IP Address used to hijack Outlook Express

Hello to all,

After 12 hours of research on the web trying to find out how someone I don't know (but sent an e-mail to through a 3rd party site on 2 occasions) got into my Outlook Express mailbox (resident on my hard drive) using my IP address. They stated that they had my IP address (from their e-mail), and that they could now "audit all my emails". How is that possible? How can I prevent this from happening again? How compromised is my machine/passwords/etc? I run Norton IS 2007 and have a cable modem with Cox Communications as my ISP. Cox Comm says that my IP address is leased in 24 hour increments, but that I have to turn the modem & computer off for 24 hours to reset the IP address - seems cumbersome.

I know this person has access to my OE because they read e-mails back to me verbatim, and they contacted at least one person that I communicate with regularly. Note: this person has no access to my machine as it's a home PC and I live alone. Any help would be greatly appreciated.

One last thing: I have an e-mail from this person with headers, etc, and they stated that they couldn't be traced because they use a "scrubbing system". Those of you that like payback, feel free to assist as you see fit - I'm about to the step of calling the police at the urging of my ISP, but I prefer to get even rather than getting mad... after getting my system secured of course. Any and all help is greatly appreciated!

SWD

 

Can NOBODY on this site give me any insight into what I'm experiencing or how this happened? I really thought that nearly a week after posting this message, I'd have some insight... Is a worldwide security forum the wrong place to get help? If so, where should I look?

 

Hi,

Maybe your system is infected by something.
So I would go to one of the forums where experts will have a look at your HijackThis logfile.
(The Wilders-forum doesn't do HijackThis anymore.)
Some examples:

http://gladiator-antivirus.com/forum/index.php?showforum=170

http://www.dslreports.com/forum/cleanup

http://www.bleepingcomputer.com/forums/forum22.html

Usually such a forum has its own guidelines with steps required for HijackThis analysis.

 

Three possibilities:

• Spyware on your machine (follow FanJs recommendations or see the Castlecops Malware Removal and Prevention guide - if something is found, change all your online passwords also).
• Someone on your cable network segment running a packet sniffer to view everything you send and receive (switch to an encrypted protocol like POP3S or use an https:// webpage to view your email - assuming your email provider offers one).
• Someone at your email provider having access to their server (the least likely option, but reporting it and changing provider is the only option).

See Reading Email Headers for information on how to track down the real source of an email - unless this person is using anonymous remailers (which tend to be unreliable) or has hijacked someone else's system (a popular spammer tactic but totally illegal), it should be possible to determine their ISP/email provider and report this to them.

The downside of trying to "get even" is if the perpetrator calls in the police, or you goof up and target an innocent bystander. Unless you feel you have something to hide, contacting the police yourself on this would be a better option - at the very least it should provide more leverage in dealing with ISPs in tracking down this abuse.

 

Thank you for the help Paranoid2000. I have read the "Reading Email Headers" a few times, but I really can't make that much sense of it as I don't know what is important in the return path/source and what is not. I have also begun taking the steps that were suggested by the poster just before you and working to tighten my system security via the links he(she) provided, but it is pretty overwhelming to try to educate myself on the massive amounts of information out there.

Below is the complete "DETAILS" from the last e-mail that I received from this person that got into my mail, and it's shown below. I would like to be able to assist this investigator that's working on this more than I am right now.

What does this header tell you? I ask because you suggested that there might be a person on the inside at my mail service (Cox Communications) that my mail client, Outlook Express, sends and receives mail through. I believe that is a possibility, but can't be sure with the @gmail.com return address.

Again, thank you very much.




