Email has been hacked

Thread: Email has been hacked

  1. #1
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767

    Email has been hacked

    This has never happened to me before and I don't know if it is a subject that Virtual Dr can help me with. My email is now sending out mass spam email messages using my email address. I am new to this and not sure what route to go. I did change my password but it is still happening. I will take any advice. Thank you

  2. #2
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,432
    What e-mail provider are you using? Is it a web based e-mail account, or does the spam look like it is being sent from your computer? What indications do you have that the spam is actually being sent from your account? Does it show up in your sent mail?

    To see if your computer is infected, you could follow the instructions at the link below and post the logs.

    http://discussions.virtualdr.com/sho...d.php?t=167915

  3. #3
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    I have a Time Warner Roadrunner account. People in my address book are receiving email from my address that I never sent out. It is wanting them to look at an addy of www.news13open. Haven't looked in the sent box yet... will do when I get home

  4. #4
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,432
    While it is possible that your computer is infected and is sending out the e-mails, it is also possible that a spammer has simply used your e-mail address as the From address in his spam e-mails. It would not hurt to check your computer for malware, but it might also be a good idea to contact some of the spam recipients from your address book to see if they received e-mails during a time period when your computer was known to be turned off.

  5. #5
    Join Date
    Apr 2007
    Location
    Clearwater, Florida
    Posts
    837
    It sounds like malware stole your address book and the mail is being sent from other than your account and/or computer. If you have one of the forged emails, look at the internet headers. They will show the IP address of where the mail originated and each mail server transited.
    Instructions for Outlook 2010:
    Open the email.
    Click the File tab.
    Click the Properties button to open a dialog.
    The headers are displayed in the lower part of the dialog window.

    Here is an example of what they look like:
    Code:
    Return-Path: <***@cfood.hou.***.com>
    Received: from mx2.f3n.de (mx2.f3n.de [212.204.115.42])
    	by hermes.f3n.de (8.13.8/8.13.8) with ESMTP id p8KHpxr0020574
    	for <********@***.de>; Tue, 20 Sep 2011 19:52:00 +0200
    Received: from cfood.hou.***.com (cfood.hou.***.com [216.52.171.79])
    	by mx2.f3n.de (8.13.8/8.13.8) with ESMTP id p8KHpiIp030536
    	for <********@***.de>; Tue, 20 Sep 2011 19:51:45 +0200
    Received: from cfood.hou.***.com (localhost [127.0.0.1])
    	by cfood.hou.***.com (8.14.3/8.14.3) with ESMTP id p8KHpgqg043991
    	for <********@***.de>; Tue, 20 Sep 2011 12:51:42 -0500 (CDT)
    	(envelope-from ***@cfood.hou.***.com)
    Received: (from ***@localhost)
    	by cfood.hou.***.com (8.14.3/8.14.3/Submit) id p8KHpfLL043845
    	for ********@***.de; Tue, 20 Sep 2011 12:51:41 -0500 (CDT)
    	(envelope-from ***)
    Date: Tue, 20 Sep 2011 12:51:41 -0500 (CDT)
    Message-Id: <[email protected].***.com>
    Subject: *** Announces New Mobile Apps!
    From: "***" <support@***.com>
    Precedence: bulk
    To: "*****" <********@***.de>
    MIME-Version: 1.0
    Content-ID: <[email protected].***.com>
    Content-Type: multipart/alternative;
                  boundary="----- =_uHvghXdQgOtdPhybAypr2Q=="
    X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.2.2 (mx2.f3n.de [212.204.115.42]); Tue, 20 Sep 2011 19:51:47 +0200 (CEST)
    X-Spam-Status: No, score=3.2 required=7.5 tests=BAYES_00,DCC_CHECK,
    	HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,
    	MPART_ALT_DIFF autolearn=no version=3.2.5
    X-Spam-Level: ***
    X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mx2.f3n.de
    X-Virus-Scanned: clamav-milter 0.97.2 at mx2.f3n.de
    X-Virus-Status: Clean
    Note -
    The "*" were inserted for privacy.
    The From, To, Cc, Bcc and Subject lines can contain anything. They are window dressing and often forged.

  6. #6
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    I received 15 emails from posimaster @hotmail.com saying delivery failure, coming from my email that isn't Hotmail, with the subject matter I discussed, trying to go to people in my contacts

  7. #7
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,432
    Those are bounce back messages from Hotmail for e-mails that were sent by the spammer to addresses that are invalid. Are any of your actual contacts reporting that they are getting spam from you? If so, have them follow ua549's procedure to display the full header of one of the spam e-mails, and then copy and paste the contents of that header into an e-mail to you. Then you can use that to see if it really came from your computer.

  8. #8
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    Would it be a problem for Virtual Dr if I would post the headers from the email for you to look at?

  9. #9
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,432
    You can go ahead and post them. Remember though that we need the header(s) from the actual spam e-mail that one of your contacts received, not from a forwarded copy of those e-mails or from one of the bounce back e-mails.

    You may also want to replace the actual e-mail addresses with something like "[email protected]" or "[email protected]" to prevent spammers from picking up from the VDr posts.

  10. #10
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    ok going for it
    Code:
    Return-Path: <k-s-p*e*[email protected]>
    Received: from hrndva-mxlb.mail.rr.com ([10.128.255.90])
    	by hrndva-imta03.mail.rr.com with ESMTP
    	id <[email protected]>
    	for <[email protected]>; Mon, 23 Jan 2012 11:57:17 +0000
    Return-Path: <k-s-p*e*[email protected]>
    X-Cloudmark-Score: 0
    X-RR-Connecting-IP: 65.55.116.94
    Received: from [65.55.116.94] ([65.55.116.94:1538] helo=blu0-omc3-s19.blu0.hotmail.com)
    	by hrndva-iedge09.mail.rr.com (envelope-from <k-s-p*e*[email protected]>)
    	(ecelerity 2.2.3.46 r()) with ESMTP
    	id A8/E3-06197-D1B4D1F4; Mon, 23 Jan 2012 11:57:17 +0000
    Received: from BLU0-SMTP64 ([65.55.116.73]) by blu0-omc3-s19.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    	Mon, 23 Jan 2012 03:57:15 -0800
    X-Originating-IP: [195.174.204.192]
    X-Originating-Email: [k-s-p*e*[email protected]]
    Message-ID: <[email protected]>
    Received: from [192.168.1.1] ([195.174.204.192]) by BLU0-SMTP64.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    	Mon, 23 Jan 2012 03:57:13 -0800
    From: Kim Speelman <k-s-p*e*[email protected]>
    Subject: You have got to see this [email protected]
    Date: Mon, 23 Jan 2012 05:57:06 +0000
    To: [email protected]
    MIME-Version: 1.0
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    X-OriginalArrivalTime: 23 Jan 2012 11:57:14.0502 (UTC) FILETIME=[25A1E260:01CCD9C6]
    Sender: <[email protected]>


    E-Mail addresses edited by jdc2000 to prevent spam.

  11. #11
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    You know, I've been a member here since 2000 and learned a lot from the experts here, and am now the go-to guy for all my friends to clean the bad stuff out of their PCs. But this is the first time this has happened to me with the email hacked... kinda gets under my skin that this could happen

  12. #12
    Join Date
    Apr 2007
    Location
    Clearwater, Florida
    Posts
    837
    The email appears to originate from Turkey at 195.174.204.192.
    Code:
    % Information related to '195.174.192.0 - 195.174.223.255'
     
    inetnum:        195.174.192.0 - 195.174.223.255
    netname:        TURKSAT-CABLE
    descr:          Turksat Uydu Haberlesme Kablo TV ve Isletme A.S.
    descr:          Izmir
    country:        TR
    admin-c:        TTBA1-RIPE
    tech-c:         TTBA1-RIPE
    status:         ASSIGNED PA
    mnt-by:         AS9121-MNT
    source:         RIPE # Filtered
     
    role:            TT Administrative Contact Role
    address:         Turk Telekom
    address:         Network Direktorlugu
    address:         06530 ANKARA
    phone:           +90 312 555 1920
    fax-no:          +90 312 313 1924
    e-mail:          [email protected]
    admin-c:         BADB3-RIPE
    tech-c:          ZA66-RIPE
    tech-c:          NO638-RIPE
    tech-c:          SO351-RIPE
    nic-hdl:         TTBA1-RIPE
    mnt-by:          AS9121-MNT
    source:          RIPE # Filtered
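
Added example, not part of any post in this thread: ua549's point that the Received lines record each server transited, and the origin IP read off the posted headers, can be checked with a short Python script. The sample is constructed from the IPs and host names posted above with placeholder addresses, and the function names and trusted-suffix lists are assumptions of this sketch.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers posted in this thread;
# the example.com / example.net addresses are placeholders.
SAMPLE = """\
Received: from hrndva-mxlb.mail.rr.com ([10.128.255.90])
\tby hrndva-imta03.mail.rr.com with ESMTP
\tfor <recipient@example.net>; Mon, 23 Jan 2012 11:57:17 +0000
Received: from [65.55.116.94] ([65.55.116.94:1538] helo=blu0-omc3-s19.blu0.hotmail.com)
\tby hrndva-iedge09.mail.rr.com with ESMTP; Mon, 23 Jan 2012 11:57:17 +0000
Received: from BLU0-SMTP64 ([65.55.116.73]) by blu0-omc3-s19.blu0.hotmail.com
\twith Microsoft SMTPSVC(6.0.3790.4675); Mon, 23 Jan 2012 03:57:15 -0800
X-Originating-IP: [195.174.204.192]
Received: from [192.168.1.1] ([195.174.204.192]) by BLU0-SMTP64.phx.gbl
\tover TLS secured channel; Mon, 23 Jan 2012 03:57:13 -0800
From: Sender Name <sender@example.com>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")

def received_hops(raw):
    """Return [(by_host, [IPs named in the 'from' part])], newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        from_part, _, rest = flat.partition(" by ")
        by_host = rest.split()[0].lower() if rest else ""
        hops.append((by_host, IP_RE.findall(from_part)))
    return hops

def last_verified_ip(raw, trusted_suffixes):
    """Deepest public IP recorded by an unbroken run of trusted servers."""
    found = None
    for by_host, ips in received_hops(raw):
        if not by_host.endswith(tuple(trusted_suffixes)):
            break  # everything below this hop could have been forged
        public = [ip for ip in ips if ipaddress.ip_address(ip).is_global]
        if public:
            found = public[-1]  # skip private addresses such as 192.168.1.1
    return found

if __name__ == "__main__":
    print(last_verified_ip(SAMPLE, [".mail.rr.com"]))
    print(last_verified_ip(SAMPLE, [".mail.rr.com", ".hotmail.com", ".phx.gbl"]))
```

With only the recipient's provider trusted, the answer is the Hotmail relay; the address in Turkey appears only once Hotmail's own Received lines are trusted as well. A forged line naming a trusted host in its `by` field would pass this check, so treat the result as a lead to confirm with the provider.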

  13. #13
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,432
    Since the e-mail seems to have been sent from outside the U.S., it would not have been sent from your computer. It wouldn't hurt to run a full scan with whatever antivirus you have installed, and with the free version of Malwarebytes, but your computer is probably OK.

    E-mail passwords these days should be at least 12-14 characters and not something that might be easily guessed or found in a dictionary, especially if you are using webmail or a nationally recognized e-mail provider.

    It is still possible that your address book contents were stolen, especially if you have addresses stored in an online address book as opposed to an address book in an e-mail client program on your computer.

  14. #14
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    Did all the above including Malwarebytes... looked good. Followed the IP addy and it is a company like Time Warner that supplies TV and broadband. I emailed them and gave them the email properties for proof... let's see their response

  15. #15
    Join Date
    Jan 2000
    Location
    Dayton,Oh USA
    Posts
    767
    Had 15 more bounce back emails between 2:30 and 2:25 today
