Email Spam or Hack

CL
Recently I received this email.

My Nickname in darknet is ellerey15. I hacked this mailbox.

If you don't believe me, please check the from address in the header; you will see it was sent from your email, from your mailbox.

...


How can I check whether this is spam or whether I really got hacked?
Scott Silva, Network Administrator

Commented:
It is a fake scam that was blasted out this morning. I filtered out dozens of them trying to come in here...
CL

Author

Commented:
I checked the header and SMTP address; it shows the correct return email address.

- Public IP address - my SMTP gateway - email server - user mailbox.

- I also checked for open relay; all checks show no open relay.
- I suspect the mailbox password has been compromised; I checked and the email is from the IP, not internal sending.

What else can I verify?
CL

Author

Commented:
@Scott, did you receive a similar email, with a valid SMTP address? I'm not sure how they mask it until it becomes the same address.
CL

Author

Commented:
https://malwaretips.com/threads/email-received-from-supposed-darknet-hacker.87366/

It looks so similar...

I just can't understand why it can use the same email address... not a fake email... or is it masking?
Scott Silva, Network Administrator

Commented:
We only got it because our spam filter has a licensing issue and is letting everything through...

I am waiting for a clean copy to look at from the server to do some digging.
I doubt they did anything unless you have big holes in your system.
Most likely a server set up to relay with spoofed headers.
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
If you could share the header (remove any private info of course), we might be able to help explain.
Scott Silva, Network Administrator

Commented:
Digging in my logs, the emails were probably from a botnet.
I see quite a few different IPs in the mix and most of them triggered our greylisting.

Only a couple made it in, and they were the initial salvo. Many of the sending addresses are now in the CBL blacklist.

They are definitely NOT a hack. We had them sent to dozens of users that have publicly available e-mail addresses and several that either don't exist or are no longer with us... I assume they bought a spam list off the dark web and went phishing...
Scott Silva, Network Administrator

Commented:
You should also see SPF fails on these...
CL

Author

Commented:
On the message header I did an analysis check; here is the output.

Hop  Delay      From                              By                                   With                   Time
1    *          103.95.99.162 smtp.xxxxserver.com                                      SMTP                   10/17/2018 12:18:43 PM
2    1 minute   smtp.xxxxserver.com 10.x.x.8      EmailServer.local.com 10.x.x.3       Microsoft SMTP Server  10/17/2018 12:19:48 PM


smtp.xxxxserver.com = my smtp gateway
10.x.x.8  = smtp gateway internal IP
EmailServer.local.com = email server (exchange)
10.x.x.3 = internal Exchange Server IP
Scott Silva, Network Administrator

Commented:
103.95.99.162 is probably the bot host sending the spam.
CL

Author

Commented:
Hi Scott, maybe. I am still trying to block the traffic and email coming in. I'm just surprised it is able to mask or send with the correct SMTP address.

How can I block these?
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
Sorry if I missed this, but are you using any sort of RBL? That really helps cut down getting hit from compromised servers.
Scott Silva, Network Administrator

Commented:
RBLs would block this; even SPF checks would help if set up properly...

Even simple checks that look to see if your domain comes from your addresses.

Are you using some sort of spam filters or are you trying to block things after they hit?

They are still trying to hit here but greylisting is stopping almost all of them, and the rest are getting blocked...
The SPF fails are killing them... And they are scoring in SpamAssassin.
CL

Author

Commented:
Hi Brian, I'm using the Symantec Brightmail Gateway in my environment, without DKIM and TLS.

Hi Scott, yes, there is SPF for this domain: v=spf1 a mx ip4:x.x.x.x/27 -all

where x.x.x.x is my SMTP gateway public IP address range.
Last week I received exactly the same email with my password (which I used years ago). Unless you have some other indication that your account has been compromised, it is just spam made to look like it was sent from your account to yourself, and can be deleted. Use "Have I Been Pwned" to check breach status.
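The hop trace and the SPF record above are enough to settle the "how can it use my own address" question: the message entered at the gateway from 103.95.99.162, an address outside the ip4: range the record authorises, so a receiver evaluating SPF on the envelope sender would reach -all and fail it. This added example (not code from the thread or from any product named in it) walks a constructed Received chain newest-first to find the first non-private "from" address, then evaluates that address against the ip4:/all terms of the record. The 10.x.x.x hosts and the x.x.x.x/27 range are filled with placeholder values, and the a/mx terms are skipped because they need DNS.

```python
import ipaddress
import re

# Constructed sample, not the thread's real headers: the two hops of the trace
# rewritten as Received lines (newest first). Private hops and the gateway's
# public /27 use placeholder values (203.0.113.0/27 is a documentation range).
SAMPLE_RECEIVED = [
    "from smtp.xxxxserver.com (10.0.0.8) by EmailServer.local.com (10.0.0.3) "
    "with Microsoft SMTP Server; Wed, 17 Oct 2018 12:19:48 +0800",
    "from [103.95.99.162] by smtp.xxxxserver.com with SMTP; "
    "Wed, 17 Oct 2018 12:18:43 +0800",
]
SPF_RECORD = "v=spf1 a mx ip4:203.0.113.0/27 -all"

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def originating_ip(received):
    """Return the first 'from' address in the chain that is not one of our own
    private hops: the host that handed the message to the gateway."""
    for hop in received:
        m = IPV4.search(hop)  # first literal on the line is the 'from' side
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if not addr.is_private:
            return str(addr)
    return None


def spf_ip4_result(record, ip):
    """Evaluate only ip4:/ip6: and 'all'. The 'a' and 'mx' mechanisms need DNS
    lookups, so this offline simplification skips them; an MTA's SPF filter or
    the pyspf library resolves them in production."""
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        q = term[0] if term[0] in qualifiers else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return qualifiers[q]
        elif mech == "all":
            return qualifiers[q]
    return "neutral"  # record ended without a matching term


def check_message(received, spf_record):
    ip = originating_ip(received)
    return ip, (spf_ip4_result(spf_record, ip) if ip else "none")


if __name__ == "__main__":
    ip, verdict = check_message(SAMPLE_RECEIVED, SPF_RECORD)
    print(f"originating IP {ip}: SPF {verdict}")  # 103.95.99.162: SPF fail
```

A gateway that rejects or scores on this fail at SMTP time, as Scott describes, stops the spoof before it ever reaches the Exchange server, whatever address the From: header claims.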

Check a few more suggestions here in my post: https://www.experts-exchange.com/questions/29121191/Personal-Account-Security-Issue.html
CL

Author

Commented:
Hi Austin, thanks for sharing these.

At this point in time, I'm working on my SMTP to tighten the security.
Scott Silva, Network Administrator

Commented:
Everything you can add will bump security up a little more...
Or find a spam filtering appliance...
Commented:
Hi all, I'm in the middle of deploying DKIM and TLS, trying to tighten the security... hopefully it can provide better security on email.