Stopping suspicious emails being sent from Gmail?
May 17, 2011 12:34 PM

Emails are being sent from my gmail account to contacts by someone other than me. How do I figure out what's going on and how do I stop it?

Over the past week and a half, I've been traveling up and down the Pacific Northwest, staying in hotels and using their wifi. At some point someone must have gotten access to my gmail account because over the past three or four days I've been receiving "undelivered mail" messages for messages that I definitely haven't been sending. This has happened two or three times, with the messages going out to everyone in my address book from the middle of the night. There is nothing in the subject line and the body contains three links, one to amazon, one to ebay and the third to various shady looking web hosting services. They don't show up in my "Sent" folder and I have no idea how they're being sent. They are definitely going out to people, because my girlfriend has confirmed that she has received one of these shady emails at least twice.

This morning I'm running a Symantec Antivirus scan and have changed the password to my gmail account to a completely random string of letters and numbers that I just made up. The virus scan is still running but I'll post back if it comes up with anything. I (stupidly, I know) use the same passwords for a lot of sites, including sharing passwords between my gmail account and my online bank account. So my banking password has been changed this morning to something completely random as well.

How worried should I be that things are completely fucked? I was never locked out of my gmail account and was able to change the password, but will whoever is doing this still be able to get around the password change and keep doing this? Also, how worried should I be that my bank account is compromised? I was able to change the password for that one too, but if someone is snooping my internet activity will they be able to see what I changed the password to? I'm home now, using Apple's Time Capsule as a wifi router and I'm pretty sure that that connection is secure. I'm on a Mac running 10.6.7, using Firefox 4.0.1 as my primary browser. I can probably provide more info if needed.

What should I do to nip this problem in the bud and fix any of the damage that has already occurred? I will be monitoring the thread and will try to respond to any questions as quickly as I can. This is the first time something like this has ever happened and I'd like to take care of it as soon as possible. Thanks in advance for the help hivemind.
posted by friendlyjuan to Computers & Internet (14 answers total) 5 users marked this as a favorite
It's called a Joe job. Nobody's (probably) up in your email account, they're just using your email address as the return/reply-to address.
posted by chesty_a_arthur at 12:38 PM on May 17, 2011 [2 favorites]

If your girlfriend has a copy of one of these messages, have her view and save the full email headers.

It's quite possible that someone just stole your contact list and is sending email with a fake return address (yours) to the contents of that list. It's also possible that one of your friends did a mass mailing and someone plucked the list of addresses from that.

Start at the start -- get a copy of one of the emails, and see what the headers say. With this information you can determine what to do next.
posted by devbrain at 12:38 PM on May 17, 2011
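A worked header triage, added here as an example and not taken from this thread or any of its posters: given the headers of one of the bounced messages (from the copy attached to the bounce, or a saved copy), it looks at the earliest Received: hop and the receiving server's Authentication-Results: line and labels the mail as either submitted through Gmail or merely carrying a forged From:. Host names, addresses and both sample messages are constructed; the verdict is a heuristic, not proof.

```python
# Added example (not from the thread): tell "sent through the victim's Gmail
# account" apart from "spoofed sender / joe job" using standard mail headers.
# Heuristic only; the sample messages below are constructed, not real bounces.
import email
import re
from email.utils import parseaddr

GOOGLE_HOST = re.compile(r"\.google\.com\b", re.IGNORECASE)

def classify(raw: str) -> str:
    """Return 'sent-through-gmail' or 'spoofed-sender' for one raw message."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Each relay prepends its own Received: line, so the last one is the origin.
    hops = msg.get_all("Received", [])
    origin = hops[-1] if hops else ""
    # Authentication-Results is written by the *receiving* server, so it is the
    # only signal here that a forger cannot simply type into the message.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    dkim_ok = "dkim=pass" in auth and f"@{domain}" in auth
    if domain == "gmail.com" and (dkim_ok or GOOGLE_HOST.search(origin)):
        return "sent-through-gmail"
    return "spoofed-sender"

# Constructed sample: mail really submitted via Google (DKIM-signed, Google origin).
SENT_VIA_GMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10]) by inbox.example.net
Received: from mail-abc.google.com (mail-abc.google.com [203.0.113.20]) by mx.example.net
Authentication-Results: mx.example.net; dkim=pass header.i=@gmail.com; spf=pass
From: friendlyjuan <friendlyjuan@gmail.com>
To: girlfriend@example.net
Subject:

http://amazon.example http://ebay.example http://hosting.example
"""

# Constructed sample: forged From:, injected from an unrelated host, no DKIM.
SPOOFED = """\
Received: from mx.example.net (mx.example.net [203.0.113.10]) by inbox.example.net
Received: from dsl-pool.example.org (unknown [198.51.100.7]) by mx.example.net
Authentication-Results: mx.example.net; dkim=none; spf=softfail
From: friendlyjuan <friendlyjuan@gmail.com>
To: girlfriend@example.net
Subject:

http://amazon.example http://ebay.example http://hosting.example
"""

if __name__ == "__main__":
    for name, raw in (("via gmail", SENT_VIA_GMAIL), ("forged", SPOOFED)):
        print(f"{name}: {classify(raw)}")
```

A "sent-through-gmail" verdict means the account itself was used, so the "Last account activity" check and a password reset matter; "spoofed-sender" points at backscatter from a harvested contact list, which no password change can stop.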

And just to be sure, try to log out of all instances if you have not done that already.
posted by hariya at 12:40 PM on May 17, 2011

Look down at the bottom of your gmail account, at the "Last account activity:" line. Click and you can see where it was accessed.

Changing your password usually stops this.
posted by Ideefixe at 12:43 PM on May 17, 2011

Seconding it being a 'joe job' or backscatter; this is pretty common.

If it continues I'd set a filter for the bouncebacks to go to spam or trash and set a reminder to turn it off in a couple of months.
posted by yeahyeahyeahwhoo at 1:01 PM on May 17, 2011 [1 favorite]

Thanks for the tip hariya. I just did the log out of all instances trick and saw that last night someone with an Italian IP address accessed my email with a mobile device.

devbrain: My girlfriend already deleted the emails, but I have in my trash one of the messages that was bounced back. I could post the header here if y'all think that would help. I almost posted it in this message but wasn't sure if there would be a security problem with doing that. Let me know that it's safe and I would love for someone smarter than me to take a look at it and let me know what's going on.

Thanks for the replies so far and keep them coming.
posted by friendlyjuan at 1:05 PM on May 17, 2011

You're not going to find a real culprit. It's just malware. I caught it while traveling recently too.

Make sure you do the usual - Malwarebytes, Avast or AVGfree or whatever AV you like. Change your passwords, and do it from an uninfected machine if at all possible. Do the "log out all instances" thing via Gmail before you reset.

I did not re-catch it after doing those things (and it got two of my gmail accounts).
posted by Lyn Never at 1:42 PM on May 17, 2011

If you saw an Italian mobile device logged in, then it seems someone did access your gmail account through as-yet-unknown means.

If that's the case, it's not a regular "joe job", and they may have simply deleted the entry from your sent items after sending the email.

Any chance those emails are still in your girlfriend's "trash" folder, or equivalent?
posted by devbrain at 2:26 PM on May 17, 2011

Surely it's not a "joe job" if the emails are going specifically to his contacts?
posted by AmbroseChapel at 2:29 PM on May 17, 2011

This happened to me a while back - there was a rash of it - and I'm careful about what I click and wasn't traveling so it *really* freaked me out. I too had the same password for banking and gmail and panicked. My guy was apparently logging in from Senegal on a mobile device. I still don't know what I did wrong and how he got my password, but after changing passwords all has been well. If it helps ease your mind, no other accounts were compromised (even though I moronically often used my gmail address as a login and my gmail password as a password at sensitive sites.)
posted by CunningLinguist at 3:57 PM on May 17, 2011

Consider using the new Google 2-step verification.
posted by ghharr at 4:22 PM on May 17, 2011 [1 favorite]

This has happened to my Gmail 3 times in the last year. Fortunately, only a single batch of spam went out to a relatively small section of my address book.

The most important protection is to immediately change your password. I haven't had problems since I did that.

If you can't stop it, remember that your address book can't be used to send spam if you don't have anyone in it. To be completely safe (if inconvenienced), make a text file of all your correspondents' email addresses and copy/paste them into the "To:" box. Delete your address book and set Gmail not to save addresses.
posted by KRS at 7:22 PM on May 17, 2011

Do you use an Android phone pre-v2.3.4 to also log into any Google Services? Security researchers recently published a security hole that allows anyone to grab a "token" if you've logged into an insecure Wi-Fi point that'll let them access your Google Contacts list. The current best-practice advice is to stop using vulnerable Android phones on potentially insecure Wi-Fi points, and to "forget" all known Wi-Fi points (and hence explicitly connect to Wi-Fi points).

(Since security researchers have just published this, if we assume they also follow the best practice of notifying Google by a few months, and assume attackers have a lead time of around a year (pure conjecture on my part) on security researchers, it's fair to say many attackers are already using this attack vector).

Regardless, ghharr's advice should nip this in the bud quite well, unless the attackers also have control over your phone's GSM access, in which case the attackers are probably part of an intelligence agency and we can no longer help you.
posted by asymptotic at 5:25 AM on May 18, 2011
