email hacked

Discussion in 'Help Desk' started by lmj1000, Jun 17, 2011.

  1. lmj1000

    lmj1000 New Email

    Joined:
    Jun 17, 2011
    Messages:
    2
    Likes Received:
    0
    Contacts in my Hotmail account are receiving unsolicited emails. How can I stop this? Thanks for any help.
     


  2. Big Dan

    Big Dan EQ Forum Moderator Staff Member

    Joined:
    Aug 14, 2008
    Messages:
    647
    Likes Received:
    16
    Change your password.
     

  3. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,001
    Likes Received:
    120
    Hello,

    Please also verify that you control any secondary email addresses and all password reset information.

    Welcome to Email Questions!
     
  4. jwriter

    jwriter Valued Member

    Joined:
    Jun 17, 2011
    Messages:
    37
    Likes Received:
    1
    People often give this advice. It sounds good, but I believe it is not useful. To read why, go to this thread...

    How was this spam generated? • mozillaZine Forums

    The point is that the "access" account (address and password) that the spammer used is probably different from the "reply to" address. Why do people assume they are the same? We can tell the "reply to" victim to change their password, but it won't solve the problem. My friend changed her password recently and her friends are STILL getting spam with her in the "reply to" address.

    If we want to help people, we need to get Yahoo to investigate which "access" account was used by the botnet to get into their system. I would like to start a thread on this. I think it is an important discussion.
     
  5. popowich

    popowich EQ Forum Admin Staff Member

    Those are two different issues. The headers in your original post indicate that Yahoo is indeed receiving the email and relaying it out through their systems.

    The technical term for the discussion you linked to is a "Joe Job". A joe job is when a spammer sends out their spams from their own account(s), and their own ISP(s), but they use an innocent third party's email address as the From: address. The result is that all of the bounces go back to the innocent third party, in this case mary@yahoo.com, even though the emails did not originate from the account. In fact you would see nothing at all in the headers about Yahoo except the From: address and maybe some failed DNS/SPF checks.

    The problem you are describing is the result of a compromised account and not a joe job.
     
    Last edited: Jun 19, 2011
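
An added example, not part of the thread: one way to separate the two cases described in the post above (mail relayed by the From: domain's own provider versus a forged From: address) from a message's headers. It reads only the Authentication-Results header stamped by the recipient's own mail server; the server name `mx.recipient.example` and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (hostnames are placeholders, not from the thread).
RELAYED = (
    "Authentication-Results: mx.recipient.example; spf=pass "
    "smtp.mailfrom=mary@yahoo.com; dkim=pass header.d=yahoo.com\n"
    "From: Mary <mary@yahoo.com>\nSubject: hi\n\nbody\n"
)
SPOOFED = (
    "Authentication-Results: mx.recipient.example; spf=fail "
    "smtp.mailfrom=mary@yahoo.com; dkim=none\n"
    "From: Mary <mary@yahoo.com>\nSubject: hi\n\nbody\n"
)

CLAUSE = re.compile(
    r"^(spf|dkim)=(\w+)(?:.*?\b(?:smtp\.mailfrom|header\.d)=(\S+))?", re.I | re.S
)

def aligned_passes(msg, trusted_authserv, from_domain):
    """Return (seen, passed): trusted header present, and methods that passed for from_domain."""
    seen, passed = False, set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        # Only the recipient's own server is trusted; a sender can forge any other copy.
        if not parts[0] or parts[0].split()[0].lower() != trusted_authserv:
            continue
        seen = True
        for part in parts[1:]:
            m = CLAUSE.match(part)
            if not m or m.group(2).lower() != "pass" or not m.group(3):
                continue
            # Strict domain match (assumption; DMARC's relaxed mode also accepts subdomains).
            if m.group(3).rpartition("@")[2].lower() == from_domain:
                passed.add(m.group(1).lower())
    return seen, passed

def classify(raw, trusted_authserv):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen, passed = aligned_passes(msg, trusted_authserv, from_domain)
    if not seen:
        return "unknown"        # nothing the recipient's server vouched for
    if passed:
        return "provider-sent"  # sent via the From: domain's systems: consistent with a compromised account
    return "spoofed-from"       # forged From: a password change on that address will not stop these

if __name__ == "__main__":
    for name, raw in (("RELAYED", RELAYED), ("SPOOFED", SPOOFED)):
        print(name, classify(raw, "mx.recipient.example"))
```

A "provider-sent" result says the provider's systems handled the message, not which login was used; only the provider's own logs can show that.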
  6. jwriter

    jwriter Valued Member

    Huh? When would a spammer ever do this? What the botnet does is use a known address and password that the spammer has harvested, and I'm sure they have thousands. I call them "access" accounts but perhaps you can call them compromised accounts. Once they get into Yahoo or Hotmail, they send spam with various different "reply to" addresses. This is not a joe job, it is just a way to get the recipients to see a familiar name in the header and open the mail.

    OK? Do we agree that asking the "reply to" victim to change their password is useless in this case?
     
  7. Big Dan

    Big Dan EQ Forum Moderator Staff Member

    It's useful. I'll expound a bit below but also echo what Ray (Popowich) said. If it's someone using your email address as the sender but it is not actually coming from your account, that's called 'spoofing' (aka Joe Job) and there isn't much you can do to fix that.

    If mail is going out to your contact list as the original poster suggested, it's very likely that someone has access to the account, thus my suggestion to change the password, which would by default revoke access to anyone with the old password.

    There is always a chance that there is a trojan or some sort of spyware on the account owner's machine and that's how the evil-doers originally got the password, but the first line of defense in cases like this is changing the password.
     
  8. popowich

    popowich EQ Forum Admin Staff Member

    Yes, if an account is not compromised the password change is not required.

    In your case it appears a compromised Yahoo account is the problem.

    Not everyone gets that email From: an account has to come from the actual account. I can send email From: my Gmail account using a mail program on my computer. It might fail some checks at the recipient's mail server if I don't relay it out through Google's SMTP servers, but it can still be sent.

    Yes, botnets exist too, and they are a large source of spam.

    A spammer would do that when they are depending on you to click a link or start a new email to an email address listed in the spam email. They are not depending on a reply to the From: or Reply-to: address to succeed in accomplishing whatever is being pitched in the spam email. To save resources on their end, so they don't have bounces coming back at their servers chewing up bandwidth or mail server connections, they'll use an innocent third party's email address when sending the spam. Which brings us to...

    Another case I started to mention above is the many spam operations that have their own networks within ISPs that don't mind taking money from spammers and other abusive entities. These are not botnets. They are spammers with their own networks and servers dedicated to sending spam. Here is some more information - The Spamhaus Project - ROKSO "The majority of the spammers on the ROKSO List operate illegally and move from network to network and country to country seeking out Internet Service Providers with poor security or known for not enforcing of anti-spam policies."
     
  9. popowich

    popowich EQ Forum Admin Staff Member

    If one of your contacts can post the full email headers from one of the spam emails we can help to determine if your account was used to send the spam emails.

    Thanks.
     
  10. jwriter

    jwriter Valued Member

    Yes we agree that spoofing is being done. But let's not say joe job. That is something different and will only confuse the OP. See Wikipedia and below.

    No, no, no! The spammer may or may not have access to the account. Only Yahoo or Hotmail can tell us who is the "compromised" account, or the "access" account, or which account it is "coming from". As Ray says, spammers will spoof so they don't have bounces coming back at their servers chewing up bandwidth. As I say, the spammers will spoof to get the recipients to see a familiar name in the header, which is totally easy for them to do if they have people's address books. Either way, we all agree that spoofing is probably going on.

    If so, we are doing a disservice to the OP to get him to think that changing his password will solve the problem. Also, if he has spyware on his machine and his account is the "compromised" account, then the spyware will just read the new password.

    Incidentally, if you look at the OP's full headers, you will probably see that the messages originated from foreign countries. I'm not clear how that helps the OP.
     
  11. popowich

    popowich EQ Forum Admin Staff Member

    The percentages can be argued but let's just call it 50/50, and "change your password and verify all of your account reset information including security questions and answers" is a reasonable first step while awaiting additional information. Any signs of compromise and it's a good move. Somehow the connection was made between the OP and their contacts, so I'd agree expanding my quotes in the first sentence with "... and also do a spyware scan" isn't a bad idea. Perhaps we need a checklist/guide for suspicious activity, and some easy non-technical English for what the possibilities are that could be going on, that we can link to when we are not sure yet if there is a compromised account?
     
