HR/><a href='/technet/security/bulletin/MS01-022.asp'>MS01-022 : WebDAV Service Provider Can Allow Scripts to Levy Requests as User</a>


</p><H2>March 2001</H2><HR/><a href='/technet/security/bulletin/MS01-019.asp'>MS01-019 : Passwords for Compressed Folders are Recoverable</a>


<a href='/technet/security/bulletin/MS01-017.asp'>MS01-017 : Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard</a>


</p><H2>November 2000</H2><HR/><a href='/technet/security/bulletin/MS00-091.asp'>MS00-091 : Incomplete TCP/IP Packet Vulnerability </a>


</p><H2>October 2000</H2><HR/><a href='/technet/security/bulletin/MS00-081.asp'>MS00-081 : New Variant of VM File Reading Vulnerability</a>


<a href='/technet/security/bulletin/MS00-079.asp'>MS00-079 : HyperTerminal Buffer Overflow Vulnerability </a>


<a href='/technet/security/bulletin/MS00-075.asp'>MS00-075 : Microsoft VM ActiveX Component Vulnerability</a>


<a href='/technet/security/bulletin/MS00-074.asp'>MS00-074 : WebTV

The info from deleted items.dbx appears to be old data, (possibly scripting?) from the spywareinfo web site page. Note, I did not visit that site. The info from inbox.dbx is apparently current info from the microsoft page which I did visit. I don't see why any of that stuff should be in either file. OE was not running while online.

OK, if anyone can explain this or offer a course of action, I would be most grateful. That is about as clear as I know how to make this. I can clean the files, no problem. Question is, how is this getting in the files and is it going out to where ever when OE accesses the internet? I don't know that I would consider any of the example given as threatning, but it is a clear cut invasion of my privacy if this kind of thing is being sent to someone.

Must apologise for the length of the post, but this has me annoyed to say the least.

On a happier note, wishing everyone a happy and safe holiday season, and many more to come.

 

I am sorry Vietnam_Vet.......I thought by the questions and comments above that you were interested in the emails, and asking about dragging them to the shredder I took as a security question you were not sure about. I know I answered to the best of my ability. Snowy had some nice things to say, that was kind of him and I appreciate his nice words, but I will tell you --- I am lost on your last question above. As I said, I have not heard of this, never have seen it before and this is all new to me. Because it's not in my OE files doesn't mean a thing. Apparently something is not quite right here. With your description, snowman's description, it sounds very strange indeed. That's why in my last post I said,

I think we may be expecting too much though if we expect to have answers to this mystery here and now from anyone on this board. After all, snow just opened this thread on the 22nd and today is the 25th (Christmas Day ).

But knowing the people on this board, and my own curiosity, there are more than a few people trying to figure this out. One thing is clear, if you have cleaned tracks - it has left some things and they are showing up in strange places. You didn't go to Mike's Spyware site that day but obviously you did at some point and some tracks are (oddly) in OE .dbx files. The "yaBB" references are all to the forum software used here and at Mike's spywareinfoforum.com site as well.

BTW.... In your first post you said the system-made .dbx folders (inbox, sent, draft,delete) were recreated on boot. In your last post, did I understand you to say it did not recreate "delete" when you rebooted? I agree it's all more than interesting - it's very disturbing in fact. I'm right there with snowy on the anger - and the privacy intrusions it could cause. But, right now it's Christmas and it will take some time for everyone to get down to it and try to figure out what's going on.

Again, I'm sorry if I was confused by you asking about the shredding, etc and thinking you were asking if the method would work. Sometimes when a thread takes off like this one, it's hard to keep track, but I honestly thought I answered your questions except for having the answer to the big question which we may not have for awhile.

Happiest of holidays! I'm up late listening for Santa sightings on the radio.

John
Luv2BSecure

 

Vietnam_Vet said

That's exactly my question and problem!
L2BS said

So forget Christmas dinner! We're counting on you all!

Douglas

 

Good Morning to all..an to all a MERRY CHRISTMAS DAY!


Well so as we don't go off in differant directions....seems we all agree that be it e-mail or the Folders/Files......they should be SECURELY DELETED........in case of the VET he used the SHREDDER in spybot.....I understand Vet that you are asking how secure is the Shredder's over-writing.....to answer that the type of over-writing being used would need to be known...such as DOD....or what ?

As Lov2B noted its the Christmas holiday an responses may be slow in coming.......only reason I am here today is due to deep snow outside........
In the mean time I am still testng....right now I see this exploit as something of a KEYLOGGER type.....an VERY DANGEROUS!!!! FE: I did some business in Zurich this past friday.....an removed the program used monday late night.......well highly private account information was retained in one of the folders we are discussing....yikes!! Did a wipe using Gutmann
We all seen to agree that deleting the folders/files is not the real issue. The issue is HOW IS THE INFORMATION BEING LOGGED IN THOSE FOLDERS??\

So far I found...

