allheart55 (Cindy E)
Administrator
Q: I got spammed, and the junk e-mail came from my own address. Was my account hacked?
A: Not necessarily, because it's trivial to fake an a-mail address. But before you assume that somebody spoofed yours, you should verify that your account was secure.
In this case, the account in question was a friend's Gmail address. His sent-messages mailbox didn't have any copies of the spam e-mails, but more definitive proof awaited in Google's records of recent activity at the account.
The quickest way to look this up is to look at the bottom right corner of your Gmail window for the "Last account activity" line. It should list a time, like "2 hours ago"; click the "Details" link below that, and Gmail will pop up a window with records of each time your account was accessed in the last day or so.
Those details include the time, browser used, and the Internet Protocol address and rough geographic location of each connection, as determined from the numerical "IP." If you've given outside apps like the TripIt travel-monitoring service to read your mail, they'll show up here, too.
If Google sees what looks like a suspicious login attempt, it won't wait for you to check that list; it will flash a warning in a red box atop your inbox.
If nothing unusual shows up in those Gmail records, pull up Google's list of recent activity across your entire Google account. This covers actions like logging in or changing a password; the main list indicates where each one happened, and you can click on any entry to see the time and even what version of a browser was used.
These records may not be complete; in my case, on Wednesday they had a gap between Tuesday and May. But the friend in question saw no gaps in these records, and they only showed connections near his home in Ithaca, N.Y.
They also reported no changes to Gmail security settings except for those that he remembered making. One of those was his activation of Google's two-step verification, in which you confirm a login by entering a numeric code generated on the spot.
That should immunize an account against a mere password compromise, which is why I use two-step verification myself and have repeatedly recommended it here.
Just to be sure, I asked this Gmail user if he could forward one of the spam messages with its headers showing the path the message took from one server to the next. (To see these details in Gmail, click the downward-facing triangle at the top right of a message and select "Show original" from that menu.) A Google publicist had somebody on the Gmail security team inspect the message, and the verdict was that this was a spoofed e-mail address.
Why can't Gmail tell that a message with a Gmail address wasn't actually sent from there? As a general rule, the return address on an e-mail message doesn't have to match the site from which it was sent. With this message, it was a server in Taiwan. Gmail itself will let you send your messages from an alternate address, once you verify that you own that other address.
It and other mail servers have been working on tightening measures against address spoofing, but in this case those safeguards didn't work.
TIP: OTHER SITES WITH RECENT LOGIN INFORMATION
Google is not the only site to tell you the history of recent access to your account:
• With Microsoft's Outlook.com and other services, the recent-activity page lists the dates, times, locations and apps used for each access and also sometimes includes the kind of computer (Mac, Windows, etc.) employed.
• At Yahoo, sign into your account, bring up your account-info page and click the "View your recent sign-in activity" link to see when, where and with what your account was last accessed.
(Disclosure: I write a column on policy issues for Yahoo's Yahoo Tech news site but don't set any policy at the company.)
• At Facebook, bring up your security-settings page and click the "Where you're logged in" category to see when, where and how information for recent logins. You can also disconnect any of those logins if they look sketchy to you.
Twitter could use a feature like this but doesn't offer it. Hint, hint...