Source of malevolent e-mails
Every now and then, I receive e-mails with an obvious malevolent payload (such as a Word document with harmful macros).
I am not worried by these e-mails, which I can recognize, but I noticed that the alleged senders are all employees of the same company, which I know. Anyway, the senders addresses are fanciful.
So my question is: what is more likely ? That their mailbox has been hacked and abused, or that my own mailbox was hacked ?
Is there a way to know ?
email malware
asked Dec 6 '18 at 13:36
Harry Cover
12819
|
show 1 more comment
Every now and then, I receive e-mails with an obvious malevolent payload (such as a Word document with harmful macros).
I am not worried by these e-mails, which I can recognize, but I noticed that the alleged senders are all employees of the same company, which I know. Anyway, the senders addresses are fanciful.
So my question is: what is more likely ? That their mailbox has been hacked and abused, or that my own mailbox was hacked ?
Is there a way to know ?
email malware
asked Dec 6 '18 at 13:36
Harry Cover
12819
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17
|
show 1 more comment
Every now and then, I receive e-mails with an obvious malevolent payload (such as a Word document with harmful macros).
I am not worried by these e-mails, which I can recognize, but I noticed that the alleged senders are all employees of the same company, which I know. Anyway, the senders addresses are fanciful.
So my question is: what is more likely ? That their mailbox has been hacked and abused, or that my own mailbox was hacked ?
Is there a way to know ?
email malware
asked Dec 6 '18 at 13:36
Harry Cover
12819
Every now and then, I receive e-mails with an obvious malevolent payload (such as a Word document with harmful macros).
I am not worried by these e-mails, which I can recognize, but I noticed that the alleged senders are all employees of the same company, which I know. Anyway, the senders addresses are fanciful.
So my question is: what is more likely ? That their mailbox has been hacked and abused, or that my own mailbox was hacked ?
Is there a way to know ?
email malware
email malware
asked Dec 6 '18 at 13:36
Harry Cover
12819
asked Dec 6 '18 at 13:36
Harry Cover
12819
edited Dec 6 '18 at 15:13
asked Dec 6 '18 at 13:36
Harry Cover
12819
asked Dec 6 '18 at 13:36
Harry Cover
12819
asked Dec 6 '18 at 13:36
Harry Cover
12819
12819
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17
|
show 1 more comment
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17
|
show 1 more comment
1 Answer
1
active
oldest
votes
It's hard to say for sure, but I think this is the most likely scenario:
- The sender's domain name does not have an SPF record that restricts what IP addresses are allowed to send emails for the domain.
Other possible scenarios off the top of my head in descending order of likeliness from my experience:
- The senders' email account or email server has been compromised and is sending spam to contacts known on the server.
- The senders' domain name does have sensible SPF records, but your mail server's anti-spam software is not checking for spoofed emails.
- Your mail server or account has been compromised, and a malware distributor is using your contacts list to place malware emails in your inbox.
Scenario 1 – Sender SPF Misconfigured
This is the most likely scenario because you indicated in an update to your question that the senders' email addresses are "fanciful"; the spoofing sender may not necessarily know any real mailboxes at the target domain.
Symptom
You receive an email from someone, but that person denies sending the email. They may be able to show no matching record in their sent messages folder or even the sending server's email logs.
Cause
The sender's domain name does not have an SPF (Sender Policy Framework) record that prevents spoofing.
Diagnosis
You can check the SPF record of domain example.com with this command:
nslookup -type=TXT example.com
Replace example.com with the sender's domain name. You may see a record that looks like this:
"v=spf1 +a +mx +ip4:127.0.0.1 -all"
In the example above,
+ameans to allow the IP address(es) of the domain's A record(s) to send emails on behalf of this domain.
+mxmeans to resolve the domain's MX records and allow those domains to send emails, too.
+ip4:127.0.0.1means to allow the IP address127.0.0.1to send emails for this domain.
-allmeans to reject all other IP addresses from sending emails for this domain.
If the sender does not have -all in their SPF record, receiving mail servers that validate SPF may accept spoofed emails that could have been sent by anyone.
