Now Then asked:

Virus sending spam emails to all contacts. What should be done?

My wife's contacts have been receiving spam emails from email addresses with different domain names, but the name in front of the @ symbol is the same in all cases. It is the same as her Yahoo account. At the bottom of the email it contains the proper email address of her Yahoo account.
Can someone tell me how this is likely to be happening? Has someone managed to get into her email account? How have her contacts been obtained? What would explain this? Is there a virus on one of her devices?...or has she managed to give up her contacts somehow? Have the contacts been sent to someone online and added to a spam database...so all her contacts will receive spam forever?

Next, what do we do to stop it from happening?
She uses PCs, an android phone, an iPad and a Macbook.
Thank you for your help
Anti-Spyware, Security, AntiSpam


8/22/2022 - Mon
Member_2_406981

First, change the password of all e-mail accounts and scan all devices you are using for malware.

If malware is found, reinstall the devices too.

The reasons could be that she entered login details on a fake login page
or that one of her devices is compromised.
It could also very well be a rogue app on only one of the mobile devices that stole her contacts, and the spam is not coming from your devices or your account at all.

More details can be found in the header lines of the e-mails sent out; you need to look at the Received headers especially to trace back the origin of the mails.
Now Then

ASKER
What am I looking for in the header? There was no mention of Yahoo in the header, only other domains. So, does that mean that it did not come from Yahoo?
Member_2_406981

Can you post a header example? You need to check the last Received line(s) (there could be some forged ones trying to hide the origin) to find out which is the originating IP. The last lines are the first ones produced and are at the bottom of the Received header lines; the times and IPs should match from line to line, and this way you might find forged lines at the beginning.

It depends on the mode of sending the mails (SMTP, via the web interface) how the originating IPs need to be interpreted.

So posting some headers might be helpful; you might remove personal information such as the parts before the @ sign, ...
David Anders

9 Things You Need to Do When Your Email Is Hacked
http://blog.credit.com/2013/07/things-to-do-when-your-email-is-hacked-67568/
Member_2_406981

Now the first question is to find out WHY he sees the mails, to find out if he's hacked or not.
As a precaution, applying the tips of davidanders will not harm at all. But if it was not a hack but a normal spam attack using your user part as sender, it won't help stop those mails.

So if possible, post the Received headers of some (2-3) of the mails and we can look at them to find out where the mails come from, from your account or from random hosts.
Now Then

ASKER
Sorry for the lengthy delay.  Fingers crossed that there is still someone out there.

Here is a header from one of these emails. I have tried to remove anything that reveals personal details. Please let me know if there is something in here that I should delete.
Thanks

Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.51.14.164 with SMTP id fh4csp2071045igd;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
X-Received: by 10.180.188.49 with SMTP id fx17mr42321933wic.74.1439889554457;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
Return-Path: <peg.paste@fun.ac.jp>
Received: from mailex.mailcore.me (mailex.mailcore.me. [94.136.40.61])
        by mx.google.com with ESMTP id ff10si32461420wjc.32.2015.08.18.02.19.13
        for [MY EMAIL ADDRESS];
        Tue, 18 Aug 2015 02:19:13 -0700 (PDT)
Received-SPF: neutral (google.com: 94.136.40.61 is neither permitted nor denied by best guess record for domain of peg.paste@fun.ac.jp) client-ip=94.136.40.61;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 94.136.40.61 is neither permitted nor denied by best guess record for domain of peg.paste@fun.ac.jp) smtp.mailfrom=peg.paste@fun.ac.jp
Received: from celery.fun.ac.jp ([210.225.229.210] helo=dpmail02.fun.ac.jp)
      by smtp01.mailcore.me with esmtp (Exim 4.80.1)
      (envelope-from <peg.paste@fun.ac.jp>)
      id 1ZRd32-00085m-TK
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 10:19:13 +0100
Received: from [123.18.62.120] (123.18.62.120 [123.18.62.120])
      by dpmail02.fun.ac.jp (deepsmtpd.sk)
      with ESMTP id <8F3EEBCD-A481-45A1-FC64-F1E90EFF9179@fun.ac.jp>
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 18:18:56 +0900
From: "Peg Paste" <peg.paste@fun.ac.jp>
Content-Type: text/plain;
      charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: From: Peg Paste
Message-Id: <8F3EEBCD-A481-45A1-FC64-F1E90EFF9179@fun.ac.jp>
Date: Tue, 18 Aug 2015 11:15:33 +0200
To: [MY EMAIL ADDRESS]
X-Mailer: iPhone Mail (8A400)
X-IP: 123.18.62.120
X-FROM-DOMAIN: fun.ac.jp
X-FROM-EMAIL: peg.paste@fun.ac.jp
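The following script applies the bottom-up walk of the Received lines that Member_2_406981 described to the header posted above. It is an added example and not code from the original post or from any participant: RAW_HEADERS is the asker's anonymised header embedded as a constructed string so the script runs offline ([MY EMAIL ADDRESS] is the asker's own redaction), and FORGED_HEADERS is a constructed variant with one fake Received line stuffed at the bottom, which shows how the timestamp and hand-off checks expose a forged first hop. The five-minute skew tolerance and the "same last two labels" hand-off heuristic are assumptions of this example, not rules from the thread.

```python
"""Trace a mail's origin from its Received headers, bottom-up.

Added example for this thread; not code from the original post or any participant.
RAW_HEADERS is the asker's anonymised header, embedded as a constructed string.
FORGED_HEADERS is a constructed variant with a fake first hop stuffed at the bottom.
"""
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
Delivered-To: [MY EMAIL ADDRESS]
Received: by 10.51.14.164 with SMTP id fh4csp2071045igd;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
X-Received: by 10.180.188.49 with SMTP id fx17mr42321933wic.74.1439889554457;
        Tue, 18 Aug 2015 02:19:14 -0700 (PDT)
Return-Path: <peg.paste@fun.ac.jp>
Received: from mailex.mailcore.me (mailex.mailcore.me. [94.136.40.61])
        by mx.google.com with ESMTP id ff10si32461420wjc.32.2015.08.18.02.19.13
        for [MY EMAIL ADDRESS];
        Tue, 18 Aug 2015 02:19:13 -0700 (PDT)
Received-SPF: neutral (google.com: 94.136.40.61 is neither permitted nor denied by best guess record for domain of peg.paste@fun.ac.jp) client-ip=94.136.40.61;
Received: from celery.fun.ac.jp ([210.225.229.210] helo=dpmail02.fun.ac.jp)
      by smtp01.mailcore.me with esmtp (Exim 4.80.1)
      (envelope-from <peg.paste@fun.ac.jp>)
      id 1ZRd32-00085m-TK
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 10:19:13 +0100
Received: from [123.18.62.120] (123.18.62.120 [123.18.62.120])
      by dpmail02.fun.ac.jp (deepsmtpd.sk)
      with ESMTP id <8F3EEBCD-A481-45A1-FC64-F1E90EFF9179@fun.ac.jp>
      for [MY EMAIL ADDRESS]; Tue, 18 Aug 2015 18:18:56 +0900
From: "Peg Paste" <peg.paste@fun.ac.jp>
Date: Tue, 18 Aug 2015 11:15:33 +0200
X-Mailer: iPhone Mail (8A400)
"""

# Constructed: a sender pre-stuffs a bogus first hop (TEST-NET addresses/names).
# Its timestamp is later than the genuine first hop above it, and the genuine hop
# does not name relay.example.net as the host it received the message from.
FORGED_HEADERS = RAW_HEADERS + (
    "Received: from mail.example.org ([192.0.2.10]) by relay.example.net "
    "with ESMTP; Tue, 18 Aug 2015 18:25:00 +0900\n"
)

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their field."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_received(raw):
    """Received hops in header order: index 0 is the topmost (last-written) hop."""
    hops = []
    for line in unfold(raw).splitlines():
        if not line.startswith("Received:"):        # skips X-Received: and Received-SPF:
            continue
        clauses, _, date = line[len("Received:"):].rpartition(";")  # timestamp after the last ';'
        from_m = re.search(r"\bfrom\s+(\S+(?:\s+\([^)]*\))?)", clauses)
        by_m = re.search(r"\bby\s+(\S+)", clauses)
        ip_m = IPV4.search(from_m.group(1)) if from_m else None
        hops.append({
            "from": from_m.group(1) if from_m else None,   # None for internal hand-offs
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": parsedate_to_datetime(date.strip()).astimezone(timezone.utc),
        })
    return hops


def consistent_handoff(by_host, from_clause):
    """Heuristic (assumption of this example): the hop above should name the host that
    received the hop below, or at least a host under the same last-two-label domain."""
    by_host = by_host.rstrip(".").lower()
    from_clause = from_clause.lower()
    return by_host in from_clause or ".".join(by_host.split(".")[-2:]) in from_clause


def trace(hops, max_skew=timedelta(minutes=5)):
    """Walk from the first-written (bottom) hop upward and flag inconsistencies.
    Returns the naive origin (bottom hop) and the lowest hop that survives the checks."""
    chain = list(reversed(hops))           # chain[0] was written first
    findings = []
    for i in range(1, len(chain)):
        below, above = chain[i - 1], chain[i]
        if above["time"] + max_skew < below["time"]:
            findings.append((i, "timestamp earlier than the hop written before it"))
        if above["from"] and below["by"] and not consistent_handoff(below["by"], above["from"]):
            findings.append((i, f"'from {above['from']}' does not match the hop below, handled by {below['by']}"))
    trusted = chain[max((i for i, _ in findings), default=0)]  # everything below a break is untrusted
    return {"bottom_ip": chain[0]["ip"], "trusted_origin_ip": trusted["ip"],
            "trusted_origin_received_by": trusted["by"], "findings": findings}


def spf_result(raw):
    """The receiving MTA's SPF verdict; 'neutral' here because fun.ac.jp publishes no usable record."""
    m = re.search(r"^Received-SPF:\s*(\w+)", unfold(raw), re.M)
    return m.group(1).lower() if m else None


def report(raw):
    hops = parse_received(raw)
    r = trace(hops)
    r["hops"] = len(hops)
    r["spf"] = spf_result(raw)
    r["mentions_yahoo"] = "yahoo" in raw.lower()   # the asker noticed no Yahoo host in the chain
    return r


if __name__ == "__main__":
    for label, raw in (("posted header", RAW_HEADERS), ("constructed forged header", FORGED_HEADERS)):
        print(f"== {label}")
        for h in reversed(parse_received(raw)):
            print(f"  {h['time']:%H:%M:%S}Z  from {h['from'] or '(internal)'}  by {h['by']}")
        r = report(raw)
        print(f"  bottom hop IP {r['bottom_ip']}, trusted origin {r['trusted_origin_ip']} via {r['trusted_origin_received_by']}")
        print(f"  SPF {r['spf']}, mentions yahoo: {r['mentions_yahoo']}, findings: {r['findings'] or 'none'}")
```

For the posted header the four hops line up: 09:18:56Z, 09:19:13Z, 09:19:13Z, 09:19:14Z, each "by" host matching the "from" clause above it, so the bottom line is trustworthy and the message was first handed to dpmail02.fun.ac.jp by 123.18.62.120; no Yahoo server appears anywhere, which matches the asker's observation. The SPF verdict is neutral because the sender domain has no real SPF record, so the receiving side could not say whether that path was authorised. For the constructed forged header the script still reports 192.0.2.10 as the bottom hop but flags it, and falls back to 123.18.62.120 as the lowest hop that passes the checks.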
ASKER CERTIFIED SOLUTION
Member_2_406981