Solved

What to do when email gets spoofed?

Posted on 2011-10-03
Last Modified: 2012-05-12
For the first time ever, my un/pw for my personal email was compromised and someone sent hundreds of SPAM messages from my account even though my provider, Earthlink, shut it down in less than 4 minutes.  

I have a new pw (my account is working properly now), I ran a full virus and spyware scan on my pc (which found nothing).  

Two questions:  

1.  what else should I do to reduce the chance of it happening again and make sure there isn't something more on my pc or WiFi device?

2.  Out of curiosity, what can I do to find out how it happened?  I'm not a real technologist.  In layman's terms, I suspect someone/something had a "sniffer" on either my home WiFi, or my Blackberry connection, or via my ISP to learn the pw.  What else could have happened?

I'm more concerned about other un/pw's for accounts to other services (Quickbooks, etc).

All dialog is welcome.

M3
Question by:M3Metal
 
LVL 25

Accepted Solution

by:
Brian B earned 1000 total points
ID: 36904026
Your blackberry mail is encrypted, so shouldn't be a problem there.
If your wi-fi was compromised, you'd probably have more problems than someone sending spam. For that matter, they probably wouldn't have sent it via your own account.
More likely, someone got your password via brute force. However, your ISP should be able to tell you for sure if the spam originated from someone logging on to your account from somewhere else, or if it actually came from your computer.
So what to do?
- Changing your password to a "strong" password is your best bet. That is, one that is at least 8 characters long and uses a combination of upper and lower case letters, numbers and symbols (@,#,$,etc).
- Just to be safe, make sure you change your wi-fi password and that you are using WPA2/PSK encryption.
- If the spam actually originated from your computer, make sure you have an up-to-date antivirus installed.
- Also download and run malwarebytes: http://www.malwarebytes.org/
0
 
LVL 20

Assisted Solution

by:edster9999
edster9999 earned 600 total points
ID: 36904036
Your password is sent over the network every time you access your emails.  There is a good chance your email clients are set up to do this every 5 or 10 minutes.
Unless your server and your client are set up to use security, the password is sent in plain text.  Anyone can read it as it flies by.

You also have to be careful how you are connecting.  If you connect using wireless then your info is flying round for anyone to read.  A laptop nearby can be pulling all the data out of the air.  This is *very* easy to do.

If you connect from a PC you do not own then there is a chance someone else has already used it and added a program to see what is being typed and send it on.

Step one - Only use secure traffic.  Check there is a tick in the box or option saying 'use secure'.
Try not to use wireless where possible.  Really try not to use public unencrypted wifi (if you do not enter a password to connect then it is not normally encrypted).

Step two - Only use your PC.  Never put in details like email passwords in an internet cafe.  Use your phone or PC.

Step three - Check for viruses / malware that are on your PC.


0
 
LVL 99

Expert Comment

by:John Hurst
ID: 36904045
You are using Outlook (according to the zone) and so the email client is local to your machine. So you have picked up some malware and it has figured out your Outlook account to send spam (which is what this malware specifically does). Changing the email password will be temporary if the malware is still there.

Consider scanning with Malwarebytes as an added scan tool to see if it finds anything. Also look up Microsoft for Rootkit Revealer. Download and run that.

... Thinkpads_User
0

 
LVL 12

Assisted Solution

by:FarWest
FarWest earned 400 total points
ID: 36904537
Please note a very important thing: if your only clue that your un/pwd is compromised is that there are messages with your name as "From", that does not necessarily mean he used your username. In the SMTP protocol you can set the From to any email address when you send the message, and it is common to receive emails that show you as the sender, but that is part of faking,
so you have to inspect the message headers to know more details.

good luck
0
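As an added example (my own code, not FarWest's or anything from this thread) of the header inspection suggested above: the script parses two constructed messages that both carry the user's address in From, and reports whether the Received chain and Return-Path show a mere spoof or an authenticated submission through the sender's own provider. The host names, addresses, and the use of Postfix's "ESMTPSA" keyword as the authentication marker are assumptions made for the sample.

```python
import re
import email
from email.utils import parseaddr
# Constructed sample 1: From claims the user's address, but no hop passed
# through the user's provider and the envelope sender (Return-Path) is elsewhere.
SPOOFED_RAW = """\
Return-Path: <bounce@badrelay.example>
Received: from relay.badrelay.example (relay.badrelay.example [203.0.113.5])
    by mx.other.example (Postfix) with ESMTP id 1A2B3C
    for <someone@other.example>; Mon, 3 Oct 2011 10:00:00 -0400
From: M3 <m3@isp.example>
Subject: constructed spoofed sample
"""

# Constructed sample 2: same From, but the chain records an authenticated
# submission (Postfix's "ESMTPSA") through the user's own provider.
ACCOUNT_RAW = """\
Return-Path: <m3@isp.example>
Received: from smtp.isp.example (smtp.isp.example [192.0.2.20])
    by mx.other.example (Postfix) with ESMTP id 4D5E6F
    for <someone@other.example>; Mon, 3 Oct 2011 10:00:00 -0400
Received: from webmail.isp.example (webmail.isp.example [192.0.2.21])
    by smtp.isp.example (Postfix) with ESMTPSA id 7G8H9I
    for <someone@other.example>; Mon, 3 Oct 2011 09:59:58 -0400
From: M3 <m3@isp.example>
Subject: constructed account-abuse sample
"""
def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def classify(raw):
    """Return 'spoofed', 'account-used' or 'inconclusive' for one raw message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    via_provider = authenticated = False
    for hop in msg.get_all("Received", []):
        # "by <host>" names the server that accepted this hop.
        m = re.search(r"\bby\s+([\w.-]+)", hop)
        host = m.group(1).lower() if m else ""
        if host == from_dom or host.endswith("." + from_dom):
            via_provider = True
            if re.search(r"\bESMTPS?A\b|authenticated", hop, re.I):
                authenticated = True
    if via_provider and authenticated:
        return "account-used"
    if not via_provider and rp_dom != from_dom:
        return "spoofed"
    return "inconclusive"
```

Headers can be forged by whoever injects the message, so only the hops added by servers you trust (your own provider's) are reliable evidence.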
 
LVL 25

Expert Comment

by:Brian B
ID: 36904910
I was wondering about that (spoofing) when I first saw this question. However I would hope that an ISP would not shut a user's mail or internet access down if there were just spoofs going on. Actually, if that was the case, I would immediately start looking for a new ISP as this one does not know what they are doing.

For M3Metal, a true "spoof" is when someone is just sending email from their own computer, but putting your name on it. Unfortunately, there is nothing you can do about those since your system and even your internet connection have nothing to do with it. Hence I am saying I would doubt your ISP would block you off for that reason.
0
 

Author Comment

by:M3Metal
ID: 36905198
Great input from everyone.  I will inquire with my ISP asking what they know or can find out.  Do these points matter in my determination that it was NOT a breach on my pc or client:  1) my Outlook account shows NO sent messages, 2) I received 100s of email replies from mail servers (such as "user no longer exists", etc.), 3) the sent folder in my ISP's webmail account DID list all the sent messages.

Thus, I think someone got in via the web to my webmail account, not my pc.

0
 
LVL 25

Expert Comment

by:Brian B
ID: 36905682
1. This means they did not totally take over your PC. Usually if your PC is sending spam, it is because the spammer managed to install a separate spamming program, but it still sends mail the same way as your legitimate mail. This isn't what happened in your case, though (see #3).
2. Whether you sent the mail or not, this is what happens because your name was at the top.
3. This tells us it was definitely a breach of your webmail account. If the spam messages had been sent any other way, they wouldn't have shown up in your sent items in webmail.

So that answers our question about where it originated. No need for further input from your ISP on that fact. So it looks like the spammers did manage to find out your webmail password. So changing that is definitely in order. However, the other security measures I mentioned before are also good practices to follow.

If you really wanted to find out how it happened, your ISP might be able to check their security logs to see if there was a "brute force" attack against your account (i.e. they kept guessing at the password). If the hackers got it on the first try, they probably got your password from somewhere else, i.e. they compromised your ISP's security, or perhaps hacked in somewhere else that used the same password as you used for your webmail.

The lesson learned from that would be to try not to use the same password everywhere.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 36905744
I understand the comment about passwords, but I have been using the same email address and password for over a decade now (No comments please). I have never been compromised because of this.

So more likely it is spam from a dodgy, but opened email, or a dodgy website. That is the easy way in.

... Thinkpads_User
0
 

Author Comment

by:M3Metal
ID: 36909556
So, on the topic of security, I'm surprised EE doesn't use SSL or HTTPS for log ins!!!!!
0
 
LVL 25

Expert Comment

by:Brian B
ID: 36909691
That's true about the security of the website. Buyer beware, I suppose.

So is there anything else you need to figure this out? Let me know if you get any further feedback from your ISP and need clarification.
0
