AOL mail account sending 'spoofs' on my behalf

[Welly]

Last night my private e-mail account was 'invaded' and everyone in my address book got a 'spoof' e-mail (looking like it was from me of course) with a link to something or other (daren't open it) - looked like the usual crap and said something like "the man is the richest who's pleasures are the cheapest" with a link to open around about the same time I got an e-mail looking like it was from DHL asking for me to confirm a tracking number or some sh*t - I've had those before and just delete them. This all happened at around 03:30am so peoples phones were bleeping/sounding upon receipt

Spoke to AOL who were quite dismissive about it, said my account is safe, and we changed the password. I've deleted loads of old contacts just in case it happens again, one of my business contacts got one of the e-mails so it was embarrassing explaining "it wasn't me"

AOL said that we must have opened a Spam e-mail at some point and a 'bug' entered the system allowing access to my contacts and being able to Forward e-mail to them (none of this stuff appears in the sent box either).

Just want to confirm: I quite often 'open' weird-looking e-mail but NEVER click any links or respond in any way, is this wrong? should you not even open it at all? my work e-mails get filtered and any dodgy-looking links are removed automatically so it still lets you 'read' it but that's it.

[steve_earwig]

AOL, seriously?

I suspect this actually happens their end but it probably won't hurt to check over your security (hopefully someone who knows what they're talking about will advise ). spackers seem to target the "big boys", rather than pisspot ISPs in pisspot little countries because it gets them harder. Or something.

Anyway, what you should do is add your own email to your contacts list, that way if it happens again you'll know about it sooner and can start making repairs earlier, rather than waiting for the MD of your biggest customer to ring up asking about an email you've sent him/her entitled "demolish walls with your enormous knob."

[Welly]

I am in my own address book because my work e-mail address is in there. I've now found whereabouts on AOL you can disable all images and links from unknown sources so I've 'checked' that.

Someone also recommended that you should put AAAAA@AAAAA (must be 5 x A's ) as your very first contact and ZZZZZ@ZZZZZ as your last and apparently this confuses spam programmes? - sounds stupid but it kinda makes sense to me ("this can't be a contact list") etc. ??

[steve_earwig]

I think I've read something like that somewhere, I think it was more something undeliverable that'll bounce straight back you, so you know what's been sent in your name, so it's rather like the including yourself thing.

[mjb]

Most likely explanation is you ran some dodgy code in your web browser (malicious banner ads are a common attack vector) which gave the spammer access to your AOL account via XSS or similar, or merely proxied an address book request

Someone also recommended that you should put AAAAA@AAAAA (must be 5 x A's ) as your very first contact and ZZZZZ@ZZZZZ as your last and apparently this confuses spam programmes? - sounds stupid but it kinda makes sense to me ("this can't be a contact list") etc. ??

The spambot will merely try to send emails to aaaaa@aaaaaa and zzzzz@zzzzz along with the rest of your contacts. No effect.