You can check the actual sender of the email by reading the Received: headers in the malicious email you received. The Received: headers are in the reverse order of each mail server the email passed through, but note that the headers not added by your mail server can be spoofed. The first Received: header added by your mail gateway shows where the email came from. Example:
Received: from mail-eopbgr810054.outbound.protection.outlook.com ([40.107.81.54]:59584 helo=NAM01-BY2-obe.outbound.protection.outlook.com)
by example.deltik.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jason@luxurylifestylereport.net>)
id 1gUudZ-00BGJx-L7
for example@deltik.org; Thu, 29 Nov 2018 06:49:21 -0600
In the example above, the email came from 40.107.81.54, which passed the SPF record ("v=spf1 include:spf.protection.outlook.com -all") check on the spam sender's domain, luxurylifestylereport.net, so the email was accepted.
Alternatively, if you have access to the email server logs, you can read the origin of the email from there.
Resolution
The sender's postmaster should configure an SPF record for their domain that prevents spammers from spoofing the domain for emails. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 2 – Sender's Email Compromised
This scenario is less likely because you said this problem happens every now and then, but someone else should have noticed and reported this in the past.
Symptom
You can see in the email headers that the email came from an IP address that is permitted to send emails for the sender's domain.
Cause
The mail server at the IP address or a server that sends mail through it has been compromised. The hacker may also have found a copy of contacts that the sender knows about and is trying to email those in the hopes of finding someone relatable.
Diagnosis
Same process as that of Scenario 1
Resolution
The sender's postmaster needs to stop and secure their email system. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 3 – Receiving Mail Server Doesn't Check SPF Records
This scenario is less likely because spammers won't want to waste resources to try to spoof emails for a domain that already protects itself from spoofing. You'd probably get a lot of spoofed mail from other domain names, too.
Symptom
You receive an email from someone, but that person can prove they didn't send it. In fact, anyone can validate that the domain's SPF record is configured properly, yet the email you received came from an IP address forbidden by the domain's SPF record.
Cause
Your email server is not filtering out spoofed emails.
Diagnosis
Same process as that of Scenario 1, but you can see that the sender's IP address fails the SPF check
Resolution
Consult your email server's documentation for how to configure SPF validation.
Scenario 4 – Recipient Email Account Compromised
This scenario is less likely because it's more lucrative to hide the fact that you've been compromised from you and use your email address's good reputation to send out spam to others. Also, the malicious entity probably would be diversifying the source email address.
Symptom
Your incoming email logs don't show the email that appeared, or the headers of the received email don't make sense.
Cause
Someone is hoping to get more access to you by dropping malware emails into your already compromised email account without actually sending any emails. Emails can be added over the IMAP protocol.
Diagnosis
Check your mail server logs for authentications that you don't recognize.
Resolution
Change your email account's password.
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381345%2fsource-of-malevolent-e-mails%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
It's hard to say for sure, but I think this is the most likely scenario:
- The sender's domain name does not have an SPF record that restricts what IP addresses are allowed to send emails for the domain.
Other possible scenarios off the top of my head in descending order of likeliness from my experience:
- The senders' email account or email server has been compromised and is sending spam to contacts known on the server.
- The senders' domain name does have sensible SPF records, but your mail server's anti-spam software is not checking for spoofed emails.
- Your mail server or account has been compromised, and a malware distributor is using your contacts list to place malware emails in your inbox.
Scenario 1 – Sender SPF Misconfigured
This is the most likely scenario because you indicated in an update to your question that the senders' email addresses are "fanciful"; the spoofing sender may not necessarily know any real mailboxes at the target domain.
Symptom
You receive an email from someone, but that person denies sending the email. They may be able to show no matching record in their sent messages folder or even the sending server's email logs.
Cause
The sender's domain name does not have an SPF (Sender Policy Framework) record that prevents spoofing.
Diagnosis
You can check the SPF record of domain example.com with this command:
nslookup -type=TXT example.com
Replace example.com with the sender's domain name. You may see a record that looks like this:
"v=spf1 +a +mx +ip4:127.0.0.1 -all"
In the example above,
+ameans to allow the IP address(es) of the domain's A record(s) to send emails on behalf of this domain.
+mxmeans to resolve the domain's MX records and allow those domains to send emails, too.
+ip4:127.0.0.1means to allow the IP address127.0.0.1to send emails for this domain.
-allmeans to reject all other IP addresses from sending emails for this domain.
If the sender does not have -all in their SPF record, receiving mail servers that validate SPF may accept spoofed emails that could have been sent by anyone.
