
jr118525

join:2013-01-14
Palm Beach Gardens, FL

[Phish] Phishing in getting a copy of your passport and informat

On ESL websites there are scammers who request a copy of your passport and want all kinds of information. Recently, my Yahoo! email account was hacked. I opened a new email account with another service and was emailing back and forth with someone supposedly in China. The information they were giving me about the school and their office, website, did not 'add up' (of course after I sent my info.). Today, someone hacked into that account and changed my password. When I tried to recover the password, inside the header it stated the following:

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensWQjutc4PB1ASjdctIp8bWtr3zw/Snv6qEE8HRxF74J3OmlmTivp6W9QDigFZ3vNyfu8akQVjy7NmToqv17E4A2XhRxcYi+AxKeIBXdlVIZw=
Authentication-Results: hotmail.com; spf=pass (sender IP is 212.227.17.21) smtp.mailfrom=service@gmx.com; dkim=none header.d=gmx.com; x-hmca=pass
X-SID-PRA: service@.....com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vRMTq/Ey2ZlMSI7XkMbO9azMNNawq4d8hbrSORlmrGw8/9/DHnO26paxVcO67gqRKInnpc8uN2DgNnsSbdRJiFrg7dVDIsp2IxbdSF00UnXTj9+sp7jO/RkQked3HeWdL1mQjyMwXVOEENTCa4oL5kb
Received: from mout.gmx.net ([212.227.17.21]) by COL0-MC1-F4.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 13 Jan 2013 19:00:32 -0800
Received: from mailout-eu.gmx.com ([10.1.101.215]) by mrigmx.server.lan
(mrigmx002) with ESMTP (Nemesis) id 0ME0gb-1Tjoem2utT-00HLgK for
; Mon, 14 Jan 2013 04:00:31 +0100
Received: (qmail 31009 invoked by uid 0); 14 Jan 2013 03:00:31 -0000
X-Y-GMX-Trusted: 2
From: service@....com
To: ...@hotmail.com
Subject: Requested password link
X-...-HTML: 1
Date: Mon, 14 Jan 2013 04:00:30 +0100
Message-ID:
MIME-Version: 1.0
X-Priority: 3 (Normal)
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit
X-Y-...-Trusted: 0
Return-Path: service@gmx.com
X-OriginalArrivalTime: 14 Jan 2013 03:00:32.0577 (UTC) FILETIME=[5142D310:01CDF203]

So, I am trying to figure out if it is the company from China or just a serious hacker that keeps accessing my email accounts. They didn't ask for money (yet); however, I did send a copy of my passport and resume. This is usually required by all the recruiters in this field. Kinda scary!


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

Re: [Phish] Phishing in getting a copy of your passport and info

I am having trouble making sense of your post.

When quoting headers, put them in a code block:

[code]
put header here
[/code]

It's easier to read that way, and that prevents some special characters from being corrupted.

In looking at the header, I'm not sure what I am supposed to be looking for. It appears to be a mail sent within gmx.com. Nothing stood out as obviously suspicious.

On ESL websites ...

What's an "ESL website"?

You say that your Yahoo account was hacked. Then you say that you used a different service, and that was also hacked. Maybe your computer is malware infested, and they are able to hack your accounts that way.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0

jr118525

join:2013-01-14
Palm Beach Gardens, FL

Received: from mailout-eu.gmx.com ([10.1.101.215]) by mrigmx.server.lan
(mrigmx002) with ESMTP (Nemesis) id 0ME0gb-1Tjoem2utT-00HLgK for

Okay, I thought that 'Nemesis' looked a little suspicious. And, I cannot access my email from the original sign on screen; however, I could answer my security question and change my password. My account has been locked up since this morning.

I used a POP from gmx.com to transfer any emails from Yahoo! I think that is where the potential 'malware' came in at...

ESL websites are for teachers wanting to teach English as a Second Language. They post many jobs on all of those sites and usually request your resume, copy of your passport, and other personal information.

In the past, a particular business emailed me about a job (to the Yahoo! account). I have been sending emails now back and forth with my new account.

Some things seemed sketchy, but it could be just a fluke. They sent me an email last night which was hyperlinked and since I clicked on it, I am wondering if it was malware. My account has been locked since this morning.

And, the recovery email was the one that I posted the header with Nemesis in the Received i.d.


jr118525

join:2013-01-14
Palm Beach Gardens, FL
reply to nwrickert

And one more thing that I thought was strange. At the end of all of my headers in gmx.com it says that my mail was opened by a mailclient and it gives a number in parentheses. I thought it was an IP address so I checked it out and it's to the U.S. Department of Defense. Okay, no way....seriously?

So, I cannot figure out what those numbers mean or if it's a phishing email or maybe a scammer.

All I know is that it all seems weird and now I can't access my email. Nothing serious in it, just information for this job and my passport, etc...


garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus

If your computer is infected you should clean it up. Instructions on how to do that are here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and then, if still infected, follow those directions about getting guided help in the Security Cleanup forum. Good luck and I recommend not using that pc for email, banking or anything else where passwords or sensitive data is exchanged.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

reply to jr118525

said by jr118525:

Received: from mailout-eu.gmx.com ([10.1.101.215]) by mrigmx.server.lan
(mrigmx002) with ESMTP (Nemesis) id 0ME0gb-1Tjoem2utT-00HLgK for

Okay, I thought that 'Nemesis' looked a little suspicious.

The IP addresses 10.*.*.* are restricted to private use. In this case, it is almost certainly an internal system in the gmx.com backbone. That's why I don't see it as suspicious.

I used a POP from gmx.com to transfer any emails from Yahoo! I think that is where the potential 'malware' came in at...

If possible -- if your mail client supports it -- use secure POP, typically POP with SSL at port 995. Otherwise you are sending your password out in clear text every time you make a POP3 connection.

ESL websites are for teachers wanting to teach English as a Second Language. They post many jobs on all of those sites and usually request your resume, copy of your passport, and other personal information.

That's what I was guessing. But you should have put a bit more info in the original post, so that guessing was not needed. (Just a hint on effective communication).

The passport copy seems like a strange requirement. However, perhaps the people who work in ESL are often immigrants and they might be trying to avoid problems with hiring illegal immigrants. Apart from that, I would guess it is typical for potential employers to want some personal information about people they consider hiring.

They sent me an email last night which was hyperlinked and since I clicked on it, I am wondering if it was malware. My account has been locked since this morning.

With most email clients, if you hover your mouse over the link, the site that the link points to becomes visible somewhere on the screen. It is always wise to check where a link really goes, before deciding whether to click on it.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0

jr118525

join:2013-01-14
Palm Beach Gardens, FL

Thanks nwrickert! However, is it common to have someone id themselves as 'Nemesis' in a header? I read online that recently gmx just had a bunch of their accounts hacked into and were down for awhile in the states and abroad.

Okay, can you tell me what the numbers in the parentheses mean in this header? I thought it was an IP address?

Return-Path: eslteachers@qq.com
Received: from smtpbg1.qq.com ([183.60.61.196]) by mx-ha.gmx.net (mxgmx106)
with ESMTP (Nemesis) id 0MVJWk-1TVuGi3pNu-00YiXl for
; Sat, 05 Jan 2013 07:31:56 +0100
From: "=?utf-8?B?5oCd5ouT5aSW5pWZTWFuZHk=?="
To: "=?utf-8?B?dGVhY2hlcnNyNGxpZmU=?="
Subject: =?utf-8?B?5Zue5aSN77yaIGVzbCBqb2JzIGluIENoaW5h?=
Mime-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
Date: Sat, 5 Jan 2013 14:31:50 +0800
X-Priority: 3
Message-ID:
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
Envelope-To:
X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3;
X-GMX-Antivirus: 0 (no virus found)
X-UI-Filterresults: ;V01:K0:cQD6mG8wFdI=:GMmoqYQ+RnBvfEgaoNCOOTIZUx3t0FZ
X-GMX-UID: ZGllQbhmCG9ydeKetm1vDsxkdj37EoX6
X-Flags: 1411

MailID: ZGllQbhmCG9ydeKetm1vDsxkdj37EoX6

------------------------------------------------------------------------
message opened by mailclient 6.65.11.0 (6.65.3.0)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by jr118525:

Thanks nwrickert! However, is it common to have someone id themselves as 'Nemesis' in a header?

It doesn't have much significance, as far as I can tell. It could be the name of their SMTP software.

Your "suspicious" header:

[code]
Received: from smtpbg1.qq.com ([183.60.61.196]) by mx-ha.gmx.net (mxgmx106)
 with ESMTP (Nemesis) id 0MVJWk-1TVuGi3pNu-00YiXl for
 <teachersr4life@gmx.com>; Sat, 05 Jan 2013 07:31:56 +0100
[/code]

(note how code tags affect the readability).

A header from a spam message that I just received:

[code]
Received: from [31.169.95.176] (helo=server.toplumailing.biz)
        by hollerith.cs.niu.edu with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
        (Exim 4.72)
        (envelope-from <mailreklamhizmeti@gmail.com>)
        id 1TufIt-0006k8-DH
        for rickert@cs.niu.edu; Mon, 14 Jan 2013 02:22:00 -0600
[/code]

Two headers from spam received on a different system:

[code]
Received: from 67.158.71.146 (node-6033.tor.pppoe.execulink.com [67.158.71.146])
        by mp.cs.niu.edu (8.14.3/8.14.3) with SMTP id r0DLsvXp003243
        for <postmaster@mp.cs.niu.edu>; Sun, 13 Jan 2013 15:55:04 -0600 (CST)
Received: from unknown (HELO d9r) ([227.118.151.161])
        by 67.158.71.146 with ESMTP; Sun, 13 Jan 2013 16:55:47 -0500
[/code]

As you can see, there is some variation in the format of "Received:" headers.

I read online that recently gmx just had a bunch of their accounts hacked into and were down for awhile in the states and abroad.

Hacking accounts is a lot easier than hacking internal backbone computers.

Okay, can you tell me what the numbers in the parentheses mean in this header? I thought it was an IP address?

Okay, let me list that header (from your post) again:

[code]
Received: from smtpbg1.qq.com ([183.60.61.196]) by mx-ha.gmx.net (mxgmx106)
 with ESMTP (Nemesis) id 0MVJWk-1TVuGi3pNu-00YiXl for
 <teachersr4life@gmx.com>; Sat, 05 Jan 2013 07:31:56 +0100
[/code]


"from smtpbg1.qq.com" - this is the system from which the mail was received by the gmx.com server.

"([183.60.61.196])" - that is the IP address of the sending system (of smtpbg1.qq.com). That was determined directly, and the hostname was determined by looking up that IP address (as I read the header).

"(mxgmx106)" - this is most likely the name used by the sending system (by smtpbg1.qq.com) in its mail protocol commands. It probably sent:

EHLO mxgmx106


"with ESMTP (Nemesis)" - ESMTP is the name of the protocol (extended SMTP), and I'm guessing that "Nemesis" is the name of a particular software implementation of the protocol at the server site.

"id 0MVJWk-1TVuGi3pNu-00YiXl" - this links an ID for the message. That ID can probably be used on the server to find related logs of the message.

I hope that explains enough detail on that header.

--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0
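
The fields walked through in the reply above, and the 10.*.*.* point from the earlier reply, can be pulled out of `Received:` lines programmatically. This is an added example, not code from any poster in the thread: it parses three of the `Received:` values quoted in this thread and labels the sending address as public, private or multicast. The function names are hypothetical. Note that 227.118.151.161 in the second spam sample is a multicast address, which cannot be the source of an SMTP connection.

```python
import ipaddress
import re

# Received: values quoted in the thread above, folded lines joined. The second
# one is as the forum displayed it, with the <recipient> stripped after "for".
SAMPLES = [
    "from smtpbg1.qq.com ([183.60.61.196]) by mx-ha.gmx.net (mxgmx106) "
    "with ESMTP (Nemesis) id 0MVJWk-1TVuGi3pNu-00YiXl for "
    "<teachersr4life@gmx.com>; Sat, 05 Jan 2013 07:31:56 +0100",
    "from mailout-eu.gmx.com ([10.1.101.215]) by mrigmx.server.lan (mrigmx002) "
    "with ESMTP (Nemesis) id 0ME0gb-1Tjoem2utT-00HLgK for "
    "; Mon, 14 Jan 2013 04:00:31 +0100",
    "from unknown (HELO d9r) ([227.118.151.161]) "
    "by 67.158.71.146 with ESMTP; Sun, 13 Jan 2013 16:55:47 -0500",
]


def classify_ip(text):
    """Label an address: public, private (internal hop), multicast or invalid."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip.is_multicast:
        return "multicast"   # never a valid source for a TCP/SMTP connection
    if ip.is_private:
        return "private"     # e.g. 10.0.0.0/8, a hop inside the provider
    return "public"


def parse_received(value):
    """Extract sender IP, receiving host, protocol, id, recipient and date."""
    flat = " ".join(value.split())            # undo header folding
    body, sep, date = flat.rpartition(";")    # the date follows the last ';'
    if not sep:
        body, date = flat, ""
    from_clause = re.split(r"\sby\s", body, maxsplit=1)[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_clause)

    def grab(pattern):
        found = re.search(pattern, body)
        return found.group(1) if found else None

    return {
        "from_ip": ip.group(1) if ip else None,
        "ip_class": classify_ip(ip.group(1)) if ip else None,
        "by": grab(r"\bby\s+(\S+)"),
        "with": grab(r"\bwith\s+(\w+)"),
        "id": grab(r"\bid\s+([\w-]+)"),
        "for": grab(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)"),
        "date": date.strip() or None,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        hop = parse_received(sample)
        print(hop["ip_class"], hop["from_ip"], "->", hop["by"], hop["with"], hop["id"])
```
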

jr118525

join:2013-01-14
Palm Beach Gardens, FL

1 recommendation

Yes, that is what I was looking for. One more thing, at the bottom it states that my mail was opened by mailclient with numbers and then more numbers in parentheses.

What are those numbers?



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

said by jr118525:

Yes, that is what I was looking for. One more thing, at the bottom it states that my mail was opened by mailclient with numbers and then more numbers in parentheses.

What are those numbers?

That information was probably added by your mail client. Maybe, check whether the documentation explains it. My guess is that it might be a version number for the mail client software, though it's unclear why there would be two version numbers.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0

jr118525

join:2013-01-14
Palm Beach Gardens, FL
reply to jr118525

Re: [Phish] Phishing in getting a copy of your passport and info
I was hoping that someone could confirm for me two things that I believe point to a phishing scam: 1) That I am reading the header correctly and that NEMESIS in the Receiver is bad and 2) I was trying to find out what the numbers in parentheses mean if it says my mail has been opened by a mail client.

Ex: message opened by mailclient 6.65.11.0 (6.65.3.0)

I gave my computer to a guy who runs his own business. I got it back, ran Norton and found 25 security risks still in my computer with 5 viruses and 2 Heuristic Viruses. Supposedly, I cleaned them out; however, I plan on booting my computer and then installing an encryption service. I have started using hushmail for now.

And I still cannot access my gmx account and no response from them whatsoever.

The header looks suspicious. Here's another one from Nemesis in the header:
Return-Path: eslteachers@qq.com
Received: from smtpbg1.qq.com ([183.60.61.196]) by mx-ha.gmx.net (mxgmx106)
with ESMTP (Nemesis) id 0MVJWk-1TVuGi3pNu-00YiXl for
; Sat, 05 Jan 2013 07:31:56 +0100
From: "=?utf-8?B?5oCd5ouT5aSW5pWZTWFuZHk=?="
To: "=?utf-8?B?dGVhY2hlcnNyNGxpZmU=?="
Subject: =?utf-8?B?5Zue5aSN77yaIGVzbCBqb2JzIGluIENoaW5h?=
Mime-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
Date: Sat, 5 Jan 2013 14:31:50 +0800
X-Priority: 3
Message-ID:
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
Envelope-To:
X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3;
X-GMX-Antivirus: 0 (no virus found)
X-UI-Filterresults: ;V01:K0:cQD6mG8wFdI=:GMmoqYQ+RnBvfEgaoNCOOTIZUx3t0FZ
X-GMX-UID: ZGllQbhmCG9ydeKetm1vDsxkdj37EoX6
X-Flags: 1411

MailID: ZGllQbhmCG9ydeKetm1vDsxkdj37EoX6

------------------------------------------------------------------------
message opened by mailclient 6.65.11.0 (6.65.3.0)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

I won't further comment on your first paragraph. You evidently didn't like my answer, and are hoping for somebody else to give a different answer.

said by jr118525:

I gave my computer to a guy who runs his own business. I got it back, ran Norton and found 25 security risks still in my computer with 5 viruses and 2 Heuristic Viruses.

At that point, you should seriously consider reformatting your disks, and doing a fresh reinstall, or doing a restore from a complete backup taken well before these problems showed up.

Supposedly, I cleaned them out; however, I plan on booting my computer and then installing an encryption service. I have started using hushmail for now.

If you still have malware, then encryption won't help.

Encrypted email is mainly useful when it is end-to-end. That is, both sender and recipient are using crypto.

Here's another one from Nemesis in the header:

You are still ignoring the advice I gave in my first reply (about using code blocks). When you post headers without a code block, a lot of the information is missing. For example, anything between "<" and ">" is treated as broken html and ignored. You need to post in a code block, to make the header information fully visible.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0

jr118525

join:2013-01-14
Palm Beach Gardens, FL

nwrickert..your info. was most appreciated. The above post was an accident. I didn't think it had posted so I added another post.

Your answers are actually on target, so I have no prob. with anything you've told me. Quite the contrary, it is me who had not clarified things.

I am new at all of this and all I know is that things I saw didn't make sense. Now, two of my emails are blocked and it all started on my personal laptop and now it's continuing with a public computer.

A lot of my pics, documents, and important things were already backed up on USB and cloud drives.

And yes, I completely understand that reformatting and then installing an encryption is what I need to do to solve the problem.

I understood that the email service encrypts what is in your account if anyone hacks into it, as well as, any emails that are transpired between two people with the same service. Like I said, I am new at this so I am doing my best to read and figure it all out.

About the phishing...I don't understand how my email became infected when I was only opening and communicating with one person. But now I can't sign onto the other account with the same service. So that makes 3 email accounts that I can no longer use.

I thought it was interesting to find Nemesis used as an id when it means revenge or retribution. Just sent up red flags for me.

IMHO, this is a hacker/phishing service being used to target my accounts. ALL of my email accounts have been hacked into, gmail, gmx, hotmail, Yahoo!, aol, and now I have a different one. Maybe it's malware?

Bottom line, and what I hear from you, reformat, use trueencrypt, don't click on anything without hovering over it first (it was an email address hyperlinked that someone sent me), and continue to use hushmail knowing my limitations.

Any more advice would be greatly appreciated on how to solve this problem and how to analyze email headers and ward off phishing attacks.

I appreciate all the help given here. Sorry, I ignored your post about code block. I am not familiar with that or how to do it. I'll figure it out.

(GMX does not seem to be interested in my problem. They have yet to respond). Unreal.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by jr118525:

Bottom line, and what I hear from you, reformat, use trueencrypt, don't click on anything without hovering over it first (it was an email address hyperlinked that someone sent me), and continue to use hushmail knowing my limitations.

Some comments on that.

Firstly, "truecrypt" does not protect you against hacking. It protects your information, if your laptop (or other computer) is stolen, and it protects the information on your computer when it goes to the graveyard for dead computers.

The files on a truecrypt disk are readily accessible to you when your computer is up and running. And they are just as accessible to a hacker who breaks into your computer when it is up and running.

I am not saying it is useless. In fact, I use an encrypted disk myself. But it is best to understand what it protects and what it does not protect.

Any more advice would be greatly appreciated on how to solve this problem and how to analyze email headers and ward off phishing attacks.

The most obvious other advice, assuming that you use Windows, is to set your login account as a limited user account. Have a separate administrative account for doing admin things, such as installing software or running updates. But, for ordinary use, stick to a limited user account. That makes it far harder for the hackers to get a foothold.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 18.0