Email Spoofing Issue
-
Hello,
I'm frequently facing an issue of email spoofing: basically some spammer or hacker gets into any of my users' email accounts and starts sending bulk emails to users.
I'm not sure how they are getting in even though I changed the password of the email account; still, the spammer gets into the account and sends spam to users.
Is there any way to find out what's causing this infiltration and how the spammer is getting into the system?
Please let me know and guide me on this.
Thanks!
-
@webliska are you sure they are really coming from the user's email and don't just look like they are? Can you share an example of the actual email header code? Can you see these emails actually getting sent by your server in the email log?
-
The basic question is: did you change your Cloudron account password? Did you sometimes have a generated application password, e.g., for your email application?
In my opinion, this looks like the password for the email application assigned to the Cloudron account has been compromised.
-
Definitely change the password on the compromised account if you have not already done so. That should stop these emails. If you allow this to continue you risk having your server's IP blacklisted, which will then affect the deliverability of legitimate emails.
This is not email spoofing but emails being sent from the respective account on your server.
-
Thank you for your reply.
But as I mentioned in my first email, I already changed the password of the user right away when I found it compromised.
Can't we find out from where and how these emails are being executed? Like any script running or via authentication, is it being done?
This is something of grave concern if we can't find the loophole in how this is being executed.
I hope you understand.
-
We changed the password multiple times, but still the same. The emails are being delivered to unknown users, and we don't even know what exactly is being sent in the email.
This is urgent and I need a resolution for the same.
Thanks!
@webliska Send the header from the Email Log here and check if you have the application password in the “Profiles” tab.
-
Is there maybe an app running which is configured to send email via that user's account? If so, maybe the app has been compromised and is sending out emails.
You might want to consider temporarily disabling outbound email for this domain until the issue has been resolved. This may not be an option of course as it would impact other addresses on the same domain.
The email headers would be interesting here as @matix131997 already mentioned.
-
Hello, how do I send the header of the emails? Can you guide me on this? I'm just receiving Mailer Daemon Failure emails and not the ones that are sent.
No app is configured with the email. For now, I have inactivated the email account.
@webliska You have to click on the list of the email in question then the information should appear underneath.
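
The thread asks whether the mail really left the server or only looks like it did, and the only evidence at hand is the bounce messages. The following is an added example, not part of the thread or of Cloudron: it pulls the original headers out of a bounce (DSN) and checks whether any `Received` hop names your own mail server. The host names and the sample bounce are constructed placeholders.

```python
import email
import re
from email import policy

# "by <host>" names the server that accepted the message at each hop
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def original_headers(dsn_bytes):
    """Return the bounced message's own headers from a DSN, or None."""
    msg = email.message_from_bytes(dsn_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # headers-only copy
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def accepting_hosts(original):
    """Hosts from the 'by' clause of every Received header."""
    hosts = []
    for value in original.get_all("Received", []):
        match = BY_HOST.search(str(value))
        if match:
            hosts.append(match.group(1).lower().rstrip("."))
    return hosts

def triage(dsn_bytes, my_mail_hosts):
    original = original_headers(dsn_bytes)
    if original is None:
        return "no-original-headers"
    mine = {h.lower() for h in my_mail_hosts}
    if any(h in mine for h in accepting_hosts(original)):
        return "sent-through-our-server"   # an account or app on the server was used
    return "forged-elsewhere"              # backscatter: only the From address was faked

def sample_dsn(received_line):
    # Constructed bounce for illustration; every host is an example.* placeholder
    return ("From: MAILER-DAEMON@mx.example.net\r\nTo: user@example.com\r\n"
            "Subject: Undelivered Mail Returned to Sender\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
            "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
            "Reporting-MTA: dns; mx.example.net\r\n\r\n"
            "Final-Recipient: rfc822; nobody@example.org\r\nAction: failed\r\nStatus: 5.1.1\r\n"
            "--b1\r\nContent-Type: text/rfc822-headers\r\n\r\n" + received_line + "\r\n"
            "From: user@example.com\r\nSubject: hello\r\n--b1--\r\n").encode()

if __name__ == "__main__":
    hop = "Received: from [203.0.113.7] by my.example.com with ESMTPSA; Mon, 1 Jan 2024 00:00:00 +0000"
    print(triage(sample_dsn(hop), {"my.example.com"}))
```

`Received` lines added before the message reached a server you trust can be forged, so treat a match as a lead and confirm it against the server's own email log.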