You can check the actual sender of the email by reading the Received: headers in the malicious email you received. The Received: headers are in the reverse order of each mail server the email passed through, but note that the headers not added by your mail server can be spoofed. The first Received: header added by your mail gateway shows where the email came from. Example:
Received: from mail-eopbgr810054.outbound.protection.outlook.com ([40.107.81.54]:59584 helo=NAM01-BY2-obe.outbound.protection.outlook.com)
by example.deltik.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jason@luxurylifestylereport.net>)
id 1gUudZ-00BGJx-L7
for example@deltik.org; Thu, 29 Nov 2018 06:49:21 -0600
In the example above, the email came from 40.107.81.54, which passed the SPF record ("v=spf1 include:spf.protection.outlook.com -all") check on the spam sender's domain, luxurylifestylereport.net, so the email was accepted.
Alternatively, if you have access to the email server logs, you can read the origin of the email from there.
Resolution
The sender's postmaster should configure an SPF record for their domain that prevents spammers from spoofing the domain for emails. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 2 – Sender's Email Compromised
This scenario is less likely because you said this problem happens every now and then, but someone else should have noticed and reported this in the past.
Symptom
You can see in the email headers that the email came from an IP address that is permitted to send emails for the sender's domain.
Cause
The mail server at the IP address or a server that sends mail through it has been compromised. The hacker may also have found a copy of contacts that the sender knows about and is trying to email those in the hopes of finding someone relatable.
Diagnosis
Same process as that of Scenario 1
Resolution
The sender's postmaster needs to stop and secure their email system. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 3 – Receiving Mail Server Doesn't Check SPF Records
This scenario is less likely because spammers won't want to waste resources to try to spoof emails for a domain that already protects itself from spoofing. You'd probably get a lot of spoofed mail from other domain names, too.
Symptom
You receive an email from someone, but that person can prove they didn't send it. In fact, anyone can validate that the domain's SPF record is configured properly, yet the email you received came from an IP address forbidden by the domain's SPF record.
Cause
Your email server is not filtering out spoofed emails.
Diagnosis
Same process as that of Scenario 1, but you can see that the sender's IP address fails the SPF check
Resolution
Consult your email server's documentation for how to configure SPF validation.
Scenario 4 – Recipient Email Account Compromised
This scenario is less likely because it's more lucrative to hide the fact that you've been compromised from you and use your email address's good reputation to send out spam to others. Also, the malicious entity probably would be diversifying the source email address.
Symptom
Your incoming email logs don't show the email that appeared, or the headers of the received email don't make sense.
Cause
Someone is hoping to get more access to you by dropping malware emails into your already compromised email account without actually sending any emails. Emails can be added over the IMAP protocol.
Diagnosis
Check your mail server logs for authentications that you don't recognize.
Resolution
Change your email account's password.
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
add a comment |
It's hard to say for sure, but I think this is the most likely scenario:
- The sender's domain name does not have an SPF record that restricts what IP addresses are allowed to send emails for the domain.
Other possible scenarios off the top of my head in descending order of likeliness from my experience:
- The senders' email account or email server has been compromised and is sending spam to contacts known on the server.
- The senders' domain name does have sensible SPF records, but your mail server's anti-spam software is not checking for spoofed emails.
- Your mail server or account has been compromised, and a malware distributor is using your contacts list to place malware emails in your inbox.
Scenario 1 – Sender SPF Misconfigured
This is the most likely scenario because you indicated in an update to your question that the senders' email addresses are "fanciful"; the spoofing sender may not necessarily know any real mailboxes at the target domain.
Symptom
You receive an email from someone, but that person denies sending the email. They may be able to show no matching record in their sent messages folder or even the sending server's email logs.
Cause
The sender's domain name does not have an SPF (Sender Policy Framework) record that prevents spoofing.
Diagnosis
You can check the SPF record of domain example.com with this command:
nslookup -type=TXT example.com
Replace example.com with the sender's domain name. You may see a record that looks like this:
"v=spf1 +a +mx +ip4:127.0.0.1 -all"
In the example above,
+ameans to allow the IP address(es) of the domain's A record(s) to send emails on behalf of this domain.
+mxmeans to resolve the domain's MX records and allow those domains to send emails, too.
+ip4:127.0.0.1means to allow the IP address127.0.0.1to send emails for this domain.
-allmeans to reject all other IP addresses from sending emails for this domain.
