Suspicious email

Post by GeordieJedi » Thu Mar 28, 2013 11:22 pm

Hi all.

Right. I received a suspect email from a good friend yesterday.
(I spoke with them, and they never sent the email in question. They also checked their
sent items, so they definitely didn't send it).

They were curious about this, so I forwarded them the email.

I booted into a live CD (and using Firefox, Adblock plus and No script) I opened the
email and forwarded it on to them.
I (obviously) didn't click on the link in the mail itself.

I suspect that their email address has been spoofed.

I've checked the recent activity details on my email account, and there doesn't seem to be
anything amiss.

Do you think it's necessary for me to change my email account password?
(My current password is a 19-character alphanumeric string).


Am I being a little paranoid ?

Useful info -
We both use webmail

My email = Gmail
Friends email = Yahoo mail



TIA for any help or advice.
GeordieJedi
LXF regular
 
Posts: 337
Joined: Thu Jun 14, 2007 10:36 pm
Location: North East England

paranoid: yes

Post by Slip » Fri Mar 29, 2013 2:11 am

Hi,

You say you didn't follow the link-- no problem. Probably wouldn't have mattered if you did, since you use Linux, and a virus isn't likely to harm you.

Email spoofs, and hijackings happen all the time. If your friend uses Yahoo Mail, or one of the major web-based email outfits, it is likely someone has hacked his password. Otherwise it may just be a spoof. If you look at the detailed headers of the email, you may be able to tell if it actually originated from his account.

Either way, if it were me, I wouldn't worry about it.
Slip
 
Posts: 7
Joined: Mon Feb 27, 2012 10:12 pm

Post by Dutch_Master » Fri Mar 29, 2013 2:34 am

It's very easy to spoof the "from" header in an SMTP conversation, so your friend may not have to reset his password... (but as you don't know, it's safer to do anyway!)
Dutch_Master
LXF regular
 
Posts: 2452
Joined: Tue Mar 27, 2007 1:49 am

Post by MartyBartfast » Fri Mar 29, 2013 11:38 am

As said above, it's very easy to spoof an email "From:" address, so if you receive a mail from some random name you've never heard of then it's likely to be a spoofed From address. However, the chances of some spammer spoofing your friend's address and randomly sending it to someone who knows him are slim; this suggests that whoever/whatever sent that mail has access to your friend's mail contacts. Alternatively (and this has happened to me) there could be a third party who is also a contact of both you and your friend; that third party has their email hacked and the hacker uses one of the names on the contact list as the spoof From: address and sends emails to all the other names in the address book purporting to be from your friend.

Bottom line is it's likely someone has either been hacked or has got a virus, but it may not be your friend - he ought to change his passwords anyway.
I have been touched by his noodly appendage.
MartyBartfast
LXF regular
 
Posts: 816
Joined: Mon Aug 22, 2005 7:25 am
Location: Hants, UK

Post by bobthebob1234 » Fri Mar 29, 2013 4:07 pm

I've had quite a few emails from Yahoo email accounts recently; it seems that they have had a problem or someone has got a hold of a bunch of passwords and email addresses.

Get your friend to change his Yahoo password.

Also, out of interest, was/is your friend on LinkedIn, was his Yahoo email linked to his LinkedIn, and did they have the same password?
For certain you have to be lost to find the places that can't be found. Elseways, everyone would know where it was
bobthebob1234
LXF regular
 
Posts: 1373
Joined: Thu Jan 03, 2008 9:38 pm
Location: A hole in a field

Post by nelz » Fri Mar 29, 2013 9:07 pm

The From: header is irrelevant as it is added by the sender, so they can put what they want. Of more interest are the server-added headers, such as Received. They show the path the mail took to reach you. If it was sent from your friend's account, it will have started with a Yahoo server; anything else and it is a spoofed mail sent from a spambot.

Using his address for From: is just a way of getting it through your spam filters, and encouraging you to read it.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8523
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Post by GeordieJedi » Fri Apr 19, 2013 7:49 pm

[Update]

OK,

I received a photo msg from a good friend asking if I had sent him a suspicious email yesterday.
He also included a screenshot of the offending email.

I assured him that I hadn't sent him anything.
In the screenshot it had my name (as the sender)
but being sent from a completely different email address than mine.

Once again I checked my email account's sent items (my account has not sent anything)
and the list of IP addresses that have accessed my email account.
(And again, there's nothing untoward going on)

So it looks like my email address has now been spoofed.

I'm almost certain that my account has not been hacked.

However, do you think it would be wise to change my email account password?

Thanks again for the help.
GeordieJedi
LXF regular
 
Posts: 337
Joined: Thu Jun 14, 2007 10:36 pm
Location: North East England

Post by nelz » Fri Apr 19, 2013 8:15 pm

As already stated, the From: header proves nothing, it is just a line of text inserted into the email. The Received: headers will show where it was actually sent from; if these include your ISP's mail server, you may have cause for concern.

As for changing your password, don't even think about it, just do it. If you even suspect that any password has been compromised you should change it. This applies tenfold to your email password, as gaining that enables someone to get hold of all your other passwords.
nelz
Site admin
 
Posts: 8523
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK
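
The check nelz describes in both posts above, reading the server-added Received: headers instead of From:, as an added example that is not part of the original thread. The message, the host names and the `.recipient.example` trust suffix are constructed for illustration; Received: lines written before the mail reached a server you trust are ignored because the sender can forge them too.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread). Newest hop is first; the last
# Received line is one the sender forged to look like the friend's provider.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123;
\tThu, 28 Mar 2013 22:01:07 +0000
Received: from mail (unknown-host.bulk.example [203.0.113.45])
\tby mx.recipient.example with SMTP id def456;
\tThu, 28 Mar 2013 22:01:05 +0000
Received: from home-pc (unknown [198.51.100.7])
\tby smtp.webmail.example with ESMTP; Thu, 28 Mar 2013 22:00:59 +0000
From: "A Friend" <friend@webmail.example>
To: me@recipient.example
Subject: look at this

http://link.invalid/
"""

# "from <claimed name> (<reverse DNS> [<ip>]) ... by <receiving server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)")

def hops(raw):
    """Parsed Received hops, newest first (each server prepends its own)."""
    values = message_from_string(raw).get_all("Received", [])
    matches = (RECEIVED_RE.search(" ".join(v.split())) for v in values)
    return [m.groupdict() for m in matches if m]

def handoff(raw, trusted_suffix):
    """Oldest hop written by a server we trust: who handed the mail to us."""
    boundary = None
    for hop in hops(raw):
        if not hop["by"].lower().endswith(trusted_suffix):
            break          # everything from here down is sender-controlled
        boundary = hop
    return boundary

def looks_spoofed(raw, trusted_suffix):
    """True if the handing-off host is outside the From: domain (heuristic)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = handoff(raw, trusted_suffix)
    if hop is None or not domain:
        return None        # not enough information to judge
    rdns = (hop["rdns"] or "").lower()
    return not (rdns == domain or rdns.endswith("." + domain))
```

A provider can legitimately send mail for an address under another of its domains, so treat a mismatch as a prompt to read the headers by hand, not as proof.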

Post by MartyBartfast » Fri Apr 19, 2013 9:24 pm

If they had compromised your account then they wouldn't need to spoof the From: address. I would think it more likely that a mutual contact of you and your friend has had their account hacked, the hacker/virus has chosen you as the spoof From: address and is sending mails to the compromised account's address book. Most of the recipients will see a mail purporting to be from Geordie Jedi and will ignore it 'cos the name means nothing to them, but it rings alarm bells with your friend because he recognises the name and thinks it's come from you.

Still a good idea to change your passwords though.
MartyBartfast
LXF regular
 
Posts: 816
Joined: Mon Aug 22, 2005 7:25 am
Location: Hants, UK

