Spam email sent from acct - how to address?

wevets · June 18, 2012, 4:15pm

This weekend my Yahoo! account started sending out spam to everyone in my address book.

I’ve already:

Changed the account password
Changed the verification 2nd email address associated with the account
(In progress) Running anti-virus/malware checks on my computer.
Are there any other steps I should take?
I’ve debated in my head making this email account my ‘trash’ account that gets submitted to things that ask for an email account. I’ve stuck with that account because I have a nice, short, easy-to-remember username. Still, I can’t have my friends being spammed because I made a mistake.
The other issue is that I wonder how much I can even do about this. Even though I’ve changed the password, can’t they still spoof the account address and spam anyone who accepts email from that address?
Any information or links to what to do would be helpful. Thanks!

Sunspace · June 18, 2012, 4:35pm

Email can be sent with forged headers making it seem like it’s from you, even though it may never have touch your computer or online account.

Are you sure that it is actually your Yahoo account that’s sending the spam? Can you ask one of the recipients to send a spam sample, including all the header information that many email programs and services hide, back to you, so you can post it and we can go over the header information? That way we can at least see where it really came from…

filmore · June 18, 2012, 4:36pm

You said it was sent from your yahoo account. There are two ways to understand this:

It was sent from your yahoo account just as if you logged in and sent them yourself.
Spammers sent the email from some random location but forged your yahoo email address in the From field. The spam looks like it came from your yahoo account, but if you look at the headers you can see it came from some other place (like Russia).

Do you know which scenario you are dealing with?

If it’s the first case, then the spammers likely got your email and password by hacking some other website. The other website stored your email/pw in a database and the hackers stole that. Likely they did not hack your computer with a virus, but you never know. Do you use the same password for yahoo as other websites? If so, hackers can hack those other websites to get your email password.

You should change all your passwords for all your accounts. The hackers may try the same email/pw combination on other sites that use email login like netflix, facebook, etc. In addition, hackers may have had access to your inbox and could have read any messages there. They may have downloaded those messages looking for other logins in the inbox messages.

wevets · June 18, 2012, 4:55pm

That’s a great question - it occurred to me, but I don’t really know what I’m looking for. Luckily that acct had many outdated email addresses and I got bouncebacks from those:

Delivery Failure Bounceback:

— Below this line is a copy of the message.

Received: from [98.139.215.141] by nm35.bullet.mail.bf1.yahoo.com with NNFMP; 17 Jun 2012 23:30:49 -0000
Received: from [98.139.212.245] by tm12.bullet.mail.bf1.yahoo.com with NNFMP; 17 Jun 2012 23:30:49 -0000
Received: from [127.0.0.1] by omp1054.mail.bf1.yahoo.com with NNFMP; 17 Jun 2012 23:30:49 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 675483.77527.bm@omp1054.mail.bf1.yahoo.com
Received: (qmail 60990 invoked by uid 60001); 17 Jun 2012 23:30:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1339975849; bh=2FiequQf3KjnQuD2GoYhsZvXTh2Wgd455jiy7zOBoxU=; h=X-YMail-OSG:Received:X-Mailer:Message-ID[noparse]:D[/noparse]ate:From:Reply-To:To:MIME-Version:Content-Type; b=A1h1nN7APPQ1ZvOjaYaZD2vIwH/S6nqV1JzcTh6Q15i2pcIoV6sQaAzuM5ReEaOUFNUGkWHyMLhKZyLfWUHuF+Qc/VQ1HXjyYpnlj/88gfXr3fKvyJimldr0+UyfkqIRZp56E7l/VaVV+CDeYDj4o/z/W032Nbur6X6LCwr/XVI=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Message-ID[noparse]:D[/noparse]ate:From:Reply-To:To:MIME-Version:Content-Type;
b=2G6wnvUWk1diFXqeCmRpD4CVHg/gNKstXXpoZ5krAWvHePdOXrTEhU2H7O6xIOJ/WYoOC7cT7Jye8iHQHI2o/PTwbK1cTBfzmuxJ+RpqW2/mqiPlG2oh259Dt3sIGKD52z/GIoI6hcMEDbEj4bh15nM72iEFtAd3PAmSBSmocwY=;
X-YMail-OSG: xxOhFD8VM1kr7tmUqJvQ23n8uFPm3zY3tPg7mFUFAUBhSh6
Gn.7y5SyUSIemWQKCkhxEGCoExMZONe5ZH8kTURc2NI4P4NVoqxZuBAxHf4S
XBcPNfp2BMDvfkJFSdC8JN6Ttrili7SJ24iWKfRjliq.5E11_kTLHZHF4.zb
nTAd.ogpD9wy7qMBvjo8q4TssaXMrRCI.hL9jIvl4UmIT1pJQs9ipX6StRqC
6xl6Qomyuj6Rj75dC8PxhOzUFJQMoydV2fW7LocPIydfhE.RUdoK03V5IrNY
5WPFHl9rcolA0v0v5p2XnBSpUMQ91lnxSz1g5ogIiBry4QiJDToc.rT8jEx3
DwaUOqQ4RFGDZDp9kjVdpdd85OfDbos2kAUhe_30GfksFY6fD.7nIFPDNlWV
ZDgu8k_BShCFzm8wl8BEghHob2I2rj9XFlclk__oGg7GEBgDmPBYgxgpZbcY
.pqxr1szbGJvshKiqpsnPizQNkiWIjZoTRUFF51Q7i6z_XtpJ5_CgvElzrP4
o0y90dNAibjHLl4nMZ6vK3NPF48HwcyLfiH6c20_HM8q_U7_uquLMn_aYa_j
23tsIghYqU00BxpGCJPHV3SK0rVE55eENReU.YtPy3wNE7BKDRlYmSpyJGa2
KxaI.nL5DqbjjWA_68c9tLA–
Received: from [200.88.85.108] by web161403.mail.bf1.yahoo.com via HTTP; Sun, 17 Jun 2012 16:30:49 PDT
X-Mailer: YahooMailWebService/0.8.118.349524

