Email Spam or Hack

CL

ASKER

Recently I received this email.

My Nickname in darknet is ellerey15. I hacked this mailbox.

If you don't believe me, please check the from address in the header; you will see it is sent from your email, from your mailbox.

...


How can I check whether this is spam or whether I really got hacked?

Tags: Exchange, Windows Server 2008


Scott Silva

It is a fake scam that was blasted out this morning. I filtered out dozens of them trying to come in here...
CL

ASKER

I checked the header and SMTP address; it shows the correct email address where it returns.

- Public IP address - my SMTP GW - email server - user mailbox.

- I also checked for open relay; all checks show no open relay.
- I suspect the mailbox password has been compromised; I checked that the email is from an IP, not internal sending.

What else can I verify?
CL

ASKER

@Scott, did you receive a similar email, with a valid SMTP address? I'm not sure how they mask it until it becomes the same address.
CL

ASKER

https://malwaretips.com/threads/email-received-from-supposed-darknet-hacker.87366/

It looks so similar...

I just can't understand why it can use the same email address... not a fake email... or is it masking?
Scott Silva

We only got it because our spam filter has a licensing issue and is letting everything through...

I am waiting for a clean copy to look at from the server to do some digging.
I doubt they did anything unless you have big holes in your system.
Most likely a server set up to relay with spoofed headers.
Brian B

If you could share the header (remove any private info of course), we might be able to help explain.
Scott Silva

Digging in my logs, the emails were probably from a botnet.
I see quite a few different IPs in the mix and most of them triggered our greylisting.

Only a couple made it in, and they were the initial salvo. Many of the sending addresses are now in the CBL blacklist.

They are definitely NOT a hack. We had them sent to dozens of users that have publicly available e-mail addresses and several that either don't exist or are no longer with us... I assume they bought a spam list off the dark web and went phishing...
Scott Silva

You should also see SPF fails on these...
CL

ASKER

On the message header I did an analysis check; here is the output:

Hop  Delay     From                            By                              With                    Time
1    *         103.95.99.162                   smtp.xxxxserver.com             SMTP                    10/17/2018 12:18:43 PM
2    1 minute  smtp.xxxxserver.com 10.x.x.8    EmailServer.local.com 10.x.x.3  Microsoft SMTP Server   10/17/2018 12:19:48 PM


smtp.xxxxserver.com = my SMTP gateway
10.x.x.8 = SMTP gateway internal IP
EmailServer.local.com = email server (Exchange)
10.x.x.3 = internal Exchange server IP
Scott Silva

103.95.99.162 is probably the bot host sending the spam.
CL

ASKER

Hi Scott, maybe. I'm still trying to block the traffic and email coming in. I'm just surprised it is able to mask or send with the correct SMTP address.

How can I block these?
Brian B

Sorry if I missed this, but are you using any sort of RBL? That really helps cut down getting hit from compromised servers.
Scott Silva

RBLs would block this; even SPF checks would help if set up properly...

Even simple checks that look to see if your domain comes from your addresses.

Are you using some sort of spam filters or are you trying to block things after they hit?

They are still trying to hit here but greylisting is stopping almost all of them, and the rest are getting blocked...
The SPF fails are killing them... And they are scoring in spamassassin
CL

ASKER

Hi Brian, I'm using the Symantec Brightmail Gateway in my environment, without DKIM and TLS.

Hi Scott, yes, there is SPF for this matter: v=spf1 a mx ip4:x.x.x.x/27-all

where x.x.x.x is my SMTP gateway public IP address range.
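The checks discussed in this thread (walk the Received chain to the originating IP as in the hop table above, see whether SPF fails for that IP as Scott says it should, and reject mail that claims your own domain but did not come from your gateway range), put together as an added Python example. This is not code from the thread, from Brightmail or from Exchange. The domain example.com, the 10.0.0.x hosts, the 203.0.113.0/27 range and the sample message are constructed stand-ins for the masked values posted above. One caveat the example makes visible: the record exactly as posted, with "ip4:x.x.x.x/27-all" and no space before -all, is not valid SPF syntax, so a receiver would return permerror rather than fail; the second record in the script is the spaced form.

```python
"""Originating-IP walk, offline SPF evaluation and own-domain spoof check.
Added example; hosts, ranges, domain and message are constructed stand-ins."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the posted hop table: the bot host
# 103.95.99.162 handed the message to the gateway, which relayed it to Exchange.
SAMPLE = """\
Received: from smtp.xxxxserver.com (10.0.0.8) by EmailServer.local.com (10.0.0.3)
 with Microsoft SMTP Server; Wed, 17 Oct 2018 12:19:48 +0800
Received: from [103.95.99.162] (unknown [103.95.99.162]) by smtp.xxxxserver.com
 with SMTP; Wed, 17 Oct 2018 12:18:43 +0800
From: victim@example.com
To: victim@example.com
Subject: My Nickname in darknet is ellerey15

I hacked this mailbox.
"""

# Assumed stand-in for the masked x.x.x.x/27 gateway range in the posted record.
GATEWAY_NET = ipaddress.ip_network("203.0.113.0/27")
# Hops written by our own hosts: internal RFC 1918 space plus the gateway range.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), GATEWAY_NET]
# As posted there is no space before -all; the second form is what SPF requires.
SPF_AS_POSTED = "v=spf1 a mx ip4:203.0.113.0/27-all"
SPF_FIXED = "v=spf1 a mx ip4:203.0.113.0/27 -all"

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """IP on the 'from' side of each Received header, most recent hop first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(hdr.split())            # unfold continuation lines
        from_clause = text.split(" by ")[0]     # drop the 'by ... with ...' part
        m = IPV4.search(from_clause)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(hops, trusted):
    """First hop, walking outward from our servers, not handed over by one of
    our own hosts. Received lines below that boundary were written by the
    sender and can be forged, so the walk stops there."""
    for ip in hops:
        if ip and not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None


def check_spf(record, ip, resolved=None):
    """Minimal offline SPF evaluation: ip4/ip6/all directly, a/mx answered from
    a caller-supplied dict standing in for DNS. A real receiver evaluates the
    envelope MAIL FROM domain's record, not the From: header."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    resolved = resolved or {}
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                return qualifiers[qual]
            if name in ("ip4", "ip6"):
                if addr in ipaddress.ip_network(arg, strict=False):
                    return qualifiers[qual]
            elif name in ("a", "mx"):
                if ip in resolved.get(name, ()):
                    return qualifiers[qual]
            else:
                return "permerror"      # include/exists/redirect need real DNS
        except ValueError:
            return "permerror"          # "ip4:203.0.113.0/27-all" is not a network
    return "neutral"


def spoofs_our_domain(raw, our_domain, origin_ip, our_ranges):
    """The simple edge check: a From: in our own domain that arrived from an IP
    outside our gateway range is spoofed and can be rejected."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    addr = ipaddress.ip_address(origin_ip)
    return domain == our_domain.lower() and not any(addr in n for n in our_ranges)


if __name__ == "__main__":
    origin = originating_ip(received_hops(SAMPLE), TRUSTED)
    print("origin:", origin)
    print("SPF as posted:", check_spf(SPF_AS_POSTED, origin))
    print("SPF fixed:", check_spf(SPF_FIXED, origin))
    print("spoofs our domain:", spoofs_our_domain(SAMPLE, "example.com", origin, [GATEWAY_NET]))
```

Run as a script it reports the bot host as the origin, permerror for the record as posted, fail for the spaced record, and True for the own-domain check. The a and mx mechanisms only match addresses passed in the optional dict, because the example deliberately makes no DNS queries; a gateway such as Brightmail resolves them for real.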
austin minor

Last week I received exactly the same email with my password (which I used years ago). Unless you have some other indication that your account has been compromised, it is just spam made to look like it was sent from your account to yourself, and can be deleted. Use "Have I Been Pwned" to check breach status.

Check a few more suggestions here in my post: https://www.experts-exchange.com/questions/29121191/Personal-Account-Security-Issue.html
CL

ASKER

Hi Austin, thanks for sharing these.

At this point in time, I'm working on my SMTP to tighten the security.
Scott Silva

Everything you can add will bump security up a little more...
Or find a spam filtering appliance...
ASKER CERTIFIED SOLUTION

CL