
Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON

From where do you think this spam is being sent?

My apologies if this is the wrong forum. Mods please move this post if necessary.

My wife's Yahoo (.ca) account recently sent out a burst of one line URL spam messages. I got one of them, which alerted us to the issue, and we just checked her account to see what's going on. It seems that the messages are going out to individuals in her address book, based on those that bounced, but we can't see for sure because there is nothing in the sent items.

There also seem to be no changes to her online settings, as was the case previously with my sister's Yahoo.ca account in which an odd filter had shown up, which we deleted and this seemed to stop spam leaving her account. On my wife's laptop, which she barely ever uses, there is up to date AV and anti-malware running. Her address book is only stored online, although I suppose addresses to which she's sent or replied would show up on the laptop and could be accessed.

Below is a sample of the relevant, I hope, headers from one of the few messages that bounced. All of the bounced messages have the same block of IP addresses listed. I've sanitized it slightly for privacy (related to the actual recipient of the message).

Received: from nm29.bullet.mail.bf1.yahoo.com (nm29.bullet.mail.bf1.yahoo.com [98.139.212.188])
Received: from [98.139.215.142] by nm29.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [98.139.212.249] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [127.0.0.1] by omp1058.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000

The localhost IP in there confused me, and leads me to believe that these are being sent via Yahoo's servers, but from someone's machine (not the webmail access) with, perhaps, their IP being scrubbed to show only localhost? That's an uneducated guess, and I'm sure folks here would know much, much better.

Anyways, I guess my basic question is whether or not the info above indicates anything significant. The fact that her address book seems to have been accessed adds to my worry that it is indeed an intrusion of her webmail account (password now changed), but I hope I'm wrong.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Post full headers in a code box. Munge the recipient information for privacy, before you post.

It's hard to guess based on incomplete information.

Checking my yahoo mail, I have messages with a similar localhost line. One of those is mail from Yahoo itself. Another has additional "Received:" lines below the one with "localhost".

The "localhost" line that you are seeing looks legitimate, and doesn't tell us anything, other than that Yahoo transferred mail from one internal process to another.

If there are no "Received:" lines below that, then information on the source is not available, though Yahoo might have logs. If there are "Received:" lines below the localhost line, then look there to try to track down the source.

The source of most spam is a hacked machine.

It's a good guess that the Yahoo account was hacked. I am hearing enough cases of that to suggest that it might be a common spammer practice.

It might be a good idea to do a check for keylogger, trojan or other malware on computers that normally use that Yahoo account.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 19.0.2


dsilvers

join:2009-05-17
Canyon Lake, TX
reply to Styvas

It would be helpful if you posted the complete header. 127.0.0.1 doesn't make much sense. Some parts of email headers can be faked and some can't.



Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON
reply to nwrickert

Thanks for the reply. I'll try to figure out how to do the code box thing and re-post. I was reticent to post the whole header set as I don't know what info in there is personally identifying and what's not (in terms of my wife's account info). What looks like gibberish to me could be an enormous privacy breach if I post it publicly.


dsilvers

join:2009-05-17
Canyon Lake, TX

Short of your wife's email address there will not be much of interest. Redact that if it bothers you.



Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON
reply to Styvas

I hope I've done this correctly. If someone notices something that I shouldn't have posted publicly, please let me know immediately via PM and I'll edit the post to remove it.

Anywhere that you see REMOVED, I've deleted a reference to my wife's full name and/or email address (the very first one, however, is the recipient of the spam message -- her friend).

I do notice that I overlooked a telling IP further down (looks to be in New Jersey), but someone might have a reasonable explanation for that as well.

Return-Path: <REMOVED>
Received: from nm29.bullet.mail.bf1.yahoo.com (nm29.bullet.mail.bf1.yahoo.com [98.139.212.188])
by mail.ac.brocku.ca (8.14.4/8.14.3) with ESMTP id r2T4pWMu030142
for <REMOVED>; Fri, 29 Mar 2013 00:51:32 -0400
Received: from [98.139.215.142] by nm29.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [98.139.212.249] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [127.0.0.1] by omp1058.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 373554.90337.bm@omp1058.mail.bf1.yahoo.com
Received: (qmail 23396 invoked by uid 60001); 29 Mar 2013 04:38:46 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.ca; s=s1024; t=1364531926; bh=+VSHxta/IArOCJaag11iYVn0UdV3xFhUCy3aho7lsKQ=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=TdHKnYVlhsVmfkySVpaQaA8c1IwqSwp5gRvLUGT4tTAKw4sDx2H8/XNGX9fHmEBQSvnwwqnlXCpC2AYkjSApdzCoOdHRsXzjio4WsDi7rUPJnYO8GZU/jY60WwWUd/WQ3lRPTh2RMeyzqsFt6rkagTj0PpFZCCk9g30nXSsoodQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.ca;
  h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
  b=xM3BTgbdkpdDt8e7cZk7gDuuJnQyIhKVW/sZ4MGek+bAa+E86sP8Y/cFYBJeQeSMrdHHiA1RnVIAAGJIEuQeBK+X5UDuflLsguF03I39D+ikDxQpHqajRQlxGdJ8KS4nQRBHmRxRUhpDMG0Iz48V9S61kAjLWhh80qmTIsqwvFs=;
X-YMail-OSG: sjer_6MVM1m.t8TX58kTSUCawXcYwK2nxoGyvIrbv4VVdLW
 gyC_rDtMXQfY90NvqIlL5LXwpi4IqeZtbvsU0SlUVbI4ePULik_WnPurmrPm
 GdXR5mE8U13FwcG2V7pqoLA1QaEw2CMiOceYchdjqJb7BxpYOSH5Kx5zePb4
 3XT6LLOQO7qW1ePLdZJTVV2_C2IsXKYAdVTZQkFbECwN2QnKg5ZoH37vtecW
 s4C0oUSFmbmYufo5jTct1uiuwj0USAJsUa3LPOjYUt6LzxEJaYWmvFYzg7zm
 Vwr8bOn1nrr5YIZ0YSYs2ABW8mattpIvhRyf3MO.Ob9hKOjBb2WMOKIGpMJM
 p9eBGzKWf0T4EgaCS9o1JnpUP0kCJl.Cb6xMkpjBRR03FrYDMGCfYJlLqUKC
 JKHLfG8EJqNIq.duhyKVtAQrXy5L8NbsFNzDcvclaWvTc37djsn_WBIE3YaZ
 cyFMZZH_aNSHR_29qlrOtOW1pWbaYoL7ZX4wR5oaU0G_fWx.MJDJsEaj5QLT
 D5aArOh.HTetHyN4qcPinq9p0_snMur__kS02M0MCRYmwRsnxglzf4uBZ28q
 pZfWyQ6pFc8Gh46Rzjw--
Received: from [174.239.97.160] by web162505.mail.bf1.yahoo.com via HTTP; Thu, 28 Mar 2013 21:38:45 PDT
X-Rocket-MIMEInfo: 002.001,Cmh0dHA6Ly93d3cuZmVzZXdvcmtzLmNvbS9iZmx4amp0cy9kdXhmLmNqbnlsP3VtYyAgCgoKIAoKCgogCj MvMjkvMjAxMyA1OjM4OjQ0IEFNCgoKCiAKCiAKICAgICAgCgogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIAoKCgoKCgoKCgoKICAgICAgICAKCgozLzI5LzIwMTMgNTozODo0NCBBTSAgIC AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgATABAQEB
X-Mailer: YahooMailWebService/0.8.139.530
Message-ID: <1364531925.23034.YahooMailNeo@web162505.mail.bf1.yahoo.com>
Date: Thu, 28 Mar 2013 21:38:45 -0700 (PDT)
From: <REMOVED>
Reply-To: <REMOVED>
Subject: ::::
To: dw08tj <dw08tj@badger.ac.brocku.ca>, afortin <REMOVED recipient address>,
        jm09kv <jm09kv@badger.ac.brocku.ca>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1024699347-1585945310-1364531925=:23034"
X-Spam-Score: -1.486  ;
BAYES_00,FREEMAIL_FROM,FSL_FREEMAIL_1,FSL_FREEMAIL_2,HTML_MESSAGE,
T_DKIM_INVALID
X-Spam-Settings: key=afortin;subject_tag=*****SPAM*****;spam_action=mark;required_score=5
X-Exclamation: Surgite!  Push on!
X-SMTP-From: <REMOVED> nm29.bullet.mail.bf1.yahoo.com [98.139.212.188] (nm29.bullet.mail.bf1.yahoo.com)
X-Spam-Scanned-By: mail.ac.brocku.ca
X-Virus-Scanned-By: mail.ac.brocku.ca, using ClamAV
X-Filter-Time: 2 seconds
X-Scanned-By: MIMEDefang 2.72 on 139.57.65.81
 
--1024699347-1585945310-1364531925=:23034
Content-Type: text/plain; charset=us-ascii
 


Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON
reply to Styvas

I guess I should be more clear about what I'm asking. Is there any way to tell from the headers if the message originated from her actual Yahoo.ca webmail account or if it was likely just a message sent through Yahoo's servers, but using her email address in the From and Reply-To fields?

Since the messages went to people in her address book, it seems, the assumption is that her account was compromised, but perhaps that's not true for a reason evident from the headers.

Thanks!


dsilvers

join:2009-05-17
Canyon Lake, TX

2 recommendations

174.239.97.160 Verizon Wireless Network »multirbl.valli.org/lookup/174.23···160.html

Change your passwords from a known clean machine regardless of where it originated from. Somebody has her address book.

NetRange 174.192.0.0 - 174.255.255.255
CIDR 174.192.0.0/10
OriginAS
NetName WIRELESSDATANETWORK
NetHandle NET-174-192-0-0-1
Parent NET-174-0-0-0-0
NetType Direct Allocation
RegDate 2008-12-16
Updated 2012-03-02
Ref »whois.arin.net/rest/net/NET-174-192-0-0-1
OrgName Cellco Partnership DBA Verizon Wireless


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

reply to Styvas

said by Styvas:

I guess I should be more clear about what I'm asking. Is there any way to tell from the headers if the message originated from her actual Yahoo.ca webmail account or if it was likely just a message sent through Yahoo's servers, but using her email address in the From and Reply-To fields?

This looks very much like mail sent via a webmail account. The source IP address was 174.239.97.160, which appears to be from a Verizon cell phone network - possibly a hacked smart phone.

It is likely that her yahoo account has been compromised. Change the password. Check the security, including a malware scan, on every computer that uses that yahoo account. And, if any malware is found on any of those systems, change the password once again from a machine not affected by the malware. And do whatever it takes to remove the malware, even if that requires reformatting and reinstalling.
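As an added example (not code from the thread), here is the check nwrickert describes done programmatically: parse the Received chain from the headers posted above (the sample below is constructed from those sanitised lines), walk the hops oldest-first, treat the 127.0.0.1 hop as an internal handoff, and report the first public client address together with whether Yahoo recorded that hop as a webmail ("via HTTP") session.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the Received lines from the headers posted in this thread,
# recipient details already removed by the poster.
SAMPLE_HEADERS = """\
Received: from nm29.bullet.mail.bf1.yahoo.com (nm29.bullet.mail.bf1.yahoo.com [98.139.212.188])
 by mail.ac.brocku.ca (8.14.4/8.14.3) with ESMTP id r2T4pWMu030142
 for <REMOVED>; Fri, 29 Mar 2013 00:51:32 -0400
Received: from [98.139.215.142] by nm29.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [98.139.212.249] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: from [127.0.0.1] by omp1058.mail.bf1.yahoo.com with NNFMP; 29 Mar 2013 04:38:46 -0000
Received: (qmail 23396 invoked by uid 60001); 29 Mar 2013 04:38:46 -0000
Received: from [174.239.97.160] by web162505.mail.bf1.yahoo.com via HTTP; Thu, 28 Mar 2013 21:38:45 PDT
X-Mailer: YahooMailWebService/0.8.139.530
Subject: ::::

"""

HOP_RE = re.compile(r'from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)', re.I)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def received_hops(raw_headers):
    """Return hops oldest-first as (client_ip, receiving_host, via_http)."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each MTA prepends its Received line, so header order is newest-first.
    for value in reversed(msg.get_all('Received') or []):
        value = ' '.join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:                                # e.g. "(qmail ... invoked by uid ...)"
            continue
        ip_m = IP_RE.search(m.group('src'))
        client = ip_m.group(1) if ip_m else None
        via_http = bool(re.search(r'\bvia\s+HTTP\b', value, re.I))
        hops.append((client, m.group('by'), via_http))
    return hops


def originating_client(raw_headers):
    """First hop whose client is a routable address; loopback/private hops are internal handoffs."""
    for client, by, via_http in received_hops(raw_headers):
        if client is None:
            continue
        addr = ip_address(client)
        if addr.is_loopback or addr.is_private or addr.is_reserved:
            continue
        return {'client_ip': client, 'injected_at': by, 'webmail_session': via_http}
    return None
```

Only the hops recorded by servers you trust (here the receiving MTA and Yahoo's own) carry weight; anything a sender appended below them could be fabricated.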


Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON

I can believe that her account was compromised (these things happen) although I'd be surprised if it was due to malware on her laptop (and every other computer in the house is running OS X, which minimizes the risk -- although not entirely, I realize). In fact, she virtually never uses that account any longer and it's likely been months since she logged into it.

Regardless, I've updated the password from a clean machine and will scan the laptop and the Macs as well just to be safe.

Thanks for the help!



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by Styvas:

... just to be safe.

Yes, that's the point.

HarryH3
Premium
join:2005-02-21
kudos:3
Reviews:
·Suddenlink
reply to Styvas

I've received this type of email from several friends with Yahoo email accounts. It seems to me that someone is just constantly throwing username and password attempts at Yahoo and when they get lucky on one then they spam the address book.

Last week I got the classic "Hey, I'm stranded in a foreign country and need cash quickly!" email from a friend's account at Yahoo. I called his cell right away to alert him to the breach as the "Kwality" of the sentence structure was obviously not up to his usual standards.



Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON

lol! My wife's password is not strong (it is now, mind you) so I could believe that explanation.


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to Styvas

styvas, here is a news story that might be related:

»news.softpedia.com/news/Hijacked···22.shtml

It doesn't say how the Yahoo email accounts were compromised, but there have been several stories, over the past three months, about Yahoo email accounts being compromised.



HA Nut
Premium
join:2004-05-13
USA
reply to Styvas

Glad to see you improving your wife's password. I recently upped the length of all my webmail addresses. Prior to doing so, most of mine were only 8 characters long. (I was surprised to learn that Microsoft limits Hotmail / Outlook webmail to 16 characters.)