Email compromised by spammers


#1

I have a user whose email keeps getting compromised by spammers. It has happened around 3 times and I'm not sure what to do to resolve it. His laptop has been checked and has active and up-to-date virus/malware screening. Anyone have any suggestions?

Thank you.


#2

You mean they’re using his account to send out spam email?

Is the email hosted on DreamHost or on Google Apps?


#3

Correct, and yes, it's an email hosted by DreamHost. This is the message I keep receiving from support:

We have received notification that your e-mail address has been compromised by spammers and was being used to send out spam. This means that your user's password has likely been compromised. Your user's password has been changed to a random string to prevent the intruder from logging back in. Please do NOT change the password back to what it was previously! Going forward we need you to:

1. Ensure that you (and all of your users) have active and up-to-date virus/malware screening on all computers they use to connect to DreamHost. Infected computers are often how strong passwords are stolen.

2. Pick a new password for this user via the DreamHost control panel under "E-mail" -> "Manage Addresses" -> "Edit". Your new password should not bear any similarity to the old one, should not be one you've used with any other online service, and should not contain any guessable components.

– Dreamhost Email Security Team


#4

Is the user changing the password back? I know it's a silly question, but the simplest answer is usually the most obvious. If this user is the only one getting spammed like that, then it's probably not your IDs/passwords that are compromised, which is a good thing.

The next obvious answer is that his laptop may not actually be clean :confused: That is hard to check remotely. I'd ask him what kind of virus checking he's using.

Also, does he have any hosting with contact forms that use that email? It's possible that form is being used to spam.


#5

No, the user is not changing the password back. I only handle the website part, but I have been told by their IT that they have checked his laptop multiple times and have found nothing. He is also the only user that is having this problem.

I am using a form (plug-in) that is associated with his email, or rather directs to his email. How would I troubleshoot that? There are other forms on the site that direct to other emails that aren't experiencing any problems.

Thank you.


#6

Does the plugin log the emails sent?


#7

Not that I'm aware of. I'm using Contact Form 7. Users complete the form and the form is set up to distribute to various emails.


#8

That plugin should log the emails to the DB, but basically it's very possible that the form is tripping the spam filter, since it's going to 'various' emails and not just one.

Since the email associated with your forum ID isn’t the one for your site, I can’t go look at that for you.


#9

I didn’t see an Admin menu or anything listed under Contact other than the list of my forms. Also only one email is assigned to each form. I’m still unclear on what I should be doing differently to resolve this problem.

Thank you.


#10

Double posting now that I have the domain. I checked out your tickets. It looks like you made a 'new' email address, because the old one was getting repeat alerts. But that old email is still out there. Since it's a POP email, everything can be downloaded and you can delete it, to stop that.

Are you getting any alerts for the new email? I didn’t see any.

Mind you, I would really upgrade and activate Akismet and use these directions to prevent spammers: http://contactform7.com/spam-filtering-with-akismet/


#11

No problems with the new email yet, but based on the emails I was receiving from DreamHost I was under the impression that passwords were being compromised, so I figured it was just a matter of time before problems began again. I didn't think it had anything to do with the forms.

Once I upgrade to Akismet, can I continue to use the old email? That is the one on his business card and that he has used since he started work there.

Thank you.


#12

That’s a tough question. It depends on how the email’s being compromised. If you changed your contact forms to use the new email, then it’s unlikely they’re the cause (though still use Akismet, it’ll help you out in the long run).

I would delete the account anyway. You can always re-create it, and removing it may reveal (via error logs) the actual culprit. I’d make an email alias for the old account (so oldjoe emails are sent to newjoe). That way he won’t lose any emails, but people still can’t send mail as oldjoe.
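The thread keeps circling one question: is the mailbox's password being stolen, or is the contact form sending mail under his address? The following is an added example (not code from the thread or from DreamHost) that triages that question from mail logs; the log format and all sample lines are constructed assumptions, not real DreamHost output.

```python
"""Triage whether spam attributed to a mailbox came from logins with its own
credentials (password compromise) or from a web contact form that merely uses
the address as sender. Log format is an assumption modelled on typical MTA logs."""
import re
from collections import Counter

# Constructed sample lines (not real logs): <timestamp> <origin> <details>
SAMPLE_LOG = """\
2013-05-01T02:10:11 smtp-auth user=joe@example.com ip=203.0.113.7 status=ok
2013-05-01T02:10:12 smtp-auth user=joe@example.com ip=203.0.113.7 status=ok
2013-05-01T02:11:40 smtp-auth user=joe@example.com ip=198.51.100.23 status=ok
2013-05-01T02:12:02 web-form from=joe@example.com to=sales@example.com form=contact-1
2013-05-01T02:12:05 web-form from=joe@example.com to=joe@example.com form=contact-1
2013-05-01T02:13:55 smtp-auth user=ann@example.com ip=192.0.2.9 status=ok
"""
AUTH_RE = re.compile(r"^(\S+) smtp-auth user=(\S+) ip=(\S+) status=ok$")
FORM_RE = re.compile(r"^(\S+) web-form from=(\S+) to=(\S+) form=(\S+)$")

def triage(log_text, account):
    """Count, for one address, successful SMTP AUTH logins (and their client IPs)
    versus messages a contact form emitted with that address, and give a verdict."""
    auth_ips = Counter()
    form_count = 0
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(2) == account:
            auth_ips[m.group(3)] += 1   # someone authenticated AS this account
            continue
        m = FORM_RE.match(line)
        if m and m.group(2) == account:
            form_count += 1             # the form set the address as sender
    auth_count = sum(auth_ips.values())
    if auth_count and len(auth_ips) > 1:
        verdict = "credential-compromise-likely"  # one account, several client IPs
    elif form_count and not auth_count:
        verdict = "form-origin-only"              # no logins at all; the form sends
    elif auth_count:
        verdict = "single-client-logins"
    else:
        verdict = "no-activity"
    return {"auth_count": auth_count, "auth_ips": sorted(auth_ips),
            "form_count": form_count, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "joe@example.com"))
```

Form-generated mail never involves an authenticated login as the user, so a compromised password shows up as AUTH entries (often from several IPs) while a misused form shows up only as form submissions.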