Email address compromised - 1000's of spam emails being sent

Time2Kill

This is the first time I've had something like this happen and I have no idea how to solve it. For the past 10 days, I've been getting several hundred undeliverable/bounced-back emails to my email account. They're all spam emails that I did not personally send, but they are originating from my email address.

I've run AVG virus scan and Malwarebytes on all my PCs and my phone that have access to that email, and have repeatedly changed passwords with absolutely no luck in getting this to stop.

Does anyone have any recommendations on how to solve this?

This is the header from one of the bounced emails:

Return-Path: <ti****@eadperformance.com>
Received: by gateway34.websitewelcome.com (Postfix, from userid 500)
id 33B7433D3E9E; Mon, 11 May 2015 18:09:30 -0500 (CDT)
Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
by gateway34.websitewelcome.com (Postfix) with ESMTP id 319F433D3E84
for <[email protected]>; Mon, 11 May 2015 18:09:30 -0500 (CDT)
Received: from gator4123.hostgator.com ([192.185.4.135])
by cm2.websitewelcome.com with
id Sn9V1q00G2unBdc01n9Wmn; Mon, 11 May 2015 18:09:30 -0500
Received: from [2.177.28.231] (port=50410 helo=[127.0.0.1])
by gator4123.hostgator.com with esmtpa (Exim 4.82)
(envelope-from <ti*****@eadperformance.com>)
id 1YrveK-0007WG-N1; Mon, 11 May 2015 16:54:09 -0500
Message-ID: <[email protected]>
Date: Mon, 11 May 2015 21:54:11 +0000
From: "Brittany Stryker" <ti*****@eadperformance.com>
Subject: greets
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-Mailer: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.2) Gecko/20021120
Netscape/7.01
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eadperformance.com
X-BWhitelist: no
X-Source-IP: 2.177.28.231
X-Exim-ID: 1YrveK-0007WG-N1
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([127.0.0.1]) [2.177.28.231]:50410
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 89
X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=
 
Did you change your email password? Did you change the password for your login at the hosting company that hosts the site the mail server is running on? Did you check all the code on your web server to ensure it hasn't been compromised?
 
Do all the bounces have similar Received paths? If so, I would definitely forward these to your host (hostgator); it looks like there's something fishy going on with some of the servers there. I don't know enough about how hostgator works to know if there's a chance that it's sending with your credentials, or if it's just forgery that suspiciously appears to come from your host.

If it's forgery, you can look into SPF, DKIM and DMARC to help reduce acceptance of forgeries (the big US email providers follow DMARC pretty well)
 
Are there any suspect rules or filters set on whatever client you use?
 
someone is spoofing your email address, basically nothing you can do.

They are sending out emails, spoofing the sender as your email address so all returns and notifications come back to you..

Who did you piss off lately?

Do you run your own mail server?
 
his email password has been hacked, and he's too derp to change it.
his domain actually uses hostgator, so they're not spoofing anything.
SPF does nothing for him. Mail is coming from his MX.
 
his email password has been hacked, and he's too derp to change it.
his domain actually uses hostgator, so they're not spoofing anything.
SPF does nothing for him. Mail is coming from his MX.

Password has been changed about 10 different times, with increasingly difficult passwords. Old passwords are verified not to work.

Cpanel password has also been changed multiple times.
 
someone is spoofing your email address, basically nothing you can do.

They are sending out emails, spoofing the sender as your email address so all returns and notifications come back to you..

Who did you piss off lately?

Do you run your own mail server?

Using hostgator.

Haven't pissed anyone off.

So you're basically saying I have to live with all the returned messages?
 
Do all the bounces have similar Received paths? If so, I would definitely forward these to your host (hostgator); it looks like there's something fishy going on with some of the servers there. I don't know enough about how hostgator works to know if there's a chance that it's sending with your credentials, or if it's just forgery that suspiciously appears to come from your host.

If it's forgery, you can look into SPF, DKIM and DMARC to help reduce acceptance of forgeries (the big US email providers follow DMARC pretty well)

Hostgator sucks. I already have several tickets open, none of them with responses from hostgator (going on 8 days now).

There are several different IPs being used, mostly from the Middle East, India, and Vietnam.


Here's a couple of the headers:

Return-Path: <ti****@eadperformance.com>
Received: by gateway23.websitewelcome.com (Postfix, from userid 500)
id 5F7C33F6CCE9; Tue, 12 May 2015 05:14:01 -0500 (CDT)
Received: from gator4123.hostgator.com (gator4123.hostgator.com [192.185.4.135])
by gateway23.websitewelcome.com (Postfix) with ESMTP id 5D6743F6CCCF
for <[email protected]>; Tue, 12 May 2015 05:14:01 -0500 (CDT)
Received: from [42.118.48.222] (port=17843 helo=[127.0.0.1])
by gator4123.hostgator.com with esmtpa (Exim 4.82)
(envelope-from <ti****@eadperformance.com>)
id 1Ys2Ik-0008JG-AX; Tue, 12 May 2015 00:00:19 -0500
X-MimeOLE: Produced By Microsoft MimeOLE V8.00.2900.4072
Message-ID: <[email protected]>
Date: Tue, 12 May 2015 05:00:20 +0000
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: Greets
To: [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eadperformance.com
X-BWhitelist: no
X-Source-IP: 42.118.48.222
X-Exim-ID: 1Ys2Ik-0008JG-AX
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([127.0.0.1]) [42.118.48.222]:17843
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 4
X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=

----------------------------------------------------------------------------------------------

Return-Path: <ti****@eadperformance.com>
Received: by gateway32.websitewelcome.com (Postfix, from userid 500)
id 75AC5419D5BE; Tue, 12 May 2015 07:38:01 -0500 (CDT)
Received: from cm1.websitewelcome.com (cm.websitewelcome.com [192.185.0.102])
by gateway32.websitewelcome.com (Postfix) with ESMTP id 736D9419D58F
for <[email protected]>; Tue, 12 May 2015 07:38:01 -0500 (CDT)
Received: from gator4123.hostgator.com ([192.185.4.135])
by cm1.websitewelcome.com with
id T0e01q00X2unBdc010e1NS; Tue, 12 May 2015 07:38:01 -0500
Received: from [183.81.81.207] (port=56795 helo=[127.0.0.1])
by gator4123.hostgator.com with esmtpa (Exim 4.82)
(envelope-from <ti****@eadperformance.com>)
id 1Ys8aq-000599-RO; Tue, 12 May 2015 06:43:25 -0500
Message-ID: <[email protected]>
Date: Tue, 12 May 2015 11:43:27 +0000
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: Sup
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-Mailer: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019
Netscape6/6.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eadperformance.com
X-BWhitelist: no
X-Source-IP: 183.81.81.207
X-Exim-ID: 1Ys8aq-000599-RO
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([127.0.0.1]) [183.81.81.207]:56795
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 372
X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=


----------------------------------------------------------------------------------------------------

Return-Path: <ti****@eadperformance.com>
Received: by gateway07.websitewelcome.com (Postfix, from userid 5007)
id 87ECF45D43F6E; Tue, 12 May 2015 07:38:01 -0500 (CDT)
Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
by gateway07.websitewelcome.com (Postfix) with ESMTP id 800FD45D43F26
for <[email protected]>; Tue, 12 May 2015 07:38:01 -0500 (CDT)
Received: from gator4123.hostgator.com ([192.185.4.135])
by cm2.websitewelcome.com with
id T0e01q00W2unBdc010e1hD; Tue, 12 May 2015 07:38:01 -0500
Received: from [183.81.81.207] (port=56795 helo=[127.0.0.1])
by gator4123.hostgator.com with esmtpa (Exim 4.82)
(envelope-from <ti****@eadperformance.com>)
id 1Ys8aq-000599-RO; Tue, 12 May 2015 06:43:25 -0500
Message-ID: <[email protected]>
Date: Tue, 12 May 2015 11:43:27 +0000
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: Sup
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected], [email protected]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-Mailer: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019
Netscape6/6.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - eadperformance.com
X-BWhitelist: no
X-Source-IP: 183.81.81.207
X-Exim-ID: 1Ys8aq-000599-RO
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([127.0.0.1]) [183.81.81.207]:56795
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 367
X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=
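The headers posted above answer the "spoofing vs. compromised password" question on their own, and the check is mechanical enough to script. The decisive hop is the one added by gator4123.hostgator.com: Exim writes `with esmtpa` only when the client completed SMTP AUTH, and cPanel's `X-Source-Auth` records which mailbox's credentials were presented. A forged message never passes through that node with those markers. The following is an added example, not code from the thread or from hostgator; it embeds one of the posted headers (sender masked as posted, recipient and Message-ID replaced with constructed placeholders because the page shows them redacted) next to a constructed forged header for contrast. The interpretation of `X-Source-Cap` beyond its last field is an assumption.

```python
import base64
import re

# Bounce headers copied from the thread above (sender local part masked as it
# was posted; the recipient address is a constructed placeholder). Only the
# lines the analysis needs are kept.
AUTHENTICATED_SAMPLE = """\
Return-Path: <ti****@eadperformance.com>
Received: from gator4123.hostgator.com (gator4123.hostgator.com [192.185.4.135])
by gateway23.websitewelcome.com (Postfix) with ESMTP id 5D6743F6CCCF
for <recipient@example.com>; Tue, 12 May 2015 05:14:01 -0500 (CDT)
Received: from [42.118.48.222] (port=17843 helo=[127.0.0.1])
by gator4123.hostgator.com with esmtpa (Exim 4.82)
(envelope-from <ti****@eadperformance.com>)
id 1Ys2Ik-0008JG-AX; Tue, 12 May 2015 00:00:19 -0500
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: Greets
X-Source-IP: 42.118.48.222
X-Exim-ID: 1Ys2Ik-0008JG-AX
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 4
X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=
"""

# Constructed counter-example: a genuinely forged message. From: and
# Return-Path: claim the same address, but the message never touched the
# hostgator node and no hop records an authenticated submission.
FORGED_SAMPLE = """\
Return-Path: <ti****@eadperformance.com>
Received: from mail.example.net (unknown [203.0.113.7])
by mx.example.org (Postfix) with ESMTP id 4C2A1B
for <recipient@example.org>; Tue, 12 May 2015 05:14:01 -0500 (CDT)
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: Greets
"""

# Exim's Received: line for a client that connected to the submission service.
# "esmtpa" / "esmtpsa" is Exim's notation for an SMTP session that passed AUTH
# (the trailing "a"), with or without TLS (the "s").
EXIM_HOP = re.compile(
    r"Received: from \[(?P<ip>[\d.]+)\] \(port=(?P<port>\d+) helo=(?P<helo>[^\s)]+)\)\s+"
    r"by (?P<mta>\S+) with (?P<proto>esmtps?a?)"
)

TRACE_HEADERS = re.compile(
    r"^(X-Source-IP|X-Source-Auth|X-Email-Count|X-Source-Cap|Return-Path):\s*(.+?)\s*$",
    re.M,
)


def analyze(raw_headers):
    """Classify one bounce's headers as credential abuse or plain forgery."""
    trace = dict(TRACE_HEADERS.findall(raw_headers))
    hop = EXIM_HOP.search(raw_headers)
    result = {
        "submission_ip": hop.group("ip") if hop else trace.get("X-Source-IP"),
        "submitting_mta": hop.group("mta") if hop else None,
        "protocol": hop.group("proto") if hop else None,
        "authenticated_as": trace.get("X-Source-Auth"),
        "email_count": int(trace["X-Email-Count"]) if "X-Email-Count" in trace else None,
    }
    authenticated = (
        result["protocol"] in ("esmtpa", "esmtpsa") or result["authenticated_as"] is not None
    )
    result["verdict"] = "credential compromise" if authenticated else "forged envelope (spoofing)"
    cap = trace.get("X-Source-Cap")
    if cap:
        # X-Source-Cap is base64 of ';'-separated fields; the last one is the
        # hosting node. Assumption: cPanel's layout of the other fields is not
        # documented, so only the hostname is relied on here.
        result["source_cap"] = base64.b64decode(cap).decode("ascii").split(";")
    return result


if __name__ == "__main__":
    for name, raw in (("thread header", AUTHENTICATED_SAMPLE), ("constructed forgery", FORGED_SAMPLE)):
        r = analyze(raw)
        print(f"{name}: {r['verdict']} via {r['submitting_mta']} from {r['submission_ip']} "
              f"(auth user: {r['authenticated_as']}, batch size: {r['email_count']})")
```

Run against the four headers in this thread, every one classifies as an authenticated submission through gator4123.hostgator.com from a different client IP, which is why SPF/DKIM/DMARC cannot help: the mail is leaving the domain's legitimate MX, signed and permitted like any other. The `X-Email-Count` values (89, 4, 372, 367) are also worth reading as batch sizes per session.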
 
Have you checked the sent mail folder and trash on the server to see if the original outgoing spam messages are in there?

This will tell you if your server is sending them. You can also try checking your mail logs from sendmail/exim/qmail/etc. to see if your server is sending the original messages. Once you verify that you have or have not sent the messages, that leads you to your next step.

If your account is compromised and you have changed the password, then you need to check to see if any new accounts have been created that have root/admin capabilities. They could change the password back or do send as.

If you have a website, check to make sure there is not anything on the site to send e-mail.

If it isn't coming from your server at all, then there isn't much you can do as your address is being spoofed.
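The log check suggested above is the one that settles it when you do have server access: Exim's mainlog records every accepted message with the client IP, the protocol, and (for `P=esmtpa`) the authenticator and the mailbox that logged in. The following is an added example, not the thread's or hostgator's code, and the log excerpt is constructed to mirror the hops seen in the posted headers; the `dovecot_login` authenticator name, every IP, message id and the "home" address are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt in the "<=" (message accepted) line format:
# sender, H=(helo) [ip]:port, P=protocol, A=authenticator:user, S=size, id=.
# Assumptions: the cPanel authenticator name "dovecot_login" and every
# address, IP and message id below are made up; the mailbox is masked the
# same way the thread masks it, and 198.51.100.23 plays the owner's own PC.
SAMPLE_MAINLOG = """\
2015-05-11 09:12:40 1YroYb-0001Aa-Qx <= ti****@eadperformance.com H=(home-pc) [198.51.100.23]:49152 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=1820 id=a1@local
2015-05-11 16:54:09 1YrveK-0007WG-N1 <= ti****@eadperformance.com H=([127.0.0.1]) [2.177.28.231]:50410 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=2104 id=b2@local
2015-05-12 00:00:19 1Ys2Ik-0008JG-AX <= ti****@eadperformance.com H=([127.0.0.1]) [42.118.48.222]:17843 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=2088 id=c3@local
2015-05-12 06:43:25 1Ys8aq-000599-RO <= ti****@eadperformance.com H=([127.0.0.1]) [183.81.81.207]:56795 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=2111 id=d4@local
2015-05-12 07:01:02 1Ys8rx-0005Jk-2B <= newsletter@example.net H=mx.example.net [203.0.113.9]:41022 P=esmtp S=5120 id=e5@example.net
2015-05-12 07:30:11 1Ys9KJ-0005Zz-Tm <= sales@eadperformance.com H=(home-pc) [198.51.100.23]:49160 P=esmtpa A=dovecot_login:sales@eadperformance.com S=900 id=f6@local
"""

# One accepted-message line. The A= group is optional: inbound mail from
# another MX arrives with P=esmtp and no authenticator at all.
RECEIVED_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[\d.]+)\]:\d+ P=(?P<proto>\S+)"
    r"(?: A=(?P<authenticator>[^:\s]+):(?P<user>\S+))?"
)


def authenticated_submissions(log_text):
    """Yield (timestamp, mailbox, client_ip) for every message accepted after SMTP AUTH."""
    for line in log_text.splitlines():
        m = RECEIVED_LINE.match(line)
        if m and m.group("user"):
            yield f"{m.group('date')} {m.group('time')}", m.group("user"), m.group("ip")


def ips_per_mailbox(log_text):
    """Map each authenticating mailbox to the sorted list of client IPs it used."""
    seen = defaultdict(set)
    for _, user, ip in authenticated_submissions(log_text):
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def flag_compromised(log_text, known_good_ips, max_unknown_ips=1):
    """Mailboxes whose credentials were used from more unknown IPs than allowed.

    A mailbox is flagged when the number of client IPs outside known_good_ips
    exceeds max_unknown_ips; the flagged value is that list of unknown IPs.
    """
    flagged = {}
    for user, ips in ips_per_mailbox(log_text).items():
        unknown = [ip for ip in ips if ip not in known_good_ips]
        if len(unknown) > max_unknown_ips:
            flagged[user] = unknown
    return flagged


if __name__ == "__main__":
    for user, ips in flag_compromised(SAMPLE_MAINLOG, {"198.51.100.23"}).items():
        print(f"{user}: authenticated sends from {len(ips)} unknown IPs: {', '.join(ips)}")
```

The "known good" set is whatever the owner actually uses (home, office, phone carrier). A mailbox that keeps authenticating from fresh IPs after its password was changed is the signal that either the change is not taking effect on the server, or something else (a leftover session, another credential for the same account, a web script) is being used; that is the question to put to the host along with the Exim IDs.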
 
Have you checked the sent mail folder and trash on the server to see if the original outgoing spam messages are in there?

This will tell you if your server is sending them. You can also try checking your mail logs from sendmail/exim/qmail/etc. to see if your server is sending the original messages. Once you verify that you have or have not sent the messages, that leads you to your next step.

If your account is compromised and you have changed the password, then you need to check to see if any new accounts have been created that have root/admin capabilities. They could change the password back or do send as.

If you have a website, check to make sure there is not anything on the site to send e-mail.

If it isn't coming from your server at all, then there isn't much you can do as your address is being spoofed.


Checked sent/trash folders and nothing shows up there. No extra accounts that I can see have been created for access.

Unfortunately, hostgator doesn't allow access to email logs. I've got a request into support to have them sent to me.

Nothing is currently hosted on the site. It's mostly just an image dump right now. I did go through all the directories and don't see anything out of the ordinary.
 
If someone is spoofing your address, yes, you basically have to live with the crap that will come back to you, unless you implement rules and filters.

It would be like me signing up for crap under your home address: unless you tell the post office to stop delivering things, there's not much you can do.

Also, if you have a "catch all" email address, get rid of it, or the option.
 
Enable rDNS and SPF filters. That will surely trim the spam emails down.
 