
Spam from my account
August 14, 2014 7:51 AM   Subscribe

So, friends are receiving emails that appear to be from me. They are not from me. As far as I can tell, my accounts or machine have not been compromised. What now?

The emails have my name in the "from", my return address, and all are in the same format as my gmail. They look legitimate. They look like:
Good afternoon Joe Jones

http://somerandomserver.uk/bear.php?ryrqpu2563kxgpss

bob smith
...where "Joe Jones" is my friend's name, and "bob smith" is my name. I've had 2 examples of this email forwarded to me ("You hacked, bro?") and each has had a different greeting (Salutations, and Good Afternoon), and pointed to a different server url and pagename.php.

The end destination is another fairly random url, with a shitty diet website ("THE DOCTORS")

My Google account activity shows no unusual logins. I am pretty good about keeping different, complex passwords for all accounts, and at any rate, I've changed my Gmail password.

I do not have a home PC. My work PC is pretty heavily protected via a few layers of firewall, and a pretty ferocious security team. Certainly, anything is possible, but if this machine was sick and sending off messages I really think they'd know. I'll re-image this machine if I have to, but it would be a hassle I'd like to avoid.

I have an iPad and an iPhone. Could I (or my wife/kids) have accidentally said yes to something on an app that could result in this?

What else is there? What am I not thinking of?
posted by dirtdirt to Computers & Internet (7 answers total) 2 users marked this as a favorite
1) Compromise address book
2) Select two random addresses in that address book
3) Send an email from one and to the other

Just saying it doesn't have to be you, or your friend. It might be someone who has both of you in his/her address book. "Address book" could be on a mobile phone, social media, something that's been given permission via oauth, webmail, compromised desktop machine... sorry, there's a lot of attack surface here, as email addresses are semi-public information.

Maybe the source of the email might give you a hint (it's in the headers).
posted by Leon at 7:55 AM on August 14 [1 favorite]


Sounds like you're getting Joe Jobbed. It's a thing that happens when spammers fake their From: address, and you might not have ever done anything wrong but have an email online that was scraped by a spammer somewhere.
posted by mathowie at 7:56 AM on August 14 [5 favorites]


I think you'd need to include the complete headers for anyone to be able to say that it's the account that's compromised instead of simple From: spoofing.

If you don't have two-factor auth turned on on your Gmail, your account could be compromised, especially if you've used the Gmail password along with your address as logins on other sites whose databases have leaked.
posted by tomierna at 7:57 AM on August 14 [1 favorite]


You can also see where/how you've logged into gmail recently via the scroll down and bottom right "details" link under "last account activity". Check to see if you've logged in from anywhere strange.
posted by k5.user at 8:14 AM on August 14 [1 favorite]


What mathowie said. If anyone has ever received an email from you at any time, your address is saved on their computer/phone somehow and can be swiped by a spammer.
posted by Melismata at 8:16 AM on August 14 [2 favorites]


Thirding the Joe Job. Happens all the time. And there's not a damn thing you can do, except tell people to ignore it.

Note that you can tell real vs fake emails apart by looking at the headers. A proper email will show a trail for the email leaving the sender's computer, going through their ISP's servers, going through your ISP's servers, and finally arriving at you. A faked email will have weird things going on in the beginning of that sequence.

If you don't know how to view headers, google for "view headers [your email program name]".
posted by intermod at 10:27 AM on August 14 [1 favorite]


Thirding the Joe Job. Happens all the time. And there's not a damn thing you can do, except tell people to ignore it.

Well, yes and no. There are techniques you can use that will strongly encourage receiving systems to drop forged mail, like DKIM and SPF.

If you run your own domain you can set this all up fairly easily. If you use one of the big-name e-mail providers this should already be in place. Since you mention gmail, DKIM and SPF should be in place already, which means your recipient's hosts are not rejecting the mail that is obviously forged, or your account is actually the sender.

Have your friend grab one of the e-mails in raw format (full headers) and send that back here so we can help further.

Out of an abundance of caution in the meantime, change your Google account password and revoke any third-party application access credentials.
posted by odinsdream at 10:58 AM on August 14
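Both intermod's advice to read the Received trail and odinsdream's point that mail really sent through Gmail should carry passing SPF/DKIM results can be checked mechanically once a friend forwards a raw copy. The Python below is an added example, not code from this thread or from Google; the two raw messages, their hostnames and IP addresses are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): From: claims gmail.com, but the
# first hop is a bare IP and the receiver's SPF/DKIM checks did not pass.
RAW_FORGED = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
 by mx.receiver.example with ESMTP id F00; Thu, 14 Aug 2014 07:40:00 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by relay.example.net with SMTP; Thu, 14 Aug 2014 07:39:58 -0400
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=gmail.com;
 dkim=none
From: bob smith <bob.smith@gmail.com>
Subject: Good afternoon Joe Jones

Good afternoon Joe Jones
"""

# Constructed sample of a genuine message: hostnames are placeholders, but
# the origin is the sender's own provider and the receiver's auth checks pass.
RAW_GENUINE = """\
Received: from mail-out.provider.example ([192.0.2.10])
 by mx.receiver.example with ESMTPS id OK1; Thu, 14 Aug 2014 08:00:00 -0400
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com
From: bob smith <bob.smith@gmail.com>
Subject: hi

real mail
"""

def triage(raw):
    """Summarise the Received trail and SPF/DKIM results of one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    # Each hop prepends its Received header, so the last one is the origin.
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", str(hdr).strip())
        hops.append(m.group(1) if m else "?")
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    # Neither SPF nor DKIM vouching for the From: domain is the "weird thing
    # at the beginning of the sequence" that marks a forged From:.
    likely_forged = auth.get("spf") != "pass" and auth.get("dkim") != "pass"
    return {"from_domain": from_domain, "hops": hops, "auth": auth,
            "likely_forged": likely_forged}
```

The Authentication-Results header is written by the receiving server, so only trust it on mail you received yourself, not on a copy that has been forwarded through another mailbox.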