Does the bolded portion indicate that my Yahoo account is actually the one sending the spam?

I’m guessing it does, but I don’t really know what I’m looking for.

I did have one other account that used the same password. I’ve changed that one too.
Seems to me that I’m dealing with scenario #1 from filmore’s post.

filmore · June 18, 2012, 5:15pm

Those headers do look like they’re using your real yahoo account to send the spam. The address at the bottom (200.88.85.108) is the spammers computer in the Dominican Republic. From that computer he logged into yahoo. The rest of the headers seem to match the yahoo mail servers. So likely the spammers got your email/pw from somewhere and used it to log into your account and send spam.

Make sure the pw used on your email account is unique and used no where else.

tellyworth · June 18, 2012, 9:52pm

A thousand times this.

Don’t even use a similar password. They need to be unrelated.

Mann_Slaughter · June 19, 2012, 4:51am

I had this happen to me through my Yahoo account about 2 years ago.
But probably the worst thing about it was the fact that the SPAM which was sent out was CC’d to everyone in my contact list, which at the time included a VERY insecure girlfriend, and generated a ton of questions!

“Who’s THIS person?”
“Why do you still have your ex-girlfriend in your E-mail contacts?!?”, etc.

I thought she’d never stop asking about my contacts.

To keep this from ever happening again I did what you did, (Changed password; Verification E-mail; Virus scan) but I also added the words “REMOVE_BEFORE_SENDING” to all of my contacts’ E-mail addresses, right after their name, and before the “@”. Yes, it adds an extra step to delete those words before sending an E-mail, but I never have to worry about anyone getting SPAM through that account again.

inzoii122 · June 19, 2012, 5:41am

I have the same problem, I always get the notice that a lot email back to my inbox but they are send as a different name.

Like my email is 12@ooo.com

But the return fail email saying that the email from 99@000.com is sending the email and can’t be received.

But why the email keep coming into my account as fail

wevets · June 19, 2012, 3:16pm

That’s an excellent idea - I might do that.

BTW, the Norton scan came up empty. Is there anything else I need to do, my-end-wise?

Mann_Slaughter · June 20, 2012, 6:08am

If I’m concerned with security I run my default antivirus program, Microsoft Security Essentials, (it’s completely free for activated versions of Windows Vista and up [I have Win7]) as well as Malwarebytes, and SuperAntiSpyware.

Outside of the issue with Yahoo & the jealous ex I mentioned, I’ve not had any problems since.

ThelmaLou · June 20, 2012, 5:07pm

I have both a yahoo account and a hotmail account that I use for sign-ups etc. where I don’t care if I get spam or junk mail. Neither of these is my main email account. Neither one has any contacts in the contact list, since I never send mail from them, but only receive mail. So am I safe from this spoofing thing WRT these two accounts?

Mama_Zappa · June 21, 2012, 4:38pm

filmore:

You said it was sent from your yahoo account. There are two ways to understand this:

It was sent from your yahoo account just as if you logged in and sent them yourself.

Spammers sent the email from some random location but forged your yahoo email address in the From field. The spam looks like it came from your yahoo account, but if you look at the headers you can see it came from some other place (like Russia).

Do you know which scenario you are dealing with?

If it’s the first case, then the spammers likely got your email and password by hacking some other website. The other website stored your email/pw in a database and the hackers stole that. Likely they did not hack your computer with a virus, but you never know. Do you use the same password for yahoo as other websites? If so, hackers can hack those other websites to get your email password.

You should change all your passwords for all your accounts. The hackers may try the same email/pw combination on other sites that use email login like netflix, facebook, etc. In addition, hackers may have had access to your inbox and could have read any messages there. They may have downloaded those messages looking for other logins in the inbox messages.

Yep.

There seems to have been quite a few Yahoo compromises in the past week - my brother’s account, and a friend’s account, both sent out spam. My brother said that his was in fact compromised; the friend didn’t say one way or the other. A careless hacker might not clean up the sent mail folder when spamming from a compromised account, and that’s pretty good evidence that they’ve actually gotten in. Of course, someone being extra careful would use your account for spamming, delete the sent mails, and avoid using your address book, all reducing the chances of getting caught.

Of course, even if your account was hacked, the hackers now have copied your address book and can continue to send out spam “from you” by spoofing the address. As far as I know, there’s nothing you can do about that :(.