AOL Account Hacked
 

It looks like someone hacked my AOL account and sent spam to all my address-book contacts, around 1:45 PDT this morning. Apologies to those of you who got garbage-mail alleging to be from me as a result.

Since I use the free webmail service, AOL customer service has been utterly unhelpful ... I changed my password, not sure what else I can do short of closing the account. (Which I don't want to do, since it's been my personal e-mail for many years and is in so many links and contact-me settings for me.

I'm pretty certain this was direct hack of my account in terms of accessing the address book stored on the AOL server(s) - if it were a virus infecting my work PC I would've expected it to grab address from my outlook contacts, but all of the ones used are stored on the AOL server and many don't exist in my Outlook contacts. My 2 home PCs are only connected to the internet extremely infrequently, since I am rigorous about keeping the internet out of my weekends.

Any suggestions as to what-else-to-do are appreciated. I looked for any account options that would allow send restrictions, no luck. Parental controls? Couldn't log in - probably another paid-subscriber-only feature.

!#%^%@#$#@$ spammers...

-E

As one of the recipients, I had to laugh at it considering that you started [URL="http://www.mersenneforum.org/showthread.php?t=8110&highlight=spamr"]this thread[/URL]. Granted it was not a 419 type spam, but the irony was rather funny.

I had a similar problem in the past with Road Runner (by Time Warner, which owns AOL) in which someone forged my e-mail address. I know it was forged (as opposed to a virus) for two reasons. First, I have a Mac. Second, none of my contacts got the spam.

In any case I hope that your problems with the account have been resolved.

[quote=ewmayer;212458]Since I use the free webmail service, AOL customer service has been utterly unhelpful

< snip >

Any suggestions as to what-else-to-do are appreciated.[/quote]A couple of years ago, Bruce Schneier ([URL]http://www.schneier.com/[/URL]) wrote about e-mail accounts in one of his Crypto-Gram newsletters.

The main point I recall was that he advised using a paid e-mail service, not a free one. Free e-mail services have less incentive to work to prevent problems, and less incentive to fix them properly once they happen, than a subscription service would.

[quote=cheesehead;212466]A couple of years ago, Bruce Schneier ([URL]http://www.schneier.com/[/URL]) wrote about e-mail accounts in one of his Crypto-Gram newsletters.

The main point I recall was that he advised using a paid e-mail service, not a free one. Free e-mail services have less incentive to work to prevent problems, and less incentive to fix them properly once they happen, than a subscription service would.[/quote]
Yes, but they also cost money.
What my family does is we pay for(for 3 pounds a year i think) a domain name with which we redirect emails to wherever we want. We have changed email provider many times when we have had problems or changed ISP and havn't changed email address.

I suppose what you could do, since you don't want to get rid of the AOL address due to its being your long-established point of contact, is to have it forward to some other address that you have more direct control over (or at least which is more secure). Is it possible to do that with free AOL? (I know it's possible with free Gmail, but then again, they tend to be the exception with regard to such features as compared to other free webmail providers, so that may not be the case for you.)

Once your actual point of access is out of the AOL account, you could then delete your address book entries, etc. from there and change your password to something long and random (since you won't have to enter it much). That would make it harder for someone to attack it and also minimize the damage if someone did manage to get in.

maybe a hater of david hasselhoff...?

Do you want to redirect everything to a mersenneforum.org email address?

Since you have access to the DH forum this is an option for you.

Another possibility is to consolidate all of your email addresses into Google Mail. We have probably 20 email addresses tied to ours. Even if AOL cannot forward emails, Google can pull them in for you.

[SIZE=1]PS - Your password (12345) was probably a bit too short.[/SIZE]

[QUOTE=Xyzzy;212497][SIZE=1]PS - Your password (12345) was probably a bit too short.[/SIZE][/QUOTE]He did change the default password. It is now password1.

I would recommend making sure you don't have any passwords saved in emails that are under that account.

