
Urgent - Possible Security Issue - Mail - Assistance Requested

Note: I just received a steady stream of 11 "System Administrator" messages from an e-mail that states it originated from my .mac account, but I didn't send it. That is to say, when I open the System Administrator e-mail there is an e-mail from ME to a LYCOS account and forwarded to 3-5 COX recipients. The COX system administrator then sends my .mac e-mail a message that the mailbox is over its quota. I immediately changed my password via .mac and then my keychain password in Mail. Am I overreacting here? It seems like someone got my .mac name and password. Any help would be appreciated because, in light of recent iPod issues across the board and performance issues, I am chalking this up to the recent move to Intel processors and not feeling too good about it.

PowerBook G4; Mac Mini Mac OS X (10.4.4)

Posted on Oct 25, 2006 5:42 PM

11 replies

Oct 25, 2006 6:52 PM in response to lenn5

I fully concur with your note that it is easy to make an e-mail look like it came from my e-mail, but this particular string all seemingly originated from my e-mail. In order to do that, wouldn't a scammer need my SMTP password? When I looked at the e-mail I about went in my pants, because the original e-mail has my name, my .mac e-mail address, and it hyperlinks to my account also.

Oct 25, 2006 7:17 PM in response to Mark Gaipo

But isn't all that info in the spam you received in the emails you send out? Have you looked at the entire header from the spam? To do this, select the spam email, select View from the top menu, then select Message, then Long Headers. It should have the entire path the email took to get to you. This is the info that I forward to my ISP when I get spam on my personal account, which is very rarely now. They can then block that address from their servers.

lenn

Oct 26, 2006 3:58 AM in response to lenn5

from mac.com (smtpin17-en2 [10.13.11.245]) by ms111.mac.com (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005)) with ESMTP id <0J7P00GGXVZ2J8@ms111.mac.com> for markgaipo@mac.com; Wed, 25 Oct 2006 17:28:14 -0700 (PDT)

This is what the long header looks like from the message that was sent to the originator from my e-mail.

Oct 26, 2006 4:24 AM in response to Mark Gaipo

The part of the long message header you provided that is directly below the Return-Path is the final receiving part of the message at .Mac's incoming mail server, which is why it includes your .Mac email address, which you have included in the open in a public forum where spammers can easily harvest it.

The sender's portion is the bottom/last "Received" line just above the Message-ID line, which also includes an earlier time stamp, usually by a few seconds only.

I am chalking this up to the recent move to Intel Processors and not feeling too good about it.

The switch to Intel processors has no effect on OS X security. OS X does not become more or less secure based on a different processor. Windows would not become more secure by itself if all PC manufacturers switched to PPC processors.

Oct 26, 2006 4:30 AM in response to Allan Sampson

I realize the public posting seems to lack any reasonable judgement, but I had already changed all passwords and access in my keychain and on .Mac. Without becoming a high-maintenance user, might I ask you: (a) even though my computer is in Stealth mode, could a person somehow "see" or access my e-mail account, settings and passwords; (b) if not, I assume a user sets up a bogus account but puts my e-mail address in there for return mail; and (c) is this just a common ploy by spammers and not to worry as long as I take greater precaution in securing my settings? Appreciate your feedback.

Oct 26, 2006 5:08 AM in response to Mark Gaipo

I try to avoid using the words never and always so although (a) is possible, it isn't very likely.

Unless you have any services enabled such as Personal File Sharing, Windows Sharing, Remote Login, etc., it is even less likely.

Do you access a wireless network at home and/or in a public location?

If you access a wireless network at home, is it password protected and encrypted, preferably with WPA2 Personal, which is more secure than WEP?

It is possible for wireless network transmissions to be intercepted but it takes someone fairly knowledgeable to pull that off.

Forging a sending or return email address doesn't require setting up a bogus email account. Apple prevents entering/using a different email address to appear as the sending email address for messages sent with a .Mac account, but they don't prevent providing a different Reply-To email address in the message header; this must be done on an individual, message-by-message basis.

The email account provided by my ISP doesn't have this restriction. I can enter your email address in the Email Address field under the Account Information tab for the account preferences which will appear as the sending email address for all messages I send with my ISP's email account.

So if I send a message with this account using your email address to appear as the sending email address, and I send a message to an incorrect email address or to an email address that is rejected by the recipient's incoming mail server for whatever reason, you will receive the return email error message from the recipient's incoming mail server, not me.

Spammers never provide a valid sending or return email address, which is constantly changing, and this is one of the reasons you receive the identical spam from different email addresses. Some spammers pull a valid email address from their "known good" email address list to appear as the sending email address for a bulk spam mailing, but since they are constantly changing their bogus email address, yours or mine will not be used long. The same has happened to me and to many others.

Since Windows is on the complete opposite end of the security spectrum when compared to OS X, a Windows PC can also be taken over or hijacked, but I haven't seen a single report of the same occurring with a Mac running OS X.

You have changed your account password and Keychain settings, etc. so I believe you are covered.

Oct 26, 2006 5:07 AM in response to Mark Gaipo

I believe it's

(c) Is this just a common ploy by spammers and not to worry as long as I take greater precaution in securing my settings? Appreciate your feedback.

I get loads of emails which are bounces 'back' to my email account, even though I didn't send them. I would advise deleting them (never reply of course) and using the junk mail filter.

Oct 26, 2006 7:04 AM in response to Allan Sampson

Just a final thank you to everyone who replied. Special thanks to the Lone Star State. In the end, this was a wake-up call to me because I take a great deal of precaution but could do better (home network protection). I think I, like many others, fail to take internet and cyber security as seriously as, say, home security. It was a jolt and a wake-up call; however, it was a good reminder of the support I have become accustomed to from Apple users. Thanks again.


Oct 26, 2006 8:03 AM in response to Mark Gaipo

As Allan explained, this is from one of the "Received:" headers in the message. A close examination of it shows that it is at least partially forged, just like the "From:" or "Return-Path" items, to make it look like it came from you:

Look at the first item in the path: "mac.com (smtpin17-en2 [10.13.11.245])". The first part of this (mac.com) is what the message claims is the originating server's domain; the part in parentheses should be what the server that received it says it was, in both DNS (name lookup) & numeric form. In a legitimate header these will all point to the same server address.

Here we see that the apparent server is not mac.com (which has a numeric address of 17.250.248.32) but something called "smtpin17-en2" -- which isn't even a legitimate domain name. Another clue is that 10.xx.xx.xx addresses are reserved for local networks. Similarly, the info following "by" is forged, since it is missing the numeric form of the "ms111.mac.com" address (whatever that is) & otherwise doesn't follow the format of the header path info servers normally add.

IOW, this whole "Received:" header is suspect, as are any that follow it. In general, you can only trust the first (in the header list) "Received:" header, & within it, only the address indicated within the parentheses if it follows the conventions servers normally add. (You can get an idea of what they should look like by looking at the long headers of legitimate emails.)

Basically, spammers are adept at forging all sorts of header info, so you should never make any decisions based on what you see in them about origin, delivery path, or much of anything else. Leave this to experts, like SpamCop, who request you send them the entire message, including all header info, for detailed analysis.

Above all, never reply to such messages or publish your email address in a public forum like this one, even in a long string like this one. Spammers use automated "spambots" to comb through them, looking for anything of the form "something@somedomain.domain_class" to add to the spammers' lists of targeted email addresses. If you need to post info like this, change your email address name to something like "me" (for example, "me@mac.com") or replace "@" with "{at}" or do something similar so the spambots will ignore it but humans will understand.
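The rules of thumb in this reply, applied to the "Received:" line quoted earlier in the thread, as an added example that is not part of the original thread: the checks, the sample hops (recipient address replaced by a placeholder, second hop constructed) and the function names are assumptions, not anything from Apple or the posters.

```python
import ipaddress
import re

# Constructed sample, newest hop first as in a real message: hop 0 is the line
# quoted in the thread (recipient address replaced by a placeholder); hop 1 is a
# made-up earlier hop using the mac.com address the reply cites.
SAMPLE_RECEIVED = [
    "from mac.com (smtpin17-en2 [10.13.11.245]) by ms111.mac.com "
    "(iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005)) with ESMTP "
    "id <0J7P00GGXVZ2J8@ms111.mac.com> for recipient@example.invalid; "
    "Wed, 25 Oct 2006 17:28:14 -0700 (PDT)",
    "from mac.com (mac.com [17.250.248.32]) by smtpin17-en2.mac.com "
    "with ESMTP id CONSTRUCTED01; Wed, 25 Oct 2006 17:28:11 -0700 (PDT)",
]

# The "from HELO (reverse-dns [ip]) by SERVER" shape most MTAs write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(line):
    """Return helo, rdns, ip and by for one Received: line, or None."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None

def assess_hop(line, position):
    """Apply the reply's rules of thumb to one hop. Received: lines are
    prepended, so position 0 was written by the reader's own provider and is
    the only one that provider vouches for; everything below it is claimed."""
    hop = parse_received(line)
    trusted = position == 0
    if hop is None:
        return {"trusted": trusted, "hop": None, "notes": ["unparseable"]}
    notes = []
    try:
        if ipaddress.ip_address(hop["ip"]).is_private:
            notes.append("private or reserved address: not externally verifiable")
    except ValueError:
        notes.append("malformed IP address")
    rdns = hop["rdns"] or ""
    if "." not in rdns:
        notes.append("reverse-DNS name missing or not fully qualified")
    helo_domain = ".".join(hop["helo"].split(".")[-2:])
    if rdns and not rdns.endswith(helo_domain):
        notes.append("HELO name and reverse-DNS name disagree")
    return {"trusted": trusted, "hop": hop, "notes": notes}

def assess_path(received_lines):
    """Assess every hop, topmost (most recently added) first."""
    return [assess_hop(line, i) for i, line in enumerate(received_lines)]
```

Run `assess_path(SAMPLE_RECEIVED)` to see the quoted hop flagged on all three counts and the constructed hop pass; a flag is a reason to distrust the hop's claimed origin, not proof of where the message came from.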
