
Question

SPAM sent to all my contacts from me

Oct 22, 2011 4:53AM PDT

I found out this morning that almost all of my contacts in my Yahoo email received an email claiming to have been sent from me but it wasn't, the email was from some Canadian pharmacy advertising sex drugs. Should I send an email to each one of my contacts telling them if they did get this email to ignore it because I didn't send it? How could this have happened?


Answer
Re: SPAM sent to all my contacts from me
Oct 22, 2011 9:24AM PDT
Well someone, anyone, if I've posted my question above in the wrong forum advise me which forum is the correct one.
It's a difficult one
Oct 24, 2011 9:50PM PDT

and there really is no easy answer.

If your email account was hacked, then you should immediately change your email account password. Make the password difficult. For example, 1234, Pin number, names or dates of birth, don't work.

All my passwords are on the order of jK7Wds4eyIpl&d0DKj. I don't even pretend to be able to remember such passwords so have them written down securely and also use a secure password manager.

But the problem is, email address spoofing is easy for the spammers. They can send an email that "looks as if" it has come from any sender they choose. They can even send emails to you that look as if they come from you. So if these spammers already have your email address there is nothing you can do about it.

Sure you can send everyone in your contacts list an email explaining the problem, but that won't solve the issue. Eventually it will die down.

Mark

Re: It's a difficult one
Oct 25, 2011 3:43AM PDT

I did change my password but not my email address and you are right, I did receive one of the emails and it looked like I had sent it to myself. Yahoo Mail issued a bulletin saying they were working on the problem but if it happens again I'll close my Yahoo email account. That password of yours, you write them all down in a notebook then refer to your notebook when you need the password? There is no way I would remember such a password. Do you store them on your computer under "MY DOCUMENTS" and label the document "MY PASSWORDS"?

Passwords.
Oct 25, 2011 4:36AM PDT

We all use what works best for us. My written record is a backup in case I lose the OS for any reason, I have backups of my password file itself, but the paper one is the definitive, as it were. No I never refer to it except to add or change passwords. The paper record is kept in a secure place under lock and key.

I use a password manager application. The application is password protected itself so I must remember that to open the application. Then I can just copy/paste as need be. Since it's an application it has its own folders. No, I don't label anything "Passwords" or "My Passwords". Prying eyes?

However, for services like email, I always use the 'remember my password' option, otherwise I would be logging in countless times during the day. I do the same for CNET, where little trouble can be caused other than nuisance value.

I would offer the password manager software but it is no longer available. Not a problem for me as the application is stand-alone, it doesn't connect to the internet, (my firewall ensures that as well), and it still works.

I'm not sure Yahoo Mail can be blamed here. Once your email account had been hacked, (and we're not even sure that's the case), then the contacts list was out in the wild and there was nothing Yahoo could do about that. However, perhaps I read your post wrong and you're not blaming Yahoo, but simply saying that you will close the Yahoo account. If so then it's a good idea because you can then email your contacts and tell them to ignore as spam any emails from that account.

It may not stop spam emails from being sent though. It goes like this;

I'm a spammer! (I'm not, just imagining). I have, somehow, got a lot of your contacts list. I will use that to send emails to them spoofed so that it looks like they came from you. I will send millions of emails a day, not just spoofed from you but with any number of real and fake 'sender email addresses'. They will be sent, not just to your contacts list, but to millions of other email addresses.

I use a computer algorithm to generate recipient email addresses. Why? Because so many of us use John123@isp.com, (where isp.com are known email servers). What I mean is, none of us use completely random email account names, and so guesses are as likely to work as not.

I don't care if the majority of those emails I send fail to get results. Many will fail because the senders don't exist. Many will fail because the email providers intercept them. Many will fail because the recipient has their own Junk or Spam mail controls that simply delete the emails without them being opened or previewed.

But out of those millions, some will get through and will be either previewed or opened fully. I don't mind which as a preview is just as good as opened. Most of those will then be deleted, but I only need a few where the recipient reads the email and decides to take advantage of whatever I am advertising.

That's all I need, just a small %age of those millions to succeed for my business to be profitable.

Why don't I care if an email is just previewed? Well, I'm clever. In my email I have included an image which I have stored on my web server. When the email is opened, either preview or fully opened, the email software sends a request to the web server to download the image so it can be displayed in the email. Since the web server needs an IP address to send the image, I can use that to correlate with the millions of emails I sent to find which one was successful. I note that email address so I can send even more spam to it.

I am no longer the imaginary spammer. :)

You can see how difficult this is. Once they have our email address from any source, it is very difficult to stop them using it. Anyone who contacts the spammer requesting to 'unsubscribe' or demanding to be removed from the list is just proof that the email address is genuine. They don't care.

All we can hope for is that, after a period of no response to their spam, they will do a 'cleanup' exercise eventually to remove useless addresses.

One other point. It may not have been your contacts list that was hacked. Think of this. Do you send emails to multiple recipients at the same time? If so, what if you included some other email contact who has already been hacked? The CC email information could then be passed on to the spammer.

Do you open "Round Robin" emails and then send them on to all your friends and relatives? What if one of those round robin emails was from a spammer?

It gets more complicated, doesn't it?

Mark

Re: Passwords.
Oct 25, 2011 7:19AM PDT

Man, how long did it take you to type out that post? I thought I was long winded but to answer some of your questions when the incident happened Yahoo posted a memo similar to Twitter when Twitter is having problems. I only have about 15 contacts in my Yahoo email but a few are business types and I did not like it when it appeared to me they received emails from a Canadian pharmacy advertising sex drugs.

Long winded
Oct 27, 2011 5:49AM PDT

I'll keep them short from now on.

Previews. What do you use to manage your emails, email software or a web browser?

If a web browser then there may not be any Preview option. I don't know as I don't use web mail that much.

But in email software there is the option for emails in your Inbox listing to preview in a window 'under' the listing. As you highlight an email in the list, the preview of it displays. But in fact it is not a preview because it shows everything that you can normally see when you open the email to read it.

Where did I say I can access your Contacts List?

You store passwords where you see fit. I'm not about to tell you what you should or shouldn't do.

Mark

Re: Long winded
Oct 27, 2011 10:57AM PDT

I guess I use a web browser. I was using IE8, switched to IE9 now I'm using Google Chrome. Why I use web based email is this, this laptop which I currently use was purchased for me to use by my brother who lives in another state and any day now he might decide to ask for it back and if he does I don't want him to be able to read any of my emails stored on this, his laptop computer, that's why I use Yahoo Email, Gmail and AT&T Webmail, all require login and password information. I have not activated whatever is on this computer which took the place of Outlook Express which is on my older computer which once he or some of his lieutenants got their hands on that other computer they could immediately open up and read all of my emails.

written down passwords
Nov 4, 2011 1:16PM PDT

My desktop crashed on me two months ago and thank God I printed out all my usernames and passwords before this happened. After getting another desktop computer, I scanned the list and saved it into excel and password protected it. Whew!

That's great
Nov 4, 2011 9:24PM PDT

and as you say, backing up your passwords is absolutely necessary.

May I ask, that Excel file. Have you backed that up as well? If not, it would be a good idea.

Mark

excel file backup
Nov 5, 2011 10:05AM PDT

I have placed that file on a USB thumb drive that is a Sauza Hornitos bottle shaped thumb drive.

Answer
MY TWO CENTS
Nov 4, 2011 3:02PM PDT

Canadian Viagra I bet. My cousin, another cousin using a work computer, a third cousin, and 3 friends have had the same thing happen to them. I've received the same email from them all (not really them) for a total of 6 times. Each time I received the email, I notified them about it. Each of the 6 contacted their ISPs, and email providers, and none of them were able to fix the problem. The only way they all could resolve the problem was to make a new email address for themselves.

Now fast forward one year. All but 1 of those 6 have not had recurring problems.
The 1 that has, has had the same thing happen to her twice in the past year, but they were not the Canadian pharmacy selling Viagra type of emails being sent out from her computer. Now they are for "I've made so much money on this, that I want to share this with you!" and there is always a link in the email to click on... but us wise ones know better 8-)

The gal that has had her computer compromised 3 times, has had to change her email address 3 times. Now, me being the type I am, I'm thinking that she has got to be clicking on links or visiting sites that maybe some of us might not do. She is a young gal (18) and she is curious, as we all were at one time, and she is also in school, so she is constantly looking up info on the net. Somehow, some way, she is going somewhere that she shouldn't, or she is clicking on something she shouldn't... why else would she have the same thing happen to her 3 times?

I'm not saying that you did anything wrong... I'm not implying that at all.

Just be careful. One of the cousins, the one who used her work computer, eventually got locked out of it. The bug that was in her pc took complete control over it. (the Canadian Viagra emails)

Out of the 6 who had their pc's sending out spam, they used these email programs.
2 used Yahoo
2 used Gmail
2 used Hotmail

What do all of these have in common? They are all FREE email providers.

I'm a MSN fan and won't use any other email program. I also use MSN Explorer, which is ancient, but it doesn't get attacked (probably because hackers forgot about it... LOL) I don't get bugs, hacks, or spammed out, and for $60 bucks a year, I'll stay with it. I've been with MSN and MSN Explorer for 12 years and they have been good to me. Their tech people will work with you on any problem until it's fixed, and they won't give up. Maybe you should think about a different email program, and a different browser. Best of luck to you!

Answer
How 2 use bcc 2 stop spammers using u
Nov 4, 2011 3:08PM PDT

When fwding an email, erase the fwd or fwds on subject line {i.e. leave only subject words showing} next erase the email address of the person who sent it 2 u {I erase all addresses, so spammers who get back copies of fwded mails cannot see their address} then enable bcc & use it instead of to line. Your mail will then b sent as undisclosed recipients, also if u have Avast A/V set mail shield to scan both inbound & outbound mail. ALL expert settings should b set on high in Shields.

Answer
How spam looks like it's from you & how to handle password
Nov 5, 2011 2:15AM PDT

The spam either came from your account, in which case your account or PC has been compromised, or it was spoofed to look like your account.

How does it come from your account? If you got an email from a friend that said something like, "look at these cool pics of you" or similar, and you clicked on the link, you may have seen a login prompt that looked exactly like you would expect, so you put in your username and password. Bingo, they now have your password and send emails as you. That's the most common route but there are other ways that involve social engineering. (Social engineering wins over randomly trying passwords almost every time.)

If it just looks like it was from you, it could be that a friend's account, who has similar contacts, was compromised and the spammers randomly used your name as the from address.

If you can change your email password, do so immediately.

For saving passwords, I use two things. The first is Clipperz, a web-based password manager that also allows me to keep an archival copy if the server ever goes down. I record critical passwords (and those annoying personal questions sites now require), in that. Clipperz is almost zero knowledge. Record your Clipperz password on a piece of paper and put in the deposit box at the bank so your heirs can get into your accounts in case of your untimely demise.

I also used the paid version of LastPass, and have it on my three computers that I use routinely. That autofills most passwords, and it's available on the web if things get really bad. I have different, long, easy-to-remember-but-seemingly-random passwords for these two products.

Don't use the password manager built in your browser without setting a master password. Anybody who gets access to your hard drive (steals your computer and removes it) can read the passwords.

It's a myth that long, impossible to remember passwords are inherently more secure than other types of strong passwords. They actually tend to be less secure since people write them down and stick them to their computer. Instead, see how to create strong passwords for ideas. You can test your passwords on this Microsoft site. (Make sure the URL starts with https://www.microsoft.com/).
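The two cases this post separates (mail really sent through the account versus mail spoofed to look like it), and the spoofing described earlier in the thread, can often be told apart from the headers of one of the spam messages. The following is an added example, not part of the original post: both header sets are constructed, every domain is a placeholder, and it assumes the receiving server records SPF/DKIM/DMARC results in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed headers (not from the thread); all domains are placeholders.
SPOOFED = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk.example;
 dkim=none; dmarc=fail header.from=mailprovider.example
Return-Path: <bounce@bulk.example>
From: "Your Friend" <friend@mailprovider.example>
To: you@recipient.example
Subject: hello

body
"""

FROM_ACCOUNT = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailprovider.example;
 dkim=pass header.d=mailprovider.example; dmarc=pass header.from=mailprovider.example
Return-Path: <friend@mailprovider.example>
From: "Your Friend" <friend@mailprovider.example>
To: you@recipient.example
Subject: hello

body
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def classify(raw_message):
    msg = message_from_string(raw_message, policy=default)
    from_dom = domain_of(msg["From"])            # what the recipient is shown
    envelope_dom = domain_of(msg["Return-Path"])  # who actually handed the mail over
    # Only the topmost Authentication-Results header is written by the receiving
    # server; copies further down may have been inserted by the sender.
    results = str(msg.get("Authentication-Results", ""))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    aligned = envelope_dom == from_dom
    if verdicts.get("dmarc") == "pass" or (verdicts.get("spf") == "pass" and aligned):
        assessment = "sent-via-provider"   # consistent with a compromised account
    elif not verdicts:
        assessment = "no-authentication-data"
    else:
        assessment = "likely-spoofed"      # From address was never authenticated
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "verdicts": verdicts, "assessment": assessment}


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("FROM_ACCOUNT", FROM_ACCOUNT)):
        print(name, classify(raw))
```

A "sent-via-provider" result points at the account or PC and makes the password change urgent; a "likely-spoofed" result means the sender never needed the password at all.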

All good advice.
Nov 5, 2011 6:11AM PDT

And well set out. Thank you.

I am intrigued by Microsoft's Password Testing page. I almost considered testing a couple of my passwords, but I held back. Not that I don't trust Microsoft at all, but.... inputting passwords into some 3rd party site? Hmm, not sure.

Mark

Password checking done locally
Nov 5, 2011 7:19AM PDT

The site uses javascript to parse the string so all processing is done locally and nothing is sent over the Internet. The javascript file it uses is https://www.microsoft.com/security/pc-security/assets/scripts/passwdcheck.js, but that may get stripped out of this forum. Basically, a password seems to get bonus points for variety of characters, length, and avoiding common password strings.

Re: How spam looks like it's from you, handle password
Nov 9, 2011 6:15AM PST

This afternoon my AT&T webmail account got hit, I opened it up to find almost 40 "failure to deliver" email notices where it was made to appear that I had sent these 40 contacts an email from a Canadian pharmacy pushing male enhancement drugs, the same pharmacy that hit my Yahoo account earlier.

I changed my password on Yahoo so I guess I need to contact AT&T and have them change my password? Could "about blank" be causing this because it's still showing up on both of my computers? Would changing my email address stop this from happening again or not? If it keeps up I'm tempted to disconnect my email but if I did disconnect my email could these spam emails still go out as if I was the person sending them?

Re: How spam looks like it's from you & ...................
Nov 9, 2011 11:13AM PST

Late this afternoon I did as you recommended, I contacted AT&T's DSL tech support and changed my email password to a much stronger one. The tech support guy for AT&T told me they would monitor my account through their servers to determine where these emails were coming from and block them if they try doing it again. AT&T did not recommend storing my passwords on my computer, since I'm the only one in the house, AT&T told me to write them down in a notebook and store them in my desk drawer instead.

Answer
Clean Out That Computer!
Nov 10, 2011 11:27PM PST

As long as you have malware and spy software on your computer, changing passwords is a waste of time. Get software and install it to remove these hostile programs. How did you get the stuff? Did you open an attachment in your email? Did you go to a website that could have compromised you? Did you download anything from such a site including music? I lived through this problem as well.

Re: Clean Out That Computer!
Nov 11, 2011 8:55AM PST

What did you say? Clean out what? I have this installed on my computer, one of which isn't working that good, Avast AV. I also have SAS and Malwarebytes. I haven't been able to do a thorough scan or even a quick scan with Avast AV in months. When I start my Avast scans I come back 3 hours later and it says only 6% has been scanned so I abort those scans. I'm thinking about switching to a different AV.

passwords
Nov 11, 2011 11:17PM PST

Clicking on a link from a friend's Facebook page is going to get your computer in trouble. Also, without your knowledge, porn sites have trojan worms that can go undetected by Avast AV planted by unscrupulous people onto those sites. Your problem is not software but poor decisions on what you open up and sites you visit. I had this same problem 5 years ago which crashed my PC running Windows 2000.

Re: passwords
Nov 12, 2011 6:11AM PST
So I need to stop opening links posted by friends on Facebook and also stay away from sites like Holly Randall. If my McAfee Site Advisor glows bright green when I'm on a site like Holly Randall.com that's no guarantee that the site is safe? So if my Avast AV is not detecting some of this should I switch to another AV software instead? I received an email from CNET Downloads earlier in the week saying that a newer version of AVG AV was out. Is AVG AV better than Avast AV? When your computer crashed 5 years ago did you also have problems with "About:blank"?
passwords
Nov 12, 2011 9:41PM PST
Yes, you need to stop opening links posted by friends on Facebook. An ounce of caution weighs more than a pound of cure, is my motto when surfing the net. Avast is good, I have been using it for over two years and no problems at all. My wife, parents, former land lady and many other friends use it too without anything going wrong. When my comp. crashed 5 yrs ago I did not have "about:blank" issue come up.