What to do when email gets spoofed?

For the first time ever, my un/pw for my personal email was compromised and someone sent hundreds of SPAM messages from my account even though my provider, Earthlink, shut it down in less than 4 minutes.  

I have a new pw (my account is working properly now), I ran a full virus and spyware scan on my pc (which found nothing).  

Two questions:  

1.  What else should I do to reduce the chance of it happening again and make sure there isn't something more on my pc or WiFi device?

2.  Out of curiosity, what can I do to find out how it happened?  I'm not a real technologist.  In layman's terms, I suspect someone/something had a "sniffer" on either my home WiFi, or my Blackberry connection or via my ISP to learn the pw.  What else could have happened?

I'm more concerned about other un/pw's for accounts to other services (Quickbooks, etc).

All dialog is welcome.

M3Metal Asked:

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
Your BlackBerry mail is encrypted, so shouldn't be a problem there.
If your wi-fi was compromised, you'd probably have more problems than someone sending spam. For that matter, they probably wouldn't have sent it via your own account.
More likely, someone got your password via brute force. However, your ISP should be able to tell you for sure if the spam originated from someone logging on to your account from somewhere else, or if it actually came from your computer.
So what to do?
- Changing your password to a "strong" password is your best bet. That is, one that is at least 8 characters long and uses a combination of upper and lower case letters, numbers and symbols (@,#,$,etc).
- Just to be safe, make sure you change your wi-fi password and that you are using WPA2/PSK encryption.
- If the spam actually originated from your computer, make sure you have an up-to-date antivirus installed.
- Also download and run Malwarebytes: http://www.malwarebytes.org/

edster9999 Commented:
Your password is sent over the network every time you access your emails.  There is a good chance your email clients are set up to do this every 5 or 10 minutes.
Unless your server and your client are set up to use security, the password is sent in plain text.  Anyone can read it as it flies by.

You also have to be careful how you are connecting.  If you connect using wireless then your info is flying round for anyone to read.  A laptop nearby can be pulling all the data out of the air.  This is *very* easy to do.

If you connect from a PC you do not own then there is a chance someone else has already used it and added a program to see what is being typed and send it on.

Step one - Only use secure traffic.  Check there is a tick in the box or option saying 'use secure'.
Try not to use wireless where possible.  Really try not to use public unencrypted wifi (if you do not enter a password to connect then it is not normally encrypted).

Step two - Only use your pc.  Never put in details like email passwords in an internet cafe.  Use your phone or pc.

Step three - check for viruses / malware that are on your pc.

John, Business Consultant (Owner), Commented:
You are using Outlook (according to the zone) and so the email client is local to your machine. So you have picked up some malware and it has figured out your Outlook account to send spam (which is what this malware specifically does). Changing the email password will be temporary if the malware is still there.

Consider scanning with Malwarebytes as an added scan tool to see if it finds anything. Also look up Microsoft for Rootkit Revealer. Download and run that.

... Thinkpads_User

FarWest Commented:
Please note a very important thing: if your only clue that your un/pwd are compromised is that there are messages that have your name as "From", that does not necessarily mean that he used your username. In the SMTP protocol you can set the From to any email address when you send the message, and it is common to receive emails that show you as the sender, but that is part of faking.
So you have to inspect the message headers to know more details.

good luck
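The header inspection suggested in the comment above, as an added example that is not part of the original thread: it compares the visible From domain with the envelope sender and the receiving server's SPF/DKIM/DMARC results, and reports the first Received hop. Both messages, their domains and addresses are constructed samples, and `inspect_headers` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def inspect_headers(raw):
    """Summarise the headers that show where a message really came from."""
    msg = message_from_string(raw)
    # Only trust Authentication-Results added by your own receiving server.
    auth = msg.get("Authentication-Results", "")
    checks = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    received = msg.get_all("Received", [])
    report = {
        "from_domain": domain_of(msg.get("From")),
        "envelope_domain": domain_of(msg.get("Return-Path")),
        # Each server prepends its Received line, so the last is the first hop.
        "first_hop": " ".join(received[-1].split()) if received else "",
        "spf": checks.get("spf", "none"),
        "dkim": checks.get("dkim", "none"),
        "dmarc": checks.get("dmarc", "none"),
    }
    # Strict comparison; real DMARC alignment can also accept subdomains.
    aligned = report["from_domain"] == report["envelope_domain"]
    passed = "pass" in (report["spf"], report["dkim"])
    report["verdict"] = ("sent via the From domain's servers"
                         if aligned and passed else "From header likely forged")
    return report

# Constructed sample: the From line names user@example.net, nothing else does.
SPOOFED = """\
Return-Path: <bounce@bulk.example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=example.net
Received: from relay.bulk.example.org (203.0.113.7) by mx.example.com; Mon, 1 Jan 2024 10:00:05 +0000
From: Account Owner <user@example.net>
"""
# Constructed sample: submitted with a login (ESMTPA) at the real provider.
GENUINE = """\
Return-Path: <user@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=pass header.from=example.net
Received: from smtp.example.net (198.51.100.10) by mx.example.com; Mon, 1 Jan 2024 10:00:05 +0000
Received: from webmail.example.net by smtp.example.net with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000
From: Account Owner <user@example.net>
"""
```

A first hop showing an authenticated submission at the account's own provider points to a stolen password rather than a forged From line.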

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
I was wondering about that (spoofing) when I first saw this question. However I would hope that an ISP would not shut a user's mail or internet access down if there were just spoofs going on. Actually, if that was the case, I would immediately start looking for a new ISP as this one does not know what they are doing.

For M3Metal, a true "spoof" is when someone is just sending email from their own computer, but putting your name on them. Unfortunately, there is nothing you can do about those since your system and even internet connection has nothing to do with it. Hence why I am saying I would doubt your ISP would block you off for that reason.

M3Metal, Author, Commented:
Great input from everyone.  I will inquire with my ISP asking what they know or can find out.  Do these points matter in my determination that it was NOT a breach on my pc or client:  1) my Outlook account shows NO sent messages, 2) I received 100s of email replies from mail servers (such as "user no longer exists", etc.), 3) the sent folder in my ISP's webmail account DID list all the sent messages.

Thus, I think someone got in via the web to my webmail account, not my pc.

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
1. This means they did not totally take over your PC. Usually if your PC is sending spam, it is because the spammer managed to install a separate spamming program, but it still sends mail the same way as your legitimate mail. This isn't what happened in your case, though (see #3).
2. Whether you sent the mail or not, this is what happens because your name was at the top.
3. This tells us it was definitely a breach of your webmail account. If the spam messages had been sent any other way, they wouldn't have shown up in your sent items in webmail.

So that answers our question about where it originated. No need for further input from your ISP on that fact. So it looks like the spammers did manage to find out your webmail password. So changing that is definitely in order. However the other security measures I mentioned before are also good practices to follow.

If you really wanted to find out how it happened, your ISP might be able to check their security logs to see if there was a "brute force" attack against your account (i.e. they kept guessing at the password). If the hackers got it on the first try, they probably got your password from somewhere else, i.e. they compromised your ISP's security, or perhaps hacked in somewhere else that used the same password as you used for your webmail.

Lesson learned from that would be try not to use the same password everywhere.
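The log check described in the comment above, as an added example that is not part of the original thread: it counts failed logins against the account before the first successful login from an unfamiliar address, which separates password guessing from a password obtained elsewhere. The log format, account name, addresses and threshold are assumptions constructed for illustration; a real provider's logs will look different.

```python
import re

# Hypothetical log format, constructed for this example; real provider logs differ.
LINE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")

def first_unfamiliar_login(lines, user, known_ips=(), threshold=5):
    """Find the first successful login from an unfamiliar IP and how it got in."""
    failed = 0  # failures against this account from unfamiliar IPs so far
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        when, event, who, ip = m.groups()
        if who != user or ip in known_ips:
            continue
        if event == "LOGIN_FAIL":
            failed += 1
            continue
        verdict = ("password guessed (brute force)" if failed >= threshold
                   else "password obtained elsewhere")
        return {"time": when, "ip": ip, "failed_before": failed, "verdict": verdict}
    return None

OWNER_IP = "198.51.100.20"  # constructed: the account owner's usual address

# Constructed sample: six failures, then a success from the same stranger.
GUESSING = [f"2024-01-01T03:00:0{i}Z LOGIN_FAIL user=owner ip=203.0.113.7"
            for i in range(6)]
GUESSING.append("2024-01-01T03:00:09Z LOGIN_OK user=owner ip=203.0.113.7")

# Constructed sample: a stranger logs in on the first attempt.
FIRST_TRY = [
    "2024-01-01T08:00:00Z LOGIN_OK user=owner ip=198.51.100.20",
    "2024-01-01T09:30:00Z LOGIN_OK user=owner ip=203.0.113.9",
]
```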

John, Business Consultant (Owner), Commented:
I understand the comment about passwords, but I have been using the same email address and password for over a decade now (No comments please). I have never been compromised because of this.

So more likely it is spam from a dodgy, but opened email, or a dodgy website. That is the easy way in.

... Thinkpads_User

M3Metal, Author, Commented:
So, on the topic of security, I'm surprised EE doesn't use SSL or HTTPS for log ins!!!!!

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
That's true about the security of the website. Buyer beware, I suppose.

So is there anything else you need to figure this out? Let me know if you get any further feedback from your ISP and need clarification.