
Customer receiving kickback emails for messages she did not send

Hi everyone,
I have a client who is receiving kickback messages for email that she did not send. At one time she was receiving a ton of these messages. I ran virus and malware scans on her PC and did some general cleanup. Since then the amount of kickbacks she is receiving is dramatically less, but she is still getting a few every day. My fear is that someone is using her email address to send spam and that it will eventually get the whole company blacklisted. She is the only one in the organization that is having this problem. She is using Outlook 2010 and their Exchange version is 2010 also. I am not too knowledgeable when it comes to troubleshooting problems like this, so I am hoping one of you experts can help me out. Here is the content of one of the kickback messages:

kitsapsales@kitsapsun.com
#< #5.1.10 smtp;550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup> #SMTP#
Original message headers:
Received: from BN1PR02CA0037.namprd02.prod.outlook.com (10.141.56.37) by
 BY2PR02MB505.namprd02.prod.outlook.com (10.141.142.16) with Microsoft SMTP
 Server (TLS) id 15.1.154.19; Wed, 29 Apr 2015 19:18:29 +0000
Received: from BN1BFFO11FD007.protection.gbl (2a01:111:f400:7c10::1:199) by
 BN1PR02CA0037.outlook.office365.com (2a01:111:e400:2a::37) with Microsoft
 SMTP Server (TLS) id 15.1.148.16 via Frontend Transport; Wed, 29 Apr 2015
 19:18:29 +0000
Authentication-Results: spf=none (sender IP is 207.211.31.81)
 smtp.mailfrom=spobgyn.com; kitsapsun.com; dkim=none (message not signed)
 header.d=none;
Received-SPF: None (protection.outlook.com: spobgyn.com does not designate
 permitted sender hosts)
Received: from us-smtp-1.mimecast.com (207.211.31.81) by
 BN1BFFO11FD007.mail.protection.outlook.com (10.58.144.70) with Microsoft SMTP
 Server (TLS) id 15.1.160.8 via Frontend Transport; Wed, 29 Apr 2015 19:18:29
 +0000
Received: from spobgyn.com (wsip-184-178-18-196.pn.at.cox.net
 [184.178.18.196]) by us-mta-11.us.mimecast.lan; Wed, 29 Apr 2015 15:18:26
 -0400
Received: from spobgyn.com ([17.71.91.66]) by spobgyn.com        (mary) with
 ESMTPA (Nemesis) id EvlW3R-8AzJYEunft-3CQD4z for
        <kitsapsales@kitsapsun.com>; Wed, 29 Apr 2015 14:18:31 -0600
Message-ID: <55412E87.82A436FC@spobgyn.com>
Date: Wed, 29 Apr 2015 14:18:31 -0600
From: mary <mary@spobgyn.com>
MIME-Version: 1.0
Subject: Unusual activity in your American Express
To: <kitsapsales@kitsapsun.com>
X-MC-Unique: zbZ5Ab52SrOuRBLQeImhSA-1
Authentication-Results: mimecast.com; spf=none (spfCheck: 184.178.18.196 is neither permitted nor denied by domain of spobgyn.com) client-ip=184.178.18.196; envelope-from=mary@spobgyn.com; helo=spobgyn.com;
Return-Path: mary@spobgyn.com
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:207.211.31.81;CTRY:US;IPV:NLI;EFV:NLI;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR02MB505;
Content-Type: multipart/alternative;
      boundary="=_------------010107090302050805070902"
Asked by mboudreaux
1 Solution
CompProbSolv commented:
Does your client ever log into her mail through a web interface? A common problem is staying logged in to webmail and then browsing the internet and hitting something that will send mail through the open email account.

Have you changed the password for the account?
*** Hopeleonie *** (IT Manager) commented:
The User must change her password. Did you try that?
mboudreaux (Author) commented:
She doesn't check her email on a website but does access it through an iPhone. And yes, I did change her password yesterday afternoon. She did receive another kickback message since I did that. Thanks for the replies.
jmcg (Owner) commented:
I would have hoped that you obscured the person's actual email address for purposes of posting here.

Based on the Subject: "Unusual activity in your American Express" I would immediately jump to the conclusion that your user's email address has been used as the sender address in a phishing campaign. It's very easy for someone to pretend that a mail has been sent by any given email address and this is often done in an attempt to improve the optics of phishing email. Because they are labeled as coming from someone the recipient presumably trusts, the chances are increased that the email will be opened and the crucial link will be clicked on.

Unfortunately, the way email systems exist today provides very little remedy for this kind of scamming. Spreading the knowledge that this can happen is good and may help ameliorate the reputation damage.

The fact that the email bounced, in this case, means that this particular email can have done no harm. But there are undoubtedly other emails that did not bounce, and you can't learn who those recipients are in order to control damage.

Administrators who blacklist domains based on phishing expeditions are just shooting themselves in the foot. It won't stop the phishing more than temporarily and will likely prevent legitimate communications.
mboudreaux (Author) commented:
So basically there's no real way to stop it except for maybe changing her email address?
CompProbSolv commented:
@jmcg
I'm trying to understand part of your response as I've run into this situation numerous times before and expect to run into it again. The more I know about this, the better I am prepared to deal with it in the future.

In particular "your user's email address has been used as the sender...  very easy for someone to pretend..."

If I understand those comments properly, you are suggesting the possibility that someone is sending emails that have Mary's email address as the sender but that they were not actually sent by her and (here is the important part) they were not actually sent through that email account. I recognize this possibility, but would not have expected the rejection to get back to Mary under those circumstances since it was not really sent through her account.

If the email was sent through Mary's account (but not by her personally) I can imagine three scenarios:
1) Someone has taken over her email program on her computer or iPhone and sent the messages from there.
2) Someone has her email password and is sending the mail through her account but not necessarily through one of her devices. Changing her password should have resolved this unless there is still a rogue program on her computer that could monitor such a change.
3) Someone has figured out how to send mail through her account at her email server without her password. I would expect that any halfway respectable email server wouldn't allow this.

Please let me know if any of my suppositions are wrong or if my logic is faulty.
jmcg (Owner) commented:
The three scenarios you outline would indeed be issues of concern. These situations are alarming because of those possibilities, but - most often - the sender impersonation happens without any compromise of the sender's email account.

To get the answer, you have to look at the headers of the failed message (not the headers of the Failed-Delivery-Report itself, which were supplied here). Usually you can spot the improper sender's IP address (but the improper sender may also be an innocent PC that's been zombified) if you analyze the chain of Received: headers. If all of the Received: headers look proper, you may indeed have a compromised email account.

Yes, most respectable email servers do not allow relay (your number 3). But anyone can put an email server on the internet and improperly configured ones can be discovered and exploited without any particular bad intent on the part of the owner of the mail relay.

Given the existence of open relays, all you have to do to impersonate someone is to give their email address at the right spot in the SMTP conversation on port 25.

But a Failed-Delivery-Notice goes back to the stated sender, which is how you discover that your email name has been spoofed.