
Did someone access my email?


badrihippo


I got a spam email today, ostensibly from myself, claiming to have access to my data. I know they don't, but the email was "sent-by: gmail" and "signed-by: [my domain]" so I'm wondering if they have access to that password. Is there any way to check server logs and see if an email was sent from my account on Sun 20 Oct 2019 17:00:29 (PDT)?

 

I can provide my ID details and the email header if required (don't want to post it on a public forum).

 

Quick overview of my current setup: I have a "send email" account via cPanel (e.g. outgoing@mydomain.me), and several forwarders to my Gmail (alias1@example.me, alias2@mydomain.me). When I'm sending, I send via the outgoing@mydomain.me credentials so that it gets signed etc., but the "from" is alias@mydomain.me. Usually, if someone sends a scam email setting the "from", then it'll say something like "from alias@mydomain.me via gmail.com", but this seems to have been sent from example.me itself, meaning they might actually have server access.


Thanks. I'm aware of email spoofing, but not sure about the extent to which it could be done.

 

Gmail says "signed by: mydomain.me" in the email details—doesn't that indicate the email actually went through mydomain at some point? Or is there a way to spoof the "signed by" too?

 

I'm pasting the whole header here but it's pretty messy (forwards go from myself@mydomain.me -> myotheremail@gmail.com -> myemail@gmail.com, for some obscure reason which I should probably fix). Not expecting anyone to go through it all, but are there any hints as to how I could make sense of this? I basically want to satisfy myself that everything here can be spoofed.

Delivered-To: myemail@gmail.com
Received: by 2002:a67:e056:0:0:0:0:0 with SMTP id n22csp3631698vsl;
        Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
X-Received: by 2002:a17:90a:b391:: with SMTP id e17mr25748522pjr.132.1571616029662;
        Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1571616029; cv=pass;
        d=google.com; s=arc-20160816;
        b=d3gg1WpWGBeVN9rRR8GGxlSAKY7RIdBTl7lzfS4mRBP2fXZ1sRne79QHFW2p7XbfIh
         Iir/BhL9aox5JISZTezCHpSIICuF+EBJAyaFXxFvMvY4MqNIe9t963xWvtCGaBTNo4Ne
         hWf3huz6iRo6aWEUVM/9bZlFzo5+EpsD8eDpdiNWlETO98cQ+8KYjK6CvofRQXTUd5rg
         nytjAfRAYSFoW/6r5mfb3BzWCrf6aKv8F4awJuzB6bc/ObEd7j5/QmS/nR7Fp90osVuC
         fnFTwS3WeivXyja3xPHFr080IKX3eILqsIytZInmF/NT91k6LGiI6dlmbMc1aNNcuBc7
         mYxw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:thread-index:content-transfer-encoding:mime-version
         :message-id:date:to:from:dkim-signature:delivered-to;
        bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=;
        b=FHBntMhckROY063EttdiJQmVUNDWlcB3oPuoWdOCqJvTFIwpYJKABPWtUFZbk8UC3j
         3fsDcoEuzLjuDs0JftRbaun3mkbrqWrtJcC59RE2sQhv6GxvNvW5w2TaYutDGQFqyk5T
         odwTWh6SDHDdkU4camntXV1T/5oKEIbea8NbjkF2qLhTSFy/bC6JyBazUgsrTH6vGF/6
         NqavOmoItmE/1HsCxWnAHhb31HU7LdEcMlH9mOo2NgRZkHwoHIjzmZ1ddXaTEEM9IAcs
         5Mzy76jJFdBw9dGphMZSoBqvtdpfwMEUoMr/sFPgufJcvQTgLVbGyHMaF6zd2f/EWKAl
         Lsug==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ;
       arc=pass (i=1 spf=pass spfdomain=mydomain.me dkim=pass dkdomain=mydomain.me);
       spf=pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom="myotheremail+caf_=myemail=gmail.com@gmail.com"
Return-Path: <myotheremail+caf_=myemail=gmail.com@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id k3sor5206526plt.5.2019.10.20.17.00.28
        for <myemail@gmail.com>
        (Google Transport Security);
        Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ;
       arc=pass (i=1 spf=pass spfdomain=mydomain.me dkim=pass dkdomain=mydomain.me);
       spf=pass (google.com: domain of myotheremail+caf_=myemail=gmail.com@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom="myotheremail+caf_=myemail=gmail.com@gmail.com"
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:delivered-to:dkim-signature:from:to:date
         :message-id:mime-version:content-transfer-encoding:thread-index
         :subject;
        bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=;
        b=tAIh3Wif9WO6z7buxRRtN5R+yZtHg902bDj0qhP+jIadeQOVlQQxiMd1MG0yrhJb4g
         OPWIXRU9E5QC4jQ9ozkYlVXbvFBo32/Mg0rNtt0THLl2te4MwtkOlJdxwi6WRKyJupd4
         yrqrvedMBxrIAmfSmdNpChNa8wjprtUG2w84+KFspbnfRwu22OlyUExyiDYqAUV3byRK
         ktBMpXWy0QJQLxC7xIE1GFuwWa2WK2B1SSIUlyD/2xPPybQbjmrj09fu1DgQRcbCqKzN
         h/JLkBtzyMJUgBRGYCwPS+/LfnGIUdFm33ME1f4ev9ZvaqH1X7vXmIFadsyHjxX+wxrJ
         cp0Q==
X-Gm-Message-State: APjAAAX8cHavL9XjbtCoAo5sDSz8k4iOdo+3NqF3fwyQgupxmDzF1mjO Vb8Ix5RC47OQxbbImZusmHLsdlypQZquNP+il14wc5nDmYggkxo=
X-Received: by 2002:a17:902:968f:: with SMTP id n15mr21395732plp.191.1571616028625;
        Sun, 20 Oct 2019 17:00:28 -0700 (PDT)
X-Forwarded-To: myemail@gmail.com
X-Forwarded-For: myotheremail@gmail.com myemail@gmail.com
Delivered-To: myotheremail@gmail.com
Received: by 2002:a17:90a:8b07:0:0:0:0 with SMTP id y7csp3685898pjn;
        Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz0NdzCfEJU8MRGTLqjbIkR5hTodUpoaS66VHt4/HfH8mIfK7xoCgUcCv/kuBAfQD2ezm/5
X-Received: by 2002:a63:cb4c:: with SMTP id m12mr9626899pgi.58.1571616027608;
        Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571616027; cv=none;
        d=google.com; s=arc-20160816;
        b=rv/CpcR9ueqQYllVSXOEd/Iu1VFh5QmsHHMTtqSf92FXpXLCY7M5xvIXBhTCOF0tBi
         UOqA5dY17Ryi4GEbC6X6tgnQlNSP0xSpgoiLjBu6vmnupIgUlkLEGlVn47d9mpYeiYxU
         v8A0/5HfEJJ6vRo2wkF00fAXZ3KgQq52UtnwobqrhRLV53K4guQPjdjlmihh77k4TgSP
         lu9n1IYJBm7A+Xp/avkMvrzR5j2Pjt54I9BWikjVlfp/TiofbpKL1X391Fjg9EInuSrr
         w6PfWK6WzogSpCTrduKoKRBGalNQnaNkpPdMzoc+zVcK7LEbASU2InaZ+J7ZPNhAfaZa
         SJTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:thread-index:content-transfer-encoding:mime-version
         :message-id:date:to:from:dkim-signature;
        bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=;
        b=S2zQNAsFd26imXO6fzRZqPe+JnzT+m+S6RxOgJ14I3pK+L/qx38Hq0RtDcAbHtZr1X
         sOMm1rklmm+6fG6y32qIy5FNnxV9jrrhQbi7sBkUgoDV4w+NNRraEuhfVVTKctfuaFqU
         +FHcjKdlUEHiJUqCY1VCiDO2aiPbujlpZR926SvJbJC2V4qatZ8zSQTk7iPP7NviOT8j
         nfaWuXVvw1t0ggwfLI0rAZ28/RooIRln2VCU2+u2nLGFdneeZApV/UsWpaJrDvbWWKNe
         7UKUhqvr7Gx+wFEEfcYjoMp1g4dDeQP53slkPMyS6VYLlZHWZkZ+qESFsOufT0W9TE07
         iksA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ;
       spf=pass (google.com: domain of myself@mydomain.me designates 65.19.143.6 as permitted sender) smtp.mailfrom=myself@mydomain.me
Return-Path: <myself@mydomain.me>
Received: from tommy.heliohost.org (tommy.heliohost.org. [65.19.143.6])
        by mx.google.com with ESMTPS id t21si14112972pfh.172.2019.10.20.17.00.26
        for <myotheremail@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of myself@mydomain.me designates 65.19.143.6 as permitted sender) client-ip=65.19.143.6;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.me;
     s=default; h=Subject:Content-Transfer-Encoding:Content-Type:MIME-Version: Message-ID:Date:To:From:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=86xW1/5gFPKtL1yqGX8BUniDPjrrBK/lP/Gdca3ESBY=; b=Zr2vxWeJm7Zy7d3K0jmcv/U9jh NCf+mVIAxRV3jNDPF/l76iGxnncKOBDHNvSC0HCpUUWPy+r7cMICW6UhwadZOIgWifm/e5Uk0BG5L GT1wfLlmwIS2D7pIHCgXqyMVli64p1zZ4t24FFOsUrs2ceaPKbT3w89OuDu+pxrDPH9+DFdAZkWgB NAgwQnWR7X+IOfYSaZ7mU5omorSS3hWIGFXZUsXlmTaDZtoj6oTDlvvewfnelQJf0lS9uNV9huzvn qEoQAO7X4q5n40FdTm4S/cIeFAjp6ewFTD51o5fmifK095Ke1p6/blB8ec4/I1M+vmyRXDUaGUTsA K6L8Dn5A==;
Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org with esmtp (Exim 4.92) (envelope-from <myself@mydomain.me>) id 1iML7X-000Wak-Rw for myself@mydomain.me; Mon, 21 Oct 2019 00:00:26 +0000
From: <myself@mydomain.me>
To: <myself@mydomain.me>
Date: 20 Oct 2019 18:42:43 -0300
Message-ID: <001301d58791$05c2c4ce$81ecb9aa$@mydomain.me>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acf6ns9giqwc2mwhf6ns9giqwc2tyc==
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
X-Spam-Status: Yes, score=45.3
X-Spam-Score: 453
X-Spam-Bar: +++++++++++++++++++++++++++++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system "tommy.heliohost.org", has identified this incoming email as possible spam.
  The original message has been attached to this so you can view it or label similar future email.
  If you have any questions, see root\@localhost for details. Content preview:
  Hi, dear user of mydomain.me [excerpt of random threatening message I know is a bluff]
  Content analysis details:
   (45.3 points, 5.0 required)
  pts rule name              description
  ---- ---------------------- --------------------------------------------------
   3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                              [189.18.165.106 listed in zen.spamhaus.org]
   4.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
   0.4 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                              (Split IP)
   0.0 TVD_RCVD_IP            Message was received from an IP address
   1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                              https://senderscore.org/blacklistlookup/
                              [189.18.165.106 listed in bl.score.senderscore.com]
   2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                              [189.18.165.106 listed in psbl.surriel.com]
   6.2 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                              [189.18.165.106 listed in bl.mailspike.net]
   1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                              bl.spamcop.net
                              [Blocked - see <https://www.spamcop.net/bl.shtml?189.18.165.106>]
   1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
   0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
   5.0 BITCOIN_EXTORT_01      Extortion spam, pay via BitCoin
   2.6 RDNS_DYNAMIC           Delivered to internal network by host with
                              dynamic-looking rDNS
   3.9 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP
                              addr 2)
   2.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
   3.4 BITCOIN_SPAM_07        BitCoin spam pattern 07
   2.5 TO_EQ_FM_DIRECT_MX     To == From and direct-to-MX
   2.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
   1.4 DOS_OUTLOOK_TO_MX      Delivered direct to MX with Outlook headers
   0.4 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
X-Spam-Flag: YES
Subject: ***SPAM***
  Frauders known your old passwords. Access data must be changed.
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tommy.heliohost.org
X-AntiAbuse: Original Domain - mydomain.me
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mydomain.me
X-Get-Message-Sender-Via: tommy.heliohost.org: redirect/forwarder owner myself@mydomain.me -> myotheremail@gmail.com
X-Authenticated-Sender: tommy.heliohost.org: myself@mydomain.me
X-Source:
X-Source-Args:
X-Source-Dir:

Hi, dear user of mydomain.me

[Random threatening message which I know is a bluff]

Thanks in advance!


Update: just noticed the "sender does not match SPF record" in the X-Spam-Report!

 

So maybe Tommy's spam filters caught it @mydomain, but then it was auto-forwarded to Gmail with a new SPF record, which did match, so Gmail didn't notice the discrepancy and marked it as properly signed? Is that a possibility?


Your account is most definitely not the source, just the recipient. The DKIM will be valid because of the forwarders (both Tommy and Gmail re-signed as the mail went from mailbox to mailbox). The originating server did not sign the email. Also, the Tommy spam filter correctly identified it as spam. I would suggest adding a rule to the Tommy filter to discard spam (as opposed to just tagging and delivering it) above a certain score to block these.

 

The email source is actually: 

Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org

The domain telesp.net.br has no valid content, but Googling shows it belongs to an ISP and is used as a domain for the DNS zones of a dynamic IP address block (further backed up by the dsl subdomain). From the looks of it, some random person using that ISP either has malware and his computer is unknowingly spewing spam, or he's intentionally running a spambot on his own (or a backdoored) PC. The IP address shown is blacklisted by most major spam blacklists as a known source of abuse.
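As an added illustration (not part of the thread), a short Python script that does by machine what the reply above does by hand: it walks the pasted Received chain oldest-first and reports the originating IP, whether the first hop was an authenticated submission, and which domain applied the DKIM signature that Gmail later reported as "pass". The header sample is constructed from the thread with the signature blobs omitted; the Exim convention that authenticated submissions are tagged esmtpa/esmtpsa is a general fact about Exim, not something the page states.

```python
import re
from email import message_from_string

# Constructed sample: the trace headers pasted in the thread, with the
# signature blobs and unrelated headers removed so this runs offline.
SAMPLE = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id k3sor5206526plt.5.2019.10.20.17.00.28
        for <myemail@gmail.com>; Sun, 20 Oct 2019 17:00:29 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.me header.s=default header.b=Zr2vxWeJ
Received: from tommy.heliohost.org (tommy.heliohost.org. [65.19.143.6])
        by mx.google.com with ESMTPS id t21si14112972pfh.172.2019.10.20.17.00.26
        for <myotheremail@gmail.com>; Sun, 20 Oct 2019 17:00:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.me;
     s=default; h=Subject:From:To; bh=<omitted>; b=<omitted>
Received: from 189-18-165-106.dsl.telesp.net.br ([189.18.165.106]:24249) by tommy.heliohost.org with esmtp (Exim 4.92) (envelope-from <myself@mydomain.me>) id 1iML7X-000Wak-Rw for myself@mydomain.me; Mon, 21 Oct 2019 00:00:26 +0000
From: <myself@mydomain.me>
Subject: sample

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\].*?\)\s+by\s+(\S+)\s+with\s+(\S+)")

def trace_hops(raw):
    """Received hops oldest-first as (helo_name, ip, receiving_server, protocol)."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):  # lowest header = first hop
        m = HOP_RE.search(" ".join(rcvd.split()))       # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops

def origin_report(raw):
    """Where the mail entered the chain, whether it authenticated, who signed it."""
    msg = message_from_string(raw)
    helo, ip, server, proto = trace_hops(raw)[0]
    signer = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"]).group(1)
    gmail_dkim = re.search(r"dkim=(\w+)", msg["Authentication-Results"]).group(1)
    return {
        "origin_helo": helo, "origin_ip": ip, "first_server": server,
        # Exim labels authenticated submissions esmtpa/esmtpsa; plain esmtp
        # means nobody logged in to the account to send this.
        "authenticated": proto.lower() in ("esmtpa", "esmtpsa"),
        # The signer is the *receiving* side of hop 1, so its dkim=pass at
        # Gmail only proves the mail was forwarded through mydomain.me.
        "dkim_signer": signer, "gmail_dkim": gmail_dkim,
        "origin_under_signer": helo.endswith("." + signer),
    }
```

Run on the real header, the same two fields to check are the protocol of the lowest Received line and whether its "from" host belongs to the DKIM d= domain.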
