badrihippo Posted October 21, 2019
I got a spam email today, ostensibly from myself, claiming to have access to my data. I know they don't, but the email was "sent-by: gmail" and "signed-by: [my domain]" so I'm wondering if they have access to that password. Is there any way to check server logs and see if an email was sent from my account on Sun 20 Oct 2019 17:00:29 (PDT)? I can provide my ID details and the email header if required (don't want to post it on a public forum).

Quick overview of my current setup: I have a "send email" account via cPanel (eg. outgoing@mydomain.me), and several forwarders to my Gmail (alias1@example.me, alias2@mydomain.me). When I'm sending, I send via the outgoing@mydomain.me credentials so that it gets signed etc., but the "from" is alias@mydomain.me. Usually, if someone sends a scam email setting the "from" then it'll say something like "from alias@mydomain.me via gmail.com", but this seems to have been sent from example.me itself, meaning they might actually have server access.
Guest pooks Posted October 21, 2019 (edited)
Spoofing is a thing: https://searchsecurity.techtarget.com/definition/email-spoofing (AMP as I'm on a phone.)
Edited October 21, 2019 by flazepe: AMP is a yikes
badrihippo (Author) Posted October 22, 2019
Thanks. I'm aware of email spoofing, but not sure about the extent to which it could be done. Gmail says "signed by: mydomain.me" in the email details—doesn't that indicate the email actually went through mydomain at some point? Or is there a way to spoof the "signed by" too?

I'm pasting the whole header here but it's pretty messy (forwards go from myself@mydomain.me -> myotheremail@gmail.com -> myemail@gmail.com, for some obscure reason which I should probably fix). Not expecting anyone to go through it all, but are there any hints as to how I could make sense of this? I basically want to satisfy myself that everything here can be spoofed.

Delivered-To: myemail@gmail.com
Received: by 2002:a67:e056:0:0:0:0:0 with SMTP id n22csp3631698vsl; Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
X-Received: by 2002:a17:90a:b391:: with SMTP id e17mr25748522pjr.132.1571616029662; Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1571616029; cv=pass; d=google.com; s=arc-20160816; b=d3gg1WpWGBeVN9rRR8GGxlSAKY7RIdBTl7lzfS4mRBP2fXZ1sRne79QHFW2p7XbfIh Iir/BhL9aox5JISZTezCHpSIICuF+EBJAyaFXxFvMvY4MqNIe9t963xWvtCGaBTNo4Ne hWf3huz6iRo6aWEUVM/9bZlFzo5+EpsD8eDpdiNWlETO98cQ+8KYjK6CvofRQXTUd5rg nytjAfRAYSFoW/6r5mfb3BzWCrf6aKv8F4awJuzB6bc/ObEd7j5/QmS/nR7Fp90osVuC fnFTwS3WeivXyja3xPHFr080IKX3eILqsIytZInmF/NT91k6LGiI6dlmbMc1aNNcuBc7 mYxw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:thread-index:content-transfer-encoding:mime-version :message-id:date:to:from:dkim-signature:delivered-to; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=FHBntMhckROY063EttdiJQmVUNDWlcB3oPuoWdOCqJvTFIwpYJKABPWtUFZbk8UC3j 3fsDcoEuzLjuDs0JftRbaun3mkbrqWrtJcC59RE2sQhv6GxvNvW5w2TaYutDGQFqyk5T odwTWh6SDHDdkU4camntXV1T/5oKEIbea8NbjkF2qLhTSFy/bC6JyBazUgsrTH6vGF/6 NqavOmoItmE/1HsCxWnAHhb31HU7LdEcMlH9mOo2NgRZkHwoHIjzmZ1ddXaTEEM9IAcs 5Mzy76jJFdBw9dGphMZSoBqvtdpfwMEUoMr/sFPgufJcvQTgLVbGyHMaF6zd2f/EWKAl Lsug==
ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ; arc=pass (i=1 spf=pass spfdomain=mydomain.me dkim=pass dkdomain=mydomain.me); spf=pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom="myotheremail+caf_=myemail=gmail.com@gmail.com"
Return-Path: <myotheremail+caf_=myemail=gmail.com@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id k3sor5206526plt.5.2019.10.20.17.00.28 for <myemail@gmail.com> (Google Transport Security); Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com; dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ; arc=pass (i=1 spf=pass spfdomain=mydomain.me dkim=pass dkdomain=mydomain.me); spf=pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom="myotheremail+caf_=myemail=gmail.com@gmail.com"
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:delivered-to:dkim-signature:from:to:date :message-id:mime-version:content-transfer-encoding:thread-index :subject; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=tAIh3Wif9WO6z7buxRRtN5R+yZtHg902bDj0qhP+jIadeQOVlQQxiMd1MG0yrhJb4g OPWIXRU9E5QC4jQ9ozkYlVXbvFBo32/Mg0rNtt0THLl2te4MwtkOlJdxwi6WRKyJupd4 yrqrvedMBxrIAmfSmdNpChNa8wjprtUG2w84+KFspbnfRwu22OlyUExyiDYqAUV3byRK ktBMpXWy0QJQLxC7xIE1GFuwWa2WK2B1SSIUlyD/2xPPybQbjmrj09fu1DgQRcbCqKzN h/JLkBtzyMJUgBRGYCwPS+/LfnGIUdFm33ME1f4ev9ZvaqH1X7vXmIFadsyHjxX+wxrJ cp0Q==
X-Gm-Message-State: APjAAAX8cHavL9XjbtCoAo5sDSz8k4iOdo+3NqF3fwyQgupxmDzF1mjO Vb8Ix5RC47OQxbbImZusmHLsdlypQZquNP+il14wc5nDmYggkxo=
X-Received: by 2002:a17:902:968f:: with SMTP id n15mr21395732plp.191.1571616028625; Sun, 20 Oct 2019 17:00:28 -0700 (PDT)
X-Forwarded-To: myemail@gmail.com
X-Forwarded-For: myotheremail@gmail.com myemail@gmail.com
Delivered-To: myotheremail@gmail.com
Received: by 2002:a17:90a:8b07:0:0:0:0 with SMTP id y7csp3685898pjn; Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz0NdzCfEJU8MRGTLqjbIkR5hTodUpoaS66VHt4/HfH8mIfK7xoCgUcCv/kuBAfQD2ezm/5
X-Received: by 2002:a63:cb4c:: with SMTP id m12mr9626899pgi.58.1571616027608; Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571616027; cv=none; d=google.com; s=arc-20160816; b=rv/CpcR9ueqQYllVSXOEd/Iu1VFh5QmsHHMTtqSf92FXpXLCY7M5xvIXBhTCOF0tBi UOqA5dY17Ryi4GEbC6X6tgnQlNSP0xSpgoiLjBu6vmnupIgUlkLEGlVn47d9mpYeiYxU v8A0/5HfEJJ6vRo2wkF00fAXZ3KgQq52UtnwobqrhRLV53K4guQPjdjlmihh77k4TgSP lu9n1IYJBm7A+Xp/avkMvrzR5j2Pjt54I9BWikjVlfp/TiofbpKL1X391Fjg9EInuSrr w6PfWK6WzogSpCTrduKoKRBGalNQnaNkpPdMzoc+zVcK7LEbASU2InaZ+J7ZPNhAfaZa SJTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:thread-index:content-transfer-encoding:mime-version :message-id:date:to:from:dkim-signature; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=S2zQNAsFd26imXO6fzRZqPe+JnzT+m+S6RxOgJ14I3pK+L/qx38Hq0RtDcAbHtZr1X sOMm1rklmm+6fG6y32qIy5FNnxV9jrrhQbi7sBkUgoDV4w+NNRraEuhfVVTKctfuaFqU +FHcjKdlUEHiJUqCY1VCiDO2aiPbujlpZR926SvJbJC2V4qatZ8zSQTk7iPP7NviOT8j nfaWuXVvw1t0ggwfLI0rAZ28/RooIRln2VCU2+u2nLGFdneeZApV/UsWpaJrDvbWWKNe 7UKUhqvr7Gx+wFEEfcYjoMp1g4dDeQP53slkPMyS6VYLlZHWZkZ+qESFsOufT0W9TE07 iksA==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ; spf=pass (google.com: domain of myself@mydomain.me designates 65.19.143.6 as permitted sender) smtp.mailfrom=myself@mydomain.me
Return-Path: <myself@mydomain.me>
Received: from tommy.heliohost.org (tommy.heliohost.org. [65.19.143.6]) by mx.google.com with ESMTPS id t21si14112972pfh.172.2019.10.20.17.00.26 for <myotheremail@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of myself@mydomain.me designates 65.19.143.6 as permitted sender) client-ip=65.19.143.6;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.me; s=default; h=Subject:Content-Transfer-Encoding:Content-Type:MIME-Version: Message-ID:Date:To:From:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=Zr2vxWeJm7Zy7d3K0jmcv/U9jh NCf+mVIAxRV3jNDPF/l76iGxnncKOBDHNvSC0HCpUUWPy+r7cMICW6UhwadZOIgWifm/e5Uk0BG5L GT1wfLlmwIS2D7pIHCgXqyMVli64p1zZ4t24FFOsUrs2ceaPKbT3w89OuDu+pxrDPH9+DFdAZkWgB NAgwQnWR7X+IOfYSaZ7mU5omorSS3hWIGFXZUsXlmTaDZtoj6oTDlvvewfnelQJf0lS9uNV9huzvn qEoQAO7X4q5n40FdTm4S/cIeFAjp6ewFTD51o5fmifK095Ke1p6/blB8ec4/I1M+vmyRXDUaGUTsA K6L8Dn5A==;
Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org with esmtp (Exim 4.92) (envelope-from <myself@mydomain.me>) id 1iML7X-000Wak-Rw for myself@mydomain.me; Mon, 21 Oct 2019 00:00:26 +0000
From: <myself@mydomain.me>
To: <myself@mydomain.me>
Date: 20 Oct 2019 18:42:43 -0300
Message-ID: <001301d58791$05c2c4ce$81ecb9aa$@mydomain.me>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acf6ns9giqwc2mwhf6ns9giqwc2tyc==
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
X-Spam-Status: Yes, score=45.3
X-Spam-Score: 453
X-Spam-Bar: +++++++++++++++++++++++++++++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system "tommy.heliohost.org", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
  Content preview: Hi, dear user of mydomain.me [excerpt of random threatening message I know is a bluff]
  Content analysis details: (45.3 points, 5.0 required)
  pts rule name description
  ---- ---------------------- --------------------------------------------------
  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [189.18.165.106 listed in zen.spamhaus.org]
  4.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
  0.4 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
  0.0 TVD_RCVD_IP Message was received from an IP address
  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/ [189.18.165.106 listed in bl.score.senderscore.com]
  2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [189.18.165.106 listed in psbl.surriel.com]
  6.2 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) [189.18.165.106 listed in bl.mailspike.net]
  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <https://www.spamcop.net/bl.shtml?189.18.165.106>]
  1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
  5.0 BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
  2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
  3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
  2.5 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
  3.4 BITCOIN_SPAM_07 BitCoin spam pattern 07
  2.5 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
  2.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
  1.4 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
  0.4 NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
X-Spam-Flag: YES
Subject: ***SPAM*** Frauders known your old passwords. Access data must be changed.
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tommy.heliohost.org
X-AntiAbuse: Original Domain - mydomain.me
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mydomain.me
X-Get-Message-Sender-Via: tommy.heliohost.org: redirect/forwarder owner myself@mydomain.me -> myotheremail@gmail.com
X-Authenticated-Sender: tommy.heliohost.org: myself@mydomain.me
X-Source:
X-Source-Args:
X-Source-Dir:

Hi, dear user of mydomain.me [Random threatening message which I know is a bluff]

Thanks in advance!
badrihippo (Author) Posted October 22, 2019
Update: just noticed the "sender does not match SPF record" in the X-Spam-Report! So maybe Tommy's spam filters caught it @mydomain, but then it was auto-forwarded to Gmail with a new SPF record, which did match, so Gmail didn't notice the discrepancy and marked it as properly signed? Is that a possibility?
wolstech Posted October 22, 2019
Your account is most definitely not the source, just the recipient. The DKIM will be valid because of the forwarders (both Tommy and Gmail re-signed as the mail went from mailbox to mailbox). The originating server did not sign the email. Also, the Tommy spam filter correctly identified it as spam. I would suggest adding a rule to the Tommy filter to discard spam (as opposed to just tagging and delivering it) above a certain score to block these.

The email source is actually:

Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org

The domain telesp.net.br has no valid content, but Googling shows it belongs to an ISP and is used as a domain for the DNS zones of a dynamic IP address block (further backed up by the dsl subdomain). From the looks of it, some random person using that ISP either has malware and his computer is unknowingly spewing spam, or he's intentionally running a spambot on his own (or a backdoored) PC. The IP address shown is blacklisted by most major spam blacklists as a known source of abuse.
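The header walk wolstech describes, and the SPF question in the post before it, as an added example that is not code from this thread or from HelioHost. It parses a condensed copy of the header posted above (the base64 signature bodies are cut down and fields that play no part are dropped, so the sample is constructed, not the verbatim header), lists the Received hops in transit order, picks out the originating IP, and works out which host added the d=mydomain.me DKIM signature purely from header order: a relay prepends its own headers, so the signature it adds on the way out sits directly above the Received line it wrote on the way in. It also shows that Gmail's Received-SPF lines only ever cover the immediate client of each hop (the forwarder's IP), while the relay's own SPF verdict for the real origin survives only in the X-Spam-Report rule list. The function names are mine.

```python
"""Walk a forwarded message's Received chain: where did it enter, and who signed it?

Added example, not code from this thread or from HelioHost. SAMPLE_HEADERS is a
constructed, condensed copy of the header posted above (signature bodies cut
down, fields that do not affect the analysis dropped). Top of the block = last hop."""
import email
import json
import re

SAMPLE_HEADERS = """\
Delivered-To: myemail@gmail.com
Authentication-Results: mx.google.com; dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ; arc=pass (i=1 spf=pass spfdomain=mydomain.me dkim=pass dkdomain=mydomain.me); spf=pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom="myotheremail+caf_=myemail=gmail.com@gmail.com"
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id k3sor5206526plt.5.2019.10.20.17.00.28 for <myemail@gmail.com> (Google Transport Security); Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Received: from tommy.heliohost.org (tommy.heliohost.org. [65.19.143.6]) by mx.google.com with ESMTPS id t21si14112972pfh.172.2019.10.20.17.00.26 for <myotheremail@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of myself@mydomain.me designates 65.19.143.6 as permitted sender) client-ip=65.19.143.6;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.me; s=default; h=Subject:Date:To:From; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=Zr2vxWeJ...;
Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org with esmtp (Exim 4.92) (envelope-from <myself@mydomain.me>) id 1iML7X-000Wak-Rw for myself@mydomain.me; Mon, 21 Oct 2019 00:00:26 +0000
From: <myself@mydomain.me>
To: <myself@mydomain.me>
X-Spam-Status: Yes, score=45.3
X-Spam-Report: Spam detection software, running on the system "tommy.heliohost.org", has identified this incoming email as possible spam. 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL 1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 5.0 BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
X-Spam-Flag: YES
Subject: ***SPAM*** Frauders known your old passwords. Access data must be changed.

"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLIENT_IP_RE = re.compile(r"client-ip=(\d{1,3}(?:\.\d{1,3}){3})")
SPF_RULE_RE = re.compile(r"\b(SPF_[A-Z_]+)\b")


def parse_hops(msg):
    """Received hops in transit order (earliest first).

    Only lines with a 'from <helo> (<rdns> [ip]) by <host>' triple count as hops;
    the 'Received: by ...' lines Google adds for internal delivery name no client."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IPV4_RE.search(m.group(2))
        hops.append({"helo": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    hops.reverse()  # headers are prepended, so the bottom Received is the first hop
    return hops


def dkim_signer(msg):
    """Which host added DKIM-Signature, and for which d= domain.

    A relay prepends headers, so the signature it adds when forwarding sits above
    the Received line it wrote when accepting. The 'by' host of the first Received
    line *below* the signature is therefore the signer."""
    domain = None
    for name, value in msg.items():
        if name.lower() == "dkim-signature":
            m = re.search(r"\bd=([^;\s]+)", value)
            domain = m.group(1) if m else "?"
        elif name.lower() == "received" and domain is not None:
            m = RECEIVED_RE.search(value)
            return (m.group(3) if m else None), domain
    return None, domain


def analyse(raw):
    msg = email.message_from_string(raw)
    hops = parse_hops(msg)
    signer, domain = dkim_signer(msg)
    # IPs the final receiver (Gmail) actually ran SPF against: the immediate
    # client of each hop it accepted, never the machine that injected the mail.
    checked = {m.group(1) for m in map(CLIENT_IP_RE.search, msg.get_all("Received-SPF", [])) if m}
    origin = hops[0]
    return {
        "hops": [f'{h["ip"]} -> {h["by"]}' for h in hops],
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        "first_relay": origin["by"],
        "dkim_signer": signer,
        "dkim_domain": domain,
        "receiver_spf_covers_origin": origin["ip"] in checked,
        # the first relay's own SPF verdict for the origin, as SpamAssassin recorded it
        "relay_spf_rules": SPF_RULE_RE.findall(msg.get("X-Spam-Report", "")),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_HEADERS), indent=2))
```

On this sample the origin is 189.18.165.106 handing the mail to tommy.heliohost.org, the d=mydomain.me signature was added by tommy.heliohost.org (the forwarder, not the origin), Gmail's SPF checks cover only 65.19.143.6 and 209.85.220.41, and the only SPF verdict that looked at the real sender is the relay's SPF_SOFTFAIL. The same header-order rule applies to X-Google-DKIM-Signature and ARC-Seal: each sits directly below the Received line of the host that added it. Paste any real header into SAMPLE_HEADERS (keeping RFC 5322 folding or unfolding it onto single lines) to run it against your own mail.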