G-Stress Posted September 6, 2013

Hey guys, I'm a bit rusty. I have a friend whose Yahoo e-mail account I believe has been compromised. She has changed her passwords on all her accounts, from various devices in various locations, and still somehow something/someone is using her Yahoo e-mail account OR has managed to copy her address book and is spoofing her e-mail account, sending out spam to all her clients. She has forwarded me 2 of the e-mails to my gmail account and I know to look in the headers, etc., but I'm having a bit of an issue trying to figure out where to look to see where the e-mail originated from. Looking at the headers in gmail, to me it mostly looks like a bunch of encrypted gibberish.
digip Posted September 6, 2013 (edited)

You need the original email file, saved as an attachment. Forwards will usually rewrite the header info and not show the original chain they came in from. She needs to save it to disk, renamed to .txt or such, using an email client that can save the whole file with the original headers, or give you access to her account to look at the original email.

The last address in the header area, towards the bottom before the From and To area, is usually where you find the originating IP too. You'll usually see a number of places where it says something like "Received: by"; it could be spoofed, or sent from a VM, and might be a LAN IP, or say localhost, or 127.0.0.1 even. Might even say:

Received: from [10.0.0.8] ([x.x.x.x])

where the x.x.x.x is the real IP of the sender, and the first IP is the local address of the sender's LAN. The second address is the one externally facing, that you can usually do a GeoIP lookup on for a general idea of where/what part of the world it came from.

If she uses email on her phone though, or has something like the Facebook app, or any Facebook, Twitter, or other third-party social network apps, they usually raid address books, aside from the fact the Facebook app has complete control of a phone and your address book, but I would ask her if she uses something like that in conjunction with her normal computer login to Yahoo.

Tell her to make sure when changing passwords that she also never uses the same password for websites as she does for her email, and to change them all, since if they have her Yahoo account password, they will try that email address and password on every social network site, look up her reset questions and answers for them, and can use that later to re-guess her Yahoo reset question to get in again, and again.

Yahoo also had a system breach months back. They tried to say it only affected their Japanese users, but companies like Yahoo use co-location services, and I had family members that had Yahoo at one time and hadn't logged into their accounts in years that started sending out spam after the breach, so I know Yahoo was full of shit when they said it was a limited scope to the attack and what data was accessed. She'd be better off exporting her address book and moving to a new email service, although these days none of them are exactly what I could call "trustworthy", including gmail.

Edited September 6, 2013 by digip
GuardMoony Posted September 6, 2013

I would also recommend leaving Yahoo. Especially if you're saying she's using a Yahoo account as a work account?! This really puts people off. Buying a domain barely costs anything these days, and most internet providers give you a mailbox that you can link your domain to.
Bountyhunter50 Posted September 6, 2013

> I would also recommend leaving Yahoo. Especially if you're saying she's using a Yahoo account as a work account?! This really puts people off. Buying a domain barely costs anything these days, and most internet providers give you a mailbox that you can link your domain to.

I agree, it's a lot more robust than Yahoo (but they're not as bad as AOL, dear lord and all that is holy ..)
digip Posted September 6, 2013 (edited)

> I agree, it's a lot more robust than Yahoo (but they're not as bad as AOL, dear lord and all that is holy ..)

Funny, cause for the longest time too, not sure if it's still that way, AOL truncated passwords to 8 characters no matter the length, and forced lower case for everything. This made hacking for spam attacks on AOL users easy, including those who used AIM and just the email service, not the regular AOL software, which also did the same thing.

EDIT: Google gmail news of interest to gmail users - https://twitter.com/mouselink/status/375999404182077440

Here is one spam email I received today; you can see how they try to obfuscate to some extent. The mydomain part is what I changed to remove my email servers.

Return-Path: <vodon12@hosting5.ukrnames.com>
X-Original-To: me@mydomain
Delivered-To: x10962632@homiemail-mx23.g.mydomain
Received: from diehard.mydomain (caiajhbdcbhh.mydomain [mydomain.132.177]) by homiemail-mx23.g.mydomain (Postfix) with ESMTP id 0A5F860BD5608 for <me@mydomain>; Fri, 6 Sep 2013 10:23:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by diehard.mydomain (Postfix) with ESMTP id E7B5017BC6D6 for <me@mydomain>; Fri, 6 Sep 2013 10:23:34 -0700 (PDT)
X-DH-Virus-Scanned: Debian amavisd-new at diehard.mydomain
X-Spam-Flag: NO
X-Spam-Score: -1.938
X-Spam-Level:
X-Spam-Status: No, score=-1.938 tagged_above=-999 required=999 tests=[HTML_FONT_SIZE_HUGE=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.94] autolearn=disabled
Received: from godfather.mydomain ([mydomain.132.79]) by localhost (diehard.mydomain [mydomain.132.157]) (amavisd-new, port 10024) with ESMTP id P3gZqk8jMF9h for <me@mydomain>; Fri, 6 Sep 2013 10:23:34 -0700 (PDT)
Received: from hosting5.ukrnames.com (hosting5.ukrnames.com [91.197.128.157]) by godfather.mydomain (Postfix) with ESMTP id 87F151B0087 for <me@mydomain>; Fri, 6 Sep 2013 10:23:34 -0700 (PDT)
Received: from vodon12 by hosting5.ukrnames.com with local (Exim 4.80.1) (envelope-from <vodon12@hosting5.ukrnames.com>) id 1VHzkp-0002Vm-RH for me@mydomain; Fri, 06 Sep 2013 20:23:31 +0300
To: me@mydomain
Subject: Invitation
From: "Wedding Agent Anthony Craft" <anthony_craft51@kartek-avto.com.ua>
X-Mailer: grasslandtromboneV8.75
Reply-To: "Wedding Agent Anthony Craft" <anthony_craft51@kartek-avto.com.ua>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1378488211522A0F93A6E26"
Message-Id: <E1VHzkp-0002Vm-RH@hosting5.ukrnames.com>
Date: Fri, 06 Sep 2013 20:23:31 +0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hosting5.ukrnames.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [689 687] / [47 12]
X-AntiAbuse: Sender Address Domain - hosting5.ukrnames.com
X-Get-Message-Sender-Via: hosting5.ukrnames.com: authenticated_id: vodon12/from_h

Original sender, if we look at the last "Received: from" (which can be spoofed depending on how it was sent):

Received: from vodon12 by hosting5.ukrnames.com with local (Exim 4.80.1) (envelope-from <vodon12@hosting5.ukrnames.com>)

Array
(
    [CountryCode] => UA
    [IP] => 91.197.128.157
    [CountryName] => Ukraine
    [Region] =>
    [City] =>
    [PostalCode] =>
    [Latitude] => 49
    [Longitude] => 32
    [Hostname] => hosting5.ukrnames.com
)

Now let's do a whois:

whois 91.197.128.157

Whois v1.01 - Domain information lookup utility
Sysinternals - www.sysinternals.com
Copyright (C) 2005 Mark Russinovich

Connecting to COM.whois-servers.net...
Connecting to whois.godaddy.com...

Domain Name: UKRNAMES.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2011-08-21 13:24:07
Creation Date: 2007-09-05 10:32:41
Registrar Expiration Date: 2019-09-05 10:32:41
Registrar: GoDaddy.com, LLC
Registrant Name: Oleksiy Mykhaylov
Registrant Organization: Ukrainian Internet Names Center
Registrant Street: ul. Chernishevskogo 85/14
Registrant City: Kharkiv
Registrant State/Province:
Registrant Postal Code: 61002
Registrant Country: Ukraine
Admin Name: Oleksiy Mykhaylov
Admin Organization: Ukrainian Internet Names Center
Admin Street: ul. Chernishevskogo 85/14
Admin City: Kharkiv
Admin State/Province:
Admin Postal Code: 61002
Admin Country: Ukraine
Admin Phone: +380.5727626123
Admin Fax: +380.577800386
Admin Email: alexey@ukrnames.com
Tech Name: Oleksiy Ptashniy
Tech Organization: Ukrainian Internet Names Center
Tech Street: ul. Chernishevskogo 85/14
Tech City: Kharkiv
Tech State/Province:
Tech Postal Code: 61002
Tech Country: Ukraine
Tech Phone: +380.503011496
Tech Fax: +380.577800386
Tech Email: alex@ukrnames.com
Name Server: NS1.UKRNAMES.COM
Name Server: NS2.UKRNAMES.COM
Name Server: NS3.UKRNAMES.COM

The data contained in GoDaddy.com, LLC's WhoIs database, while believed by the company to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of GoDaddy.com, LLC. By submitting an inquiry, you agree to these terms of usage and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise make possible, dissemination or collection of this data, in part or in its entirety, for any purpose, such as the transmission of unsolicited advertising and solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Please note: the registrant of the domain name is specified in the "registrant" section. In most cases, GoDaddy.com, LLC is not the registrant of domain names listed in this database.

So they are using GoDaddy and we can report them for abuse.

Edited September 6, 2013 by digip
G-Stress (author) Posted September 6, 2013

Thanks for the quick response guys! @digip, yes she has changed all her passes and never used the same for everything, and all her questions. I honestly think somehow her address book was just compromised and the bot or user is mass spamming her address book. She said her clients are receiving the junk about 2 times a day. I also suggested she leave Yahoo or use a different e-mail for her work and she has done so, now using the email service via her domain. She does use Facebook on her phone and I'm sure Yahoo as well, and maybe other social apps. Also yes, I did notice a localhost address in the header I was looking at, and I thought that I would need the original e-mail, because for tracking purposes it would show me her address if it were forwarded vs. the attacker's IP, but I wasn't sure. I used to use Yahoo back in the day, but I find gmail is much better, especially for business use if you're not gonna buy a domain. Also, it's been a while since I've been on the forums; I was wondering when hak5 was gonna add a like button :) bout time! Thanks again guys for all your input and advice :)
Dec100 Posted September 11, 2013

If you can get one of the emails as an attachment (to preserve the headers as digip suggests), you can copy/paste the header into an online analyser to make it easier to read: http://www.mxtoolbox.com/EmailHeaders.aspx It might make things clearer on where it came from.
digip Posted September 11, 2013

> If you can get one of the emails as an attachment (to preserve the headers as digip suggests), you can copy/paste the header into an online analyser to make it easier to read: http://www.mxtoolbox.com/EmailHeaders.aspx It might make things clearer on where it came from.

Just be careful to sanitize your own email address info!! Lots of those are used to create spam lists, and most people don't take out their email ID, server, IP, etc.
Dec100 Posted September 11, 2013

> Just be careful to sanitize your own email address info!! Lots of those are used to create spam lists, and most people don't take out their email ID, server, IP, etc.

Good point!
G-Stress (author) Posted September 14, 2013

Dec100, thanks for that buddy! I was not aware such a service existed. I am a bit rusty on my reconnaissance skills ;)
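Two things in this thread lend themselves to a worked example: digip's walkthrough of the Received: chain (read it from the bottom hop up, skip localhost and LAN literals, and in "Received: from [10.0.0.8] ([x.x.x.x])" the second address is the one to geolocate), and his warning to sanitize your own address, mailbox ID and servers before pasting headers into an online analyser. The Python below is an added example written for this page; it is not code posted by anyone in the thread. It assumes you have the original message saved as a raw .eml/.txt file. The sample message embedded in it is constructed for the example: it is modeled on the headers digip posted but uses RFC 5737 documentation addresses and invented hostnames (mx.example.net, mx-front.example.net, hosting.example.org) in place of the real ones.

```python
"""Walk the Received: chain of a saved raw e-mail to find the originating
external IP, then scrub the recipient's own identifiers before the headers
are shared with a third-party analyser.

Added example for the thread, not code posted by anyone in it.  SAMPLE_EML is
constructed: it mirrors the shape of the headers in the thread but uses
RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.0/24) and
invented hostnames.
"""
import ipaddress
import re
from email import message_from_string

SAMPLE_EML = """\
Return-Path: <spamuser@hosting.example.org>
Delivered-To: x10962632@mx.example.net
Received: from mx-front.example.net (mx-front.example.net [198.51.100.25])
\tby mx.example.net (Postfix) with ESMTP id 0A5F860BD5608
\tfor <victim@example.net>; Fri,  6 Sep 2013 10:23:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
\tby mx-front.example.net (Postfix) with ESMTP id E7B5017BC6D6
\tfor <victim@example.net>; Fri,  6 Sep 2013 10:23:34 -0700 (PDT)
Received: from hosting.example.org (hosting.example.org [203.0.113.157])
\tby mx-front.example.net (Postfix) with ESMTP id 87F151B0087
\tfor <victim@example.net>; Fri,  6 Sep 2013 10:23:34 -0700 (PDT)
Received: from [10.0.0.8] (unknown [203.0.113.42])
\tby hosting.example.org with ESMTPA id 1VHzkp-0002Vm-RH
\tfor victim@example.net; Fri, 06 Sep 2013 20:23:31 +0300
From: "Wedding Agent" <agent@kartek.example>
To: victim@example.net
Subject: Invitation

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that can never be the sender's public endpoint: loopback, RFC 1918 LAN
# space and link-local.  ipaddress's is_global is deliberately not used: it also
# classes the RFC 5737 documentation ranges in the constructed sample as
# non-global, which would hide the sample's "real" sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Received: headers oldest-first.  Each relay prepends its own header, so
    the bottom-most one in the message is the first hop the mail took."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def hop_client_ips(hop):
    """IPv4 literals in the 'from ... by' clause of one Received: header.  For
    'from [10.0.0.8] ([x.x.x.x])' this yields the LAN address first, then the
    public one."""
    m = re.search(r"\bfrom\s+(.*?)\s+by\s", hop, re.S)
    clause = m.group(1) if m else hop
    ips = []
    for text in IPV4_RE.findall(clause):
        try:
            ips.append(ipaddress.ip_address(text))
        except ValueError:  # e.g. 999.1.1.1 is not an address
            pass
    return ips


def originating_ip(raw):
    """(ip, header) for the oldest hop whose client is a non-internal address,
    or (None, None).  Hops showing only localhost/LAN literals are skipped.
    The earliest hops are written by the sender's own server and can be forged,
    so the header text is returned for reading by eye.  A forwarded copy only
    carries the forwarder's hops, which is why the original message is needed."""
    for hop in received_hops(raw):
        for ip in hop_client_ips(hop):
            if not is_internal(ip):
                return str(ip), hop
    return None, None


def redact_recipient(raw, recipient, own_hosts):
    """Replace the recipient address, the Delivered-To mailbox id, the
    recipient's own mail servers and the IPs logged next to them with
    placeholders, so the headers can be shared without leaking a harvestable
    address.  Sender-side hops, which are the evidence, are left intact."""
    own_ips = set()
    for host in own_hosts:  # IPs that appear as "host [ip]" belong to us too
        own_ips.update(re.findall(re.escape(host) + r"\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]", raw))
    out = raw.replace(recipient, "recipient@redacted.invalid")
    out = re.sub(r"^(Delivered-To:\s*).*$", r"\1redacted", out, flags=re.M)
    for host in own_hosts:
        out = out.replace(host, "mx.redacted.invalid")
    for ip in own_ips:
        out = out.replace(ip, "x.x.x.x")
    return out


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_EML), 1):
        ips = ", ".join(str(i) + (" (internal)" if is_internal(i) else "")
                        for i in hop_client_ips(hop))
        print(f"hop {n}: {ips or 'no IP literal'}")
    print("originating IP:", originating_ip(SAMPLE_EML)[0])
    print(redact_recipient(SAMPLE_EML, "victim@example.net",
                           ["mx-front.example.net", "mx.example.net"]))
```

Run against the sample, hop 1 shows 10.0.0.8 as internal and 203.0.113.42 as the address to look up, which is the "second address" case digip describes. Against his real headers the bottom hop ("from vodon12 by hosting5.ukrnames.com with local") has no IP literal at all, so the walk moves up one hop and lands on 91.197.128.157, the same address he fed to GeoIP and whois. Pass the redacted output, not the raw file, to anything like the MXToolbox form.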