
[SOLVED] E-mail

Registered user
Posts: 33
Joined: Wed, 11 Apr 2012, 17:38
Location: Cheshire UK

[SOLVED] E-mail

Postby Mantari » Mon, 25 Jun 2012, 21:28

Hi
I received an e-mail which states that it's from my sister, but it's not: it's her address, but there is nothing in her sent box.

I know a virus can randomly take an e-mail from an address book and fake the sender, and then send it out to others who are also in the address book.

Does the virus have to be on a PC where the address book is resident on the PC and not on a web e-mail account? I'm thinking it has to be on a PC.

I've looked through the full e-mail header and, apart from seeing the e-mail addresses which I recognise, i.e. my sister's and other people's, I was wondering if there was any way of determining where it really came from, to see whose PC actually has the virus.


Any thoughts,

thanks

M

Official moderator
Posts: 1602
Joined: Mon, 02 Apr 2012, 17:53
Location: Panda HQ - Bilbao

Re: E-mail

Postby VirusBuster » Tue, 26 Jun 2012, 08:27

Being a fake From e-mail, it's not necessarily caused by malware on the PC.
Somebody simply changes the From address to any other.

If you want to check where it came from, check the email headers and look for the source IP address; then you can check it at http://cqcounter.com/whois/
Regards,

Jorge Torre
TechSupport Department, Panda Security
Retail & Malware Team
I don't reply to private messages unless I have previously requested them


Re: E-mail

Postby Mantari » Tue, 26 Jun 2012, 08:38

Hi
In the header it says it came from my sister's e-mail, but there is nothing in her sent box. I understand someone can change these details, but I can't see where it originated.

Please may I PM you with the Header details for your opinion?

Thanks


Re: E-mail

Postby VirusBuster » Tue, 26 Jun 2012, 08:57

How do you check your email? Via webmail, or via an email client?
If you check it via webmail, right-click the email and select "see complete header".

Here is an example of the header of a spam email I received in my Yahoo account:

From Correos Mon Jun 25 23:29:25 2012
X-Apparently-To: xxxxxxxxxx@xxxx.xx via 77.238.189.172; Mon, 25 Jun 2012 22:29:28 +0000
Return-Path: <daveandc@m10.themothership.net>
X-YahooFilteredBulk: 209.90.225.10
Received-SPF: none (domain of m10.themothership.net does not designate permitted sender hosts)
X-Originating-IP: [209.90.225.10]
Authentication-Results: mta1042.mail.ukl.yahoo.com from=correos.es; domainkeys=neutral (no sig); from=correos.es; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO m10.themothership.net) (209.90.225.10)
by mta1042.mail.ukl.yahoo.com with SMTP; Mon, 25 Jun 2012 22:29:28 +0000
Received: from daveandc by m10.themothership.net with local (Exim 4.77)
(envelope-from <daveandc@m10.themothership.net>)
id 1SjHmf-0005iu-LL
for xxxxxxxxxx@xxxxxxxxxxx.xx; Mon, 25 Jun 2012 15:29:25 -0700
To: xxxxxxxxx@xxxxxx.xx
Subject: Tiene que recoger un paquete postal
From: "Correos" <menedzher@correos.es>
X-Mailer: EasyDMfree
Reply-To: "Correos" <menedzher@correos.es>
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------13406633654FE8E6459DFF3"
Message-Id: <E1SjHmf-0005iu-LL@m10.themothership.net>
Date: Mon, 25 Jun 2012 15:29:25 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - m10.themothership.net
X-AntiAbuse: Original Domain - yahoo.es
X-AntiAbuse: Originator/Caller UID/GID - [536 534] / [47 12]
X-AntiAbuse: Sender Address Domain - m10.themothership.net
Content-Length: 40139

Look for the fields I marked in red
Regards,

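Added example (not from the post above or from Panda): a small Python script that does what the moderator describes by hand, reading the Received chain oldest-first, picking out the first routable IP (skipping the 127.0.0.1 the sending host claims about itself) and comparing the visible From domain with the envelope sender and the SPF result. The input is the posted header trimmed to the relevant fields; the function names are mine.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Sample input: the header posted above, trimmed to the lines that matter here
# (opaque X-YMailISG blob dropped, folded lines indented as RFC 5322 requires).
# Recipient addresses were already masked by the original poster.
SAMPLE_HEADER = """\
Return-Path: <daveandc@m10.themothership.net>
Received-SPF: none (domain of m10.themothership.net does not designate permitted sender hosts)
X-Originating-IP: [209.90.225.10]
Received: from 127.0.0.1 (EHLO m10.themothership.net) (209.90.225.10)
 by mta1042.mail.ukl.yahoo.com with SMTP; Mon, 25 Jun 2012 22:29:28 +0000
Received: from daveandc by m10.themothership.net with local (Exim 4.77)
 (envelope-from <daveandc@m10.themothership.net>)
 id 1SjHmf-0005iu-LL
 for xxxxxxxxxx@xxxxxxxxxxx.xx; Mon, 25 Jun 2012 15:29:25 -0700
From: "Correos" <menedzher@correos.es>
Subject: Tiene que recoger un paquete postal

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Received lines oldest first: each relay prepends its own, so reverse."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def originating_ip(raw):
    """First routable IP in the earliest hop that has one; loopback and
    private addresses (the sender's own claim about itself) are skipped."""
    for hop in received_hops(raw):
        for cand in IPV4.findall(hop):
            if ipaddress.ip_address(cand).is_global:
                return cand
    return None


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw):
    """Where the mail entered, whether From matches the envelope sender, and SPF."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    spf = (msg.get("Received-SPF", "").split() or ["missing"])[0].lower()
    return {"origin_ip": originating_ip(raw),
            "x_originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
            "from_domain": from_dom, "envelope_domain": env_dom,
            "from_mismatch": from_dom != env_dom, "spf": spf}
```

A From/Return-Path mismatch on its own is also normal for mailing lists and bulk senders; it points to a forged From only together with an absent or failing SPF result and an origin that does not belong to the From domain. Mail sent from a compromised webmail account leaves the provider's own servers and passes these checks, which is why the thread's real clue turned out to be the account's login alert rather than the header.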


Re: E-mail

Postby Mantari » Tue, 26 Jun 2012, 09:26

OK, found them - seems to be in America,
but is there anything we can do to stop it?


Re: E-mail

Postby VirusBuster » Tue, 26 Jun 2012, 11:10

Mantari wrote: OK, found them - seems to be in America,
but is there anything we can do to stop it?

I'm afraid not
Regards,



Re: E-mail

Postby Mantari » Tue, 26 Jun 2012, 14:13

Hi
It's not what I said earlier...

We looked into it a little further, as there was one e-mail sent out that was only used once and was only stored in the Yahoo address book, which got us thinking.

So we went into the Yahoo mail account, and the new notification icon in the Yahoo account (it's a bell in the top right of the screen, to the left of Go Mobile / My Y!) had an exclamation mark (!) in it. We clicked on it and it said that the account had been compromised by an unknown device, which was detailed as being in Poland.

My sister is now following the Yahoo steps to re-secure her account.


Re: E-mail

Postby VirusBuster » Wed, 27 Jun 2012, 07:37

Then the email account was hacked. The first thing you must do is change the password, but I believe that's one of the things instructed by Yahoo.
Regards,



Re: E-mail

Postby Mantari » Wed, 27 Jun 2012, 07:58

Yes, looks like it

Just out of interest: if the webmail is constantly open (my sister leaves the Yahoo mail open all the time), does leaving the web page open leave it more exposed to hackers, or does the hacking take place elsewhere on the net?


Thanks


Re: E-mail

Postby VirusBuster » Wed, 04 Jul 2012, 11:37

Sorry for the delay.
Mantari wrote: does leaving the web page open leave it more exposed to hackers, or does the hacking take place elsewhere on the net?

Not really, but it's not a good practice, as anybody who has access to the PC will be able to access the email account.
If you are not using it, always close the session.
Regards,