If the sender does not have -all in their SPF record, receiving mail servers that validate SPF may accept spoofed emails that could have been sent by anyone.
You can check the actual sender of the email by reading the Received: headers in the malicious email you received. The Received: headers are in the reverse order of each mail server the email passed through, but note that the headers not added by your mail server can be spoofed. The first Received: header added by your mail gateway shows where the email came from. Example:
Received: from mail-eopbgr810054.outbound.protection.outlook.com ([40.107.81.54]:59584 helo=NAM01-BY2-obe.outbound.protection.outlook.com)
by example.deltik.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jason@luxurylifestylereport.net>)
id 1gUudZ-00BGJx-L7
for example@deltik.org; Thu, 29 Nov 2018 06:49:21 -0600
In the example above, the email came from 40.107.81.54, which passed the SPF record ("v=spf1 include:spf.protection.outlook.com -all") check on the spam sender's domain, luxurylifestylereport.net, so the email was accepted.
Alternatively, if you have access to the email server logs, you can read the origin of the email from there.
Resolution
The sender's postmaster should configure an SPF record for their domain that prevents spammers from spoofing the domain for emails. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 2 – Sender's Email Compromised
This scenario is less likely because you said this problem happens every now and then, but someone else should have noticed and reported this in the past.
Symptom
You can see in the email headers that the email came from an IP address that is permitted to send emails for the sender's domain.
Cause
The mail server at the IP address or a server that sends mail through it has been compromised. The hacker may also have found a copy of contacts that the sender knows about and is trying to email those in the hopes of finding someone relatable.
Diagnosis
Same process as that of Scenario 1
Resolution
The sender's postmaster needs to stop and secure their email system. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 3 – Receiving Mail Server Doesn't Check SPF Records
This scenario is less likely because spammers won't want to waste resources to try to spoof emails for a domain that already protects itself from spoofing. You'd probably get a lot of spoofed mail from other domain names, too.
Symptom
You receive an email from someone, but that person can prove they didn't send it. In fact, anyone can validate that the domain's SPF record is configured properly, yet the email you received came from an IP address forbidden by the domain's SPF record.
Cause
Your email server is not filtering out spoofed emails.
Diagnosis
Same process as that of Scenario 1, but you can see that the sender's IP address fails the SPF check
Resolution
Consult your email server's documentation for how to configure SPF validation.
Scenario 4 – Recipient Email Account Compromised
This scenario is less likely because it's more lucrative to hide the fact that you've been compromised from you and use your email address's good reputation to send out spam to others. Also, the malicious entity probably would be diversifying the source email address.
Symptom
Your incoming email logs don't show the email that appeared, or the headers of the received email don't make sense.
Cause
Someone is hoping to get more access to you by dropping malware emails into your already compromised email account without actually sending any emails. Emails can be added over the IMAP protocol.
Diagnosis
Check your mail server logs for authentications that you don't recognize.
Resolution
Change your email account's password.
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
add a comment |
It's hard to say for sure, but I think this is the most likely scenario:
- The sender's domain name does not have an SPF record that restricts what IP addresses are allowed to send emails for the domain.
Other possible scenarios off the top of my head in descending order of likeliness from my experience:
- The senders' email account or email server has been compromised and is sending spam to contacts known on the server.
- The senders' domain name does have sensible SPF records, but your mail server's anti-spam software is not checking for spoofed emails.
- Your mail server or account has been compromised, and a malware distributor is using your contacts list to place malware emails in your inbox.
Scenario 1 – Sender SPF Misconfigured
This is the most likely scenario because you indicated in an update to your question that the senders' email addresses are "fanciful"; the spoofing sender may not necessarily know any real mailboxes at the target domain.
Symptom
You receive an email from someone, but that person denies sending the email. They may be able to show no matching record in their sent messages folder or even the sending server's email logs.
Cause
The sender's domain name does not have an SPF (Sender Policy Framework) record that prevents spoofing.
Diagnosis
You can check the SPF record of domain example.com with this command:
nslookup -type=TXT example.com
Replace example.com with the sender's domain name. You may see a record that looks like this:
"v=spf1 +a +mx +ip4:127.0.0.1 -all"
In the example above,
+ameans to allow the IP address(es) of the domain's A record(s) to send emails on behalf of this domain.
+mxmeans to resolve the domain's MX records and allow those domains to send emails, too.
