[GRLUG] hacked

Michael Mol mikemol at gmail.com
Wed Jul 27 12:30:35 EDT 2011


On Wed, Jul 27, 2011 at 12:14 PM, Jeff DeFouw <mrj at plorb.com> wrote:
> On Wed, Jul 27, 2011 at 10:37:41AM -0400, Casey DuBois wrote:
>> Hey Guys,
>>
>> My Yahoo seems to have been hacked by a spambot.
>>
>> It looks to have started at 7:40 and I got the first copy from myself
>> at around 7:43.
>> From what I can see it started hitting some heavy bounce/returns about
>> that time and may have stopped or got blocked.
>> I was able to change my password by 8ish but it looks like the damage
>> had been done.
>
> It's common for spammers to forge a real person or company e-mail
> address to send out spam.  Access to your account is not required.  Did
> you look at the bounce headers to see if the outgoing mail went through
> Yahoo?

It's pretty rare to receive a message from said address when the
address belongs to someone you know. (I received one of the emails
sent using Casey's yahoo account.)


Here are the original headers (with human email addresses stripped):

Delivered-To: [redacted]
Received: by 10.223.74.201 with SMTP id v9cs153289faj;
        Tue, 26 Jul 2011 16:42:05 -0700 (PDT)
Received: by 10.43.132.130 with SMTP id hu2mr38781icc.158.1311723724429;
        Tue, 26 Jul 2011 16:42:04 -0700 (PDT)
Return-Path: <[redacted]@yahoo.com>
Received: from nm28-vm1.bullet.mail.ne1.yahoo.com
        (nm28-vm1.bullet.mail.ne1.yahoo.com [98.138.91.35])
        by mx.google.com with SMTP id bt10si2057549icb.64.2011.07.26.16.42.03;
        Tue, 26 Jul 2011 16:42:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
        [redacted]@yahoo.com designates 98.138.91.35 as permitted sender)
        client-ip=98.138.91.35;
Authentication-Results: mx.google.com; spf=pass (google.com: best
        guess record for domain of [redacted]@yahoo.com designates
        98.138.91.35 as permitted sender) smtp.mail=[redacted]@yahoo.com;
        dkim=pass (test mode) header.i=@yahoo.com
Received: from [98.138.90.56] by nm28.bullet.mail.ne1.yahoo.com with
        NNFMP; 26 Jul 2011 23:42:02 -0000
Received: from [98.138.87.10] by tm9.bullet.mail.ne1.yahoo.com with
        NNFMP; 26 Jul 2011 23:42:02 -0000
Received: from [127.0.0.1] by omp1010.mail.ne1.yahoo.com with NNFMP;
        26 Jul 2011 23:42:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 931889.670.bm at omp1010.mail.ne1.yahoo.com
Received: (qmail 94008 invoked by uid 60001); 26 Jul 2011 23:42:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
        s=s1024; t=1311723722;
        bh=RITWATlob+JiXXfjse8gd6G6GUpHFMO9geSzHpsAISU=;
        h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:To:MIME-Version:Content-Type;
        b=xuSCnjFd35ACuh76GG+3ob9c3a0VxbxFTQRQBuEPqED4049JUa8pC6J4nhP4X/nc39O3qoDjq7GH39LT/DO8pFhzEqwrWJRmMETqzqrEQDnGRxNxHtF+ME7K3IQc3OoX9ax8qxW+Xd8ybcLNvq7WWzus1+BCxny4Y8UYWX+VT8E=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:To:MIME-Version:Content-Type;
        b=SQfWSEpiB2JsueK/gwLbZ3FV8B4R0l7xSQbddGtaNm7PtoxXVWE14uubNo7JZ7D3Ge01mgKwlX8wD7EcsjgyO+Od/8kRcZRFKMD0VOw8dpK51PmrvNkXsbvgy+8/Dl0pjPa1iZRFPNHQwDRlQlSbnglYWBLtFkgXe0GLd9qybI0=;
X-YMail-OSG: o40QrkMVM1lQNWhrXIYLlM.S1jInJTbJzv_Lh8U6SBkti2J
 XJE3iv7kF1ore7qjhsntYh3Z_jnwk00GRBMylwU89N2.M6b_O6.73sfFXcxm
 DcJnZmz7Ll8D9YuS_7lVyq3jproPzQxC8H0RVtLjNXMOVs.6LQ6Kh19OSBJ1
 pt59RCUW287giFakJf8ptbVFaJLZy8YgPqoXUSPuEX5AFHMK2Rq9TVmmZ8ph
 h45KvyltiZyCWceTFvxoC7yycmj7U8w.ywCxxKFvZPmnfQJFOlYbs4Y88AAg
 iCfwUfaSWszsbsQJ39s7kLSki.d1Y8Wms4_Nw87WPF70M.BpNwO9ccg1cur2
 vLrb3P6XJtSSG184O9w_3sNXsDS6ju7E4Eb28ucUZwCwfbb9vc7Ca5h_Pti5
 G9rCzYQL5h2_.f_jxBaCZnZ3Az0Zb27IV48QM2KacqTCBI5UIi9TiZZ1WM0B
 GI2NtAPsRBc1l
Received: from [187.171.190.228] by web112002.mail.gq1.yahoo.com via
        HTTP; Tue, 26 Jul 2011 16:42:01 PDT
X-Mailer: YahooMailWebService/0.8.112.310352
Message-ID: <1311723721.82325.YahooMailMobile at web112002.mail.gq1.yahoo.com>
Date: Tue, 26 Jul 2011 16:42:01 -0700 (PDT)
From: [redacted]
To: [redacted]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1494368761-1311723721=:82325"

-- 
:wq
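Jeff's question (did the mail actually go through Yahoo, or was the From just forged?) and the headers Mike posted answer each other, and the check can be automated. The script below is an added example for this thread, not code from either message or from the list. It walks the Received chain bottom-up, reads the receiving MX's Authentication-Results, checks that the DKIM d= domain is the From domain (alignment), and looks for a provider webmail hop of the form "from [client-ip] by webNNN.mail.yahoo.com via HTTP". Both samples are constructed: the first is a shortened copy of the posted Yahoo headers with placeholder addresses and signature values, the second is the forged-From case Jeff describes, using an RFC 5737 documentation address.

```python
"""Header triage: compromised account, or just a forged From?

Added example for this thread; not the list's or the original poster's
code. Samples are constructed (placeholder addresses, shortened signatures).
"""
from __future__ import annotations

import email
import email.utils
import re
from email.message import Message

# Constructed sample 1: shortened copy of the Yahoo headers posted above.
YAHOO_SAMPLE = """\
Return-Path: <victim@yahoo.com>
Received: from nm28-vm1.bullet.mail.ne1.yahoo.com (nm28-vm1.bullet.mail.ne1.yahoo.com [98.138.91.35])
        by mx.google.com with SMTP id bt10si2057549icb.64.2011.07.26.16.42.03;
        Tue, 26 Jul 2011 16:42:04 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: best guess
        record for domain of victim@yahoo.com designates 98.138.91.35 as
        permitted sender) smtp.mail=victim@yahoo.com; dkim=pass (test mode)
        header.i=@yahoo.com
Received: from [98.138.90.56] by nm28.bullet.mail.ne1.yahoo.com with
        NNFMP; 26 Jul 2011 23:42:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
        s=s1024; t=1311723722; bh=PLACEHOLDER=;
        h=Received:X-Mailer:Message-ID:Date:From:To; b=PLACEHOLDER=
Received: from [187.171.190.228] by web112002.mail.gq1.yahoo.com via
        HTTP; Tue, 26 Jul 2011 16:42:01 PDT
X-Mailer: YahooMailWebService/0.8.112.310352
Date: Tue, 26 Jul 2011 16:42:01 -0700 (PDT)
From: victim@yahoo.com
To: recipient@example.net

(body omitted)
"""

# Constructed sample 2: forged From. The spam host claims HELO mail.yahoo.com
# but never touches Yahoo, so SPF fails and there is no DKIM signature.
FORGED_SAMPLE = """\
Received: from unknown (HELO mail.yahoo.com) (203.0.113.45)
        by mx.example.net with SMTP; Tue, 26 Jul 2011 16:42:05 -0700
Authentication-Results: mx.example.net; spf=fail (203.0.113.45 is not a
        permitted sender) smtp.mail=victim@yahoo.com; dkim=none
From: victim@yahoo.com
To: recipient@example.net

(body omitted)
"""

_WS = re.compile(r"\s+")
_AUTH = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)")
_DKIM_DOMAIN = re.compile(r"(?:^|[;\s])d=([^;\s]+)")
# Provider webmail hop: "from [client-ip] by webNNN.mail.<provider> via HTTP"
_WEBMAIL = re.compile(r"from \[?(\d{1,3}(?:\.\d{1,3}){3})\]? by (\S+) via HTTP", re.I)


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


def _unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return _WS.sub(" ", str(value)).strip()


def received_chain(msg: Message) -> list[str]:
    """Received headers in transit order, earliest hop first.
    Each MTA prepends its own line, so the last header is nearest the sender."""
    return [_unfold(v) for v in reversed(msg.get_all("Received", []))]


def auth_results(msg: Message) -> dict[str, str]:
    """mechanism -> result, taken from the receiving MX's Authentication-Results."""
    found: dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in _AUTH.findall(_unfold(value)):
            found.setdefault(mech, result.lower())
    return found


def from_domain(msg: Message) -> str:
    return email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def dkim_domains(msg: Message) -> set[str]:
    """d= tags of every DKIM-Signature: the domains that actually vouched."""
    return {m.group(1).lower()
            for v in msg.get_all("DKIM-Signature", [])
            for m in _DKIM_DOMAIN.finditer(_unfold(v))}


def webmail_origin(msg: Message) -> tuple[str, str] | None:
    """(client IP, webmail host) if the provider recorded an HTTP submission."""
    for hop in received_chain(msg):
        m = _WEBMAIL.search(hop)
        if m:
            return m.group(1), m.group(2)
    return None


def triage(raw: str) -> dict:
    msg = parse(raw)
    auth = auth_results(msg)
    sender = from_domain(msg)
    # Alignment: a DKIM pass only counts if the signing domain is the From
    # domain; otherwise any relay's own signature would look like a "pass".
    aligned_dkim = auth.get("dkim") == "pass" and sender in dkim_domains(msg)
    origin = webmail_origin(msg)
    compromised = aligned_dkim and origin is not None
    if compromised:
        verdict = "submitted via the provider's webmail from %s: credentials were used" % origin[0]
    elif aligned_dkim or auth.get("spf") == "pass":
        verdict = "left the provider's infrastructure, no webmail hop recorded"
    else:
        verdict = "not authenticated by the From domain: consistent with a forged From"
    return {"from_domain": sender, "auth": auth, "origin": origin,
            "mailer": msg.get("X-Mailer"), "compromised": compromised,
            "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("yahoo", YAHOO_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(label, triage(raw))
```

Two caveats when reading the output. Received lines below the hop your own MX added can be written by anyone, so they are only evidence here because Yahoo's posted DKIM-Signature lists Received in its h= tag, which puts the "via HTTP" hop under the signature; on a message with no aligned DKIM pass, the chain is just text the sender chose. And a bounce only counts as evidence if the quoted headers in the bounce show the same thing; the spam host's own Received line with a forged HELO, as in the second sample, is exactly what Jeff is warning about.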
