There’s a bucket-load of issues here, and quite frankly an awful lot of confusion.
This can be a very frustrating situation, but what happens next, if anything, depends on what’s really going on.
Is it really you?
First, I have to ask: how do you know that it’s your account being used to send spam?
What’s incredibly important is to realize that just because the spam says it’s “from” your email address, that doesn’t necessarily mean that the spam was actually sent from your account.
Spammers can fake the “from” address. It’s very easy to do. That means that they can make an email message look like it came from you or me without ever having to access our accounts. They don’t have to hack anything. It’s trivial.
So, the first thing is: never assume that spam with your email address in the “from” line actually came from you. In most cases, it didn’t.
How to tell
How do you tell for sure? Well, there are two ways. Is the spam in your sent mail folder? If it is, then yes, your account has been hacked and it was used to send spam. There’s clear evidence. Of course, hackers can and often do delete the sent mail, so finding no spam in your sent mail doesn’t rule out a hack.
The other approach is to look at the headers of the spam messages themselves. I don’t mean the simple headers, like the “from” line, that you see by default in most email programs, but the full list of headers that geeky people, like me, look at. If you “view original” in Gmail on a message you’ll see them. Or in Outlook, look in the “Advanced Properties” of the message, I believe.
And of course there are other ways on other mail services and programs to take a look at these full message headers. Someone knowledgeable about what to look for can look at those headers and determine if indeed the message came from your actual email account, or if it’s just a spammer faking the “from” address.
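To make the header check concrete, here is an added example (not from the original article) that reads a message's full headers and reports what the receiving mail server recorded about it. The sample message, host names and IP addresses are constructed, and the `assess` function and its `trusted_server` parameter are hypothetical names chosen for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (made-up hosts, RFC 5737 addresses), newest header first.
SPOOFED = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example; Tue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=you@yourmail.example;
\tdkim=none; dmarc=fail header.from=yourmail.example
Received: from bulk-host.invalid (unknown [203.0.113.45])
\tby mx.recipient.example; Tue, 02 Jan 2024 10:00:03 +0000
Authentication-Results: yourmail.example; spf=pass; dkim=pass; dmarc=pass
From: You <you@yourmail.example>
To: friend@recipient.example
Subject: cheap pills

body
"""

def assess(raw, trusted_server):
    """Summarize what the headers written by trusted_server say about a message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() != trusted_server:
            continue  # the sender can write this header too; skip untrusted ones
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            auth.setdefault(method, result.lower())
    # Received lines below the trusted server's own are sender-controlled, so
    # take the connecting IP only from the line that server stamped itself.
    handoff_ip = None
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())
        if re.search(r"\bby\s+" + re.escape(trusted_server) + r"\b", hop, re.I):
            ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", hop)
            handoff_ip = ip.group(1) if ip else None
    verdict = {"pass": "authenticated", "fail": "likely spoofed"}.get(
        auth.get("dmarc"), "inconclusive")
    return {"from_domain": from_domain, "auth": auth,
            "handoff_ip": handoff_ip, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SPOOFED, "mx.recipient.example"))
```

A “likely spoofed” result matches the faked “from” case described above. An “authenticated” result means the message passed the checks for your domain, which is consistent with it having gone through your provider’s real servers and is the case that warrants treating the account as hacked.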
Given what you’ve described, I think it’s most likely that a spammer faked the “from” address without accessing your account.
What to do
So, what do you do if they’re sending email that looks like it came from you but your account was never involved?
You can do absolutely nothing.
It is completely out of your hands since you and your account were never actually involved. Let your friends know that it’s not you, it’s not your account; and get on with your life.
If it was a hack
If your account was involved, things get more interesting. You need to change everything in that account that could be used for password recovery. That means the passwords and the secret questions, like you mentioned. It also means confirming that the associated mobile number or alternate email address is what you expect it to be.
You even need to check if that hacker added automatic forwarding or message-processing rules that would still allow them into your account. You need to check it all. As long as one tidbit remains that the hacker could use to regain access by faking a lost password recovery, he will.
And about your contacts: As long as the contacts came from your online address book and you’re really, really certain about this, then it’s possible that your account has been compromised at least once. The problem is that now the cat’s out of the bag. All the hacker needed to do at that time is make a copy of your contacts, exporting the entire list perhaps. Then no matter what you do with the account after that, he still has that list. He can still send fake email to look like it comes from you and send it to that list.
Once again, there’s nothing that can be done about this either, other than making sure you can completely recover your account and secure it properly.
Once the hacker has your contact list, he has your contact list forever.