Now Then asked:

Virus sending spam emails to all contacts. What should be done?

My wife's contacts have been receiving spam emails from email addresses with different domain names but the name in front of the @ symbol is the same in all cases. It is the same as her Yahoo account. At the bottom of the email it contains the proper email address of her Yahoo account.
Can someone tell me how this is likely to be happening? Has someone managed to get into her email account? How have her contacts been obtained? What would explain this? Is there a virus on one of her devices? ... or has she managed to give up her contacts somehow? Have the contacts been sent to someone online and added to a spam all her contacts will receive spam forever.

Next, what do we do to stop it from happening?
She uses PCs, an android phone, an iPad and a Macbook.
Thank you for your help
Member_2_406981:

First, change the password of all e-mail accounts and scan all devices you are using for malware.

If malware is found, reinstall the devices too.

The reasons could be that she entered login details on a fake login page or that one of her devices is compromised.
It could also very well be a rogue app only on one of the mobile devices that stole her contacts, and the spam is not coming from your devices or your account at all.

More details can be found in the header lines of the e-mails sent out; you need to look at the Received headers especially to trace back the origin of the mails.
Now Then:


What am I looking for in the header? There was no mention of Yahoo in the header, only other domains. So, does that mean that it did not come from Yahoo?
Can you post a header example? You need to check the last Received line(s) (there could be some forged ones trying to hide the origin) to find out which is the originating IP. The last lines are the first ones produced and are at the bottom of the Received header lines; the times and IPs should match from line to line, and this way you might find forged lines at the beginning.

How the originating IPs need to be interpreted depends on the mode of sending the mails (SMTP, via the web interface).

So posting some headers might be helpful; you might remove personal information such as the parts before the @ sign, ...
Now the first question is to find out WHY he sees the mails, to find out if he's hacked or not.
As a precaution, applying the tips of davidanders will not harm at all. But if it was not a hack but a normal spam attack using your user part as sender, it won't help stop those mails.

So if possible, post the Received headers of some (2-3) of the mails and we can look at them to find out where the mails come from: from your account or from random hosts.
Sorry for the lengthy delay.  Fingers crossed that there is still someone out there.

Here is a header from one of these emails. I have tried to remove anything that reveals personal details. Please let me know if there is something in here that I should delete.

Delivered-To: [MY EMAIL ADDRESS]
Received: by with SMTP id fh4csp2071045igd;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
X-Received: by with SMTP id fx17mr42321933wic.74.1439889554457;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id ff10si32461420wjc.32.2015.
        for [MY EMAIL ADDRESS];
        Tue, 18 Aug 2015 02:19:13 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;
       spf=neutral ( is neither permitted nor denied by best guess record for domain of
Received: from ([]
      by with esmtp (Exim 4.80.1)
      (envelope-from <>)
      id 1ZRd32-00085m-TK
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 10:19:13 +0100
Received: from [] ( [])
      by (
      with ESMTP id <>
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 18:18:56 +0900
From: "Peg Paste" <>
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: From: Peg Paste
Message-Id: <>
Date: Tue, 18 Aug 2015 11:15:33 +0200
X-Mailer: iPhone Mail (8A400)
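
The bottom-up reading of the Received lines described in this thread (times and hosts should match from line to line), as an added example that is not part of any post. The messages, hosts and IPs are constructed, the function names are hypothetical, and the host-matching rule and the `likely_origin` pick are heuristics assumed here.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation IPs, example.* hosts), not the header from the thread.
SAMPLE = """\
Received: from relay.example.com (relay.example.com [203.0.113.20])
\tby mx.example.net with esmtp id constructed-2; Tue, 18 Aug 2015 10:19:13 +0100
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.com with ESMTP id constructed-1; Tue, 18 Aug 2015 18:18:56 +0900
From: "Sender" <someone@example.com>

body
"""
# Same message with a constructed, inconsistent Received line added at the bottom.
FORGED = SAMPLE.replace('From: "Sender"',
    "Received: from pc.example.edu ([198.51.100.99]) by smtp.example.edu;"
    ' Tue, 18 Aug 2015 12:00:00 +0000\nFrom: "Sender"')

def parse_hops(raw):
    """Return the Received hops oldest-first (bottom header line first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # date follows last ';'
        frm = re.search(r"\bfrom (\S+)", info)
        by = re.search(r"\bby (\S+)", info)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info)
        when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        hops.append({"from": frm and frm.group(1), "by": by and by.group(1),
                     "ip": ip and ip.group(1), "time": when})
    return hops

def find_breaks(hops, skew=timedelta(minutes=5)):
    """List (index, reason) where a hop does not follow from the hop below it."""
    issues = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["time"] + skew < prev["time"]:  # allow some clock skew
            issues.append((i, "time earlier than hop below"))
        if cur["from"] != prev["by"]:  # only a hint: real relays may use other names
            issues.append((i, "'from' host is not the 'by' host of hop below"))
    return issues

def likely_origin(raw):
    """Heuristic: sending IP of the lowest hop that sits above every break."""
    hops = parse_hops(raw)
    start = max((i for i, _ in find_breaks(hops)), default=0)
    return hops[start]["ip"]
```

Everything below a flagged hop was written before the mail reached a server whose own line is consistent with the rest of the chain, so treat those lower lines as unverified.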