Email address compromised - 1000's of spam emails being sent

Discussion in 'Networking & Security' started by Time2Kill, May 11, 2015.

  1. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005
    This is the first time I've had something like this happen and no idea how to solve it. For the past 10 days, I've been getting several hundred Undeliverable/Bounced back emails to my email account. They're all spam emails that I did not personally send, but are originating from my email address.

    I've run AVG virus scan and Malware Bytes on all my PCs and phone that have access to that email and have repeatedly changed passwords with absolutely no luck in getting this to stop.

    Does anyone have any recommendations on how to solve this?

    This is the header from one of the bounced emails:

    Return-Path: <ti****@eadperformance.com>
    Received: by gateway34.websitewelcome.com (Postfix, from userid 500)
    id 33B7433D3E9E; Mon, 11 May 2015 18:09:30 -0500 (CDT)
    Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
    by gateway34.websitewelcome.com (Postfix) with ESMTP id 319F433D3E84
    for <marv_lysak@yahoo.com>; Mon, 11 May 2015 18:09:30 -0500 (CDT)
    Received: from gator4123.hostgator.com ([192.185.4.135])
    by cm2.websitewelcome.com with
    id Sn9V1q00G2unBdc01n9Wmn; Mon, 11 May 2015 18:09:30 -0500
    Received: from [2.177.28.231] (port=50410 helo=[127.0.0.1])
    by gator4123.hostgator.com with esmtpa (Exim 4.82)
    (envelope-from <ti*****@eadperformance.com>)
    id 1YrveK-0007WG-N1; Mon, 11 May 2015 16:54:09 -0500
    Message-ID: <55512500.6BCA9524@eadperformance.com>
    Date: Mon, 11 May 2015 21:54:11 +0000
    From: "Brittany Stryker" <ti*****@eadperformance.com>
    Subject: greets
    To: andycozz@hotmail.com, poluch22@hotmail.com, slob_o@hotmail.com,
    bayemt@hotmail.com, marv_lysak@yahoo.com, garhi40@hotmail.com
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/plain; charset=UTF-8
    X-Mailer: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.2) Gecko/20021120
    Netscape/7.01
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
    X-AntiAbuse: Original Domain - yahoo.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - eadperformance.com
    X-BWhitelist: no
    X-Source-IP: 2.177.28.231
    X-Exim-ID: 1YrveK-0007WG-N1
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Source-Sender: ([127.0.0.1]) [2.177.28.231]:50410
    X-Source-Auth: ti****@eadperformance.com
    X-Email-Count: 89
    X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=
     
  2. Skillz

    Skillz [H]ard DCOTY 2017

    Messages:
    21,710
    Joined:
    Aug 14, 2004
    Did you change your email password? Did you change the password for your login at the hosting company that's hosting your site the mail server is running on? Did you check all the code on your web server to ensure it hasn't been compromised?
     
  3. toast0

    toast0 Gawd

    Messages:
    893
    Joined:
    Jan 26, 2010
    Do all the bounces have similar Received paths? If so, I would definitely forward these to your host (hostgator), it looks like there's something fishy going on with some of the servers there. I don't know enough about how hostgator works to know if there's a chance that it's sending with your credentials, or if it's just forgery that suspiciously appears to come from your host.

    If it's forgery, you can look into SPF, DKIM and DMARC to help reduce acceptance of forgeries (the big US email providers follow DMARC pretty well).
     
    Last edited: May 12, 2015
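toast0's question above (is the host sending with the poster's credentials, or is this plain forgery?) can be answered from the headers in the first post: the hop `by gator4123.hostgator.com with esmtpa` means Exim accepted the message over authenticated SMTP (the trailing "a" in esmtpa), and `X-Source-Auth` names the account that authenticated. The Python script below is an added example, not code from the thread or from HostGator. It unfolds a bounce's headers, looks for an authenticated hop through a given MX domain, and classifies the bounce. The first sample header block is the one from the first post, re-folded so it parses; the second sample (`mx.example.net`, `198.51.100.77`, the `PLACEHOLDER` queue ids) is constructed to show what a forgery that never touched the victim's host looks like.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample 1: the bounce header from the first post, re-folded (continuation lines
# indented) so it parses as RFC 5322 headers; addresses masked as in the thread.
SAMPLE_ABUSE = """\
Return-Path: <ti****@eadperformance.com>
Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
    by gateway34.websitewelcome.com (Postfix) with ESMTP id 319F433D3E84
    for <marv_lysak@yahoo.com>; Mon, 11 May 2015 18:09:30 -0500 (CDT)
Received: from gator4123.hostgator.com ([192.185.4.135])
    by cm2.websitewelcome.com with
    id Sn9V1q00G2unBdc01n9Wmn; Mon, 11 May 2015 18:09:30 -0500
Received: from [2.177.28.231] (port=50410 helo=[127.0.0.1])
    by gator4123.hostgator.com with esmtpa (Exim 4.82)
    (envelope-from <ti*****@eadperformance.com>)
    id 1YrveK-0007WG-N1; Mon, 11 May 2015 16:54:09 -0500
From: "Brittany Stryker" <ti*****@eadperformance.com>
Subject: greets
X-Source-IP: 2.177.28.231
X-Source-Auth: ti****@eadperformance.com
X-Email-Count: 89
"""

# Sample 2: CONSTRUCTED forgery. Same From address, but no hop shows an
# authenticated submission through the victim's host. Hosts and IPs are
# documentation values and the queue ids are placeholders.
SAMPLE_FORGED = """\
Return-Path: <ti****@eadperformance.com>
Received: from mx.example.net (mx.example.net [203.0.113.5])
    by gateway01.example.org (Postfix) with ESMTP id PLACEHOLDER1
    for <someone@example.org>; Tue, 12 May 2015 09:00:00 -0500 (CDT)
Received: from [198.51.100.77] (helo=eadperformance.com)
    by mx.example.net with esmtp (Exim 4.82)
    id PLACEHOLDER2; Tue, 12 May 2015 08:59:58 -0500
From: "Brittany Stryker" <ti****@eadperformance.com>
Subject: greets
"""

BY_RE = re.compile(r"\bby\s+(\S+)\s+with\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_PROTOS = {"esmtpa", "esmtpsa"}  # Exim's names for SMTP with SASL authentication


def unfold_headers(raw: str):
    """Join folded continuation lines; return [(name, value), ...] in header order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


@dataclass
class Triage:
    authenticated_hop: bool
    our_mx: Optional[str]
    source_ip: Optional[str]
    auth_user: Optional[str]
    email_count: Optional[int]
    verdict: str


def triage_bounce(raw: str, our_mx_suffix: str) -> Triage:
    """Decide whether a bounced message was submitted through our own MX with
    valid credentials (account abuse) or merely forged somewhere else."""
    headers = unfold_headers(raw)

    def first(name):
        return next((v for k, v in headers if k.lower() == name.lower()), None)

    suffix = our_mx_suffix.lower()
    for hop in (v for k, v in headers if k.lower() == "received"):
        m = BY_RE.search(hop)
        if not m:
            continue
        by_host, proto = m.group(1).lower(), m.group(2).lower()
        if by_host.endswith(suffix) and proto in AUTH_PROTOS:
            ip = IP_RE.search(hop)  # first bracketed address is the connecting client
            count = first("X-Email-Count")
            return Triage(
                True, by_host,
                ip.group(1) if ip else first("X-Source-IP"),
                first("X-Source-Auth"),
                int(count) if count and count.isdigit() else None,
                f"credential-abuse: {by_host} accepted the message over {proto} as an "
                "authenticated user; rotate the mailbox password, revoke existing "
                "sessions and app passwords, and report the source IP to the host")
    return Triage(False, None, None, None, None,
                  "forgery: no authenticated hop through our MX; publish SPF, sign "
                  "with DKIM and set a DMARC policy so receivers can reject it")


def source_ips(bounces, our_mx_suffix):
    """Count originating IPs over many bounces (toast0's 'similar Received paths' check)."""
    counts = {}
    for raw in bounces:
        t = triage_bounce(raw, our_mx_suffix)
        if t.authenticated_hop and t.source_ip:
            counts[t.source_ip] = counts.get(t.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in (SAMPLE_ABUSE, SAMPLE_FORGED):
        print(triage_bounce(sample, "hostgator.com").verdict)
```

Run over a folder of saved bounces, `source_ips` gives the per-IP tally that a host's abuse desk will want alongside the `X-Exim-ID` values; the verdict on a single bounce is what decides whether SPF/DKIM/DMARC (forgery) or a credential reset plus session revocation (authenticated abuse) is the right fix.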
  4. socK

    socK 2[H]4U

    Messages:
    3,650
    Joined:
    Jan 25, 2004
    Are there any suspect rules or filters set on whatever client you use?
     
  5. MrGuvernment

    MrGuvernment [H]ard as it Gets

    Messages:
    19,167
    Joined:
    Aug 3, 2004
    someone is spoofing your email address, basically nothing you can do.

    They are sending out emails, spoofing the sender as your email address so all returns and notifications come back to you.

    Who did you piss off lately?

    Do you run your own mail server?
     
  6. diizzy

    diizzy 2[H]4U

    Messages:
    2,602
    Joined:
    Nov 6, 2008
    Last edited: May 12, 2015
  7. mwarps

    mwarps [H]ardness Supreme

    Messages:
    7,061
    Joined:
    Oct 6, 2002
    his email password has been hacked, and he's too derp to change it.
    his domain actually uses hostgator, so they're not spoofing anything.
    SPF does nothing for him. mail is coming from his MX.
     
  8. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005
    Password has been changed about 10 different times, with increasingly difficult passwords. Old passwords are verified not to work.

    Cpanel password has also been changed multiple times.
     
  9. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005
    Using hostgator.

    Haven't pissed anyone off.

    So you're basically saying I have to live with all the returned messages?
     
  10. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005
    Hostgator sucks, I already have several tickets open, none of them with responses from hostgator (going on 8 days now).

    There are several different IPs being used, mostly from the middle east, india, and vietnam.


    Here's a couple of the headers:

    Return-Path: <ti****@eadperformance.com>
    Received: by gateway23.websitewelcome.com (Postfix, from userid 500)
    id 5F7C33F6CCE9; Tue, 12 May 2015 05:14:01 -0500 (CDT)
    Received: from gator4123.hostgator.com (gator4123.hostgator.com [192.185.4.135])
    by gateway23.websitewelcome.com (Postfix) with ESMTP id 5D6743F6CCCF
    for <candy_man1413@yahoo.com>; Tue, 12 May 2015 05:14:01 -0500 (CDT)
    Received: from [42.118.48.222] (port=17843 helo=[127.0.0.1])
    by gator4123.hostgator.com with esmtpa (Exim 4.82)
    (envelope-from <ti****@eadperformance.com>)
    id 1Ys2Ik-0008JG-AX; Tue, 12 May 2015 00:00:19 -0500
    X-MimeOLE: Produced By Microsoft MimeOLE V8.00.2900.4072
    Message-ID: <270d2ede$1d63d5d9$3f8b4f03@eadperformance.com>
    Date: Tue, 12 May 2015 05:00:20 +0000
    From: "Brittany Stryker" <ti****@eadperformance.com>
    Subject: Greets
    To: candy_man010010@yahoo.com, candy_man082008@yahoo.com,
    candy_man126@yahoo.com, candy_man12@hotmail.com, candy_man1413@yahoo.com,
    candy_man16434@yahoo.com, candy_man20077@hotmail.com, candy_man210@yahoo.com
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/plain; charset=UTF-8
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
    X-AntiAbuse: Original Domain - yahoo.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - eadperformance.com
    X-BWhitelist: no
    X-Source-IP: 42.118.48.222
    X-Exim-ID: 1Ys2Ik-0008JG-AX
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Source-Sender: ([127.0.0.1]) [42.118.48.222]:17843
    X-Source-Auth: ti****@eadperformance.com
    X-Email-Count: 4
    X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=

    ----------------------------------------------------------------------------------------------

    Return-Path: <ti****@eadperformance.com>
    Received: by gateway32.websitewelcome.com (Postfix, from userid 500)
    id 75AC5419D5BE; Tue, 12 May 2015 07:38:01 -0500 (CDT)
    Received: from cm1.websitewelcome.com (cm.websitewelcome.com [192.185.0.102])
    by gateway32.websitewelcome.com (Postfix) with ESMTP id 736D9419D58F
    for <davematt69@hotmail.com>; Tue, 12 May 2015 07:38:01 -0500 (CDT)
    Received: from gator4123.hostgator.com ([192.185.4.135])
    by cm1.websitewelcome.com with
    id T0e01q00X2unBdc010e1NS; Tue, 12 May 2015 07:38:01 -0500
    Received: from [183.81.81.207] (port=56795 helo=[127.0.0.1])
    by gator4123.hostgator.com with esmtpa (Exim 4.82)
    (envelope-from <ti****@eadperformance.com>)
    id 1Ys8aq-000599-RO; Tue, 12 May 2015 06:43:25 -0500
    Message-ID: <5551E759.30B2F87E@eadperformance.com>
    Date: Tue, 12 May 2015 11:43:27 +0000
    From: "Brittany Stryker" <ti****@eadperformance.com>
    Subject: Sup
    To: davematt69@hotmail.com, ericbunyan73@yahoo.com, brandon8sf@gmail.com,
    tmarch90@gmail.com, bigdaddyo1@outlook.com, cdoriety@yahoo.com,
    corybkr61@gmail.com, msdivine07@aol.com, kadrijaha_6@hotmail.com
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/plain; charset=UTF-8
    X-Mailer: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019
    Netscape6/6.2
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - eadperformance.com
    X-BWhitelist: no
    X-Source-IP: 183.81.81.207
    X-Exim-ID: 1Ys8aq-000599-RO
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Source-Sender: ([127.0.0.1]) [183.81.81.207]:56795
    X-Source-Auth: ti****@eadperformance.com
    X-Email-Count: 372
    X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=


    ----------------------------------------------------------------------------------------------------

    Return-Path: <ti****@eadperformance.com>
    Received: by gateway07.websitewelcome.com (Postfix, from userid 5007)
    id 87ECF45D43F6E; Tue, 12 May 2015 07:38:01 -0500 (CDT)
    Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
    by gateway07.websitewelcome.com (Postfix) with ESMTP id 800FD45D43F26
    for <cdoriety@yahoo.com>; Tue, 12 May 2015 07:38:01 -0500 (CDT)
    Received: from gator4123.hostgator.com ([192.185.4.135])
    by cm2.websitewelcome.com with
    id T0e01q00W2unBdc010e1hD; Tue, 12 May 2015 07:38:01 -0500
    Received: from [183.81.81.207] (port=56795 helo=[127.0.0.1])
    by gator4123.hostgator.com with esmtpa (Exim 4.82)
    (envelope-from <ti****@eadperformance.com>)
    id 1Ys8aq-000599-RO; Tue, 12 May 2015 06:43:25 -0500
    Message-ID: <5551E759.30B2F87E@eadperformance.com>
    Date: Tue, 12 May 2015 11:43:27 +0000
    From: "Brittany Stryker" <ti****@eadperformance.com>
    Subject: Sup
    To: davematt69@hotmail.com, ericbunyan73@yahoo.com, brandon8sf@gmail.com,
    tmarch90@gmail.com, bigdaddyo1@outlook.com, cdoriety@yahoo.com,
    corybkr61@gmail.com, msdivine07@aol.com, kadrijaha_6@hotmail.com
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/plain; charset=UTF-8
    X-Mailer: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019
    Netscape6/6.2
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - gator4123.hostgator.com
    X-AntiAbuse: Original Domain - yahoo.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - eadperformance.com
    X-BWhitelist: no
    X-Source-IP: 183.81.81.207
    X-Exim-ID: 1Ys8aq-000599-RO
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Source-Sender: ([127.0.0.1]) [183.81.81.207]:56795
    X-Source-Auth: ti****@eadperformance.com
    X-Email-Count: 367
    X-Source-Cap: ZWFkcGVyZjE7ZWFkcGVyZjE7Z2F0b3I0MTIzLmhvc3RnYXRvci5jb20=
     
  11. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005
    Using Outlook and Windows Live Mail, no rules/filters set at all.
     
  12. Haven

    Haven I Only Post Important Stuff

    Messages:
    6,049
    Joined:
    Oct 11, 2002
    Have you checked the sent mail folder and trash on the server to see if the original outgoing spam messages are in there?

    This will tell you if your server is sending them. You can also try checking your mail logs from sendmail/exim/qmail/etc to see if your server is sending the original messages. Once you verify that you have or have not sent the messages, that leads you to your next step.

    If your account is compromised and you have changed the password, then you need to check to see if any new accounts have been created that have root/admin capabilities. They could change the password back or do send as.

    If you have a website, check to make sure there is not anything on the site to send e-mail.

    If it isn't coming from your server at all, then there isn't much you can do as your address is being spoofed.
     
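Haven's advice to check the server's mail logs is the decisive test, and the thread's own headers (Exim 4.82 at the host, `esmtpa`, `X-Source-IP`) show what such a log would record. The script below is an added example, not code from the thread, from HostGator or from Exim: it parses main-log style `<=` (message received) lines, groups authenticated submissions by account, and flags any account that submits from more distinct source addresses than one legitimate user plausibly would. The log lines are constructed (the host never released logs to the poster): the first two reuse queue ids, IPs and Message-IDs from headers posted in the thread, the rest use placeholder ids and documentation addresses. It assumes Exim's `H=<helo> [ip]:port P=<protocol> A=<authenticator>:<login>` field layout on those lines.

```python
import re
from collections import defaultdict

# CONSTRUCTED sample in Exim mainlog style ('<=' = message received,
# '=>' = delivered). Not real log lines: the first two reuse values from headers
# posted in the thread, the others are placeholders / documentation addresses.
SAMPLE_LOG = """\
2015-05-12 00:00:19 1Ys2Ik-0008JG-AX <= ti****@eadperformance.com H=([127.0.0.1]) [42.118.48.222]:17843 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=2048 id=270d2ede$1d63d5d9$3f8b4f03@eadperformance.com
2015-05-12 06:43:25 1Ys8aq-000599-RO <= ti****@eadperformance.com H=([127.0.0.1]) [183.81.81.207]:56795 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=1930 id=5551E759.30B2F87E@eadperformance.com
2015-05-12 07:10:02 PLACEHOLDER-QID-1 <= ti****@eadperformance.com H=([127.0.0.1]) [2.177.28.231]:50410 P=esmtpa A=dovecot_login:ti****@eadperformance.com S=2011 id=placeholder-1@eadperformance.com
2015-05-12 08:00:00 PLACEHOLDER-QID-2 <= owner@eadperformance.com H=(home-pc) [198.51.100.10]:54321 P=esmtpa A=dovecot_login:owner@eadperformance.com S=900 id=placeholder-2@eadperformance.com
2015-05-12 08:00:01 PLACEHOLDER-QID-2 => friend@example.com R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.9]
2015-05-12 08:05:00 PLACEHOLDER-QID-3 <= bounce@example.org H=mail.example.org [203.0.113.20]:25 P=esmtp S=1200 id=placeholder-3@example.org
"""

# The lazy '.*?' plus the '] P=' requirement skips the bracketed HELO address
# inside H=(...) and lands on the real connecting IP.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<qid>\S+) <= (?P<env_from>\S+) "
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?::\d+)? P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))?"
)


def parse_submissions(log_text):
    """Yield one dict per '<=' line (a message Exim accepted), with the
    authenticated login if the client used SMTP AUTH."""
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        auth = m.group("auth")  # Exim writes A=<authenticator>:<id>
        yield {
            "ts": m.group("ts"),
            "qid": m.group("qid"),
            "env_from": m.group("env_from"),
            "ip": m.group("ip"),
            "proto": m.group("proto"),
            "user": auth.split(":", 1)[1] if auth and ":" in auth else None,
        }


def analyze_exim_log(log_text, max_ips=2, max_messages=50):
    """Per authenticated account: message count, distinct source IPs, time window,
    and a 'suspicious' flag when the account submits from more IPs (or more
    messages) than a single legitimate user plausibly would. Unauthenticated
    inbound mail is ignored: it cannot be abuse of a mailbox password."""
    per_user = defaultdict(lambda: {"messages": 0, "ips": set(), "first": None, "last": None})
    for rec in parse_submissions(log_text):
        if rec["user"] is None:
            continue
        stats = per_user[rec["user"]]
        stats["messages"] += 1
        stats["ips"].add(rec["ip"])
        stats["first"] = stats["first"] or rec["ts"]
        stats["last"] = rec["ts"]
    return {
        user: {
            "messages": s["messages"],
            "ips": sorted(s["ips"]),
            "window": (s["first"], s["last"]),
            "suspicious": len(s["ips"]) > max_ips or s["messages"] > max_messages,
        }
        for user, s in per_user.items()
    }


if __name__ == "__main__":
    for user, info in analyze_exim_log(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {user}: {info['messages']} msgs from {info['ips']}")
```

On a real log the thresholds are the judgement call: a travelling user may legitimately appear from two or three addresses in a day, but three continents and hundreds of `esmtpa` submissions in a few hours for one login, as the `X-Email-Count` values in the thread suggest, is what a compromised password looks like from the server side, and it is the evidence to attach to a support ticket.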
  13. Time2Kill

    Time2Kill [H]ard|Gawd

    Messages:
    1,144
    Joined:
    Jul 10, 2005

    Checked sent/trash folders and nothing shows up there. No extra accounts that I can see have been created for access.

    Unfortunately, hostgator doesn't allow access to email logs. I've got a request into support to have them sent to me.

    Nothing is currently hosted on the site. Mostly just an image dump right now. I did go through all the directories and don't see anything out of the ordinary.
     
  14. MrGuvernment

    MrGuvernment [H]ard as it Gets

    Messages:
    19,167
    Joined:
    Aug 3, 2004
    If someone is spoofing your address, yes, you basically have to live with the crap that will come back to you, unless you implement rules and filters.

    It would be like me signing up for crap under your home address, unless you tell the post office to stop delivering things, not much you can do.

    Also, if you have a "catch all" email address, get rid of it, or the option.
     
  15. bocaratonsh

    bocaratonsh n00b

    Messages:
    4
    Joined:
    Jul 31, 2015
    Enable rDNS and SPF filters. That will surely trim the spam emails down.