Another thing to be weary of is the fact that there may have been emails that came from places you hadn't requested your password from in the past (forgotten password) which an attacker could have seen, used to request one and then covered their tracks.

Obviously as there was a spam email sending spree this is far more unlikely!

Also might be an idea to investigate how it might have happened... Keylogger? Trojan? Login from public net? (very common) or direct attack on your account?

...Well you did ask for suggestions!


Personally I am extremely weary of email security and am constantly berating (in the nicest possible way :P) friends and family about leaving things that could potentially be a password database unsecured. (although now my mum is a bit overly cyber security aware lol)

Weary, wary or both?

[QUOTE=davieddy;212516]Weary, wary or both?[/QUOTE]

wary.

[QUOTE=Xyzzy;212497][SIZE=1]PS - Your password (12345) was probably a bit too short.[/SIZE][/QUOTE]

1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

[quote=ATH;212551]1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage![/quote]Your luggage is much more secure than mine, then. There's only four digits on my case 8-(

Paul

[QUOTE=Uncwilly;212505]He did change the default password. It is now password1.[/QUOTE]

Actually, it's "mypass" ... you're thinking of my online banking account. ;)

Thanks for the suggestions, all - I'll start culling my online address book in the coming days, to at least give would-be intruders fewer spam targets in future.

In the meantime, no new outgoing spams in the past 24 hours, so fingers crossed that the password reset locked the intruder out.

[QUOTE=henryzz;212472]Yes, but they also cost money.
What my family does is we pay for(for 3 pounds a year i think) a domain name with which we redirect emails to wherever we want. We have changed email provider many times when we have had problems or changed ISP and havn't changed email address.[/QUOTE]
Same here. Then when I sign up for something I create a new redirect specifically for that website. If I start getting spam I know where the leak was and can just delete/change that address.

Anyone is welcome to attempt to assume my identity.

3 guesses what my password is.

Hint: This purports to be a maths forum.

Jamie Blandford

David (oops:smile:)

[URL]http://www.youtube.com/watch?v=OmOe27SJ3Yc[/URL]

[QUOTE=ATH;212551]1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage![/QUOTE]

6:17 - 6:50:
[URL="http://www.youtube.com/watch?v=AcY090XV284"]http://www.youtube.com/watch?v=AcY090XV284[/URL]

[quote=Xyzzy;212497][SIZE=1]PS - Your password (12345) was probably a bit too short.[/SIZE][/quote]
And the answer to your security question - "I met my significant other in Wasilla, AK" was a bit too obvious.

[quote=ewmayer;212458]It looks like someone hacked my AOL account and sent spam to all my address-book contacts, around 1:45 PDT this morning. Apologies to those of you who got garbage-mail alleging to be from me as a result.

Since I use the free webmail service, AOL customer service has been utterly unhelpful ... I changed my password, not sure what else I can do short of closing the account. (Which I don't want to do, since it's been my personal e-mail for many years and is in so many links and contact-me settings for me.

I'm pretty certain this was direct hack of my account in terms of accessing the address book stored on the AOL server(s) - if it were a virus infecting my work PC I would've expected it to grab address from my outlook contacts, but all of the ones used are stored on the AOL server and many don't exist in my Outlook contacts. My 2 home PCs are only connected to the internet extremely infrequently, since I am rigorous about keeping the internet out of my weekends.

Any suggestions as to what-else-to-do are appreciated. I looked for any account options that would allow send restrictions, no luck. Parental controls? Couldn't log in - probably another paid-subscriber-only feature.

!#%^%@#$#@$ spammers...

-E[/quote]

The solution is quite simple: Don't use AOL.

Mildly concerned
 

Recently I have got several messages from [EMAIL="postmaster@mail.hotmail.com"]postmaster@mail.hotmail.com[/EMAIL]
informing me that the recipient of the email (I didn't send) was unknown.

I smell a rat somewhere.

Have I got bird flue or swine fever?
Or is an oil slick less newsworthy than a failed car bomb in Times Square?

