Email/name being spoofed


7 replies to this topic

#1 amadeuus (Members, 3 posts)

Posted 02 November 2016 - 01:13 PM

Hi, within the last 24 hours I saw in my email that I had mail from myself, yet when I clicked my name on the header it said a completely different email address but with my name in it. I then saw it messaged myself as well as a few of my contacts. It asks to 'click here', which links to, I'm guessing, a malicious site, as you can see at the very end of the message source. I'm not quite sure if this is the correct forum to post this on, but I really need someone's advice on how to go about resolving this. Thank you. The message source is as follows:

Return-Path: <MYNAME@o2.co.uk>
Received: from mail.o2.co.uk (jabba.london.02.net [82.132.130.169])
	by mtaiw-aad03.mx.aol.com (Internet Inbound) with ESMTP id A80417000008D;
	Wed,  2 Nov 2016 04:29:02 -0400 (EDT)
Received: from mail.02.net (119.207.60.140) by mail.o2.co.uk (8.5.140.03) (authenticated as 07763942358@o2.co.uk)
        id 58179C3700DA8ED2; Wed, 2 Nov 2016 08:28:51 +0000
Message-ID: <900690077be1$eaee9ccb$d8a336e7$@o2.co.uk>
From: MYNAME <MYNAME@o2.co.uk>
To: "MULTIPLE CONTACTS OF MINE INCLUDING MY OWN REAL EMAIL">
Subject: 
Date: Wed, 2 Nov 2016 08:27:52 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=Apple-Mail-5886D6FF-7830-4E8D-BAD2-7562BFB99969
Importance: Normal
X-Mailer: iPhone Mail (12B466)
x-aol-global-disposition: G
X-AOL-SCOLL-DMARC: mtaiw-aad03.mx.aol.com ; domain : o2.co.uk ; policy : none ; result : F
Authentication-Results: mx.aol.com;
	spf=permerror (aol.com: while processing the SPF record for o2.co.uk we encountered a fatal error.) smtp.mailfrom=o2.co.uk;
	dmarc=fail (aol.com: the domain o2.co.uk reports that Neither SPF nor DKIM align.) header.from=o2.co.uk;
x-aol-sid: 3039ac1a7fdd5819a3ce7421
X-AOL-IP: 82.132.130.169
X-AOL-SPF: domain : o2.co.uk SPF : permerror


--Apple-Mail-5886D6FF-7830-4E8D-BAD2-7562BFB99969
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

Unable to show full message.
To view this message please click here



Wed, 2 Nov 2016 08:27:52 +0000
Mail error code: u1mv9 

--Apple-Mail-5886D6FF-7830-4E8D-BAD2-7562BFB99969
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: 7bit

<HTML><HEAD></HEAD>
<BODY dir=ltr><DIV dir=ltr><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000"><DIV><FONT color=#ff0000>This message can only be viewed in a browser.</FONT></DIV><DIV>To view this message please <A href="http://benznuts.co.za/htqehshd.php?un6/=pzs2?sx11r/=lpr">click here</A></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV><EM>Wed, 2 Nov 2016 08:27:52 +0000</EM></DIV><DIV><FONT style="COLOR: #ffffff">Mail error code: b0yfy </FONT></DIV></DIV></DIV></BODY></HTML>

--Apple-Mail-5886D6FF-7830-4E8D-BAD2-7562BFB99969--

Edited by amadeuus, 02 November 2016 - 01:15 PM.




#2 Chris Cosgrove (Moderator, 6,875 posts)

Posted 02 November 2016 - 07:02 PM

Pending an answer from someone with greater technical knowledge in this area it is possible that your contact list has been hacked.

 

As an immediate action I would change the password for your email account ASAP, preferably using a strong password. And if you used your email password for anything else I would change them as well, preferably to different ones. And then, or perhaps first, run an A/V scan and an anti-malware scan. This should deal with any malicious software that may have got into your computer. If it doesn't, or you have reason to believe you may still be infected, start a topic in the 'Am I infected?' section of BC, but read the guides first.

 

Email addresses are very easy to 'spoof' - I don't know how to myself - but I know from experience with spam that this is the case. I average perhaps two spam emails a day apparently from all sorts of reputable sources, but looking at the source code tells a different story.

 

Chris Cosgrove



#3 Platypus (Moderator, 14,962 posts)

Posted 02 November 2016 - 07:23 PM

Also, if only a few of your own contacts have been included, it may be someone else whose contact list includes both you and some contacts you have in common that has been compromised, and their contact list is being used to spoof addresses.

Again, pending more expert response, I suggest telling your contacts you have received suspicious emails showing names on your contact list, and ask if they would please check to make sure that their email account has not been compromised and you are doing the same.

Top 5 things that never get done:

1.


#4 amadeuus (Topic Starter, Members, 3 posts)

Posted 02 November 2016 - 07:26 PM

Thanks Chris, I ran an Avira scan this morning after I saw the email, and changed my password. I already had 2-step auth for my email, which sends me a text whenever I log in, so I'm not sure how they would have gotten some of my contacts. I also emailed the people it got sent to telling them to delete the email as it was not from me.



#5 JohnnyJammer (Members, 1,117 posts)

Posted 02 November 2016 - 09:49 PM

This here shows it failing the SPF record, mate.

Authentication-Results: mx.aol.com;
    spf=permerror (aol.com: while processing the SPF record for o2.co.uk we encountered a fatal error.) smtp.mailfrom=o2.co.uk;
    dmarc=fail (aol.com: the domain o2.co.uk reports that Neither SPF nor DKIM align.) header.from=o2.co.uk;

Also DMARC

X-AOL-SCOLL-DMARC: mtaiw-aad03.mx.aol.com ; domain : o2.co.uk ; policy : none ; result : F

So the originating email came from the AOL servers from IP 119.207.60.140, which is from Korea, mate.

When looking at Email headers, always check the SPF and or DMARC for failures when authenticating from the ISP host.

 

Report = http://urlquery.net/report.php?id=1478141535919

 

All in all I get these daily. All they do is spoof the Return-Path and display name, but I have rules in place with SPF and DMARC on my email server along with mail flow rules to detect spoofing from outside the organization; I always get a report when someone tries to spoof.

You can email abuse@ that ISP from Korea, mate, but they never reply and they don't care LOL.


Edited by JohnnyJammer, 02 November 2016 - 09:57 PM.


#6 JohnnyJammer (Members, 1,117 posts)

Posted 02 November 2016 - 10:01 PM

> Thanks Chris, I ran an Avira scan this morning after I saw the email, and changed my password. I already had 2-step auth for my email, which sends me a text whenever I log in, so I'm not sure how they would have gotten some of my contacts. I also emailed the people it got sent to telling them to delete the email as it was not from me.

I wouldn't worry too much, mate. The best prize for accessing (infecting a remote node) and using a spam bot is getting contact lists from Microsoft Outlook, Mail, and/or other means, to start a local SMTP server on the infected machine and start hitting their contact list, of which they spoof per indexed name (each of your users would have been spoofed too, I would say).

You should see some of the ones i get LOL

Anyone remember adding the G=+2000, I think it was, at the end of an email address in Outlook? That would send 2000 emails.



#7 amadeuus (Topic Starter, Members, 3 posts)

Posted 02 November 2016 - 10:09 PM

So what you're saying is I shouldn't be too concerned about it? Do you think this could be a vulnerability on aol's end?



#8 JohnnyJammer (Members, 1,117 posts)

Posted 02 November 2016 - 10:17 PM

> So what you're saying is I shouldn't be too concerned about it? Do you think this could be a vulnerability on aol's end?

No, you can even log in to many email servers without using a username and password (telnet mail.somestmpserver.com 25); even Office 365's online Exchange can be used to spoof, mate.

It's just an email pretending to be from you, because most filters don't block emails from themselves.

So if I sent an email from dude@dude.com to dude@dude.com, why would I be blocking my own emails?

 

SPF and, to a further extent, DMARC can help with encrypting an exchange key between mail exchanges, but even then that can be spoofed/tricked into a false key. Also remember that crafting headers manually gives you more chances of bypassing some poorly configured email servers when creating the email envelope.

Do all this from a DOS prompt, mate, or any terminal with access to the internet; google it and do it to yourself, and see that in just 7 lines of text you will spoof your own email.


Edited by JohnnyJammer, 02 November 2016 - 10:19 PM.
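JohnnyJammer's advice in post #5 (check the SPF and DMARC results in Authentication-Results and find the originating hop in the Received chain) and his point in post #8 (a message "from yourself" gets through filters that trust the recipient's own domain) can be turned into a repeatable header triage. The following is an added example written for this thread, not code from any poster or from AOL or O2. The SAMPLE headers are copied from the message source in post #1 with the recipient list replaced by a constructed placeholder; OWN_NAME, OWN_ADDRESS and the SELF_SPOOF headers are constructed for the demonstration.

```python
"""Triage of inbound mail authentication headers (added example, not from the thread)."""
import re
from email import message_from_string
from email.utils import parseaddr

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed owner identity: the display name the OP saw with a foreign address.
OWN_NAME = "MYNAME"
OWN_ADDRESS = "myname@example.net"

# Copied from the header block posted in #1 (recipient replaced by a placeholder).
SAMPLE = """\
Return-Path: <MYNAME@o2.co.uk>
Received: from mail.o2.co.uk (jabba.london.02.net [82.132.130.169])
\tby mtaiw-aad03.mx.aol.com (Internet Inbound) with ESMTP id A80417000008D;
\tWed,  2 Nov 2016 04:29:02 -0400 (EDT)
Received: from mail.02.net (119.207.60.140) by mail.o2.co.uk (8.5.140.03)
        id 58179C3700DA8ED2; Wed, 2 Nov 2016 08:28:51 +0000
From: MYNAME <MYNAME@o2.co.uk>
To: MYNAME <myname@example.net>
X-AOL-SCOLL-DMARC: mtaiw-aad03.mx.aol.com ; domain : o2.co.uk ; policy : none ; result : F
Authentication-Results: mx.aol.com;
\tspf=permerror (aol.com: while processing the SPF record for o2.co.uk we encountered a fatal error.) smtp.mailfrom=o2.co.uk;
\tdmarc=fail (aol.com: the domain o2.co.uk reports that Neither SPF nor DKIM align.) header.from=o2.co.uk;

"""

# Constructed: the "mail from yourself" case from post #8, arriving from an outside host.
SELF_SPOOF = """\
Return-Path: <myname@example.net>
Received: from unknown (203.0.113.7) by mx.example.net; Wed, 2 Nov 2016 09:00:00 +0000
From: MYNAME <myname@example.net>
To: MYNAME <myname@example.net>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.net

"""


def strip_comments(value: str) -> str:
    """Drop RFC 5322 comments such as '(aol.com: ...)'; nested comments are not expected here."""
    return re.sub(r"\([^()]*\)", "", value)


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results header (RFC 7601) into {method: {'result': ..., props}}."""
    value = re.sub(r"\s+", " ", strip_comments(value)).strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id, e.g. "mx.aol.com"
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def triage(raw_headers: str, own_name: str, own_address: str) -> dict:
    """Summarise the spoofing indicators a receiver can read straight off the headers."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    non_pass = [f"{m}={r['result']}" for m, r in auth.items() if r["result"] != "pass"]

    # AOL-specific header from the sample; 'policy : none' means the From domain asked
    # receivers only to report failures, not to reject or quarantine them.
    policy = re.search(r"policy\s*:\s*(\w+)", msg.get("X-AOL-SCOLL-DMARC", ""))
    # The bottom-most Received header is the earliest hop the receiver can see.
    received = msg.get_all("Received") or []
    origin = IPV4.search(received[-1]) if received else None

    report = {
        "non_pass": non_pass,
        "domains_aligned": bool(from_domain) and from_domain == rp_domain,
        # Display-name spoof: your name on the From line, but not your address.
        "display_name_spoof": from_name.strip().lower() == own_name.lower()
        and from_addr.lower() != own_address.lower(),
        # Self-spoof: From is literally your own address (post #8's case).
        "from_is_self": from_addr.lower() == own_address.lower(),
        "dmarc_policy": policy.group(1).lower() if policy else None,
        "origin_ip": origin.group(1) if origin else None,
    }
    report["suspicious"] = (
        bool(non_pass) or report["display_name_spoof"] or not report["domains_aligned"]
    )
    return report


if __name__ == "__main__":
    for label, headers in (("thread sample", SAMPLE), ("self-spoof", SELF_SPOOF)):
        print(label, triage(headers, OWN_NAME, OWN_ADDRESS))
```

For the thread sample this reports spf=permerror and dmarc=fail, a display name that matches the owner with a foreign address, the originating hop 119.207.60.140, and a DMARC policy of none. That last item is the practical point: with p=none the From domain only asks for reports, so AOL delivered the message despite the failures; a rule on your own gateway that treats a non-pass result on mail claiming your own name or address as spam (the "mail flow rules" JohnnyJammer describes) is what actually stops the self-addressed variant, which the second sample shows being flagged by the same function.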




