email account hijacking

Forums › Spark New Zealand (including Skinny and BigPipe) › email account hijacking

GEOMAX

450 posts

Ultimate Geek

#141036 27-Feb-2014 17:54

I have changed my email password 3 times in 3 days and still get emails with both the from and to addresses being mine. My email is accessed from both Telecom and 2degrees via Nokia mail. Is there anything I can do to route my mail differently. Both phones are Nokia. I have to try something.

1 | 2

BDFL - Memuneh
74191 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#995690 27-Feb-2014 17:57

Are these emails coming out of your account? Can you see sometihng in the SENT folder and more importantly, if you look at email headers do they show coming out of your email servers?

If not, then it's just someone spoofing your email address, not necessarily hijacking your account.

freitasm on Keybase | My technology disclosure

Sharesies

Affiliate link

Affiliate link: Trade NZ and US shares and funds with Sharesies.

GEOMAX

450 posts

Ultimate Geek

#995697 27-Feb-2014 18:09

nothing in phone or fixed sent boxes. the headers show this .

Received: from 127.0.0.1 (EHLO 190.253.0.123) (190.253.0.123)
by mta1005.tnz.mail.aue.yahoo.com with SMTP; Thu, 27 Feb 2014 04:19:19 +0000
Message-ID: <5DC7A8D50232BA7FE58AF72010985DC7@V857034BN>

I can include it all from one if you want more.

Stu

Hammered
6647 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#995710 27-Feb-2014 18:25

As above, it seems more like spoofing than account hijack. I gather this is an @xtra.co.nz address? Nothing you can do about it because spoofing doesn't have anything to do with your actual account.

It's kinda like posting a letter but putting someone else's address as the senders address. No one has taken over the senders house, just purporting it was sent from there.

GEOMAX

450 posts

Ultimate Geek

#995713 27-Feb-2014 18:31

it is an @xtra address. I have 3 in the account. All have been used for SPAM .One I have not used for at least 12months. This is why I think it is the account that has been hijacked. The looking at Nokia etc was just clutching at straws.

freitasm

BDFL - Memuneh
74191 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#995714 27-Feb-2014 18:33

It's not necessarily hijacking. The latest round seems to be just spoofing, using emails collected in previous rounds.

If you can post all the headers that would help a bit.

freitasm on Keybase | My technology disclosure

GEOMAX

450 posts

Ultimate Geek

#995726 27-Feb-2014 18:48

here is all of one.

From ********@xtra.co.nz Wed Feb 26 15:06:16 2014
aXJpbmcgcHJvY2VzcyBhbmQgZ2l2ZSB5b3UgYSBicmllZiBzeW5vcHNpcyBvZiB0aGUgcG9zaXRpb24n
cyBiZW5lZml0cyBhbmQgcmVxdWlyZW1lbnRzLiBJZiB5b3UgYXJlIHRha2luZyBhIGNhcmVlciBicmVh
aywgYXJlIG9uIGEgbWF0ZXJuaXR5IGxlYXZlLCByZWNlbnRseSByZXRpcmVkIG9yIHNpbXBseSBsb29r
aW5nIGZvciBzb21lIHBhcnQtdGltZQEwAQEBAQ--
X-Apparently-To: ********@xtra.co.nz via 72.30.239.84; Thu, 27 Feb 2014 04:19:20 +0000
Return-Path: <********@xtra.co.nz>
X-YahooFilteredBulk: 190.253.0.123
Received-SPF: none (domain of xtra.co.nz does not designate permitted sender hosts)
X-YMailISG: 6SA.ICkWLDuahTPVBUNAv.X9.522m_T5zCEpXW9NyVsOfafJ
ppfoI7dvkD9HXw.BvoPDpQZwqMDISAE_..OyZZQU9yVDTzhf4tBxonYf0izg
tRXhpyvbnj5.yvj.vBGNHF.nZ2n7EaR38eDEDbLuMjExlWNtYjkm1gbiL6xO
1MyQY_0DgtfNluUZDwAEa0Mdu5dSVKpsXV1AgHzHPwV3qwryG23SxO1m0iDQ
0zRlSO2xFLEJJ7xmO6LPnpT.cdsa0Hk.vmrQAHasuneoJzMQr89SG79Y_zZn
vXK4eSxc6PSynu4ykiuyPUCtoEq7HxtkemFb.tw1zHpZfX4dBC4rKIkpQudY
ngokDG2Isy86TT4i2H_ogzmf6SnK4v0PwQiayEKjaspJF.q8uFtV3JqPKH2h
RlkluDmpVCOIomS4ji52QMbb.xQO3Gqt6xFqeY.N4dwon6DDbNGQmoJLQPV2
Pe.SiABMIri9Qgp6XW6bR0IOWlG98gwUhY1NKd9GambYE8i2le.ceV_fCmif
P_hvRFbbXt7Lkc0MGrKyZaq3gQxoJpV9Y6wiopi2aNBpQSFbGMbKPSQJ7NJz
OB7ycczzZDfUyIXKuYBdMr2qSWTqL6MBz5CC3CT9bfA4mkV8Q3PZMsTT2YTo
soMmj8cbk2o_7hRweGA63NskrUBGyLiruyDkKgTS1GJxbAci.HZ6_EPYNs7n
zV.YPOumFrdpO8TWAbykATY3F_cI65xcNU3bmYwdFDeXAprIBbhfqdNPOlRk
sUZ_EgauX8LBjJ6y0r1.4LB.vQN5XhV1HNLs85AgfuM.4dQ6ooWAM_uhkIoi
06i7JXjNwQIR3JG8akW2qgA9QMvmL5S3308IN8Na8zm8bxTrDyt7maYnVTHt
4WcRhiXMYN9dnRooGtjthwZLxbRkMO8bn0kA8eZNQ5Y16XF871yHtWNOFS5F
gzfvmH2iniWirjODAZRu1eqlSev59GNudYvmsjc6E6aTwz0B7npmQ1NR.lOg
KBhGtyBas9oiPBAH6rpxeg9ZIRXgHC.O5ovRjZzV3cG1EHejAnNPnt9spULP
rXxAfobRxZR3PpxB1z2Cq25dySvWcam0Z3VPRRezkH4RgGY0s_Gkp8V3QQlt
51Jkm5yW2w8jctwriTcwZq1m5qInlOKe9WyWxAtyObICM3wqUc.ESIqrxdpB
h_UZ7scXzZK4dxIx1nDkMThzjcWyTKfo2htLI0CkVVIRBycs_Q--
X-Originating-IP: [190.253.0.123]
Authentication-Results: mta1005.tnz.mail.aue.yahoo.com from=xtra.co.nz; domainkeys=neutral (no sig); from=xtra.co.nz; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO 190.253.0.123) (190.253.0.123)
by mta1005.tnz.mail.aue.yahoo.com with SMTP; Thu, 27 Feb 2014 04:19:19 +0000
Message-ID: <5DC7A8D50232BA7FE58AF72010985DC7@V857034BN>
From: <********@xtra.co.nz>
To: <********@xtra.co.nz>
Subject: Vacancy - apply online
Date: 26 Feb 2014 17:06:16 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Content-Length: 872

