It started Sunday afternoon. One of my gmail boxes was randomly sending out mail to everybody, and one of my kids kindly returned it.

No windows in sight, I wasn't using gmail when the mails went out, I certainly wasn't logged in. I will confess to a careless attitude about internet security. The other mailbox seems fine. I'll stick a mail up on

http://pastebin.com/kb1u4MQU

It looks more like script output than spam, but there are my mail contacts being used. Fortunately, that one has more bots and daemons than people as contacts, so humiliation is limited. I don't download dodgy codecs or packages, porn, or crap. I'm not on facebook, twitter, bebo or any social networking site. I'm running slackware-13.1 and firefox-3.6.x. I've killed the offending box just in case. My other one is on slackware64-13.1 and firefox-3.6x :-/. I do mail at home - not out.

Can anyone make sense of this?

Sorry, can't read the link, can you post the content of an email including headers ?

I can't get to the link either.

Does your Gmail account use the same password as any other login you have?

Also, Gmail kinda-sorta keeps a "log" of IP addresses used to login. It's at the bottom of Gmail, you should see something like "Last account activity: 4 hours ago", with a "Details" link following.

I couldn't get to the link either. It showed me a Microsoft Live login page.

First thing you do, change your Gmail password to something new, unique, and complex. Do not use that password for anything other than your Goggle account. Then troubleshoot.

Sorry about the links. I know a little about headers, but I didn't see any
I have this in my other gmail account. I did a 'view source', copied & pasted that into OO andedited out my name befiore saving it off as spam.html

http://cid-9936144096ff2c07.office.l...se.aspx/Public
Also
http://pastebin.com/kb1u4MQU


There's no 'received from' stuff. It looks like script output. I 'always use https' on gmail. I did a check with rkhunter and that seems fine.

It looks like an HTML and Javascript page, or an HTML based email. It is really hard to read in the current non-code-format, but scanning through it I see comments about alerting the user that they need to enable javascript, then lots of links of things like youtube, and other "if you can't access it, click this link", etc. I suspect that it an attempt to get them to go to a URL to obtain some garden variety malware.

If this was coming from your gmail account, there is a good chance that they compromised your gmail password and relayed using your account. Be sure to double check your local logs if you relay through your gmail from home.

Also, is there anyway you can get the "full" header from a message that was sent out? This would help confirm how the compromise happened.

That's what I thought - html-javascript. In fact all that crap is thrown up by gmail. Using the simple view, I still get no meaningful headers:-((. No relaying of mail going on here. I cut my teeth on spamassassin,dcc,Vipul's Razor, and mail servers, and have no wish to suffer that again.
There were 3 different types of spam sent in turn, and these had the same url, so I ran that down and complained there. What's upsetting me is that I used to snicker loudly at my windows users suffering email problems, spam, hacking, & malware. Now I'm the one apologising and it's their turn to laugh :-/. Needless to say, I want to end it. Changing the gmail password was a first step - I also notice the 'always use https' was no longer checked, so I fixed that. Still no clearer what happened.

I don't see anything unusual about that html you posted.

I agree with others in that probably your password was cracked. Was it strong ? If not, it's very likely that it was cracked.

There is no reason to think that Linux is involved. Public email providers are an easy target for bad guys. Once they get a valid email address they can use a program to continuously try to guess the password. Eventually they succeed on some email accounts. Email account break ins are more widely known about at Yahoo! Mail but any email provider, including your ISP, is susceptible to email account break ins.

Given that it is still wise to judiciously control Java in your web browser by means of NoScript or some other add on. Java is easiest way to get viruses to run on Linux. Web pages and email are the easiest method of delivering them. If you get a Java keylogger running in Firefox and then you log on to your email account then you are compromised.

1 members found this post helpful.

The password was reasonable, but not perfect in terms of security. one letter and a random number string.
I'll chase down that NoScript addon

Sorry for simple question, maybe do I not read you correctly, but how do you known this? Is that some people get mails with your email as sender or these posts are in your outbox folder? You known that when sending email everybody can enter any email as sender, even not belonging to him or nonexistent.

1 members found this post helpful.

eSelix, thank you for reminding us of this fact. One of the missing piece of key information in this thread has been the full email headers. Take for example the snippet from the email header below from one of those pharmacy spam messages that happened to make it past my spam filter. You can see that it claims to be from a yahoo mail, but in fact was not. Given that it was even relayed through a localhost address on the originating server is also noteworthy in that it suggests that this is the machine that is responsible.

1 members found this post helpful.

@eSelix: I concluded that my mailbox was sending out randomly when I found 9 spam messages in the sent mail.

@NoWay2: Agreed the headers are a vital piece of spam detection. Unfortunately gmail don't provide any option to give you headers. In this case, as the sent mails were lying in the sent mail of the offending mailbox, I think we can presume gmail sent the mail. After googling gmail help, I came up with the method for viewing headers, i.e.
1. Open the message
2. click on the down arrow beside the "Reply". 'Show Original' is an option - click on that. This gives:

[SNIP!]

Whether I unknowingly had a gmail tab open, or gmail was compromised I don't know. I think the chance of my password being available elsewhere are remote. The java exploit route seems the most likely to me atm. It's the one explanation that makes sense. Added to this, there is a paypal account with that handle which (lazily) had the same password, but that was untouched.

Unfortunately using the NoScript addon causes a lot of pages to decide Java is not enabled, e.g. youtube. ou learn as you go.

I'm marking this solved and thank you all for your kind help.
I've learned how to prevent a repeat, and a most probable scenario for what happened

I sent apologies to about 25% of the addresses spammed. I'm sure the spam fooled nobody. It was the mailbox I keep for 'online stuff' so the contacts were 75% subscribe & unsubscribe, something-users lists, bugzillas, lq, and the occasional real person. The Christmas shopping line, or any iphone ad would jar with those who know me. I don't do xmas/saturnalia at all, haven't done for years, and am an android user. That leaves the odd developer spammed on whatever mailbox he had years back :-/. It did prompt a cleanout of dud & ancient contacts, which I would recommend to anyone.

yeah went through the same thing in December... And I am most of the time a privacy paranoid... Someone from Brazil brute forced my pw.. Which was a strong pw.. 9 chars random numbers and letters.. Needless to say, I did the same thing you did, cleaned out ancient contacts, changed all passwords to Stronger num letters upper and lower with special char. Then turned that account into a junk account... Sucks but it happens to the best of us at times. =/

I def applaud Google for it though, because of the info they dumped on me, and did block the sent mail, cause of unusual activity.. So Thumbs up to them..

But a headache worth of work on my end...

Oh well Live and Learn.