Recently a friend of mine got an email which apparently originated from a long-disused AOL account. Although I haven’t used the AOL account in several years, the email was dated today. The message itself consisted of a commercial link (broken here, of course):
and a maxim from one Publilius Syrus, who probably used to sleep with a dagger under his pillow–“Treat your friend as though he might become your enemy”.
As I used to exchange messages with this friend under the old AOL account, I believe that someone has somehow hacked into the old account and its associated address book, and is now using this information to send spam and/or viruses. In fact it was to warn me about this possibility that my friend forwarded the message. I don’t think I’m going too far out on a limb here when I say AOL needs to disable that account completely, nor am I expecting too much when I say it should be relatively easy for them to do so. As for me I couldn’t even log into it if I wanted to; back when I stopped using it, it got so badly corrupted that I couldn’t even do a password reset. By that time I had already been using mostly Google mail for some time, so I said to heck with it. I didn’t need to belong to a web service that exists merely to pelt my eyes with commercial links and garish ads, and I wasn’t going to meander through voice-activated phone menus to fix it.
So off I go to the AOL website this morning, looking for a number to call, an AIM name to chat with, or an address to send an email to. Although the website is as bad as I remember, I even go so far as to sign up for a new AOL email account, just so I can send them an email or chat with someone who works there. Guess what? Apparently, in order to call them up, you need to be a paid member. Ditto for AIM chat. And I couldn’t even find an email contact.
AOL needs to take care of this, and I don’t see why I should have to pay money for something I really do not want–nay more, I despise it–to get someone to fix this.
My parents had something similar happen. Took us two days to get it cleared up since, as you said, without being a paid member you can’t get someone on the phone. Basically, we spent two days trying to answer security questions that they set nearly 20 years ago. On top of that, I may have been the one to set them up, so we’re going back and forth between answering them in my dad’s ‘voice’ and mine, and me answering as if I was setting up the account for him. Each time it locked us out, it took a few hours before we could try again, etc.
And still trying to call them on the phone to let them know that all this spam was being sent out from their account and we just needed the password reset so we could fix it.
Note that the “From” field in email is completely settable by the sender. So having it “come” from your old AOL account is easily faked. It does not necessarily mean that anyone hacked your account. It takes a fair amount of expertise in reading email headers to determine the true origin of an email. (Spammers are good at faking large chunks of a header to mislead software looking to mark spam.)
The address book entry could have been obtained through other means, including someone who had your old address and your friend’s email address in their address book and whose machine picked up a virus.
Going in and changing your AOL password is a good thing to do. (As well as cleaning out any data they have that you no longer need.) But it is unlikely to affect the current situation.
I see how that can easily be done by the person who forwards it, which in this case would be my friend–and I can’t imagine they’d do that. But for an original email, how would one do that?[sup]1[/sup] I don’t see anything in GMail for that, and IIRC Outlook allows only a choice of the addresses you have configured to work with Outlook. Aren’t most email clients or providers basically the same in that regard?
Or is it something one would have to write code to accomplish?
[sup]1[/sup]As always, the question is intended to be within the bounds of SDMB rules, applicable laws, etc.
The “From” address in an email is like the return address on an envelope. Anyone can write any address they like there. Most email clients try to discourage it, but it’s not something that requires a high degree of technical knowledge.
The email almost certainly did not come through AOL, and there is probably nothing at all they can do about it. The web hosts responsible for the hacked sites on which these sites reside could do something about it, but probably won’t.
The Wikipedia article on email spoofing. Doesn’t explain how it’s done, but it has links and covers some of the terminology. A simple Googling will lead to articles showing you how, step by step.
I tried this out way-back-when to show someone how easy it was. I sent an email to my department chair looking like it came from the chair’s account to demonstrate how simple it was and that the header should not be trusted.
To have full control you might need to write a program (although I am sure there are programs available from “disreputable” sources), but that is not incredibly difficult. See SMTP (and in particular see the SMTP transport example).
Not really, and no. It probably doesn’t have a true originating address, in the sense of an email address, if that’s what you mean. It most likely originated from a poorly configured mail server somewhere, probably controlled in turn by a botnet or hacked web server. “Origin” doesn’t have much meaning in this sort of situation.
It’s nothing personal, if that helps - your old address was probably just one of millions they use to try to make their emails look more authentic.
It’s nothing tricky, it can even happen accidentally. When you set up an email client (not webmail, but a bona fide email client) there are fields to enter your full name, your email address, the addresses of the incoming and outgoing mail servers (which don’t have to be the same).
Whatever you put in the email address field will show up as who your mail is “from”, whether it’s your real address or not. I’ve had people come in because they couldn’t reply to an email, and it was because the sender had misspelled their own email address when they set up their mail client, so the from line showed bjoens@isp.com instead of bjones@isp.com. We also once had a student change his from line to the principal’s address and sent a mass email to all other students accusing them of breaking a rule.
No “hacking”, no programming, just editing a box in your mail preferences.
How would they know his friend’s e-mail, though? It cannot be a random happenstance that his friends received an e-mail that appeared to come from Spectre.
It’s been some years since, but come to think of it I’m sure I’ve gone through at least one online tutorial where part of the required functionality was to send and receive emails inside the program. I’m sure that, somewhere in these applications, it would have been easy to populate the fields we’ve been talking about; however once I got the damn thing working–i.e. resolving port number conflicts and such–I didn’t care to look into the matter further.
There’s a very good chance that people he doesn’t know also got the same email “from him”. They frequently have just a list of valid emails they got from somewhere and combed social media sites trying to guess which ones might know each other. (I occasionally get spam purporting to be from my wife. I also get spam from people I’ve never heard of, but worded as if they came from a friend.) They also may have gotten pairs of addresses from ecard or similar message sending sites.
Your email address and contacts aren’t quite as secret as a lot of people think.
One thing that still puzzles me is this: My old AOL address is a meaningless word and not my real name, but my friend’s GMail address is simply <herfirstname.herlastname>@gmail.com. So how did the spoofer not only get my old AOL name, but also the fact that I once used it to exchange messages with <herfirstname.herlastname@gmail.com>?
The link in the message turns out to have the TLD name for Sri Lanka, but the ISP seems to be in Germany while the owner of the account is in Brooklyn.
Both addresses probably came from an infected PC or account, someone who has corresponded with you both. Perhaps your friend’s PC or account was compromised, possibly some time ago. It doesn’t really matter - those addresses are in circulation.
The site linked in the message has been hacked, it’s not owned by the spammer.
One possibility: Do the two of you have any common friends, such that one of you might have ever sent an e-mail to both the other and to the common friend? If any such person got a virus, the virus could have picked up both of your e-mail addresses from that person’s computer, and then forwarded them along to the spammer who released the virus.
Yeah, telnet is all you need if you are using an SMTP server. Like I said. Been there, done that.
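Added example (not code from any poster in this thread): the SMTP exchange that the “telnet is all you need” and “see the SMTP transport example” posts above refer to, played out end to end in Python. A throwaway receiving server stands in for the recipient’s mail server and records what a real MTA would see: the envelope sender given in MAIL FROM, the envelope recipients, and the message text handed over after DATA. The client then sends a message whose “From:” header names an AOL-style address while the envelope sender is something else entirely; the two never have to agree, and the mail client on the receiving end displays only the header. All hostnames and addresses (`.example` domains, `oldaccount@aol.example`, `bounce-handler@spammer.example`) are made up for the demonstration.

```python
import email
import smtplib
import socket
import threading
from email.message import EmailMessage


class TinySMTPServer(threading.Thread):
    """Single-connection SMTP receiver (a stand-in for the recipient's MTA).

    Speaks just enough RFC 5321 to accept one message, and records the
    envelope sender, the envelope recipients and the raw DATA it was given,
    plus a transcript of both sides of the dialogue.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # OS picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.envelope_from = None
        self.envelope_to = []
        self.data = b""
        self.transcript = []

    def run(self):
        conn, _ = self.sock.accept()
        f = conn.makefile("rb")

        def reply(line):
            self.transcript.append("S: " + line)
            conn.sendall((line + "\r\n").encode())

        reply("220 mx.gmail.example ESMTP ready")
        while True:
            raw = f.readline()
            if not raw:
                break
            line = raw.decode(errors="replace").rstrip("\r\n")
            self.transcript.append("C: " + line)
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                reply("250 mx.gmail.example")
            elif verb == "MAIL":
                # "MAIL FROM:<addr>" -- the envelope sender; nothing checks it here
                self.envelope_from = line.split(":", 1)[1].split()[0].strip("<>")
                reply("250 OK")
            elif verb == "RCPT":
                self.envelope_to.append(line.split(":", 1)[1].split()[0].strip("<>"))
                reply("250 OK")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while True:
                    chunk = f.readline()
                    if chunk in (b".\r\n", b".\n", b""):
                        break
                    body.append(chunk)
                self.data = b"".join(body)
                self.transcript.append("C: <headers and body, terminated by a lone '.'>")
                reply("250 OK queued")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 command not recognised")
        conn.close()
        self.sock.close()


def send_spoofed(port):
    """Send a message whose From: header disagrees with the SMTP envelope."""
    msg = EmailMessage()
    msg["From"] = "Old Friend <oldaccount@aol.example>"   # what the recipient's client shows
    msg["To"] = "friend@gmail.example"
    msg["Subject"] = "a thought for today"
    msg.set_content("Treat your friend as though he might become your enemy.")
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5) as s:
        # First argument is the envelope sender (MAIL FROM); it is independent of the header.
        s.sendmail("bounce-handler@spammer.example", ["friend@gmail.example"], msg.as_string())


def demo():
    server = TinySMTPServer()
    server.start()
    send_spoofed(server.port)
    server.join(timeout=5)
    parsed = email.message_from_bytes(server.data)
    return {
        "envelope_from": server.envelope_from,      # bounce-handler@spammer.example
        "envelope_to": server.envelope_to,          # ['friend@gmail.example']
        "header_from": parsed["From"],              # Old Friend <oldaccount@aol.example>
        "transcript": server.transcript,
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["transcript"]))
    print("envelope sender:", result["envelope_from"])
    print("From: header   :", result["header_from"])
```

The transcript printed by the `__main__` block is exactly what one would type by hand over telnet (EHLO, MAIL FROM, RCPT TO, DATA, QUIT), which is why no special program or privilege is needed. The only record a receiving server reliably makes is the IP address it accepted the connection from, which it writes into a Received: header; everything in the DATA section, including From:, Date: and any earlier Received: lines, is supplied by the sender.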
Reading headers: First of all, you have to be able to see the whole header. It could be dozens of lines long. For some strange reason, a lot of web-mail sites no longer let you see the whole header. I like to scan ones that I think may be off for one reason or another. (Situations not unlike what the OP’s friend encountered.)
If the spammers kept it simple, the first machine in the sequence of mail servers it went through would be the true source. But since a lot of the header can be faked, the spammer can create an initial source header that looks like it’s coming from a legitimate site, and then the real header gets added as it goes out. (Routing through other servers used to be common, but open email relaying was a Bad Thing and went away more or less because of this.) Hence, the real source would be somewhere in the midst of the chain of servers. Someone with a good background in email header reading could deduce the likely real source. Hard enough that it can only be partially automated well.
One thing to keep in mind is that the original Internet (ARPANET) folk were incredibly trusting, pretty much knew each other, etc. So the necessary features to ensure trust about things like email headers just weren’t thought of at the time. By the time things took off, it was too late to force true security into the system. There are authorization fields in headers, but these are optional and if they were required, things would break for too many people. You can’t even force sanity checking on the time stamps on email since so many servers out there permanently have the wrong date or time, or messages get held up for downed servers. So spammers can set the origin time to whatever they like so it might appear in your inbox at the top.
Don’t trust any email by default. Not the From, the attachments or the links.
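Added example (not code from any poster in this thread): the header-reading procedure described above, automated as far as it can be. Received: headers are written by each server that handles a message, newest on top, so the ones added by the recipient’s own provider are trustworthy and everything below the point where that provider accepted the connection from an outside host is unverifiable text the sender could have forged. The function walks the chain from the top, stops at the first hop a trusted server recorded from an untrusted host, and reports that host’s IP as the best available origin. The sample message is constructed for the example and uses made-up hosts and addresses (`gmail.example`, `isp-de.example`, `aol.example`); the two bottom Received: lines are the forged “it came from AOL” trail, and the trusted-domain list is an assumption the caller supplies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message. Folded header lines begin with a tab.
SAMPLE = """\
Return-Path: <bounce-handler@spammer.example>
Received: from mx-in.gmail.example (mx-in.gmail.example [192.0.2.10])
\tby inbox.gmail.example with ESMTP id abc123
\tfor <friend@gmail.example>; Tue, 04 Jan 2011 09:15:02 -0500
Received: from mail.isp-de.example (dsl-pool-77.isp-de.example [203.0.113.77])
\tby mx-in.gmail.example with ESMTP id def456;
\tTue, 04 Jan 2011 09:15:01 -0500
Received: from imo-m01.mx.aol.example (imo-m01.mx.aol.example [198.51.100.5])
\tby mail.isp-de.example with ESMTP id ghi789;
\tTue, 04 Jan 2011 09:14:58 -0500
Received: from oldaccount.aol.example (oldaccount.aol.example [198.51.100.60])
\tby imo-m01.mx.aol.example with ESMTP id jkl012;
\tTue, 04 Jan 2011 09:14:55 -0500
From: Old Friend <oldaccount@aol.example>
To: friend@gmail.example
Subject: a thought for today
Date: Tue, 04 Jan 2011 09:14:55 -0500

Treat your friend as though he might become your enemy.
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving server>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # what the receiver saw
    r"\s+by\s+(?P<by>\S+)",                                   # server that wrote the line
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return the parsed message and its Received: hops, newest first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({k: (v.lower() if v else None) for k, v in m.groupdict().items()})
        else:  # unparseable line: carries no usable claim, treated as untrusted
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None})
    return msg, hops


def is_trusted(host, trusted_suffixes):
    return host is not None and any(
        host == s or host.endswith("." + s) for s in trusted_suffixes
    )


def trace_origin(raw_message, trusted_suffixes):
    """Find the first hop where a trusted server accepted mail from an outside host.

    Only the 'rdns'/'ip' fields are believed, because the trusted receiver
    filled those in itself; the HELO name is whatever the sender claimed.
    """
    msg, hops = parse_hops(raw_message)
    for i, hop in enumerate(hops):
        if not is_trusted(hop["by"], trusted_suffixes):
            break  # a line we did not write: chain is unverifiable from here down
        if is_trusted(hop["rdns"], trusted_suffixes):
            continue  # internal relay between the provider's own servers
        return {
            "source_ip": hop["ip"],
            "source_rdns": hop["rdns"],
            "claimed_helo": hop["helo"],
            "recorded_by": hop["by"],
            "hop_index": i,
            "unverifiable_hops": len(hops) - i - 1,   # forged or unprovable lines below
            "header_from": parseaddr(msg.get("From", ""))[1],
            "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        }
    return None


def findings(report):
    """Turn the trace into the observations a header reader would note."""
    notes = []
    from_domain = report["header_from"].rsplit("@", 1)[-1]
    if report["source_rdns"] and not report["source_rdns"].endswith(from_domain):
        notes.append("From: claims %s but the message entered from %s (%s)"
                     % (from_domain, report["source_rdns"], report["source_ip"]))
    if report["return_path"] != report["header_from"]:
        notes.append("Return-Path %s differs from From: %s"
                     % (report["return_path"], report["header_from"]))
    if report["unverifiable_hops"]:
        notes.append("%d Received: line(s) below the handoff cannot be verified"
                     % report["unverifiable_hops"])
    return notes


if __name__ == "__main__":
    report = trace_origin(SAMPLE, ["gmail.example"])
    print("likely origin:", report["source_ip"], report["source_rdns"])
    for note in findings(report):
        print("-", note)
```

Which domains to trust is the one thing that cannot be automated: it is the recipient’s own provider, whose servers are known to write honest Received: lines. Against the sample, the handoff is the line `mx-in.gmail.example` recorded from `203.0.113.77`, a German-looking dial-up pool in this constructed case; the two AOL-looking lines beneath it were never written by AOL, which is consistent with the thread’s conclusion that the message did not pass through the old account at all.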