
tgp1994

join:2010-10-06


Spam email being sent to single contact?

Hi everyone,

Earlier, I attempted to check my computer for malware with the gracious help of the DSLReports users, although nothing was found. One of the reasons that I had wanted to check was because one of the contacts on my outlook email list, my dad, has been receiving spam emails under my full name (and from a similar domain as my email account) for some time now. Although the initial scans performed brought up nothing, I think we may have been looking in the wrong places, so I was hoping someone may be able to offer me some advice.

Essentially, about once every week, one email is sent to my dad's email address. In the from field, my full name is present, but the email is usually a random one, at yahoo.com. The emails that I use in outlook are primarily provided by at&t (the other from msn), which are coincidentally hosted by yahoo (although the domain ends in att.net). The body of the message is usually just a link to a website (which neither my dad nor I have gone to), and on the next line, some sort of timestamp. In the most recent message, the timestamp holds a time about one hour before the message appears to have been sent.

The original scans can be found at the link provided above. I'm working on getting the headers of the messages right now.

If anyone can provide any help on this, I would greatly appreciate it.

Here is the full message (including header):
Return-Path: <some_spammer@yahoo.com>
Received: from nm7-vm3.bullet.mail.ne1.yahoo.com (nm7-vm3.bullet.mail.ne1.yahoo.com [98.138.91.137])
by mtain-mk07.r1000.mx.aol.com (Internet Inbound) with ESMTP id 6C8923800009D
for ; Sun, 12 Aug 2012 11:53:56 -0400 (EDT)
Received: from [98.138.90.51] by nm7.bullet.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
Received: from [98.138.89.169] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
Received: from [127.0.0.1] by omp1025.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: (a combination of letters and numbers)@omp1025.mail.ne1.yahoo.com
Received: (qmail 92814 invoked by uid 60001); 12 Aug 2012 15:53:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1344786835; bh=pcbzygYtqgyN8DwNako3OIkO8kRaisCIm5aZF3AHotA=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=eKSIz9MxH69ip0V+XOB9T6fZRa7oLi2iCfje/RSjdj/s7++pOxw+LzXH6jG/Mjvj/f+NT55PLrSnL7LQJpPOdd5PpEwTSEkBt3zHFsLPNSQxTH7auKl59Q0DvzMgTNLPtgghWmDas54ADhU8bd5eciYnBV+iXZK9rN2akE1Dums=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
b=V8+U42RSadAObtOR/8ZqbFTw1uGWV27vzhtgUx39OClpn6dGBqqFKGo+hVeA2jOUZlSB/ZNxtzgkItdafSON5XTuiNEtjMPVsnOQN/7tmE3gWGxaNeBJZw58fAAudLatkNR4Dghgq+PLDO0bDvCLJaQDNxxJrnVQYNSUcarjBF0=;
X-YMail-OSG: LadUAFMVM1n.FF9TV4Vm46IQWsWxwz_Rx128ANM6qU8klED
x7WGrJWam2vIoE0gR6Bs1PH8.IuY.WWbSLm0Kf.pEf0oB9P5vlwaUfqcUtr1
NqywmmvfLRsdE4KPnnk7bWFk7f15EBE7RlS6mHuPB4dwM0p1GWh4M1VPjBd9
_RXd9CaM.Ez_fFrTizmZmo.jCRj7263nngWI5ChGtBUx9.HpVd7X07MwFWWq
nQ9WYiOdSDTHS7OmMo4qCillE1PNVCFpXX3p7iw4Mf1zh4i2vcx6BmNVicqU
G5IJ9ocEfwcRxxo_9NQhSxq5wEtWCuf4ziyrJy7at.L3prVIQbJpAIdxkp1b
rrTJ9VgIGctWgDosU99u_zi4XLxzFikVgxrnuJB__j.Dz.hdPyU8IlCDTKkG
7rnOFnbtC2Z0pWQ9uVPhHhRYcSewgHqMjzwh9oxPyG.KiAiUjYiydKFM2vBf
40FYN_jvNELWGNfMyrA--
Received: from [93.144.101.1] by web121704.mail.ne1.yahoo.com via HTTP; Sun, 12 Aug 2012 08:53:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <(some numbers).YahooMailNeo@web121704.mail.ne1.yahoo.com>
Date: Sun, 12 Aug 2012 08:53:55 -0700 (PDT)
From: (My full name) <some_spammer@yahoo.com>
Reply-To: some_spammer@yahoo.com
To: "my_dad@aol.com"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
x-aol-global-disposition: S
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d618b5027d1945ae8
X-AOL-IP: 98.138.91.137
X-AOL-SPF: domain : yahoo.com SPF : none
(some website)
8/11/2012 10:56:46 AM



Snowy

join:2003-04-05

If you're computing from Ivrea (a town and comune of the province of Turin in the Piedmont region of northwestern Italy)
»en.wikipedia.org/wiki/Ivrea
you've got a security issue.
That's where the IP 93.144.101.1 is located
Received: from [93.144.101.1] by web121704.mail.ne1.yahoo.com via HTTP; Sun, 12 Aug 2012 08:53:55 PDT
 
That last IP in the headers is where that email originated.
If you are not located there, or are not using a proxy service that may be using that IP, there isn't anything in those headers that suggests a local infection, rogue SMTP server, etc. going on.
Hopefully filling enough pieces of this puzzle will indicate that whatever is happening is not about your computer.
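As an added illustration of the reasoning in the reply above (example code written for this page, not posted by either participant): the script below walks the Received: chain of the pasted headers, returns the hops oldest-first, picks out the earliest hop with a routable peer address, and reports what the From, DKIM and SPF headers say about the sending account. The SAMPLE headers are constructed from the ones in the first post; the poster's redactions are kept as placeholders, the redacted From display name is written as a quoted string so it parses, the recipient in the first Received line is taken from the To: line, and the DKIM signature body is dropped because only the d= tag is read.

```python
"""Walk the Received: chain of a message and find where it was submitted.

Added example, not from the original thread. SAMPLE is constructed from the
headers pasted in the first post, with the poster's placeholders kept and
the DKIM signature body dropped.
"""
import email
import email.utils
import ipaddress
import re

SAMPLE = """\
Return-Path: <some_spammer@yahoo.com>
Received: from nm7-vm3.bullet.mail.ne1.yahoo.com (nm7-vm3.bullet.mail.ne1.yahoo.com [98.138.91.137])
 by mtain-mk07.r1000.mx.aol.com (Internet Inbound) with ESMTP id 6C8923800009D
 for <my_dad@aol.com>; Sun, 12 Aug 2012 11:53:56 -0400 (EDT)
Received: from [98.138.90.51] by nm7.bullet.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
Received: from [98.138.89.169] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
Received: from [127.0.0.1] by omp1025.mail.ne1.yahoo.com with NNFMP; 12 Aug 2012 15:53:56 -0000
Received: (qmail 92814 invoked by uid 60001); 12 Aug 2012 15:53:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
Received: from [93.144.101.1] by web121704.mail.ne1.yahoo.com via HTTP; Sun, 12 Aug 2012 08:53:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
From: "My full name" <some_spammer@yahoo.com>
Reply-To: some_spammer@yahoo.com
To: "my_dad@aol.com" <my_dad@aol.com>
X-AOL-SPF: domain : yahoo.com SPF : none

(some website)
8/11/2012 10:56:46 AM
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\b(.*?)\bby\s+(\S+)", re.S)


def received_hops(raw):
    """Return the Received: hops oldest-first as (from_ip, by_host, via_http).

    Each relay prepends its own Received: line, so the header order is
    newest-first; reversing it gives the path the message actually took.
    Lines without a "from ... by ..." pair (the local qmail handoff) carry
    no peer address and are skipped.
    """
    msg = email.message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):
        line = " ".join(line.split())  # unfold continuation lines
        m = FROM_BY.search(line)
        if not m:
            continue
        ip = IPV4.search(m.group(1))
        hops.append((ip.group(1) if ip else None, m.group(2), "via HTTP" in line))
    hops.reverse()
    return hops


def origin(raw):
    """Earliest hop whose peer is a routable address: the submitting client.

    Loopback and private peers (127.0.0.1 here) are internal handoffs, not
    the sender. "via HTTP" means the message came in through webmail from a
    browser at that address rather than over SMTP from a mail server.
    """
    for ip, by, via_http in received_hops(raw):
        if ip and ipaddress.ip_address(ip).is_global:
            return {"ip": ip, "submitted_to": by, "webmail": via_http}
    return None


def sender_identity(raw):
    """What the headers say about who really sent the message.

    The display name is free text the sender typed. The address domain and
    the DKIM d= domain are what the receiving MTA can actually check.
    """
    msg = email.message_from_string(raw)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2]
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else None
    s = re.search(r"SPF\s*:\s*(\S+)", msg.get("X-AOL-SPF", ""))
    return {
        "display_name": name,
        "address": addr,
        "address_domain": addr_domain,
        "dkim_domain": dkim_domain,
        "dkim_aligned": dkim_domain is not None and dkim_domain == addr_domain,
        "spf_result": s.group(1) if s else None,
    }


if __name__ == "__main__":
    print(origin(SAMPLE))
    print(sender_identity(SAMPLE))
```

Run against these headers, the earliest hop is the "via HTTP" line: a browser session on Yahoo's webmail from 93.144.101.1, not an SMTP connection from the poster's own network, and the DKIM d= domain matches the yahoo.com address, so Yahoo signed mail from a real Yahoo account and the only borrowed element is the display name. One caveat: Received: lines are only trustworthy down to the first relay you trust, since anything earlier could have been written by the sender; here every hop between the web front end and AOL's inbound MTA is Yahoo's own, so the origin line was written by Yahoo itself.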

tgp1994

join:2010-10-06
Ivrea seems like a nice place, although I have no connection with it.

Thanks for pointing that out! Where can I go now in figuring out how my full name and father's email was lifted?


Snowy

join:2003-04-05
said by tgp1994:

Thanks for pointing that out! Where can I go now in figuring out how my full name and father's email was lifted?

I'd start with a Google search.
A few suggestions on the search strings I'd use:
"your name, your email address"
"your name, your dads name"
"your name, your dads name, your email address"
etc...
If you're persistent you'll find what you're looking for.
The key thing to come away with though is that you should feel confident that wherever it was gleaned from it wasn't a leak on your own machine. If it were, you'd be having a lot more issues than a monthly email to show for it.

tgp1994

join:2010-10-06
Thanks snowy, that last tidbit of information makes me feel much better. (The fact that I had been charged for itunes purchases from someone in china after I used my debit card at a home depot store is most likely unrelated, right? Those two events, the shopping, and then the charges, occurred about a month prior to the emails.)

I followed your instructions for the searches, although I did not find any good results. In fact, doing a verbatim search for my email didn't return anything...


Snowy

join:2003-04-05
said by tgp1994:

(The fact that I had been charged for itunes purchases from someone in china after I used my debit card at a home depot store is most likely unrelated, right?

Right.
A lot of harmless but intriguing events go unexplained & that's actually a good thing.
Imagine how boring life would be without its mysteries.

tgp1994

join:2010-10-06
That's true.

Any other ideas of how this person or thing could have gotten my name and dads email though?


Snowy

join:2003-04-05

said by tgp1994:

Any other ideas of how this person or thing could have gotten my name and dads email though?

The contact list of your email account would be a possibility.
I can understand your curiosity but in the scheme of things it's really not a big deal from what I've seen.

tgp1994

join:2010-10-06
Ok, hopefully these emails will taper off.

Thanks for your help, snowy!