Darrell A. Martin wrote: > Using a "throwaway" account for such things is probably unnecessary > paranoia. But if so, it is a pretty intelligent form of the disorder. [grin] I have several reasons for using "throwaway" accounts, paranoia isn't one of them <G> It's mainly so that if I change my ISP for any reason, I can still be contacted because I'm not using an ISP address. And, yes, I have changed my ISP several times. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

Mary Ann Lubinsky wrote: > Every time a hacker hits one of my lists, I send out a warning to > the list not to click on the link or to respond to Yahoo. I also > warn them that if they did already click or respond, they are also > now infected with instructions on how to clean the hacking. You can't clean a hacking because it's not an infection as a virus is, but you can take steps to prevent it, possibly only in the short term. The usual and apparently effective method is changing the password, preferably to a very much stronger one. If someone has clicked a link, then they are likely to be infected with a virus, a trojan or other malware and steps do need to be taken to clean their machines. Unfortunately many people think just running a scan with an anti virus program will solve the problem. That's not necessarily correct. There are also many who think having the program on their machine is enough without realising (or accepting/believing) they need to update it regularly. The same goes for any security program, including software firewalls. > Each one of my lists has been warned countless times yet it keeps > happening over and over again. I can't help wonder how many > warnings it will take to sink in. Some people won't believe it'll happen to them, it'll happen to someone else. They don't realise they ARE that "someone else" to someone else. > > I just received this message supposedly from Yahoo: > > Dear Customer > > Your E-mail account has exceeded its limit and needs to be > verified, if not verified within 24hours, we shall suspend your > account. > > It was signed Yahoo and there was a link to click on which I have > not included in this message. This can only mean that there will > be another rash of hackings from Yahoo in the near future. If only > people would heed the warnings about these messages and not reply > or click on the link. I've had those supposedly from Gmail, which Gmail has dumped in the junk mail folder. I've also had them from other email providers and ISPs to my Gmail account! And treated with the same contempt LOL Most of my email accounts have been hit with similar false claims. Ditto banks, some of which I've heard of before. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

JYoung6180@aol.com wrote: > The only issue I have with just deleting the subscriber spam is that even > IF their own address is the from and TO address very often ISPs block that > mail as likely being spam. I know AOL would probably just block that and I'd > never see it. I'm not sure about that. It may be different your side of the pond to mine. It's a recommended way for sending out newsletters without disclosing long lists of addresses. Just put all the addresses in a folder with the senders name as the folder name, then put the folder name in the To field. The alternative is to put the recipient addresses in the BCC field but the sender's address in both the To and From fields. I would think ISPs and email providers would work on the content rather than purely the To and From fields, if they considered them at all. I know they do take bulk mailings into consideration because some of my subscribers have had to specifically tell their ISP or email provider to allow Rootsweb mail. I've had to tell mine to allow certain newsletters. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

Deloris- Getting spam on a list due to compromised subscriber email accounts is not a good reason to moderate the entire list. Just put the addresses on moderation that the spam is coming from until the people can fix the problem. I don't believe there is any correlation between real list posts and spam being generated from those subscribers with compromised accounts. It seems as if all of the compromised accounts trigger spam at the same times...times when the entity controlling the spam choose to send a batch of it over and over again on a semi-regular basis. All addresses you have under moderation that send spam will just get stuck in pending requests...they only get one through before they are moderated. Joan In a message dated 3/10/2013 7:10:24 P.M. Eastern Daylight Time, del_williams@comcast.net writes: But that same list had been receiving a lot of spam just before Christmas from members who were subscribed, where I constantly had to send the links to Archive Removal. It got so bad that I finally put the entire list on moderation for awhile. Apparently, many addresses had been compromised and whenever anyone posted a real message, we'd get bombarded with spam from the hacked accounts.

