Spam from your friends: hacked and spoofed e-mail

Very often, I receive junk mail (spam) with a "From:" address of one of my contacts, for example a friend or fellow team member. The mail might contain an advertisement for Viagra or replica Rolex watches, or just a link to a web site which could download malicious software onto my computer. In such cases, I delete that e-mail without clicking on the potentially dangerous link.

Just as often, a friend or fellow team member contacts me stating that junk mail is going out in their name and asking what to do about it. Here is what I reply:

Hacked or Spoofed?

It is important to know whether your mail is hacked or spoofed. Let's define these terms:

hacked

Mail is actually being sent from your account by someone logged in to your server as you.

spoofed

Mail is being sent from somewhere else with your address being forged onto its "From:" line.

1. Full name
   Look at the "From:" on the junk mail your friends received. If your e-mail system normally sends your mail showing your full name followed by your e-mail address in <angle brackets> on its "From:" line, then if it is hacked and used to send junk mail, the junk mail will also show your name and address in the same way. Conversely a spammer spoofing just your address wouldn't know your name and could not do this.

   Exception: Unfortunately, America On-Line (AOL) does not put the full name of its subscribers on e-mail it sends. So the absence of a name from an AOL header is normal and does not suggest that it was spoofed.

2. Your address book used
   If many of your personal correspondents are simultaneously getting the same junk mail from your address, that's a pretty sure indicator that it's coming from your account, because the sender has access to your personal address book. (Someone otherwise forging your address onto their "To:" line would not be able to target all of your friends at once, and would be very unlikely to hit any of them at all.)

3. Launching Server
   Look at the full headers (usually hidden) on one of the junk messages as received. Among the headers are a bunch of postmarks, lines beginning "Received:". The oldest one (farthest down the list) explains how the message was first launched into the e-mail network; subsequent ones (farther up toward the top) track its travel to you. If the early ones name a server on your e-mail provider (Yahoo, Hotmail, Google, or whatever) that tends to suggest that your account was hacked.

4. Copy in "Sent Mail"
   Look in your "Sent Mail" folder. If you find copies of the junk mail there, then certainly the hacker sent the mail from your account. (Conversely, it means nothing if you don't; he could have deleted them after sending.)

After you know which applies to you, please see the appropriate section below.

Hacked: E-mail sent from your account

If junk mail is being sent from your account, then you must change your e-mail password. You must also learn how they got your old password, so that they don't get your new one by the same method. It's also a good idea to change your password periodically, even if you don't suspect trouble.

What makes a good password?

Use a password which is not easy to guess or discover by trial-and-error: don't use your mother's maiden name, your birthday, or a word from the dictionary. Do use a mix of upper and lower case letters, numbers, and even some punctuation if your system allows it.

So how did they get my password in the first place?

The next question you need to answer is how they got your password in the first place. You need to know this so you can prevent them from getting your new password! Here are some possibilities:

1. They guessed it or discovered it by trial and error. Bad passwords include your name, your birthday, a word from the dictionary, etc.

2. They obtained it from your service provider by clicking "lost password" and answering your security questions with information they know about you (mother's maiden name, childhood pet, etc.)

3. You gave it to them, by typing it into a web site promising some freebie if you just enter your e-mail address and password. The strongest password in the world is no good if you give it away for the asking! One way in which e-mail passwords get compromised is that you get an offer of a gift from a friend (e.g. cup of coffee), but to claim it, you need to enter your e-mail address and password. A social networking site may ask for your e-mail password to invite your friends to join their network. Or you may get a phony e-mail, ostensibly from your service provider, asking you to click on a link to a form and enter your information to "confirm" your account.

4. You used the same password on another site. Many web services require you to sign up with a username and password. Do not choose the same password as for your e-mail account! Doing so would give the operator of that site access to your e-mail account, to read your mail and to send out mail in your name.

