How was this spam generated?

User Help for Mozilla Thunderbird
jwriter
Posts: 99
Joined: March 5th, 2006, 11:37 am

How was this spam generated?

Post by jwriter »

Somebody is sending spam using my friend's return address. For discussion, let's say her address is "mary@yahoo.com". Please see snippets below taken from three of these messages.

Received: from [86.111.112.160] by web62302.mail.re1.yahoo.com via HTTP; Thu, 21 Apr 2011 14:38:00 PDT
Received: from [194.126.111.66] by web62301.mail.re1.yahoo.com via HTTP; Sat, 09 Apr 2011 06:39:32 PDT
Received: from [83.50.79.219] by web125413.mail.ne1.yahoo.com via HTTP; Fri, 17 Jun 2011 06:20:02 PDT
1) Were the computers that generated the spam connected to the listed IPs?
2) I believe these are in Poland, Estonia, and Spain, respectively. How does the spammer do this? Is there malware running on computers in these locations without their owners' knowing?
3) Does it appear that somebody logged onto yahoo and that yahoo accepted the messages as valid and sent them?
4) Did the spammer use a legitimate yahoo email address and password to do this?
5) Can we assume that the return address "mary@yahoo.com" was spoofed? Is it just a coincidence that she uses yahoo and the originating server is also apparently yahoo?
6) Can yahoo inform the legitimate user so that he/she can change their password?
7) Since the IP numbers are geographically far from my friend's location, can I assume her computer is not the source?
8) Is it likely that my friend has malware on her computer? In other words, does this problem indicate she might also be used as a spam source, and should she have her computer checked?
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: How was this spam generated?

Post by tanstaafl »

1. Can't tell for sure without seeing more of the list of Received: from headers.
2. They might use a botnet. http://en.wikipedia.org/wiki/Botnet
3. Yes, but that doesn't mean they used yahoo webmail. Yahoo has a mail API they could have a program call.
4. Probably.
5. Yes.
6. There is no reason to believe your friend's account has been compromised. You can easily spoof the From: address regardless of who actually sent it. In fact, many email clients have a built-in feature to do that, since it's also useful for legitimate users.
7. Yes.
8. No. It wouldn't hurt to run (the free versions of) spybot search & destroy and malwarebytes anti-malware but there is no reason to believe your friend has malware.

It's common for spammers to spoof the From: address using somebody else's email address. It's happened to me. They don't even have to know for sure that it is a legitimate email address to do this. In fact, the main aggravation is you may get a flurry of messages bounced to you due to them sending email to invalid addresses while using your From: address.
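Since the thread turns on reading the Received: lines, here is an added example (not code from either poster or from Thunderbird) that parses the three lines quoted above into structured hops; the regex, function names and the `earliest_hop` helper are my own choices.

```python
import re
from email.utils import parsedate_to_datetime

# The three Received: lines quoted in the thread, one from each message, joined
# into a single block so the parser can be run on them. A real message carries
# one line per relay, so a full header block would have several per message.
SAMPLE_HEADERS = """\
Received: from [86.111.112.160] by web62302.mail.re1.yahoo.com via HTTP; Thu, 21 Apr 2011 14:38:00 PDT
Received: from [194.126.111.66] by web62301.mail.re1.yahoo.com via HTTP; Sat, 09 Apr 2011 06:39:32 PDT
Received: from [83.50.79.219] by web125413.mail.ne1.yahoo.com via HTTP; Fri, 17 Jun 2011 06:20:02 PDT
"""

# Matches the trace form "from <helo> [<ip>] by <host> via <proto>; <date>".
# The HELO name is optional because the yahoo webmail hops above carry none.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?:(?P<helo>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+via\s+(?P<via>[^\s;]+))?"
    r"[^;]*;\s*(?P<date>.+?)\s*$",
    re.IGNORECASE,
)


def parse_received(line):
    """Return the fields of one Received: header, or None if it is not in the expected form."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    hop = m.groupdict()
    # parsedate_to_datetime understands the zone names used here (PDT -> -07:00),
    # which lets timestamps from different hops be compared on one scale.
    hop["date"] = parsedate_to_datetime(hop["date"])
    return hop


def received_chain(headers):
    """Parse every Received: line, in header order: top is the latest hop, bottom the earliest."""
    hops = [parse_received(line) for line in headers.splitlines()]
    return [h for h in hops if h is not None]


def earliest_hop(headers):
    """The bottom-most Received: line of one message, i.e. the first relay to see it.
    Only lines added by relays you trust are reliable: anything below the first
    trusted relay could have been written by the sender, which is why the full
    chain is needed before drawing conclusions about the origin."""
    hops = received_chain(headers)
    return hops[-1] if hops else None
```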
Daifne
Moderator
Posts: 123071
Joined: July 31st, 2005, 9:17 pm
Location: Where the Waters Meet, Wisconsin

Re: How was this spam generated?

Post by Daifne »

In addition, there have been a lot of Yahoo, Hotmail and GMail accounts getting hacked into recently. They will use the accounts to send out spam to the account's address book. Just to be on the safe side, have your friend change her password at Yahoo to a strong one.
jwriter
Posts: 99
Joined: March 5th, 2006, 11:37 am

Re: How was this spam generated?

Post by jwriter »

Thanks for the explanations.

jwriter wrote: 6) Can yahoo inform the legitimate user so that he/she can change their password?

Sorry, what I meant to say was, can yahoo inform the person who owns the account that was used by the botnet to get in? I agree it is probably not my friend. If I send yahoo the headers, will they generally do this or is it too much trouble for them? It seems like the best way to stop the spammers is to disable the compromised account or change the password as soon as possible.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: How was this spam generated?

Post by tanstaafl »

No idea if contacting yahoo would do any good, since it's not clear that they would bother to do anything or that the owner of the PC even owns the yahoo account. There are also privacy concerns, especially in Europe.

Changing the password to something harder is a reasonable precaution, though it's not clear that the account was ever compromised. It might even have been somebody else's account that was compromised, and your friend was in their address book.

You might find http://www.information-age.com/article- ... spam.thtml interesting, though it's old.