
Reasoned (macrumors newbie, original poster; Dec 28, 2010; Eastern USA)
I've been looking around and didn't see this addressed. Emails were sent from my yahoo acct. to everyone on my contacts list. Obviously I let something onto the laptop I shouldn't have. :confused:

Called Yahoo and changed the password, and unsubscribed to the few newsletters I get. (nothing weird, NPR, Wayside gardens, USDA, etc.) Each email that was generated had nothing in the subject header, and the content consisted of a link to a site. All content was different, and all links were nonfunctioning. There was no record in my sent box of any of these.

The only thing in common was an admin from a messageboard mentioned I wasn't the only person with the problem, as they had been notified by other members.

What is it, and how do I get rid of it? I did read the section containing info on Malware & Trojans. Lots of it went over my head. Especially the Keychain thing.

Any assistance would be appreciated.
(if this is in the wrong section I apologize)
 
This will sound like the world's dumbest question, how?
If you don't have a complex password, they can guess it. It has nothing to do with your Mac or malware of any kind. They simply hacked your email account password.
 
Sorry, let me clarify, did it come in on a received email? Since I save emails in folders, will this happen again because I haven't trashed everything?
Are these generated off site, while my computer is on at night? or from something hiding in my email acct?

(for the love of...I sound like a moron...sigh)
 
Sorry, let me clarify, did it come in on a received email? Since I save emails in folders, will this happen again because I haven't trashed everything?
No, that has nothing to do with it. Make sure your email password is long and complex, with upper and lower case letters, numbers and, if accepted by your email server, special characters. It's also a good idea to change your passwords on a regular basis, every few months or at least once a year.
 
Thank you for the speedy answers.
I was looking to do what was recommended in the malware thread.

17) For those needing extra email security (worried about emails being accessed while logged in):

- Do NOT keep copies of emails for offline viewing and move the keychain entries for the email accounts from the login keychain to a keychain that does not remain unlocked. This is easy to set up if using IMAP email accounts with Mail.app.

a) In the "Advanced" setting for the email account in Mail.app preferences, set "Keep copies of messages for offline viewing:" to "Don't keep copies of any messages."

b) And, in the "Mailbox Behaviors" setting for the email account in Mail.app preferences, enable "Move deleted messages to the Trash mailbox," set "Permanently erase deleted messages when: Quitting Mail," and do not enable "Store deleted messages on the server."

c) Also, do not enable "Store sent messages on the server" but set "Delete sent messages when: Quitting mail." Note: make sure to manually save all emails as drafts before being sent or the autosaved drafts will not be deleted once the email is sent; this is a glitch in Mail.app.

Storing the "~/Library/Mail" folder in an encrypted disk image (see #18) and using an alias in the folder's place is effective in securing your emails if you need to keep local copies for offline viewing.

I know you all aren't here for a yahoo-tutorial, but I couldn't find the advanced settings. Is there an internal one on the Mac? Or does this only apply if I'm using Thunderbird?
 
A friend thought it was something else....so I'm including the source code provided. Please let me know if you think it's more than a hacked email password. I only deleted email addresses from this.
My friend was wondering:
I'm wondering if maybe all of our mails came from the compromised machine and a bot or script is generating mails from our accounts.

From - Sat Jun 04 06:19:28 2011
X-Account-Key: account5
X-UIDL: GmailId1305968eb9a4b9ad
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: $label4
Delivered-To:
Received: by 10.231.59.134 with SMTP id l6cs25799ibh;
Fri, 3 Jun 2011 23:48:27 -0700 (PDT)
Received: by 10.231.215.140 with SMTP id he12mr4130655ibb.57.1307170106958;
Fri, 03 Jun 2011 23:48:26 -0700 (PDT)
Return-Path:
Received: from nm13-vm0.bullet.mail.bf1.yahoo.com (nm13-vm0.bullet.mail.bf1.yahoo.com [98.139.213.79])
by mx.google.com with SMTP id z9si6930219ibd.14.2011.06.03.23.48.25;
Fri, 03 Jun 2011 23:48:25 -0700 (PDT)
Received-SPF: neutral (google.com: 98.139.213.79 is neither permitted nor denied by best guess record for domain of ) client-ip=98.139.213.79;
Authentication-Results: mx.google.com; spf=neutral (google.com: 98.139.213.79 is neither permitted nor denied by best guess record for domain of ) smtp.mail=; dkim=pass (test mode) header.i=@yahoo.ca
Received: from [98.139.212.148] by nm13.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [98.139.212.229] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [127.0.0.1] by omp1038.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 554714.74866.bm@omp1038.mail.bf1.yahoo.com
Received: (qmail 58153 invoked by uid 60001); 4 Jun 2011 06:48:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.ca; s=s1024; t=1307170105; bh=hSgZ9A05dQLTNODNLp0BeLFtSmug6W2J8RcCArf2dY8=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:To:MIME-Version:Content-Type; b=JosRH66wrMfIrScCoRT3Y1DbL0OT283DllGnY++Q2JDfsTFAAnVOm4UDfoWVhvNHvDWP2wRh3z5ira2KeDK5CifDOQZOTq6eKvb3cwWn1IUf3OUbuwRKWJJBm+BEgGrWGNghMPefxYGvlp5BiNhzIZRqrk3nNEdNRI31UAQFNJ4=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.ca;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:To:MIME-Version:Content-Type;
b=KxskND2uG9mK3PnyXImPgGgCXoNBgKYdT7J26tCPpvoqaET5hzU8wZmauiqNfApKvKst6XruK2a51NStASuiFi31N61V90hYx15ofiKmXlzMtpRKBLXZHwamnnLPGZPZ1Phz403ISRCdFsjgBXZgr2NtqdTnEwtjsNYJtQuuoAM=;
Message-ID: <364288.54616.qm@web161301.mail.bf1.yahoo.com>
X-YMail-OSG: wSZl_0sVM1md.zIBKH8HMs9S.Zrr24bYhqyAJlyorKXDq3n
7mncvhuII0po1PxKzEf_XZqPYsP_Qn.N4bTz.KfpxT9bldas6_X0UJ0hMpDm
9rS5.xyh_xl7yva5yeFwISxavQP6zVpF5cHUqbwjsgLDt17MT9_kqhpI2wuD
lCzfmC7zWkno2JorPoQtf868b.j92Jh6me2xETWOfKaeyYCyAMkXYfS42QKh
0XbdezsTJcCJA4DtO5u1Nxdwep1PhOsQ0oqjTR3VEm2a0ao4CnXD6zlxBZNn
OTSjtyjNFn1aJA.8G_BmJtzX9_Y_fH_z8q8gsNAMGwWZddvWN3ceZz9Z29lO
EXf5eytGIWtTVt38.7N3yndKdmj2Z4BlLbAS21g7_oK64fv9kURWLwVlRy_.
wLxU7xEbYx0GVP3Tw0u.crqlQysEGZVEAhJiB5EHoeSc3
Received: from [62.87.129.139] by web161301.mail.bf1.yahoo.com via HTTP; Fri, 03 Jun 2011 23:48:25 PDT
X-Mailer: YahooMailWebService/0.8.111.304355
Date: Fri, 3 Jun 2011 23:48:25 -0700 (PDT)
From:
To:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-83759194-1307170105=:54616"

--0-83759194-1307170105=:54616
Content-Type: text/plain; charset=us-ascii

http://www.ambiente-villas.com/find11.html
--0-83759194-1307170105=:54616
Content-Type: text/html; charset=us-ascii

<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><div>http://www.ambiente-villas.com/find11.html</div></td></tr></table>
--0-83759194-1307170105=:54616--
 
It's 7:30pm on a Saturday night, so it's a little unreasonable to be expecting an answer in under an hour.

Based on those headers, the emails were sent through Yahoo's webmail from somebody in Poland. As said, they certainly didn't go through your Mac, and in all likelihood getting your webmail password compromised had nothing at all to do with your Mac--it was probably just a simple password crack.

The instructions you quoted are specifically related to Apple's built-in Mail.app mail client. If you're using Thunderbird, the settings will be somewhat different. If you're only using webmail, they're completely irrelevant--those only apply to locally-stored email.

Regardless, those instructions are only for people who are tremendously paranoid about having their computer stolen or their email hacked into (such as yours was, via password compromise) and having their old email read. Almost nobody has reason to be that paranoid, and frankly if you WERE that paranoid, you should probably be using something more secure than email for communication--email is inherently VERY insecure when it comes to being intercepted in-flight.

For your case, just make sure you use a strong password, as previously explained, and don't download anything sketchy or reply to phishing emails.
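To show what the header analysis above actually reads off, here is an added Python example (not from the thread or from any poster): it parses the Received: chain bottom-up, treats a "via HTTP" entry hop on a webmail host as a browser session and reports its client IP, and reads the DKIM verdict from Authentication-Results. The sample headers are a reduced copy of the ones posted above, with the addresses the poster deleted left empty.

```python
import re
from email import message_from_string

# Constructed sample: the Received: chain and Authentication-Results from the
# headers posted above, reduced to the lines this analysis needs. Addresses the
# poster deleted are left empty, as in the post.
RAW_HEADERS = """\
Received: by 10.231.59.134 with SMTP id l6cs25799ibh;
        Fri, 3 Jun 2011 23:48:27 -0700 (PDT)
Received: from nm13-vm0.bullet.mail.bf1.yahoo.com (nm13-vm0.bullet.mail.bf1.yahoo.com [98.139.213.79])
        by mx.google.com with SMTP id z9si6930219ibd.14.2011.06.03.23.48.25;
        Fri, 03 Jun 2011 23:48:25 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 98.139.213.79 is neither permitted nor denied by best guess record for domain of ) smtp.mail=; dkim=pass (test mode) header.i=@yahoo.ca
Received: from [98.139.212.148] by nm13.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [127.0.0.1] by omp1038.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [62.87.129.139] by web161301.mail.bf1.yahoo.com via HTTP; Fri, 03 Jun 2011 23:48:25 PDT
X-Mailer: YahooMailWebService/0.8.111.304355
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Every Received: header in header order: newest hop first, oldest last."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        ip = IPV4.search(value)
        by = re.search(r"\bby\s+(\S+)", value)
        proto = re.search(r"\b(?:with|via)\s+(\w+)", value)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "proto": proto.group(1) if proto else None})
    return hops

def origin(raw):
    """The oldest hop is where the message entered the mail system. A 'via HTTP'
    hop on a webmail host means a browser session, so from_ip is the client."""
    first = received_hops(raw)[-1]
    return {"client_ip": first["from_ip"], "entry_host": first["by"],
            "webmail": first["proto"] == "HTTP"}

def dkim_result(raw):
    """dkim=pass with header.i=@<domain> means the provider signed the message:
    it genuinely left that provider's servers under this account."""
    auth = " ".join((message_from_string(raw).get("Authentication-Results") or "").split())
    m = re.search(r"dkim=(\w+).*?header\.i=(\S+)", auth)
    return (m.group(1), m.group(2)) if m else (None, None)
```

Note that the whois lookup later in the thread was run on 98.139.213.79, the Yahoo relay that Google's MX saw, whereas the bottom Received: line carries the webmail client's address 62.87.129.139.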
 
Makosuke....LOL!!
Not griping....I knew it was everyone's night out....just when I got some reasonable speedy replies I assumed some folks were hanging out on the forum.
I'm not that wacked or paranoid about the email, just it was recommended and I had no idea where in the Mac those settings would be.

Macs are beautiful in that a "Monkey" can get up and running with them....I did! :rolleyes: But the simple stuff trips me up every time. I can't find 2/3 of the stuff included in the laptop....My BIL put all the info I would ever need in it...
but I can't find it. It's in a folder, somewhere....LMAO!!!

He's twisted....that's all I can say.
Thank you for looking at the code....I am on a few messageboards where confidentiality is paramount, so when everyone got shipped each other's emails it was a nightmare...no..lol!! not "adult" ones, science ones....folks are working on things & in competition sometimes with each other.
Besides as my family's addy's were included in the mailing list, to me it was a big deal.

Thanks again for the explanation....and now I know not to play on Polish websites!! Grin....and everyone had guessed it was the Russian ones...:D:D:D
 
It happens quite often to people it seems. Just have a decent password containing at least 8 characters, and make the last one a random number.

The more random the password is, the better, so maybe try r3p1ac1ng some letters with numbers within the password, or use special characters/CaPiTaL LeTteRs if they're allowed.

Most sites will allow capital letters, but not all of them are case-sensitive. That means that you can make your password "PASSword", but login by typing "password", "PASSWORD", or "passWORD". The site will ignore the character case.

If it is case-sensitive, then you can throw random capitals in to make it even harder to crack.
 
Thanks everyone for your assistance!
Obviously this is much more common than I expected. I have changed my password & just decided to unplug the DSL when the computer isn't in use. It's not a hassle but I figure it can't hurt.
 
just decided to unplug the DSL when the computer isn't in use. It's not a hassle but I figure it can't hurt.

They logged into your email account by using their computer and sent out the emails using their computer; it almost certainly has nothing to do with your computer or your internet connection.

So turning off your DSL when you aren't using it will have no effect on this; it would not have stopped this from happening.
 
Freaking Yahoo decided to follow in Gmail's steps and is now masking the sender's IP with the IP of their mail servers (unless you happen to live in the same city)...

Normally the answer would be in your headers, but this is what I get from an IP lookup:

NetRange: 98.0.0.0 - 98.255.255.255
CIDR: 98.0.0.0/8
OriginAS:
NetName: NET98
NetHandle: NET-98-0-0-0-0
Parent:
NetType: Allocated to ARIN
RegDate: 2006-10-02
Updated: 2010-06-30
Ref: http://whois.arin.net/rest/net/NET-98-0-0-0-0

OrgName: American Registry for Internet Numbers
OrgId: ARIN
Address: 3635 Concorde Parkway
Address: Suite 200
City: Chantilly
StateProv: VA
PostalCode: 20151
Country: US
RegDate: 1997-12-22
Updated: 2011-03-19
Comment: For abuse issues please see URL:
Comment: http://www.arin.net/abuse.html
Comment: The Registration Services Help Desk is open
Comment: from 7 a.m. to 7 p.m., U.S. Eastern time to assist you.
Comment: Phone Number: (703) 227-0660; Fax Number: (703) 227-0676.
Ref: http://whois.arin.net/rest/org/ARIN

It's pointing to default Yahoo servers, so there's no way of telling if it was sent from your PC or if they had your email credentials...
 