Email Addresses stolen from earthlink account

Hello Experts,

I am not sure even how to ask this question, but some customers of mine have had their email address book (EarthLink account in this case) abused/stolen and had emails sent out on their behalf stating that they were in England and to send money...blah blah.

How did this happen and what can be done about stopping it in the future? I have my suspicions but am new to this type of problem. What's the best way to fix this?

Thanks Experts!
12stringAsked:
younghvCommented:
When you say they are "emails sent out on their behalf", do you mean they are in the "Sent Items" folders?

If so, then the accounts have been compromised and they are going to need to change passwords and security questions.

A more likely scenario is that the email address has been grabbed by a SPAM bot (or being auto-generated) and these emails are being sent from somewhere else - with those return addresses being inserted in the "From" line.

0
jhyieslaCommented:
There are a couple of possibilities.

One is that the actual EarthLink account has been compromised. The best way to handle this is to have the owners of the accounts change their passwords to something very strong, or cancel these accounts and get new ones; obvious logistical issues there on the second part.

The other option, which may be more likely, is that someone somewhere has spoofed their accounts. You'd be very unlikely to ever know who, and there's truly nothing you can do about it. We get emails in all the time from people who appear to be our own users who aren't. I finally had to set up an antispoofing rule in our Spam service. But that still doesn't keep that person from misusing that address to send to other people.
0
younghvCommented:
;)
GMTA - Snap!
0
12stringAuthor Commented:
Thank you Younghv and jhyiesla! Sorry for the delay. I had already changed the email password and changed their Windows account passwords to something we all can live with, and yes, they are stronger.

How can I trace what happened and how it happened? Event Viewer? Where can I go to find out more about these kinds of attacks?

Thanks for your Help!
0
jhyieslaCommented:
Assuming that the issue was some compromise of the account at EarthLink, tightening up the password should stop the problem, unless the user has some keystroke logger on his PC, in which case, if the hacker is still watching, it will happen again. Other than that, not sure there is much else to do or follow up on.

If it's a spoofed email, not sure there is anything you can do about it or much you can do to track it down. I suppose the email header might contain pertinent info, but the hacker most likely would have run it through some proxy servers, in which case following it is very hard; and even if they didn't, does knowing that it came from Bulgaria really help you?
0
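One way to do the header check jhyiesla mentions, as an added example that is not part of this thread: parse the raw headers of one of the scam messages and compare the visible From domain with the envelope sender (Return-Path), the Received chain and the receiving server's SPF result. A forged From line with a mismatching envelope sender points to spoofing (nothing to fix on the customer's account); mail that really left the sender's own mail system with SPF passing points to a compromised account. All headers, hosts and IPs below are constructed sample data.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real capture); hosts and IPs are
# documentation placeholders. The From line claims an EarthLink address,
# but the envelope sender and the oldest Received hop point elsewhere.
SAMPLE_RAW = """\
Return-Path: <bounce-4711@mailer.example.net>
Received: from mx.earthlink.example (mx.earthlink.example [192.0.2.10])
    by inbox.example.org with ESMTP id abc123
Received: from unknown (HELO relay.example.net) (203.0.113.5)
    by mx.earthlink.example with SMTP
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: "A Customer" <customer@earthlink.net>
To: friend@example.org
Subject: Stuck in England, please send money

I lost my wallet and need help getting home...
"""


def domain_of(addr_header: str) -> str:
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def triage_headers(raw: str) -> dict:
    """Compare the visible From domain with the envelope sender, collect the
    Received chain (newest hop first) and give a rough spoof/compromise call."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    # Received headers are folded over several lines; normalise whitespace.
    hops = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    spf_pass = "spf=pass" in msg.get("Authentication-Results", "")
    # A From line that disagrees with the envelope sender while SPF fails is
    # the usual shape of a forged From: the account itself was never used.
    if from_domain != envelope_domain and not spf_pass:
        verdict = "likely spoofed: From does not match envelope sender"
    elif spf_pass and from_domain == envelope_domain:
        verdict = "sent via the sender's own mail system: treat account as compromised"
    else:
        verdict = "inconclusive: walk the Received chain by hand"
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "hops": hops, "spf_pass": spf_pass, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The oldest hop is the last entry in `hops`; as jhyiesla notes, it usually identifies only a relay or proxy, so the From/envelope mismatch and the SPF result carry more weight than the IP itself.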
younghvCommented:
In my experience, there is no definitive way to find out the actual source of the compromise.

As a general statement, the most common causes are websites that require you to give up your email address to register, then promptly sell that information to anyone who will pay.

Another common source is emails that get passed on to 100's/1,000's of people where no one bothers to clean the strings of addresses before forwarding.

Whenever some moron publicly displays my email address in one of those "forward-to-everyone-in-your-address-book" emails, they get one notification from this website:
http://stopforwarding.com/the-email/

The second time they get their own special rule in my Outlook client ("auto-reply") with an explanation of why I am no longer accepting their messages.

(Sorry - pet peeve #3,498)
0
12stringAuthor Commented:
jhyiesla: to answer your question "even if they didn't does knowing that it came from Bulgaria really help you?" No, not right off the bat, but maybe I could start by blocking all IPs from Bulgaria unless I had relatives there. I am just trying to exhaust all possible options and then make the best choice. I keep running into this issue and end up making some kind of excuse to the end user without really knowing what I am talking about. So I figured I would start asking questions on EE and see if I have missed anything.

It appears that nothing new has been created to fight this problem other than make your passwords really strong and, when forwarding emails, minimize if not eliminate all other email addresses within the email.

Anything else?
0
jhyieslaCommented:
The bottom line is you are right, there's nothing new that I know of to really fight this stuff. I keep hearing talk of legitimate ISPs banding together to create an email system based on some kind of certificate, but I'm not sure how far along that is.

If your system supports it, it's possible to block email from non-US IP addresses: http://www.experts-exchange.com/Networking/Misc/Q_21787352.html

However, if they're routing through some anonymous proxy, that may not be much good.

The Internet is just an unsavory place. Like every other place or thing that we come up with or go to, someone will figure out how to spoil it. The whole recent episode with Epsilon points that out. Also, as long as legitimate web sites use "hacker techniques" like spoofing email addresses and use pop-ups to do business, it will make it harder to protect against these things.
0
12stringAuthor Commented:
Thank you two, I really appreciate the info! I would like to split the points evenly between you two. Any objections?
0
jhyieslaCommented:
Works for me.
0
younghvCommented:
Fine - glad to share with jhyiesla and thanks for letting me rant.
0
12stringAuthor Commented:
Once again Thanks Guys for the info!
0