EmailDiscussions.com  

16 Apr 2012, 02:38 AM   #1
ralphzak
Senior Member
 
Join Date: Mar 2009
Posts: 116
How did they send this?

I got this email to my Googlemail/gmail address. The email was claiming to have come from a Yahoo address and the yahoo address was one of mine.

So I figured that was odd. Putting aside how did they connect one email with the other one.. They perhaps broke into one of the accounts and got the other email address.

But that aside..

What method did they use to send the email?

It looks like it came from Yahoo, it has Yahoo headers. But I do need some convincing to believe they got into my account. I don't see anything in my Sent Mail for example.

Is it a sure thing that they must've logged in as me on my Yahoo account and sent that email? Or is there any other way they may have done it?

I changed my yahoo mail password just to make sure.

Delivered-To: gadopphin1@googlemail.com
Received: by 10.229.222.212 with SMTP id ih20csp52711qcb;
    Sat, 24 Mar 2012 08:01:51 -0700 (PDT)
Received: by 10.68.194.3 with SMTP id hs3mr38085144pbc.119.1332601310062;
    Sat, 24 Mar 2012 08:01:50 -0700 (PDT)
Return-Path: <todroly31@yahoo.co.uk>
Received: from nm19-vm0.bullet.mail.ird.yahoo.com (nm19-vm0.bullet.mail.ird.yahoo.com. [77.238.189.92])
    by mx.google.com with SMTP id r7si12772130pbq.158.2012.03.24.08.01.48;
    Sat, 24 Mar 2012 08:01:50 -0700 (PDT)
Received-SPF: neutral (google.com: 77.238.189.92 is neither permitted nor denied by best guess record for domain of todroly31@yahoo.co.uk) client-ip=77.238.189.92;
Authentication-Results: mx.google.com; spf=neutral (google.com: 77.238.189.92 is neither permitted nor denied by best guess record for domain of todroly31@yahoo.co.uk) smtp.mail=todroly31@yahoo.co.uk; dkim=pass (test mode) header.i=@yahoo.co.uk
Received: from [77.238.189.50] by nm19.bullet.mail.ird.yahoo.com with NNFMP; 24 Mar 2012 15:01:47 -0000
Received: from [217.146.188.166] by tm3.bullet.mail.ird.yahoo.com with NNFMP; 24 Mar 2012 15:01:47 -0000
Received: from [127.0.0.1] by smtp134.mail.ird.yahoo.com with NNFMP; 24 Mar 2012 15:01:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1332601307; bh=jUEqsk8PcibGwaZI1hhXdfQFuvG4zkDe7l/vywrToMI=; h=X-Yahoo-Newman-Id:Message-ID:Date:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Subject:From; b=uNTOdDv3BwuQ7Nz2BCPvCggaTKp2Wsfh2/qcKHhsjGIbSerSsQTpcVN+KwKZUdkVox5SH3oXAwRCqUu+vTNrtdx70n+J3mNhwbbqRMnApf6kOeVIthS1VWv5L43mRQ5EEaBDg+mKKFgy3TQ5fI1RjhBYrLrnL5O9h9Oqe9sUrU0=
X-Yahoo-Newman-Id: 655289.55666.bm@smtp134.mail.ird.yahoo.com
Message-ID: <655289.55666.bm@smtp134.mail.ird.yahoo.com>
Date: Sat, 24 Mar 2012 08:01:47 -0700 (PDT)
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: T1mF3ekVM1k1h3G9pq9D55.n2MkxPZBGXcky4RUxqfix4jf
    wFIncPrPBjLKUno5Pkqxmtd.7PHoV5TVUkxYw3dfxlFEvx3UFN6ZbW63aOlU
    0gn3vpmV7uEys3W6ksKU4uV1z7HSSZFdaammFU1bRV9Q9nXJ4eXjkOtpq70Q
    BdKFxsi4YKzIRPgf15CiP_LrdKpJgnAq2DnM7PaWBSOxYnAf0hLohuwbbAhr
    brw1BhXb29_K6DshXn68.hgAung1Go0Z6HAJWQGjXU2VUNSkOhVi7BuUwBng
    2oxOobIRACFXRa2HBcZaJoLU1yqRLdHSNxEgiq_YnQTykp3GQevL9pchABhr
    irVvUQODTEJPbnqt.yaR4GlKou_P_0heUGmDWngDcREvJn9_xA6cbVODnigG
    AZD5uaLRHpsoyzobbcZVyF3Np9UoXzDzmCbXULI2H8aAVQCXarIX0DtqbYV1
    relJLjf3zQhmXWwPg7D.6p.eabtz4ZYjJ9qQ4mBRkD2VI5vqWhOERy5aF_yG
    YrV0Og.Wz
X-Yahoo-SMTP: HNff29SswBBgnCZ2jGCkOnemaWKiK4_EUbs-
Received: from xybipaly (todroly31@77.224.248.3 with plain)
    by smtp134.mail.ird.yahoo.com with SMTP; 24 Mar 2012 08:01:47 -0700 PDT
Subject: Re:
From: todroly31@yahoo.co.uk

16 Apr 2012, 02:46 AM   #2
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
It's very easy to forge a 'from address' - which may be your own email address (or any other).

More info here.

16 Apr 2012, 03:44 AM   #3
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
The message does seem to have gone through Yahoo's servers -- it contains Yahoo's IP addresses and Yahoo's DKIM signature. Google actually received it from one of Yahoo's servers, so it's unlikely that the sender forged those headers.

It may be easy to forge a "From:" address, but it's less easy to get a company to accept and sign a message that contains a forged address belonging to its own domain. I don't know what Yahoo's policy on aliases/personalities/identities is, but I can't imagine that they'd allow any Yahoo user to impersonate any other Yahoo user.

Unless there's a hole in Yahoo's system that allows this (which is unlikely), I'd assume that your Yahoo account was compromised. Better be safe than sorry! That might also explain how the sender got hold of your other e-mail address. Check if anybody else in your Yahoo address book has received similar messages lately.

The following lines look interesting, as they contain the only IP address in those headers that doesn't belong to either Yahoo or Google.
Code:
Received: from xybipaly (todroly31@77.224.248.3 with plain)
    by smtp134.mail.ird.yahoo.com with SMTP; 24 Mar 2012 08:01:47 -0700 PDT

77.224.248.3 is located in Spain, and "with plain" indicates that the sender logged in via SMTP. Messages sent via SMTP usually don't get saved in your Sent folder unless your mail client explicitly saves them via IMAP, so it's not surprising that your Sent folder is empty. It's also possible that the sender was trying to delete all traces of his actions.

tl;dr: Change your Yahoo password and security questions. Make sure that the e-mail address you're using for password recovery hasn't been compromised, too.

Last edited by kijinbear : 16 Apr 2012 at 03:50 AM.
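
The header reading in post #3, as an added example that is not part of the original thread: it walks the Received chain oldest-first, finds the hop where a Yahoo host accepted the message from a non-Yahoo client, and combines that with the DKIM verdict Google recorded. The function names, the `.yahoo.com` suffix test and the trimmed header sample are assumptions of this example; treating "with plain" as an SMTP login follows the reading given in post #3.

```python
import re
from email import message_from_string

# Headers from the first post, trimmed to the fields used (SPF comment shortened).
RAW = """\
Received: from nm19-vm0.bullet.mail.ird.yahoo.com (nm19-vm0.bullet.mail.ird.yahoo.com. [77.238.189.92])
    by mx.google.com with SMTP id r7si12772130pbq.158.2012.03.24.08.01.48;
    Sat, 24 Mar 2012 08:01:50 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral smtp.mail=todroly31@yahoo.co.uk; dkim=pass (test mode) header.i=@yahoo.co.uk
Received: from [77.238.189.50] by nm19.bullet.mail.ird.yahoo.com with NNFMP; 24 Mar 2012 15:01:47 -0000
Received: from [127.0.0.1] by smtp134.mail.ird.yahoo.com with NNFMP; 24 Mar 2012 15:01:47 -0000
Received: from xybipaly (todroly31@77.224.248.3 with plain)
    by smtp134.mail.ird.yahoo.com with SMTP; 24 Mar 2012 08:01:47 -0700 PDT
Subject: Re:
From: todroly31@yahoo.co.uk

"""
HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<note>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def hops(msg):
    """Received hops oldest first (each relay prepends, so reverse the list)."""
    found = (HOP.search(v) for v in reversed(msg.get_all("Received", [])))
    return [m.groupdict() for m in found if m]

def auth_results(msg):
    """Verdicts recorded by the receiving server, e.g. {'dkim': 'pass'}."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def submission(msg, provider):
    """Oldest hop where a provider host accepted mail from a non-provider client."""
    for h in hops(msg):
        if h["by"].endswith(provider) and not h["helo"].endswith(provider):
            note = h["note"] or ""
            ip = IPV4.search(note) or IPV4.search(h["helo"])
            return {"by": h["by"], "client_ip": ip.group() if ip else None,
                    # "with plain" marking an SMTP login is the reading from post #3
                    "authenticated": "with plain" in note}
    return None

def assess(msg, provider=".yahoo.com"):
    sub, auth = submission(msg, provider), auth_results(msg)
    if sub and sub["authenticated"] and auth.get("dkim") == "pass":
        return f"logged-in submission from {sub['client_ip']} via {sub['by']}"
    return "no authenticated provider hop: From is unverified"

if __name__ == "__main__":
    print(assess(message_from_string(RAW)))
```

Only Received lines written by hosts you trust carry weight; anything older than the provider's own first hop is supplied by the sender and can be fabricated.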
All times are GMT +9.