Hacked mail

Coincidence or....?

A few times recently I have had junk mail purportedly from my daughters shortly after contacting them.

I post to a number of other folk without this happening. Is it my end (limited anti-virus protection) or their end (iPhone users)?

Suggestions?

Reply to
Tim Lamb

Are you or they on Yahoo, or have any of you ever been? It's not much to do with iPhones as far as I can tell. They are probably one of the most secure portable devices there are. Look at the actual email addresses used, though, as often you will find them different. Not a new problem. Brian

Reply to
Brian Gaff (Sofa)

In message <qtnl47$21e$ snipped-for-privacy@dont-email.me, "Brian Gaff (Sofa)" snipped-for-privacy@blueyonder.co.uk> writes

They are both on Yahoo, as is my wife. I have a disused Yahoo mail address.

The lack of sensible message and incorrect send addresses are pretty obvious on Thunderbird but might fool a phone user.

The usual content is a URL.

Reply to
Tim Lamb

First have a look at the full message headers of the spoofed email. That will tell you if it actually came from her mail system or an unrelated one. Look for an SPF record in the header as well, and see what status is attached to it (e.g. "Pass" or "Soft fail").

Reply to
John Rumm

At some point, possibly a decade ago or more, somebody got their mail hacked. Might have been you, them, or anyone you corresponded with. They hoovered up the address book and any correspondence (e.g. if you sent a mail to Fred CC daughter, then Fred's account knows you both and knows that you know each other).

They then send out messages purporting to be from someone you might know. The illusion will likely fall apart if they try to write text (because it's quite likely they won't sound like Fred), so they just send a URL and hope someone is gullible to click on it.

(I'd guess the URL would forward to a fake Gmail/Yahoo/Outlook/etc login page, in the hope of snaffling your email credentials)

Not a lot you can do about it, except change email addresses and maybe blackhole mail claiming to come from the old one.

Theo

Reply to
Theo

Contacting them how ?

Very unlikely to be their end infected. The iPhone is very, very difficult to infect because of the walled-garden approach to apps only being able to see what you allow them to see.

Of course it's possible they have allowed an app to have access to their contacts and that's how it's happening.

Ask them if others get a similar result after contacting them.

Reply to
%

I just mark these as spam and move on. A couple of times a year I get one from someone who died five years ago. Usually, the part before the @ is correct but the part after could be anything.

Reply to
Tim Streater

I have yet to find my way around T bird headers. This might be the incentive. They display marked as probable junk but I would check anyway because of the lack of content.

Reply to
Tim Lamb

In message snipped-for-privacy@mid.individual.net>, % snipped-for-privacy@gmail.com writes

CC'd in a mail for the last one.

OK.

Reply to
Tim Lamb

In thunderbird, just hit CTRL + U to display the full message source.

Reply to
John Rumm

Right! 4 pages of gobbledegook:-)

Sent from jumbo.zone but otherwise nothing I understand. It obviously passed all the authentication checks.

Reply to
Tim Lamb

Yes, this is a historic problem. Nearly everyone who used Yahoo mail in the online way, rather than using a client, and has done it for some years seems to have been hacked partially, i.e. they know who certain email addresses were associated with from the address books hacked. I regularly see their names but filter them via incorrect email addresses in the line with the right name. Normally they are of the type: "I'm sorry to contact you but I've had my card stolen and am in (insert place name here) and wondered if you could give me some money." Or it might be: "Hey, found this great site", then they put a graphic of the innocent-looking site obscuring the address of the one with the malware on it. The latter never works for me as the graphic is not 'read' for obvious reasons. Brian

Reply to
Brian Gaff (Sofa 2)

Well, most devices these days can be set up so that you are informed when email is being sent. Even way back in the Outlook Express days, as I still am, you can set a flag to let you know when something tries to send email behind the scenes. Many PCs in particular get themselves botted, but greylisting has actually stopped a lot of that. The server always rejects the first attempt to send the email, hoping that the botted machine just sends the lot fast to avoid detection, hence they all get rejected, but a proper email from your own client will retry. Brian

Reply to
Brian Gaff (Sofa 2)
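The greylisting mechanism Brian describes, worked through as an added example (not code from the thread or from any particular mail server): an unseen (client IP, sender, recipient) triplet gets a temporary 451 on its first attempt, a retry after a minimum delay is accepted and remembered, and a bot that blasts each address once and never retries never gets through. The delay and window values are assumed policy settings, the addresses and IPs are constructed, and a fake clock makes the run deterministic.

```python
"""Greylisting simulation: temporary-reject first contact, accept the retry.
Added example; MIN_DELAY / PENDING_WINDOW are assumed policy values."""
import time


class Greylist:
    MIN_DELAY = 300            # seconds a retry must wait before acceptance (assumed)
    PENDING_WINDOW = 4 * 3600  # how long an un-retried first attempt is remembered (assumed)

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}      # triplet -> time of first attempt
        self.known_good = {}   # triplet -> time first accepted

    def rcpt(self, client_ip, mail_from, rcpt_to):
        """Decide at RCPT TO time; returns the SMTP reply the server would send."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        t = self.now()
        if key in self.known_good:
            return "250 2.1.5 OK"                       # seen before and retried properly
        first = self.pending.get(key)
        if first is None or t - first > self.PENDING_WINDOW:
            self.pending[key] = t                        # unseen (or stale): start the clock
            return "451 4.7.1 Greylisted, please try again later"
        if t - first < self.MIN_DELAY:
            return "451 4.7.1 Greylisted, please try again later"   # retried too soon
        del self.pending[key]
        self.known_good[key] = t
        return "250 2.1.5 OK"


class FakeClock:
    """Manually advanced clock so the simulation runs offline and repeatably."""

    def __init__(self, start=1_575_860_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """A well-behaved MTA retries from its queue; a bot fires once per address and moves on.
    Returns the SMTP replies each one received (constructed addresses and IPs)."""
    clock = FakeClock()
    gl = Greylist(now=clock)
    mta = []
    mta.append(gl.rcpt("203.0.113.10", "alice@example.com", "tim@example.org"))  # first try
    clock.advance(60)
    mta.append(gl.rcpt("203.0.113.10", "alice@example.com", "tim@example.org"))  # too soon
    clock.advance(600)
    mta.append(gl.rcpt("203.0.113.10", "alice@example.com", "tim@example.org"))  # accepted
    clock.advance(3600)
    mta.append(gl.rcpt("203.0.113.10", "alice@example.com", "tim@example.org"))  # remembered
    # Bot forges the same sender address, but from its own IP, one shot per victim, no retry.
    bot = [gl.rcpt("198.51.100.7", "alice@example.com", f"victim{i}@example.org")
           for i in range(3)]
    return {"mta": mta, "bot": bot}


if __name__ == "__main__":
    for who, replies in simulate().items():
        print(who, replies)
```

The caveat a practitioner would add: greylisting delays every first contact by at least the retry interval, and large senders that retry from a different outbound IP each time can be greylisted repeatedly, which is why production deployments key on the sending network rather than the exact IP and whitelist known-good senders.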

You need to selectively read the things; even the From line can be very interesting if you compare it to the one you see on a good valid message. Normally the email client is also listed, which can be a giveaway straight away. Brian

Reply to
Brian Gaff (Sofa 2)

Yes, well, I think a sensible approach to what you let have access to your address book is in order. I know for example that in order to use the Amazon Echo devices to make calls you need to allow it to have access to the mobile's address book. I have yet to see any problems from this. The main things I do see with mobiles are the location services being used to try to get you to go to shops etc. The Tile app does this on its free-to-use app, but of course you can ignore them or turn off location services sharing so it only works when you want to find something. There is no such thing as a free lunch, and to be fair they do tell you in their voluminous terms and conditions, which nobody reads, of course!

There are a lot of things to be wary of out there: never post pictures unedited to Facebook while on holiday, as unless you are careful they reveal where you are and what time you were there in the metadata, allowing the canny crook to go and do over your home address while you are away. Brian

Reply to
Brian Gaff (Sofa 2)

Paste 'em here or email them to me, and I can probably get you a bit more info, like where it came from, whether it's using a compromised account or just spoofing etc.

(We only need the headers; you can snip the actual body, and redact any real mail addresses etc.)

Reply to
John Rumm

In message <qtpvvh$tb4$ snipped-for-privacy@news.albasani.net>, "Brian Gaff (Sofa 2)" snipped-for-privacy@blueyonder.co.uk> writes

Other than exercise caution, there doesn't seem much can be done.

Reply to
Tim Lamb

OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!

Reply to
Tim Lamb

In message <JbmbviXdcKAeFwj+@marfordfarm.demon.co.uk>, Tim Lamb snipped-for-privacy@marfordfarm.demon.co.uk> writes

Try this:-

From - Mon Dec 9 08:05:17 2019
X-Account-Key: account4
X-UIDL: 21366
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:5a::14) by CWLP265MB0962.GBRP265.PROD.OUTLOOK.COM with HTTPS via CWLP265CA0338.GBRP265.PROD.OUTLOOK.COM; Mon, 9 Dec 2019 03:24:06 +0000
Received: from LO2P265CA0401.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::29) by LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:94::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14; Mon, 9 Dec 2019 03:24:06 +0000
Received: from AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e1e::202) by LO2P265CA0401.outlook.office365.com (2603:10a6:600:f::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14 via Frontend Transport; Mon, 9 Dec 2019 03:24:06 +0000
Authentication-Results: spf=none (sender IP is 118.97.118.130) smtp.mailfrom=onigiri.co.id; marfordfarm.demon.co.uk; dkim=none (message not signed) header.d=none;marfordfarm.demon.co.uk; dmarc=none action=none header.from=onigiri.co.id;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: onigiri.co.id does not designate permitted sender hosts)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id (118.97.118.130) by AM5EUR02FT010.mail.protection.outlook.com (10.152.8.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18 via Frontend Transport; Mon, 9 Dec 2019 03:24:05 +0000
Received: from localhost (localhost [127.0.0.1]) by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTP id 7BC5A12256D for snipped-for-privacy@marfordfarm.demon.co.uk>; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1]) by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id Wns20PcwSrH6 for snipped-for-privacy@marfordfarm.demon.co.uk>; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from localhost (localhost [127.0.0.1]) by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTP id 1C03012256B for snipped-for-privacy@marfordfarm.demon.co.uk>; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
X-Virus-Scanned: amavisd-new at mx5-siagan-mbaru-g12-itu.indomaguro.co.id
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1]) by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id EwNacX-0Qg_V for snipped-for-privacy@marfordfarm.demon.co.uk>; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from sp.onigiri.co.id (unknown [191.55.76.13]) by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTPA id ED7FB122570 for snipped-for-privacy@marfordfarm.demon.co.uk>; Mon, 9 Dec 2019 10:19:09 +0700 (WIB)
From: "Hannah Lamb" snipped-for-privacy@onigiri.co.id>
To: "Pa" snipped-for-privacy@marfordfarm.demon.co.uk>
Reply-To: "Hannah Lamb" snipped-for-privacy@yahoo.com
Subject: Hello Pa
Thread-Index: Ky1lejU1cXY1d20uOWU3Ki51eTZmMQ==
Date: Mon, 9 Dec 2019 06:23:31 +0300
Message-Id: snipped-for-privacy@HU0US2NY2HF3HH7.namprd.prod.outlook.com>
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_10U6HCH5TFTN4ZZXP7FT5DUSS0RP83PZ0M4N0T2NHU0US2NY2HF3HH7_"
Return-Path: snipped-for-privacy@onigiri.co.id
X-MS-Exchange-Organization-ExpirationStartTime: 09 Dec 2019 03:24:05.5006 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: b58b9882-6915-43fd-93c2-085d389cfee5:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:118.97.118.130;IPV:NLI;CTRY:ID;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;SRVR:LO2P265MB1421;H:mx5-siagan-mbaru-g12-itu.indomaguro.co.id;FPR:;SPF:None;LANG:en;CAT:SPOOF;
X-MS-Exchange-Organization-AuthSource: AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-TrafficTypeDiagnostic: LO2P265MB1421:
X-MS-Oob-TLC-OOBClassifiers: OLM:1728;
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2019 03:24:05.1073 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-Exchange-CrossTenant-Id: b58b9882-6915-43fd-93c2-085d389cfee5
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P265MB1421
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5773365
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750127)(520002050)(701014)(944506383)(944626516)

Reply to
Tim Lamb
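John Rumm's advice earlier in the thread was to read the full headers (Ctrl+U in Thunderbird) for the origin and the authentication verdicts. The headers posted above already answer both: Outlook stamped spf=none, dkim=none, dmarc=none and compauth=fail, classed the message CAT:SPOOF, the From domain is onigiri.co.id while Reply-To points at yahoo.com, and the lowest Received line shows the message submitted "from sp.onigiri.co.id (unknown [191.55.76.13])" to an Indonesian relay "with ESMTPA", i.e. via an authenticated SMTP login there. The script below is an added example, not code from the thread, that pulls those same signals out of a header block automatically. Its sample input is constructed from the posted headers with the snipped local parts replaced by placeholders, and the "known contacts" address book is an assumption standing in for the reader's own.

```python
"""Triage a suspected spoofed e-mail from its full headers.
Added example; the sample headers and KNOWN_CONTACTS below are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed from the headers posted in the thread; local parts are placeholders.
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 118.97.118.130)
 smtp.mailfrom=onigiri.co.id; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=onigiri.co.id;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: onigiri.co.id does not designate
 permitted sender hosts)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id (118.97.118.130)
 by AM5EUR02FT010.mail.protection.outlook.com (10.152.8.144)
 with Microsoft SMTP Server id 15.20.2495.18 via Frontend Transport;
 Mon, 9 Dec 2019 03:24:05 +0000
Received: from sp.onigiri.co.id (unknown [191.55.76.13])
 by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTPA
 id ED7FB122570 for <pa@example.invalid>; Mon, 9 Dec 2019 10:19:09 +0700 (WIB)
From: "Hannah Lamb" <hannah@onigiri.co.id>
To: "Pa" <pa@example.invalid>
Reply-To: "Hannah Lamb" <hannah@yahoo.com>
Return-Path: <hannah@onigiri.co.id>
Subject: Hello Pa
X-Forefront-Antispam-Report: CIP:118.97.118.130;CTRY:ID;SCL:5;SPF:None;CAT:SPOOF;

"""

# Assumed address book: display name we know -> domain that person really mails from.
KNOWN_CONTACTS = {"hannah lamb": "yahoo.com"}


def unfold(value):
    """Join RFC 5322 folded continuation lines back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def received_chain(msg):
    """Hops oldest-first (Received headers are read bottom-up). Only the lines
    written by your own provider are trustworthy; anything below them is whatever
    the sender's relay chose to write, so treat lower hops as claims, not facts."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        v = unfold(raw)
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", v)
        m_by = re.search(r"\bby\s+(\S+)", v)
        ip = None
        if m_from and m_from.group(2):
            m_ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", m_from.group(2))
            ip = m_ip.group(0) if m_ip else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": ip,
            "by": m_by.group(1) if m_by else None,
            # ESMTPA / ESMTPSA = the relay accepted it over an authenticated SMTP session
            "authenticated": bool(re.search(r"\bwith\s+ESMTPS?A\b", v)),
        })
    return hops


def auth_results(msg):
    """Verdicts the receiving MTA stamped: spf/dkim/dmarc, Microsoft's compauth,
    and the CAT: classification from X-Forefront-Antispam-Report if present."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        for key, val in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", unfold(raw)):
            verdicts[key] = val.lower()
    m = re.search(r"CAT:(\w+)", unfold(msg.get("X-Forefront-Antispam-Report", "")))
    if m:
        verdicts["category"] = m.group(1)
    return verdicts


def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() or None


def triage(raw_headers, known_contacts=KNOWN_CONTACTS):
    """Return the origin hop, the auth verdicts and a list of spoofing indicators."""
    msg = email.message_from_string(raw_headers)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    expected = known_contacts.get(from_name.strip().lower())
    if expected and expected != from_dom:
        findings.append(f"display name matches a contact but domain is {from_dom}, not {expected}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check}={auth.get(check, 'absent')}: nothing authenticates {from_dom}")
    if auth.get("compauth") == "fail" or auth.get("category") == "SPOOF":
        findings.append("receiving server itself classed the message as spoofed")
    if hops and hops[0]["authenticated"]:
        findings.append(f"origin hop logged in to {hops[0]['by']} (ESMTPA): an account on that relay submitted it")
    return {"origin": hops[0] if hops else None, "auth": auth, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS)
    print("origin:", result["origin"])
    for finding in result["findings"]:
        print("-", finding)
```

On the posted headers this reports the origin as sp.onigiri.co.id at 191.55.76.13 handing to the indomaguro.co.id relay over an authenticated session, every authentication check at "none", and the Reply-To swapped to Yahoo so that any answer goes to the scammer rather than the spoofed sender. Run it against a message you trust from the same person to see what a clean result looks like by comparison.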

...

She's in Indonesia. There's a number of server addresses between her and your Outlook stuff, with some having onigiri addresses. I looked at [link], which seems legit, at first glance.

Reply to
Tim Streater
