Comments on: Help me snatch a hacker/spammer

Question: Help me snatch a hacker/spammer

snsranch — Mon, 31 Dec 2007 16:24:09 -0800

My hotmail acct has been hacked/cracked and is being used to spam people including a few MeFites. I'm pissed and concerned. Please hope me!

I've changed my password to something I think is pretty uncrackable but it's still happening.

Ultimately, I know, I should just use a g-mail acct. But in the mean time, what can I do to investigate, complain and secure the info that exists there in my acct?

It's also odd that at least one Mefite has been spammed who I've never had contacted with hotmail. So I believe that this might be MeFi related too.

p.s. Should I post a PSA to MeTa to let folks know that I'm not spamming them?

By: timmins

timmins — Mon, 31 Dec 2007 16:27:40 -0800

I would check to see what is listed as the backup email address for password recovery. In this case, you may change your password a million times but the offender can retrieve it if they have their account listed as the backup.

By: sanko

sanko — Mon, 31 Dec 2007 16:30:02 -0800

Are you certain that the email is coming from Hotmail and not from someone spoofing the headers? Can you ask someone who's received the spam to take a look?

By: krisjohn

krisjohn — Mon, 31 Dec 2007 16:34:34 -0800

Yeah, sounds like you're being Joe Jobbed. Is the spam showing up in your sent items folder?

By: deadmessenger

deadmessenger — Mon, 31 Dec 2007 16:38:36 -0800

It's unlikely to be really coming from your hotmail account. It's called spoofing, and it's really common. I did enterprise email support for many years, and here's a little primer that I've shared with the users over the years who've called me about this very issue.

SMTP, or Simple Message Transfer Protocol, is the protocol used to transmit email between servers on the Internet. Unfortunately, the designers of the SMTP protocol did not anticipate the commercialization of the Internet, and the designed SMTP to be accessible, rather than secure. One of the consequences of this is the fact that SMTP is unauthenticated, meaning that anyone can send email "as" anyone else, and it is trivial for someone to falsify (or "spoof") the sender of an email. Furthermore, it is possible (and preferable) for someone to do so without any access whatsoever to the apparent (fake) sender's email account.

What this means: No, you've not been hacked, nor have our servers been hacked. It is extremely unlikely that any (my employer's name) facilities have been used to send this email, and for that reason, we are powerless to stop or mitigate this. Sorry. Please let me know if I need to explain further.

By: deadmessenger

deadmessenger — Mon, 31 Dec 2007 16:47:44 -0800

Hit "post comment" too soon on my last response. Usually the "explain further" would take the form of me visiting the complaining user's desk and using a simple telnet session to send an email to their account from some really unlikely email address: elvis@graceland.com, santa@northpole.gov were a couple of my favorites. Then, once the message was received a few milliseconds later, I would be able to show them what SMTP headers look like. That demonstration usually drove it home just how easy it was to fake an email, and gave the user a little more insight into spammer tactics.

By: snsranch

snsranch — Mon, 31 Dec 2007 16:51:29 -0800

Well, yes, they are showing up in my sent items and I've had MANY delivery failures listed.

This is the last message that was sent. Note: the listed http has been different in different messages.

snsranch@hotmail.com wrote:

try my own film
I've been browsed a selfmade website for uploading good pics and movies.There are my video contents on my new blog, Just for fun. http://blog.goldwindos2000.com/blog.html

By: aubilenon

aubilenon — Mon, 31 Dec 2007 16:55:17 -0800

Have you told Outlook Express you Hotmail password? Maybe someone's hacked your computer and is using some kind of automation to send messages?

Have you tried contacting hotmail support?

At least they aren't posting "your" film to Projects!

By: snsranch

snsranch — Mon, 31 Dec 2007 17:03:11 -0800

No I don't use Outlook and haven't contacted support. There are no alternate addies listed. I guess I should just contact support.

Weird stuff. Let's see what happens.

By: Pants!

Pants! — Mon, 31 Dec 2007 17:04:43 -0800

Is the IP address on the sent items spam your IP address?

By: deadmessenger

deadmessenger — Mon, 31 Dec 2007 17:21:51 -0800

The fact that the msgs are in your sent mail changes matters entirely. My first guess after hearing that is that your account has been compromised in some way, likely through some piece of malware on your machine. The delivery failures don't matter - they're also a symptom of spoofing.

You may want to change your Hotmail password from another machine. One possibility that I'm thinking of here is that you have a keylogger on your box - if your machine is infected, it's possible that you may be giving your new password away when you change it or log in from that machine.

By: flug

flug — Mon, 31 Dec 2007 17:25:49 -0800

As Pants! suggests, you could probably tell quite a bit by carefully examining the headers of the "delivery failure" messages. There you can find the originating IP address and other interesting info. Look up IP addresses using something like this web site to find the name/owner o the IP addresses you find.

By way of comparison, send yourself an email (or several over a period of time--most large ISPs use different email servers at different times for a variety of reasons) via your hotmail account, examine the headers of that, look up the IP addresses you find.

As suggested above, what you will likely find is that the spam did not actually originate from your account at hotmail.

By: snsranch

snsranch — Mon, 31 Dec 2007 17:34:50 -0800

Ok, checking IPs.

Thanks a lot for the help guys! I really appreciate it.

By: flabdablet

flabdablet — Mon, 31 Dec 2007 21:13:38 -0800

If you have a keylogger installed, you might need to go to fairly extreme lengths to remove it - those things are designed to be hard to find, and often use rootkit techniques to hide themselves. Doing a malware scan from outside Windows is your best bet. I like the Trinity Rescue Kit for this.

By: InnocentBystander

InnocentBystander — Tue, 01 Jan 2008 15:59:35 -0800

[IB's wife]

When i had this happen, it was because an ex was keylogging me. It was just lovely, because he was sending obscene messages to my entire family, as well as messages telling my new boyfriend that I was a fat bitch and would hurt him terribly. If your messages are more general spam, I'd imagine it's some sort of malware from a spammer. But if they seem at ALL targeted, suspect someone in your life.