I logged in to a yahoo email account (not the one associated with this board) that I rarely use. I have not logged into this particular account in several months. Got a “reply” to an email allegedly sent by me, from that account, containing nothing but a link. Strongly suspect the link was to some malware infested site, but I did not click it. I did not send the email containing this suspicious link. I run virus scans regularly, nothing has turned up. Apparently the same person received multiple similar emails allegedly from me within the last month.
How could this happen? I don’t think my machine has any viruses, and as stated above, I have not even logged in to this particular account in months…
“Logging on to your account” and “having a virus on your computer” have nothing to do with people sending email out from your account name. Your password doesn’t have anything to do with it either.
Seems to me that alot of people have been having this problem with YahooMail lately. I checked the headers a few times. THey’re coming from Yahoo’s mail servers.
I would consider this an unforgiveable and fundamental security problem that would warrant alot of attention - but nobody seems to be saying a thing. For whatever Yahoo refuses to invest the time and energy in SPF and there other approaches to security aren’t working.
If I were to gripe and moan and rant I’m sure that everyone’s eyes would glaze over and I would be accused of somehow being an anti-Yahoo bigot.
Nice to see that there’s still such a need for basic education on computer security. Just basic.
If I had your email address I could spoof an email from you now and you would get any non deliveries this generates. It does not require anything more than knowing what your email address is. It certainly does not mean anyone has access to your email account.
There is nothing you can do to prevent it because it requires no access to anything you can control to spoof an email address.
There are methods of controlling this sort of thing from a system adminstrators point of view but nothing you can do as an end user.
The worst part about it is that it just requires one system with an inappropriately-configured smtp (simple mail transport protocol) listener to be able to spoof an email, it doesn’t need to be the originating or the final system.
This has been going on with Yahoo and Hotmail for a long time now. There are numerous threads on it here and elsewhere. Yahoo had a bunch of accounts attacked many times. If they have the password, then even go back and send from your very Yahoo account. Otherwise, they use the address and send from a non-Yahoo server. In most cases, they have harvested all the email addresses in the accounts. They sent fake mail from “YOU” to all your associates.
People always act surprised, panicked, or indignant about this being possible, but it’s nothing new, and fundamentally long precedes e-mail. If I sent you (or somebody else) a letter (the old-fashioned paper kind) with your address listed as the return address, you wouldn’t think that somebody had broken into your house, nor would you ask why the Post Office allows such fraud. But that’s exactly analogous to how the “from” field of an e-mail works: What shows up there is what the sender tells his e-mail program to put there, and the sender could put anything there at all, just like you can put any return address at all on an envelope.
This happened to me last week, and the spam message is sitting in the Sent Items folder of my Yahoo mailbox. I don’t believe that the message was sent from any of my computers, and I have good virus protection running on all of them, so I believe the message was sent from the mail server. (BTW, it went to everyone in my Yahoo address book.)