
Re: [LUG] (no subject)
On 03/04/12 15:59, Martijn Grooten wrote:
> On Tue, Apr 3, 2012 at 3:40 PM, badapple wrote:
>> A quick check of the email headers as compared to my usual details shows
>> these two spams originated from this IP address: 92.48.118.11. A quick whois
>> shows the netblock belongs to Simply Transit Ltd/AS29550 and a quick google
>> shows they are known spammers. Case closed. I know my password is secure and
>> has been changed anyway just to be on the safe side, but it's a standard
>> case of forged headers anyway.
> I don't see forged headers - AFAICT the email was sent from Yahoo.
>
> 92.48.118.11 is pi.a-squared.co.uk which hosts the LUG list server.
>
>> And as for a keylogger being involved, um, no. That at least gave me a
>> good laugh.
> I think it's the most likely way for webmail accounts to get
> compromised. That, or phishing.
>
> Martijn.
>

Actually, a bit more digging has turned up a Japanese IP address and
Yahoo's control panel, which I've never bothered using before, shows
there was a mobile account access to my Yahoo account at 01:56 this
morning, 1 minute before those two spams were delivered. I'm following
up on this now as I think I know the source of the problem - as I've
probably mentioned before, I'm really into anime and am a member of more
obscure anime forums/portals/trackers than I can remember. I'm talking
with a couple of site admins right now and it's looking like one of the
more poorly put together ones has been compromised. The two spam emails
actually did show up in my Sent folder... worrying. Quite how the
compromise has been managed will require further investigation -
obviously, I don't reuse passwords at all and forum passwords aren't
ever set as the same as my actual email account. Might take a while to
resolve thanks to time difference and my Japanese still being terrible
despite 20+ years of anime watching.

And still no, definitely not a keylogger. Unless a three letter agency
has delegated me a threat to world peace and James Bond currently has
22nd century nanotech installed in my network card firmware, this
machine is clean. Particularly as I had to RMA my current workstation's
mobo and some bad RAM back to scan.co.uk yesterday and have been using a
spare Core 2 Quad with a hand-built linux install for barely 24 hours.
Today is the first time I've even used its native thunderbird install
for mail - all day yesterday whilst I was busy installing, importing
SSH/GPG keys, tuning SELinux, etc, my mail was running from an OpenBSD
-current VM I keep to hand for such exact situations on an encrypted USB
stick. I also put together all of my own hardware so I'm really
intimately familiar with all the guts of both this Quad and the Core i5
machine temporarily retired yesterday.

Anyway, the yahoo account has been re-secured and now it's just waiting
on the site admin(s) to get back to me with more information. I must
admit it's a bit embarrassing as I make my living in computer security...

Apologetically,

Mat

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
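The disagreement above turns on which Received hop is being read: the topmost one is the server that delivered the message to the reader (the LUG list server), not the sender. The following is an added example, not code from the thread, that walks a Received chain in order and skips known-trusted relays to find the first hop that is not your own infrastructure. The headers and all IPs other than the list server's 92.48.118.11 are constructed documentation-range values.

```python
import re

# Constructed sample headers (not from the original thread). Top line is the
# last hop, the list server Martijn identifies; the real origin is lower down.
SAMPLE_HEADERS = """\
Received: from pi.a-squared.co.uk (pi.a-squared.co.uk [92.48.118.11])
\tby mail.example.invalid with ESMTP; Tue, 3 Apr 2012 01:57:10 +0100
Received: from nm12.bullet.webmail.invalid (nm12.bullet.webmail.invalid [203.0.113.45])
\tby pi.a-squared.co.uk with SMTP; Tue, 3 Apr 2012 01:57:05 +0100
Received: from [198.51.100.77] by web120.webmail.invalid via HTTP; Tue, 03 Apr 2012 00:56:58 GMT
From: someone@webmail.invalid
Subject: (no subject)
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw):
    """Return Received hops in header order: most recent (last relay) first."""
    chain = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        host = FROM_HOST.match(line)
        ip = IPV4_IN_BRACKETS.search(line)
        chain.append({"from": host.group(1) if host else None,
                      "ip": ip.group(1) if ip else None})
    return chain


def first_untrusted_hop(chain, trusted_ips):
    """Skip relays you control (your MX, the list server) and return the first
    hop beyond them; that is the handoff worth investigating, not the top line."""
    for hop in chain:
        if hop["ip"] not in trusted_ips:
            return hop
    return None
```

Note that only hops added by servers you trust are reliable; a sender can prepend fake Received lines below them, so the bottom of the chain is evidence, not proof.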