Besides Computer Viruses...

Help me understand this phenomenon. Good guesses are welcome.

In 2014, I started getting fraudulently addressed emails sent to my account.

I don’t mean merely that they had forged “From” headers, that’s nothing new. What made these different was that the attributed full names were people I knew and with whom I had exchanged email messages in the past. But the email addresses themselves were not their email addresses.

Example: suppose I’d been sending and receiving emails with my friend Joe Blow for eons, and that Joe Blow’s email address is joe.blow@his.isp.com; in 2014 I started getting emails that showed up as coming from Joe Blow <bullshit@spamalot.com>.

MY THINKING:

• Isn’t a virus on my machine. TLDR on that is in the spoiler below.

It doesn’t seem terribly likely that this is due to malware on my computer snagging names from my address book. I’m on a Mac. I’m not saying Mac viruses aren’t possible, but if your inclination is to say “you’ve got a virus, dude”, I want to see some links to authoritative web pages stating that there are MacOS viruses in the wild that can infect your computer and behave this way. MacOS-centric message board opinion is that as of yet there still aren’t any, just a few proof-of-concept exploits and some trojans that you have to launch and provide a password for in order to install. In the latter category — trojans I might have been spoofed into installing — I’m not aware of any that behave in this specific way, harvesting email full names and using them to send spam back to the person. Let’s see, what else? Well, I still use Eudora. The old version, Eudora 6, not the Thunderbird skin that got labeled Eudora 8. It’s now considered pretty ancient and doesn’t seem a likely target for malware designed to harvest email information.

• Although I’m not quick to conclude that my ISP got their site hacked, it’s a possibility. I don’t maintain a web-based address book, and I use POP email, and my emails are deleted from the POP server after fetching them. That still leaves the possibility that a) my ISP’s records of sent and received emails were hacked and that b) they obtained the list of full names in conjunction with my email address from that list.

• It seems even less likely that either one of my friends or the ISP of one of my friends got hacked. The real email addresses of all these different spoofed friends are quite different from each other — some yahoo mail, some aol, some gmail.

ADDL INFO

• Some subject lines they’ve used: “Re: Hello” / “Fwd: news” / “Fwd: For AHunter3” / “news for AHunter3” / “Ahunter3 estimate this” / “From {sender name}” / “Fwd:”

• No attachments.

• They all have links, some of which appear to go to healthspam sites, some of which go to education-institution sites, some of which go to video-on-demand viewing sites… or so I gather from the URLs. (I didn’t go there)

Just this last year, Mac OS X has had a massive surge in known malware threats. Blame the success of MacBooks making the OS a tempting target.

Keep in mind that viruses are becoming rarer and rarer. I’m an IT professional and I haven’t seen an actual virus infection in close to 10 years. Viruses replicate by spreading from your computer to other systems which makes them easier to catch, since the behavior of actively trying to spread to other machines makes them more visible. These days, malware just sits on your machine doing whatever it’s doing and doesn’t need to replicate. Malware now comes from hijacked web sites, bundled with dodgy software, or sent by email from compromised “zombie” machines and doesn’t need your system to spread it.

In your case I would try scanning your system to be sure you don’t have malware. Malwarebytes has an OS X version and you can download a free scanner. I’d start there.

Same as with all spoofed emails. The address book of someone you emailed in the past was compromised, which supplies the full names needed to spoof the emails. The name and email address not being concordant just means the true sender didn’t adjust the From address; there’s no technical need to link the From address and name field, and for a spammer there are reasons not to.

There are mechanisms like SPF to determine whether an email has a forged From address, thus it’s necessary that the spammer avoid an email domain that has such protection. Since most mail clients hide the From address by default, the name field is still effective in fooling the small number of people who would respond to the spam. It’s also possible for a mail server to rewrite the email with a different address, possibly the address of the rogue account sending the spam, independently of what the sender originally specified.
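The two checks described in this reply, a From display name that does not match the address the contact normally uses, and an SPF verdict on the envelope domain, can be automated at the receiving end. The following is an added example, not code from anyone in this thread; the contact list and the three raw messages (with their `Authentication-Results` headers) are constructed for the demonstration, and the contact names and addresses are placeholders. It also shows why SPF alone does not catch this pattern: the spoofed message in the sample passes SPF because the spammer sends from a domain they control.

```python
"""Flag display-name spoofing and read the receiver's SPF verdict.

Constructed example for this thread. The contact book and the raw
messages below are made up; only the header layout is realistic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: normalized display name -> address that contact really uses.
KNOWN_CONTACTS = {
    "joe blow": "joe.blow@his.isp.com",
    "sue smith": "sue.smith@example.org",
}

# Constructed raw messages (headers plus a one-line body). The second one is the
# pattern from the original post: the right name attached to the wrong address.
SAMPLE_MESSAGES = [
    "From: Joe Blow <joe.blow@his.isp.com>\n"
    "Subject: Re: Hello\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=his.isp.com\n"
    "\nbody\n",
    "From: Joe Blow <bullshit@spamalot.com>\n"
    "Subject: Fwd: news\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=spamalot.com\n"
    "\nbody\n",
    "From: Sue Smith <sue.smith@example.org>\n"
    "Subject: Fwd: For AHunter3\n"
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org\n"
    "\nbody\n",
]


def spf_result(msg):
    """Return the spf= verdict recorded by the receiving MTA, or 'none' if absent."""
    header = msg.get("Authentication-Results", "")
    match = re.search(r"\bspf=(\w+)", header)
    return match.group(1).lower() if match else "none"


def classify(raw):
    """Compare the From display name against the contact book and combine with SPF."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    spf = spf_result(msg)

    if expected is None:
        verdict = "unknown-sender"
    elif expected.lower() == addr.lower():
        # Name and address agree with the contact book; SPF decides whether the
        # envelope domain was actually allowed to send for that address.
        verdict = "address-matches-contact" if spf != "fail" else "contact-address-spf-fail"
    else:
        # Known name, foreign address: SPF may well pass, since the spammer
        # controls the domain they send from. The name mismatch is the signal.
        verdict = "display-name-spoof"

    return {"name": name, "addr": addr, "spf": spf, "verdict": verdict}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify(raw))
```

The second message illustrates the point made above: SPF only says whether `spamalot.com` was allowed to send for `spamalot.com`, which it was, so the only thing that gives the message away is that "Joe Blow" never writes from that address. The third message is the opposite case, a genuine contact address that fails SPF, which is what a classic forged From header looks like to the receiver.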

Is it even necessary that anybody had their computer hacked at all?

After all, emails are sent out over the internet with the to: and from: addresses attached, and I believe, UN-encrypted. So anybody on the internet between you and the addressee will see that email going by, and could record those addresses. And all un-detected, as long as they don’t interfere with the messages.

So a Spammer could quickly build a database showing that AHunter3 and JoeBlow often email each other. And thus spam that appears to come from the other is much more likely to make it thru any filters, and actually get opened. Which is what the spammers want.

For years, law enforcement has used something similar called ‘open mail cover’, which involves the Post Office photocopying the front & back of every piece of mail that comes to an address. This is quite legal, and can be done without requiring a Court Warrant.

For this to happen multiple times to the same person among multiple contacts, someone has access to something they shouldn’t.

Using postal mail as an example, it’s like a stranger knowing who you are receiving mail from. They may not be opening your mail, but they are at least peeking into your mailbox to read the envelopes. In either case you have a security problem somewhere. It’s not normal for a spammer to know who is sending you mail; they got into something they shouldn’t have.

I mentioned malware mostly to dispel the idea that Mac OS X is immune to malware. But I agree with Cleophus that it’s probably someone you know with a compromised account. If Joe got a spoofed email that claims it’s from Sue, it’s probably Bill who was compromised and has both Joe and Sue in his contacts. A clever spammer will send spam to one contact pretending to be from another contact but never from Bill, that way Bill’s friends won’t get clued in that Bill is the one compromised to warn him. That also explains why these spoofed emails are spoofing different people, not just one person.

I wonder if it’s your home network. Is it properly password protected? A teenage neighbour who has your password?

An obvious thing to do is to start over; either on the same computer after a total cleanup, or on another computer.

While not this exact problem, I noticed something related in my spam: there were patterns in the spam I was receiving, where I would get a lot of spam on a specific subject in a short period. It was coming off keywords in the emails I sent my mother.

Like if I mentioned that I was trying to cut down on fructose in my diet, I’d get spam on diabetes supplies (not diabetic, but too much fructose makes you fart).
If I mentioned back pain, chiropractor spam.
Stuff like that.

My mother uses gmail.

It sure looks to me like gmail was searching my mom’s mail, both incoming and outgoing, and matching keywords, and was then selling my email address to spammers based on which keywords interested them.

Perhaps your email provider is doing something similar to you.

I wonder if, when you start discussing a particular topic on e-mail, your spam filter lets through more spam on that topic? Because the spam is now more similar to the non-spam mail you’re sending or receiving, the spam filter is less sure that they are spam.

That’s possible. Some of the best spam filters use Bayesian filtering methods to learn what you, personally, consider to be spam. The longer the filter is active, the more customized it becomes, until it has the potential to allow certain kinds of spam related to subjects you correspond about. It’s almost like a benign cookie system but instead of targeting you with ads it’s trying to guess what you will and won’t want to receive. What is unwanted or even offensive to one person is interesting to another and it’s trying to avoid false positives.

However, if you notice that you send an email on a subject and receive related spam immediately afterward, that’s unlikely. Such filters are not generally that reactive and develop their behaviors over time. In that case you’re probably looking at ads targeted at you by a marketer getting your info from somewhere. Maybe the email provider itself if you’re not using one that’s well-known. (The big providers like Gmail or Hotmail would risk too much with tactics like that.)

If you use a web-based client rather than one locally installed, try deleting cookies from your browser (you can probably even set your browser to delete them every time you close it). Cookies are a treasure trove of info about your browsing habits and help online marketers to give you a “personalized experience” which is creepy.
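The Bayesian effect described two posts up, where a personalized filter becomes less sure about spam that shares vocabulary with mail you legitimately exchange, is easy to see with a small word-level naive Bayes filter. This is an added example, not code from anyone in this thread; the training messages (ham to "mom" about fructose and back pain, spam about supplies and pills) and the two test messages are constructed for the demonstration.

```python
"""Minimal naive Bayes spam filter showing topic overlap lowering spam confidence.

Constructed example for this thread; the corpus below is made up.
"""
import math
import re
from collections import Counter


def tokenize(text):
    """Lowercase word tokens; each message contributes each word at most once."""
    return set(re.findall(r"[a-z']+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_counts = Counter()  # number of spam messages containing each word
        self.ham_counts = Counter()   # number of ham messages containing each word
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_counts.update(tokenize(text))
            self.n_spam += 1
        else:
            self.ham_counts.update(tokenize(text))
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | words) via log-odds with Laplace smoothing; unseen words are ignored."""
        log_odds = math.log(self.n_spam / self.n_ham)  # class prior
        vocab = set(self.spam_counts) | set(self.ham_counts)
        for word in tokenize(text):
            if word not in vocab:
                continue
            p_spam = (self.spam_counts[word] + 1) / (self.n_spam + 2)
            p_ham = (self.ham_counts[word] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training corpus: what the filter has learned from the user's own mail.
HAM = [
    "hi mom, trying to cut down on fructose in my diet this month",
    "my back pain is better, the chiropractor visit helped",
    "dinner on sunday? i will bring the salad",
    "the cat knocked the plant over again",
]
SPAM = [
    "cheap diabetes supplies order now free shipping",
    "discount pills order now limited offer",
    "win a free cruise click now",
    "lowest price supplies and pills free shipping",
]

# Constructed test messages: the same spam, with and without the user's own vocabulary.
PLAIN_SPAM = "diabetes supplies order now free shipping"
TOPIC_MATCHED_SPAM = "diabetes supplies order now free shipping for your fructose diet"


def demo():
    """Return spam probabilities for both test messages under the trained filter."""
    flt = BayesFilter()
    for text in HAM:
        flt.train(text, is_spam=False)
    for text in SPAM:
        flt.train(text, is_spam=True)
    return {
        "plain": flt.spam_probability(PLAIN_SPAM),
        "topic_matched": flt.spam_probability(TOPIC_MATCHED_SPAM),
    }


if __name__ == "__main__":
    scores = demo()
    print(f"plain spam:          {scores['plain']:.4f}")
    print(f"topic-matched spam:  {scores['topic_matched']:.4f}")
```

With this corpus the words "fructose" and "diet" have only ever appeared in ham, so each one pulls the log-odds down; the topic-matched message still scores as spam, but with less margin. As the filter keeps learning from a correspondence about a given subject, that margin keeps shrinking, which is the slow drift described above, as opposed to the immediate reaction one would expect from a marketer working off a leaked list.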