
Re: [OT] web email acct compromised



On Sun, 25 Dec 2011 07:47:42 -0600, hvw59601 wrote:

> Recently one of my Yahoo accts was compromised. Mail was sent all over
> the place with nonsense, to LDU also.

> [. . . ]

> And how is an account compromised?

Looks like it's a growing trend to me. One of my friends was hit a while 
ago as well. Because she is not that tech savvy, I couldn't figure out 
how it actually happened either. Do you have any clue yourself? 

Don't worry if you don't. You are not the first victim. While I was 
trying to find the reason for her, I found the following, 

Am I sending out spam?
http://boards.straightdope.com/sdmb/showthread.php?t=633043

in which the OP says,

    "1) I'm ridiculously careful about that kind of stuff and I'm not sure 
I could be tricked into it.
    2) This is a seldom used account. It's not used for any social 
networking sites, I never would have typed in the username/password 
anywhere other than on the webmail page and my phone (it's a POP3 
account) . . ."

In other words, it is happening to those who are careful about such 
things. So any hints might help.

Judging from her email header, I can tell that the spammer was really 
able to get into her account and send email from within the Yahoo web mail 
interface to all her contacts, using an Android cell phone through the 
YahooMail Mobile phone Web Service. 

BTW, the spammer's IP address was 117.195.97.137, and the 117.195.96.0/20 
address block (117.192.0.0 - 117.207.255.255) belongs to BSNL Internet in 
India, according to a whois lookup.

Here is the full email header:

    Received: (qmail 62123 invoked by uid 60001); 20 Dec 2011 20:24:45 
-0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; 
s=s1024; t=1324412685; bh=Uerd3bJ2IEQlAxxINeFmfZ/RbZ1Dqn4BLyX/qf4QVRE=; 
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-
Version:Content-Type; b=mCaYOO18t1+C9xm1u0Fisd1s9fO5+MR6Mykku0cZMf9smq
+yg2Qx70hK8mdurk97PTUDW/OsJSnLugzArQQWiApnLVG/t+CIZr
+IAYdBNwFQXZ1lotAOpW1tGMtcMI6QjtFXZt9gYWOAHVamCYAKq0Vf4meMnfNGk88NisYQgE4=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=rogers.com;
    h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-
Version:Content-Type;
    b=pT7VarhBYaYQUGmhmthvyP7UjypmjidcaFIJO8yLX4FGZsqHbsy+iazsEfC1bWdo1rC/
djsMlFv6tuhEoKrzjLJ45sMmDDBuQWIXZpzZjMGw5ILVRsGPrp2OeS/WDTc9pvGS6dTFiU
+DjbFcWPCIncoOobSNVCSQVFdPmtQ7eKI=;
    X-YMail-OSG: JcRxq6EVM1nm3zKFcoOnAtEo23MwEaGh9nAQXyvg7XOo1J.
    tnKPDlwG_SvTEDpG8ylRTyTahWKUtOAxa4.bE_WiHzbvHbRxirSg5d3h.rjL
    LT84eL012aK0Fp835Z_7H0ahfrV6JIOlOJW_9PvPjOKllgMvEOwWbjuoOf8H
    SEUEfWQwcFbK7Oxn39c.APJmVwM5gk5ry77kt1f_pExbC9CS1TzUk_Wrw.su
    R9zfMRzAIcKKW0obEWK7d6BoeKiIhl2o5ndOOePZz7_NEoAvZKmqg5lIPSI9
    gM9jDmHVH8gS1rESp4qTSMukULc6u9d1b02PHCOum0i4g_zG4lUX7yWOIYJ3
    71qJl6YkJKjebVUt5.Ilemt2DxIy9DZ4CYTCB0eY.6itVYj7JeuS2fzvhse1
    s_wuKst.ftWlM7g34z..crd9VRL5vKoZw6SPwWII17p_XKk9mfo.a.FuZ1kW
    n0ovtEqD4ZyFbqCcRMcJjS0wx2CDmDzWx7ftt.KtZSOvl_NIvuGW9JeVK_w.
    WR4Ulzk.XiFfm3UOnBTilXKxSC_bBNubfwpzLKk1foQ--
    Received: from [117.195.97.137] by web88605.mail.bf1.yahoo.com via 
HTTP; Tue, 20 Dec 2011 12:24:44 PST
    X-Mailer: YahooMailWebService/0.8.115.331698
    Message-ID: 
<1324412684.53494.androidMobile@web88605.mail.bf1.yahoo.com>
    Date: Tue, 20 Dec 2011 12:24:44 -0800 (PST)
    From: ......
    Subject: I DID IT!

-- 
Tong (remove underscore(s) to reply)
  http://xpt.sourceforge.net/techdocs/
  http://xpt.sourceforge.net/tools/
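The header analysis Tong describes above (find the client IP in the webmail front end's Received: line, read the X-Mailer and Message-ID for the client type, then check the IP against the block whois returned) can be done mechanically. The following is an added example, not code from the post or from anyone on the list. It embeds the relevant lines of the header quoted above, re-folded the way RFC 5322 expects (continuation lines start with whitespace); the long DKIM and X-YMail-OSG values are left out because they play no part in the trace. The CIDR is the one the post quotes, not the output of a live whois query, and the parsing is deliberately simple (it only handles `from [ip]`, `from host ([ip])`, `by host` and `via proto`).

```python
"""Trace a webmail submission from its Received: chain and check the
originating IP against a CIDR block reported by whois.
Added example: not part of the original post."""
import ipaddress
import re

# Constructed sample: the header quoted in the post, trimmed and re-folded.
SAMPLE_HEADER = """\
Received: (qmail 62123 invoked by uid 60001); 20 Dec 2011 20:24:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com;
 s=s1024; t=1324412685
Received: from [117.195.97.137] by web88605.mail.bf1.yahoo.com via HTTP;
 Tue, 20 Dec 2011 12:24:44 PST
X-Mailer: YahooMailWebService/0.8.115.331698
Message-ID: <1324412684.53494.androidMobile@web88605.mail.bf1.yahoo.com>
Date: Tue, 20 Dec 2011 12:24:44 -0800 (PST)
Subject: I DID IT!
"""

# "from X (comment) by Y via Z" with every clause optional; hypothetical
# minimal grammar, enough for the hops in the sample above.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+(?:\s+\([^)]*\))?)\s*)?"
    r"(?:by\s+(?P<by>\S+)\s*)?"
    r"(?:via\s+(?P<via>\S+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Return (name, value) pairs with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:      # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(raw):
    """Parse Received: fields into dicts, oldest hop first.

    Each MTA prepends its own Received: line, so the header block reads
    newest-first; reversing it follows the message from submission onward."""
    hops = []
    for name, value in reversed(unfold(raw)):
        if name.lower() != "received":
            continue
        clause = value.split(";", 1)[0].strip()   # drop the timestamp
        m = RECEIVED_RE.match(clause)
        ip = IP_RE.search(clause)
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "via": m.group("via"),
        })
    return hops


def origin_ip(raw):
    """IP in the earliest hop that names one: the client behind the session."""
    for hop in received_hops(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


def submission_client(raw):
    """What submitted the mail, from X-Mailer and the Message-ID tag."""
    fields = {n.lower(): v for n, v in unfold(raw)}
    return {
        "x_mailer": fields.get("x-mailer"),
        "mobile": "androidMobile" in fields.get("message-id", ""),
    }


def in_block(ip, cidr):
    """True if ip lies inside the CIDR block reported by whois."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def block_range(cidr):
    """First and last address covered by a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    ip = origin_ip(SAMPLE_HEADER)
    print("origin IP:", ip, "client:", submission_client(SAMPLE_HEADER))
    print("in 117.195.96.0/20:", in_block(ip, "117.195.96.0/20"),
          block_range("117.195.96.0/20"))
```

Only the Received: line added by a server you trust is evidence; here it is the one stamped by web88605.mail.bf1.yahoo.com, which records the address the HTTP session came from, and the "via HTTP" plus the androidMobile Message-ID tag are what point at a logged-in webmail client rather than a relayed SMTP message. Anything below a hop you trust could have been written by the sender.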