(1) one e mail that was sent to me
(2) information on a previously used isp
(3) A listing of the COMPLETE contents of my C drive both M$ and non-M$ programs listed therein
(4) The programing code of a couple of websites
(5) information related to several programs un-installed..BUT NOT ALL programs that have been uninstalled
(6) Certain url's.....

My question....is outlook express BEING EXPLOIT.....or is this a problem caused by outlook express....

 

So as no one takes offense by the use of the word "EXPLOITED" let me clearly say here and now that no accusasions are being made. The word "exploited" is used in the context of there being a possible security issue in either outlook express or the WINDOWS os

 

because several people are having this issue.....each with their own settings,. security programs and os's......the only two things I notice we have in common is that Outlook Express is installed and the Windows os is being used

No particular website.....no particular program is being logged..........the only commonality being the above listed.

uninstalling outlook express may not be the answer...thats yet unknown....the information being logged may just find its way elsewhere on the os......
shortly I will be shutting down from the internet and boxing the computer.....in a couple or so days......bout all I can say is that I sure hope you folks find an answer to all this..........somehow I think the answer is going to be a simple one....hopefully anyway..

 

Hi snowman,

Some possible explanations :

a Spy Software to secretly spy on and monitor computer activity which would use OE to send info to whose installed
thi progy and not a build in SMTP server, some are really difficult to detect ?

VNC server, PCAnywhere or some progy of the kind installed
on yur computer and a client could have use your machine to post some mails ?

A backdoor which might be eradicated a while ago ?

OT : if you never use OE, you could make a rule in your FW preventing msimn.exe IN and OUT to stay protected ?

Is the phenomenon reproducible ?
If yes, could your use a Sniffer ?

Just my 5 pences, I never heard about something of the kind before.

Rgds,

 

JACK

thanks much for taking of your time to reply........upon first seeing the exploit my thoughts were the same as yours......have since ruled much of that out.......differant people involded.....differant os's......we would all have had to unknowningly installed or been exploited by a particular snake program........odds are very high against that.

yes..reproduced at will.......no outbound traffic........

the rest of this post is just in general info.......perhaps pieced together may be useful.

my earliest logging was the e mail....Nov. 2.2002...it was received......not answered. The logging could have been going on longer.....I never checked.......my last reformat was just prior to november............
java and activeX never allowed with the exception of windows update applet and a couple of extremely secure business java applets..........outlook express blocked by firewall always..........
numerous security programs set to prevent .exe and forced install........numerous scripts prevented.....no cookies allowed........registry cleaned after each install of new program and after un-install of any program.....os constantly checked., monitored for keyloggers....trogans..viruses.......internet scan....download scan..os scan....constantly......all programs updated.....no known snakes in os........all new programs scan for trogans/virus before install..........numerous other security measures in place..........

after wipe of folders in question......new folders contain information......not of a personal nature but of the os........most in programming code......cc++ (is that right lol)

one thing continues to bother me for some reason....in outlook express....tab: Connection:.......Internet Connection Sharing.....* outlook express shares your internet connection settings with internet explorer*** an this has me wondering if IE is involded......just wondering.......did check settings in IE...very secure.

JACK.....a couple of the url's that were logged has me highly on alert...in fact my security has been lowered deliberated to see if any attempts are made on the os...

No I have never heard of this before either.......but strongly advise everyone to pay attention....this aint santa coming down the chimmey......its a major privacy exploit.....
to what extent the exploit can be used is best left to the experts to decide.........it bothers me that the Sent Folder was loaded with information........hopefully it never left the os.......no passwords are kept...can't connect. You can bet I would never use a credit card or send e mail.......
this may not be popular to hear..but this makes many security programs absolutely useless....no not virus and trogan scanners.........but many other type programs useless........cleaning of the index.dat wont clean these folders FE....wiping the os wont help either....these folders need to be manually removed.

also......after deleting the folders I left them deleted for several hours.....then re-made them..instantly the folders contained logged information.

 

Presently the INBOX folder contains instructions on how to use outlook express and numerous listing about the os.

 

Hi Snowman,

Did you try to set you stored *.dbx (x:\Documents and Settings\user\Application Data\Identities\{xxx-yyy-zzz-aaa-bbb}in WinXP for instance) on another partition in new file
and see if it's still reproducible ?

Really wierd, indeed.

Rgds,

 

JACK

no I have not done that as yet....decided to wait and see what reveals itself in those files........
the files are in my control.....its the logging that isn't.....whats causing the logging...........questions many ..

so far the newly created files just logged the os date...its not going outbound........
spent the past two days going through the registry....looks clean.....ran scans for every known trogan/virus/keylogger/snake.......clean....but you can bet this hound will keep tracking........

wondering why everyone is not experiencing this
oh..re-checked setting in outlook...IE..os....looks ok....
can only suggest others get involded.....work as a team.