How can Thunderbird address book(s) be hijacked by spammers?

  • 5 replies
  • 1 has this problem
  • 3 views
  • Last reply by Matt


Hello. So recently I helped my friend to set up TB with her two email accounts. We transferred an address book from one of them and a second address book from a third email account (AOL service). Now yesterday I got a spam email with a bunch of other recipients in the CC list that looked like they were from one (or both) of those address books. The spam email, though, didn't come from her actual email account, but from some Indian-related domain name where someone had made an account name with her name. The problem is that the spam went to many important people, and this is not the first time, with her name written under the email. She is REALLY pissed about the whole situation and is basically blaming me that Thunderbird was hijacked, and asking how this can never happen again. I am trying to figure out, is it even possible to hijack all the address books and how? Is it possible? Is it possible if there is one SMTP connection that doesn't use secure connection settings (like encryption or SSL)? (I don't remember now, but it might be possible that there was one account where any other setting didn't work, even the one given from the domain provider).

So long story (not really) short, how is it possible to get all addresses from address books that are in Thunderbird, while the account itself is (supposedly) not compromised? I am asking because I don't know if it's even possible. Maybe the address books are kept offline and there is no direct access to them with some hijacking script?

I would appreciate any help and information. Thank you.


All Replies (5)


There isn't enough information to draw any conclusions. However, it's not impossible that there is some sort of malware on your friend's computer, which has been reading the Thunderbird address book. I'd scan the computer for malware. https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware#w_how-do-i-get-rid-of-malware


Hi christ1.

Thanks. Yes, there isn't much info about the whole thing available (or if you need something specific, please ask and I will see if I can find and provide it). Malware was one of my suspicions as well. We have used Spybot's full service (with anti-virus and malware protection) for a long time, but her subscription had expired, so the computer was without protection for a week or two. So it could be an option.

I can take care of malware and keep the computer 'safe' in that way, but the main question for getting her off my back is: is it possible to hack Thunderbird directly to gain access to the address book? And in this case I don't really mean a personal, directed attack on a specific person (there is no motive for that), but rather a random scammer's script that found a weak point in the TB settings. She has had an idea that if she doesn't keep the email addresses in the 'Email' field in the address book, then it's harder to get them. I don't know exactly how a hacker would try to gather them (by whichever means), but my argument is that the spammer's 'code' would look for @ and . from anywhere. So it wouldn't matter in which field the address would lie. If anybody knows, please share some knowledge of how it would be done. Thank you.

So far Spybot didn't discover any 'red' threats in the system. So the different options are still there. It could easily be that the breach was from the domain provider or some other place. But I want to get to know about the possible holes in Thunderbird, to make it secure for future use.

Thank you in advance.


Often we hear of people complaining their address book was hijacked. My experience with these things is nothing of the sort happened. User ignorance and poor decisions online are by far the most common cause of issues.

Thunderbird stores its address book on the local computer in a file format called MORK. It is no more accessible from online than the contents of your documents folder is. Given it is also in a proprietary, but published file format it would require someone to write a specific program to access the contents of Thunderbird's address book.

Almost all those who have issues with address books have the same contacts on their phone, and many also have them on Facebook, Twitter etc. as well as their web mail (a common point of compromise). However they automatically assume email... that must be my email client. I welcome anyone with actual evidence to come forward. But I doubt it will ever happen. If I were going to write software to extract email addresses, I would not mess around with a bit player like Thunderbird. I would be looking for the Googles and Outlook.com's, the really big players.

It is interesting for say Google+ and Facebook, how many of the sites you use them to log into also access your complete contact list. What they do with that information is anybody's guess.

Basically I am saying I have no doubt your contact has had their address book compromised, but I can think of lots of more likely places to get those contacts than Thunderbird. Like the recipients list where an email was forwarded to half the address book as CC or To:

User ignorance as to what information they are hanging out freely is a huge issue on the internet. Of even greater concern to me personally is the general assumption that they can buy some software to protect them from their own ignorance.


Hi Matt,

Thank you for your reply. The fact that the address book file is no more accessible from online than any other file or folder in the computer is relieving for me.

The arguments would be that she doesn't use social media (a person who wants to be 'hidden' in some sort), so it is less likely that those could be the places for a breach. And there have never been any emails sent with a bunch of people in the CC list.

The whole suspicion about Thunderbird was/is because I set it up for her just recently and some of the hijacked addresses kind of mix-matched with the TB address book and the other places they were imported. It is hard to know what has been hijacked and compromised, in total, to draw conclusions where exactly the breach could have been.

I told her to send an email to the mail service provider and ask how and if it's possible that the whole fiasco has something to do on their end.


It could simply be software in one of the routing nodes collecting addresses from emails in transit.

While it is possible to encrypt email bodies, although very very few people do, the header information, including the From and To, is transmitted around the internet in plain text. Unless encryption is used the whole email travels as plain machine readable text.

Those on the nefarious side of the internet are quite adept at sniffing out that sort of information as it travels from Point A to Point B. It is one of the reasons the Social Engineering part of modern hacking is so successful. They know the email addresses to use to get you to action the mail they send. In the absence of digital signatures, the recipient has no way to know the information is spoofed.

You have to always remember that in these types of cases, it is not just your address book. If you are in a club, a business or any other sort of "Group" then many of the email addresses in the books of the other members will have similarity to yours. In a small business of five or six employees, for instance, all of them will more than likely have all of the others in their address books. As well as major customers or suppliers. Working out which of those address books the information came from is about impossible.

Basically if you send mail, you're advertising your email address and that of the recipient. That fundamental truth has not changed in this millennium. There are projects in the open source community to try and change that situation, but it is a complex business, hindered by the fact that encryption requires keys, and most folk don't have them, or the patience to manage them.

One project in this area is P=P https://pep.foundation/index.html, which is involved with Enigmail https://www.enigmail.net/index.php/en/ and Thunderbird. Trying to make the whole secure and private thing a default. But they are pushing decades of insecurity out of the way and people will not go quietly is my guess.

Folk like simple. Secure is never as simple as not. Look at the issues Microsoft had when they tried to button up Vista after the laissez-faire of XP. People basically boycotted it. But having said that it is a fight worth fighting, but it will be slow.
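An added example, not part of any reply in this thread: a recipient-side check for the pattern the question describes, a familiar display name on an address the contact never uses, which also lists the addresses one CC'd message exposes to every recipient. The contact list, names and addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the display name matches a known contact, the address does not.
SAMPLE = """\
From: "Jane Example" <jane.example@mail.invalid>
To: alice@example.org
Cc: Bob <bob@example.net>, carol@example.com
Subject: Please look at this

Hello
"""

# Hypothetical contact list: display name -> addresses that person really uses.
KNOWN = {"jane example": {"jane@example.org", "jane.example@aol.example"}}

def normalize(name):
    """Lower-case and collapse whitespace so 'Jane  EXAMPLE' matches 'jane example'."""
    return " ".join(name.lower().split())

def exposed_recipients(msg):
    """Addresses every recipient of this message can read in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def check_sender(msg, known=KNOWN):
    """Classify the From header against the contact list."""
    name, addr = parseaddr(msg.get("From", ""))
    expected = known.get(normalize(name))
    if expected is None:
        return "unknown-sender"
    if addr.lower() in expected:
        return "known-address"
    # Familiar name on an unfamiliar address: the pattern described in the thread.
    return "display-name-mismatch"

def report(raw):
    """Parse one raw message and return the sender verdict plus exposed addresses."""
    msg = message_from_string(raw)
    return {"verdict": check_sender(msg), "exposed": exposed_recipients(msg)}

if __name__ == "__main__":
    print(report(SAMPLE))
```

A "display-name-mismatch" verdict only says the name and address do not belong together in the local contact list; it does not show where the sender obtained the recipient addresses.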