I have – diligently and without exception, ever since email entered my life in 1994 – composed every single one of my electronic correspondences with a subject line, a greeting, reasonable contents, a farewell, a name and a signature with a little promotional statement about my website, and hardly anyone noticed the recent breach of this principle, which I have observed religiously for the last decade.  Yes, my email account has become the victim of a not-so-rare-anymore hijack attack, and has been used to send out inappropriate web addresses to every contact in my email address book.

If you have taken notice of this and went out of your way to tell me that my email account got compromised, then I thank you enthusiastically.

If you have taken notice of this and you’ve immediately deleted the email, then it’s proof of your common sense.

If you have scratched your head and decided to ask me first what it is about before going any further, then I congratulate you on your cautious approach.

If you have clicked on the link and then asked me what it was I had sent you, because the link unfortunately didn’t open, then…  In that case, my strictly adhered-to email composition principles (a subject line, a personalized main text, a farewell and a signature) have not managed to set off your virtual alarms, and this article will hopefully help raise your awareness…

Guys, please put your thinking caps on before clicking on random links in good faith.  Nothing’s safe nowadays.  Have some confidence in your email buddies and don’t assume that – out of the blue – they send you ‘something nice’ without a subject line, a hello, a farewell or anything that even remotely resembles a personal note.

A completely unmotivated spam email, in most cases a script-kiddie’s finger exercise targeting popular web email clients such as Yahoo Mail, simply screams “Delete Me!”.

If a spam email is very cleverly written and does not give itself away, but still makes you wonder what it’s all about, you can always contact the sender and ask for clarification.  What is completely the wrong thing to do, though, is to click on the link without thinking, and only then ask the sender about the interesting and indispensable nature of the suggested website.
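The cues the post relies on (a subject line, a greeting, a personal main text, a farewell and a signature, versus a bare link) can be turned into a small triage check. The following Python script is an added example and is not part of the original post; the two messages it scores are constructed for the example, and the thresholds (a body that is more than 80% URL, fewer than 80 non-blank characters, three or more flags) are assumptions chosen for illustration, not rules from the post.

```python
import email
import re
from email import policy

# Constructed sample messages (assumptions for this example, not real mail).
# SPAM_LIKE mimics the hijack mail the post describes: no subject, no greeting,
# no sign-off, nothing but a link.
SPAM_LIKE = """\
From: friend@example.com
To: me@example.com

http://example.invalid/zz
"""

# LEGIT_LIKE has every element the post says a real message from a friend has.
LEGIT_LIKE = """\
From: friend@example.com
To: me@example.com
Subject: Photos from Saturday

Hi Ben,

here are the photos from the hike, the ones from the summit came out well:
http://example.invalid/album/123

See you next week,
Anna
--
Anna's site: http://anna.example.invalid
"""

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
GREETING_RE = re.compile(
    r"^\s*(?:hi|hello|hey|dear|good (?:morning|afternoon|evening))\b",
    re.IGNORECASE | re.MULTILINE,
)
FAREWELL_RE = re.compile(
    r"\b(?:regards|cheers|best|thanks|thank you|sincerely|see you|bye)\b",
    re.IGNORECASE,
)


def extract_text(raw: str) -> tuple[str, str]:
    """Return (subject, plain-text body) of an RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return subject, body


def score_message(raw: str) -> dict:
    """Flag the cues the post describes; more flags means more suspicious.

    Thresholds are assumptions for this example.
    """
    subject, body = extract_text(raw)
    urls = URL_RE.findall(body)
    non_ws = re.sub(r"\s+", "", body)
    url_chars = sum(len(u) for u in urls)
    url_share = url_chars / len(non_ws) if non_ws else 0.0
    flags = {
        "no_subject": subject == "",
        "no_greeting": GREETING_RE.search(body) is None,
        "no_farewell": FAREWELL_RE.search(body) is None,
        "link_only": bool(urls) and url_share > 0.8,
        "short_body": len(non_ws) < 80,
    }
    score = sum(flags.values())
    return {"score": score, "flags": flags, "urls": urls, "suspicious": score >= 3}


if __name__ == "__main__":
    for label, raw in (("spam-like", SPAM_LIKE), ("legit-like", LEGIT_LIKE)):
        result = score_message(raw)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for name, hit in result["flags"].items():
            print(f"  {name}: {hit}")
```

The check is deliberately crude: a cleverly written spam that copies a greeting and a sign-off will pass it, which is exactly why the post recommends asking the sender before clicking rather than trusting any single cue.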

My brother has a good explanation for what happened, for those who are interested:

To ease your mind, at first glance the email doesn’t look like it was sent from your computer but from a bot computer in the Philippines.  How they gained access to your account, though, and were able to read your address book isn’t quite clear.  Very likely it’s Yahoo’s own fault because their web mail system is susceptible to brute force attacks (password inquiries and resets).  What helps is a complicated password, or to simply not use Yahoo.

Another possibility that can’t be ruled out is a cross-site scripting attack through the browser, but the Yahoo spam mails have made their rounds for a while now, therefore it’s rather unlikely.  You could check whether the sent mails were deleted, as this would point to a hijacking attack from outside.  At least it wasn’t your computer that sent out the emails, which might give you some comfort.

Yahoo noticed shortly after the attack that there was something wrong with my account, and has thankfully put me in virtual chains.  I can now no longer send emails to a large number of people (which is why I was unable to warn you about the spam mail), and I have to enter a captcha code each time I email someone.  Both of those security measures make perfect sense, but isn’t it a bit late now?  Having a super-complicated password now and not a single contact left in the address book, I can only wish the next bot attack the best of luck…

To sum it up – always scrutinize what shows up in your mailbox or entices you to click on a web page, and don’t fall for old-school tricks.  If you figure that there’s something wrong with it, it probably is…  Just ignore it, instead of looking for a reason…

As a little tidbit, here are some good web articles about staying safe on the internet.  No worries – they’re clean, you can safely click on these links :-)

http://www.microsoft.com/business/en-us/resources/technology/security/5-tips-for-top-notch-password-security.aspx?fbid=b4gw_K7_0zK

http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html

http://dagblog.com/humor-satire/who-hijacked-yahoo-mail-3151