That was the problem, it wasn't just one spammer that was coming through, it was coming from a multitude of addresses after the first ones went through. It started with one or two different email accounts posting a link, and I suspect some of the members were clicking onto the link because next, a bunch of new addresses would start coming through with spam, and it kept going like that for several days, each day I was making sure that the ones that got through were removed from the Archives. Even though I was telling people to not click onto anything, some of them apparently were, and they seemed to have kept setting another round of spam off. So that was when I realized, that it had to be controlled, and I did put everybody on moderation for a couple of weeks so that at least that thing couldn't keep spreading to others. Even though it is no longer moderated, and RW has removed all of those addresses which had sent spam, this new round of spam is coming through non-subscribers, as I have said, which of course, can't get through, and I wouldn't be surprised if they were some of the same folks who had been unsubbed before because they may not have done anything about their computer. A lot of people who get hacked only just change their email addresses or get new ones and don't close or even try to fix their compromised accounts, not a very smart thing to do. Deloris From: JYoung6180@aol.com Sent: Sunday, March 10, 2013 9:00 PM To: del_williams@comcast.net ; listowners@rootsweb.com Subject: Re: [LO] Yahoo Spammers Deloris- Getting spam on a list due to compromised subscriber email accounts is not a good reason to moderate the entire list. Just put the addresses on moderation that the spam is coming from until the people can fix the problem. I don't believe there is any correlation between real list posts and spam being generated from those subscribers with compromised accounts. It seems as if all of the compromised accounts trigger spam at the same times...times when the entity controlling the spam choose to send a batch of it over and over again on a semi-regular basis. All addresses you have under moderation that send spam will just get stuck in pending requests...they only get one through before they are moderated. Joan In a message dated 3/10/2013 7:10:24 P.M. Eastern Daylight Time, del_williams@comcast.net writes: But that same list had been receiving a lot of spam just before Christmas from members who were subscribed, where I constantly had to send the links to Archive Removal. It got so bad that I finally put the entire list on moderation for awhile. Apparently, many addresses had been compromised and whenever anyone posted a real message, we'd get bombarded with spam from the hacked accounts.

famh1story@aol.com wrote: > This isn't hackers and to use that term is misleading. These are > emails that send you to a page that registers a click through and > also contains a phishing program that looks at your saved passwords > for hotmail and yahoo emails. All it needs to stop an account from > sending the mails is a change of password after running a spyware > checker. Sorry but it IS hacking. Whilst they do send a link with a payload, the origin is a hack. Yahoo have admitted as much. If it was a phishing program it wouldn't go purely for passwords for hotmail and yahoo mails, it would go for ALL email addresses in the account and a LOT more besides . If you look at the headers on these hacked addresses, you'll see addresses from a very wide range of ISPs and email providers. It's quite possible the hackers are also using a program which will tell them if a mail has been opened and how long it was open for and it won't be obvious by looking at the headers either. Nor is it a "read receipt". These can be refused any way in an email client at least - well, it can in mine. The program wasn't intended for hackers and spammers but, hey, since when's that stopped 'em? ALL the addresses this current round of malicious link mails are coming from are Yahoo accounts or accounts where Yahoo is providing the service, such as BTInternet, Xtra and ATT. There will be others. There are one or two coming from AOL addresses but I'm not currently seeing any from Hotmail addresses. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

Knowing Yahoo as we do, I would say that more problems are almost inevitable :-( Nivard Ovington in Cornwall (UK) On 10/03/2013 20:46, Charani wrote: > Nivard Ovington wrote: > >> It may be worth noting that Sky (currently Gmail) is passing all their >> email accounts over to *Yahoo* in April > > <groan> > > Thanks for the alert - I think. I'll add sky addresses to the list. > >> So expect plenty more hacked accounts > > Hopefully not but that's probably a hope in vain. > >

Nivard Ovington wrote: > It may be worth noting that Sky (currently Gmail) is passing all their > email accounts over to *Yahoo* in April <groan> Thanks for the alert - I think. I'll add sky addresses to the list. > So expect plenty more hacked accounts Hopefully not but that's probably a hope in vain. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

famh1story@aol.com wrote: > I know on the busier lists it may not be possible but I just email > the sender and inform them their accounts been compromised and they > should run a spyware cleaner and then change the password. This is > caused by people storing their hotmail and yahoo passwords. This is > also not hacking its a phishing scam to enable spam. It is hacking, that's for sure. I had a member of one of my lists have their account hacked. Someone else on the list asked if that person was on the list to be aware their account had been hacked. The /hackers/ then came back and said the account had not been hacked. There were numerous differences between mails from the genuine list member and the hackers version. I am not going into what those differences were They don't need to phish to enable spam. All they need to do to enable spam is to spoof the address. I've had one of my spoofed. Nothing was sent to anyone I knew because I don't keep an online address book and I can remember most of my regular contacts' addresses. Incidentally, can you remember to delete the list's bounces address please? -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

