Email Spoofing Issue
-
We changed the password multiple times.. but still the same.. the emails are being delivered to unknown users and even we don't know what exactly is being sent in the email..
This is urgent and I need a resolution for the same.
Thanks!
@webliska Send the header from the Email Log here and check if you have the application password in the “Profiles” tab.
-
Is there maybe an app running which is configured to send email via that user's account? If so, maybe the app has been compromised and is sending out emails.
You might want to consider temporarily disable outbound email for this domain until the the issue has been resolved. This may not be an option of course as it would impact other addresses on the same domain.
The email headers would be interesting here as @matix131997 already mentioned.
-
Hello, how to send the header of the emails? Can you guide me on this? I'm just receiving Mailer Demon Failure emails and not the ones that are sent.
No app is configured with the email. For now, I have inactivated the email account.
@webliska You have to click on the list of the email in question then the information should appear underneath.
-
Hello,
Please check this:
{
"ts": 1756622347138,
"type": "delivered",
"direction": "outbound",
"uuid": "1332F07B-0C99-419E-A058-C1C88C5B8A94.1.3",
"messageId": "<8cdb5704f0341e15369841ea1ed2d8d2ec82cb3e@w******.in>",
"mailFrom": "<dikshant@w*****.in>",
"spamStatus": null,
"mailbox": null,
"quotaPercent": null,
"rcptTo": [
"saqrhani@gmail.com",
"60saladino@gmail.com"
],
"server": {
"host": "142.250.27.27",
"ip": "142.250.27.27",
"port": 25
},
"response": "OK 1756622347 4fb4d7f45d1cf-61cfc20e76csi3275416a12.146 - gsmtp"
} -
"direction": "outbound",
Sending is from the outside i.e. someone has taken over your App Passwords on Profile.
-
@matix131997 Direction outbound just means mail leaving the server but the origin can still be the server itself. This is why we also need to see the second log entry. In either case the sender has access to the account and there is a good chance your app password theory is correct.
@webliska Not the mail queue, the queued for delivery log entry for the mail you already posted. Each successfully sent email should have two log entries: queued and delivered. You might need to change the display filters if you only see delivered.
Also check whether an app password is set for the mail user in question and delete it if it is.
-
Hello @webliska
Most things have already been mentioned.
Check for an app password and if there is one, delete it.Another approach and thought.
If you change the password of userdikshantdoes the outbound mail sending stop for a brief time?
Because, it might be the case that userdikshantmight have his local computer infected with a virus that constantly is stealing login credentials and whole browser sessions.
Thunderbird also stores passwords in clear text.
So this might be another reason why even a password change is not enough. -
Hello @webliska
Most things have already been mentioned.
Check for an app password and if there is one, delete it.Another approach and thought.
If you change the password of userdikshantdoes the outbound mail sending stop for a brief time?
Because, it might be the case that userdikshantmight have his local computer infected with a virus that constantly is stealing login credentials and whole browser sessions.
Thunderbird also stores passwords in clear text.
So this might be another reason why even a password change is not enough.@james said in Email Spoofing Issue:
Because, it might be the case that user dikshant might have his local computer infected with a virus that constantly is stealing login credentials and whole browser sessions.
Thunderbird also stores passwords in clear text.
So this might be another reason why even a password change is not enough.This is what I was wondering too.
-
+1 for virus on desktop. Windows?
-
This is what I found as a queued email:
{
"ts": 1756359482397,
"type": "queued",
"direction": "outbound",
"uuid": "1332F07B-0C99-419E-A058-C1C88C5B8A94.1",
"messageId": "<8cdb5704f0341e15369841ea1ed2d8d2ec82cb3e@w*****.in>",
"mailFrom": "<dikshant@w*****.in>",
"spamStatus": null,
"mailbox": null,
"quotaPercent": null,
"rcptTo": [
"blinbernard@sfr.fr",
"cfcappa@hotmail.com",
"saqrhani@gmail.com",
"60saladino@gmail.com",
"johnbagby@yahoo.com"
],
"remote": {
"ip": "118.151.221.26",
"port": 41442,
"host": "NXDOMAIN",
"info": "NXDOMAIN",
"closed": false,
"is_private": false,
"is_local": false
},
"authUser": "dikshant@w******.in",
"message": "Message Queued (1332F07B-0C99-419E-A058-C1C88C5B8A94.1)"
}
No app passwords as well.
Also, I'm sure there is no virus as well in the system.
-
The log entry shows that the email originated from an IP in Indonesia which does not have the best reputation (the ISP is PT Centrin Online Prima) and was sent whilst logged in as dikshant@... Does this information help you to identify the connections?
If you do not recognise the connections, check some of the other log entries. Are the mails all being sent from the same IP? If so, you could block it in the network settings. If not, do you see a pattern?
-
@robi Yes, I did that already, but if not don,e then even if changing the password for the email won't log them out on its own?
@webliska logins are session based.
You can change the password all you like, as long as the session is active, it doesn't prevent access.
The logs may be misleading in printing the user logged in, when it's really just checking for an active session.
Hence the button exists.
-
@webliska logins are session based.
You can change the password all you like, as long as the session is active, it doesn't prevent access.
The logs may be misleading in printing the user logged in, when it's really just checking for an active session.
Hence the button exists.
@robi said in Email Spoofing Issue:
logins are session based.
You can change the password all you like, as long as the session is active, it doesn't prevent access.
This was the other thing I was wondering, together with a virus laden local machine somewhere, i.e. an active session on a dodgy machine.