+ip4:127.0.0.1means to allow the IP address127.0.0.1to send emails for this domain.
-allmeans to reject all other IP addresses from sending emails for this domain.
If the sender does not have -all in their SPF record, receiving mail servers that validate SPF may accept spoofed emails that could have been sent by anyone.
You can check the actual sender of the email by reading the Received: headers in the malicious email you received. The Received: headers are in the reverse order of each mail server the email passed through, but note that the headers not added by your mail server can be spoofed. The first Received: header added by your mail gateway shows where the email came from. Example:
Received: from mail-eopbgr810054.outbound.protection.outlook.com ([40.107.81.54]:59584 helo=NAM01-BY2-obe.outbound.protection.outlook.com)
by example.deltik.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jason@luxurylifestylereport.net>)
id 1gUudZ-00BGJx-L7
for example@deltik.org; Thu, 29 Nov 2018 06:49:21 -0600
In the example above, the email came from 40.107.81.54, which passed the SPF record ("v=spf1 include:spf.protection.outlook.com -all") check on the spam sender's domain, luxurylifestylereport.net, so the email was accepted.
Alternatively, if you have access to the email server logs, you can read the origin of the email from there.
Resolution
The sender's postmaster should configure an SPF record for their domain that prevents spammers from spoofing the domain for emails. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 2 – Sender's Email Compromised
This scenario is less likely because you said this problem happens every now and then, but someone else should have noticed and reported this in the past.
Symptom
You can see in the email headers that the email came from an IP address that is permitted to send emails for the sender's domain.
Cause
The mail server at the IP address or a server that sends mail through it has been compromised. The hacker may also have found a copy of contacts that the sender knows about and is trying to email those in the hopes of finding someone relatable.
Diagnosis
Same process as that of Scenario 1
Resolution
The sender's postmaster needs to stop and secure their email system. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 3 – Receiving Mail Server Doesn't Check SPF Records
This scenario is less likely because spammers won't want to waste resources to try to spoof emails for a domain that already protects itself from spoofing. You'd probably get a lot of spoofed mail from other domain names, too.
Symptom
You receive an email from someone, but that person can prove they didn't send it. In fact, anyone can validate that the domain's SPF record is configured properly, yet the email you received came from an IP address forbidden by the domain's SPF record.
Cause
Your email server is not filtering out spoofed emails.
Diagnosis
Same process as that of Scenario 1, but you can see that the sender's IP address fails the SPF check
Resolution
Consult your email server's documentation for how to configure SPF validation.
Scenario 4 – Recipient Email Account Compromised
This scenario is less likely because it's more lucrative to hide the fact that you've been compromised from you and use your email address's good reputation to send out spam to others. Also, the malicious entity probably would be diversifying the source email address.
Symptom
Your incoming email logs don't show the email that appeared, or the headers of the received email don't make sense.
Cause
Someone is hoping to get more access to you by dropping malware emails into your already compromised email account without actually sending any emails. Emails can be added over the IMAP protocol.
Diagnosis
Check your mail server logs for authentications that you don't recognize.
Resolution
Change your email account's password.
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
It's hard to say for sure, but I think this is the most likely scenario:
- The sender's domain name does not have an SPF record that restricts what IP addresses are allowed to send emails for the domain.
Other possible scenarios off the top of my head in descending order of likeliness from my experience:
- The senders' email account or email server has been compromised and is sending spam to contacts known on the server.
- The senders' domain name does have sensible SPF records, but your mail server's anti-spam software is not checking for spoofed emails.
- Your mail server or account has been compromised, and a malware distributor is using your contacts list to place malware emails in your inbox.
Scenario 1 – Sender SPF Misconfigured
This is the most likely scenario because you indicated in an update to your question that the senders' email addresses are "fanciful"; the spoofing sender may not necessarily know any real mailboxes at the target domain.
Symptom
You receive an email from someone, but that person denies sending the email. They may be able to show no matching record in their sent messages folder or even the sending server's email logs.
Cause
The sender's domain name does not have an SPF (Sender Policy Framework) record that prevents spoofing.
Diagnosis
You can check the SPF record of domain example.com with this command:
nslookup -type=TXT example.com
Replace example.com with the sender's domain name. You may see a record that looks like this:
"v=spf1 +a +mx +ip4:127.0.0.1 -all"
In the example above,
+ameans to allow the IP address(es) of the domain's A record(s) to send emails on behalf of this domain.
