Ask the Experts Q&A for January 2006

  • Somebody is using my email address to spam people. I found this out because I get about 25 returned (undeliverable) emails a day from people I never emailed. They have letters attached with my name at the bottom that I never wrote. How do I stop this?
  • I used a friend's computer while I was visiting him. I am back home now but he tells me now that he can check my information. He has my e-mail address and my password now. What can be done so he won't be able to access my account any longer?
  • HELP! Someone is using my email address and they changed my password. It must be someone that I know but I can't find out who it is. This person is sending out pictures of me and saying bad things. Can you help me with this problem?
  • Can something be done to prevent someone from opening accounts under my name? I have been receiving unsolicited phone calls generated by an e-mail account that was not set up by myself or by family members.
  • Somebody from Turkey is using my e-mail address. What do you suggest?
  • I received an email from "Duke Andrews, The National Lottery, Liverpool... I had won 300,000.00 GBP... contact representative within 7 days... I believe this is a scam or is fraudulent. How do I report this?

Question

Somebody is using my email address to spam people. I found this out because I get about 25 returned (undeliverable) emails a day from people I never emailed. They have letters attached with my name at the bottom that I never wrote. How do I stop this?

The good news is that no one is using your email account. Your email address was plucked at random from the lists that spammers compile and use to send their unwanted email out to other people. Your address was used as the faked sender.

How did they get your address in the first place? Let me count the ways! First, they can just guess. There's a good chance that at any given domain name (like hotmail.com) there's a mary@ or a dave@ or any other common first name.

A spammer may have even purchased your name. Have you signed up for any "free" web services lately? Some "services" aren't much of a bargain because they can turn around and resell your address to spammers. Names can also be harvested from profiles you've set up, or posts you've made to discussion groups.

We asked veteran spam fighter John Levine, author of Internet for Dummies, for his take on the problem. He wrote back, "Welcome to the club. It's usually nothing personal; spammers use random addresses from their spam lists as fake return addresses. Occasionally it is something personal, particularly for anti-spam outfits. On a bad day, Mr. abuse.net (that's me) gets 350,000 bounces from mail he didn't send."

John laments that there's not much he, or you, can do about it. A good spam filter should catch most of the bounces on their way to your mailbox. There is hope around the corner, though. John reports there's a new technology called "Bounce Address Tag Validation" (BATV) that your Internet Service Provider can use to put a digital "signature" on the mail you actually send. Legitimate bounces will have the signature and fake ones will not--so those bounces you're now receiving can be rejected by your ISP before they ever clutter your mailbox.

Microsoft has something called "Sender ID" that can help protect those with Hotmail accounts. There's an excellent article about it here and more details and technical information here.
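
The BATV idea described above, sketched as an added example (not code from John Levine, the BATV authors, or any ISP). It is modelled on the `prvs=KDDDSSSSSS=address` layout from the BATV Internet-Draft; the key, clock value, addresses, seven-day lifetime and lower-casing of the address are assumptions made for the illustration.

```python
import hashlib
import hmac

DAY = 86400                        # seconds per day
KEY = b"constructed-demo-key"      # constructed secret; a real one stays on the mail server
NOW = 1136851200                   # constructed clock: 10 Jan 2006 00:00 UTC

def _mac(key, key_id, day, address):
    """First three bytes (six hex digits) of HMAC-SHA1 over key id, day and address."""
    msg = f"{key_id}{day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]

def sign_sender(address, key, now, key_id=0, lifetime_days=7):
    """Tagged envelope sender for outgoing mail: prvs=KDDDSSSSSS=address."""
    day = (int(now) // DAY + lifetime_days) % 1000   # expiry day, three digits
    return f"prvs={key_id}{day:03d}{_mac(key, key_id, day, address)}={address}"

def check_bounce(recipient, key, now, lifetime_days=7):
    """Classify a bounce by its recipient address; only 'valid' should be delivered."""
    if not recipient.lower().startswith("prvs="):
        return "untagged"          # we sign everything we send, so this bounce is fake
    tag, sep, address = recipient[5:].partition("=")
    if not sep or len(tag) != 10 or any(c not in "0123456789" for c in tag[:4]):
        return "forged"
    key_id, day = int(tag[0]), int(tag[1:4])
    expected = _mac(key, key_id, day, address)
    if not hmac.compare_digest(tag[4:].lower().encode(), expected.encode()):
        return "forged"            # signature was not made with our key
    days_left = (day - int(now) // DAY) % 1000
    return "valid" if days_left <= lifetime_days else "expired"

if __name__ == "__main__":
    tagged = sign_sender("mary@example.com", KEY, NOW)
    for rcpt in (tagged, "mary@example.com", "prvs=0165abcdef=mary@example.com"):
        print(rcpt, "->", check_bounce(rcpt, KEY, NOW))
```

A spammer who fakes mary@example.com as the sender does not know the key, so the bounces that result arrive at the untagged address or carry a tag that fails the check, and the server can refuse them.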

Question

I used a friend's computer while I was visiting him. I am back home now but he tells me now that he can check my information. He has my e-mail address and my password now. What can be done so he won't be able to access my account any longer?

The short answer is: change your password and change it now! See below to learn how.

First, here are a few tips on how to avoid giving your account information away in the future. When you log in to your Hotmail account, there are three boxes to select from in order to tell the computer how to handle your account information. These are:

  • Save my e-mail address and password
  • Save my e-mail address
  • Always ask for my e-mail address and password

When you were on your friend's computer, did you happen to notice which one was checked? If it was the first box, that's how your friend got your email and password—his computer happily gave it to him after you left!

If you're using a friend's computer, or a public computer in a library or Internet cafe, you should always check the last box, so that the computer won't save any information about your account.

Watch carefully when you log on, because the middle choice, "Save my email address," is the default selection. This might provide some protection because someone trying to break into your account would still have to guess your password. Unfortunately, most people's passwords are not very good.

They often are easy to guess, especially if you know something about the person—like a pet's name, or child's name. If you left this box checked, your friend may have just watched you type all or part of your password. Also, when you're finished, don't forget to log out!

All is not lost: you can get your account back, but you'll need to reset your password. Here is the "help" information provided by Hotmail for this scenario. Note that it will give you a reading on how "strong" your new password is. The direct link to this information is here.

If you think an unauthorized person has used your account:

Change the password that is associated with your Microsoft Passport Network account

  1. On the Passport Network home page, click Sign In.
  2. Type your e-mail address and password, and then click Sign In.
  3. Click Account information.
  4. On the Account information page, click Change your password.
  5. Type your old password, type your new password, retype your new password, and then click Continue.

Note: The Password Strength tab shows how strong the password is. Remember to use your new password every time that you use this e-mail address.

Reset the password that is associated with your Passport Network account

On the Passport Network home page, click Account Services.

  1. On the sign-in page, click "Forgot your password?".
  2. Type your e-mail address. In the Characters box, type the characters that appear in the Human Interactive Proof (HIP) validation window.
  3. Click Continue, and then follow the instructions to reset your password.

Note: If you do not have another e-mail address to use for this process or if you cannot remember your secret question and password, click Contact Us at the bottom of this page.

To report a security or privacy issue, send an e-mail message to msnprivacy@msn.com, and include the following information:

  • Your first name
  • Your last name
  • Your full sign-in name (e-mail address)
  • The e-mail address to which you want MSN to send the response
  • A complete description of the issue

Question

HELP! Someone is using my email address and they changed my password. It must be someone that I know but I can't find out who it is. This person is sending out pictures of me and saying bad things. Can you help me with this problem?

Since you have a Hotmail account, you can report this problem using the instructions below. Keep in mind that you will need a different email account in order to communicate with the folks at Hotmail security about your compromised account. MSN recommends that every Hotmail account have an alternate email address associated with it--useful in situations like this.

Report a security or privacy issue

To report a security or privacy issue, send an e-mail message to msnprivacy@msn.com, and include the following information:

  • Your first name
  • Your last name
  • Your full sign-in name (e-mail address)
  • The e-mail address to which you want MSN to send the response
  • A complete description of the issue

More information may be found at this MSN Support link for Hotmail.

Keep in mind there are several ways others can get access to your account. Be careful when logging on at an Internet café, at school, or at a friend’s house. The computer itself can be giving away your secrets!

When you log in to your Hotmail account, there are three boxes to select from in order to tell the computer how to handle your account information. These are:

  • Save my e-mail address and password
  • Save my e-mail address
  • Always ask for my e-mail address and password

Which to choose? If you’re at home, and no one else but you ever uses your computer, you might elect to have your machine remember your username and password.

If you’re using a friend’s computer, or a public computer in a library or Internet cafe, you should always check the last box, so that the computer won’t save any information about your account.

Watch carefully when you log on, because the middle choice, "Save my email address," is the default selection. This might provide some protection because someone trying to break into your account would still have to guess your password. Unfortunately, most people’s passwords are not very good. They often are easy to guess, especially if you know something about the person—like a pet's name, or child’s name. If you left this box checked, someone may have just watched you type all or part of your password.

Also, don't forget to log out!

Question

Can something be done to prevent someone from opening accounts under my name? I have been receiving unsolicited phone calls generated by an e-mail account that was not set up by myself or by family members.

There is currently no way to prevent someone else from using your name while signing up for email. However, if your name is being used fraudulently, it is against the law. The Federal Trade Commission’s site features a concise guide to fighting back against identity theft. Steps to take are outlined in this link.

While the Internet is a great source of information, everyone should be vigilant for fraudulent email offers and deceptive websites. It’s also worth visiting this link for tips from the National Consumers League. You’ll find information on everything from bogus sweepstakes notifications to Nigerian "inherited money" offers.

Is there a way to prove that email did come from a particular person? Maybe, using something known as "digital signatures" and "digital certificates." You can learn about them and read the pros and cons here.

Question

Somebody from Turkey is using my e-mail address. What do you suggest?

First, someone may be using your email account. To stop that, change your email password right away. Be sure to select a password that is not in the dictionary and is hard to guess. MSN has some excellent suggestions about creating a "strong" password. According to MSN, a good password should not be a common word or name, or a close variation of one.

Safer passwords also contain three of the following four different types of characters:

  • Uppercase letters (for example: A, B, C)
  • Lowercase letters (for example: a, b, c)
  • Numerals (for example: 1, 2, 3)
  • Symbols (' ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; < > ? , . /)

Unfortunately, not all sites allow symbols in the password. For more, read the complete article.

The good news is that it is likely that your email account isn't really being used, but that the spammer has randomly selected your email address and has borrowed it to list as a fake return address. There is currently nothing that can be done about this. On the horizon, there are many initiatives to make sure the sender is really who he says he is, and not someone masquerading as another person.

Microsoft has something called "Sender ID" that can help protect those with Hotmail accounts. There's an excellent article about it here and more details and technical information here.

Question

I received an email from "Duke Andrews, The National Lottery, Liverpool... I had won 300,000.00 GBP... contact representative within 7 days... I believe this is a scam or is fraudulent. How do I report this?


I have received an email from a person who is unknown to me. They state they have funds in their bank from a known dead person. They want me to pose as a relative, collect the money, and give them a percent of it. They are asking for name and personal numbers. Is this something to report to someone or should I just delete it? I don't know who to report it to if that is what you suggest.


I have received an e-mail saying I have won a lottery sponsored by MSN. From the U.K. and winnings are in British Pounds. I sure doubt the validity of this and wonder how they got my e-mail address. I don't know where to go, can you help?

All of these email scenarios are common scams. According to a January 2006 report from the Federal Trade Commission, the FTC received more than 196,000 Internet-related fraud complaints in 2005. Consumers reported average losses of $2100. In 35 percent of the cases, the company contacted the victim by email—this is up from 26 percent in 2003.

You can learn about these types of fraudulent emails at the Federal Bureau of Investigation (FBI) site.

To make a complaint report, visit the Internet Crime Complaint Center. The site is the product of a partnership between the FBI and the National White Collar Crime Center (NW3C). Your complaint will be screened and passed on to local, state, or Federal authorities. The specific scams are in the "Protect Yourself" area. Click on "Internet Crime Schemes."

You should also be aware of "phishing" (pronounced "fishing") attempts—trick email that really looks like it's from a bank or some other trusted institution. It's really an attempt to get you to give up personal or financial data via a subsequent click to a bogus web page. To learn more about these, visit the Anti-phishing Working Group.

Microsoft also offers an excellent guide to preventing identity theft from email "phishing" scams. Read it here.
