What to do if someone else's account has been compromised

A compromised account is one in which somebody has the password who shouldn’t. IT Services have a number of ways to identify compromised accounts and deal with the problem immediately.

The following sections help you confirm that you are seeing evidence of a compromised email account and what you need to report to the IT Service Desk.

I received spam from a member of the University

There are two reasons why you might receive spam from another member of the University:

  1. Their account has been compromised. If the email is genuinely from a University address, please send the headers to the Service Desk (see below).
  2. Someone is pretending to be this person (“spoofing”). For spoofing, please use the “Report as spam” button in Google. This won’t affect the legitimate user’s email.

How do I spot a spoof?

  1. Open the email and click on the arrow next to the “To:” address, then look for “Signed by: bristol.ac.uk” or “Signed by: my.bristol.ac.uk” (see the above screenshot).
  2. If you cannot see this line, the “From:” address is false - it has been spoofed. Mark it as spam.
  3. If the email is signed, the account has been compromised. Please obtain the headers (see section below) and email them to the Service Desk.

How do I find the headers?

Email headers include the To: and From: fields but also a lot more information used by email programs and administrators. They are part of the process of identifying compromised accounts.

If you are using the normal Gmail webclient, use these instructions:

  1. Click on the down arrow next to the Reply button
  2. Click 'Show original' (see screenshot above). A new tab will open with the email code.
  3. Select all and paste into your email. (Click anywhere in the code, then press Ctrl + A (select all) followed by Ctrl + C (copy), then when you are writing your email, press Ctrl + V to paste the code into your email.)
  4. Close the tab to return to your email.

For other email clients see Google's information about viewing headers.

What are we looking for in the headers?

We look at headers to double-check the “Signed by” information. Users are not asked to read them but we are putting the information here for those that wish it.

There is a lot of information in message headers, but only two lines are relevant for checking the authenticity of a message.

Some examples from recent spam

Example 1 (genuine email):

Example 2 (genuine email):

Example 3 (spoofed email):

Spoof received via Sympa

Sympa complicates things because the email from Sympa passes the tests above, as it should. The information you need is further down.

Look for “X-Original-Authentication-Results”. You will notice that there is another SPF result; in this case it is a “softfail”, indicating that the original email was spoofed.

Where spoofed emails are delivered to members of a list, it often means the list sending options are set to “Public”, i.e. unmoderated. The simple fix is to change this to “public, Bcc rejected”, which will prevent most spam. This should be done by the list owner(s).
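As an added example (not from the original page), the checks described in the “Signed by” and Sympa sections above expressed as a small Python classifier. It assumes Gmail's “Signed by” line reflects the d= domain of the DKIM-Signature header confirmed by Authentication-Results, and that the Sympa case is recognised from the SPF result preserved in X-Original-Authentication-Results. The sample headers are constructed, and the list domain is a placeholder.

```python
import email

# Domains the page says a genuine message shows under Gmail's "Signed by".
UNIVERSITY_DOMAINS = {"bristol.ac.uk", "my.bristol.ac.uk"}

def parse_authres(value):
    """Parse an Authentication-Results value into {method: (result, props)}."""
    out = {}
    for clause in value.split(";")[1:]:          # clause 0 is the checking host
        parts = clause.split()
        if not parts or "=" not in parts[0]:
            continue
        method, result = parts[0].split("=", 1)
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        out[method.lower()] = (result.lower(), props)
    return out

def dkim_domain(msg):
    """Return the d= domain of the DKIM-Signature (assumed to be Gmail's 'Signed by')."""
    sig = msg.get("DKIM-Signature", "")
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None

def classify(raw):
    """Return 'spoofed-via-list', 'signed-by-university' or 'spoofed' for raw headers."""
    msg = email.message_from_string(raw)
    # Sympa case: the list's own mail passes the checks, so inspect the
    # preserved result for the original sender first.
    orig = msg.get("X-Original-Authentication-Results")
    if orig and parse_authres(orig).get("spf", ("none", {}))[0] in ("softfail", "fail"):
        return "spoofed-via-list"
    authres = parse_authres(msg.get("Authentication-Results", ""))
    dkim_ok = authres.get("dkim", ("none", {}))[0] == "pass"
    if dkim_ok and dkim_domain(msg) in UNIVERSITY_DOMAINS:
        return "signed-by-university"   # really sent from the account: report the headers
    return "spoofed"                    # no "Signed by" line: mark as spam

# Constructed sample headers for the three cases on the page (not real mail).
SIGNED = ("From: Alice <alice@bristol.ac.uk>\nTo: bob@bristol.ac.uk\n"
          "Authentication-Results: mx.google.com; dkim=pass header.i=@bristol.ac.uk; spf=pass smtp.mailfrom=bristol.ac.uk\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=bristol.ac.uk; s=sel; h=from:to; bh=AAAA; b=BBBB==\n\nhello\n")
SPOOFED = ("From: Alice <alice@bristol.ac.uk>\nTo: bob@bristol.ac.uk\n"
           "Authentication-Results: mx.google.com; dkim=none; spf=softfail smtp.mailfrom=bristol.ac.uk\n\nhello\n")
VIA_LIST = ("From: Alice <alice@bristol.ac.uk>\nTo: staff@lists.example.ac.uk\n"   # placeholder list domain
            "Authentication-Results: mx.google.com; dkim=pass header.i=@lists.example.ac.uk; spf=pass smtp.mailfrom=lists.example.ac.uk\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.ac.uk; s=sel; h=from:to; bh=AAAA; b=BBBB==\n"
            "X-Original-Authentication-Results: lists.example.ac.uk; spf=softfail smtp.mailfrom=bristol.ac.uk\n\nhello\n")

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("spoofed", SPOOFED), ("via list", VIA_LIST)):
        print(f"{name}: {classify(raw)}")
```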