Welcome to the MacNN Forums.

Laminar · Jul 14, 2014, 09:15 AM

At some point, my wife succumbed to a phishing attack, giving someone her gmail account details. Since then we've changed passwords and set up 2-step verification with Google, but the issues persist. Whoever got into her account pulled her whole address book, and occasionally sends more phishing emails to people from that address book with my wife's email address as the return path, so now everyone thinks the emails are coming from her.

When the phishing attack first happened, I was able to find the IP address that accessed her account but since then no one else has accessed it. Clearly they just pulled her name, email address, and address book and they're hitting it sporadically.

Here's what part of the header looks like:

Code:
Received-SPF: softfail (google.com: domain of transitioning [wife]@gmail.com does not designate 62.220.129.11 as permitted sender) client-ip=62.220.129.11;

So it looks like Google knows the message is a fake, and when viewing the message in Gmail's webmail, it's able to warn users that the email is not legit, but in any other mail client there's no such warning and we have no idea who's getting these emails.

Is there any solution to this besides creating a new email address and telling her entire address book to disregard the old one? Emails are going to friends, neighbors, family, and professional contacts with her name on them.

subego · Jul 14, 2014, 03:24 PM

We won't judge you for falling for it Lam. No reason to throw the wife under the bus.

The Final Dakar · Jul 14, 2014, 03:26 PM

Originally Posted by subego

We won't judge you for falling for it Lam. No reason to throw the wife under the bus.

reader50 · Jul 14, 2014, 06:40 PM

All contacts will continue to get fake emails from your wife for a long time. If even one buys something, the email volume will increase to everyone.

Yes, get her a new address and notify everyone. Except Aunt Edna, who sends all those links for you to (not) read. Keep the old account in case she registered with any services through it. At least until you are certain you've updated all such services to the new email.

mattyb · Jul 16, 2014, 04:13 PM

Contact the abuse mailbox, they might be able to do something.

62.220.129.11/webmail.eracom.ch IP Address Whois | DomainTools.com

Laminar · 03:36 PM

Just got hit again.

Code:
Received: from BN1AFFO11FD013.protection.gbl (2a01:111:f400:7c10::111) by
 BLUPR05CA0074.outlook.office365.com (2a01:111:e400:855::44) with Microsoft
 SMTP Server (TLS) id 15.0.1024.12 via Frontend Transport; Sun, 7 Sep 2014
 13:23:56 +0000
Received: from vps.winterhost.com (207.58.164.49) by
 BN1AFFO11FD013.mail.protection.outlook.com (10.58.52.73) with Microsoft SMTP
 Server (TLS) id 15.0.1019.14 via Frontend Transport; Sun, 7 Sep 2014 13:23:56
 +0000
Received: from [37.140.119.36] (port=50838 helo=thebicycleaccident.com)	by
 vps.winterhost.com with esmtpa (Exim 4.82)	(envelope-from
 <[email protected]>)	id 1XQcRf-0000WL-2o; Sun, 07 Sep 2014
 09:23:55 -0400

The email contained nothing but a link:

Code:
http://secure.hostexper.com/wc/mqfkejazwak.hnxhxxx

(I added "xxx" onto the end of the link. If you really want to click it, remove those.)

Laminar · Sep 7, 2014, 09:50 AM

So really, there is no good solution here. We can create a new email address and transfer everything over to that address without too much issue. We would then have to email every single person in her contact list and let them know to disregard the old email address. I'm not sure what the take % on that would be, but I assume not great.

She would start using her new email address, but there's no guarantee contacts wouldn't still try to email her old address (I guess we could set up forwarding). The attackers would still send emails to her contacts care of her old address, and there's no guarantee that anyone would remember to disregard it if it only happens once every few months.

So basically we're shit out of luck.

besson3c · Sep 7, 2014, 01:26 PM

Laminar: one reason why having a [email protected] as a redirect to another account is nice.

reader50 · Sep 7, 2014, 01:36 PM

Originally Posted by Laminar

Just got hit again.

The email contained nothing but a link:

Notice that the link contains a random sequence of characters? (mqfkejazwak) Each person they spam gets a link with a slightly different URL. So they can match clicks vs email addresses. By clicking it, you just confirmed her email address is 'hot' - read by a real person. Posting it here means lots more people may click that exact link. Expect more spam.

Don't follow links in spam. Not even unsubscribe links, unless it's a major retailer or someone she's done business with before.

Laminar · Sep 7, 2014, 03:41 PM

I didn't click the link, and I just edited my last post to alter the link text. I really don't care about getting spam - Gmail and Mail.app filter well enough that I see nothing. I'm not worried about security - with two factor authentication and some brains, I have no issue steering clear of phishing attacks.

The biggest issue is the ongoing emails sent on her behalf, with no real solution for solving them. Like I said before, even if we get a new address for her and tell all 300+ of her contacts to ignore the old email address, Aunt Sally and Sorority Sister Jill will probably forget the warning after about 10 seconds and continue receiving emails.

Laminar · Sep 7, 2014, 03:42 PM

Originally Posted by besson3c

Laminar: one reason why having a [email protected] as a redirect to another account is nice.

