Someone is spamming from my gmail account.
January 11, 2009 11:08 PM Subscribe
Has my gmail account really been compromised?
Someone, or something seems to have spammed my entire contacts list, from within my gmail account, despite my having a strong password. (Same problem described by this german gmail user).
Has someone really stolen or guessed my password, and do I need to take anti-virus precautions beside changing my password? I am running OS X 10.4.11.
The previous activity on my gmail account suggests someone was using it elsewhere at the time the emails went out, in a GMT+8 timezone:
Browser 115.49.96.23 5:28 am (1 hour ago)
The text of the email and the header (minus 500 email addresses) are below:
---
Dear,
Good day!!!
I would like to introduce a very good company, electronic products
Wholesale dealer.
I have bought some products from company,the price was very cheap,
and the products are very good quality!
Just have a look at this web page : http://www.hpp[redacted].com/
I am sure you will could save a lot of money!
Happy new year!!!!!
Best regards!!!
introduction give you of friend!!!
---
This is the header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to
:subject:mime-version:content-type;
bh=K6tVhE5iH9jG8/7W3sL3UlYq6awTl26w2OX6rEz6znw=;
b=aEmoNLBhwOJd78gsKoXBSfQU7ZrUJ5yW9TwQe4BS9Z95uMciQgV0xulNnSwsF78wrz
K5BSCZPAJSWwTatBtW+N3lrFHYGRYnJxBXIY2n27cuFJf+C4pZk51F7oJwQUqQDwFzHT
uZqHFcLFBsyEYbK9C3ovp4b/IPtr8ra+Qq618=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=message-id:date:from:to:subject:mime-version:content-type;
b=qtqP0ZUW3LzE837BnVjmCGEIxXrpddkhrjWNDruuZm4M372ePF8bBfUUq+/qvzKgdQ
xvqRgGgOLp9VAxhgPbhVNnAAA/thhEqJtw09/A61L0gREHySwCvINze1Yfi7sY6DEZKM
ewL1U02Pwa/pHMmAUIpFgrJMxEiKi2PrjIa4o=
Received: by 10.215.100.13 with SMTP id c13mr4320711qam.377.1231738078819;
Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Received: by 10.214.43.15 with HTTP; Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Message-ID:
Date: Mon, 12 Jan 2009 13:27:58 +0800
Someone, or something seems to have spammed my entire contacts list, from within my gmail account, despite my having a strong password. (Same problem described by this german gmail user).
Has someone really stolen or guessed my password, and do I need to take anti-virus precautions beside changing my password? I am running OS X 10.4.11.
The previous activity on my gmail account suggests someone was using it elsewhere at the time the emails went out, in a GMT+8 timezone:
Browser 115.49.96.23 5:28 am (1 hour ago)
The text of the email and the header (minus 500 email addresses) are below:
---
Dear,
Good day!!!
I would like to introduce a very good company, electronic products
Wholesale dealer.
I have bought some products from company,the price was very cheap,
and the products are very good quality!
Just have a look at this web page : http://www.hpp[redacted].com/
I am sure you will could save a lot of money!
Happy new year!!!!!
Best regards!!!
introduction give you of friend!!!
---
This is the header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to
:subject:mime-version:content-type;
bh=K6tVhE5iH9jG8/7W3sL3UlYq6awTl26w2OX6rEz6znw=;
b=aEmoNLBhwOJd78gsKoXBSfQU7ZrUJ5yW9TwQe4BS9Z95uMciQgV0xulNnSwsF78wrz
K5BSCZPAJSWwTatBtW+N3lrFHYGRYnJxBXIY2n27cuFJf+C4pZk51F7oJwQUqQDwFzHT
uZqHFcLFBsyEYbK9C3ovp4b/IPtr8ra+Qq618=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=message-id:date:from:to:subject:mime-version:content-type;
b=qtqP0ZUW3LzE837BnVjmCGEIxXrpddkhrjWNDruuZm4M372ePF8bBfUUq+/qvzKgdQ
xvqRgGgOLp9VAxhgPbhVNnAAA/thhEqJtw09/A61L0gREHySwCvINze1Yfi7sY6DEZKM
ewL1U02Pwa/pHMmAUIpFgrJMxEiKi2PrjIa4o=
Received: by 10.215.100.13 with SMTP id c13mr4320711qam.377.1231738078819;
Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Received: by 10.214.43.15 with HTTP; Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Message-ID:
Date: Mon, 12 Jan 2009 13:27:58 +0800
Best answer: The previous activity on my gmail account suggests someone was using it elsewhere at the time the emails went out, in a GMT+8 timezone:
Browser 115.49.96.23 5:28 am (1 hour ago)
That's all you need to know. Change your password (to a good one). If it happens again, your browser's been spyware'd.
posted by rokusan at 11:36 PM on January 11, 2009
Browser 115.49.96.23 5:28 am (1 hour ago)
That's all you need to know. Change your password (to a good one). If it happens again, your browser's been spyware'd.
posted by rokusan at 11:36 PM on January 11, 2009
Best answer: I'm seeing this sort of attack more and more. So far, the connecting IP has always been in rural China and 115.49.96.23 fits the pattern, being located in Henan province.
