
Re: [LUG] (no subject)


On Tue, 3 Apr 2012, Martijn Grooten wrote:

On Tue, Apr 3, 2012 at 3:40 PM, badapple wrote:
A quick check of the email headers as compared to my usual details shows
these two spams originated from this IP address: 92.48.118.11. A quick whois
shows the netblock belongs to Simply Transit Ltd/AS29550 and a quick google
shows they are known spammers. Case closed. I know my password is secure and
has been changed anyway just to be on the safe side, but it's a standard
case of forged headers anyway.

I don't see forged headers - AFAICT the email was sent from Yahoo.

I'd concur...

92.48.118.11 is pi.a-squared.co.uk which hosts the LUG list server.

Exactly.. Hand in your geek card now...

And as for a keylogger being involved, um, no. That at least gave me a
good laugh.

I think it's the most likely way for webmail accounts to get
compromised. That, or phishing.

Indeed.

I run many mailing lists for various subjects and from time to time an account gets hacked and one or more messages get to the list(s) - my experience suggests it's never a case of forged headers and always a case of a password compromise. I now have this standard message that gets emailed back:

  Hi,

  I think your aol/hotmail/yahoo (delete as appropriate) account has
  been compromised and has been used to send spam to the XYZ list
  (and others).

  Please check and change your password as the perpetrators have most
  likely gained access via your password.

  I've temporarily removed you from the XYZ list to stop any more
  spam being sent from your account to the list.

  When you've checked & changed your password, drop me an email and I'll
  add you back onto the list.

  Regards,

Usually they change their password and that's that, so it's highly likely to be a password compromise - especially as the email is usually sent to other people at the same time, often 5 or 6 people in the To: header field (so I'd be willing to bet that gummy_bear1973#yahoo.co.uk is in your address book). How they got the password, well, who knows - but since it's almost always from a webmail type of account I'd guess inadvertently using an insecure machine with a keyboard logger, internet "kiosk", open wi-fi, etc.

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
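The disagreement in the thread turns on how to read a Received: chain: the topmost hop names the server that delivered the message to you (here the LUG list server, 92.48.118.11 / pi.a-squared.co.uk), not where the message originated, and the origin evidence sits in the hop stamped by the last server you trust. The script below is an added example written for this page, not code from the thread or the LUG; it parses a constructed sample message (only the 92.48.118.11 / pi.a-squared.co.uk pair comes from the thread; web-mail.example.net, mx.recipient.example.org, 198.51.100.7 and the addresses are made up) and walks the chain top-down, stopping at the first hop stamped by an untrusted server, because everything below that point was written by someone else and could be forged. The function names are my own and the approach generalises to any message, not just list traffic.

```python
"""Walk a message's Received: chain and separate the final relay (the
list server) from the hop that actually records where the mail came from."""
import email
import re

# Constructed sample message, not a real one.  It models a webmail
# submission that was relayed through a list server to a member's MX.
SAMPLE = """\
Received: from pi.a-squared.co.uk (pi.a-squared.co.uk [92.48.118.11])
\tby mx.recipient.example.org (Postfix) with ESMTP id 4C0FF
\tfor <member@recipient.example.org>; Tue, 3 Apr 2012 15:41:02 +0100
Received: from web-mail.example.net (web-mail.example.net [198.51.100.7])
\tby pi.a-squared.co.uk (Postfix) with ESMTP id 2B7A1
\tfor <list@dclug.example>; Tue, 3 Apr 2012 15:40:30 +0100
Received: from [10.0.0.12] by web-mail.example.net via HTTP; Tue, 3 Apr 2012 15:40:11 +0100
From: gummy_bear1973@example.net
To: list@dclug.example
Subject: (no subject)

hello
"""

# "from <sender side> by <stamping server>"; the sender side may carry a
# HELO name, a reverse-DNS name and a bracketed address, or just an address.
HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return one dict per Received: header, top (newest) to bottom (oldest)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "from": None, "by": None, "ip": None})
            continue
        sender_side = m.group("from")
        ip = IP_RE.search(sender_side)
        hops.append({
            "raw": flat,
            "from": sender_side.split()[0],      # host (or [addr]) as announced
            "by": m.group("by").lower(),         # server that wrote this header
            "ip": ip.group(1) if ip else None,   # address the stamper saw
        })
    return hops


def final_relay(hops):
    """The topmost hop: who handed the message to the last server, i.e. the
    list server for list traffic.  This is NOT the origin."""
    return hops[0] if hops else None


def origin_evidence(hops, trusted_by):
    """Deepest hop stamped by a server in trusted_by.  Its 'from' side is the
    peer our own infrastructure received the message from, which is the best
    evidence of origin.  Stop at the first untrusted stamper: headers below it
    were added by third parties and cannot be relied on."""
    chosen = None
    for hop in hops:
        if hop["by"] and hop["by"] in trusted_by:
            chosen = hop
        else:
            break
    return chosen


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    # Assumed trust: the recipient's own MX and the list server it subscribes to.
    trusted = {"mx.recipient.example.org", "pi.a-squared.co.uk"}
    relay = final_relay(hops)
    origin = origin_evidence(hops, trusted)
    print(f"final relay : {relay['from']} [{relay['ip']}]")
    print(f"origin hop  : {origin['from']} [{origin['ip']}] (stamped by {origin['by']})")
```

Run against the sample, the final relay is pi.a-squared.co.uk [92.48.118.11] and the origin evidence is web-mail.example.net [198.51.100.7], the hop stamped by the list server itself; a whois on the relay's address tells you about the list host, not the sender. The trusted set is the one decision the analyst has to make: it should contain only servers whose Received: stamps you can vouch for, and the lowest "via HTTP" hop, written by the webmail provider, is informative but not something you can verify.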