Spam from your friends:
by Rich Pasco
Never give your e-mail password to anyone, or enter it into any web site other than your own e-mail server in the normal course of logging in to read your mail.
Does changing your password put a stop to it? Yes and no.
It will stop the hacker who knew your old password from using it to log in to your account again. However, if he copied your address book while he had your password, he can continue to use his copy to send junk mail to your contacts indefinitely. He can even spoof (forge) your address onto his “From:” line so that future mail appears to come from your account even when it does not (see below). Basically, once someone knows something, there is nothing you can do to make him forget it or stop using it. That is why it is vitally important not to let him have it in the first place.
Also, if you don't know exactly how the hacker got your old password, consider that he might use the same trick to get your new one. For example, if your computer is infected with spyware, it could report your new password back to its master as easily as it reported your old one.
Sometimes the first reaction of people whose e-mail accounts have been hacked is to close that account and open a new one. This is seldom necessary, and it forces you to notify all of your correspondents of your new address.
Closing an account may be useful if you're receiving a lot of spam, but that's not the subject of this essay. We're talking about someone else signing in to your account as if he were you, in order to send spam. In that case, changing your password as described above should fix it. And if for some reason it doesn't, i.e. the hacker somehow gets your new password too, then he could probably just as easily get the password to any new account you might create.
Don't just abandon old e-mail accounts. Close them out with the service provider so they cannot be used again.
Sometimes when I phone a friend to tell them their e-mail account has been compromised, they say, “Oh, I don't even use that account any more.” I encourage them to contact their service provider and close the account. Leaving it open not only makes it available for malicious use, it also risks your reputation.
Conversely, if the mail is being sent by some route other than through your e-mail account, there is little you can do to stop it. The “From:” address on an e-mail is easier to forge than the return address in the upper-left corner of a postal envelope, and is in no way proof of where a message really came from; the only reliable evidence of origin is in the “Received:” headers added by the mail servers (see below). Once spammers know and use your e-mail address in this way, you can't stop them.
There is a lot you can do to prevent your address from being used in the first place: Keep it private to only your trusted friends and private communities; never post your e-mail address on a web site or publicly viewable forum.
Keeping your e-mail address private will not only cut down on the junk mail you receive; more importantly, it will deny spammers an address of yours to forge as the source of junk mail.
Out of respect for your friends and business contacts, safeguard your e-mail address book as if it were gold. Giving it to strangers invites them to send junk mail to your contacts, and/or to spoof their addresses onto junk mail they send to you and others.
This article is mostly concerned with situations where your e-mail address appears on the “From:” line of junk mail sent to others. Conversely, however, no discussion of spoofing would be complete without mentioning spoofs you'll find in your inbox.
Because many e-mail programs now regard mail from unknown addresses with suspicion, and spammers have a vested interest in gaining the confidence of their targets, many spammers will spoof onto their “From:” line an e-mail address that many people have in their white list of acceptable senders. This might be the address of a popular financial institution or a social networking site. In many but not all of these cases, the body of the mail is also designed to resemble a notification from one of these services, like “your bill is ready” or “you have an update,” so click here for details. For more about these spoofs, see my companion essay, “Every trick in the book: how hackers take over your computer.”
I have received an increasing number of reports where spam is delivered with its “From:” line bearing the name of one of the targeted recipient's contacts, in conjunction with a random e-mail address (not the real e-mail address of the supposed sender).
It remains a mystery how the spammer knows the names of the target's contacts but not their e-mail addresses. If the spammer had intercepted a prior e-mail, he would have known the contact's real e-mail address and probably would have used it along with the contact's name, instead of a random address. So I keep looking for other explanations.
One possible explanation is that the spammer visited the target's Facebook page and there looked at the target's list of Friends. That would explain how he knew their names but not their e-mail addresses. This is one reason I advise my clients to hide their list of Facebook Friends from public view. The other, primary reason is to reduce the incentive for an impostor to clone their profile and send Friend requests to all of their real Friends. If you are receiving spam like this, I recommend that you review the settings on your personal Facebook account and change them so that your list of Friends is not open to public view. Detailed directions on how to do this are here: Keep your Friends list non-public
That way, a spammer intending to send you junk mail will not know whose name to spoof on his “From:” line.
Of course, nothing you can do now will force spammers to forget what they already know.
Here's how I determined the physical location of the hacker who took over my friend Patrick's e-mail account. You may use the same technique, bearing in mind that the details will vary depending on your e-mail software and the nature of the hack.
I opened the hacked message in my e-mail client reader (Mozilla Thunderbird), and invoked “View Message Source”. The exact command varies depending on your e-mail client software. In some others it is “View Full Headers.”
When looking at the headers of a message, you will see a number of lines beginning “Received:”. These are like postmarks, added by each server that handles a message on its way to you. They are in reverse chronological order, the older ones farther down the page. One caveat: each server vouches only for the line it adds, so a spammer can insert fake “Received:” lines of his own beneath the genuine ones. Work from the top down, and trust a line only as far as you trust the server that added the line above it. Subject to that caveat, the oldest one tells the origin of the message:
The hacker's IP address is 220.127.116.11
Next, I invoked IP2Location to tell me where in the world this address is located. This commercial service allows unregistered guests 20 free lookups per day. I entered that address into their demo form and got:
The hacker is in Nigeria, state of Lagos, town of Badagry
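The header walk described above, as an added worked example that is not part of the original essay: a short Python script that parses the “Received:” chain of a message, lists the hops oldest first, pulls out the originating IP, and sets it beside what the “From:” line claims. The sample message, host names and addresses are constructed for the demonstration (documentation address ranges, not real servers); the geolocation lookup is left to the reader because it needs network access.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not a real capture): junk mail that claims to be
# from "Patrick" but was submitted to his provider's server from an unknown host.
# Continuation lines are folded with leading spaces, as in real headers.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.org with ESMTP id 12345
    for <me@example.org>; Tue, 5 Oct 2010 10:01:12 -0700
Received: from smtp.mailhost.example (smtp.mailhost.example [198.51.100.7])
    by mx2.example.net with ESMTP; Tue, 5 Oct 2010 10:01:10 -0700
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by smtp.mailhost.example with ESMTPA; Tue, 5 Oct 2010 10:01:05 -0700
From: Patrick <patrick@mailhost.example>
To: me@example.org
Subject: Check this out!
Message-ID: <20101005100105.1@mailhost.example>

You have to see this: http://example.com/promo
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Received: headers oldest first, i.e. in the order the message travelled."""
    msg = message_from_string(raw, policy=default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def hops(raw):
    """Each hop as (from_host, by_host, bracketed_ip), oldest first."""
    out = []
    for text in received_chain(raw):
        m = HOP_RE.search(text)
        ip = IP_RE.search(text)
        out.append((m.group(1) if m else None,
                    m.group(2) if m else None,
                    ip.group(1) if ip else None))
    return out


def origin_ip(raw):
    """IP in the oldest Received: line: the host that submitted the message.

    Caveat: only the Received: lines added by servers you trust are reliable.
    A spammer can pre-insert fake Received: lines below the genuine ones, so
    read from the top down and stop trusting lines once you pass a server
    you do not know.
    """
    for _, _, ip in hops(raw):
        if ip:
            return ip
    return None


def origin_report(raw):
    """Summarise what the headers say against what the From: line claims."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0].addr_spec
    chain = hops(raw)
    return {
        "claimed_from": sender,
        "claimed_domain": sender.rsplit("@", 1)[-1],
        "origin_ip": origin_ip(raw),
        "first_server": chain[0][1] if chain else None,
        "hop_count": len(chain),
    }


if __name__ == "__main__":
    for f, b, ip in hops(SAMPLE):
        print(f"{ip or '-':>16}  {f} -> {b}")
    print(origin_report(SAMPLE))
    # The origin IP would then be looked up in a geolocation service such as
    # IP2Location, as the essay describes; that step needs network access.
```

Here the first server to handle the message (`smtp.mailhost.example`) belongs to the friend's provider and accepted an authenticated submission (ESMTPA) from 203.0.113.45, which is the pattern of a hijacked account rather than a forged “From:” line; a forged message would typically enter at a server unrelated to the friend's domain.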
Whenever I get obvious spam (junk mail) from a friend's account, I hit “Reply to All” to alert my friend and all of his correspondents to the problem. Often, my friend was unaware that his account was compromised until he heard from me. And sometimes the copy that the other recipients get alerts them to the problem, so they don't take the bait and click the malicious link.
A bounce message is an automated reply from a mail server reporting that an e-mail message was not deliverable as addressed, perhaps because the address is invalid, or the recipient's inbox is full. I was stunned recently when a friend told me that he just deletes “return to sender” bounce messages unread. You should always carefully read bounce messages! They are very important!
They say exactly why your message was bounced. If the address to which you sent it is no longer valid, then you should delete the invalid address from your contacts, and, if appropriate, call up your contact on the phone to get their new address.
Usually the bounce message includes a copy of the e-mail you tried to send, or at least its headers. Look at it! If it is really an e-mail you tried to send, then you just need to update your contact's address as above. If not, then the fact that you're getting a bounce of a message you did not knowingly send is the first clue that your account has been spoofed or hacked, a matter which you should take very seriously.
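An added example, not from the original essay, of the triage just described applied to a bounce in the standard delivery-status-report format: it extracts the original message's Message-ID and checks it against the Message-IDs of mail you actually sent, then reads the status code to decide whether the address is dead. The bounce text, addresses and the set of sent Message-IDs are constructed for the demonstration; in practice the Message-IDs come from your Sent folder.

```python
from email import message_from_string
from email.policy import default

# Constructed sample bounce in the standard multipart/report shape (RFC 3464);
# not a real captured message. The placeholders let us build two variants.
BOUNCE_TEMPLATE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.provider.example>
To: me@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.provider.example.
Your message could not be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.provider.example

Final-Recipient: rfc822; oldfriend@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

--B1
Content-Type: text/rfc822-headers

From: me@example.org
To: oldfriend@example.net
Subject: {subject}
Message-ID: {msgid}

--B1--
"""

# Constructed stand-in for your Sent folder: Message-IDs of mail you really sent.
SENT_IDS = {"<20101005.1@example.org>"}

# A bounce of something you really sent, and one for a message you never wrote.
LEGIT_BOUNCE = BOUNCE_TEMPLATE.format(subject="Lunch on Friday?",
                                      msgid="<20101005.1@example.org>")
SPOOF_BOUNCE = BOUNCE_TEMPLATE.format(subject="Cheap watches!!!",
                                      msgid="<zz9@bulk.example>")

DSN_FIELDS = ("Final-Recipient", "Action", "Status", "Diagnostic-Code")


def dsn_fields(bounce):
    """Collect the per-recipient fields from the message/delivery-status part."""
    fields = {}
    for part in bounce.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # the parser splits this part into header blocks
        if isinstance(blocks, str):  # defensive: fall back to splitting raw text
            blocks = [message_from_string(b, policy=default)
                      for b in blocks.strip().split("\n\n")]
        for block in blocks:
            for name in DSN_FIELDS:
                if block[name] is not None:
                    fields[name] = str(block[name]).strip()
    return fields


def bounce_fields(raw_bounce):
    """Convenience wrapper: DSN fields straight from the raw bounce text."""
    return dsn_fields(message_from_string(raw_bounce, policy=default))


def original_headers(bounce):
    """Headers of the message that bounced, from the rfc822-headers or rfc822 part."""
    for part in bounce.walk():
        ct = part.get_content_type()
        if ct == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=default)
        if ct == "message/rfc822":
            return part.get_payload()[0]
    return None


def triage_bounce(raw_bounce, sent_ids):
    """Return (verdict, detail); verdict is NOT_DSN, SPOOFED_OR_HACKED, INVALID_ADDRESS or OTHER."""
    bounce = message_from_string(raw_bounce, policy=default)
    if (bounce.get_content_type() != "multipart/report"
            or bounce.get_param("report-type") != "delivery-status"):
        return "NOT_DSN", "not a standard delivery status report; read it by hand"
    orig = original_headers(bounce)
    orig_id = str(orig["Message-ID"]).strip() if orig and orig["Message-ID"] else None
    if orig_id not in sent_ids:
        # You did not send this, yet it bounced back to you: either your address
        # was forged on the From: line elsewhere, or someone used your account.
        return "SPOOFED_OR_HACKED", f"bounced message {orig_id!r} is not in your sent mail"
    f = dsn_fields(bounce)
    recipient = f.get("Final-Recipient", "").split(";")[-1].strip()
    if f.get("Status", "").startswith("5.1."):  # 5.1.x: bad destination address
        return "INVALID_ADDRESS", f"{recipient} no longer exists; update your address book"
    return "OTHER", f"{recipient}: status {f.get('Status')} ({f.get('Diagnostic-Code')})"


if __name__ == "__main__":
    print(triage_bounce(LEGIT_BOUNCE, SENT_IDS))
    print(triage_bounce(SPOOF_BOUNCE, SENT_IDS))
```

The Message-ID check is the part that matters for this essay: a bounce whose original you never sent is evidence of spoofing or a hijacked account regardless of what the status code says, which is why that test comes before the address clean-up.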
As the author of this page, Rich Pasco would appreciate any feedback you may have to offer. If your e-mail account was hacked, please let me know whether this page was helpful in resolving the problem. I would especially like to know how the hacker took control of your account in the first place, and what steps you took to secure your account and prevent a recurrence. You may e-mail me directly or use this form.
Copyright © 2010-2011 Richard C. Pasco. All rights reserved.