All the other examples I've seen have been on people using Windows, so the fact you're on a Mac is a bit of a surprise, but it could be one of the few OSX viruses out there, a simple trojan or possibly you used another infected computer while away from your home computer. I'll leave it to the Mac experts to try and diagnose if it's the first, but you can tell us yourself if it could possibly be the last.
posted by Busy Old Fool at 12:00 AM on January 12, 2009
All the other examples I've seen have been on people using Windows, so the fact you're on a Mac is a bit of a surprise, but it could be one of the few OSX viruses out there, a simple trojan or possibly you used another infected computer while away from your home computer. I'll leave it to the Mac experts to try and diagnose if it's the first, but you can tell us yourself if it could possibly be the last.
posted by Busy Old Fool at 12:00 AM on January 12, 2009
Someone in China has(d) your password. Did you check your mail from another computer? If so, just change your password. If not, your machine is likely compromised.
One-factor authentication means that you have to completely trust every computer on which you enter your password.
posted by bh at 12:16 AM on January 12, 2009
One-factor authentication means that you have to completely trust every computer on which you enter your password.
posted by bh at 12:16 AM on January 12, 2009
Response by poster: I don't think I've used a public computer to check my email since June 08. I use my iPhone, my MacBook at home, and occasionally a PC at work, but only via vtunnel.com. I suppose one of the work PC's must have a keylogging trojan.
posted by roofus at 12:31 AM on January 12, 2009
posted by roofus at 12:31 AM on January 12, 2009
Response by poster: There's some advice from Google about the problem here, but no indication of exactly how it is happening.
posted by roofus at 2:06 AM on January 12, 2009
posted by roofus at 2:06 AM on January 12, 2009
Oh yeah, it's a Mac, so most probably NOT a trojan or virus. Much more likely a stolen or hacked login, either by guessing or via some sort of phishing scam you fell for some time ago.
If your password was poor, in the "all letters, or your birthday, or something guessable" way, then it was just guessed by a robot. If it was good, then it was probably lifted from a public login or wifi network or somesuch.
As I said above, best way to know is to change your password to a strong one, then see if it happens again.
posted by rokusan at 2:58 AM on January 12, 2009
If your password was poor, in the "all letters, or your birthday, or something guessable" way, then it was just guessed by a robot. If it was good, then it was probably lifted from a public login or wifi network or somesuch.
As I said above, best way to know is to change your password to a strong one, then see if it happens again.
posted by rokusan at 2:58 AM on January 12, 2009
I have been pretty consistently unimpressed by how easy it is to persuade the Gmail signup page to rate a password as "strong". Tacking two digits on the end of just about any 7-letter dictionary word seems to be enough, and that is in no way a strong password.
Here's how to make a truly strong password.
posted by flabdablet at 3:21 AM on January 12, 2009 [1 favorite]
Here's how to make a truly strong password.
posted by flabdablet at 3:21 AM on January 12, 2009 [1 favorite]
Do you use the same password for gmail as you do for everything (or anything) else?
If so, realize that there are now all manners of other avenues to get it. Unsavory or inconsiderate websites might not hash your password before storing it in their DB, giving their admin (or an industrious script kiddie) access to them.
If you used your gmail address to sign up for that account and the same password, anyone who looks at that row is going to get a free shot at your email.
I use the same password for a lot of trivial, unimportant websites, but when it comes to the big dogs (email, online banking, etc.), they all get their own.
posted by toomuchpete at 4:46 AM on January 12, 2009 [2 favorites]
If so, realize that there are now all manners of other avenues to get it. Unsavory or inconsiderate websites might not hash your password before storing it in their DB, giving their admin (or an industrious script kiddie) access to them.
If you used your gmail address to sign up for that account and the same password, anyone who looks at that row is going to get a free shot at your email.
I use the same password for a lot of trivial, unimportant websites, but when it comes to the big dogs (email, online banking, etc.), they all get their own.
posted by toomuchpete at 4:46 AM on January 12, 2009 [2 favorites]
OSX is vulnerable to phishing and OSX users arent immune from sitting down somewhere and checking their gmail on a hacked computer (library, friends house, etc.) Does gmail use https for logins now? If not then someone could have sniffed the password while you were on their lan/wlan.
I never use the same password for my email as anything else. Too many forum operators would know my password and my email. I like having a generic forum/web password, a financial password, a ecommerce password, and an email password. Its really not that difficult to keep track of this stuff. I also never log into a machine I dont control unless I absolutely have to and even then I make a mental note to change the pw when I get home.
posted by damn dirty ape at 7:47 AM on January 12, 2009 [1 favorite]
I never use the same password for my email as anything else. Too many forum operators would know my password and my email. I like having a generic forum/web password, a financial password, a ecommerce password, and an email password. Its really not that difficult to keep track of this stuff. I also never log into a machine I dont control unless I absolutely have to and even then I make a mental note to change the pw when I get home.
posted by damn dirty ape at 7:47 AM on January 12, 2009 [1 favorite]
There's also a published cookie stealing attack for gmail. Not sure if and when it was patched, but you may have been a victim of that too. There's also a setting in gmail to always make your mail go over https. You should enable it.
posted by damn dirty ape at 7:50 AM on January 12, 2009
posted by damn dirty ape at 7:50 AM on January 12, 2009
I am seconding toomuchpete. What happened to you happened to me, but I also had my entire gmail address book deleted. While researching this problem, like you seem to be doing, I came across something that suggested what toomuchpete writes. I have used the same email/password combination for several sites that I used for gmail. Anyway, after one month I haven't had any more incursions after changing my gmail password to something different. Good luck.
posted by battlecj at 9:17 AM on January 12, 2009
posted by battlecj at 9:17 AM on January 12, 2009
There was a Lifehacker blog article about a month ago that sounds like it may be the same thing.
posted by hungrysquirrels at 11:41 AM on January 12, 2009
posted by hungrysquirrels at 11:41 AM on January 12, 2009
This thread is closed to new comments.
posted by mullacc at 11:30 PM on January 11, 2009 [1 favorite]