wiki:faq/email/address-hijacked

Help! My Email Address has been hijacked

Often a friend or colleague will email us a message that seems to have been sent from us, but that we didn't send. Other times, we get a bounce, that seems to indicate that we sent a message to a non-working email address, however, we didn't send the original message.

Usually, there is no need for concern

This common occurrence happens because the email system in place on the Internet does not verify the from address. So, we can send email messages from any address we choose simply by telling our email program to use a different address in our from field (anyone with Thunderbird/Icedove can add an arbitrary from address by clicking on the "Manage identities" button in your account settings). Try it - it's fun! You can send a message to your friends from george.bush@whitehouse.gov or che@revolution.org.

Other people on the Internet do not necessarily do this trick for fun. More often, it is done by spammers and virus writers to convince you to open the message. If a message comes from a familiar looking from address, you might be more likely to open it. Virus writes have used the trick to great effect. If you're friend's computer is compromised, the virus might check the address book and try to re-send itself to everyone in the address book in an email from your friend.

The bottom line is: there's nothing we can do to stop someone from sending a message from your email address.

How can I be sure an email is from the person it claims to be from?

Along with the bottom line comes another one: you should never believe a message came from someone just because their email address is in the from line!

A more effective method for ensuring that the email you are receiving comes from the person you think they are, is to use Gnu Privacy Guard.

There's a decent introduction to the concept here:

http://aplawrence.com/Basics/gpg.html

The examples all used the command line - but that's not necessary! If you are using the Thunderbird/Icedove email program, you can get started with GnuPG with this tutorial.

No really, I think my account is hijacted

Of course, your account might really be hijacked... meaning that someone may have access to your username and password and is sending messages through our servers from you.

The best way to find out is to examine the headers of the message. Each email is sent with extensive information about the various computers it passed through on it's way to you. Most email programs hide all but the basic headers. The steps to view the full headers are different for each email program. This web site provide a comprehensive list of directions for many different programs.

The key headers to watch for are the ones that start with Receive. From the bottom up, they report each mail server that message has passed through. Alghouth they can also be spoofed (so you should not believe them 100%), they typically can tell you where your message has been.

The bottom most received headers on a message I just sent are:

Received: from chavez.mayfirst.org ([127.0.0.1])
        by localhost (chavez.mayfirst.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 4EtnYPmvbvgY for <jmcclelland@chavez.mayfirst.org>;
        Mon,  5 Jul 2010 15:45:26 -0400 (EDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender:
        jmcclelland@chavez.mayfirst.org) with ESMTPSA id DB7F744113
Received: by chicken.mayfirst.org (Postfix, from userid 1000)
        id AA80F36F4E; Mon,  5 Jul 2010 15:44:23 -0400 (EDT)

The bottom most one says "chicken.mayfirst.org" - that's my own computer. Next comes the anonymized line the strips your personal information about receiving the message on our servers. The third, top-most line, is chavez reporting that it has received the message.

Typically, a spoofed email will show other servers prior to the chavez line, indicating that the message was sent by a server not under our control.

If you have a spoofed email that has headers resembling the ones above please open a ticket with a copy of the headers so we can determine if your account is compromised.

jamie

Last modified 7 years ago Last modified on Feb 2, 2013, 4:34:08 PM