Could you explain a little more about how this works? We're probably going to end up setting up a new account, and I'm not above getting my own domain and a little bit of hosting, especially if it gives me any more control over this sort of stuff.

P · Sep 7, 2014, 04:00 PM

Originally Posted by Laminar

Could you explain a little more about how this works? We're probably going to end up setting up a new account, and I'm not above getting my own domain and a little bit of hosting, especially if it gives me any more control over this sort of stuff.

Register your domain with someone. Add email. Tell the registrar to park the domain and forward all mails from it to some other address. Most registrars do this, but one I have heard a lot of good about is hover.com. They apparently charge $5/year for the mail forward service, plus whatever the domain cost (com is $15/year).

besson3c · Sep 7, 2014, 04:06 PM

Laminar, would you like a free [email protected] account?

Laminar · Sep 7, 2014, 05:03 PM

And then this new email is what I use for every web service/site that I use? Emails have to pass through that server to get to my real address. Because I only log in to sites with a "fake" front-end address, if I fall victim to phishing, the attacker gets those front end credentials and not my actual email address, so they can't access my actual phone book. Is that how it works?

In this case, she was sent a fake link to a Google Doc from a known contact. In an attempt to open that Google doc, it asked for her Google credentials. In this case, having a fake front-end address wouldn't help, because it wasn't asking for an email address, but the keys to her whole Google account. Or am I missing something?

besson3c · Sep 7, 2014, 05:12 PM

Originally Posted by Laminar

And then this new email is what I use for every web service/site that I use? Emails have to pass through that server to get to my real address. Because I only log in to sites with a "fake" front-end address, if I fall victim to phishing, the attacker gets those front end credentials and not my actual email address, so they can't access my actual phone book. Is that how it works?

Yes, and while pointing your TLD (top level domain) at a different email account won't stop the spam if they have latched onto using this address, if your provider starts slipping at flagging the spam you have the ability to try another without having to notify everybody of another address change.

In this case, she was sent a fake link to a Google Doc from a known contact. In an attempt to open that Google doc, it asked for her Google credentials. In this case, having a fake front-end address wouldn't help, because it wasn't asking for an email address, but the keys to her whole Google account. Or am I missing something?

In this case, if you were to create a [email protected] address and get people to start using it, you could point it at another Google/GMail account, and eventually ditch the old one once everybody has made the jump.

TL;DR: [email protected] will eliminate having to retrain people to send email to a new address whenever you want to make changes as to where mail is routed.

reader50 · Sep 7, 2014, 06:27 PM

What stops the spammers from finding [email protected] and spamming the hell out of it?

Being able to silently change the final address might be convenient, but it opens two spamming routes to your wife. And the one that's easy to change would be the one that's not publicly exposed, and therefore least likely to draw spam.

besson3c · Sep 7, 2014, 06:41 PM

Originally Posted by reader50

What stops the spammers from finding [email protected] and spamming the hell out of it?

Being able to silently change the final address might be convenient, but it opens two spamming routes to your wife. And the one that's easy to change would be the one that's not publicly exposed, and therefore least likely to draw spam.

Yes, but of course changing addresses requires getting all sorts of people to jump ship. My solution is, to me, the best way to handle not having to deal with that.

I will add though that if you went this route it would be very smart to be extremely selective about who you give your [email protected] address to. Use the throwaway GMail address it is pointing to whenever you are in doubt about something, like any sort of signup deal or when dealing with complete strangers.

Laminar · Sep 7, 2014, 07:09 PM

Since my contact list lives on my Gmail account, if an attacker got my Gmail credentials they have a list of legit email addresses that will trust an email coming from me. So would I choose a Gmail address that can't actually be tied to me? Something like "[email protected]", so that if they try and use that as a mailto address people won't recognize it?

besson3c · Sep 7, 2014, 07:34 PM

Originally Posted by Laminar

Since my contact list lives on my Gmail account, if an attacker got my Gmail credentials they have a list of legit email addresses that will trust an email coming from me. So would I choose a Gmail address that can't actually be tied to me? Something like "[email protected]", so that if they try and use that as a mailto address people won't recognize it?

That's not a bad idea, although I think some people are used to the fact that spoofing and backscatter is pretty normal, and that the from address is not the be-all-end-all (although they probably don't know exactly why to not take the from address at face value other than vague concepts of hackers).

Laminar · Sep 7, 2014, 10:58 PM

Well, the next issue I see is that because my wife's email is in my address book, both my Win7 Outlook client and the iPad automatically put her name in the "From" field, and the spammer made her full name the subject line.

I'm certainly not against setting something like this up, but the more I think about it, the less effective it seems to me.

If I'm sending an email to a personal contact, do I send it straight from my Gmail or do I route it through the [email protected] mail server so that no one ever sees my Gmail address?

besson3c · Sep 7, 2014, 11:18 PM

Originally Posted by Laminar

If I'm sending an email to a personal contact, do I send it straight from my Gmail or do I route it through the [email protected] mail server so that no one ever sees my Gmail address?

If the account is just a redirect, you'll have no SMTP authentication to your [email protected] account.

Everything as it stands today would be identical, you'd just change your from address to [email protected] when sending to the GMail SMTP servers. You could setup multiple identities within your email account so that you can send as either your GMail or [email protected] address.