email - spoofing/hacking/other cures?

Matthew

Touchdown! Greaser!
Joined
Apr 18, 2005
Messages
18,652
Location
kojc, kixd, k34
Display Name

Display name:
Matthew
I access my email (sbcglobal) from 2 PCs, both with virus scanners, and an Android device with Avast.

About a month ago some of my contacts, not all, got an email from my address. I had no indication of anything in my Sent box. I knew about it right away because one of my contacts is a Yahoo group that forwarded that email back to me. Since then, I've changed my p/w multiple times. Last night it happened again. Some contacts got a spam with my return addy. I changed pw again and this time deleted my contact list - I have it saved somewhere else. No indication of anything in my sent box.

Somewhere, someone got a partial list of my contacts. How can I find out if the emails are really coming from my account or my address is being spoofed somehow? And how to fix it?
 
It is probably scraping them from another source, like maybe Facebook. Look for the commonality of the addresses that were compromised.
 

I'm pretty sure someone got my contacts (some of them). Some bounced back to me and my filter tossed them into my spam folder. Some were bounced because the recipient's spam filter sent them back.

Some bounced to me because they were undeliverable. I looked at those, and they were in my contact list but were old email addys that were no longer valid and I just never updated them. So I am pretty sure my contacts were stolen at some time.
 
What mail client do you use (Outlook, Outlook Express, Webmail)? Is it different on the two machines?
 

It's a webmail, att.yahoo.

My two PCs I use Firefox to get to the att.yahoo website to log in. The Android device (Nexus) goes through whatever mechanism it uses.
 
Your address is undoubtedly being spoofed. You might be able to look at the MIME header and figure out the source, if you can look at one of the original messages (not a forwarded copy). I was just trying to help you find out how you got compromised. Maybe some app on the android device. Often social apps will scan your contacts to identify new "friends" for you. Look and see if any of those are suspect.
 
Doubt it was something on the Android. There are a lot of contacts on my Google Contacts list, but ONLY contacts within my att.yahoo account were used. It really looks like someone, somewhere, got into my att.yahoo account contact list, got some names/addresses (even ones that were no longer valid), and every now and then sends spam to them. I'll try to look at the header (I already deleted the bounced e-mails so I don't think I can get to them anymore). I did ask a buddy of mine that got one of the e-mails if he can check on the header info.

Once it's spoofed, there's really nothing I can do, is there? Someone is sending emails and putting my address as the "from" without really using my account?
 
Yes, that happens. About a year ago there was a bunch of friends complaining about contact lists being scraped from Yahoo. Allegedly they tightened things up but :dunno: -Skip
 
bah. Spammers/scammers should be shot, burned at the stake, hung from the yardarm, shot again, buried in an unmarked grave, peed on, dug up, shot again, and then made an example of.
 

Spammers and scammers I don't know about, but hackers, well they get great accolades followed by six figure jobs working for IT and security companies. The more stuff they get into and mess up, the better for them. Fastest way for a talented young kid to get to the big bucks without college.

Spammers and scammers just utilize the stuff hackers come up with.
 

OK - hackers meet the list to be abused, too.

I'm wondering if - my PC was hacked and the contacts were reached through it, or att.yahoo itself was hacked and my account info was stolen from there.

I saw that McAfee (I think) had a contract with the Olympics to provide computer security. A reporter went to Sochi with a clean laptop, just to see. Apparently, within minutes of his arrival, he'd already been hacked.
 
It's also possible that someone else's computer is infected, and copied the email addresses from something you sent with all those people in the "to" or "cc" list. Or that your computer is infected. The full headers of the mails might help narrow down the possibilities.

-Rich
 
If you ever sent an email to a group of people (some, not all of your contact list) and one of them got malware that read their email, that's all it took. And now your email is out there along with theirs, so it will happen again.

99% probability that your email was spoofed onto the bad emails.
 
It's very simple to spoof the "MAIL FROM" SMTP command, as well as the from header. No hacking involved, just type it in to an SMTP server and it will take it. Current email standards should be burned at the stake.
 
I've had some clients have similar experiences with SBCGlobal. It appears as if there was a major break-in or leak. In each case, their contacts got weird email messages, usually with a link in them. If you Google "SBCGlobal Yahoo email hacked", you'll see a lot of hits.
 
hmmm - just dug into this a little more.

One of the spam e-mails was sent to someone NOT in my contacts list. I DID send an e-mail to this address, once, and the only place it resided was in my "sent" folder. So, maybe my contacts weren't stolen, but my "sent" folder was?
 
Without the full headers of the received message, the question is unanswerable.
 

One got bounced back to me. It was sent to one of my contacts, and then ended up in my spam folder.

Buried in there was this (edited):

From Mail Delivery System Mon Mar 31 02:46:22 2014
X-Apparently-To: my address ; Mon, 31 Mar 2014 02:46:24 -0700
Return-Path: <>
X-YahooFilteredBulk: 193.252.22.212
Received-SPF: none (domain of out.smtpout.orange.fr does not designate permitted sender hosts)
X-YMailISG:
...
stuff
...
X-Originating-IP: [193.252.22.212]
Authentication-Results: mta1204.sbc.mail.gq1.yahoo.com from=orange.fr; domainkeys=neutral (no sig); from=orange.fr; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO out.smtpout.orange.fr) (193.252.22.212)
by mta1204.sbc.mail.gq1.yahoo.com with SMTP; Mon, 31 Mar 2014 02:46:24 -0700
Return-Path: <<>>
From: "Mail Delivery System" <MAILER-DAEMON@orange.fr>
Date: Mon, 31 Mar 2014 11:46:22 +0200
To: my email address
Subject: Undelivered Mail Returned to Sender
...
a little more stuff
...
 
The problem is Yahoo are a bunch of clowns. Their email system has been hacked every which way. The most recent batch was January this year, but we can find headlines of a breach going back each year:

2014

2013

2012

2011


You probably ought to change your password, if you haven't already.

And P.S. this analysis is amusing.
 

P/w has been changed several times, but they musta got me at just the right time.
 
The headers tend to indicate the message originally was received by Yahoo from a server in France. It's not conclusive, but it's a good sign it didn't come legitimately from your computer. They've stripped the rest of the full header that's supposed to remain intact or there was no modern MUA (e.g. desktop software like Outlook or Thunderbird) involved in the message creation, since it's not at the top of the header.

Which leads to the general opinion that it's simply forged spam relayed through an open relay or hacked server in France. There's a bunch of other possibilities but that's close enough to not worry about it much. Someone found your address and spoofed it.
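A small header-triage script for the bounce quoted earlier in the thread and the reasoning in the post above: it pulls the entry hop into the recipient's provider out of the Received: chain and the SPF/DKIM results, then says whether the mail came in from an outside relay unauthenticated (consistent with a forged From:) or through the provider's own servers with a valid signature (which would point at the account itself). This is an added example, not code from the thread; the sample headers are a constructed copy of the quoted bounce with the recipient's address removed, and the provider host list is an assumption.

```python
import re
from email import message_from_string

# Constructed sample modelled on the bounce headers quoted in the thread.
SAMPLE_HEADERS = """\
Return-Path: <>
Received-SPF: none (domain of out.smtpout.orange.fr does not designate permitted sender hosts)
X-Originating-IP: [193.252.22.212]
Authentication-Results: mta1204.sbc.mail.gq1.yahoo.com from=orange.fr; domainkeys=neutral (no sig); from=orange.fr; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO out.smtpout.orange.fr) (193.252.22.212)
  by mta1204.sbc.mail.gq1.yahoo.com with SMTP; Mon, 31 Mar 2014 02:46:24 -0700
From: "Mail Delivery System" <MAILER-DAEMON@orange.fr>
"""

# One Received: hop: "from <host> (EHLO <helo>) (<ip>) ... by <mta>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?:EHLO|HELO)\s+(?P<helo>[^)\s]+)\))?\s*"
    r"(?:\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?.*?\bby\s+(?P<by>\S+)", re.S | re.I)

def received_hops(raw):
    """Parsed Received: hops, outermost (the recipient's own MTA) first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            hops.append({k: (v or "").rstrip(";") for k, v in m.groupdict().items()})
    return hops

def auth_results(raw):
    """SPF result (first token of Received-SPF) and DKIM result from Authentication-Results."""
    msg = message_from_string(raw)
    spf = (msg.get("Received-SPF", "").split() or ["missing"])[0].lower()
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    return {"spf": spf, "dkim": dkim.group(1).lower() if dkim else "missing"}

def assess(raw, provider=("yahoo.com", "sbcglobal.net", "att.net")):
    """Where did the mail enter the victim's provider, and was the sender authenticated?"""
    auth = auth_results(raw)
    entry = next((h for h in received_hops(raw) if h["by"].endswith(provider)), None)
    internal = bool(entry) and (entry["helo"] or entry["from"]).endswith(provider)
    authenticated = "pass" in (auth["spf"], auth["dkim"])
    if entry and not internal and not authenticated:
        verdict = "injected from an outside relay with no SPF/DKIM pass: forged sender, not a login to the account"
    elif entry and internal and authenticated:
        verdict = "entered through the provider's own servers and authenticated: examine the account itself"
    else:
        verdict = "inconclusive: the full, unedited headers are needed"
    return {"entry_hop": entry, **auth, "verdict": verdict}
```

Run `assess(SAMPLE_HEADERS)` on the sample and the entry hop is the orange.fr relay at 193.252.22.212 with SPF none and DKIM neutral, which is the "forged, relayed from France" reading given above; a headers-only paste of a real bounce works the same way.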
 
Yeah - but it was sent to addresses in my "sent" folder.
 
True. You mentioned that earlier.

I'm guessing the NSA has started a smear campaign against you. ;) ;) ;)

Email transport is beyond retarded at this point. We've had the ability to identify the server sending the message inbound via public key encryption for decades. It's even standardized in TLS. We simply refuse to take a stand, turn it on in mandatory mode, and wait for anyone who wants to email us to use an ISP capable of affording a damn $25 SSL key.
 
I have had accounts (at various levels) at spamcop.net. It's still my go-to resource for deciphering spam headers.
 

I was looking into that the other day - how does that work? You create an account, then copy a spam header into it and let it decode?

I can read enough, and Google enough, of the header to find out where it came from (France), but I still can't figure out how they got my "sent" addresses so the spams were sent only to people I've emailed in the past.
 
Some possibilities, in no particular order:

1. Your computer is infected with malware that stole the information. This is a bit less likely if you always use webmail, but not impossible.

2. Someone else's computer is infected, and that computer's owner corresponds with a lot of the same people you do.

3. You (or someone else) sent a mass email to all those recipients, and one or more of their computers is infected.

4. You (or someone else) sent a mass email to all those recipients, and it was intercepted in transit.

5. Yahoo! got hacked again.

There are other ways it could have happened, as well. The above are just examples.

-Rich
 
1 - I use three different systems on any given day. All are scanned regularly, nothing found. Maybe, maybe not.

2 - There is no way anyone but me would have that combination of people.

3 - One of the recipients was someone I only used once. See #2. I don't send mass mailings.

4 - See #3.

5 - maybe.

During my poking around, I found a similar email that I received from someone else (a handyman my neighbor and I use). I found it in either my spam or trash folder. I don't click on links in mail like that. It was dated about a week before this happened. Maybe that started it?
 