JYoung6180@aol.com wrote: > If the spam is non-subscriber emails I agree with Charani---discard and > don't let the spammer know the address they spammed is valid. It just leads > to MORE spam. > > But if you have a compromised subscriber sending the spam and you have them > on moderated status rejecting the spam in pending requests from them can > help to alert the person that they have been hacked. When I've checked the addresses to which it's been sent, strangely it includes the address of the hacked account as well. That in itself would alert the victim as to what's happened. Whether the hackers realise what they are doing or not is another matter of course. Even when it's a subscribed member, I still discard. Then again, I've had hackers still in control of an account who've responded to mail sent to it. I have an address I use to advise subscribers with compromised accounts. It's not used for any other purpose. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

Hi Deloris It may be worth noting that Sky (currently Gmail) is passing all their email accounts over to *Yahoo* in April So expect plenty more hacked accounts Which is also causing me much work to swap over on all lists to another Gmail account Nivard Ovington in Cornwall (UK) On 10/03/2013 17:27, Deloris Williams wrote: > Yahoo must have had another major hacking this weekend, I've seen a lot of > people with those accounts coming through the lists the past couple of days > with spam. We need to keep a lookout and get those reported to the > Archives Removal, even though it won't be until tomorrow at the earliest > that RW does anything. > > > Deloris Williams >

One of my Lists that is usually an extremely active one, but which has been fairly idle since around Christmas, is receiving nothing but lots and lots of spam from non-subscribed addresses, so luckily all I've had to do was discard them. But that same list had been receiving a lot of spam just before Christmas from members who were subscribed, where I constantly had to send the links to Archive Removal. It got so bad that I finally put the entire list on moderation for awhile. Apparently, many addresses had been compromised and whenever anyone posted a real message, we'd get bombarded with spam from the hacked accounts. I kept telling people to get off of their computers and run both an anti-virus scan and an anti-malware scan, also pointing out to them that they needed to make sure that they were using an up-to-date anti-virus program. I frankly wouldn't be surprised if the same addresses that are now sending out spam to the list, were some of the ones who had been unsubscribed by RW back in December. It seems that no matter how many times one may tell people not to click onto any links in messages that come through with no subject and includes nothing but a link, there is always somebody who doesn't listen or understand. I've had some people tell me that they regularly stop their av scan when they're on their computer because it annoys them; I've also heard people who are totally surprised that just having av software on their computer isn't enough, that they also have to make sure that it is updating regularly, one lady told me she hadn't paid for her Norton in 2 years and it was still working on her computer. When I asked did she noticed if it had been updating in those 2 years, she said, "what's that? It's on my computer, that's all I need, right?". People really need to learn a little about their computers before they're allowed to use them. Deloris Williams -------------------------------------------------- From: "Darrell A. Martin" <darrellm@sprynet.com> Sent: Sunday, March 10, 2013 4:57 PM To: <listowners@rootsweb.com> Subject: Re: [LO] Yahoo Spammers > Greetings: > > A notorious gangster in the 1930s was asked, "Why do you rob banks?" His > answer was, "That is where the money is." > > If a spammer today were asked, "Why do you target Yahoo and AOL > accounts?", he might answer, "Because that is where the most addresses > are." > > Whether e-mail accounts are *hacked* (the evildoer actually gets some > level of control over the account), or *spoofed* (the spammer sends out > messages that only pretend to come from the account), the reason that > certain domains seem to generate more than others is 1+1=2 simple. AOL > and Yahoo have more subscribers. There are probably other factors, > including the relative sophistication of the typical user, but sheer > numbers is the big one. > > As list admins, it may help if we become familiar enough with message > headers to tell the difference between something coming from a hacked > account, or one that only pretends to. In the case of hacking, the > subscriber's account has been compromised; there is often something that > person can do to recover (and truth be told, there is often something > silly they have done to be in the position). In the case of spoofing, > though, the subscriber has no more control over the situation than if a > kid went out trick-or-treating wearing a mask with their picture on it. > > My recent experience has been that spoofing to my lists is very rare. > They don't even pop up in pending, that I notice. Perhaps RW has figured > out how to stop spoofed messages. > > Hacked accounts keep happening, however. Whether it is just dumb luck on > my part, or the relative inactivity of most of my lists, I don't seem to > get much of that, either -- and if there is any pattern among the > addresses, I haven't seen it. Almost all of the attempted spam to my > lists is now routed through the message boards. That is true to such an > overwhelming extent that I closed all the gateways (discussed a number > of weeks ago). > > Darrell > > > > ------------------------------- > To unsubscribe from the list, please send an email to > LISTOWNERS-request@rootsweb.com with the word 'unsubscribe' without the > quotes in the subject and the body of the message

