Email has been compromised

leSLIe

For a couple of months now I have been receiving spam emails from my own email address. It's my work email. I only access my work email on my work PC or on my own PC at home (I don't have it on my mobile phone). I might have accessed my webmail through another PC, but only on these two PCs since I changed my password.

So I changed my passwords and didn't save the password, to make it more "secure". I've scanned my work and personal computers with Combofix, MalwareBytes, SuperAntiSpyware and SpyBot S&D, and they were clean... In these two months there were a total of 4 spam emails from my email. Once the IP was from India and the other time from Tunisia; I currently live in Peru.

Still, today I've received one more spam email from my own email, and I wasn't even logged in at that time, around 6am. BTW, in these emails there was always a small zip (~5kb) file attached.

How can I fix this?
 
You can't. It's called forging the headers. It's unlikely that you were even compromised.

How this happens is they get a list of email addresses, whether it's from a contact you've emailed or by whatever other means; then they start sending out spam with the from address set to different email addresses (in this case yours) that they harvested, so when the email bounces back or is flagged as spam it doesn't affect them.

You can check the sent items folder when logging in via email, but more than likely it won't show any suspicious emails. If it does then that's another story.
 
You can't. It's called forging the headers. It's unlikely that you were even compromised.

So much this.
I occasionally see similar in my gmail account, yet my gmail account hasn't been accessed by anybody but me (according to the Google logs).
Chances are, your email was not compromised and there isn't much you can do about it.

Besides, if your email was compromised, you wouldn't be receiving the spam in that email account.
 
You can't. It's called forging the headers. It's unlikely that you were even compromised.

How this happens is they get a list of email addresses, whether it's from a contact you've emailed or by whatever other means; then they start sending out spam with the from address set to different email addresses (in this case yours) that they harvested, so when the email bounces back or is flagged as spam it doesn't affect them.

You can check the sent items folder when logging in via email, but more than likely it won't show any suspicious emails. If it does then that's another story.

I didn't know about this. Could this be my case? This is the code. We use Bluehost, btw.
Nothing unusual in my SENT FOLDER.

Code:
Return-path: <MY-EMAIL@COMPANYHOST>
Envelope-to: MY-EMAIL@COMPANYHOST
Delivery-date: Wed, 11 May 2016 05:32:38 -0600
Received: from COMPANYUSERNAME by box930.bluehost.com with local-bsmtp (Exim 4.86_2)
    (envelope-from <MY-EMAIL@COMPANYHOST>)
    id 1b0SNL-0004fB-UJ
    for MY-EMAIL@COMPANYHOST; Wed, 11 May 2016 05:32:37 -0600
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on box930.bluehost.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=DOS_OUTLOOK_TO_MX,HELO_MISC_IP,
    RCVD_IN_BRBL_LASTEXT,RDNS_NONE,T_SPF_TEMPERROR shortcircuit=no
    autolearn=disabled version=3.4.1
Received: from [14.99.239.73] (port=3626 helo=[117.192.202.105])   // India IPs
    by box930.bluehost.com with esmtp (Exim 4.86_2)
    (envelope-from <MY-EMAIL@COMPANYHOST>)
    id 1b0SNL-0004bx-42
    for MY-EMAIL@COMPANYHOST; Wed, 11 May 2016 05:32:23 -0600
From: <MY-EMAIL@COMPANYHOST>
To: <MY-EMAIL@COMPANYHOST>
Subject: Emailing: Photo 05-11-2016, 97 69 69
Date: Wed, 11 May 2016 17:02:10 +0530
Message-ID: <5bf4fa5a58c3$8916ebda32d6d9083$@COMPANYHOST>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_9C46_BCB0A8CE.0EF7C9F3"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
X-Identified-User: {0000:box930.bluehost.com:local:local} {sentby:Delivered locally}
X-Identified-User: {2222:box930.bluehost.com:COMPANYUSERNAME:COMPANYDOMAIN} {sentby:spamassassin for local delivery to identified user}

This is a multipart message in MIME format.

------=_NextPart_000_9C46_BCB0A8CE.0EF7C9F3
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit


Your message is ready to be sent with the following file or link     //Message and attached zip file
attachments:

Photo 05-11-2016, 97 69 69


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

------=_NextPart_000_9C46_BCB0A8CE.0EF7C9F3
Content-Type: application/x-compress;
    name="Photo 05-11-2016, 97 69 69.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="Photo 05-11-2016, 97 69 69.zip"

UEsDBBQAAgAIAEVgq0jnPxd72gwAANgbAAAdAAAAUGhvdG8gMDUtMTEtMjAxNiwgNDIgMTQg
NTEuanOtWetS3DoS/s2pOu/gctWezAQOmRuE3E4VDBAI90sCCUulZFsei5EtR7ZnmOzm3z7D
PuA+yX7d8gxDgD1bW5tKPLIsdbf6+rWypw+qo62Bzbx3nv91u/3Vf/PrLyNhvSorpEz1BPOt
n6bamGu3nrdbiyvPu97ibB7LAlHI1d5WFppI9hNhCyK7vtHf3Np+v7P7YW//4PDo+OT07Pzj
p4vLz19EEEYyHiTqZqjTzOTfbFFWo/Ht5Hur3en2VlZfrr1afEEieZ4jvSnnSV9d16JZmQtr
MfM3Wup5z14/e+09W362VL9+pNezZ7/+svCDicXGeg2Pdio6TGftjad+//2N15wSUDG+P2B5
heXX3rt373BmCK4yGXlNt8F7crX3e5t5unWPrHqgtOUQzz7e1ssGaDSZimIiP3795b4xOvi0
+mIVH89Kq7LBcm5NacpJLpelNtlAlJDxnRdXWVgqk3mN2RGJylgGqShKOac6+hMmKpWvvTJR
hZt0WvPu1i+nMlJirIakv7tZ3njVaPihFqmxpir8JR+aklmhRhLjQo6lxW8ospEo6GtsK1Xy
MiUCTWtSmQbSFonK8TK2sihpo99c9KvgtPQXG77IMoMDyVRmvHWgTVEIO8GwVIOE15eG1IFR
oDSUYIWmhVVWJiyAxCT0gZFVRBpLm8twIy1C2fBP/aXap67gO9fLpdk3ELwPSzWazevGVPtL
d3Zo1iqysqwQTo9oCgtIj84XHlgLYolwWMzZyplq4c5aYXvJCzv418W/3pu7D2rJ0zJb8kxV
YnaBpoqSbEoWXC5yrcqG/0VFrRYOeWNU1vD9qbzYiIVYvozRoEzqaVUHPo1BluLYnzpBorRs
KO8t7XUyvngO4bznLzCMDM+wG1GmeOjwxGvOw9XiYtP7zWvdxjGF88KP+wy8335jQhRHJPOC
ihuz95pRYKUYsmpZks5DSTr/L0k6P0nSeVIS0triO682dGxN2q9ZNegAb996nab3d69BNIhp
t9X0/vjD6zWbdyfpPjxJt7bW43K/qZeRaF0SbZVFW6i9snaQGaGHKgm7Tx69+9PRu//T0evj
Xm43SQW9WgVdp4I+q6Azr4LeQxX0/msV9P6zCnqPq6D3pAp6P6mg97gK/kQB7rCtLmtglTQQ
9qbh+ONeFnHCctJ/kDAKk8ojymYHp1vHD1P8AjR0WacAEolLnqt4KquTG+Sus369mH5mWVDN
cqC6bjox5kSjpXVGo1lXlZDwRBQj72Wy4ALtr/uLPsQa4UdeHgWUvcNKWZf7U0PyJ8ZElJFv
wVZlNI9jazHGQFTWWEH1wiDPZiXviZApkd1pIXZMOJ3fyLD0m0uevwVGtzkeImNeBmUi5yIB
2+Su9iQyHLraEMlCDbJpJQhRVJCxA6EFdmGiyhQmMvrM5WOk6n0WJc1KLCLBoy0uIHREZYnp
t8qUTJPPSMWHf7HasRE2oi8ii6wc0ygRk6JE9qePVmF9XZlkKDTxxVsTdFFrICGxtEIVzBvC
JVWhBNfI3JTYS1UwFoOBKfmAIzWtwiMDLECGoaIodew2pZKlR131ycV8KoVY4TVARDvRc6hb
scQjRZrn09QyQh5FgnyrpKT3ovpeDRXJHN9VfZY+hHRiIJ0sRamymYpKK7IC/pmycYAg2OTF
WMqSaQZiaq9YwyB0wL+Q0Odk7IPjv0BaH6Nl0j0wR+nWCm1MXB83kiJkcUUYmjQXmZLONnYo
2ZFMUFYFiSpSgiHEAk4wqCAwu6Zk5zolDiYn/5u6RCFHsMGEf9g7R450VBW1HAX8LSUq7Eu1
RmJdFQnbITKVcookFg3/gAxxSQfbJ26FgZsUhr0zTeGQfPxhVoVDBktjhQCn/bHSNd6xCuCH
ZUuUJRN3lklbl0R5fweP8/M6NGK4Du/JjZ7kiclUyC+2DCut2eSBrqxlVxNBVIV1pIyNDWVR
ewfyUqhy7TQqXTwe/+sf/ySmFx/5EFJrp+fckBZ4OEZynTgPknZgRVQhUoiEKoraMQpIMWG/
Exz7oWVPKnIzlE6zRgvrgjtUvDu2YkCwsEaDiQVui2oQKkpmF5oRy8iMEXfwYFYC8CYkLl8z
wvxWwcOr1NGosesELUrBWkGUukGkCkpNRjvZiyoSGXu0qu1TAAeTN58lRBx6AAK7l7kbTao2
xtjoor8pXRvWmbVhLopkncev7uXXZdg3Lt3+i+/v0yy2WUIELkene3vnBdGQt6QXUgg+AJfD
dcnNPfhVDoIlDbXhrOshzhIkloyG+eXe0fnm6aGETtDi+Rsy+pxkSEeHRzjArLNoUF1ANCPz
qNBxAHonykRERFA0swiMGRaOF/ga7US4HQ3Phb7tnynHZHg4mXz8bIIHHKbN04MaiMwUJl9L
cy5vy3slUDTn+5lZ7Qu4aQR6ZnSLn7eemOJeLwSGCK5CarYEft7c7a9LXjDDznddEfW8ZQnn
R7viFGByCqBppOK0EmGlyAdKY3QgLHtjiHLECQepSbuOZGR0xXmFXRduBe0hcuglY+fJfWjp
MUzRbrUWZ43I83a72ZyCfm5qmA4rkut/Jqoih0ioC1zy510qN3ljtplj+M2049QQGJyxJZPj
qWM25qldtRknbJ6L7DA/2jbOmbszZ8aRXDVlxk9SaTGVYP+4sPLj6Zaj0ptRya3UVUQhUUv0
RFQ0Hp0m0gfbF+u33xzdFaY7JmNoZ7/MUEblGuhTYFvnzBSvABCwUEivqdIu3wJy3Hxaj+3N
7njs3Pj93plJiw+7p/33DzyZDyCRPDOqhWB4IMpkGfUvMilw2+w6A3VEMjid+tZ82zZz87TS
JWXeRiw1lFdCe0seASSWjUPAeWppJ/Px4C4QCPxY6rnBaKpUiP+CvGxGhERaWLi/eO5t0XtU
y3OxQzcpcyf+w2vdC03G4Xd+ceWOfk2p6jaXSM2IPK4sYJPS73sSz9mLtN3wVTSBpCH3/BPO
uUQLaou4HACR4/eciuu8lgBuCjkv5w86p3u9+H58G4a3p/sfBs5JXn6d9r7zos7yHkkRaOre
3X0GoLErB5DfhyNyuyBHQjf8KN2ecCO+u3PYCro8pMHB4Phs3XxqH96EqebZcdRft7tqd3B8
3hrs6igP0tNRhIUfO4cTcbnR2t1KRrwy7J6ovbP19IPauAk6K60vFystcfGqHU5Wvke84v12
K7o8YEoHN+vj3f7ndHfndCV8/wkUkvLkYpuX7UXpbedL+yTHwle7/Q9tsNRfUl19uThRR+PW
Xv/k3Tt/elPhYomvEE52DgenTlVrM1WR4QFE6K9rSBbuO6BK80oTHPopF8D0iZnlwKJK83KK
megOhnEBnEGXCS9BhVGxCp3CB6bGM9KmAu47ZHwigbzp6zqjh1iMDIFsdipxi60Bg3ECNMwV
9SmVdXEHJnJ4F0FstBI1HCWIThldRCKv4czZ1tERZenNDcIPAFSakf0ksiZMNDiShwaVHiCh
iGm3ESpeBREZGtZdiDZpwOTvNRLLZwxP7Nr8RRW4UgranJ9boxlEi9+8F4dTdc9CbP7r9zD4
lprJ+adLZ8ZXMzPe27tMVZczQF1s5hYdXR5+ONio75Fbj++/IttmqHO6IoRtTI2RZ00dtXKA
6gHf6kloYsAgxYf6UOy49VGRAjp1+8akEm5aYP7rxnx0AsPZUERO10AMhWALgBPchXODVoGt
/SypLFA6412CxK5poPaLYScxOaUGtsAjh5EWn7wbxCIyf2JQzUp4IGMAUZUGADcnwI9touDU
MKh0zN0gVRbwpI/ooghkT3tR2rxhiH008a/n7bW/eZSfTC/t208pew79IbEbkiyGzhE+dLWK
7rOo8T/iOTNjpMyBw9B0iQrY4r5BpxRAmesndULdnWubkZpnTTSrlC4YwQRbB+h7EVraKR+n
5+QtMKjdH8GlMjp5yXe0iD/y+Eyib1Wzhlyg0a6Ixhpf0vL0nKe36j6GYCZjqCIUcWx0DejB
GNpkwaCUug+GRmYhFYppr1kq1FKXQ1prVCumyb15PXcRSn/62/3D3Q+15jtPujkgdema94F2
lx3U+KANCsuKtZJKahJcD1kqrltJlcK52eqFdq7H195iJNGx+Wabbhg0OfpcBV7yOvOOcTY8
2M4OPvdvzmsRu09EcqhNDQpnW8vbDS126n29e/v+BGrdk2eWHAj4F1tneucwCT75/P8mvlnf
OI/7JxsiBpTxyo/xxdmuqFnelVkU4x9eSODea2wMPtt8Q/dRRLzp/TkSVt+cZ0eXm/VWB+Ow
bQaJfLFz2go3zWh/fK9oLfp/rVqt1S1+rvCzS8+XHR5v87h7N1/PtPj5ip4dt3ft5/Uve74j
/tKRXb8b11vcMp7v8MYuE+m+vCO++vLnmXq+Q7ng4NtEx8N8NDmb3t+ff9/Nysu0VsPqVIP/
BlBLAQIUABQAAgAIAEVgq0jnPxd72gwAANgbAAAdAAAAAAAAAAEAIAAAAAAAAABQaG90byAw
NS0xMS0yMDE2LCA0MiAxNCA1MS5qc1BLBQYAAAAAAQABAEsAAAAVDQAAAAA=

------=_NextPart_000_9C46_BCB0A8CE.0EF7C9F3--

So much this.
I occasionally see similar in my gmail account, yet my gmail account hasn't been accessed by anybody but me (according to the Google logs).
Chances are, your email was not compromised and there isn't much you can do about it.

Besides, if your email was compromised, you wouldn't be receiving the spam in that email account.

This stuff is new to me; I thought my email was hijacked, or that I had some sort of ring 0 rootkit.
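The reply above explains that the From: line is whatever the spammer typed, and the headers posted show where the message actually entered the Bluehost server. The following script is an added example for this thread, not code from any of the posts: it walks the Received: chain of the posted message (reproduced below as a constructed sample, with the placeholder values MY-EMAIL@COMPANYHOST and COMPANYUSERNAME kept as posted) from the bottom hop upward, pulls out the connecting IP, the claimed HELO name and the envelope sender, and lists the SpamAssassin rules that fired. The hop that matters is the one the server accepted over SMTP from an outside address, not the From: or Return-path: lines.

```python
"""Added example for this thread (not code from any of the posts): walk the
Received: chain of the message quoted above to see where it actually entered
the mail system. The sample below is constructed from the quoted headers; the
placeholder values (MY-EMAIL@COMPANYHOST, COMPANYUSERNAME) are kept as posted."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header section of the quoted message, body omitted.
SAMPLE = """\
Return-path: <MY-EMAIL@COMPANYHOST>
Envelope-to: MY-EMAIL@COMPANYHOST
Delivery-date: Wed, 11 May 2016 05:32:38 -0600
Received: from COMPANYUSERNAME by box930.bluehost.com with local-bsmtp (Exim 4.86_2)
    (envelope-from <MY-EMAIL@COMPANYHOST>)
    id 1b0SNL-0004fB-UJ
    for MY-EMAIL@COMPANYHOST; Wed, 11 May 2016 05:32:37 -0600
X-Spam-Status: No, score=4.4 required=5.0 tests=DOS_OUTLOOK_TO_MX,HELO_MISC_IP,
    RCVD_IN_BRBL_LASTEXT,RDNS_NONE,T_SPF_TEMPERROR shortcircuit=no
    autolearn=disabled version=3.4.1
Received: from [14.99.239.73] (port=3626 helo=[117.192.202.105])
    by box930.bluehost.com with esmtp (Exim 4.86_2)
    (envelope-from <MY-EMAIL@COMPANYHOST>)
    id 1b0SNL-0004bx-42
    for MY-EMAIL@COMPANYHOST; Wed, 11 May 2016 05:32:23 -0600
From: <MY-EMAIL@COMPANYHOST>
To: <MY-EMAIL@COMPANYHOST>
Subject: Emailing: Photo 05-11-2016, 97 69 69
Date: Wed, 11 May 2016 17:02:10 +0530

(body omitted)
"""

# "from <host> (<comment>) by <host>" as Exim writes it; the comment is optional.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def _unfold(value):
    # Collapse folded header continuation lines into single spaces.
    return " ".join(str(value).split())


def received_hops(raw):
    """Return hops in transit order (oldest first, i.e. bottom header first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = _unfold(value)
        m = HOP_RE.search(text)
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(m.group("src"))
        helo = re.search(r"helo=(\S+)", info)
        env = re.search(r"envelope-from\s+<([^>]*)>", text)
        hops.append({
            "src": m.group("src"),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1).strip("[]") if helo else None,
            "by": m.group("by"),
            "envelope_from": env.group(1) if env else None,
        })
    return hops


def origin(raw):
    """The first hop that connected from an IP address: where the mail really came from."""
    for hop in received_hops(raw):
        if hop["ip"]:
            return hop
    return None


def spam_tests(raw):
    """Names of the SpamAssassin rules that fired, taken from X-Spam-Status."""
    msg = message_from_string(raw)
    status = _unfold(msg.get("X-Spam-Status", ""))
    m = re.search(r"tests=(.*?)\s+\w+=", status)
    return [t for t in re.split(r"[,\s]+", m.group(1)) if t] if m else []


def self_addressed(raw):
    """True when From: and To: name the same mailbox, the pattern seen in this thread."""
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1].lower() == parseaddr(msg["To"])[1].lower()


if __name__ == "__main__":
    src = origin(SAMPLE)
    print("entered box930 from", src["ip"], "claiming HELO", src["helo"])
    print("envelope-from on that hop:", src["envelope_from"])
    print("self-addressed:", self_addressed(SAMPLE))
    print("SpamAssassin rules:", ", ".join(spam_tests(SAMPLE)))
```

Run against the posted headers this reports that the message was accepted over SMTP from 14.99.239.73, which announced itself with a bare IP as its HELO name (hence the HELO_MISC_IP and RDNS_NONE rules), and that the envelope sender was simply set to the recipient's own address. Nothing in that chain involves the poster's mailbox or machines as a sending party, which is why the sent folder is empty and the malware scans came back clean.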
 
Does the domain have an SPF record that lists allowed IPs to send mail for that domain? If not, there's your problem. Most large companies won't even accept mail for domains without an SPF record since they can't do an rDNS check to make sure it's not spoofed.
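The SPF check suggested above, as an added example that is not part of any post in this thread: a minimal evaluator that does what a receiving server does with the sending domain's record, matching the connecting IP against the record of the envelope-from (MAIL FROM) domain. DNS is replaced by a constructed table of TXT records; the .example domains and the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation values, and 14.99.239.73 is the connecting IP from the headers posted earlier. The table carries a corrected record (-all), a weak one (?all) and a domain with no record at all, so the three outcomes can be compared. For the posted message, the X-Spam-Status line shows T_SPF_TEMPERROR, i.e. the SPF lookup returned a temporary error rather than a pass or fail, so SPF gave the Bluehost server nothing to reject on.

```python
"""Added example for this thread (not code from any of the posts): a minimal
SPF evaluator showing what a receiver does with a domain's record. DNS is
replaced by the constructed TXT_RECORDS table below; the .example domains and
the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation values, while
14.99.239.73 is the connecting IP from the headers quoted above."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zone data).
TXT_RECORDS = {
    # Corrected setting: only the listed senders may use the domain; all others fail.
    "companydomain.example": "v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    # Weak setting: a record ending in ?all gives receivers no verdict at all.
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    # "norecord.example" is deliberately absent: the "no SPF record" case.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a connecting IP against the MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none or permerror, as a receiver
    would. Only ip4/ip6/include/all are modelled; a, mx and exists need live DNS.
    """
    if depth > MAX_INCLUDES:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:          # modifiers (redirect=, exp=) are not modelled
            continue
        qualifier = "+"          # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An address of the other IP version never matches the network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without any mechanism matching


def explain(ip, domain):
    """One-line defender's reading of the SPF result."""
    result = check_host(ip, domain)
    notes = {
        "none": "no SPF record: receivers cannot tell forged mail from real",
        "neutral": "record gives no verdict for this IP (e.g. ends in ?all)",
        "softfail": "not an authorised sender, but the domain only asks for marking",
        "fail": "not an authorised sender; receivers may reject",
        "pass": "authorised sender",
        "permerror": "record cannot be evaluated",
    }
    return f"{ip} for {domain}: {result} ({notes[result]})"


if __name__ == "__main__":
    for dom in ("companydomain.example", "weak.example", "norecord.example"):
        print(explain("14.99.239.73", dom))
    print(explain("198.51.100.11", "companydomain.example"))
```

With the corrected record the Indian address evaluates to fail, so a receiver honouring SPF can refuse the message at SMTP time; with the ?all record it is neutral, and with no record the result is none, which is the situation the reply above warns about. Note that SPF is checked against the envelope sender and connecting IP only, so it does nothing about a forged From: header on its own; that is what DMARC alignment adds on top.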
 
Does the domain have an SPF record that lists allowed IPs to send mail for that domain? If not, there's your problem. Most large companies won't even accept mail for domains without an SPF record since they can't do an rDNS check to make sure it's not spoofed.

Interesting, I'll look into it, thank you
 