5. A "spyware" program in your computer (or a public computer you used) saw it. Spyware is malicious software which runs stealthily in the background, virtually looking over your shoulder and sending what you type back to its headquarters. Many virus scanners do not detect spyware, so you should periodically scan your system with a specific spyware scanner. One I recommend for Windows users is Spybot Search and Destroy; another is Malwarebytes Anti-Malware Free. For information about how the spyware got onto your computer in the first place, see my essays Every Trick in the Book and About Executable Files.

6. For more, see:

   • How I'd hack your passwords by John Pozadzides.
   • Choosing a smart password from Google

Never give your e-mail password to anyone or enter it into any web site other than your own e-mail server in the normal course of logging in to read your mail.

Will changing my password fix everything?

Yes and no.

It will stop the hacker who knew your old password from using it to log in to your account again. However, if he copied down your address book during the time he had your password, then he can continue to use his copy to send junk mail to your contacts forever. He can even spoof (forge) your contact info onto his "From:" line so that future mail seems to come from your account, even when it does not (see below). Basically, once someone knows something, there is nothing you can do to get him to forget it and not use it any more. That is why it is vitally important to not let him have it in the first place.

Also, if you don't know exactly how the hacker got your old password, consider that he might use the same trick to get your new one. For example, if your system is infected with spyware, it could report your new password back to its master as easily as it reported your old one.

Should I change my e-mail address?

Sometimes the first reaction of people whose e-mail accounts have been hacked is to close that account and open a new one. This is seldom necessary, and necessitates notifying all of your correspondents of your new address.

Closing an account may be useful if you're receiving a lot of spam, but that's not the subject of this essay. We're talking about someone else signing in to your account as if you, in order to send spam. In that case, changing your password as described above should fix it. And if for some reason it doesn't, i.e. the hacker gets your new password, somehow, then he could probably just as easily get the password to any new account you might create.

Close out old, unused e-mail accounts

Don't just abandon old e-mail accounts. Close them out with the service provider so they cannot be used again.

Sometimes when I phone a friend to tell them their e-mail account has been compromised, they say, "Oh, I don't even use that account any more." I encourage them to contact their service provider and close the account. Leaving it open not only makes it available for malicious use, it also risks your reputation.

Spoofed: Your address forged onto the "From:" line

Conversely, if the mail is being launched via some other route than through your e-mail account, there is little you can do to stop it. The "From:" address on an e-mail is easier to forge than the return address in the upper-left corner of a postal envelope, and is in no way proof of where a message really came from. Once spammers know and use your e-mail address in this way, you can't stop them.

Keep your e-mail address private

There is a lot you can do to prevent your address from being used in the first place: Keep it private to only your trusted friends and private communities; never post your e-mail address on a web site or publicly viewable forum.

Not only will keeping your e-mail address private prevent you from receiving junk mail, more importantly it will prevent spammers from forging your address as the source of junk mail.

Keep your contact's addresses private

Out of respect for your friends and business contacts, safeguard your e-mail address book as if it were gold. Giving it to strangers invites them to send junk mail to your contacts, and/or to spoof their addresses onto junk mail they send to you and others.

Don't give out your friends' e-mail addresses without their permission. For example, don't type them into a web site that offers to "send this article to a friend" unless they have a clearly stated privacy policy. Otherwise, if you wish to share a web site with a friend, just copy its address from the address bar of your browser and paste it into an e-mail to your friend, with an explanatory introduction. That way, it will be up to them whether or not to access that site.

Feedback Please

As the author of this page, Rich Pasco would appreciate any feedback you may have to offer. If your e-mail account was hacked, please let me know whether this page was helpful in resolving the problem. I would espcially like to know how the hacker took control of your account in the first place, and what steps you took to secure your account and prevent a recurrence. You may e-mail me directly or use this form.

Index to all of Rich Pasco's articles on e-mail and viruses

Rich Pasco's home page

Copyright © 2010-2011 Richard C. Pasco. All rights reserved.