M Nickless wrote: > > While looking at my list archives this morning to see if a > suspected spam message from a subscriber went into the archives, I > noticed that another ‘Spam” email made it through the list the > other day. > > I have already completely deleted that the email from my own > mailbox/spam box/deleted messages files, so can’t forward it with > all headers/footers to the Help Desk. > > Can anyone tell me if there is another way to remove that message? > Obviously I don’t want to use the Archive Removal Tool as it will > trigger a message to the spammer! Not necessarily. Even if it does, it'll tell the spammers you're on to them and won't let the spam remain. If the mail is in the pending folder, simply discard it - don't reject it and don't mark it as spam before deleting it. If you send the archive URL through to the Help Desk and ask them to remove it from the archives they will do so. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

Deloris Williams wrote: > Yahoo must have had another major hacking this weekend, I've seen a lot of > people with those accounts coming through the lists the past couple of days > with spam. We need to keep a lookout and get those reported to the > Archives Removal, even though it won't be until tomorrow at the earliest > that RW does anything. I've seen the same but I don't know whether it is another hack attack or the hackers/ spammers selling on the addresses they've harvested. I've put all Yahoo addresses on mod together with Yahoo supplied addresses as a result.. I know, there'll now be an outcry against that action BUT it stops the spam hitting the list then having to get it removed from the archives if the account holder can't or won't complete the removal process themselves. -- Charani (UK) OPC for Walton, Ashcott, Shapwick, Greinton and Clutton, SOM http://wsom-opc.org.uk

The only issue I have with just deleting the subscriber spam is that even IF their own address is the from and TO address very often ISPs block that mail as likely being spam. I know AOL would probably just block that and I'd never see it. Joan In a message dated 3/10/2013 4:31:23 P.M. Eastern Daylight Time, charani.b@gmail.com writes: When I've checked the addresses to which it's been sent, strangely it includes the address of the hacked account as well. That in itself would alert the victim as to what's happened. Whether the hackers realise what they are doing or not is another matter of course. Even when it's a subscribed member, I still discard. Then again, I've had hackers still in control of an account who've responded to mail sent to it. I have an address I use to advise subscribers with compromised accounts. It's not used for any other purpose.

Yes...if it made the list it didn't come through Pending Requests which would mean it is subscriber spam from a compromised account. Joan In a message dated 3/10/2013 3:48:46 P.M. Eastern Daylight Time, unicorn1950@comcast.net writes: I do just discard the non-subscriber spam that’s pending my approval without any further action. At this point I have no idea exactly where the one in Archives came from as it was deleted from all my mail boxes. It was not one that I was notified that was “pending approval”. I do have one in Archives as of this morning that came from the current Yahoo account of someone I have known for a long time. I’m waiting on a response from her before I use the removal tool, or moderate.

On 3/10/2013 4:28 PM, Mary Ann Lubinsky wrote: > Every time a hacker hits one of my lists, I send out a warning to > the list not to click on the link or to respond to Yahoo. I also warn them that if they did already click or respond, they are also now infected with instructions on how to clean the hacking. > > Each one of my lists has been warned countless times yet it keeps happening over and over again. I can't help wonder how many warnings it will take to sink in. > ... > Mary Ann Lubinsky Mary: It will take at least one more warning than the number you send out. And it is a moving target. [wry grin] Darrell

