Spam from your friends: hacked and spoofed e-mail
by Rich Pasco
Very often, I receive junk mail (spam) with a "From:" address
of one of my contacts, for example a friend or fellow team member. The
mail might contain an advertisement for Viagra or replica Rolex watches,
a sad story about being robbed while on vacation (and please wire money),
or just a link to a web site which could download malicious software
onto my computer. In such cases, I delete that e-mail without clicking
on the potentially dangerous link.
Just as often, a friend or fellow team member contacts me stating that
junk mail is going out in their name and asking what to do about it.
Here is what I reply:
Hacked or Spoofed?
It is important to know whether your mail is hacked or
spoofed. Let's define these terms:
- Hacked: Mail is actually
being sent from your account by someone logged in to your server as
- Spoofed: Mail is being sent from somewhere else
with your address being forged onto its "From:" line.
Here are some ways to tell whether the e-mail your friends got from you
was hacked or spoofed:
Look at the "From:" on
the junk mail your friends received. If your e-mail system normally
sends your mail showing your full name followed by your e-mail address
in <angle brackets> on its "From:" line, then if it is hacked and
used to send junk mail, the junk mail will also show your name and
address in the same way. Conversely a spammer spoofing just your
address wouldn't know your name and could not do this.
Exception: Unfortunately, America On-Line (AOL) does not always put the
full name of its subscribers on e-mail it sends. So the absence of
a name from an AOL header is normal and does not suggest that it was
Your address book used
If many of your personal correspondents are simultaneously getting the
same junk mail from your address, that's a pretty sure indicator that
it's coming from your account, because the sender has access to your
personal address book. (Someone otherwise forging your address onto
their "To:" line would not be able to target all of your
friends at once, and would be very unlikely to hit any of them at
Look at the full headers (usually hidden) on
one of the junk messages as received. Among the headers are a bunch of
postmarks, lines beginning "Received:". The oldest
one (farthest down the list) explains how the message was first launched
into the e-mail network; subsequent ones (farther up toward the top)
track its travel to you. If the early ones name a server on your e-mail
provider (Yahoo, Hotmail, Google, or whatever) that tends to suggest
that your account was hacked.
Copy in "Sent Mail"
Look in your "Sent Mail" folder. If you find copies
of the junk mail there, then certainly the hacker sent the mail from
your account. (Conversely, it means nothing if you don't; he could
have deleted them after sending.)
After you know which applies to you, please see the appropriate section below.
Hacked: E-mail sent from your account
If junk mail is being sent from your account, then you must change your
e-mail password. You must also learn how they got your old password,
so that they don't get your new one by the same method. It's also a
good idea to change your password periodically, even if you don't
What makes a good password?
Use a password which is not
easy to guess or discover by trial-and-error: don't use your mother's
maiden name, your birthday, or a word from the dictionary. Do use a mix
of upper and lower case letters, numbers, and even some punctuation if
your system allows it.
So how did they get my password in the first place?
Some people think that once they've changed their password they're done.
Let me ask: If you found a burglar wandering through your house with a copy
of your house key, wouldn't you wonder how he got it?
So the next question you need to answer is how they got your password in
the first place. You need to know this so you can prevent them from
getting your new password! Remember: if you let a stranger have your e-mail password, you give them full
access to your e-mail. They can read your personal correspondence, send
mail in your name, access and abuse your address book, send junk mail to
your friends, and so much more. Here are some possibilities:
- They guessed it or discovered it by trial and error.
Bad passwords include your name, your birthday, a word from the
dictionary, etc. See also "Passwords You Should Never Use."
- They obtained it from your service provider by clicking
"lost password" and answering your security questions with
information they know about you (mother's maiden name, childhood pet,
- You gave it to them, by typing it into their web site.
The strongest password in the world is no good if you give it away for the asking!
Maybe the web site was a phony one mimicking the login screen for your e-mail service.
Or maybe it promised some freebie (e.g. a cup of coffee) if you just enter your e-mail address and password.
A social networking site may ask for your e-mail password to invite your friends
to join their network. Or you may get a phony e-mail, ostensibly from
your service provider, asking you to click on a link to a form and enter
your information to "confirm" your account.
- You used the same password on another site.
Many web services require you to sign up with a username and password.
Do not choose the same password as for your e-mail account! Doing so would
give the operator of that site access to your e-mail account, to read your mail
and to send out mail in your name.
- A "spyware" program in your computer (or a public computer
you used) saw it. Spyware is
malicious software which runs stealthily in the background, virtually
looking over your shoulder and sending what you type back to its
headquarters. One form of spyware, keylogging software, quietly
records every keystroke you make. Many virus scanners do not detect spyware, so you should
periodically scan your computer with a specific spyware scanner. One I
recommend for Windows users is Spybot Search and Destroy;
another is Malwarebytes Anti-Malware Free.
For information about how the spyware got onto your computer in the first place,
see my essays Every Trick in the Book and About Executable Files.
For more, see:
- 2 million Facebook, Gmail and Twitter passwords stolen in massive hack by Jose Pagliery, CNN Money, December 4, 2013
- Beware Twitter "password check" sites - there are fakes, and there are fake fakes! by Paul Ducklin, Sophos Naked Security, April 24, 2013
- The worst passwords you could ever choose exposed by Yahoo Voices hack by Graham Cluley, Sophos Naked Security, July 13, 2012
- How I'd hack your passwords by John Pozadzides, MSN Money, February 4, 2011
- Choosing a smart password from Google
- Is your Twitter password secure? by Alastair Coote
- How Big is Your Haystack ... and how well hidden is YOUR needle? from Gibson Research Corp.
Never give your e-mail password to anyone, or enter it into any web site
other than your own e-mail server in the normal course of logging in to read your mail.
Will changing my password fix everything?
Yes and no.
It will stop the hacker who knew your old password from using it
to log in to your account again. However, if he copied down your
address book during the time he had your password, then he can continue
to use his copy to send junk mail to your contacts forever. He can even
spoof (forge) your contact info onto his "From:" line so that
future mail seems to come from your account, even when it does not (see
below). Basically, once someone knows something, there is nothing you
can do to get him to forget it and not use it any more. That is why it
is vitally important to not let him have it in the first place.
Also, if you don't know exactly how the hacker got your old password,
consider that he might use the same trick to get your new one. For
example, if your computer is infected with spyware, it could report your
new password back to its master as easily as it reported your old one.
Should I change my e-mail address?
Sometimes the first reaction of people whose e-mail accounts have been
hacked is to close that account and open a new one. This is seldom necessary,
and necessitates notifying all of your correspondents of your new address.
Closing an account may be useful if you're receiving a lot of spam,
but that's not the subject of this essay. We're talking about someone else
signing in to your account as if you, in order to send spam. In that
case, changing your password as described above should fix it. And if for
some reason it doesn't, i.e. the hacker somehow gets your new password,
then he could probably just as easily get the password to any new account you
Close out old, unused e-mail accounts
Don't just abandon old e-mail accounts. Close them out with the
service provider so they cannot be used again.
Sometimes when I phone a friend to tell them their e-mail account has
been compromised, they say, "Oh, I don't even use that account any more."
I encourage them to contact their service provider and close the account. Leaving
it open not only makes it available for malicious use, it also risks your
Spoofed: Your address forged onto the "From:" line
Conversely, if the mail is being launched via some other route than
through your e-mail account, there is little you can do to stop it.
The "From:" address on an e-mail is easier to forge than the
return address in the upper-left corner of a postal envelope, and is in
no way proof of where a message really came from. Once spammers know and
use your e-mail address in this way, you can't stop them.
Keep your e-mail address private
There is a lot you can do to prevent your address from being used in the
first place: Keep it private to only your trusted friends and private
communities; never post your e-mail address on a web site or publicly
Not only will keeping your e-mail address private prevent you from
receiving junk mail, more importantly it will prevent spammers from
forging your address as the source of junk mail.
Keep your contact's addresses private
Out of respect for your friends and business contacts, safeguard your
e-mail address book as if it were gold. Giving it to strangers invites
them to send junk mail to your contacts, and/or to spoof their addresses
onto junk mail they send to you and others.
Don't give out your friends' e-mail
addresses without their permission. For example, don't
type them into a web site that offers to "send this article to
Instead, if you wish to share a web site with a friend, just copy its
address from the address bar of your browser and paste it into an e-mail
to your friend, with an explanatory introduction. That way, it will be
up to them whether or not to access that site.
Spoofs in your inbox
This article is mostly concerned with situations where
your e-mail address appears on the "From:" line of junk mail
sent to others. Conversely, however, no discussion of spoofing would be
complete without mentioning spoofs you'll find in your inbox.
Because many e-mail programs now regard mail from unknown addresses with
suspicion, and spammers have a vested interest in gaining the confidence of
their targets, many spammers will spoof onto their "From:" line
an e-mail address which many people will have in their white list of acceptable
senders. This might be the address of a popular financial institution or a
social networking site. In many but not all of these cases, the body of the
mail is also designed to resemble a notification from one of these services, like
"your bill is ready" or "you have an update," so click
here for details. For more about these spoofs, see my companion essay,
"Every trick in the book: how hackers take over your computer."
Here's how I determined the physical location of a hacker who took
over my friend Patrick's e-mail account. You may utilize this technique,
being aware that the details may vary depending on your e-mail software and the nature
of the hack.
Step 1: Determine hacker's IP address
I opened the hacked message in my e-mail client reader (Mozilla Thunderbird)
and invoked "View Message Source". The exact
command varies depending on your e-mail client software; in some
other programs it is "View Full Headers."
When looking at the headers of a message, you will see a bunch of
lines beginning "Received:". These are like postmarks, added by each
server that handles a message on its way to you. They are in reverse
chronological order, the older ones farther down the page. The oldest
one tells the origin of the message:
(Screenshot: The hacker's IP address is 22.214.171.124)
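The postmark test described under "Hacked or Spoofed?" above and Step 1 here are the same operation: read the "Received:" lines bottom-up and look at the oldest one. The following Python script is an added example (not from the original essay) that automates it with the standard library's email parser. The message source is constructed for the example and is not a real message; the server names and addresses in it are invented, and the "ESMTPSA" check relies on the convention, used by Postfix and Sendmail, of writing "with ESMTPA" or "with ESMTPSA" in the postmark when the submitting client logged in with a username and password.

```python
import re
from email import message_from_string

# Constructed message source (not a real message), laid out as "View Message
# Source" shows it: the newest postmark on top, the oldest at the bottom.
SAMPLE_SOURCE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <me@example.org>; Tue, 4 Feb 2014 10:15:02 -0800
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby smtp.mailprovider.example (Postfix) with ESMTPSA id 0F2A
\tfor <me@example.org>; Tue, 4 Feb 2014 10:14:58 -0800
From: "Patrick Example" <patrick@mailprovider.example>
To: me@example.org
Subject: I was robbed on vacation, please wire money
Message-ID: <constructed-001@mailprovider.example>

This is the body.
"""

# An IPv4 address in square brackets, as mail servers write it in postmarks.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_trail(source):
    """Return the Received: postmarks oldest first, each collapsed to one line."""
    msg = message_from_string(source)
    # Folded header lines come back with embedded newlines; flatten them.
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return list(reversed(hops))  # header order is newest first


def origin_ip(source):
    """Step 1: the IP address in the oldest postmark, i.e. the machine that
    first handed the message to a mail server."""
    trail = received_trail(source)
    if not trail:
        return None
    match = IPV4_IN_BRACKETS.search(trail[0])
    return match.group(1) if match else None


def submitted_via_provider(source, provider_domain):
    """'Hacked' indicator from the essay: the oldest postmark says the message
    was accepted *by* a server in your own provider's domain."""
    trail = received_trail(source)
    if not trail:
        return False
    match = re.search(r"\bby\s+([^\s;(]+)", trail[0])
    return bool(match) and match.group(1).lower().endswith(provider_domain.lower())


def authenticated_submission(source):
    """Stronger 'hacked' indicator: Postfix and Sendmail write 'with ESMTPA' or
    'with ESMTPSA' when the client logged in with a username and password,
    so the account's own credentials were used to send the message."""
    trail = received_trail(source)
    return bool(trail) and re.search(r"\bwith\s+E?SMTPS?A\b", trail[0]) is not None


if __name__ == "__main__":
    for hop in received_trail(SAMPLE_SOURCE):
        print("postmark:", hop)
    print("origin IP:", origin_ip(SAMPLE_SOURCE))
    print("accepted by your provider:",
          submitted_via_provider(SAMPLE_SOURCE, "mailprovider.example"))
    print("client logged in with a password:", authenticated_submission(SAMPLE_SOURCE))
```

One caveat when reading the result: a spammer can put forged "Received:" lines of his own underneath the genuine ones, so only the postmarks added by servers you have reason to trust (your own provider's, and those above it) are reliable evidence. If the bottom line names your provider's submission server and says the client authenticated, the account itself was used; if the trail starts at an unrelated server that merely carries your address on the "From:" line, that is spoofing.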
Step 2: Locate IP address on the planet
Next, I invoked IP2Location to tell me where in the world this is
located. This commercial system allows unregistered guests 20 free lookups per day.
I entered 126.96.36.199 into their demo form and got:
(Screenshot: The hacker is in Nigeria, state of Lagos, town of Badagry)
You can see this on a Google Map or learn more about the place in Wikipedia.
So, What Was Your First Clue?
Feedback from Contacts
Whenever I get obvious spam (junk mail) from a friend's account, I hit "Reply-to-All" to alert my friend
and all of his correspondents to the problem. Often, my friend is unaware that his account was compromised until
he hears from me. And sometimes, the copy that the other recipients get alerts them to the problem so they don't
take the bait and click the malicious link.
Bounce Messages
A bounce message is an automated reply from a mail server reporting that an e-mail message was not deliverable
as addressed, perhaps because the address is invalid or the recipient's inbox is full. I was stunned recently
when a friend told me that he just deletes "return to sender" bounce messages unread. You should always
carefully read bounce messages! They are very important!
They say exactly why your message was bounced. If the address to
which you sent it is no longer valid, then you should delete the
invalid address from your contacts, and, if appropriate, call up your
contact on the phone to get their new address.
Usually the bounce message includes a copy of the e-mail you tried to
send, or at least its headers. Look at it! If it is really an e-mail
you tried to send, then you just need to update your contact's address
as above. If not, then the fact you're getting a bounce of a message
that you did not knowingly send is the first clue that your account
has been spoofed or hacked, a matter which you should take very seriously.
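The test the essay describes (is the returned copy really a message you sent?) can be done mechanically when the bounce is in the standard multipart/report format, which carries a machine-readable delivery-status part and a copy of the bounced message. The Python script below is an added example, not part of the original essay. The bounce it parses is constructed for the example (nothing in it is real), and the set of Message-IDs it compares against stands in for the "Sent Mail" folder: mail clients keep a copy of each message you send, and its "Message-ID:" header is the simplest thing to match on.

```python
from email import message_from_string

# Constructed Message-IDs standing in for those in my "Sent Mail" folder.
SENT_MESSAGE_IDS = {"<constructed-001@example.org>", "<constructed-002@example.org>"}

# Constructed bounce (DSN) in the standard multipart/report layout: a
# human-readable part, a delivery-status part, and a copy of the bounced
# message. Not a real bounce; every name and address in it is invented.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: me@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="dsn-boundary"

--dsn-boundary
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.org.
The message could not be delivered to one or more recipients.

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; friend@example.com
Action: failed
Status: 5.1.1

--dsn-boundary
Content-Type: message/rfc822

From: "Me" <me@example.org>
To: friend@example.com
Subject: Cheap replica watches!!!
Message-ID: <spoof-9f3c@random.example>
Date: Tue, 4 Feb 2014 03:12:00 +0000

Special offer, see the link in this message.

--dsn-boundary--
"""


def _note_original(report, original):
    """Record the identifying headers of the message that bounced."""
    report["original_message_id"] = original.get("Message-ID")
    report["original_from"] = original.get("From")
    report["original_subject"] = original.get("Subject")


def parse_bounce(raw):
    """Extract what the essay says to look at: who the bounce was for, why
    delivery failed, and which message it is a bounce *of*."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None  # not a standard DSN; read it by hand
    report = {"recipient": None, "action": None, "status": None,
              "original_message_id": None, "original_from": None,
              "original_subject": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The payload is a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    report["recipient"] = block["Final-Recipient"].split(";")[-1].strip()
                    report["action"] = block.get("Action")
                    report["status"] = block.get("Status")
        elif ctype == "message/rfc822":
            _note_original(report, part.get_payload(0))  # the attached original
        elif ctype == "text/rfc822-headers":
            _note_original(report, message_from_string(part.get_payload()))  # headers only
    return report


def assess_bounce(raw, sent_message_ids):
    """The essay's rule: a bounce of a message you really sent means a stale
    address; a bounce of one you never sent is the first clue that your
    account has been hacked or your address spoofed."""
    report = parse_bounce(raw)
    if report is None:
        return "unrecognised"
    if report["original_message_id"] in sent_message_ids:
        return "stale-address"
    return "backscatter"


if __name__ == "__main__":
    details = parse_bounce(SAMPLE_BOUNCE)
    for key, value in details.items():
        print("%-20s %s" % (key + ":", value))
    verdict = assess_bounce(SAMPLE_BOUNCE, SENT_MESSAGE_IDS)
    print({"stale-address": "you sent it: update the address in your contacts",
           "backscatter": "you did NOT send it: check whether your account is hacked or spoofed",
           "unrecognised": "non-standard bounce: read it by hand"}[verdict])
```

The "backscatter" result does not by itself say which of the two cases applies; for that, take the headers of the returned copy and apply the "Received:" postmark test from earlier in the essay. Bounces that arrive as plain text rather than multipart/report fall through to "unrecognised" and still have to be read by eye.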
- Yahoo email account passwords stolen, ABC News, January 30, 2014
- One Quick Way to Find Out if Your Email and Password Have Been Hacked by Will Oremus, Slate, July 12, 2012
- Yahoo confirms 400,000 accounts hacked, less than 5% valid by Emil Protalinski, ZDNet, July 12, 2012
- Yahoo! Hacked: What You Need to Do Now by Shelly Palmer, Huffington Post, July 16, 2012
- How to Check if Your Yahoo, Gmail or AOL Passwords Were Leaked by Samantha Murphy, Mashable, July 12, 2012
- Yahoo Confirms, Apologizes For The Email Hack, Says Still Fixing by Ingrid Lunden, TechCrunch, July 12, 2012
- Phishing attack against MSN/Hotmail users - a new year, but old tricks still persist by Graham Cluley, January 14, 2013
As the author of this page, Rich Pasco would appreciate any feedback you
may have to offer. If your e-mail account was hacked, please let me know
whether this page was helpful in resolving the problem. I would especially
like to know how the hacker took control of your account in the first place,
and what steps you took to secure your account and prevent a recurrence.
You may e-mail me directly or use this form.
Copyright © 2010-2011 Richard C. Pasco. All rights reserved.