email hacked

lmj1000

New Email
Contacts in my Hotmail account are receiving unsolicited emails. How can I stop this? Thanks for any help.
 

EQ Admin

EQ Forum Admin
Staff member
Hello,

Please also verify that you control any secondary email addresses and all password reset information.

Welcome to Email Questions!
 

jwriter

Valued Member
Change your password.

People often give this advice. It sounds good, but I believe it is not useful. To read why, go to this thread...

How was this spam generated? • mozillaZine Forums

The point is that the "access" account (address and password) that the spammer used is probably different from the "reply to" address. Why do people assume they are the same? We can tell the "reply to" victim to change their password, but it won't solve the problem. My friend changed her password recently and her friends are STILL getting spam with her in the "reply to" address.

If we want to help people, we need to get yahoo to investigate which "access" account was used by the botnet to get into their system. I would like to start a thread on this. I think it is an important discussion.
 

EQ Admin

EQ Forum Admin
Staff member
Those are two different issues. The headers in your original post indicate that Yahoo is indeed receiving the email and relaying it out through their systems.

The technical term for the discussion you linked to is a "Joe Job". A joe job is when a spammer sends out their spams from their own account(s), and their own ISP(s), but they use an innocent 3rd party's email address as the From: address. The result is that all of the bounces go back to the innocent 3rd party, in this case mary@yahoo.com, even though the emails did not originate from the account. In fact you would see nothing at all in the headers about Yahoo except the From: address and maybe some failed DNS/SPF checks.

The problem you are describing is the result of a compromised account and not a joe job.
 
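The header difference described in the post above, as an added example that is not part of the original thread: Python that reads one raw message and reports whether it left the From: domain's own mail systems or only carries that domain in a forged From:. The sample messages, host names, the authserv-id `mx.recipient.example` and the function name `classify` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not from the thread); all hosts and addresses are placeholders.
VIA_PROVIDER = """\
Received: from smtp-out.example.com (smtp-out.example.com [192.0.2.10])
 by mx.recipient.example; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mary@example.com;
 dkim=pass header.d=example.com
From: Mary <mary@example.com>

body
"""
FORGED = """\
Received: from host.bulk-sender.invalid (unknown [198.51.100.7])
 by mx.recipient.example; Mon, 01 Jan 2024 10:05:00 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mary@example.com;
 dkim=none
From: Mary <mary@example.com>

body
"""

def _aligned(domain, from_domain):
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def classify(raw, trusted_authserv):
    """Return 'sent-via-provider', 'forged-from' or 'inconclusive' for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    authenticated = False
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split()).lower()            # unfold continuation lines
        if ar.split(";")[0].strip() != trusted_authserv:
            continue                                 # only trust results our own server stamped
        dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar)
        spf = re.search(r"spf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", ar)
        if dkim and _aligned(dkim.group(1), from_domain):
            authenticated = True
        if spf and _aligned(spf.group(1).rpartition("@")[2], from_domain):
            authenticated = True
    # Host names in Received lines are claimed by the sender: supporting evidence only.
    hops = [h.lower() for r in msg.get_all("Received", [])
            for h in re.findall(r"\bfrom\s+([\w.-]+)", r)]
    names_provider = any(_aligned(h, from_domain) for h in hops)
    if authenticated:
        return "sent-via-provider"   # consistent with a compromised account
    return "inconclusive" if names_provider else "forged-from"
```

A `forged-from` result matches the joe job case, where changing the password on the named account does not stop the mail; `sent-via-provider` matches the compromised-account case.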

jwriter

Valued Member
A joe job is when a spammer sends out their spams from their own account(s), and their own ISP(s)

Huh? When would a spammer ever do this? What the botnet does is use a known address and password that the spammer has harvested, and I'm sure they have thousands. I call them "access" accounts but perhaps you can call them compromised accounts. Once they get into yahoo or hotmail, they send spam with various different "reply to" addresses. This is not a joe job, it is just a way to get the recipients to see a familiar name in the header and open the mail.

OK? Do we agree that asking the "reply to" victim to change their password is useless in this case?
 

Big Dan

EQ Forum Moderator
People often give this advice. It sounds good, but I believe it is not useful. To read why, go to this thread...

How was this spam generated? • mozillaZine Forums

The point is that the "access" account (address and password) that the spammer used is probably different from the "reply to" address. Why do people assume they are the same? We can tell the "reply to" victim to change their password, but it won't solve the problem. My friend changed her password recently and her friends are STILL getting spam with her in the "reply to" address.

If we want to help people, we need to get yahoo to investigate which "access" account was used by the botnet to get into their system. I would like to start a thread on this. I think it is an important discussion.

It's useful, I'll expound a bit below but also echo what Ray (Popowich) said. If it's someone using your email address as the sender but it's not actually coming from your account; that's called 'spoofing' (aka Joe Job) and there isn't much you can do to fix that.

If mail is going out to your contact list as the original poster suggested, it's very likely that someone has access to the account, thus my suggestion to change the password, which would by default revoke access to anyone with the old password.

There is always a chance that there is a trojan or some sort of spyware on the account owner's machine and that's how the evil-doers originally got the password, but the first line of defense in cases like this is changing the password.
 

EQ Admin

EQ Forum Admin
Staff member
Yes, if an account is not compromised the password change is not required.

In your case it appears a compromised Yahoo account is the problem.

Not everyone gets that email From: an account has to come from the actual account. I can send email From: my Gmail account using a mail program on my computer. It might fail some checks at the recipient's mail server if I don't relay it out through Google's SMTP servers, but it can still be sent.

Yes, botnets exist too, and they are a large source of spam.

Huh? When would a spammer ever do this?
A spammer would do that when they are depending on you to click a link or start a new email to an email address listed in the spam email. They are not depending on a reply to the From: or Reply-to: address to succeed in accomplishing whatever is being pitched in the spam email. To save resources on their end, so they don't have bounces coming back at their servers chewing up bandwidth or mail server connections, they'll use an innocent 3rd party's email address when sending the spam. Which brings us to...

Another case I started to mention above is the many spam operations that have their own networks within ISPs that don't mind taking money from spammers and other abusive entities. These are not botnets. They are spammers with their own networks and servers dedicated to sending spam. Here is some more information - The Spamhaus Project - ROKSO "The majority of the spammers on the ROKSO List operate illegally and move from network to network and country to country seeking out Internet Service Providers with poor security or known for not enforcing of anti-spam policies."
 

jwriter

Valued Member
It's useful, I'll expound a bit below but also echo what Ray (Popowich) said. If it's someone using your email address as the sender but it's not actually coming from your account; that's called 'spoofing' (aka Joe Job)

Yes we agree that spoofing is being done. But let's not say joe job. That is something different and will only confuse the OP. See Wikipedia and below.

If mail is going out to your contact list as the original poster suggested, it's very likely that someone has access to the account

No, no, no! The spammer may or may not have access to the account. Only yahoo or hotmail can tell us who is the "compromised" account, or the "access" account, or which account it is "coming from". As Ray says, spammers will spoof so they don't have bounces coming back at their servers chewing up bandwidth. As I say, the spammers will spoof to get the recipients to see a familiar name in the header, which is totally easy for them to do if they have people's address books. Either way, we all agree that spoofing is probably going on.

If so, we are doing a disservice to the OP to get him to think that changing his password will solve the problem. Also, if he has spyware on his machine and his account is the "compromised" account, then the spyware will just read the new password.

Incidentally, if you look at the OP's full headers, you will probably see that the messages originated from foreign countries. I'm not clear how that helps the OP.
 

EQ Admin

EQ Forum Admin
Staff member
The percentages can be argued but let's just call it 50/50, and "change your password and verify all of your account reset information including security questions and answers" is a reasonable first step while awaiting additional information. Any signs of compromise and it's a good move. Somehow the connection was made between the OP and their contacts, so I'd agree expanding my quote in the first sentence with "... and also do a spyware scan" isn't a bad idea. Perhaps we need a checklist/guide for suspicious activity and some easy non-technical English for what the possibilities are that could be going on, that we can link to when we are not sure yet if there is a compromised account?
 