3

Spam emails went out for an hour earlier this week bearing my Yahoo account in the FROM field and going out to all my contacts.

I changed the password, then saw (via rejected emails sent to my Yahoo account) that mail had gone out again with my email in the "FROM" field, to all my contacts.

However, in neither case did the account show to be accessed (verified in the Yahoo web client), nor did the account have anything in the sent folder of the account.

So I looked at the headers, and the last "Received" marker before the FROM looked suspicious, leading me to believe that my account is no longer able to be accessed, but with my full contact list, the spammers can now impersonate me and send out mail to my contacts.

Two of the headers' "Received" markers are shown below:

The "FROM" marker in each is my Yahoo account, caveatrob@yahoo.com

Received: (qmail 9004 invoked by uid 0); 27 Feb 2014 06:16:28 -0000
X-TCPREMOTEIP: 1.53.225.12
X-Authenticated-UID: brian@monahanlaw.com
Received: from unknown (HELO monahanlaw.com) (brian@monahanlaw.com@1.53.225.12)
  by 0 with ESMTPA; 27 Feb 2014 06:16:27 -0000
From: "Rob Lastname" <caveatrob@yahoo.com>

This is the second:

Received: from [188.253.180.46] (helo=mst-music.ch) by box6.rapidenet.ca with
 esmtpa (Exim 4.80.1)   (envelope-from <caveatrob@yahoo.com>)   id
 1WIvxj-0003Jw-Rn; Thu, 27 Feb 2014 03:05:00 -0500
From: Rob Lastname <caveatrob@yahoo.com>
Caveatrob
  • Your question is not too clear, but you are absolutely correct that it is possible - and even easy - to fake a "from" e-mail address. There are even online services you can use to do it for about $20, if you're too lazy to do it yourself. What, specifically, do you want to know? – KnightOfNi Feb 27 '14 at 21:15
  • I'd like to know if it's safe to assume: 1. The account is no longer compromised with the password change, 2. The initial hack gave the attacker my address book, so 3. Any mail sent out today is not being sent by my Yahoo account, but via other servers via spoof, so 4. My account is secure, and 5. My address book is forever exposed, so the spammer can continue to send mail to my contacts. 6. There's not much I can do to recover. – Caveatrob Feb 27 '14 at 21:37
  • Sometimes emails can take a while to be rejected. Just wait, if it keeps happening you should investigate the IP and headers to see if they match Yahoo SMTP settings (send an email to a fake address and wait for the rejected reply to compare). Worst scenario he has a session open (cookie hax) and will use it until it expires (in an automated fashion ofc). Best case, no SPF for yahoo and he sends the emails on your behalf from somewhere else, to check this, edit your Name (From: "Rob TheReal Lastname") and check if it appears in future rejected reports – Aki Feb 27 '14 at 23:49

3 Answers

2

From the pieces of information you provided, I would assert:

  • Your Yahoo account wasn't compromised (the 2 headers show the mails weren't coming from Yahoo). No need to change your Yahoo password. Check for yourself that it isn't in the biggest known data leaks:

    Was my account stolen?

  • Your address book was stolen on your PC; your PC might be compromised. Until it is completely checked, you should avoid changing any password from this PC.

  • The 2 extracts of e-mail headers prove that the From: field was simply filled in manually or programmatically (a 10-year-old knows how to write this field as From: God Himself <…>).
  • The 2 hackers who used your address book were using hacked computers located here:

    Where is this IP located?

    Where is this IP located?

dan
2

I will answer this question in accordance with your numbered questions in the comment.

1: Impossible to know without access to your computer, if at all.

2: The attacker did HAVE access to your address book, but it is once again impossible to know if he made a copy of it on his machine.

3: Logically, if an e-mail exists, someone or something sent it. If it wasn't you, it was someone else. As @mr.spuratic pointed out, you can verify for certain that an e-mail WAS sent from within Yahoo, but you can't prove that it wasn't.

4: Impossible to know without access to your computer and account.

5: See 2.

6: Make sure the attacker can't get your password again (do an AV scan, use HTTPS Everywhere, etc.)

Hope this helps you out.

KnightOfNi
  • Yahoo *tend* to use [DKIM](http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) (though they don't definitively state all email does, and publishing DKIM policy is still somewhat messy). If the DKIM signature checks out, then you can be certain it originated within Yahoo, if there is no DKIM-Signature: header then it's a good indicator it did not. – mr.spuratic Feb 28 '14 at 10:03
  • @mr.spuratic Thanks, I actually didn't know that. Still, an absence of a definite policy, in my mind, means there is no way to be certain, just convinced. – KnightOfNi Feb 28 '14 at 15:55
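A worked check of the reasoning in dan's answer (each message entered the mail system at a non-Yahoo server, through somebody else's authenticated account) and of mr.spuratic's DKIM comment, as an added example that is not code from the question or from any answer. It parses the two header extracts quoted in the question plus a constructed sample of what a message that really left the Yahoo account would carry; the hostname, IP and signature values in that constructed sample are placeholders, and the DKIM part only checks that a signature for the From: domain is present and aligned (cryptographic verification needs DNS lookups and a library such as dkimpy). Standard library only.

```python
"""Triage a suspected forged From: header from the Received: chain and DKIM.

Added example, not code from the original thread. Answers: did this message
enter the mail system through the claimed sender's provider, or did someone
else's authenticated account at another server simply write the From: line?
"""
import email
import re
from email.utils import parseaddr

# The two header extracts quoted in the question.
SAMPLE_1 = """\
Received: (qmail 9004 invoked by uid 0); 27 Feb 2014 06:16:28 -0000
X-TCPREMOTEIP: 1.53.225.12
X-Authenticated-UID: brian@monahanlaw.com
Received: from unknown (HELO monahanlaw.com) (brian@monahanlaw.com@1.53.225.12)
  by 0 with ESMTPA; 27 Feb 2014 06:16:27 -0000
From: "Rob Lastname" <caveatrob@yahoo.com>
"""

SAMPLE_2 = """\
Received: from [188.253.180.46] (helo=mst-music.ch) by box6.rapidenet.ca with
 esmtpa (Exim 4.80.1)   (envelope-from <caveatrob@yahoo.com>)   id
 1WIvxj-0003Jw-Rn; Thu, 27 Feb 2014 03:05:00 -0500
From: Rob Lastname <caveatrob@yahoo.com>
"""

# Constructed sample (placeholder host, documentation IP, dummy signature values;
# not a real Yahoo message): a DKIM-Signature whose d= matches the From: domain.
SAMPLE_3 = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 h=From:To:Subject:Date; bh=CONSTRUCTED; b=CONSTRUCTED
Received: from [203.0.113.7] by placeholder-mta.yahoo.invalid with ESMTPSA;
 Thu, 27 Feb 2014 08:00:00 -0000
From: "Rob Lastname" <caveatrob@yahoo.com>
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def first_hop(msg):
    """Describe the earliest Received: header (where the message entered the
    mail system). Each MTA prepends its header, so the last one is the first hop."""
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    if not received:
        return {}
    hop = received[-1]

    def grab(pattern):
        m = re.search(pattern, hop, re.I)
        return m.group(1) if m else None

    return {
        "raw": hop,
        "by": grab(r"\bby\s+(\S+)"),                       # receiving server
        "helo": grab(r"\bhelo[=\s]+([\w.\-]+)"),            # name the client claimed
        "ip": grab(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),      # client address
        "envelope_from": grab(r"envelope-from\s+<([^>]+)>"),
        # ESMTPA / ESMTPSA: the client logged in to this server before sending
        "authenticated": grab(r"\bwith\s+(esmtpsa|esmtpa)\b") is not None,
        # qmail-style "(user@domain@ip)" records the authenticated user inline
        "auth_user": grab(r"\(([^()\s@]+@[^()\s@]+)@[\d.]+\)"),
    }


def dkim_domains(msg):
    """d= tags of any DKIM-Signature headers (presence only; nothing is verified)."""
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", " ".join(value.split()))
        if m:
            out.append(m.group(1).lower())
    return out


def assess(raw_headers):
    """Return the evidence and a verdict for one raw header block."""
    msg = email.message_from_string(raw_headers)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    hop = first_hop(msg)
    auth_user = msg.get("X-Authenticated-UID") or hop.get("auth_user")
    dkim = dkim_domains(msg)
    aligned = [d for d in dkim if d == from_dom or from_dom.endswith("." + d)]
    if aligned:
        # Signature present for the From: domain; still needs real verification.
        verdict = "signed-by-from-domain"
    elif auth_user and _domain(auth_user) != from_dom:
        # Someone authenticated as a different identity and typed our From:.
        verdict = "forged-from"
    elif hop.get("authenticated") and not (hop.get("by") or "").lower().endswith(from_dom):
        # Authenticated submission, but to a server that is not the From: domain's.
        verdict = "forged-from"
    else:
        verdict = "inconclusive"
    return {"from_domain": from_dom, "first_hop": hop, "authenticated_as": auth_user,
            "dkim_domains": dkim, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("question header 1", SAMPLE_1), ("question header 2", SAMPLE_2),
                         ("constructed signed sample", SAMPLE_3)):
        r = assess(sample)
        print(f"{name}: {r['verdict']} (entered at {r['first_hop'].get('by')}, "
              f"authenticated as {r['authenticated_as']}, dkim d={r['dkim_domains']})")
```

Both real extracts come out as forged-from: in the first, the X-Authenticated-UID shows a monahanlaw.com account logging in to a non-Yahoo server and writing a yahoo.com From:; in the second, the submission was authenticated (esmtpa) to box6.rapidenet.ca, so the message never passed through Yahoo. A message that genuinely left the Yahoo account would normally carry a DKIM-Signature with d=yahoo.com, which the constructed third sample illustrates; treat that only as a prompt to verify the signature, not as proof by itself.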
-3

PROBLEM SOLVED. I fixed this issue on my own and I am not even computer savvy. This same exact thing happened to me the other day on my Yahoo account. I was receiving tons of spam e-mails from my own e-mail account. My account was not hacked. I changed my password several times and they still kept coming in. I finally went into the Yahoo help center and I read that if you change the default setting so that your e-mails do not show images, it will prevent this from happening. It said that even though it looks like your e-mail is sending you spam, it is actually spammers disguising themselves with your e-mail, not actually hacking into your account. I went into the settings and chose "do not show images," and suddenly, all the spam e-mails that were in my account were going to my spam folder. I guess somehow, when your e-mails automatically show the images, it sends some type of confirmation to the spammers that the e-mail is legit or something to that effect. Either way, after changing my settings to "do not show images," the continuous spam mail stopped going into my inbox and went directly to the spam folder. Job done!

  • 1
    *it is actually spammers disguising themselves with your e-mail* is generally the case, but not likely in this scenario, since all his contacts were spammed. Also that changing *show images* will stop this (in the 'general' case) assumes that the spammers take the trouble of checking email arrival with image tags, which is *not* very likely. Many of them don't care at all since spamming is cheap. If it works at all is because 'you' mailed to 'you' (and you had the rare spammer that checked arrival), that is not the case for the OP. –  Jan 08 '16 at 13:06
  • 1
    This is a completely different problem. – Xander Jan 08 '16 at 18:33