04-30-2012 11:49 AM
I have two email accounts. One gmail and one yahoo. I never use the yahoo one for email and never logon to the website. The only time I use the account is for messaging via trillain, triallian does a check to tell me if I have any email.
A little while ago I get a load of "MAILER-DAEMON@yahoo.com" emails.
Windows 7 (always up to date)
Firefox (always up to date)
Trillian professional (always up to date)
Norton 360 installed on this machine for over 2 years, it's always up to date and always doing idle time scans.
With Norton 360 on here for two years, I felt it was a password hack and not local machine compromise (keylogger). So I reset the password, I update my secret my secret questions and verify my backup email address.
I use lastpass, each site has a different 16 char password, using number's letters and symbols. I never type the passwords, it's either copy and pasted or automed entry via lastpass.
A few days later emails continue to be sent from my account.
I check to see if they are spoofs, but there are items in my "sent mail". I have a static IP address, I check yahoo activiti and it shows no other entries other than my own. It shows no browser activity at all, just messanger sign in activity. No other accounts, such as my gmail, have any problems.
I delete all my contacts and reset the password again. A week later a single email is sent and in my "sent mail" box, it has contacts in the list that I deleted (I previously deleted all contacts). Again it only shows activity from my static IP address, it shows no browser login, just messeger login.
Either my machine is compromised and some how and Norton 360 does not know about it. Or some how it is possible to hack yahoo smtp without needing my most recent password. Or it's possible to trick yahoo into placing entries into a "sent folder" with spoof emails, without logging in.
Here is the header from an entry in my "sent mail". believe they are hacking SMTP "Received: from [188.8.131.52] by web161804.mail.bf1.yahoo.com via HTTP". But if so, how do they keep getting my password?
From Mark Proctor Sat Apr 28 23:21:01 2012
Received: from [184.108.40.206] by web161804.mail.bf1.yahoo.com via HTTP; Sat, 28 Apr 2012 23:21:01 PDT
Date: Sat, 28 Apr 2012 23:21:01 -0700 (PDT)
From: Mark Proctor <email@example.com>
Bcc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org, email@example.com,
Content-Type: text/plain; charset=utf-8
04-30-2012 02:35 PM
Welcome to our community.
Yahoo, like most e-mail providers nowadays, includes alternate mechanisms like account security questions to allow users who have forgotten their passwords to regain access. Unfortunately, these work equally well for hackers who have compromised your Yahoo password to regain access after you've changed it.
I recommend that you change your password again, to a different strong password---and at the same time, change your account security questions or any other mechanism that a user could employ either over the Internet or by telephone to "prove" they were you and get back in.
Let us know how this works out, and if you have any recurrences after following this process.
04-30-2012 03:18 PM
You do not mention any scans you have done. Have you done a full system scan in Safe Mode?
A second opinion is always useful, so you might want to try a full scan with the free version of MalwareBytes. Do not accept the free trial of the full version as it will install a resident scanner that will conflict with 360. You can find MalwareBytes here.
This can help eliminate problems local on your PC.