Newbie
mdproctor
Posts: 1
Registered: ‎04-30-2012

Yahoo Mail Repeatedly Hacked - Usual Fixes Don't Help.

I have two email accounts. One Gmail and one Yahoo. I never use the Yahoo one for email and never log on to the website. The only time I use the account is for messaging via Trillian; Trillian does a check to tell me if I have any email.

A little while ago I get a load of "MAILER-DAEMON@yahoo.com" emails.

My environment:

Windows 7 (always up to date)

Firefox (always up to date)

Trillian professional (always up to date)

Norton 360 installed on this machine for over 2 years, it's always up to date and always doing idle time scans.

With Norton 360 on here for two years, I felt it was a password hack and not local machine compromise (keylogger). So I reset the password, I update my secret questions and verify my backup email address.

I use LastPass, each site has a different 16 char password, using numbers, letters and symbols. I never type the passwords, it's either copy and pasted or automated entry via LastPass.

A few days later emails continue to be sent from my account.

I check to see if they are spoofs, but there are items in my "sent mail". I have a static IP address, I check Yahoo activity and it shows no other entries other than my own. It shows no browser activity at all, just messenger sign-in activity. No other accounts, such as my Gmail, have any problems.

I delete all my contacts and reset the password again. A week later a single email is sent and in my "sent mail" box, it has contacts in the list that I deleted (I previously deleted all contacts). Again it only shows activity from my static IP address, it shows no browser login, just messenger login.

Either my machine is compromised somehow and Norton 360 does not know about it. Or somehow it is possible to hack Yahoo SMTP without needing my most recent password. Or it's possible to trick Yahoo into placing entries into a "sent folder" with spoof emails, without logging in.

Here is the header from an entry in my "sent mail". I believe they are hacking SMTP "Received: from [95.59.206.65] by web161804.mail.bf1.yahoo.com via HTTP". But if so, how do they keep getting my password?

From Mark Proctor Sat Apr 28 23:21:01 2012
Received: from [95.59.206.65] by web161804.mail.bf1.yahoo.com via HTTP; Sat, 28 Apr 2012 23:21:01 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
Message-ID: <1335680461.30093.BPMail_high_noncarrier@web161804.mail.bf1.yahoo.com>
Date: Sat, 28 Apr 2012 23:21:01 -0700 (PDT)
From: Mark Proctor <m_proctor@yahoo.com>
Subject: hey
To: baarm8@aol.com
Bcc: mdsflmk2304sdfsdfk@mail.com, fb1911@yahoo.com, snuggles@clara.net,
    robert.macredie@brunel.ac.uk, nadinasmith@hotmail.com,
    anut617245@optonline.net, kate.taylor@thermofisher.com, jaisa2j@aol.com,
    baarm8@aol.com
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Length: 83

Mark
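
Added example, not part of the original post: the `Received` line in the header above records the client IP that submitted the message and the protocol it was submitted over ("via HTTP"), alongside the `X-Mailer` value. This Python sketch pulls those fields out of a saved sent-mail header and flags a submitting IP that is not one of your own; `KNOWN_IPS` holds a constructed placeholder because the poster's static IP is not given, and `submission_hops` is a hypothetical helper name.

```python
import ipaddress
import re
from email import message_from_string

# Header lines copied from the post above (X-YMail-OSG and Bcc left out).
SENT_HEADER = """\
Received: from [95.59.206.65] by web161804.mail.bf1.yahoo.com via HTTP; Sat, 28 Apr 2012 23:21:01 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
Date: Sat, 28 Apr 2012 23:21:01 -0700 (PDT)
From: Mark Proctor <m_proctor@yahoo.com>
Subject: hey

"""

# Constructed placeholder (documentation range); the poster's static IP is not on the page.
KNOWN_IPS = {"203.0.113.7"}

# Matches the hop format shown on the page: from [IP] by HOST via|with PROTO; date
HOP_RE = re.compile(
    r"from\s+\[(?P<ip>[^\]]+)\]\s+by\s+(?P<by>\S+)\s+(?:via|with)\s+(?P<proto>\w+)")


def submission_hops(raw_headers, known_ips=KNOWN_IPS):
    """Return one dict per parsable Received hop, flagging unfamiliar client IPs."""
    known = {ipaddress.ip_address(ip) for ip in known_ips}
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # hop written in a format this sketch does not cover
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed token was not an IP literal
        hops.append({
            "ip": str(ip),
            "received_by": m.group("by"),
            "protocol": m.group("proto").upper(),
            "mailer": msg.get("X-Mailer", ""),
            "unexpected_ip": ip not in known,
        })
    return hops


if __name__ == "__main__":
    for hop in submission_hops(SENT_HEADER):
        print(hop)
```

Run over every message in the sent folder, this gives a list of submitting IPs and protocols to compare against the account's login activity page.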

DistEd2
Posts: 1,514
Kudos: 315
Solutions: 68
Registered: ‎08-11-2011

Re: Yahoo Mail Repeatedly Hacked - Usual Fixes Don't Help.

Hi, mdproctor,

Welcome to our community.

Yahoo, like most e-mail providers nowadays, includes alternate mechanisms like account security questions to allow users who have forgotten their passwords to regain access. Unfortunately, these work equally well for hackers who have compromised your Yahoo password to regain access after you've changed it.

I recommend that you change your password again, to a different strong password---and at the same time, change your account security questions or any other mechanism that a user could employ either over the Internet or by telephone to "prove" they were you and get back in.

Let us know how this works out, and if you have any recurrences after following this process.

peterweb
Posts: 4,623
Kudos: 527
Solutions: 180
Registered: ‎04-17-2008

Re: Yahoo Mail Repeatedly Hacked - Usual Fixes Don't Help.

Welcome mdproctor

You do not mention any scans you have done. Have you done a full system scan in Safe Mode?

A second opinion is always useful, so you might want to try a full scan with the free version of MalwareBytes. Do not accept the free trial of the full version as it will install a resident scanner that will conflict with 360. You can find MalwareBytes here.

This can help eliminate problems local on your PC.


Things happen. Export/Backup your Identity Safe data.