Mac Sending Emails At Night (by itself)

Discussion in 'Mac Basics and Help' started by Reasoned, Jun 4, 2011.

  1. Reasoned macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #1
    I've been looking around and didn't see this addressed. Emails were sent from my yahoo acct. to everyone on my contacts list. Obviously I let something onto the laptop I shouldn't have. :confused:

    Called Yahoo and changed the password, and unsubscribed to the few newsletters I get. (nothing weird, NPR, Wayside gardens, USDA, etc.) Each email that was generated had nothing in the subject header, and the content consisted of a link to a site. All content was different, and all links were nonfunctioning. There was no record in my sent box of any of these.

    The only thing in common was an admin from a messageboard mentioned I wasn't the only person with the problem, as they had been notified by other members.

    What is it, and how do I get rid of it? I did read the section containing info on Malware & Trojans. Lots of it went over my head. Especially the Keychain thing.

    Any assistance would be appreciated.
    (if this is in the wrong section I apologize)
     
  2. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #2
    This has nothing to do with your Mac. Your e-mail account was compromised, probably due to a weak password or weak password reset questions.
     
  3. Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #3
    This will sound like the world's dumbest question, how?
     
  4. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #4
    If you don't have a complex password, they can guess it. It has nothing to do with your Mac or malware of any kind. They simply hacked your email account password.
     
  5. Reasoned, Jun 4, 2011
    Last edited: Jun 4, 2011

    Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #5
    Sorry, let me clarify, did it come in on a received email? Since I save emails in folders will this happen again because I haven't trashed everything?
    Are these generated off site, while my computer is on at night? Or from something hiding in my email acct?

    (for the love of...I sound like a moron...sigh)
     
  6. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #6
    No, that has nothing to do with it. Make sure your email password is long and complex, with upper and lower case letters, numbers and, if accepted by your email server, special characters. It's also a good idea to change your passwords on a regular basis, every few months or at least once a year.
     
  7. Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #7
    Thank you for the speedy answers.
    I was looking to do what was recommended in the malware thread.

    17) For those needing extra email security (worried about emails being accessed while logged in):

    - Do NOT keep copies of emails for offline viewing and move the keychain entries for the email accounts from the login keychain to a keychain that does not remain unlocked. This is easy to set up if using IMAP email accounts with Mail.app.

    a) In the "Advanced" setting for the email account in Mail.app preferences, set "Keep copies of messages for offline viewing:" to "Don't keep copies of any messages."

    b) And, in the "Mailbox Behaviors" setting for the email account in Mail.app preferences, enable "Move deleted messages to the Trash mailbox," set "Permanently erase deleted messages when: Quitting Mail," and do not enable "Store deleted messages on the server."

    c) Also, do not enable "Store sent messages on the server" but set "Delete sent messages when: Quitting mail." Note: make sure to manually save all emails as drafts before being sent or the autosaved drafts will not be deleted once the email is sent; this is a glitch in Mail.app.

    Storing the "~/Library/Mail" folder in an encrypted disk image (see #18) and using an alias in the folder's place is effective in securing your emails if you need to keep local copies for offline viewing.

    I know you all aren't here for a yahoo-tutorial, but I couldn't find the advanced settings. Is there an internal one on the Mac? Or does this only apply if I'm using Thunderbird?
     
  8. Reasoned, Jun 4, 2011
    Last edited: Jun 4, 2011

    Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #8
    A friend thought it was something else....so I'm including the source code provided. Please let me know if you think it's more than a hacked email password. I only deleted email addresses from this.
    My friend was wondering:
    I'm wondering if maybe all of our mails came from the compromised machine and a bot or script is generating mails from our accounts.

    From - Sat Jun 04 06:19:28 2011
    X-Account-Key: account5
    X-UIDL: GmailId1305968eb9a4b9ad
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys: $label4
    Delivered-To:
    Received: by 10.231.59.134 with SMTP id l6cs25799ibh;
    Fri, 3 Jun 2011 23:48:27 -0700 (PDT)
    Received: by 10.231.215.140 with SMTP id he12mr4130655ibb.57.1307170106958;
    Fri, 03 Jun 2011 23:48:26 -0700 (PDT)
    Return-Path:
    Received: from nm13-vm0.bullet.mail.bf1.yahoo.com (nm13-vm0.bullet.mail.bf1.yahoo.com [98.139.213.79])
    by mx.google.com with SMTP id z9si6930219ibd.14.2011.06.03.23.48.25;
    Fri, 03 Jun 2011 23:48:25 -0700 (PDT)
    Received-SPF: neutral (google.com: 98.139.213.79 is neither permitted nor denied by best guess record for domain of ) client-ip=98.139.213.79;
    Authentication-Results: mx.google.com; spf=neutral (google.com: 98.139.213.79 is neither permitted nor denied by best guess record for domain of ) smtp.mail=; dkim=pass (test mode) header.i=@yahoo.ca
    Received: from [98.139.212.148] by nm13.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
    Received: from [98.139.212.229] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
    Received: from [127.0.0.1] by omp1038.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 554714.74866.bm@omp1038.mail.bf1.yahoo.com
    Received: (qmail 58153 invoked by uid 60001); 4 Jun 2011 06:48:25 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.ca; s=s1024; t=1307170105; bh=hSgZ9A05dQLTNODNLp0BeLFtSmug6W2J8RcCArf2dY8=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:To:MIME-Version:Content-Type; b=JosRH66wrMfIrScCoRT3Y1DbL0OT283DllGnY++Q2JDfsTFAAnVOm4UDfoWVhvNHvDWP2wRh3z5ira2KeDK5CifDOQZOTq6eKvb3cwWn1IUf3OUbuwRKWJJBm+BEgGrWGNghMPefxYGvlp5BiNhzIZRqrk3nNEdNRI31UAQFNJ4=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.ca;
    h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:To:MIME-Version:Content-Type;
    b=KxskND2uG9mK3PnyXImPgGgCXoNBgKYdT7J26tCPpvoqaET5hzU8wZmauiqNfApKvKst6XruK2a51NStASuiFi31N61V90hYx15ofiKmXlzMtpRKBLXZHwamnnLPGZPZ1Phz403ISRCdFsjgBXZgr2NtqdTnEwtjsNYJtQuuoAM=;
    Message-ID: <364288.54616.qm@web161301.mail.bf1.yahoo.com>
    X-YMail-OSG: wSZl_0sVM1md.zIBKH8HMs9S.Zrr24bYhqyAJlyorKXDq3n
    7mncvhuII0po1PxKzEf_XZqPYsP_Qn.N4bTz.KfpxT9bldas6_X0UJ0hMpDm
    9rS5.xyh_xl7yva5yeFwISxavQP6zVpF5cHUqbwjsgLDt17MT9_kqhpI2wuD
    lCzfmC7zWkno2JorPoQtf868b.j92Jh6me2xETWOfKaeyYCyAMkXYfS42QKh
    0XbdezsTJcCJA4DtO5u1Nxdwep1PhOsQ0oqjTR3VEm2a0ao4CnXD6zlxBZNn
    OTSjtyjNFn1aJA.8G_BmJtzX9_Y_fH_z8q8gsNAMGwWZddvWN3ceZz9Z29lO
    EXf5eytGIWtTVt38.7N3yndKdmj2Z4BlLbAS21g7_oK64fv9kURWLwVlRy_.
    wLxU7xEbYx0GVP3Tw0u.crqlQysEGZVEAhJiB5EHoeSc3
    Received: from [62.87.129.139] by web161301.mail.bf1.yahoo.com via HTTP; Fri, 03 Jun 2011 23:48:25 PDT
    X-Mailer: YahooMailWebService/0.8.111.304355
    Date: Fri, 3 Jun 2011 23:48:25 -0700 (PDT)
    From:
    To:
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="0-83759194-1307170105=:54616"

    --0-83759194-1307170105=:54616
    Content-Type: text/plain; charset=us-ascii

    http://www.ambiente-villas.com/find11.html
    --0-83759194-1307170105=:54616
    Content-Type: text/html; charset=us-ascii

    <table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><div>http://www.ambiente-villas.com/find11.html</div></td></tr></table>
    --0-83759194-1307170105=:54616--
     
  9. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #9
    It's 7:30pm on a Saturday night, so it's a little unreasonable to be expecting an answer in under an hour.

    Based on those headers, the emails were sent through Yahoo's webmail from somebody in Poland. As said, they certainly didn't go through your Mac, and in all likelihood getting your webmail password compromised had nothing at all to do with your Mac--it was probably just a simple password crack.

    The instructions you quoted are specifically related to Apple's built-in Mail.app mail client. If you're using Thunderbird, the settings will be somewhat different. If you're only using webmail, they're completely irrelevant--those only apply to locally-stored email.

    Regardless, those instructions are only for people who are tremendously paranoid about having their computer stolen or their email hacked into (such as yours was, via password compromise) and having their old email read. Almost nobody has reason to be that paranoid, and frankly if you WERE that paranoid, you should probably be using something more secure than email for communication--email is inherently VERY insecure when it comes to being intercepted in-flight.

    For your case, just make sure you use a strong password, as previously explained, and don't download anything sketchy or reply to phishing emails.
     
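The header reading described in post #9, as an added example that is not part of any poster's message: it walks the `Received` chain oldest-first and reports the client address on the hop the provider's web front end recorded as `via HTTP`. The sample is an excerpt of the headers quoted in post #8; the function names and the `trusted_suffix` parameter are assumptions made for illustration.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Excerpt of the Received chain quoted in post #8 (newest hop first, as delivered).
SAMPLE = """\
Received: from nm13-vm0.bullet.mail.bf1.yahoo.com (nm13-vm0.bullet.mail.bf1.yahoo.com [98.139.213.79])
 by mx.google.com with SMTP id z9si6930219ibd.14.2011.06.03.23.48.25;
 Fri, 03 Jun 2011 23:48:25 -0700 (PDT)
Received: from [98.139.212.148] by nm13.bullet.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [127.0.0.1] by omp1038.mail.bf1.yahoo.com with NNFMP; 04 Jun 2011 06:48:25 -0000
Received: from [62.87.129.139] by web161301.mail.bf1.yahoo.com via HTTP; Fri, 03 Jun 2011 23:48:25 PDT
X-Mailer: YahooMailWebService/0.8.111.304355

"""

# "from <peer> by <recording host> with|via <protocol>"
HOP = re.compile(
    r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)\s+(?:with|via)\s+(?P<proto>[A-Za-z]+)",
    re.S,
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_headers):
    """Return Received hops oldest-first as dicts with ip, by and proto."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # e.g. "(qmail ... invoked by uid ...)" names no peer
        ip = IPV4.search(m.group("src"))
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "proto": m.group("proto")})
    return hops


def webmail_origin(raw_headers, trusted_suffix=".yahoo.com"):
    """Client IP on the web-submission hop, or None if no such hop exists.

    Only hops recorded by the provider's own hosts are considered, because
    a sender can forge any Received line below the first trusted server.
    """
    for hop in parse_hops(raw_headers):
        if (hop["proto"].upper() == "HTTP" and hop["ip"]
                and hop["by"].endswith(trusted_suffix)
                and ipaddress.ip_address(hop["ip"]).is_global):
            return hop["ip"]
    return None
```

A public address on that hop that does not belong to the account owner's ISP means the message was submitted through the web interface from another machine, which points to stolen or guessed credentials rather than something running on the owner's computer.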
  10. Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #10
    Makosuke....LOL!!
    Not griping....I knew it was everyone's night out....just when I got some reasonable speedy replies I assumed some folks were hanging out on the forum.
    I'm not that wacked or paranoid about the email, just it was recommended and I had no idea where in the Mac those settings would be.

    Macs are beautiful in that a "Monkey" can get up and running with them....I did!:rolleyes: But the simple stuff trips me up every time. I can't find 2/3 of the stuff included in the laptop....My BIL put all the info I would ever need in it...
    but I can't find it. It's in a folder, somewhere....LMAO!!!

    He's twisted....that's all I can say.
    Thank you for looking at the code....I am on a few messageboards where confidentiality is paramount, so when everyone got shipped each other's emails it was a nightmare...no..lol!! not "adult" ones, science ones....folks are working on things & in competition sometimes with each other.
    Besides as my family's addy's were included in the mailing list, to me it was a big deal.

    Thanks again for the explanation....and now I know not to play on Polish websites!! Grin....and everyone had guessed it was the Russian ones...:D:D:D
     
  11. Urusai89 macrumors newbie

    Joined:
    May 15, 2011
    Location:
    Internet
    #11
    It happens quite often to people it seems. Just have a decent password containing at least 8 characters, and make the last one a random number.

    The more random the password is, the better, so maybe try r3p1ac1ng some letters with numbers within the password, or use special characters/CaPiTaL LeTteRs if they're allowed.

    Most sites will allow capital letters, but not all of them are case-sensitive. That means that you can make your password "PASSword", but login by typing "password", "PASSWORD", or "passWORD". The site will ignore the character case.

    If it is case-sensitive, then you can throw random capitals in to make it even harder to crack.
     
  12. Reasoned thread starter macrumors newbie

    Reasoned

    Joined:
    Dec 28, 2010
    Location:
    Eastern USA
    #12
    Thanks everyone for your assistance!
    Obviously this is much more common than I expected. I have changed my password & just decided to unplug the DSL when the computer isn't in use. It's not a hassle but I figure can't hurt.
     
  13. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #13
    :rolleyes:

    Has nothing to do with your problem, but OK.
     
  14. Dark Dragoon macrumors 6502a

    Dark Dragoon

    Joined:
    Jul 28, 2006
    Location:
    UK
    #14
    They logged into your email account by using their computer and sent out the emails using their computer, it almost certainly has nothing to do with your computer or your internet connection.

    So turning off your DSL when you aren't using it will have no effect on this, it would not have stopped this from happening.
     
  15. alamein macrumors member

    Joined:
    Nov 22, 2010
    #15
    Freaking Yahoo decided to follow in Gmail's steps and is now masking the sender's IP with the IP of their mail servers (unless you happen to live in the same city)...

    Normally the answer would be in your headers, but this is what I get from an ip-lookup

    It's pointing to default Yahoo servers, so there's no way of telling if it was sent from your PC or if they had your email credentials...
     