GEOMAX

450 posts

Ultimate Geek

#995747 27-Feb-2014 19:26

I have 10 more going back to noon yesterday (Wednesday) if you need anymore.

mattwnz

18772 posts

Uber Geek

#995748 27-Feb-2014 19:27

Looks like it is being sent from the IP, 190.253.0.123, is that a yahoo IP?

freitasm

BDFL - Memuneh
74191 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#995750 27-Feb-2014 19:34

It's a Colombian IP address. I'd say it's just spoofing the address, not accessing the mailbox.

freitasm on Keybase | My technology disclosure

cyril7

8766 posts

Uber Geek

ID Verified

Trusted

Subscriber

#995751 27-Feb-2014 19:36

I have a bunch of customers with personal accounts that now impact on their commercial emails in the same boat, there are literally thousands of emails each day that our filters are now blocking.

These are all spoofed from somewhere that is not here. As I see it there is now nothing you can do, as mentioned once before, Yahoo and their national lead outlet (Xtra) should be charged for public nuisance for this whole sad mess.

Cyril

GEOMAX

450 posts

Ultimate Geek

#995756 27-Feb-2014 19:59

freitasm: It's a Colombian IP address. I'd say it's just spoofing the address, not accessing the mailbox.

addresses not address. 3 email addresses in my account just happen to be selected and spoofed at the same time?
Possible but highly unlikely.

freitasm

BDFL - Memuneh
74191 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#995760 27-Feb-2014 20:04

Sure can happen. Spammers send millions of emails every day and there was a series of Yahoo!Xtra addresses used in the last few months.

freitasm on Keybase | My technology disclosure

qraider

374 posts

Ultimate Geek

#996280 28-Feb-2014 12:13

GEOMAX:
freitasm: It's a Colombian IP address. I'd say it's just spoofing the address, not accessing the mailbox.

addresses not address. 3 email addresses in my account just happen to be selected and spoofed at the same time?
Possible but highly unlikely.

You can check to see access to your account via: https://api.login.yahoo.com/login/history/

That will show you Recent Login Activity - Your most recent activity includes any times that you signed into Yahoo! by entering your Yahoo! ID and password (not limited to Mail).

Current Phone:
- Android: Samsung SM-G900F Galaxy S5 (XT)
- Win Phone 8: Samsung ATIV S (XT)

Current Tablet:

- Acer Iconia 7" Android Tablet

Twitter: qraider

kenkeniff

628 posts

Ultimate Geek

#996300 28-Feb-2014 12:29

+1 that you're email accounts probably havn't been "hacked" but probably scrapped from another person's account that has been hacked, downloaded from a hacked database (inc. Yahoo/Xtra) or simply brute forced (guessed) and as others have said is now being used to spoof messages.

I'd recommend changing to another email provider (I.e Gmail) that actually employs Email Authentication (DKIM & SPF) to reduce the ability of 'hackers' to forge your mail.

See: http://en.m.wikipedia.org/wiki/E-mail_authentication

1101

3054 posts

Uber Geek

#996421 28-Feb-2014 14:29

GEOMAX:
freitasm: It's a Colombian IP address. I'd say it's just spoofing the address, not accessing the mailbox.

addresses not address. 3 email addresses in my account just happen to be selected and spoofed at the same time?
Possible but highly unlikely.

Possible & VERY likely.
It happens all the time.

It wont be JUST your 3 email adresses, it will be a huge number of xtra email spoofed at the same time. Your email adresses are just part of the spammers list of emails adresses to use.

Its also common with email adresses NOT associated with xtra/yahoo . Its a scam thats been around a long time.

1 | 2