US Telco Support > AT&T > AT&T Midwest > Yahoo account was hacked this morning

Yahoo account was hacked this morning

bash-3.2$ host 66.94.236.23
23.236.94.66.in-addr.arpa domain name pointer nm18-vm0.access.bullet.mail.mud.yahoo.com.

That IP is a valid Yahoo Mail Server. It's likely that they automated some IMAP or Web based email spamming program to originate the email through your Yahoo account.

You'll need to look closer at the email headers to see which IP connected to webmail or SMTP submission. Have your friends forward the email if they still have it. Heck, Yahoo likely still has the email records for the abuse too.

Example:
Received: from [99.142.56.1] by web81104.mail.mud.yahoo.com via HTTP; Tue, 10 Jan 2012 06:29:08 PST
X-Mailer: YahooMailClassic/15.0.4 YahooMailWebService/0.8.115.331698

That would direct you to the true IP address of the 'attacker'.

reply to privatepilot
Did your password get changed? This kind of hacking would often be via getting tech support to reset your password. If your old password worked, then that would not be the case.

I tend to think that the best strategy is to not use your "main" email address for anything but communicating with ATT. Too late now, but others might do that.

Here is part of the header I captured:
Received: from [66.94.237.196] by nm8.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Jan
2012 15:28:30 -0000
Received: from [66.94.237.106] by tm7.access.bullet.mail.mud.yahoo.com with NNFMP; 17 Jan
2012 15:28:30 -0000
Received: from [127.0.0.1] by omp1011.access.mail.mud.yahoo.com with NNFMP; 17 Jan 2012
15:28:30 -0000
X-
Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 329800.72447.bm@omp1011.access.mail.mud.yahoo.com
Received: (qmail 1164 invoked by uid 60001); 17 Jan 2012 15:28:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1326814110;
bh=a5fJ8JQQEM7ojl/18XkKbt1zWZMYhifyXnnlp3KITg4=;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;

There is more but this might give someone a clue??
pp

reply to privatepilot
I did NOT reply to any request to 'reset' my password etc. (I've been around for too many years to fall for that one)

The 'hacker' sucked out all my yahoo contacts, deleted them and then changed my email ID slightly (ch'd an 'o' to '0'). All my other yahoo/att ID were deleted except the original which allowed me back in to undo the dastardly deed. (one dumb move on their part)

Of course, I then changed my pwd but the horse had left the barn..

I agree that one should only use the main yahoo log on ID for just its intended purpose. And have a very unique pwd for that.
pp

Sorry to hear that. Call customer service up and ask for it to be reset. Then as I suggested try and make a move to google or similar service, that has 2 factor authentication or at least has a little better security to prevent cr@p like this from happening.

I had a similar issue many years ago, with some somewhat revealing pictures a woman decided to apparently send through email of us together... Well surprise surprise some f*cktard hacked into an account of mine. The response from some foreign customer service for ATT was well less than responsive. They eventually got it straightened out... But it wasn't until after I told the customer service dude "Look I don't care how long this takes, just get it fixed!"

Anyway sorry your horses also left the barn... And just try to go for a slightly more secure email provider.