Hacked Email since move to new platform

cazz
Message 1 of 28

Received 2 emails so far this week addressed to me from my email address?? Both spam. This is since the move to the new email platform...

 

I've changed my password and run a virus scan - is there anything else I need to do?

 

 

Ravenstar68
Message 2 of 28
Helpful Answer

Re: Hacked Email since move to new platform

Hi

 

You should also consider filing a report here under email account hijacking.

http://netreport.virginmedia.com/netreport/

 

However, while I recommend doing the above, you should know that you may not actually have been hacked.

 

One trick that spammers use is to spoof the From: and To: headers in an email when sending. It's a trivial thing to do.

 

To check for this you can do the following.

  1. Select the mail in Webmail and in the reading pane click the menu icon (on the right, next to the delivery time).
  2. Select "View Source". A panel will open with the full email including all the headers.

Here's one that has been sent from me and to me.  (Not spam though - an Outlook test message)

 

Return-Path: <myaddress@blueyonder.co.uk>
Delivered-To: myaddress@blueyonder.co.uk
Received: from md2.tb.ukmail.iss.local ([212.54.57.70])
	by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id fUFOIQyszVUpNwAAVqD7fw
	for <myaddress@blueyonder.co.uk>; Fri, 14 Aug 2015 10:52:08 +0200
Received: from mx3.tb.ukmail.iss.as9143.net ([212.54.57.70])
	by md2.tb.ukmail.iss.local (Dovecot) with LMTP id kp4SLiAhrlVMBAAAaJkqCg
	; Fri, 14 Aug 2015 10:52:08 +0200
Received: from know-smtprelay-omc-5.server.virginmedia.net ([80.0.253.69])
	by mx3.tb.ukmail.iss.as9143.net with bizsmtp
	id 4Yo91r00P1Wc93C01Ys8yW; Fri, 14 Aug 2015 10:52:08 +0200
X-SourceIP: 80.0.253.69
Received: from TimsLaptop ([77.98.xxx.xxx])
	by know-smtprelay-5-imp with bizsmtp
	id 4Ys71r00b0NGvmM01Ys86d; Fri, 14 Aug 2015 09:52:08 +0100
X-Originating-IP: [77.98.xxx.xxx]
X-Spam: 0
X-Authority: v=2.1 cv=Sd8KDalu c=1 sm=1 tr=0 a=h6yIpIiFA6mHwAidIMClUg==:117
 a=h6yIpIiFA6mHwAidIMClUg==:17 a=a5Gf7U6LAAAA:8 a=jPJDawAOAc8A:10
 a=IkcTkHD0fZMA:10 a=o8vTjCv1nhgqmWcrq9kA:9 a=QEXdDO2ut3YA:10
From: Microsoft Outlook <myaddress@blueyonder.co.uk>
To: =?utf-8?B?VGltIER1dHRvbg==?= <myaddress@blueyonder.co.uk>
Subject: =?utf-8?B?TWljcm9zb2Z0IE91dGxvb2sgVGVzdCBNZXNzYWdl?=
MIME-Version: 1.0
Content-Type: text/html;
    charset="utf-8"
Content-Transfer-Encoding: 8bit

It looks confusing but it isn't.

 

 

One of the first things to look for is the first server the mail was sent to. Because of the way new headers are added to the top of the existing mail, this is actually the bottom-most Received: from header.

 

Received: from TimsLaptop ([77.98.xxx.xxx])
	by know-smtprelay-5-imp with bizsmtp
	id 4Ys71r00b0NGvmM01Ys86d; Fri, 14 Aug 2015 09:52:08 +0100

 

If sent via one of Virgin's Knowsley servers then you may have a problem, especially if the IP address the mail is sent from is a non-Virgin IP address.

 

The other thing to look at is the envelope sender. This is different to the From: header and indicates where the mail should be returned to if it bounces.

 

Return-Path: <myaddress@blueyonder.co.uk>

 

Again, if this shows an address other than your own, then the mail most likely has not been sent via your account. It is possible to spoof this though, so use a combination of the server address and the Return-Path address.

 

Ravenstar68

________________________________________


Only use Helpful answer if your problems been solved.

cazz
Message 3 of 28

Re: Hacked Email since move to new platform

Thanks for the info - maybe a silly question but how do I tell if it's from a Virgin server? Will it have virgin in the address?

 

There is no Return-Path on it at all...

Ravenstar68
Message 4 of 28
Helpful Answer

Re: Hacked Email since move to new platform

Look at the next Received: from line upwards, which is the delivery from the relay to the mail exchange on the new email platform.

 

Received: from know-smtprelay-omc-5.server.virginmedia.net ([80.0.253.69])
	by mx3.tb.ukmail.iss.as9143.net with bizsmtp
	id 4Yo91r00P1Wc93C01Ys8yW; Fri, 14 Aug 2015 10:52:08 +0200

It will look something like the above.

They all start with know-smtprelay and all end with virginmedia.net.

 

Ravenstar68

cazz
Message 5 of 28

Re: Hacked Email since move to new platform

Thank you - it was not sent from a Virgin server so hopefully it looks like it was not hacked from my account. Still worrying though and it has only been happening since the new webmail platform :(

 

 

Ravenstar68
Message 6 of 28

Re: Hacked Email since move to new platform

Did you check the Return-Path: line?

 

Google would most likely have filtered this mail as spam and delivered it to the spam folder. Unless you regularly checked that folder (and it is tucked away in their folder tree) you might never have seen them.

 

It's a known trick to spoof the From: line in order to try and get round spam filters. Indeed, if I had your address I could send you a mail that would appear to be for a different person entirely.

(I'm not a spammer but I find learning their tricks useful, in order to put my mind at ease, especially as I have been caught out in the past before digging into the workings of email.)

 

Ravenstar68
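The From:/To: trick Ravenstar68 describes in messages 2 and 6, scripted as an added example; this is not code from the thread or from Virgin Media. It plays out the SMTP dialogue a spammer's mailer (C:) has with a receiving relay (S:), then prepends the Return-Path: and Received: lines the relay writes from what it actually observed (the MAIL FROM address and the connecting host/IP), not from what the headers claim. Every address, host name and IP is constructed from reserved example values.

```python
"""Spoofed From:/To: versus what the relay records (added example)."""
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import formatdate

TARGET = "victim@example.net"                                # constructed victim mailbox
RELAY = "mx.example.net"                                     # constructed receiving relay
SPAM_HOST, SPAM_IP = "dialup-7.example.org", "203.0.113.7"   # constructed spam origin


def spammer_data(target):
    """The DATA the mailer sends: From: and To: both set to the target address.

    SMTP never checks these lines against the session; they are free text.
    """
    msg = EmailMessage()
    msg["From"] = target
    msg["To"] = target
    msg["Subject"] = "Your mailbox"
    msg.set_content("constructed spam body\n")
    return msg.as_bytes()


def smtp_exchange(client_host, client_ip, envelope_from, envelope_to, data, relay=RELAY):
    """Scripted client/server dialogue; returns (transcript, message as stored).

    The relay stamps Received: with the connecting host/IP it saw and
    Return-Path: with the MAIL FROM address it was given.
    """
    transcript = [
        f"S: 220 {relay} ESMTP",
        f"C: EHLO {client_host}",
        "S: 250 OK",
        f"C: MAIL FROM:<{envelope_from}>",   # becomes Return-Path:
        "S: 250 OK",
        f"C: RCPT TO:<{envelope_to}>",       # real recipient, whatever To: says
        "S: 250 OK",
        "C: DATA",
        "S: 354 End data with <CR><LF>.<CR><LF>",
        "C: <headers and body exactly as the mailer wrote them>",
        "S: 250 OK queued",
        "C: QUIT",
    ]
    trace = (
        f"Return-Path: <{envelope_from}>\n"
        f"Received: from {client_host} ([{client_ip}])\n"
        f"\tby {relay} with ESMTP; {formatdate(usegmt=True)}\n"
    ).encode()
    return transcript, trace + data


def demo(spoof_envelope_too=False):
    """Deliver one spoofed message and return it parsed as the mailbox would hold it.

    With spoof_envelope_too=True the mailer also sets MAIL FROM to the target,
    so Return-Path: matches as well (the case reported in this thread) and
    only the Received: line still gives the origin away.
    """
    envelope_from = TARGET if spoof_envelope_too else "bulk@example.org"
    _, stored = smtp_exchange(SPAM_HOST, SPAM_IP, envelope_from, TARGET, spammer_data(TARGET))
    return message_from_bytes(stored)


if __name__ == "__main__":
    for spoofed in (False, True):
        m = demo(spoofed)
        print(f"From: {m['From']}  To: {m['To']}  Return-Path: {m['Return-Path']}")
        print("Received:", " ".join(m["Received"].split()))
```

Run it and both messages show From: and To: equal to the target; in the second the Return-Path: does too, and the only line that still points at the real origin is Received:, which the relay wrote and the mailer could not edit. That is the reason the answers above read the bottom-most Received: line before anything else.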

cazz
Message 7 of 28

Re: Hacked Email since move to new platform

Source code of the email starts as follows:

 

Return-Path: my email address
Delivered-To: my email address

 

I've submitted a report to Virgin so hopefully they will look into it for me.

 

Thanks again for your help.

Ravenstar68
Message 8 of 28

Re: Hacked Email since move to new platform

Would you consider posting the header on here?

 

Clean out the first part of any email addresses though, just leave the parts after the @ symbols.

 

Ravenstar68

cazz
Message 9 of 28

Re: Hacked Email since move to new platform

Here it is - any help?

 

Return-Path: <myemail@blueyonder.co.uk>
Delivered-To: myemail@blueyonder.co.uk
Received: from md10.tb.ukmail.iss.local ([212.54.59.70])
	by mc4.tb.ukmail.iss.local (Dovecot) with LMTP id 6rNAGEUszVVoFQAAHW8Adg
	for <myemail@blueyonder.co.uk>; Fri, 14 Aug 2015 01:47:59 +0200
Received: from mx3.mnd.ukmail.iss.as9143.net ([212.54.59.70])
	by md10.tb.ukmail.iss.local (Dovecot) with LMTP id 34slCxIhrlVjBAAAnwjGaw
	; Fri, 14 Aug 2015 01:47:59 +0200
Received: from dup-201-113-20-191.prod-dial.com.mx ([201.113.20.191])
	by mx3.mnd.ukmail.iss.as9143.net with bizsmtp
	id 4Pnx1r00K47Mchl01PnyJL; Fri, 14 Aug 2015 01:47:59 +0200
X-SourceIP: 201.113.20.191
Message-ID: <31CA415AC4BAD1DF24AFB42A543F31CA@JW5ELCEEE31>

Ravenstar68
Message 10 of 28

Re: Hacked Email since move to new platform

Based on the sending IP that's being sent from an outbound mail server in Mexico City.

 

They appear to be using a mailer that's spoofing the MAIL FROM:, the From: and the To: lines with the target email address.

 

Based on that header I would say that your account itself hasn't been hacked.

 

Ravenstar68
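The checks from messages 2 and 4 (bottom-most Received: line is the first hop; was the mail handed to the platform's MX by a know-smtprelay*.virginmedia.net relay; does Return-Path: agree with From:), applied to the two header blocks posted in this thread, Ravenstar68's Outlook test message and cazz's spam, as an added example. This is not code from the thread or from Virgin Media. The header text is copied from the posts with the folded continuation lines re-indented and a few non-trace lines trimmed; the relay and MX host-name patterns are assumptions taken from those same headers, not a published Virgin Media naming scheme, and the posted spam excerpt has no From: line, so that comparison comes out empty for it. The verdicts encode the thread's reasoning and nothing stronger.

```python
"""Trace-header triage for "spam from my own address" (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# "from <host> ([<ip>]) by <host>", the shape every hop in the posted headers has.
RECEIVED_RE = re.compile(r"from\s+(?P<host>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")
VM_RELAY_RE = re.compile(r"^know-smtprelay\S*\.virginmedia\.net$", re.I)   # outbound relay (assumed)
PLATFORM_MX_RE = re.compile(r"\.ukmail\.iss\.as9143\.net$", re.I)           # platform inbound MX (assumed)

# Ravenstar68's Outlook test message: submitted through the Virgin relay.
LEGIT_HEADERS = """\
Return-Path: <myaddress@blueyonder.co.uk>
Delivered-To: myaddress@blueyonder.co.uk
Received: from md2.tb.ukmail.iss.local ([212.54.57.70])
\tby mc8.tb.ukmail.iss.local (Dovecot) with LMTP id fUFOIQyszVUpNwAAVqD7fw
\tfor <myaddress@blueyonder.co.uk>; Fri, 14 Aug 2015 10:52:08 +0200
Received: from mx3.tb.ukmail.iss.as9143.net ([212.54.57.70])
\tby md2.tb.ukmail.iss.local (Dovecot) with LMTP id kp4SLiAhrlVMBAAAaJkqCg
\t; Fri, 14 Aug 2015 10:52:08 +0200
Received: from know-smtprelay-omc-5.server.virginmedia.net ([80.0.253.69])
\tby mx3.tb.ukmail.iss.as9143.net with bizsmtp
\tid 4Yo91r00P1Wc93C01Ys8yW; Fri, 14 Aug 2015 10:52:08 +0200
X-SourceIP: 80.0.253.69
Received: from TimsLaptop ([77.98.xxx.xxx])
\tby know-smtprelay-5-imp with bizsmtp
\tid 4Ys71r00b0NGvmM01Ys86d; Fri, 14 Aug 2015 09:52:08 +0100
From: Microsoft Outlook <myaddress@blueyonder.co.uk>

"""

# cazz's reported spam: the first hop is the host from message 10, straight into the MX.
SPAM_HEADERS = """\
Return-Path: <myemail@blueyonder.co.uk>
Delivered-To: myemail@blueyonder.co.uk
Received: from md10.tb.ukmail.iss.local ([212.54.59.70])
\tby mc4.tb.ukmail.iss.local (Dovecot) with LMTP id 6rNAGEUszVVoFQAAHW8Adg
\tfor <myemail@blueyonder.co.uk>; Fri, 14 Aug 2015 01:47:59 +0200
Received: from mx3.mnd.ukmail.iss.as9143.net ([212.54.59.70])
\tby md10.tb.ukmail.iss.local (Dovecot) with LMTP id 34slCxIhrlVjBAAAnwjGaw
\t; Fri, 14 Aug 2015 01:47:59 +0200
Received: from dup-201-113-20-191.prod-dial.com.mx ([201.113.20.191])
\tby mx3.mnd.ukmail.iss.as9143.net with bizsmtp
\tid 4Pnx1r00K47Mchl01PnyJL; Fri, 14 Aug 2015 01:47:59 +0200
X-SourceIP: 201.113.20.191
Message-ID: <31CA415AC4BAD1DF24AFB42A543F31CA@JW5ELCEEE31>

"""


def received_hops(raw):
    """Received: hops oldest first, i.e. the bottom-most header becomes hops[0]."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold, then match
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def triage(raw):
    """Run the thread's checks on one raw header block and return the findings."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    first = hops[0]
    mx_hop = next((h for h in hops if PLATFORM_MX_RE.search(h["by"])), None)
    via_virgin_relay = bool(mx_hop and VM_RELAY_RE.match(mx_hop["host"]))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    if via_virgin_relay:
        verdict = (f"submitted via a Virgin relay from {first['host']} ({first['ip']}); "
                   "if that IP is not yours, treat the account as compromised")
    else:
        verdict = (f"first hop {first['host']} ({first['ip']}) bypassed the Virgin relays; "
                   "From:/To: are spoofed and the mail was not sent via your account")
    return {"first_hop": first, "via_virgin_relay": via_virgin_relay,
            "return_path": return_path, "header_from": header_from,
            # Return-Path can be forged too, so it only corroborates the trace.
            "return_path_matches_from": bool(return_path) and return_path == header_from,
            "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("test message", LEGIT_HEADERS), ("reported spam", SPAM_HEADERS)):
        print(label, "->", triage(raw)["verdict"])
```

For the test message the script finds the first hop TimsLaptop handed to know-smtprelay-5-imp and the relay know-smtprelay-omc-5.server.virginmedia.net handing to the platform MX; for the spam it finds 201.113.20.191 delivering directly to mx3.mnd.ukmail.iss.as9143.net with no Virgin relay in the chain, the same conclusion message 10 reaches. The Return-Path: check is deliberately reported as a separate field rather than folded into the verdict, because the spam carries the victim's own address there and message 2 already warns that it can be forged.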