On 3/10/2013 3:31 PM, Charani wrote: [snip] > Even when it's a subscribed member, I still discard. Then again, I've > had hackers still in control of an account who've responded to mail > sent to it. I have an address I use to advise subscribers with > compromised accounts. It's not used for any other purpose. Charani: Using a "throwaway" account for such things is probably unnecessary paranoia. But if so, it is a pretty intelligent form of the disorder. [grin] Darrell

Greetings: A notorious gangster in the 1930s was asked, "Why do you rob banks?" His answer was, "That is where the money is." If a spammer today were asked, "Why do you target Yahoo and AOL accounts?", he might answer, "Because that is where the most addresses are." Whether e-mail accounts are *hacked* (the evildoer actually gets some level of control over the account), or *spoofed* (the spammer sends out messages that only pretend to come from the account), the reason that certain domains seem to generate more than others is 1+1=2 simple. AOL and Yahoo have more subscribers. There are probably other factors, including the relative sophistication of the typical user, but sheer numbers is the big one. As list admins, it may help if we become familiar enough with message headers to tell the difference between something coming from a hacked account, or one that only pretends to. In the case of hacking, the subscriber's account has been compromised; there is often something that person can do to recover (and truth be told, there is often something silly they have done to be in the position). In the case of spoofing, though, the subscriber has no more control over the situation than if a kid went out trick-or-treating wearing a mask with their picture on it. My recent experience has been that spoofing to my lists is very rare. They don't even pop up in pending, that I notice. Perhaps RW has figured out how to stop spoofed messages. Hacked accounts keep happening, however. Whether it is just dumb luck on my part, or the relative inactivity of most of my lists, I don't seem to get much of that, either -- and if there is any pattern among the addresses, I haven't seen it. Almost all of the attempted spam to my lists is now routed through the message boards. That is true to such an overwhelming extent that I closed all the gateways (discussed a number of weeks ago). Darrell

How do I find the "Archive Removal Tool". I had one get through last week. Jerry On Mar 10, 2013, at 3:48 PM, M Nickless <unicorn1950@comcast.net> wrote: > I do just discard the non-subscriber spam that’s pending my approval without any further action. At this point I have no idea exactly where the one in Archives came from as it was deleted from all my mail boxes. It was not one that I was notified that was “pending approval”. I do have one in Archives as of this morning that came from the current Yahoo account of someone I have known for a long time. I’m waiting on a response from her before I use the removal tool, or moderate. > > > > > > > > From: JYoung6180@aol.com > Sent: Sunday, March 10, 2013 11:58 AM > To: charani.b@gmail.com ; unicorn1950@comcast.net ; Listowners@rootsweb.com > Subject: Re: [LO] Help on removing a message from the Archives > > If the spam is non-subscriber emails I agree with Charani---discard and don't let the spammer know the address they spammed is valid. It just leads to MORE spam. > > But if you have a compromised subscriber sending the spam and you have them on moderated status rejecting the spam in pending requests from them can help to alert the person that they have been hacked. > > Joan > > In a message dated 3/10/2013 1:46:04 P.M. Eastern Daylight Time, charani.b@gmail.com writes: > M Nickless wrote: >> >> While looking at my list archives this morning to see if a >> suspected spam message from a subscriber went into the archives, I >> noticed that another ‘Spam” email made it through the list the >> other day. >> >> I have already completely deleted that the email from my own >> mailbox/spam box/deleted messages files, so can’t forward it with >> all headers/footers to the Help Desk. >> >> Can anyone tell me if there is another way to remove that message? >> Obviously I don’t want to use the Archive Removal Tool as it will >> trigger a message to the spammer! > > Not necessarily. Even if it does, it'll tell the spammers you're on > to them and won't let the spam remain. > > If the mail is in the pending folder, simply discard it - don't reject > it and don't mark it as spam before deleting it. > > If you send the archive URL through to the Help Desk and ask them to > remove it from the archives they will do so. > > -- > Charani (UK) > OPC for Walton, Ashcott, Shapwick, > Greinton and Clutton, SOM > http://wsom-opc.org.uk > > > ------------------------------- > To unsubscribe from the list, please send an email to LISTOWNERS-request@rootsweb.com with the word 'unsubscribe' without the quotes in the subject and the body of the message > > ------------------------------- > To unsubscribe from the list, please send an email to LISTOWNERS-request@rootsweb.com with the word 'unsubscribe' without the quotes in the subject and the body of the message