Tuesday, 29 April 2014

AOL Email Spam Nightmare

I was in two minds about writing concerning this subject, but it has caused me so much anguish I decided that fingers to keyboard were required.

Unfortunately, last weekend I found myself to be the owner of an email address that of its own volition had taken to sending spam to what appeared to be all the contacts in my address book. The first I knew about this was when I awoke on Sunday morning to messages in my inbox from “MAILER DAEMON”, stating that I had undelivered mail. I initially thought that it was just an error, but when I opened it the full horror started to emerge. I found that I appeared to have sent an email to the contacts in my address book that stated “Hi, How are you... check out the following... xxxxx”, where xxxxx was a website. Oh dear, I was gutted, as I had no idea what the website was, or if it contained any malicious code. Would the people on my contact list open this and become infected?

The next distressing event was the receipt of emails from various companies (including financial institutions), stating that they had received my email and would respond in due course. At this point worry started to set in. Had my computer been hacked, and were the hackers stripping me of my financial assets? Seeing that I was imminently due to go to work, the only action I had time to undertake was to change the password on my email account, hoping that this would help the situation.

As you can imagine, my journey to work and the whole day were somewhat marred by the events in the morning. I had hoped that firewalls, antivirus software, etc. would prevent the spread of the email, but alas, during the day, I started receiving text messages from people enquiring about the email I had sent to them, which were mostly to warn me, but one of my friends accused me of sending a virus that had deleted all of his work emails. During this time I was absolutely powerless because I didn’t have access to my computer, and was just left to wonder what was going on. As you can imagine, the anxiety levels were building up.

When I returned home in the evening I logged into my email straight away. I had more returned mail errors, company emails saying that I had contacted them, and some friends warning me that it looked as if I had a virus and I should change my password. At this point I thought I had better ring my internet service provider. I had to wait over 30 nail-biting minutes to speak to an operator. Although they were efficient, they seemed unconcerned about what had happened. They reset my password from their side and said that my account should now be secure. They stated I should also run an antivirus program on my computer, and that they could sell me such a program to help me! I enquired about how this could have happened, and was told that I must have entered my email password into a “dodgy website”. This puzzled me somewhat, as I always tried to be careful and only entered my password into their email client software.

Anyway, feeling slightly better that the email account may be secure, I ran several antivirus/malware programs. These were Malwarebytes, AVG (antivirus guard), and MSE (Microsoft Security Essentials). I already had AVG installed on my computer, but had to download the other two. You have no idea how nerve-racking this was. Due to what had happened I did not trust anything that was happening on my computer. After running these programs, I then set about changing all my website passwords. The whole process took around five hours, and in all fairness I still felt apprehensive.

The next morning I awoke to more erroneous emails in my inbox. I was hoping that they were just remnants from the other day making their way through the system. To be safe, though, I thought I would delete my entire address book and all of the contents of my email folders (inbox / old, etc.). I was incredibly surprised to find that some email in my “old” box went back as far as 2006!

Another restless day at work, with the only text message I received from my friend who accused me of deleting his work emails, asking “If I had found anything out? And if I had reported it?” Reported it to who, I wondered? I had phoned my internet service provider, but apart from resetting my account, they were disinterested. Should I report it to the authorities? If so, which one? Arriving home that night the erroneous mail had diminished, so I was feeling slightly better, although I was running all three antivirus / malware programs daily.

And so on to the third day, thinking the worst was over; in the afternoon my heart sank. I received a text message from a friend saying he had received another spam email from me. How could this have happened? The hackers either had a key logging virus on my computer, or had worked out my new password. Another restless and fraught afternoon at work. On arriving home I checked my email, but was somewhat surprised to find that I didn’t have any erroneous email in my inbox. I immediately phoned my internet service provider again, but had to abandon the call as I was informed the waiting time was over one hour and thirty minutes. From this I assumed I couldn’t be the only person having problems, so I searched the internet for “AOL email spam”.

Well, if you have gotten this far, you may have deduced that my internet service provider was in fact AOL. There were now multiple news stories emerging on the web relating to AOL, with users stating they were the victims of spam (in fact described as a spam tsunami) being sent from their email account to their contacts address book. The exact problem I was experiencing. It also stated that there was a Twitter storm brewing. I do not use Twitter, so cannot comment on this aspect!

From what I could deduce it appears that the AOL email servers had been hacked (apparently admitted by AOL to the newspaper USA Today). The hackers had obtained the AOL mail clients' email address plus their address book contact details. This had enabled the hackers to send emails to address book contacts and make it look as if the email had come from you. The hackers had not obtained access to the actual email account; they were using a process known as spoofing, making emails look as if they are sent from someone else. This was possible because AOL allowed “aol.com” emails to be sent from other non-AOL webmail servers. To fix the problem AOL had changed the system to only allow AOL mail to be sent from AOL servers, which effectively fixed the problem.
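The spoofing described above works because a From: address on its own proves nothing about which server sent the message. As an added example (not from the original post or from AOL), here is how a receiving system could check that a message claiming an aol.com sender was authenticated for that domain, using the Authentication-Results header stamped by its own mail server; the host names, sample messages and the simplified two-label domain comparison are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(host):
    # Simplification (assumption): compare the last two labels only.
    # Production code should use the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def from_is_authenticated(raw, trusted_authserv):
    """True if a passing SPF or DKIM identity matches the From: domain."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if not from_dom:
        return False
    for header in msg.get_all("Authentication-Results", []):
        parts = [" ".join(p.split()) for p in header.split(";")]
        stamp = parts[0].split()
        # Only trust results stamped by our own receiving server; a
        # sender can put any Authentication-Results header in a message.
        if not stamp or stamp[0].lower() != trusted_authserv:
            continue
        for result in parts[1:]:
            m = re.match(r"(spf|dkim)\s*=\s*pass\b", result, re.I)
            if not m:
                continue
            key = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            ident = re.search(re.escape(key) + r"\s*=\s*(\S+)", result)
            if ident and org_domain(ident.group(1).rpartition("@")[2]) == from_dom:
                return True
    return False

# Constructed sample messages (not real traffic).
SPOOFED = ("Authentication-Results: mx.example.net; "
           "spf=pass smtp.mailfrom=bulk.example.org; dkim=none\n"
           "From: friend@aol.com\nSubject: Hi\n\nHow are you...\n")
GENUINE = ("Authentication-Results: mx.example.net; "
           "spf=pass smtp.mailfrom=friend@aol.com; dkim=pass header.d=mx.aol.com\n"
           "From: friend@aol.com\nSubject: Hi\n\nhello\n")
FORGED_STAMP = ("Authentication-Results: mail.other.example; "
                "spf=pass smtp.mailfrom=aol.com\n"
                "From: friend@aol.com\nSubject: Hi\n\nhello\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("forged stamp", FORGED_STAMP)]:
        print(name, from_is_authenticated(raw, "mx.example.net"))
```
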

AOL issued a statement saying that it took user security and privacy etc. seriously, but stated that the emails had not originated from AOL accounts and were in fact being spoofed. The problem I had with this was that it made no mention that their servers had been compromised in the first place to allow this information to be obtained. It felt, in my view, that by changing their system they were doing us a favour, and it was really nothing to do with them. When I relayed the story to my friends the next night about what had happened, they were oblivious to any problem with AOL email, even though a couple of them work in the IT arena. You would have thought the whole issue would have been made more public, if only to warn other users of the dangers.

So what are my conclusions? I have been an AOL customer for 16 of my 18 years online, and I am at the moment deciding whether to end my relationship with them. I have not received any communication from AOL regarding the issue. I am disappointed with the public statement they made, and the fact they tried to sell me their antivirus software. I would love to know at what point they first knew of the problems. Unless you have been through it, it is hard to know the stress it actually causes. My experience compared with some was fairly mild, but it was constantly on my mind, worrying if I had caused other people any problems, and whether my own information was safe. Coincidentally, my friend who had the problem with his work emails had the issue rectified, but never did tell me if my email was the cause of his predicament.

Over the last week I have been toying with the idea of giving up with the internet.  The whole debacle has led me to question whether it is worth it, but then you have to query how much of your life is tied up with the technology?  How much harder would it be to live without it?

I am still pondering, but have reduced the number of times I run the antivirus / malware programs!


2 comments:

  1. Gmail is most famous email service provider of today, and currently celebrates more than 425 million active users all across the world. This trusted and secured email service was introduced by Google on 7th February 2007 for all users, though its actual launch was done back in the year 2004. How to Reach Gmail Support