David

[quote=davieddy;214010]Recently I have got several messages from [EMAIL="postmaster@mail.hotmail.com"]postmaster@mail.hotmail.com[/EMAIL]
informing me that the recipient of the email (I didn't send) was unknown.

I smell a rat somewhere.

Have I got bird flue or swine fever?
Or is an oil slick less newsworthy than a failed car bomb in Times Square?

David[/quote]
Quite commonly, spammers will use email addresses picked from their harvested lists in the From: fields of spam--thereby ensuring that the emails come from a valid address (therefore defeating some rudimentary screening methods), and also serving to divert the attention of less computer-savvy folks (who are unaware of how easily a From: field can be forged) to the wrong target.

Many MX servers (SMTP servers that accept incoming mail to a domain) will flat-out reject an email to a nonexistent account, thus allowing the sending SMTP server (in this case the spammer's mailer) to know right away that the address it tried is invalid and give up. However, others will accept the email without checking it, and [I]then[/I] check the address's validity afterwards. If it turns out to be bad, it sends a bounce email--referred to technically as a [I]delayed bounce[/I]--back to the address listed in the From: field on the message. Of course, this means that if the From: address is forged, the innocent holder of that address (in this case you) will receive the bounce message. From what I've seen in the past Hotmail does participate in this not-ideal practice of sending delayed bounces, so that would be consistent with the bounces you got.

Note that this is not to be confused with the bounce messages you normally get from an ISP's mail server: those are just [I]relay[/I] servers between your computer and the destination MX server, and therefore cannot check the address's validity themselves (unless the recipient's entire domain is nonexistent, in which case they'll usually reject the message flat-out producing an appropriate error dialog box in the sender's mail client). They have to first accept the message for relaying, then try to send it to the destination MX--and if that rejects the message, it will return a bounce to the sender. Note that if the destination MX does delayed bounces, as described above, then the ISP relay server (now in the place of the spammer in my earlier example) has no idea the message didn't go through and therefore you don't get a bounce from them, but rather from the MX.

So, to summarize: if you're receiving bounces of messages you didn't send, it doesn't mean someone's hacked into your account. What's much more likely is that you're on the mailing list of some spammer who's forging emails in your name.

[quote=mdettweiler;214014]...it sends a bounce email--referred to technically as a [I]delayed bounce[/I]--back to the address listed in the From: field on the message. Of course, this means that if the From: address is forged, the innocent holder of that address (in this case you) will receive the bounce message.[/quote]
Indeed, over one weekend in April 2008, my email at the company received ~1.3 [I]million[/I] bounces (sic!): they started arriving early Saturday and poured steadily over two days from every country in the world. Thousands out of the million crept through the spam filter, so even the filtered box was all aflame. Sad, but true story. Needless to say, first thing on Monday, that email had to be invalidated and I was given another one. (I've taken a small cross-analysis of pre-bouncing original accounts -- they, too, were from all over the world. Some worm used my email for "From:" - in a bundle of thousands others. The worm was apparently spread and activated on that April Saturday morning.)

Aftermath: there are probably some corners of the world where my name is still synonymous with certain ED remedies. Or hopefully not. And never again I registered to any conferences with anything other than a single-use throw-away yahoo account.

[QUOTE=Batalov;214018]And never again I registered to any conferences with anything other than a single-use throw-away yahoo account.[/QUOTE]
For one shot forum registrations etc. I can recommend using something like
[url]http://www.trash-mail.com/[/url]
Just type a fantasy email address and get the reply you are waiting for.
(Don't use it for important things because everybody can read the reply.)

[QUOTE=rudi_m;214020]For one shot forum registrations etc. I can recommend using something like
[url]http://www.trash-mail.com/[/url]
Just type a fantasy email address and get the reply you are waiting for.
(Don't use it for important things because everybody can read the reply.)[/QUOTE]I used a service several years ago that had 1 hour and/or 1 day e-mail accounts.