Return-Path: <mmurtazina@gmail.com>
Received: from eastrmimpi03.cox.net ([68.1.16.121])
by eastrmmtai102.cox.net
(InterMail vM.7.05.02.00 201-2174-114-20060621) with ESMTP
id <20070404201034.LBBW15593.eastrmmtai102.cox.net@eastrmimpi03.cox.net>
for <swd2k@cox.net>; Wed, 4 Apr 2007 16:10:34 -0400
Received: from an-out-0708.google.com ([209.85.132.247])
by eastrmimpi03.cox.net with IMP
id j8AM1W03N5LRCXD0000100; Wed, 04 Apr 2007 16:10:32 -0400
Received: by an-out-0708.google.com with SMTP id c25so389467ana
for <swd2k@cox.net>; Wed, 04 Apr 2007 13:10:34 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
d=gmail.com; s=beta;
h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
b=gQhAIVwk16oLxiI4F4FJCCsUbRBfwPm6IZZEUKQtcvnFZvN0KXnnB329mFq8t7XvLM9Qr7acQSO/J5AIMsbl/MI2KGVt1f0ptNWXD/LvoU/sghLwP6EMl9hcAudLpXBek/Ihe30s398+vXEiRe82uXZhpNGD3M6xfYLRYdSVb5o=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=beta;
h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
b=nNFa4DVjZz2d9/m94dIUTqwevcwYKLyNuAcGrO4OZft3C6v0xHkS5pScNbgpBTDAPNCZWhPlQsW5cqA4t06PX63WabiPB/TnHeDcInzG7TqP3MW/aW3qpPW0E4sW2Y2ISpmQfyhW/v418hEO+U15kjVVfdgD0u9PHLIQhg+HdWk=
Received: by 10.100.111.16 with SMTP id j16mr764851anc.1175717433341;
Wed, 04 Apr 2007 13:10:33 -0700 (PDT)
Received: by 10.100.213.12 with HTTP; Wed, 4 Apr 2007 13:10:33 -0700 (PDT)
Message-ID: <1fa41e7d0704041310n5d69617fp5e5cd36ffaf1ac7b@mail.gmail.com>
Date: Wed, 4 Apr 2007 16:10:33 -0400
From: maria <mmurtazina@gmail.com>
To: swd2k <swd2k@cox.net>
Subject: Re: my fantasy - w4m - 20
In-Reply-To: <007601c776f1$653693e0$6e00a8c0@HPDesktop>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_93201_21672285.1175717433103"
References: <002801c776b9$84278bc0$6e00a8c0@HPDesktop>
<1fa41e7d0704041229q16a11c95q97569a80f8542a4a@mail.gmail.com>
<007601c776f1$653693e0$6e00a8c0@HPDesktop>

 

Received: from an-out-0708.google.com ([209.85.132.247])

This email came from Gmail (209.85.132.247 is a Google address and it has a DomainKey signature to prevent spoofing) so report it to their abuse address, gmail-abuse at google.com.

Received: by 10.100.111.16 with SMTP id j16mr764851anc.1175717433341;
Wed, 04 Apr 2007 13:10:33 -0700 (PDT)
Received: by 10.100.213.12 with HTTP; Wed, 4 Apr 2007 13:10:33 -0700 (PDT)

These lines indicate the actual source but 10.x.x.x addresses are reserved for private use only so they are most likely servers in Google's internal network (I'm not saying the abuser is Google though - the last line showing HTTP is most likely typical of someone using Gmail's webpage).

There's nothing to stop this individual from opening another Gmail account should this one be closed, but if you keep reporting them then they have to work a little harder - and should realise they're wasting their time a little sooner.

 

Paranoid2000,

If I understand you correctly, the e-mail most likely originated from a Gmail account and came through the Google servers. Right? Is the IP address that you zeroed in on the user's IP, or is it a Google IP, one in a range that they might randomly assign as a dynamic IP to any given user at any given login time?

The police detective that I spoke with this morning is anxious to work on this, but I'm sure you can surmise where it falls on his priority list as it doesn't appear anything serious has occurred yet (no passwords stolen, no bank accounts accessed, no sensitive data erased, etc.). I could not find a link in Google's help screens to report the IP you mentioned, but I'm also not anxious to move on this at light speed. I want to be deliberate and cover all my bases as I build the case.

Any other suggestions are greatly appreciated. Thank you again.

 

That email definitely came from Google's server - only Google themselves can check where it came from prior to that by reviewing their server logs.

They should, in turn, be able to provide the IP address from which the post was made which will (unless this person was using an anonymising proxy, in which case there is likely nothing further you can do) give you that person's ISP (lookup the IP address using NWtools as per the previous link above). You then need to contact that ISP to find out who was allocated that IP address at the time of posting (though most should require a court order for this).

Please report this to Google using the email address I gave you previously - gmail-abuse at google.com (you need to replace " at " with @ to get the proper address, I'm obfuscating it to avoid having it picked up by spammers).

 

It is a bit late for this to be helpful to the original, perhaps, but perhaps a future Googler will get something from this reply.

I has something like this happen to me. In my case, people kept getting messages that their email to me was undeliverable, even though I was receiving their messages. The error message always referenced an address that was supposedly invalid, and which no one recognized.

I usually use Outlook Express, but one day I had to access my email via Internet Explorer, and so used the online access to my account my provider (comcast) offers. I discovered a whole batch of email settings that are controllable online that were not configurable within Outlook Express.

It appears that someone hacked my password (which is now less obvious and changed more often, thank you) and then went into the Comcast settings and had all of my email forwarded to them. So long as the forwarding address was valid, they got copies of my mail, and no one had any clue anything was wrong. It was only when the hackers forwarding account was inactivated that folks started getting the bounce messages.

For quite a while, I was just clueless about what was going on. Comcast security was no help, either. It was not until I stumbled on my online settings that I found the problem. There were other problems as well, but they are not relevant to the problem.

So, if someone seems to be getting your email, or you are just paranoid, it is worth accessing your email online via your service provider and looking thru your settings.