Spam being sent from my account?

Can anyone work out what's going on here and what I could/should do about it?

The 'Sent' folder on my Gmail account contains 150 emails which were sent in a burst between 18:41 and 21:03 on May 27th, all of which are obviously spammy and were definitely not sent by me. Curiously, they were all sent to one of just 4 different email addresses. Here's a screen shot from my Sent folder before I marked them all as spam:

11727-1433236542-39929534b125dd06ba15fe1fa6eb555f.jpg


Here are some screen shots of the actual messages, showing that the claimed senders are all different, but all with my email address:

11728-1433236856-495819ccf4d1b1c84ff87851312fa40c.jpg


I've also looked at the gobbledygook plain text headers of the emails. They don't mean anything to me but they might mean something to somebody else. Here are the headers from a random spam email and a random genuine one which I actually sent myself:

11729-1433237216-3c02b0a236e02092a255689ebcc1a67a.jpg


Can anybody work out from this information what might have happened?

Thanks in advance for your help.
 
Have you clicked on any links in unusual emails recently?
 
Run Malwarebytes to get whatever has hijacked your email would be my first choice
 
Run Malwarebytes to get whatever has hijacked your email would be my first choice
So you're suggesting that there is some malware running on my PC? This can't have been done remotely?

I have Norton Anti Virus running on all the PCs in the office but I'll give Malwarebytes a try.
 
Change your password, job done!
 
Change your password, job done!

I had something similar. I was getting swamped with undelivered mails all being returned to me. Spoke to ISP and they suggested changing passwords. Sorted.
I wasn't given an explanation of what had gone on, but I probably wouldn't have understood the geek speak anyway. Change your password and all "should" sort itself out.
 
If you are worried about malware then install Malwarebytes. The full version only costs about £20 and could be classed as a legitimate business expense.
 
Run the malware checker purely as a precaution - the only time I've had this happen, it was (as has been mentioned) down to the password.... I changed it, beefed it up to 2-step authentication and (touch wood) never had an issue again.
 
Both are the things you need to do... someone has hacked your account :D

Would also run a startup time virus scan (y)
OK.

But I use my email account on several computers. Running additional anti-virus measures on all of them is going to be a real pain if I don't actually have any malware. Is there any way of telling whether the account hack has been done remotely (eg by my password being compromised, somehow) or whether it's done via malware on a PC which I control?
 
OK.

But I use my email account on several computers. Running additional anti-virus measures on all of them is going to be a real pain if I don't actually have any malware. Is there any way of telling whether the account hack has been done remotely (eg by my password being compromised, somehow) or whether it's done via malware on a PC which I control?

The most likely situation is password hack and not computer compromise (depending on visited sites and things downloaded/installed).... I know with Hotmail servers you can see where the last login was from (Global+Local Location) so you can easily tell if it was you that logged in. Hopefully your email servers have the same reverse lookup.

Agree it's a PITA but ultimately something that needs to be done.
 
OK.

But I use my email account on several computers. Running additional anti-virus measures on all of them is going to be a real pain if I don't actually have any malware.
It's a pain but it's a reality. Why lock the front door and then leave your back door wide open...
 
So you're suggesting there is NOT malware running on my PC?

On what grounds do you offer that diagnosis?

I had this a year or two ago, Malwarebytes et al never found a thing.

Changing my password sorted the problem.

Not the faintest idea whether malware is running on your PC but always best to check it occasionally with Malwarebytes.
 
It's a Gmail account, the spammer doesn't need to be on your PC. If you change your password and it doesn't stop it probably is on your PC.

The simplest cause is someone's cracked your password and is using your Gmail account from another location. Occam's Razor. So change your password and see what happens.


But run the malware scans anyway. It's possible that your password was grabbed by a piece of malware and sent out from your PC and that's how this started. Change *all* your passwords as once one has been compromised in this way you can't trust any of them.
 
Are you quite sure these are/were in your 'Sent' folder? ('Received' folder would simply imply forged headers).
The most likely explanation, if they were in your 'Sent' folder, is that your Gmail account has been hacked and you need to change your password, HOWEVER, do you really want to risk your network possibly being infected just because it's an inconvenience to scan your computers? :)
 
Oh yes, forgot to mention: check settings, as they may have set up alternative email addresses under account management which may get details when changing your password. :D
 
Somebody or something has guessed/hacked your password I reckon.

Change it and update it on any device which uses mail.
 
Check your email address here
https://haveibeenpwned.com
But the best is just to change your password anyway, as already suggested.
 
Run the malware checker purely as a precaution - the only time I've had this happen, it was (as has been mentioned) down to the password.... I changed it, beefed it up to 2-step authentication and (touch wood) never had an issue again.


:agree:
 
According to that site @StewartR your account has been hacked into.
Change your Adobe account password as well.

You weren't using the same password for Adobe and gmail, were you?
 
Technically not, but basically what has happened.
There is a world of difference between saying "your account has been hacked into" and the reality that his information was contained with 153 million others in the Adobe leak.
 
So it's you sending all this nonsense. You b*****d :p

Have you got an android phone? Could that be compromised and sending the emails?
 
Thanks for the suggestions, everyone.

It's enormously frustrating not knowing how this might have happened. Yes I can check for malware on all the PCs I use, and yes I can change my passwords. And that will almost certainly stop the problem. But the problem has already stopped; there was that one brief burst of activity several days ago and nothing since. So the best I can hope for is that it won't happen again, and presumably after a period of time without trouble I'll conclude that it looks like it isn't going to happen again.

But the thing is, I'm reasonably careful with computer security and yet still this happened somehow - and I'd like to know how, if only so that I can make sure it doesn't happen again. At the very least, does anybody know of a way to tell from the headers of the spam emails whether or not they originated from my PC?

So far I've downloaded and run Malwarebytes on my main office PC and it found absolutely nothing. I'll run it on the home PCs tomorrow morning. I've changed my Gmail password and I'll look at whether I need to change others. Apparently I have 134 passwords saved in Google Chrome. Most of them I don't really care too much about: I'm not really bothered if someone hacks into my TP account, or accounts with various online retailers, because they couldn't really do any harm. But I'll change the really valuable ones.
 
According to that site @StewartR your account has been hacked into.
Change your Adobe account password as well.

You weren't using the same password for Adobe and gmail, were you?
I didn't even know I had an Adobe account. It's nothing I care very much about so it probably has the same weak password that I use for all sites which I don't care about and which allow weak passwords. But it wouldn't have been the same password as Gmail: that's a strong one.
 
So it's you sending all this nonsense. You b*****d :p
Yes, but only if you are jrprince, kimberwo, isomsbox and/or kristyl1. I've sent tons of varied spam to them, but to nobody else.

Actually, that's a bit odd, isn't it?
Have you got an android phone? Could that be compromised and sending the emails?
Yes to Android phone. Not sure about it being compromised. I've never lost it and it's protected with a join-the-dots PIN thing, so I very much doubt it's been compromised physically. Could it be compromised remotely? I have no idea. How would I tell?
 
Is that Malwarebytes? :thinking:
Nope.

@StewartR you seem to have a very lax attitude towards security and it doesn't present you or your business in a great light imo. For what it's worth the mail originated from Vietnam and was sent via PHPMailer so it's unlikely it came from any of your PCs. It was probably a test send to see if it got a good hit; it did, and if you hadn't noticed I would have expected a lot more spam to have been sent the next time around.

Precautionary scans / clean up of everything inside your network and any extra devices that you've used the Gmail account on is a good first step. When people mention your phone security they don't mean physical security, they are talking about compromised apps that may have been installed and leeched information from your phone. They may be seemingly legit apps from the Play store or third party sources. Or maybe you've just been caught out by a traditional e-mail borne threat. Opened any xls / xps / doc attached recently for invoices / quotes that you weren't expecting?

My advice: change all your passwords, invest in more robust security policies, and don't just rely solely on Malwarebytes; it does miss things but is still a good layer of security. Norton doesn't do business / corporate grade products, which suggests you're using home solutions to protect your business. You'll probably be breaking the EULA by doing so as well (Malwarebytes Free / Premium is not permitted for business use). Invest in something that is appropriate for your usage and level of protection.
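An added example, not part of the original post or thread: one way to check from raw headers whether a message left one of your own machines is to read the mailer field and the earliest non-loopback hop in the Received chain, then compare that address with networks you know are yours. The header text and IP addresses below are constructed samples using documentation ranges, and `KNOWN_NETWORKS` is a hypothetical allow-list.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample headers (documentation-range IPs, not taken from the thread).
SPAM_HEADERS = """\
Received: from mailhost.example.net ([203.0.113.45])
        by smtp.gmail.com with ESMTPSA id constructed-1;
        Wed, 27 May 2015 11:41:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by mailhost.example.net with ESMTP id constructed-0;
        Wed, 27 May 2015 18:41:05 +0000
X-Mailer: PHPMailer (constructed sample)
From: "Some Other Name" <owner@example.com>
"""
GENUINE_HEADERS = """\
Received: from office-pc ([198.51.100.23])
        by smtp.gmail.com with ESMTPSA id constructed-2;
        Tue, 26 May 2015 02:15:30 -0700 (PDT)
X-Mailer: Microsoft Outlook 15.0
"""
KNOWN_NETWORKS = ["198.51.100.0/24"]  # hypothetical: your office/home public IPs
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(msg):
    """Earliest non-loopback IP in the Received chain, or None."""
    # Servers prepend Received lines, so the last header is the first hop.
    # Hops recorded before your own provider's server can be forged.
    for hop in reversed(msg.get_all("Received", [])):
        for text in IP_RE.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue
            if not ip.is_loopback:
                return ip
    return None

def analyse(raw_headers, known_networks):
    msg = message_from_string(raw_headers)
    ip = origin_ip(msg)
    nets = [ipaddress.ip_network(n) for n in known_networks]
    return {
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "origin_ip": str(ip) if ip else None,
        "from_known_network": ip is not None and any(ip in n for n in nets),
    }
```

A mailer string you never use combined with an origin address outside your own networks points to stolen credentials used elsewhere rather than software on your PC.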
 
If you use Gmail via the website, gmail.com then it's unlikely to be malware on your machine that's sending out spam, not a piece of actual installed malicious software at least, more they have your password and are using that elsewhere to send out spam.

If you have Outlook or similar program installed you use for mail then there could be some malware hijacking and sending out through this.

If you use Gmail.com via the website then it's going to be that your password is compromised and you just need to update it. I would also check in your Gmail Filters to make sure there haven't been any set up to forward on mail to anyone untoward. It's very easy to set up a Gmail Filter rule to just forward on any password resets to a 3rd party and they can get access all over again.

Link to Filters : https://mail.google.com/mail/u/0/#settings/filters

Another good thing to check in Gmail is the Details link in the very bottom right-hand corner of the page; this will show you a window with all the connections into your Gmail account. If there's a link from Botswana or somewhere random then that's going to confirm someone knows your credentials.
 
PITA I know but all high security access sites usually require at least an 8 digit/character password to include capitals, lower case, numbers and symbols and to change this every fortnight. I have one which unreasonably requires 15 characters....

Worthwhile though for the business.
 
Yes, but only if you are jrprince, kimberwo, isomsbox and/or kristyl1. I've sent tons of varied spam to them, but to nobody else.

Actually, that's a bit odd, isn't it?
Yes to Android phone. Not sure about it being compromised. I've never lost it and it's protected with a join-the-dots PIN thing, so I very much doubt it's been compromised physically. Could it be compromised remotely? I have no idea. How would I tell?
It could be a rogue application that is installed with access rights to your phone. It wouldn't be the first time.

I'm not sure whether Google has stepped up and vets the applications on the store these days but it is another possibility.
 