Email Spam or Hack

Recently I received this email:

> My nickname in darknet is ellerey15. I hacked this mailbox.
>
> If you don't believe me, please check the from address in the header; you will see it was sent from your email, from your mailbox.


How can I check whether this is spam or whether I really got hacked?
Scott Silva, Network Administrator, commented:
It is a fake scam that was blasted out this morning. I filtered out dozens of them trying to come in here...
CL (Author) commented:
I checked the header and SMTP address; it shows the correct email address where it returns.

- Public IP address - my SMTP GW - email server - user mailbox.
- I also checked for open relay; all checks show no open relay.
- I suspected the mailbox password had been compromised, but I checked that the email is from an external IP, not internal sending.

What else can I verify?
CL (Author) commented:
@Scott, did you receive a similar email, with a valid SMTP address? I'm not sure how they mask it so that it becomes the same address.
CL (Author) commented:

It looks so similar...

I just can't understand why it can use the same email address... not a fake email... or is it masking?
Scott Silva, Network Administrator, commented:
We only got it because our spam filter has a licensing issue and is letting everything through...

I am waiting for a clean copy to look at from the server to do some digging.
I doubt they did anything unless you have big holes in your system.
Most likely a server set up to relay with spoofed headers
Scott Silva, Network Administrator, commented:
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
If you could share the header (remove any private info of course), we might be able to help explain.
Scott Silva, Network Administrator, commented:
Digging in my logs, the emails were probably from a botnet.
I see quite a few different IPs in the mix and most of them triggered our greylisting.

Only a couple made it in, and they were the initial salvo. Many of the sending addresses are now in the CBL blacklist.

They are definitely NOT a hack. We had them sent to dozens of users that have publicly available e-mail addresses and several that either don't exist or are no longer with us... I assume they bought a spam list off the dark web and went phishing...
Scott Silva, Network Administrator, commented:
You should also see SPF fails on these...
CL (Author) commented:
On the message header I did an analysis check; here is the output.

1 * SMTP 10/17/2018 12:18:43 PM
2 1 minute 10.x.x.8 10.x.x.3 Microsoft SMTP Server 10/17/2018 12:19:48 PM = my SMTP gateway

10.x.x.8 = SMTP gateway internal IP = email server (Exchange)
10.x.x.3 = internal Exchange Server IP
Scott Silva, Network Administrator, commented: is probably the bot host sending the spam.
CL (Author) commented:
Hi Scott, maybe. I'm still trying to block the traffic and email coming in. I'm just surprised it is able to mask or send with the correct SMTP address.

How can I block these?
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
Sorry if I missed this, but are you using any sort of RBL? That really helps cut down getting hit from compromised servers.
Scott Silva, Network Administrator, commented:
RBLs would block this; even SPF checks would help if set up properly...

Even simple checks that look to see if mail from your domain comes from your addresses.

Are you using some sort of spam filters or are you trying to block things after they hit?

They are still trying to hit here but greylisting is stopping almost all of them, and the rest are getting blocked...
The SPF fails are killing them... And they are scoring in spamassassin
CL (Author) commented:
Hi Brian, I'm using the Symantec Brightmail Gateway in my environment, without DKIM and TLS as well.

Hi Scott, yes, there is SPF for this matter: v=spf1 a mx ip4:x.x.x.x/27-all

where x.x.x.x is my SMTP gateway public IP address range.
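The two checks discussed in this thread, finding the real originating hop in the Received chain and testing that IP against the domain's SPF record, as an added example in Python; this is not code from the thread or from any product mentioned in it. The sample message, the SPF record (assumed to use the standard `a mx ip4:... -all` spacing, with documentation-range addresses in place of the poster's real range), the DNS answers and the internal network are all constructed assumptions; a real checker resolves the `a` and `mx` hosts via DNS and evaluates the envelope MAIL FROM rather than the From: header.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not taken from the thread). The From: header is
# forged to the recipient's own address, but the Received chain shows the mail
# entering the gateway from an outside host (203.0.113.77, a documentation IP).
SAMPLE_MESSAGE = """\
Received: from mail.example.com (10.0.0.8) by exch.example.com (10.0.0.3)
 with Microsoft SMTP Server; Wed, 17 Oct 2018 12:19:48 +0800
Received: from [203.0.113.77] (unknown [203.0.113.77])
 by mail.example.com with SMTP; Wed, 17 Oct 2018 12:18:43 +0800
From: victim@example.com
To: victim@example.com
Subject: I hacked this mailbox

Body omitted.
"""

# Hypothetical SPF policy and the DNS answers its a/mx mechanisms would return.
# A real checker resolves these with DNS; they are hard-coded so the example
# runs offline.
SPF_RECORD = "v=spf1 a mx ip4:198.51.100.0/27 -all"
DNS_A = {"example.com": ["198.51.100.5"]}
DNS_MX = {"example.com": ["198.51.100.5", "198.51.100.6"]}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def originating_ip(msg, internal_nets):
    """Walk the Received headers top-down (most recent hop first) and return
    the first 'from' address outside the internal networks: the host that
    handed the message to the gateway. The From: header cannot tell you this,
    because From: is free text chosen by whoever sent the mail."""
    for received in msg.get_all("Received", []):
        from_part = received.split(" by ", 1)[0]
        for candidate in IPV4_RE.findall(from_part):
            ip = ipaddress.ip_address(candidate)
            if not any(ip in net for net in internal_nets):
                return ip
    return None


def spf_result(record, domain, client_ip, dns_a, dns_mx):
    """Evaluate the ip4, a, mx and all mechanisms of an SPF record against the
    connecting IP. Mechanisms are tested left to right; the first match wins
    and its qualifier gives the result. include/exists/ptr are skipped here."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    client_ip = ipaddress.ip_address(str(client_ip))
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            matched = client_ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(client_ip) in dns_a.get(arg or domain, [])
        elif name == "mx":
            matched = str(client_ip) in dns_mx.get(arg or domain, [])
        elif name == "all":
            matched = True
        else:
            continue  # mechanism not handled in this example
        if matched:
            return qualifiers[qualifier]
    return "neutral"


def analyse(raw_message):
    """Return the From: domain, the external originating IP and the SPF
    verdict for that IP. A gateway evaluates SPF on the envelope MAIL FROM;
    the From: header stands in for it here because the envelope is not kept
    in the stored message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rpartition("@")[2].lower()
    origin = originating_ip(msg, INTERNAL_NETS)
    if origin is None:
        verdict = "none"
    else:
        verdict = spf_result(SPF_RECORD, domain, origin, DNS_A, DNS_MX)
    return {"from_domain": domain, "origin_ip": str(origin), "spf": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE))
```

On the sample message the verdict is `fail`: the mail claims to be from example.com but entered from 203.0.113.77, which matches none of `a`, `mx` or the `ip4` range, so the `-all` terminator applies. A gateway that enforces SPF (or simply rejects mail claiming your own domain from an address outside your range) would have dropped it at the border.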
austin minor commented:
Last week I received exactly the same email with my password (which I used years ago). Unless you have some other indication that your account has been compromised, it is just spam made to look like it was sent from your account to yourself, and can be deleted. Use "Have I Been Pwned" to check breach status.

Check a few more suggestions here in my post:
CL (Author) commented:
Hi Austin, thanks for sharing these.

At this point in time, I'm working on my SMTP to tighten the security.
Scott Silva, Network Administrator, commented:
Everything you can add will bump security up a little more...
Or find a spam filtering appliance...
CL (Author) commented:
Hi all, I'm in the middle of deploying DKIM and TLS, trying to tighten the security... hopefully it can provide better security on email.
