Cloudron Forum

Email Spoofing Issue

30 Posts 8 Posters 260 Views 8 Watching
webliska

    Hello,

I'm frequently facing an issue of email spoofing: basically, some spammer or hacker gets into one of my users' email accounts and starts sending bulk emails to users.

I'm not sure how they are getting in; even though I changed the password of the email account, the spammer still gets into the account and sends spam to users.

    Is there any way to find out what's causing this infiltration and how the spammer is getting into the system?

    Please let me know and guide me on this.

    Thanks!

jdaviescoates #2

@webliska Ah, are you sure they are really coming from the user's email and don't just look like they are? Can you share an example of the actual email header code? Can you see these emails actually getting sent by your server in the email log?

webliska #3

I'm not sure where these emails are being sent from. For the time being I need to deactivate the email account to stop the spam. Attached is a screenshot of the event log.

      img-email.png

webliska #4

        Any help to stop this SPAM is appreciated

matix131997 #5

The basic question is: did you change your Cloudron account password? Did you at some point have a generated application password, e.g. for your email application?

          In my opinion, this looks like the password for the email application assigned to the Cloudron account has been compromised.

ccfu #6

            Definitely change the password on the compromised account if you have not already done so. That should stop these emails. If you allow this to continue you risk having your server's IP blacklisted, which will then affect the deliverability of legitimate emails.

            This is not email spoofing but emails being sent from the respective account on your server.

webliska #7

              Thank you for your reply.

But as I mentioned in my first message, I already changed the password of the user right away when I found it compromised.

Can't we find out from where and how these emails are being sent? Is it being done by some script running, or via authentication?

This is of grave concern if we can't find the loophole in how this is being done.

              I hope you understand.

webliska #8

                image.png

We changed the password multiple times, but it's still the same: the emails are being delivered to unknown users, and we don't even know what exactly is being sent in the email.

                This is urgent and I need a resolution for the same.

                Thanks!


matix131997 #9

                  @webliska Send the header from the Email Log here and check if you have the application password in the “Profiles” tab.

ccfu #10

                    Is there maybe an app running which is configured to send email via that user's account? If so, maybe the app has been compromised and is sending out emails.

You might want to consider temporarily disabling outbound email for this domain until the issue has been resolved. This may not be an option of course, as it would impact other addresses on the same domain.

                    The email headers would be interesting here as @matix131997 already mentioned.

webliska #11

Hello, how do I send the header of the emails? Can you guide me on this? I'm just receiving Mailer Daemon failure emails and not the ones that are sent.

                      No app is configured with the email. For now, I have inactivated the email account.


matix131997 #12

@webliska You have to click on the email in question in the list; the information should then appear underneath.
                        1000000223.png

webliska #13

                          Hello,

                          Please check this:

{
  "ts": 1756622347138,
  "type": "delivered",
  "direction": "outbound",
  "uuid": "1332F07B-0C99-419E-A058-C1C88C5B8A94.1.3",
  "messageId": "<8cdb5704f0341e15369841ea1ed2d8d2ec82cb3e@w******.in>",
  "mailFrom": "<dikshant@w*****.in>",
  "spamStatus": null,
  "mailbox": null,
  "quotaPercent": null,
  "rcptTo": [
    "saqrhani@gmail.com",
    "60saladino@gmail.com"
  ],
  "server": {
    "host": "142.250.27.27",
    "ip": "142.250.27.27",
    "port": 25
  },
  "response": "OK 1756622347 4fb4d7f45d1cf-61cfc20e76csi3275416a12.146 - gsmtp"
}

ccfu #14

Please also post the "queued for delivery" log entry for this email, remembering to also obfuscate any sensitive information such as hostnames.

webliska #15

                              My Email Queue seems empty.

                              image.png

matix131997 #16

                                "direction": "outbound",

Sending is from the outside, i.e. someone has taken over your App Passwords on Profile.

                                1000000225.png

ccfu #17

                                  @matix131997 Direction outbound just means mail leaving the server but the origin can still be the server itself. This is why we also need to see the second log entry. In either case the sender has access to the account and there is a good chance your app password theory is correct.

                                  @webliska Not the mail queue, the queued for delivery log entry for the mail you already posted. Each successfully sent email should have two log entries: queued and delivered. You might need to change the display filters if you only see delivered.

                                  Also check whether an app password is set for the mail user in question and delete it if it is.

james (Staff) #18

                                    Hello @webliska

                                    Most things have already been mentioned.
                                    Check for an app password and if there is one, delete it.

                                    Another approach and thought.
                                    If you change the password of user dikshant does the outbound mail sending stop for a brief time?
Because it might be the case that user dikshant has his local computer infected with a virus that is constantly stealing login credentials and whole browser sessions.
                                    Thunderbird also stores passwords in clear text.
                                    So this might be another reason why even a password change is not enough.


jdaviescoates #19

                                      @james said in Email Spoofing Issue:

                                      Because, it might be the case that user dikshant might have his local computer infected with a virus that constantly is stealing login credentials and whole browser sessions.
                                      Thunderbird also stores passwords in clear text.
                                      So this might be another reason why even a password change is not enough.

                                      This is what I was wondering too.

luckow (translator) #20

                                        +1 for virus on desktop. Windows?

webliska #21

                                          @ccfu

                                          This is what I found as a queued email:

{
  "ts": 1756359482397,
  "type": "queued",
  "direction": "outbound",
  "uuid": "1332F07B-0C99-419E-A058-C1C88C5B8A94.1",
  "messageId": "<8cdb5704f0341e15369841ea1ed2d8d2ec82cb3e@w*****.in>",
  "mailFrom": "<dikshant@w*****.in>",
  "spamStatus": null,
  "mailbox": null,
  "quotaPercent": null,
  "rcptTo": [
    "blinbernard@sfr.fr",
    "cfcappa@hotmail.com",
    "saqrhani@gmail.com",
    "60saladino@gmail.com",
    "johnbagby@yahoo.com"
  ],
  "remote": {
    "ip": "118.151.221.26",
    "port": 41442,
    "host": "NXDOMAIN",
    "info": "NXDOMAIN",
    "closed": false,
    "is_private": false,
    "is_local": false
  },
  "authUser": "dikshant@w******.in",
  "message": "Message Queued (1332F07B-0C99-419E-A058-C1C88C5B8A94.1)"
}

                                          image.png

No app passwords either.

Also, I'm sure there is no virus in the system either.

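To make concrete the point ccfu raised in #17 and that webliska's queued entry in #21 confirms (only the "queued" record carries the submitting client in "remote" and the "authUser"; the "delivered" record only names the next hop, so "direction": "outbound" alone does not say where the mail came from), here is an added triage script. It is not from this thread or from Cloudron; it parses records in the shape posted above, links queued and delivered entries by queue id, and flags authenticated submissions from an external client with no reverse DNS and many recipients. The sample records, IPs, addresses, flag names and the bulk threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample log in the shape of the entries posted in this thread;
# addresses and IPs are placeholders, not the thread's real values.
SAMPLE_LOG = [json.loads(s) for s in [
    '{"type":"queued","direction":"outbound","uuid":"AAAA.1","authUser":"user@example.invalid",'
    '"rcptTo":["a@example.invalid","b@example.invalid","c@example.invalid"],'
    '"remote":{"ip":"203.0.113.7","port":41442,"host":"NXDOMAIN","is_private":false,"is_local":false}}',
    '{"type":"delivered","direction":"outbound","uuid":"AAAA.1.3",'
    '"rcptTo":["a@example.invalid"],"server":{"ip":"192.0.2.10","port":25}}',
    '{"type":"queued","direction":"outbound","uuid":"BBBB.1","authUser":null,'
    '"rcptTo":["d@example.invalid"],'
    '"remote":{"ip":"127.0.0.1","port":5000,"host":"localhost","is_private":true,"is_local":true}}',
]]

def base_uuid(uuid):
    """Queue id without the per-recipient delivery suffix: 'X.1.3' -> 'X.1'."""
    return ".".join(uuid.split(".")[:2])

def delivered_ids(log):
    """Queue ids that have at least one 'delivered' entry."""
    return {base_uuid(e["uuid"]) for e in log if e.get("type") == "delivered"}

def authenticated_submissions(log, bulk_threshold=3):
    """Map authUser -> queued submissions with the client facts that matter.

    Only the 'queued' entry carries 'remote' (the submitting client) and
    'authUser'; 'delivered' only names the next-hop server.
    """
    done = delivered_ids(log)
    result = defaultdict(list)
    for e in log:
        if e.get("type") != "queued" or e.get("direction") != "outbound":
            continue
        user = e.get("authUser")
        if not user:
            continue  # unauthenticated/local submissions are not account logins
        r = e.get("remote", {})
        flags = []
        if not (r.get("is_local") or r.get("is_private")):
            flags.append("external-client")
        if r.get("host") == "NXDOMAIN":
            flags.append("no-rdns")
        if len(e.get("rcptTo", [])) >= bulk_threshold:
            flags.append("bulk-recipients")
        qid = base_uuid(e["uuid"])
        result[user].append({"queue_id": qid, "client_ip": r.get("ip"),
                             "recipients": len(e.get("rcptTo", [])),
                             "delivered": qid in done, "flags": flags})
    return dict(result)

def suspicious_queue_ids(log):
    """Submissions that are authenticated, external, rDNS-less and bulk."""
    wanted = {"external-client", "no-rdns", "bulk-recipients"}
    return [s["queue_id"] for subs in authenticated_submissions(log).values()
            for s in subs if wanted <= set(s["flags"])]

if __name__ == "__main__":
    for user, subs in authenticated_submissions(SAMPLE_LOG).items():
        for s in subs:
            print(user, s)
    print("suspicious:", suspicious_queue_ids(SAMPLE_LOG))
```

Grouping by authUser and client IP over a real export shows at a glance whether a single account keeps submitting from the same unexpected address after each password change, which is the question this thread is circling.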