Urgent: Possible security problem

planethoth

Hi, I am having a bizarre problem that I am not able to discern whether
it is Entourage-based or not, but Entourage is my primary email client and
I use it every day for most email tasks.

Some people are receiving emails that I did not send from my Hotmail
account. One of them is receiving emails that are otherwise blank but have
"Not read:" in the subject line. Another replied that an attachment had
been sent from me that she couldn't open; it also has "Not read:" in the
subject line. I have not sent any email whatsoever to the latter
recipient in quite some time.

I have run virus scans on my computers with Norton and have not found
anything; however, I am concerned there is some kind of security issue
here. Can anyone tell what might be causing this?

My set-up:

Entourage 2004
Powerbook G4 1.5 GHz
OS X 10.4.4
Norton AV for Mac
Hotmail and Gmail
 
JE McGimpsey

planethoth said:
I have run virus scans on my computers with Norton and have not found
anything; however, I am concerned there is some kind of security issue
here. Can anyone tell what might be causing this?

It's most likely that your address was spoofed. Have your correspondent
look at the headers. My guess is that the message won't have originated
from your ISP.
 
planethoth

If they know how to do this... assuming this is the case, what should I
be concerned about here and what action should I take?
 
planethoth

So far, Norton AV and MacScan anti-spyware software have picked up
nothing. I am very worried about this; how do I shut down this spoofer
if I cannot find out how they did it? And, in addition, is this possibly a
flaw in Entourage itself?
 
planethoth

Just want to be clear about what I am describing: these people I am
hearing from are getting these emails (allegedly) from me and I am only
hearing about it when they reply. These people are not strangers but
people I know. So might this suggest someone has stolen addresses from
either my Entourage address book or Hotmail?
 
Barry Wainwright [MVP]

Just want to be clear about what I am describing: these people I am
hearing from are getting these emails (allegedly) from me and I am only
hearing about it when they reply. These people are not strangers but
people I know. So might this suggest someone has stolen addresses from
either my Entourage address book or Hotmail?

The mails are NOT coming from you or your computer. They are being sent out
by a third party, but have your name & email address in the 'from' header.
This is very easy to fake.

There's not really anything you can do except tell the people who are
getting in touch with you that you are not responsible and that they should
not be opening the attachments! If they are windows users, it's quite
possible/likely that they are also now infected.
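JE McGimpsey's and Barry's advice above comes down to one check: the From: line is trivially faked, so look at the Received: chain to see where the message actually entered the mail system. The script below is an added example, not code from the thread, run over two constructed messages whose hosts and addresses are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples with placeholder hosts/addresses (not real captures).
# SPOOFED: From: claims the victim's Hotmail address, but the earliest
# Received: hop shows the message arriving from an unrelated dial-up host.
SPOOFED = """\
Received: from mx1.recipient.example ([192.0.2.10])
 by mail.recipient.example; Mon, 13 Feb 2006 10:01:05 -0500
Received: from dsl-203-0-113-7.otherisp.example ([203.0.113.7])
 by mx1.recipient.example with SMTP; Mon, 13 Feb 2006 10:01:02 -0500
From: "P Lanethoth" <victim@hotmail.example>
To: friend@recipient.example
Subject: Not read: lunch next week

"""
# GENUINE: the same sender, but the message really left the provider's relay.
GENUINE = """\
Received: from mx1.recipient.example ([192.0.2.10])
 by mail.recipient.example; Mon, 13 Feb 2006 11:00:05 -0500
Received: from out1.hotmail.example ([198.51.100.20])
 by mx1.recipient.example with ESMTP; Mon, 13 Feb 2006 11:00:02 -0500
From: "Planet Hoth" <victim@hotmail.example>
To: friend@recipient.example
Subject: lunch next week

"""
# Host named after "from" at the start of a Received: header value.
FROM_HOST = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)

def received_chain(raw):
    """Hosts from Received: headers, earliest hop first (each relay prepends
    its own line, so the bottom-most one is where the message entered)."""
    msg = email.message_from_string(raw)
    hosts = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = FROM_HOST.match(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def from_domain(raw):
    """Domain of the (trivially forgeable) From: address."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def origin_matches_sender(raw):
    """The check suggested in the thread: did the first relay belong to the
    From: domain?  False is what a spoofed From: looks like; True is only a
    weak hint, since a sender can forge its own early Received: lines too."""
    hosts, dom = received_chain(raw), from_domain(raw)
    if not hosts or not dom:
        return False
    return hosts[0] == dom or hosts[0].endswith("." + dom)
```

origin_matches_sender(SPOOFED) returns False while origin_matches_sender(GENUINE) returns True; the same check can be run on a message saved as raw source from any mail client.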
 
planethoth

Let me recap three things about this problem:

1. the emails are coming, allegedly, from one of my email addresses
with my name
2. the name that is used, although my name, is not the form that I use
in my email accounts, i.e., these have first initial/last name in full,
whereas I use first name in full/last name in full
3. The people who have received my emails are ALL people I know, but do
not know each other. They are not connected to each other in any way
other than that they know me, so they cannot have appeared on each
others' address books or list.

Only one of them has received an attachment.

Given this information, is it any clearer what this could be?
 
planethoth

Although I am a moderately sophisticated computer user, most of the
people I know are not and have no clue about it when I try to explain
the internet headers, etc. I have had no luck with trying to get them
to explain what to look for. Hell, I am not even sure I know what I am
looking for. All I know is, it would be very strange for three
disparate people who all happen to be on my contact list to get emails
purporting to be from me if there wasn't something going on besides a
coincidence...
 
mmmmark

planethoth said:
Although I am a moderately sophisticated computer user, most of the
people I know are not and have no clue about it when I try to explain
the internet headers, etc. I have had no luck with trying to get them
to explain what to look for. Hell, I am not even sure I know what I am
looking for. All I know is, it would be very strange for three
disparate people who all happen to be on my contact list to get emails
purporting to be from me if there wasn't something going on besides a
coincidence...

One thing that can prevent many of these problems is to use the BCC field
when forwarding emails to lots of people. If you include dozens of
addresses in the TO field, then usually EACH and EVERY person on that
forward list will (by default) have ALL those email addresses added to their
address book.

Then, if ANY of them is exposed to a virus/worm/trojan, you are going along
for the ride. Worse yet, by including people's names in the TO field,
you've sent everyone else along for that same ride. It is much like being
exposed to STDs.... There is a transitive property, affecting everyone
you've ever sent or received email from.

Granted, since you have a Mac you (currently) can't get a virus, but you can
be spoofed like you have been or you can be included on spam lists (more
likely these days). Spam can be minimized if people practice "safe
emailing" and proper use of the BCC field (it's like using protection).
;-)

regards,
-Mark
 
planethoth

One thing that is not clear to me is: how are people I know getting
these bogus emails from me even when I have not communicated with them
for weeks? I virtually NEVER use multiple email addresses, for what
that is worth, and have not used them recently whatsoever. These
details are important to understanding what is going on here...
 
mmmmark

planethoth said:
One thing that is not clear to me is: how are people I know getting
these bogus emails from me even when I have not communicated with them
for weeks? I virtually NEVER use multiple email addresses, for what
that is worth, and have not used them recently whatsoever. These
details are important to understanding what is going on here...

You may need to re-read some of these responses in succession to more fully
understand. Your email address is in somebody's address book which has been
compromised by a virus/worm/trojan. It is sending out mail as if it were
from you (spoofing your address). To anyone that this mail goes to, it
appears to be from you and the reply-to address is also you.

None of this means that you have ever sent them an email. All it means is
that you and these people have a common 'friend' who has received a
virus/worm/trojan. Unluckily for you, your name is one (perhaps of many)
that is being spoofed. Welcome to the world of deception.

There is little to nothing you can do about it. Just try to educate others
based on what you read here so that they can 1) understand that you did
nothing wrong and 2) be more careful with their email conversations and
better use discretion with who has their email address and how they use the
TO and BCC fields. It is poor netiquette to address emails to large numbers
of people in the TO field. If you need more information on BCC I'm sure
there are plenty of links in Google explaining its use.

I feel for you. My sister-in-law had an acquaintance who got hit a few
months ago and many people were aggravated as a result. My S-I-L forwards
emails to hundreds of people and sometimes includes my name amongst the
addresses. In this manner, I am inadvertently added to all those people's
address books. One of them got hit and since then, I've received about 5
spams a day. Normally I don't use my primary address for forwarding "junk"
around. I use a separate one. Unfortunately, my S-I-L picked my wrong
address and now I am paying in spam.

Don't let it bother you too much. Life's too short to lose sleep over this.
Live. Laugh. Love. Smile :)

Best Regards,
-Mark
 
planethoth

Let me again be clear: I have not sent ANY multiple-address emails. I
simply do not use this technique, as common as it is for others. The
issue of BCC etc. is good practice but it absolutely does not come into
play here---in addition, my contacts would NOT be communicating with
each other as they are entirely unrelated to each other. These people
have also not sent any multiple-address emails to me. Even though I may
be in any of their address books, none of their names can be in each
others' address books. Their only commonality is that they know me.
Someone logically HAS to have access to my address book or contact list
somehow, am I wrong?

Again, for what it is worth, I have taken the following steps which
have NOT stopped this problem:

- Turned on the Mac's OS X firewall
- Changed my Hotmail/MSN password
- Scanned the computer using Norton AV and MacScan (nothing found)
 
planethoth

I have fully read every response in this forum. But I must insist:
there is a logical discrepancy here, because I don't think it is
possible that my email is being spoofed from SOMEONE ELSE'S email
address. Why? Because of the following:

* ALL of the people are unconnected to each other. They happen to know
me, but they do not know each other, receive emails from each other,
forwards from me or each other, or multiple-address emails from each
other.

* In addition, in the subject line, after the phrase "Not read:", at
least a few of the cases contain wording from subject lines that had
been in previous email exchanges between me and them! This would not be
possible if only my name and email address were taken.

This is NOT an issue of me not reading the responses in this forum
carefully. IF I am being unclear about these facts, let me know. But it
seems that in fact it is other people who are not reading what I wrote
before they answer me. The details are extremely important here...
 
Chris Ridd

Let me again be clear: I have not sent ANY multiple-address emails. I
simply do not use this technique, as common as it is for others. The
issue of BCC etc. is good practice but it absolutely does not come into
play here---in addition, my contacts would NOT be communicating with
each other as they are entirely unrelated to each other. These people
have also not sent any multiple-address emails to me. Even though I may
be in any of their address books, none of their names can be in each
others' address books. Their only commonality is that they know me.
Someone logically HAS to have access to my address book or contact list
somehow, am I wrong?

Again, for what it is worth, I have taken the following steps which
have NOT stopped this problem:

- Turned on the Mac's OS X firewall
- Changed my Hotmail/MSN password
- Scanned the computer using Norton AV and MacScan (nothing found)

Of course they won't make a difference.

The infected machine (or machines) *already* has your email address and at
least one of your contacts' email addresses. You're not closing the stable
door after the horse has bolted, you're closing the *wrong* stable door :)

Your machine has *not* been infected by anything, and the addresses have
*not* been stolen from your machine. Seriously.

You know the "six degrees of separation" game (aka "six degrees of Kevin
Bacon")? Well, that's almost certainly the reason why your contacts are
getting mail from each other even though you think their only common contact
is you.

Don't worry about it, and don't spend too much time worrying how it all
happened. One infected Windows box is all it takes.

Cheers,

Chris
 
mmmmark

planethoth said:
I have fully read every response in this forum. But I must insist:
there is a logical discrepancy here, because I don't think it is
possible that my email is being spoofed from SOMEONE ELSE'S email
address. Why? Because of the following:

* ALL of the people are unconnected to each other. They happen to know
me, but they do not know each other, receive emails from each other,
forwards from me or each other, or multiple-address emails from each
other.

* In addition, in the subject line, after the phrase "Not read:", at
least a few of the cases contain wording from subject lines that had
been in previous email exchanges between me and them! This would not be
possible if only my name and email address were taken.

This is NOT an issue of me not reading the responses in this forum
carefully. IF I am being unclear about these facts, let me know. But it
seems that in fact it is other people who are not reading what I wrote
before they answer me. The details are extremely important here...

I'm not saying for certain that a TO/BCC issue has been the culprit. I just
jump on that soapbox anytime I get a chance--and it is certainly worth
repeating.

All it takes is one computer of someone you know and all this can happen.
Think carefully about the "safe sex" analogy I spoke of. Everyone is
affected by everyone they've EVER sent mail to (and whoever they sent email
to.......etc).

Good luck,
-Mark
 
planethoth

The analogy to six degrees of separation is well understood by me, but
there seems to be a problem with it. I can guarantee you that, except
for me, there is not any likely webbing holding these five people
together. As an example, my parents were the first ones to report
receiving these emails---they live in another city far from here and
really only have contact with me and my brothers in this city. My
brothers have not received these things. No contacts that my brothers
and I could possibly have in common (there are very few) have received
them either.

These emails have gone to people who have totally disparate social
circles and even ages---the connections back would be incredibly slim
and far removed. It simply does not make sense.

But the biggest death blow to this theory that my address was just
taken from someone else's address book is that the subject lines
often contain text that was in previous emails BETWEEN myself and
that recipient. If this does not suggest some breach of my account, I
do not know what would.
 
mmmmark

planethoth said:
The analogy to six degrees of separation is well understood by me, but
there seems to be a problem with it. I can guarantee you that, except
for me, there is not any likely webbing holding these five people
together. As an example, my parents were the first ones to report
receiving these emails---they live in another city far from here and
really only have contact with me and my brothers in this city. My
brothers have not received these things. No contacts that my brothers
and I could possibly have in common (there are very few) have received
them either.

These emails have gone to people who have totally disparate social
circles and even ages---the connections back would be incredibly slim
and far removed. It simply does not make sense.

But the biggest death blow to this theory that my address was just
taken from someone else's address book is that the subject lines
often contain text that was in previous emails BETWEEN myself and
that recipient. If this does not suggest some breach of my account, I
do not know what would.

How do you access your email? Is it always through Entourage? Or do you
access it via webmail from your ISP or through another service like
mail2web, etc.?

It might be possible that your email account has been compromised by someone
who sniffed your password, but this is extremely, extremely unlikely.

Do you also check this mail from a work computer? Is it a PC running
Outlook/Outlook Express? There is a possibility that this computer had a
virus/worm/trojan.

I don't know what else to tell you. This sort of stuff is becoming part of
life in this digital age. It sucks, yes. But at some point we just have to
take it on the chin and move on.

Did this happen as one event or is it ongoing? Any "exes" in your life that
might have known a password?

-Mark
 
planethoth

* 98-99% of the time I check my email on this Mac Powerbook, through
Entourage. Occasionally, I use Apple's Mail.app.

* I cannot even recall the last time I checked my email on another
computer. Nobody except me has ever had my password. I do not do
automatic log-ins for MSN Messenger or things like that.

* I also use Gmail through Entourage. It has not been involved.

It seems to me most logical to conclude that this is either an
Entourage problem or a Hotmail problem, no?
 
mmmmark

planethoth said:
* 98-99% of the time I check my email on this Mac Powerbook, through
Entourage. Occasionally, I use Apple's Mail.app.

* I cannot even recall the last time I checked my email on another
computer. Nobody except me has ever had my password. I do not do
automatic log-ins for MSN Messenger or things like that.

* I also use Gmail through Entourage. It has not been involved.

It seems to me most logical to conclude that this is either an
Entourage problem or a Hotmail problem, no?

Starting to sound like a Hotmail problem, although I haven't a clue about
the probabilities of that.
 
planethoth

Who can I contact immediately at Hotmail? The MS security team has not
responded to my email and this needs to be fixed ASAP... is there a
number?
 
