
autojohn

join:2001-02-21
Winston Salem, NC

2 edits

Is someone using my Yahoo account to send Spam??

I have gotten dozens of these messages from the MAILER-DAEMON@yahoo.com for the last 2 days - has my account been hijacked by a spammer? What can I do? Is it just Yahoo or do I need to change my email address everywhere?

Sorry, we were unable to deliver your message to the following address.

:
Remote host said: 554 delivery error: dd This user doesn't have a
yahoo.com account (pokey7770@yahoo.com) [0] - mta1053.mail.mud.yahoo.com [BODY]

--- Below this line is a copy of the message.

Received: from [77.238.189.57] by nm20.bullet.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
Received: from [217.146.188.168] by tm10.bullet.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
Received: from [127.0.0.1] by smtp136.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; t=1332364683; bh=k1nYEg+Tl07FUtUM2jXU/CJo3b4YIQUZHPo1Htr6Uf4=; h=X-Yahoo-Newman-Id:Message-ID:Date:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:FRom:TO:SUBJect; b=PhOa2PXu51A36ybxjSvdxmiaSXWeR7C0nTVAS+71OnxCaEwUJX3aUYGteqcjo+6XY3XGXHxUZsJk+XB39F5ncDfdmaPY3ZP6IxfrqRfC0W0l1VYJ6e+HAveeAdaiN9GfuRbkjfW+ZkiPC+TE4nTPtEp6Mqj87kG8ZMtaYEpt/ag=
X-Yahoo-Newman-Id: 846414.54431.bm@smtp136.mail.ird.yahoo.com
Message-ID: <846414.54431.bm@smtp136.mail.ird.yahoo.com>
Date: Wed, 21 Mar 2012 14:18:03 -0700 (PDT)
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: Y31rDI0VM1mTNF1BoS9s1FyMMIdL8JthLbBpSTDsr4BM9.p
 R2TruKVArkrqXMtIa2XWTuygcoy5QYF_J80XmHCjTP9klNQSTqgrvWTYTx30
 1CUkrlSAGiuAf21Qn49LAJ5UboA42qeuRk0BFvSM4H_VDATNfJ2EjMevgoVy
 Tt3NL0UQ2us.HzJyCP.cLR9aWNvZnebjPzdnBP3aTWeJ1tZzypSEp.N1iopa
 BbdbLG4iEKn2ib1U9ITDJXQJR7nTGcoxo2ujC92EBrxULqIbooSBIQAihGvN
 DhuDvz4Fq3nSK2Yow2AVd1ybs0YQQgG70tkVc3ARxKddxeM9w2kJjFVHSpVs
 eqcJMliObRXB_nYRxFVayMkt3jZfc5mtR_phTQxtWmohVodDj86iW347fPTh
 MH1C27L6P5mX8fb0AUEcUfqmE4K0OGShNmDapF2KYYwrJWKuqWBaEXHA4ZPP
 Xm5xch1PWWxAmuq_o0TdQGZexgQ--
X-Yahoo-SMTP: htmqFEGswBCx5NBxVySNtRu178bFZY65KP1W7JkmEJPIgjc-
Received: from OWNEROR-I6LR6CR (autojohn@79.159.195.8 with plain)
        by smtp136.mail.ird.yahoo.com with SMTP; 21 Mar 2012 14:18:03 -0700 PDT FRom : autojohn@bellsouth.net TO:<zoka@gmail.com>,<carpins@htmail.co.uk>,<ezionieri@rocketmail.com>,<bubba_land_88@hotmail.com>,<wtsingleton61@gmail.com>,<psvh73@laposte.net>,<sadpriest070@live.com>,<jessy231@hotmail.com>,<pokey7770@yahoo.com>,<nana_sandy@comcast.net>,<liltah69@aol.com>,<reed@hotmail.com>,<mjunell@yahoo.com>,
SUBJect:It seemed to her that she had lost him for good, that he could never 
 
http://ordertadalafilonline.com/parapillum.php  
 


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

It helps if you can put the email in a code block:
[code]
the email message
[/code]

If you are able to edit the message, please make that change.

From what I can see, it looks as if the email was sent from 8.Red-79-159-195.staticIP.rima-tde.net, using your account.

You need to change your password. I'm not sure what you can do to force the intruder off - if he is logged in, he might stay logged in for up to 14 days without needing the new password. Call your ISP (AT&T if you are their customer), or contact Yahoo if you are no longer an AT&T customer. Maybe they have a way of killing existing logins.

Hmm. The sender of the email might not be logged into your Yahoo account. It looks as if he sent that mail with an smtp client, and authenticated to Yahoo using PLAIN authentication. So just changing your password should be sufficient, unless the intruder has access to your computer and can get the new password.

The first step: Make sure that your computer, and all computers you use, are clean. Start here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

The reason for the clean check is that there might be malware running on one of your computers, allowing the intruder to pick up your new password when you change it.

After the cleanup, change your password yet again, as an extra safety precaution.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 10.0.2



DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
reply to autojohn

I'm assuming your computer isn't in Spain. Unless it is, it didn't send that message.

I've been seeing this for a couple of years now. Someone is using some sort of vulnerability [Possibly the gibberish after the mailer ID? Buffer overflow or similar attack, perhaps?] in Yahoo's webmail servers to send spam. Judging from my observations of the situation, Yahoo doesn't seem too interested in fixing it, or they would have by now.

At first I was telling affected users to change their Yahoo password and security questions. I'm not sure if that works, but it's worth a try. If that doesn't work, and if Yahoo doesn't want to fix the problem, the only sure fix is to stop using Yahoo mail.

Opposing viewpoints with supporting evidence are welcome.



autojohn

join:2001-02-21
Winston Salem, NC
reply to autojohn

Thanks for the replies. Is this correct? No, my computer is not in Spain :) Do I need to (shudder) change my email address?

Sorry, we were unable to deliver your message to the following address.
 
:
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (pokey7770@yahoo.com) [0] - mta1053.mail.mud.yahoo.com [BODY]
 
--- Below this line is a copy of the message.
 
Received: from [77.238.189.57] by nm20.bullet.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
Received: from [217.146.188.168] by tm10.bullet.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
Received: from [127.0.0.1] by smtp136.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; t=1332364683; bh=k1nYEg+Tl07FUtUM2jXU/CJo3b4YIQUZHPo1Htr6Uf4=; h=X-Yahoo-Newman-Id:Message-ID:Date:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:FRom:TO:SUBJect; b=PhOa2PXu51A36ybxjSvdxmiaSXWeR7C0nTVAS+71OnxCaEwUJX3aUYGteqcjo+6XY3XGXHxUZsJk+XB39F5ncDfdmaPY3ZP6IxfrqRfC0W0l1VYJ6e+HAveeAdaiN9GfuRbkjfW+ZkiPC+TE4nTPtEp6Mqj87kG8ZMtaYEpt/ag=
X-Yahoo-Newman-Id: 846414.54431.bm@smtp136.mail.ird.yahoo.com
Message-ID:
Date: Wed, 21 Mar 2012 14:18:03 -0700 (PDT)
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: htmqFEGswBCx5NBxVySNtRu178bFZY65KP1W7JkmEJPIgjc-
Received: from OWNEROR-I6LR6CR (autojohn@79.159.195.8 with plain)
by smtp136.mail.ird.yahoo.com with SMTP; 21 Mar 2012 14:18:03 -0700 PDT FRom : autojohn@bellsouth.net TO:,,,,,,,,,,,,,
SUBJect:It seemed to her that she had lost him for good, that he could never
 
»ordertadalafilonline.com/parapillum.php
 

Whip

join:2009-01-23
Califon, NJ
reply to DrStrange

Yeah, they're not too interested.
Same thing happened to me and they insist it was my fault.
Only problem is they only go in through the IM program.
They never log in through the email system.
I haven't used their IM in over 2 years.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to DrStrange

said by DrStrange:

Someone is using some sort of vulnerability [Possibly the gibberish after the mailer ID?

I am not convinced that this is webmail.

I see "Received: from OWNEROR-I6LR6CR (autojohn@79.159.195.8 with plain)".

I am pretty sure that means that the mail was sent using an smtp client, the smtp client authenticated to Yahoo as "autojohn" using PLAIN smtp authentication. The PC from which it was sent probably has NETBIOS name "OWNEROR-I6LR6CR".

If "OWNEROR-I6LR6CR" happens to be the name of autojohn's computer, then he probably has malware that sent the mail through a Spanish proxy. Otherwise, the person who sent it probably has his password to use for smtp authentication.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 10.0.2


autojohn

join:2001-02-21
Winston Salem, NC
reply to autojohn

Thanks all for the advice. No that is not the name of my computer - a further search of the interweb reveals that Yahoo has several answers to this issue. Mostly it is that someone has gotten my address at random or purchased from some hard working hacking organization. My account has not been compromised, but I will continue to suffer the undeliverable messages until whoever is doing it moves on to another name.

To resolve the issue with Yahoo (the source of most, but not all) of the uncontactable messages, it was suggested using an alias for my address in Yahoo. I will give that a try and see what results -- soooooooooo, I was not compromised, but apparently have an easy to guess name and will suffer the consequences.

Thanks again for the responses ------------ JMG



autojohn

join:2001-02-21
Winston Salem, NC

1 recommendation

reply to autojohn

The emails have stopped -- guess the spammer moved on to another address -- got an email from my ISP AT&T saying that my password had been suspended as it looked like someone was using my account to send spam - it asked me to check my options on my account - I did, and changed my password -- so that may have helped as well - In any case, thanks for the advice - especially Snowy ------------ JMG



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to DrStrange

said by DrStrange:

I've been seeing this for a couple of years now. Someone is using some sort of vulnerability [Possibly the gibberish after the mailer ID? Buffer overflow or similar attack, perhaps?] in Yahoo's webmail servers to send spam. Judging from my observations of the situation, Yahoo doesn't seem too interested in fixing it, or they would have by now.

At first I was telling affected users to change their Yahoo password and security questions. I'm not sure if that works, but it's worth a try. If that doesn't work, and if Yahoo doesn't want to fix the problem, the only sure fix is to stop using Yahoo mail.

Opposing viewpoints with supporting evidence are welcome.

I concur with nwrickert. The posted header information suggests a compromised AT&T/Yahoo ('bellsouth.net') account.

I will include my evidence in a response to the OP.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to autojohn

said by autojohn:

I have gotten dozens of these messages from the MAILER-DAEMON@yahoo.com for the last 2 days - has my account been hijacked by a spammer? What can I do? Is it just Yahoo or do I need to change my email address everywhere?

Based on this line:
Received: from OWNEROR-I6LR6CR (Your_User_Name@79.159.195.8 with plain)
 by smtp136.mail.ird.yahoo.com with SMTP; 21 Mar 2012 14:18:03 -0700 PDT
 
I would say your account is compromised. Yahoo! always stamps the authenticating account username, and the originating IP address in the headers. Because SMTP authentication is being used, the posting IP address need not be in the account owner's domain IP address block.

You truncated the headers before the mail agent identification, but AFAIK, only MSFT clients (Outlook, et al) issue SMTP HELO with the computer name. All the others I have used issue SMTP HELO with the computer IP address, even if it is an RFC 1918 IP address. Though some of those other clients can be modified to use a proper FQDN in the domain of the sending IP address.

Here is an example from one of my AT&T/Yahoo! accounts in the 'pacbell.net' domain:
Received: from kozue.pacbell.net (My_User_Name@173.228.18.23 with plain)
        by smtp104.mail.ne1.yahoo.com with SMTP; 13 Oct 2011 23:51:52 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
 
Note that the originating IP address is not an AT&T ('pacbell.net') IP Address. And also that Mozilla Thunderbird allowed me to set an FQDN consistent with the Return Path email address.

You should heed nwrickert's advice about changing your account password. You shouldn't need to change your email address.

(No, folks, 'kozue.pacbell.net' is not my computer's name; that is just plain 'Kozue'.)

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

So, they're just guessing obvious passwords?

I've been advising customers and others in this situation to change their Yahoo [or att.net or snet.net or...] passwords and security questions, but I was becoming suspicious that there was more to it than that.

Thanks for the info.



SmokChsr
Who let the magic smoke out?
Premium
join:2006-03-17
Saint Augustine, FL

1 edit
reply to autojohn

I've been receiving quite a few messages in the past week or so, from Bellsouth.net (hosted by yahoo) or Yahoo.com accounts.

This seems like it might be related to the OP's report

The interesting part is that it must also be pulling addresses from the person's address book or from their inbox.

In each case the spam message has been from someone I know, and has multiple addresses of people who I know they also know. In one case, it's a non-computer-savvy person, who gets all his email via bellsouth.net via web, but uses gmail.com for all of his outgoing mail because he couldn't figure out how to use the bellsouth web interface to send.

To me that threw an interesting wrinkle into it, since he would have no addresses stored on the web server. I'll be looking at his computer in the next day or so to see if I can find some sort of mal/spyware on it.. The actual origin seems to be Hungary if I read the headers correctly.

Here is a header from one I received.. Note only the valid email addressees have been altered to protect the innocent, or perhaps not so innocent.

From - Tue Jun 05 09:54:49 2012
X-Account-Key: account4
X-UIDL: AL/VimIAAX2IT84PlQPHQ2IjFJ4
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
X-Apparently-To: xxxxx@bellsouth.net via 98.138.213.191; Tue, 05 Jun 2012 06:54:29 -0700
Received-SPF: none (domain of bellsouth.net does not designate permitted sender hosts)
X-Originating-IP: [98.139.44.94]
Authentication-Results: mta1069.sbc.mail.mud.yahoo.com  from=bellsouth.net; domainkeys=pass (ok);  from=bellsouth.net; dkim=pass (ok)
Received: from 204.127.217.74  (EHLO fgateway03.isp.att.net) (204.127.217.74)
  by mta1069.sbc.mail.mud.yahoo.com with SMTP; Tue, 05 Jun 2012 06:54:29 -0700
Authentication-Results: isp.att.net;
domainkey=pass (no signature error) header.From=Photog69@bellsouth.net               
Received: from nm1-vm0.access.bullet.mail.sp2.yahoo.com ([98.139.44.94])
          by isp.att.net (frfwmxc04) with SMTP
          id <20120605135428M04002hoiue>; Tue, 5 Jun 2012 13:54:28 +0000
X-Originating-IP: [98.139.44.94]
Received: from [98.139.44.104] by nm1.access.bullet.mail.sp2.yahoo.com with NNFMP; 05 Jun 2012 13:54:28 -0000
Received: from [98.139.44.93] by tm9.access.bullet.mail.sp2.yahoo.com with NNFMP; 05 Jun 2012 13:54:28 -0000
Received: from [127.0.0.1] by omp1030.access.mail.sp2.yahoo.com with NNFMP; 05 Jun 2012 13:54:28 -0000
X-Yahoo-Newman-Id: 504226.41389.bm@omp1030.access.mail.sp2.yahoo.com
Received: (qmail 91001 invoked by uid 60001); 5 Jun 2012 13:54:28 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; t=1338904467; bh=JirVj87LegHuZ85IIJu7reD17r8yXSlz44qK1yUishk=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=ds5bJ31OxV2YCRZVPiRYZsIlkX448wyd951SLpH52Eomtm7JjNpFxmALbO9q+y5X/GXneTJynw4cls8RbySn35vgcDuczcJtJrt02m0TrUF5aB3VRl06cfJWhTZQJWUWgdU7FZnfy7zt84ll/5+mTCtZ/jU0aXapRg/0W+3C1rQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=bellsouth.net;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
  b=QTHpULmHx+kuMKtN/bxbVX3INe+6dkaE83PDJGF2Z47Lz0zxSqi4VaMF3fCDYsY7IGzIPal6pquzXJ3LJXSwU8O8LBEBC7TMVCNgdQ+e4NIDfeBRDemnaBCL+61EXMVM0YnIrUccGus7NnJV1Rpyu9SbwX+dTIJXu+coQd2Z9ho=;
Received: from [80.99.205.55] by web180304.mail.gq1.yahoo.com via HTTP; Tue, 05 Jun 2012 06:54:27 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1338904467.81411.BPMail_high_noncarrier@web180304.mail.gq1.yahoo.com>
Date: Tue, 5 Jun 2012 06:54:27 -0700 (PDT)
From: xxxxxxxxx<xxxxxxxxxx@bellsouth.net>
Subject: Re:
To: ***********@staugustine.com, ******@staugustine.com, *******@gmail.com,
  ********@yahoo.com, *******@yahoo.com, *me*@bellsouth.net
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
 
http://walentfoto.vdnet.lt/samtam.php?theme=284
 
Learn H0w T0 Earn M0ney OnIine N0w
 


carpetshark3
Premium
join:2004-02-12
Idledale, CO

I got a spam email in my Yahoo account which had my Yahoo addy on it - but no complaints - I don't have anyone in contacts that it can send to besides myself.

I got torked at Yahoo years ago, deleted contacts, now have them in a folder offline for cut and paste.

If it gets addresses from the inbox - it will only spam Yahoo groups and some junk companies. I'd love it if they spammed the (assumed) Brazilian spammers.

I can't figure out how to get spam here without opening it so I just delete it.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
reply to SmokChsr

From the headers:

Received: from [80.99.205.55] by web180304.mail.gq1.yahoo.com via HTTP; Tue, 05 Jun 2012 06:54:27 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
 
Since your friend isn't using the Bellsouth web mail service to send, and the IP address is not a Bellsouth/AT&T IP address, your friend's account is certainly compromised. If this is from the account of the person who is not computer/Internet savvy, the account password should be changed, and the password reset options reviewed to ensure that the thief can't reset the password by sending a reset to his (the thief's) email address. You should also educate him about phishing (I've received numerous email messages, ostensibly from my providers, threatening to close my account if I don't verify it by sending my login details). Also educate him about password security; I have a relative who ignores phishing scams, but had an MSN account stolen because of a weak password.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
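
The header reading done in this thread (the "(user@IP with plain) ... with SMTP" stamp for an authenticated SMTP client, and the "via HTTP" stamp for webmail), as an added example that is not part of any post above. The regexes cover only the two stamp shapes quoted on this page; `known_hosts` and `known_nets` are hypothetical parameters for the HELO names and networks the account owner recognizes.

```python
import ipaddress
import re

# Origin stamps in the two shapes quoted in this thread.
SMTP_AUTH = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<user>[^@\s]+)@(?P<ip>[0-9.]+)\s+with\s+(?P<mech>\w+)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+SMTP", re.I)
WEB_HTTP = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9.]+)\]\s+by\s+(?P<by>\S+)\s+via\s+HTTP",
    re.I)

# Header lines copied from the posts above (other headers omitted).
SAMPLE_SMTP = """\
Received: from [127.0.0.1] by smtp136.mail.ird.yahoo.com with NNFMP; 21 Mar 2012 21:18:03 -0000
Received: from OWNEROR-I6LR6CR (autojohn@79.159.195.8 with plain)
        by smtp136.mail.ird.yahoo.com with SMTP; 21 Mar 2012 14:18:03 -0700 PDT
"""
SAMPLE_WEB = """\
Received: (qmail 91001 invoked by uid 60001); 5 Jun 2012 13:54:28 -0000
Received: from [80.99.205.55] by web180304.mail.gq1.yahoo.com via HTTP; Tue, 05 Jun 2012 06:54:27 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
"""
SAMPLE_OWN = """\
Received: from kozue.pacbell.net (My_User_Name@173.228.18.23 with plain)
        by smtp104.mail.ne1.yahoo.com with SMTP; 13 Oct 2011 23:51:52 -0700
"""

def unfold(raw):
    """Join folded header lines (continuation lines start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.strip())
    return lines

def submission_origin(raw, known_hosts=(), known_nets=()):
    """Return how and from where the message entered the provider, or None."""
    hosts = {h.lower() for h in known_hosts}
    for header in unfold(raw):
        m, path = SMTP_AUTH.match(header), "smtp-auth"
        if not m:
            m, path = WEB_HTTP.match(header), "webmail-http"
        if not m:
            continue  # internal relay hop (NNFMP, qmail, inbound MX)
        info = m.groupdict()
        info["path"] = path
        try:
            ip = ipaddress.ip_address(info["ip"])
            net_ok = any(ip in ipaddress.ip_network(n) for n in known_nets)
        except ValueError:
            net_ok = False  # malformed address in the stamp
        # The owner recognizes the submission by HELO name or source network.
        info["recognized"] = info.get("helo", "").lower() in hosts or net_ok
        return info
    return None

if __name__ == "__main__":
    for sample in (SAMPLE_SMTP, SAMPLE_WEB, SAMPLE_OWN):
        print(submission_origin(sample, known_hosts=("kozue.pacbell.net",)))
```
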