+mxmeans to resolve the domain's MX records and allow those domains to send emails, too.
+ip4:127.0.0.1means to allow the IP address127.0.0.1to send emails for this domain.
-allmeans to reject all other IP addresses from sending emails for this domain.
If the sender does not have -all in their SPF record, receiving mail servers that validate SPF may accept spoofed emails that could have been sent by anyone.
You can check the actual sender of the email by reading the Received: headers in the malicious email you received. The Received: headers are in the reverse order of each mail server the email passed through, but note that the headers not added by your mail server can be spoofed. The first Received: header added by your mail gateway shows where the email came from. Example:
Received: from mail-eopbgr810054.outbound.protection.outlook.com ([40.107.81.54]:59584 helo=NAM01-BY2-obe.outbound.protection.outlook.com)
by example.deltik.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jason@luxurylifestylereport.net>)
id 1gUudZ-00BGJx-L7
for example@deltik.org; Thu, 29 Nov 2018 06:49:21 -0600
In the example above, the email came from 40.107.81.54, which passed the SPF record ("v=spf1 include:spf.protection.outlook.com -all") check on the spam sender's domain, luxurylifestylereport.net, so the email was accepted.
Alternatively, if you have access to the email server logs, you can read the origin of the email from there.
Resolution
The sender's postmaster should configure an SPF record for their domain that prevents spammers from spoofing the domain for emails. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 2 – Sender's Email Compromised
This scenario is less likely because you said this problem happens every now and then, but someone else should have noticed and reported this in the past.
Symptom
You can see in the email headers that the email came from an IP address that is permitted to send emails for the sender's domain.
Cause
The mail server at the IP address or a server that sends mail through it has been compromised. The hacker may also have found a copy of contacts that the sender knows about and is trying to email those in the hopes of finding someone relatable.
Diagnosis
Same process as that of Scenario 1
Resolution
The sender's postmaster needs to stop and secure their email system. This is not something that you can do.
Until their postmaster fixes this, you can try adjusting your anti-spam settings to block emails with malicious attachments or spammy contents.
Scenario 3 – Receiving Mail Server Doesn't Check SPF Records
This scenario is less likely because spammers won't want to waste resources to try to spoof emails for a domain that already protects itself from spoofing. You'd probably get a lot of spoofed mail from other domain names, too.
Symptom
You receive an email from someone, but that person can prove they didn't send it. In fact, anyone can validate that the domain's SPF record is configured properly, yet the email you received came from an IP address forbidden by the domain's SPF record.
Cause
Your email server is not filtering out spoofed emails.
Diagnosis
Same process as that of Scenario 1, but you can see that the sender's IP address fails the SPF check
Resolution
Consult your email server's documentation for how to configure SPF validation.
Scenario 4 – Recipient Email Account Compromised
This scenario is less likely because it's more lucrative to hide the fact that you've been compromised from you and use your email address's good reputation to send out spam to others. Also, the malicious entity probably would be diversifying the source email address.
Symptom
Your incoming email logs don't show the email that appeared, or the headers of the received email don't make sense.
Cause
Someone is hoping to get more access to you by dropping malware emails into your already compromised email account without actually sending any emails. Emails can be added over the IMAP protocol.
Diagnosis
Check your mail server logs for authentications that you don't recognize.
Resolution
Change your email account's password.
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
answered Dec 6 '18 at 15:20
Deltik
11.9k134384
11.9k134384
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381345%2fsource-of-malevolent-e-mails%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Are you an employee of this company? Does your IT support know?
– slhck
Dec 6 '18 at 13:39
@slhck: I am not, and I am my own IT support. Why ?
– Harry Cover
Dec 6 '18 at 13:44
I am asking since it makes a huge difference whether this is sent to your private address, or from within the same company. Particularly if you get these mails from multiple people at the same company to your private address, it's very likely that this is an issue with that company's mail system being compromised.
– slhck
Dec 6 '18 at 14:38
@slhck: they are sent to my business address, the only one this company knows. As I don't get similar mails from other sources, you are likely right.
– Harry Cover
Dec 6 '18 at 15:09
I just saw your update saying that the sender email addresses are "fanciful". This strongly suggests to me that the senders' domain name is not properly configured to prohibit spoofing.
– Deltik
Dec 6 '18 at 15:17