[lug] Hacked e-mail accounts

David L. Anselmi anselmi at anselmi.us
Wed Nov 17 01:42:20 MST 2010


John Dollison wrote:
>
> Lately I've seen a rash of hacked e-mail accounts among neighbors, coworkers and friends.  It
> even happened to my son.  In each case, it was clear that it wasn't just a faked "From / Return
> To" address; someone actually had access to the victim's address book, and the offending e-mail
> showed up in the victim's "Sent" folder.  In each case the victims told me they were running an
> up-to-date anti-virus program and a full system scan did not detect anything on their system
> (although I suppose it's possible there's some new malware out there that can avoid detection).

I've gotten two of these this week.  My guess is that it has nothing to do with the victim's 
computer--it's their email account on Yahoo or wherever.

> But I'm still not clear on exactly how these accounts are being hacked.  Is someone cracking
> their passwords?  Finding a back door into Yahoo?  Grabbing them with a "man in the middle"
> attack?  Any ideas?

It seems to be unauthorized use of email accounts used via the web.  So maybe there's another reason 
to run your own mail server--go Freedom Box!  At least on your own server you can choose two-factor 
authentication if you want it.

Any chance that the big mail providers allow public keys or certificates for authentication?  How 
about SecurID or other one-time passwords?  Anything better than a password?  (I don't know whether 
OpenID counts as better.  I haven't figured out how those work yet.)

> Not PLEASE, DO remove my email address when forwarding. It's like wearing a condom; it reduces
> your chances of catching a virus. And learn to use 'BCC'; it could save your computer... or
> mine. http://www.nopeddlers.com/email-safety-tips.php

First, I'd say that if you're getting ready to remove email addresses you should stop and not send 
the message.  What are the odds that I want to see something that a random acquaintance of yours 
sent to everyone they know?

Second, the spammers have my email address, and my IP address.  So it doesn't bother me if my 
address appears on email I send.

If you have something to send to many people who don't know each other, *DO* use BCC.  It's polite 
not to tell your crazy cousin how to reach me.  Especially if you might not want him telling me what 
he thinks about your message.  And it makes the message shorter for the recipients.

If you're forwarding a message (like this one), *DO* leave the sender's email in it (all the way 
back through the chain).  We might get fewer stupid "have you heard about this???!!!" messages if we 
knew who said it first and who thought it was worth forwarding.  If you can't trace who said it 
first *DON'T* forward it.

Not to mention, this message is copyrighted by me.  People who get this should know that I wrote it 
(except for the parts you wrote, which don't have your address, which I don't worry about because 
it's in the archives).

Dave


