On 03/04/12 18:43, Gordon Henderson wrote:
> Usually they change their password and that's that, so it's highly
> likely to be a password compromise - especially as the email is
> usually sent to other people at the same time - often 5 or 6 people in
> the To: header field. (so I'd be willing to bet that
> gummy_bear1973#yahoo.co.uk is in your address book) how they got the
> password, well who knows - but since it's almost always from a webmail
> type of account I'd guess inadvertently using an insecure machine with
> a keyboard logger, internet "kiosk", open wi-fi, etc.

Congratulations on your reading comprehension fail: as stated at least twice, I have *never* used the yahoo webmail interface to send an email. I've used the yahoo html interface exactly twice, once to initially register the account and again today to reset the password and look at account activity. I don't have an address book on yahoo, and the email gummy_bear1973@xxxxxxxxxxx is completely unknown to me (and currently under investigation). There were no other CCs or BCCs, so this is a strangely targeted breach of as yet unknown origin.

I only use mail clients of various flavours, never webmail. Literally never. The only machine apart from my own heavily secured boxes I've used since at least Christmas is a highly geeky programmer friend's updated and secured win7 laptop (I work from home currently and don't have to work onsite). I have sent emails from that machine, but only via SSH tunnels to my home machines and not from the yahoo account. If that laptop was compromised, they would have access to a lot more of my key security infrastructure than just a lame throwaway yahoo account and would now be happily getting root logins on the many commercial servers I manage.

There is no way my machine-generated strong password has been compromised - a CSRF/XSS flaw in either/or/both some flaky anime forums I've registered on using that yahoo address and potentially yahoo's APIs themselves are the most likely attack vectors so far, and I'm still digging for more info. As I said, a Japanese-based IP started a mobile session on my account at 01:56 this morning, one minute before the two spams were sent. There was no further activity after that. As a network/systems admin I also run multiple internet-facing servers including mail lists, mail servers and so on, so I really am quite well versed in this area. Please stop telling me I've been keylogged, because it's not the case!

I will admit my first incredulous glance at the email headers was pretty half-assed and I jumped to (wrong) conclusions immediately, not helped by copy/pasting the wrong IP address into whois - that was my bad. Indeed, I know from comparison with all the archived LUG emails that "92.48.118.11 is pi.a-squared.co.uk which hosts the LUG list server"; that was just being momentarily dumb-arsed.

Back to investigating,

Mat

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq