On at least two occasions in the past month, my S.O. has gotten mail from a Yahoo account I own that I rarely use or log onto. It seems this account is sending spam to everyone I ever sent mail to on that account. I was able to log in from my phone, using my old password, but I’m afraid to log in or change that password using my computer until I get a new computer next week. I can’t change the password using a smartphone. For some reason, Yahoo doesn’t let that option come up. I’ve run spyware and virus protection software on this PC, but nothing has been found.
How did someone out there steal my password? Or is there some other method being used to send spam from my account? I always access email using the web.
I’m interested in the technicalities of this.
There’s no sign of the spam mail in my sent folder or in the trash.
Bear in mind that the ‘From’ value on an e-mail is not validated in any way by the machines that carry e-mail across the internet. So if I have unfettered access to a mail server, I can send a message to anyone I want that has the reply-to listed as rusalka@yahoo.com. This is one reason that spam e-mail is so hard to eradicate–a hacker will spoof the address of someone whose contact list they’ve stolen, on the theory that the people on that contact list will not be well-defended against spam listed as coming from that address.
If you look at the full headers of the e-mail your wife received, I’m willing to bet that it does not track back to a Yahoo! server, despite the listed return address.
(If this sounds bizarre, it’s pretty analogous to traditional snail-mail. Nobody needs to break into your house to put your address as the return address on an envelope …)
Yeah, I was getting these on my Yahoo mail account, the headers are being spoofed, they appear to be to me, from me. I tried to send a complaint to Yahoo, but they just don’t seem to understand, or more likely just don’t care. In the old days, the email came with tracking of each server it went through, and these emails must originate somewhere weird. But I don’t see anything obvious in the header when I unhide it. Still, Yahoo ought to be able to do more.
Yeah, but how did they get my contact list from that account? The email was sent to a whole bunch of people that I sent email to from that account in the past. Therefore, it can’t just be a spoof.
First, your email server can verify the sender if it supports SPF (Yahoo has the DNS entries; your receiving server would have to check them as well).
Second, this is pretty common, and on yahoo in particular. Basically, they got your password from a breach in another site where you logged in using the compromised email with the same password. You need to change the password to any sites using that email/password combination (I’ve seen it on twitter, as well for example). You should login to yahoo and change your password from your computer. There’s no magic way they can get your password when you login to webmail - either your computer is infected with a keylogger already and they know all your passwords, or they used the breach in another site method and have no means to install software on your computer.
Edit to add, I’ve seen the spoofed @yahoo.com emails on yahoo.com as well - I believe those people are using a different compromised yahoo account and yahoo is or was allowing the faked email in the “to” field. In the emails I got like that the real yahoo email was buried in the headers somewhere non-obvious. SPF wouldn’t stop that because SPF just verifies the domain, not the account - that yahoo.com is sending an email from @yahoo.com, not that bob@yahoo.com is sending instead of joe@yahoo.com
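To make the SPF point above concrete (SPF verifies the domain of the envelope sender, not which account in that domain sent the mail, and it never looks at the visible From: header), here is a toy SPF evaluator. It is an added example, not code from the thread or from Yahoo; the domains (yahoo.example, softfail.example, spammer.example) and their TXT records are constructed, it does no DNS lookups, and it implements only the ip4/ip6 mechanisms and the "all" terminator from RFC 7208.

```python
"""Toy SPF evaluator over constructed DNS records (added example; not from the thread).

SPF is checked against the domain of the SMTP envelope sender (MAIL FROM, later
visible as Return-Path), never against the local part and never against the
visible From: header. Only ip4/ip6 mechanisms and the "all" terminator are
implemented here so it runs offline; real SPF (RFC 7208) also has include:,
a, mx, exists:, redirect= and DNS lookups.
"""
import ipaddress

# Constructed records. "yahoo.example" stands in for a large webmail provider;
# the real yahoo.com record is not reproduced here.
FAKE_DNS_TXT = {
    "yahoo.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(envelope_from, client_ip, txt_records=FAKE_DNS_TXT):
    """Evaluate SPF for one SMTP session; returns pass/fail/softfail/neutral/none."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = txt_records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism is unsupported in this toy and is skipped
    return "neutral"            # record ended without a matching "all"


def demo():
    """Why an SPF pass does not settle which *account* sent the mail."""
    # Two different mailboxes in the same domain, both relayed through an
    # authorised provider IP: SPF passes for both. It cannot tell joe from bob.
    bob = spf_check("bob@yahoo.example", "203.0.113.25")
    joe = spf_check("joe@yahoo.example", "203.0.113.25")
    # A spammer's own machine claiming the same envelope domain is rejected...
    forged_envelope = spf_check("bob@yahoo.example", "192.0.2.7")
    # ...but a spammer who uses his own domain in MAIL FROM and only forges the
    # visible From: header is not caught by SPF at all: the From: header is
    # never consulted, and here the envelope domain publishes no record.
    forged_header_only = spf_check("bounce@spammer.example", "192.0.2.7")
    return bob, joe, forged_envelope, forged_header_only


if __name__ == "__main__":
    print(demo())   # ('pass', 'pass', 'fail', 'none')
```

The last case in demo() is the one that matters for this thread: a forged From: header with the spammer's own envelope domain sails past SPF, and a compromised account inside the provider passes SPF exactly as the legitimate owner would. Telling accounts apart needs the provider's own per-account headers, not SPF.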
This has been covered here several times. They are likely not sending email from your account. Both Yahoo and Hotmail had accounts compromised. The attackers have your address and all the addresses in your book. What they then do is spoof the address to look like yours and send stuff to all your friends, usually advertisements. Try to limit your purchases from them.
It’s possible they got a copy of one of your friends’ address books and chose a name at random from that list to use as the “from” account. That leaves your friend whose account was actually compromised blissfully unaware that anything is wrong. In fact, maybe a friend of yours volunteered their email address list to some online service of some kind (a new social networking site or a mailing list management site, for example). They could also be randomly using from/to pairs in that list to generate spam emails. There are many possibilities.
> It’s possible they got a copy of one of your friends’ address books and chose a name at random from that list to use as the “from” account.
No, because there is a list of people that got sent email in the “cc” field, and they are all from my address book. A friend of mine wouldn’t have exactly the same list. Besides, aside from my S.O., the people in the address book are all unrelated strangers. They are all people I sent email to at one time or another.
“Al Bundy” had an interesting answer. Al, can you point me to the threads that cover this attack on Yahoo? How can someone get people’s address books without gaining access to their account?
Where do I find the actual sender in the email source header?
I’m looking at the source now, and I can’t find anyplace where the real sender’s email address appears. I want to make sure this was a spoof and not my account being compromised.
You can’t, really. All you can do is find the first server in the chain–that’s the originating server. Then you’d have to contact the registered owner of that server with the e-mail details and ask them to identify the account that originated that e-mail on their server. Be careful how aggressively you ask, though–some of these spammer-friendly machines are owned by the Russian mafia. Or so I’ve heard.
There should be a series of “Received” lines in the headers of the message. These will be in reverse order, top to bottom (that is, the top one will be the final one, going to the final recipient’s mail server).
If it did actually come from Yahoo, they will put in some of their own headers as well, I believe that will include the IP address being used to access the account and send the email.
But again note that email was designed with security as an afterthought–additional, fake, Received lines can be put in, etc. I don’t know if spammers bother anymore, disposable connections are probably easier than putting effort in trying to hide.
Note that in order to hide the true origin of spam, they sometimes put fake servers at the beginning of the chain in the header. Then from that point up, the servers are real.
So the last one(s) in the header may not be the actual sender.
There is no easy algorithm for determining the fakes from the reals. A knowledgeable person can go through and make a pretty good guess, but people have tried and failed to automate the process in spam blockers.
(Although going thru several servers in distinct domains is immediately suspicious nowadays.)
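The two posts above describe the procedure by hand: read the Received lines bottom-up, trust only the ones added by servers you know, and expect the bottom of the chain to be where forged lines appear. Below is an added example (not code from the thread) that does that over a constructed message. The hostnames, IPs and the forged bottom Received line are all made up for illustration, and the chain-break check is a heuristic, not a proof of forgery.

```python
"""Walk the Received: chain of a message (added example; not from the thread).

Each relay prepends its own Received: line, so the top line was written by the
recipient's own server and the bottom one by whoever first handled the mail.
Only the lines written by servers you trust are reliable; everything below
them was supplied by the previous hop and can be forged. The message below is
constructed for illustration, using documentation hostnames and IP ranges.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From: forged as a webmail address, envelope
# sender is the spammer's own domain, and the bottom Received: line is a fake
# that pretends the mail started inside the webmail provider.
RAW = """Return-Path: <bounce-x7@spammer.example>
Received: from mta3.relay.example (mta3.relay.example [203.0.113.5])
    by mx.recipient.example with ESMTP id ABC123
    for <so@recipient.example>; Tue, 10 Jan 2012 10:05:00 +0000
Received: from spammer-box (unknown [192.0.2.77])
    by mta3.relay.example with SMTP id DEF456;
    Tue, 10 Jan 2012 10:04:58 +0000
Received: from web120501.mail.yahoo.example ([10.0.0.9])
    by smtp.yahoo.example with SMTP; Tue, 10 Jan 2012 09:00:00 +0000
From: "Rusalka" <rusalka@yahoo.example>
To: so@recipient.example
Subject: cheap meds
Message-ID: <1@spammer-box>

buy now
"""

# Subset of the RFC 5321 Received: syntax: "from <host> (<comment>) by <host>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return hops in transit order (origin first), one dict per Received: line."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line = first hop
        flat = " ".join(value.split())                    # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("comment") or "") or IP_RE.search(flat)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ip_m.group(1) if ip_m else None,
        })
    return hops


def header_vs_envelope(raw):
    """The address people see (From:) versus the one SMTP actually used (Return-Path)."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1], parseaddr(msg.get("Return-Path", ""))[1]


def chain_breaks(hops):
    """Indexes i where hop i claims to hand off to a server that hop i+1 does not
    report receiving from. A break near the bottom is a common sign of a fake line."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["by"].lower() != hops[i + 1]["from"].lower()]


def trusted_origin_ip(hops, trusted_servers):
    """Walk down from the top while the 'by' server is one you trust, and return
    the last IP those servers recorded: the first hop you cannot vouch for."""
    ip = None
    for hop in reversed(hops):
        if hop["by"].lower() not in trusted_servers:
            break
        ip = hop["ip"]
    return ip


if __name__ == "__main__":
    hops = parse_hops(RAW)
    print(header_vs_envelope(RAW))
    for i, h in enumerate(hops):
        print(i, h)
    print("chain breaks at:", chain_breaks(hops))
    print("origin per own MX only:", trusted_origin_ip(hops, {"mx.recipient.example"}))
    print("origin if relay trusted too:",
          trusted_origin_ip(hops, {"mx.recipient.example", "mta3.relay.example"}))
```

On this sample the From: and Return-Path disagree (a forged From: with the spammer's own bounce address), the bottom Received line claims a handoff to smtp.yahoo.example that no later line confirms, and the furthest hop you can actually stand behind is whatever IP your own MX logged; you only get one hop further by trusting the relay it received from. Legitimate internal handoffs and load balancers also produce chain breaks, which is why the earlier post is right that this cannot be fully automated.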