Ingo Brown
asked on
Email Spoofing
Dear all.
I have a query from a client who said they received an email from themselves.
I can see that the sender was from a sender called "rj@stupidartist.com".
What would be the preferred course of action to take from here?
AV on my client's machine is up to date.
There is a super complex password on his mailbox.
This is a Microsoft 365 email address.
Below is the copied description of the email properties.
Any thoughts or suggestions are most welcome.
Received: from winhexbeeu58.win.mail (10.76.23.59) by winhexbeeu57.win.mail
(10.76.18.61) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Mailbox
Transport; Tue, 29 Jan 2019 10:37:54 +0100
Received: from WINHEXFEEU6.win.mail (10.72.16.13) by winhexbeeu58.win.mail
(10.76.23.59) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 29 Jan
2019 10:37:53 +0100
Received: from mout-xforward.kundenserver.de (82.165.159.6) by
WINHEXFEEU6.win.mail (217.160.154.197) with Microsoft SMTP Server (TLS) id
15.0.1367.3 via Frontend Transport; Tue, 29 Jan 2019 10:37:53 +0100
Received: from [212.227.15.41] ([212.227.15.41]) by mx.kundenserver.de
(mxeue011 [212.227.15.41]) with ESMTPS (Nemesis) id 1MOzng-1gVktR0bJk-00PLoa
for <e678993856@1.exchange.1and1.eu>; Tue, 29 Jan 2019 10:37:53 +0100
Received: from cp-ny02.wswcp.net ([67.55.96.4]) by mx.kundenserver.de
(mxeue011 [212.227.15.41]) with ESMTPS (Nemesis) id 1Mowvu-1hW0BL0bHC-00qTM6
for <tim@brightym.com>; Tue, 29 Jan 2019 10:37:53 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=stupidartist.com; s=default; h=Message-ID:Subject:To:From:Date:MIME-Version
:Content-Type:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=51gKoln/5n6slmhF7Tw649wFIfncfg7XGvq2/qkHDJ0=; b=MYgenOE3z+fDCNJk02XgfIfHLj
gq96jk9lq+epMsJIXP/A0NZcCbeWmDe8xH4O8amIr5D2PiRfBva0f3aX2RkDVL718AiufohJKW17D
tTfBLpShdkQUWO0UeLdp/0EJf+OIfJVVCUd2/jgbyrDaJJ4rIc0r3wcu8TtAevQRalkU4NL/tOaUP
cqspd770nUuFUET1SsXylPKYt+BsBzJ4NGJVUk+Z/fbgjDPBHLrg14MMKjYE4dc8lrEDU+YWwxIWa
evRmcdMhCC1KQ3ciOid+UHPaJT6uG2+toDfg1Wh8mtylAfhRMr/+xWX+/oGibLt1UHU1WPzvKGJA+
NtHFdLQg==;
Received: from [14.161.17.151] (port=59280 helo=Vakebsan)
by cp-ny02.wswcp.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <tim@brightym.com>)
id 1goPq2-0001Nh-Tl
for tim@brightym.com; Tue, 29 Jan 2019 04:37:51 -0500
Content-Type: multipart/alternative; boundary="Y7MENG9UFN"
MIME-Version: 1.0
Date: Tue, 29 Jan 2019 09:37:49 -0000
From: tim@brightym.com
To: tim@brightym.com
Subject: This account has been hacked! Change your password right now!
Message-ID: <154359836.02860678553313@brightym.com>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cp-ny02.wswcp.net
X-AntiAbuse: Original Domain - brightym.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - brightym.com
X-Get-Message-Sender-Via: cp-ny02.wswcp.net: authenticated_id: rj@stupidartist.com
X-Authenticated-Sender: cp-ny02.wswcp.net: rj@stupidartist.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Flag: YES
X-UI-Out-Filterresults: junk:10;V03:K0:9zjqio6dw7U=:xjyI4CGR8/kZdAKp19HikCYf
Return-Path: tim@brightym.com
X-MS-Exchange-Organization-Network-Message-Id: 9f216299-bf4a-49e9-105f-08d685cd715e
X-1and1-Spam-Score: 10/10
X-1and1-Spam-Level: High
X-1and1-Expurgate-Category: spam
X-Provags-ID: V02::ZqRNlDirsHfXIiGIVDkPY2qXDEf0MQIfB+2R9XKzGfhYp
G4Iztfx9tGAjEh8hPytzNBZgvzjt6JGsG+HxwRsHnrJCs1wGuy
xo5Hx4v/Mu5G8n9nDIYi+jafJBS/GbLsciex+HbM+qvqJfNj8Q
zsj1zUteZgRyUiUbU9b+kNWDO8NZeovl0PQ0S+rWFa5aXRr
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-SCL: 9
X-MS-Exchange-Organization-AuthSource: winhexfeeu6.win.mail
X-MS-Exchange-Organization-AuthAs: Anonymous
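The headers above already contain the answer to "who really sent this": the message was submitted to cp-ny02.wswcp.net from 14.161.17.151 by an account that authenticated as rj@stupidartist.com, while both the From header and the envelope sender were set to tim@brightym.com. The Python script below is an added example, not part of the original thread, that extracts those facts from a header block automatically. It runs against a constructed, trimmed copy of the headers quoted in the question (folding whitespace restored), makes no network calls, and reports the mismatches a defender would look for.

```python
import re
from email import policy
from email.parser import Parser

# Constructed sample: a trimmed copy of the headers quoted in the question, with
# the folding whitespace restored so a standard parser can read it.
SAMPLE_HEADERS = """\
Received: from mout-xforward.kundenserver.de (82.165.159.6) by
 WINHEXFEEU6.win.mail (217.160.154.197) with Microsoft SMTP Server (TLS) id
 15.0.1367.3 via Frontend Transport; Tue, 29 Jan 2019 10:37:53 +0100
Received: from cp-ny02.wswcp.net ([67.55.96.4]) by mx.kundenserver.de
 (mxeue011 [212.227.15.41]) with ESMTPS (Nemesis) id 1Mowvu-1hW0BL0bHC-00qTM6
 for <tim@brightym.com>; Tue, 29 Jan 2019 10:37:53 +0100
Received: from [14.161.17.151] (port=59280 helo=Vakebsan)
 by cp-ny02.wswcp.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91)
 (envelope-from <tim@brightym.com>)
 id 1goPq2-0001Nh-Tl
 for tim@brightym.com; Tue, 29 Jan 2019 04:37:51 -0500
From: tim@brightym.com
To: tim@brightym.com
Subject: This account has been hacked! Change your password right now!
X-Authenticated-Sender: cp-ny02.wswcp.net: rj@stupidartist.com
X-Spam-Flag: YES
X-MS-Exchange-Organization-SCL: 9

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Extract the sending host, its IP, its HELO name and the receiving host
    from one Received header. Returns None for lines without 'from ... by ...'."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = re.match(r"from (?P<src>.+?) by (?P<by>\S+)", flat)
    if not m:
        return None
    src = m.group("src")
    ip = IPV4.search(src)
    helo = re.search(r"helo=([^\s)]+)", src)
    return {
        "from": src.split(" ", 1)[0].strip("[]"),
        "ip": ip.group(0) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": m.group("by"),
    }


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased; None if there is none."""
    addr = (addr or "").strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def analyze(raw_headers):
    """Summarise who really submitted a message versus who it claims to be from."""
    msg = Parser(policy=policy.default).parsestr(raw_headers, headersonly=True)
    received = [str(v) for v in msg.get_all("Received", [])]

    # Each relay prepends its own Received header, so the LAST one is the hop
    # closest to the machine that originated the message.
    hops = [h for h in map(parse_received, received) if h]
    origin = hops[-1] if hops else None

    envelope_from = None
    for v in received:
        m = re.search(r"envelope-from\s*<?([^>\s;)]+)", v)
        if m:
            envelope_from = m.group(1)
            break

    auth = msg.get("X-Authenticated-Sender")
    authenticated_as = auth.rsplit(":", 1)[-1].strip() if auth else None
    header_from = str(msg.get("From") or "").strip()
    header_to = str(msg.get("To") or "").strip()

    findings = []
    if authenticated_as and domain_of(authenticated_as) != domain_of(header_from):
        findings.append(
            f"submitting server authenticated {authenticated_as}, yet From claims "
            f"{header_from}: the From header is sender-supplied, not verified")
    if header_from and header_from == header_to:
        findings.append("self-addressed message (From == To)")
    if not msg.get("Authentication-Results") and not msg.get("Received-SPF"):
        findings.append("no SPF/DKIM verdict recorded for the From domain: "
                        "publish an SPF record so receivers can reject this")
    if str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES":
        findings.append("already flagged as spam upstream")

    return {
        "header_from": header_from,
        "header_to": header_to,
        "envelope_from": envelope_from,
        "authenticated_as": authenticated_as,
        "origin": origin,
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    print(f"From header      : {report['header_from']}")
    print(f"Authenticated as : {report['authenticated_as']}")
    print(f"Originating hop  : {report['origin']}")
    for finding in report["findings"]:
        print(" -", finding)
```

The point the output makes: nothing in the From or To line was checked by anyone. The only verified identity in the whole chain is the X-Authenticated-Sender value recorded by the submitting server, and it belongs to a different domain altogether. Hops further up the chain (kundenserver.de, the Exchange front end) only tell you how the message travelled after it was already forged.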
Have you implemented Spam Filtering? This works for me.
"What would be the preferred course of action to take from here?"
You can't stop the behavior - anyone can send an e-mail that looks on the surface as if it came from anyone else. It's as easy as me using your name and address as the return address on snail mail.
These can be ignored, but as noted above, they can sometimes be suppressed by spam filtering or using realtime blacklists.
Explain to them what's going on - if they own a business domain then they could set up SPF & DKIM to reduce the risk of recurrence (SPF can allow email systems to check that an email actually comes from the IP address of the domain it claims to) but with most spam campaigns if you ride it out over a month or so it will probably come to a natural conclusion as spammers lists are updated and they move on to other targets. Bear in mind that other users on the same domain may have been targeted - if this isn't a personal account - and they may need advice too.
You make 2x assertions.
1) I have a query from a client who said they received an email from themselves.
2) I can see that the sender was from a sender called "rj@stupidartist.com".
These are incongruent. If #1 is true, then #2 is false.
Fix for #1 - set up correct SPF records.
Fix for #2 - set up SPAM filtering.
Top notch spam filtering works really well for me. That stops the vast majority of the spoofed emails.
ASKER
Thanks everybody for all your comments so far
@John - I'll look into the spam filter settings, but my gut feeling says it should not even be allowed to get out. The sending of the mail should fail at source, but I agree there can be no harm in hardening the SPAM filter settings. I'll look into that and revert.
@Paul - Blacklists might be tricky and require maintenance?
@MASQ - I like where you're going here. I've been reading those links and will try it out on my domain first. Using the tools I can see I have problems too. I guess once the SPF and DKIM entries and keys are entered and made respectively, a domain is generally better protected? It's the best one can do for the time being (even if the spammers update their heuristics in the future)?
@Paul - I had to google the word "incongruent" :-) I think you're bang on with the SPF records suggestion. I'm on it now. Thanks to you too. I will revert.
but my gut feeling says it should not even be allowed to get out.
The spoofing is likely not coming from within your company
You said, "I'll look into the spam filter settings, but my gut feeling says it should not even be allowed to get out. The sending of the mail should fail at source, but I agree there can be no harm in hardening the SPAM filter settings. I'll look into that and revert."
This is only true if email is being forged from inside your infrastructure.
You only have control over email your infrastructure sends.
This will never be true for the majority of forged email, which can be sent by anyone... anywhere... anytime...
ASKER
Gents
When I use an SPF checking tool on my own domain, I get the following report:
Checking to see if there is a valid SPF record.
Found v=spf1 record for deep-data.es:
v=spf1 include:spf.protection.outlook.com -all
When I check my client's domain, I get:
SPF record lookup and validation for: brightym.com
SPF records are published in DNS as TXT records.
The TXT records found for your domain are:
Checking to see if there is a valid SPF record.
No valid SPF record found of either type TXT or type SPF.
As my client uses Office 365 as their email host, does that mean I can add the same SPF record into his mail host's records, replacing deep-data.es with brightym.com?
In a word, yes.
Set up SPF with any IP they use and additionally include the outlook.com record.
And make sure your own server trashes whatever incoming mail does not validate SPF.
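To make the SPF advice in this thread concrete, here is an added example (not code from the thread, from Microsoft, or from any SPF library) that evaluates a `v=spf1` record the way a receiving server does, restricted to the `ip4`, `ip6`, `include` and `all` terms (no `a`, `mx`, `ptr`, `exists` or `redirect`). It consults a constructed in-memory stand-in for DNS instead of the network, so it runs offline. The Office 365 `ip4` ranges inside it are illustrative placeholders and not the real contents of spf.protection.outlook.com; the record for brightym.com is the one proposed above, and the test IP 14.161.17.151 is the originating address from the headers quoted earlier in the thread.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access).  The ranges
# under spf.protection.outlook.com are ILLUSTRATIVE placeholders, not the real
# record; resolve the live record when you build a production policy.
FAKE_DNS = {
    "brightym.com": "v=spf1 include:spf.protection.outlook.com -all",
    "deep-data.es": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com":
        "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 -all",
    # A domain whose include target has no record: a permanent error per RFC 7208.
    "broken.example": "v=spf1 include:missing.example ~all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap on include/a/mx/ptr/exists
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns, _lookups=None):
    """Evaluate a simplified SPF policy for `ip` sending as `domain`.

    Supports ip4/ip6/include/all only.  Returns one of:
    pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]  # shared counter across nested includes
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # nothing published: receivers have nothing to enforce
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(ip, arg, dns, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include only mean "no match here"
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    origin_ip = "14.161.17.151"  # originating hop from the headers in the thread
    no_record = {}               # the client's domain before any SPF is published
    print("before:", check_spf(origin_ip, "brightym.com", no_record))
    print("after :", check_spf(origin_ip, "brightym.com", FAKE_DNS))
    print("o365  :", check_spf("40.92.1.1", "brightym.com", FAKE_DNS))
```

With no record published the verdict for the forged message is `none`, which gives the receiving server nothing to act on; with `include:spf.protection.outlook.com -all` in place the same message evaluates to `fail`, which a receiver that enforces SPF can reject or junk. A record ending in `~all` would only produce `softfail`, which most receivers treat as a spam-score input rather than grounds for rejection. Any other system that legitimately sends as the domain (a web server, a marketing service) must be added as its own `ip4:` or `include:` term before switching to `-all`, or its mail will be the thing that gets rejected.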