
Has my email been hacked?

  • 16-03-2005 10:06am
    #1
    Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭


    Hey
    I got a failed mail reply in my Spam box of gmail, but it looks like someone has sent an email using my address but their name (Josie Manuel)

    Could someone take a look at the message and source to see if it's just a joke?

    Also, my password would be VERY difficult to crack. There are punctuation marks and random letters all over the gaff.

    Thanks,
    Snapscan


Comments

  • Registered Users, Registered Users 2 Posts: 2,002 ✭✭✭bringitdown


    Just guessing here:

    Looks like a virus - perhaps someone you know has been infected and their email address book contains your email address....

    Certainly doesn't look like you have been "hacked", report it to gmail / google and change your password to be sure.


  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    How exactly do I report it?

    I also don't know anyone with the name Josie Manuel, or anyone in the company she is emailing.

    I did a whois lookup on the IP Address:
    Whois wrote:
    OrgName: INETu, Inc.
    OrgID: INU
    Address: 744 Roble Road
    City: Allentown
    StateProv: PA
    PostalCode: 18013
    Country: US

    NetRange: 209.235.192.0 - 209.235.255.255
    CIDR: 209.235.192.0/18
    NetName: INETU
    NetHandle: NET-209-235-192-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS3.INETU.NET
    NameServer: NS4.INETU.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 1999-11-11
    Updated: 2001-05-30

    TechHandle: II25-ARIN
    TechName: INetU, Inc.
    TechPhone: +1-610-266-7441
    TechEmail: operations@inetu.net

    # ARIN WHOIS database, last updated 2005-03-15 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    I don't know anyone that lives there either.

    Thanks for the prompt reply


  • Registered Users, Registered Users 2 Posts: 192 ✭✭toffo


    It's called spoofing or phishing. Basically a spammer used your address as the reply to. It's mainly corporate mail boxes that have this problem. There is not much that can be done about it, but to be safe, report it to google and change your password.


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    There are viruses which scan the web, the machine or a person's address book for email addresses, then spam those addresses with random email addresses from the same list.

    It is quite possible that the person infected you might not even know (eg. They looked at a webpage which had your email address on it). I wouldn't worry too much and delete it.

    The password protected zips contain the virus and they are set up like that to stop the automated virus checking programs from scanning them.

    If it's in gmail then flag it as spam and gmail autofilters should pick up any further ones. Or just bin it.


  • Registered Users, Registered Users 2 Posts: 2,002 ✭✭✭bringitdown




  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    Cheers for the replies.

    I also got a failed notice from Norton last month, but I deleted it. Same story.

    Here is the source header btw:
    X-Gmail-Received: 17d11cd6602e0e8896c0043e7929c82b3d297d75
    Delivered-To: ***MY EMAIL***@gmail.com
    Received: by 10.38.151.35 with SMTP id y35cs28505rnd;
            Sun, 13 Mar 2005 02:55:29 -0800 (PST)
    Received: by 10.54.77.7 with SMTP id z7mr1156728wra;
            Sun, 13 Mar 2005 02:55:29 -0800 (PST)
    Return-Path: <>
    Received: from kiss1.inetu.net (kiss1.inetu.net [209.235.192.61])
            by mx.gmail.com with ESMTP id d8si453499wra.2005.03.13.02.55.29;
            Sun, 13 Mar 2005 02:55:29 -0800 (PST)
    Received-SPF: pass (gmail.com: best guess record for domain of  designates 209.235.192.61 as permitted sender)
    Received: (qmail 22788 invoked for bounce); 13 Mar 2005 10:55:28 -0000
    Date: 13 Mar 2005 10:55:28 -0000
    From: MAILER-DAEMON@kiss1.inetu.net
    To: ***MY*NAME***@gmail.com
    Subject: failure notice
    Message-ID: <42341c21.38edead4.6aae.6215SMTPIN_ADDED@mx.gmail.com>
    

    Is it counted as phishing and should I report it as so?


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    It's almost certainly a mass-mailing virus. When it infects someone's PC, it reads through their address book and sends itself on to their contacts. It uses random addresses from the book as the from and reply-to addresses to hide itself. The only thing you can do about it really is to mail anyone you think would have you in their address book and tell them that if they have any @linray.com addresses in their address book that they probably have a virus. Other than that you could try submitting it to the various anti-virus companies in case it's a new one so they can update their definition files. There's not really anything google can do about it, although it never hurts to change your password once in a while.


  • Registered Users, Registered Users 2 Posts: 1,065 ✭✭✭Snowbat


    As stevenmu says, it is a mass-mailing virus. The giveaway is the .com executable file disguised as a gif MIME type
    Content-Type: image/gif;
           name="ejilaadmail.com"
    Content-Transfer-Encoding: base64
    
    Your email address was scraped from the address book of a victim or harvested from a web page or Usenet and one or more virus mails were sent out using your email address as the From address. What you got there was an accept-and-bounce from kiss1.inetu.net for several undeliverable linray.com addresses (mail.linray.com has an ip address registered to inetu.net so that's legit). The sender is using a Korean ip address. You should report it through Spamcop to ensure that reports go to the correct ISPs.

    If I received this, I'd also send a mail to operations (at) inetu.net asking why their mail system is configured to bounce undeliverables AFTER accepting for delivery instead of SMTP 5XX rejecting at SMTP time. This type of configuration is now frowned upon in mail circles - bouncing viruses will land kiss1.inetu.net in blocklists faster than they can say "spamtrap?".
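
Added example (not part of any poster's message): the two checks the replies above describe, done with Python's standard `email` module. It recognises the message as a bounce by its null Return-Path, reads the handoff host from the Received line, and flags an attachment whose declared MIME type disagrees with its filename extension. The sample message is constructed from header values quoted in the thread; the body layout, the placeholder recipient and the `analyze` function name are assumptions.

```python
import email
import re

# Extensions Windows executes regardless of the MIME type the sender declared.
EXECUTABLE_EXT = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
MEDIA_TYPES = {"image", "audio", "video", "text"}
# Constructed sample: header values come from the thread, the body layout is assumed.
SAMPLE = """\
Return-Path: <>
Received: from kiss1.inetu.net (kiss1.inetu.net [209.235.192.61])
        by mx.gmail.com with ESMTP; Sun, 13 Mar 2005 02:55:29 -0800 (PST)
Received: (qmail 22788 invoked for bounce); 13 Mar 2005 10:55:28 -0000
From: MAILER-DAEMON@kiss1.inetu.net
To: user@example.com
Subject: failure notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed for the listed recipients.
--b1
Content-Type: image/gif;
       name="ejilaadmail.com"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def analyze(raw):
    msg = email.message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    # A null envelope sender (Return-Path: <>) marks a bounce, not a message you sent.
    is_bounce = (msg.get("Return-Path") or "").strip() == "<>" or sender.startswith("mailer-daemon@")
    # The first "Received: from" line is written by the receiving MX; it names the host that bounced.
    handoff = None
    for line in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)", line, re.S)
        if m:
            handoff = (m.group(1), m.group(2))
            break
    mismatched = []
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to the Content-Type name= parameter
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXT and part.get_content_maintype() in MEDIA_TYPES:
            mismatched.append((part.get_content_type(), name))
    return {"bounce": is_bounce, "handoff": handoff, "mismatched": mismatched}
```
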

