Message 1 of 19 (On our wavelength)

Email spoofed - tons of undelivered email spam today

So it seems I've just become a victim of email spoofing and have had a ton of mailer-daemon@virginmedia.com as well as other message delivery failures come in today, started roughly around 2PM.

Continuing to receive a ton of message delivery email failures.

Changed password, though I don't believe they actually had access to it as the sender is originating from an IP address that is based in NL (or from what I can gather)

Any assistance from the VM team would be appreciated.

Thanks

Message 2 of 19 (On our wavelength)

Re: Email spoofed - tons of undelivered email spam today

Just received another 74 emails of auto replies/ PostMaster replies / Mailer-Daemon replies.

I'd appreciate if someone could look into this and advise ASAP.
Message 3 of 19 (Forum Team)

Re: Email spoofed - tons of undelivered email spam today

Hi doodalon,

I've located your post and am here to help.

Have you received any communications from us via letter advising of any security issues with a device on your network?

Let me know.

Thanks

Melissa
Message 4 of 19 (On our wavelength)

Re: Email spoofed - tons of undelivered email spam today

Hi Melissa,

No I have not received anything in regards to security on my network.

I'm proficient with computers as well as networking and security. All connected devices have antivirus/anti-malware installed with daily scheduled scans. No devices are infected with anything. Password to my email account was changed after the first batch of emails (2PM), though there was no sign of any hijacking of my actual account. Emails are still being sent which is why I am 100% sure my email address is being spoofed.

From what I can see from the Mailer-daemon logs, the IP that is sending the emails originates from the Netherlands, as well as an IP address based in York, UK.

If there's anyone on the VM team that understands email log details from Mailer-daemon emails, I'd be happy to send the Info.txt that gets attached to each auto reply.

Message 5 of 19 (Very Insightful Person)

Re: Email spoofed - tons of undelivered email spam today

@doodalon 

Do the bounce messages look anything like this?

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed permanently:

* random@ravenstar68.co.uk

Reason: This is the mail system at host know-smtprelay-7-imp.

I am sorry to have to inform you that your message, "Test email bounce", could not be delivered to random@ravenstar68.co.uk.

The remote server returned the below error when attempting delivery:

550:550 5.1.1 <random@ravenstar68.co.uk>: Recipient address rejected: User unknown in virtual mailbox table


This is a genuine bounce message coming from one of Virgin Media's 16 outbound relay servers at Knowsley after I sent a message to a non-existent email address.

You mention the mail as coming from an address in the Netherlands.

Were you looking at this part of the headers in blue?

Received: from md7.tb.ukmail.iss.local ([212.54.57.72])
        by mc60.tb.ukmail.iss.local with LMTP id kIVjO/p8VV7gegAADOOQZg
        for <myaddress@blueyonder.co.uk>; Tue, 25 Feb 2020 21:00:59 +0100
Received: from smtpclienthelo ([212.54.57.72])
        by md7.tb.ukmail.iss.local with LMTP
        id YAcmO/p8VV4XBAAAKMCudg
        (envelope-from <>)
        for <myaddress@blueyonder.co.uk>; Tue, 25 Feb 2020 21:00:58 +0100
Authentication-Results: ukmail.iss.as9143.net; spf=none (81.104.62.39;);
 dkim=pass header.d=virginmedia.com; dmarc=pass header.from=virginmedia.com
 (p=quarantine sp=quarantine dis=pass);
X-Env-Mailfrom:
X-Env-Rcptto: myaddress@blueyonder.co.uk
X-SourceIP: 81.104.62.39
X-CNFS-Analysis: v=2.3 cv=faI2N3YF c=1 sm=1 tr=0 cx=a_idp_d
 a=CfV53nqDiDc8x7ft4Yp3bw==:117 a=HpEJnUlJZJkA:10 a=jmdcTMp_Gj4A:10
 a=r77TgQKjGQsHNAKrUKIA:9 a=XP_wEGxnAAAA:8 a=XEBgXxCsW31kbhcooIYA:9
 a=Nr4rccC-4TmZ1zro:21 a=K48yPSigL2cR5PER:21 a=QEXdDO2ut3YA:10
 a=dLh3EnwUJhUA:10 a=nVn1pbx0GKFDd3c45fQA:9 a=FvpR-EhdHBCRCUc9:21
 a=MBa-erSxZMoXan-O:21 a=a5Gf7U6LAAAA:8 a=6aBFD6vPTFaoaOg-mi4A:9
 a=jhT8XYtxIES_BtMj:21 a=VYhJHEwZXrD1ROF9:21 a=JuliYi8OquoA:10
 a=7dQZfKizipBZ8GLoMIwA:9 a=rAr8EtZR1y37PMFkFbpG:22 a=VWYBCMy2-3DvUfgBPAUA:22
Received: from know-smtprelay-omd-7.server.virginmedia.net ([81.104.62.39])
        by mx5.tb.ukmail.iss.as9143.net with ESMTP
        id 6gO2jVb0FJbQQ6gO2j6ruG; Tue, 25 Feb 2020 21:00:58 +0100

It may surprise you to know that the Received from: line I've highlighted in red is the point at which the mail send arrives at Virgin Media's inbound servers.

It may also surprise you to know that the main mail platform is based in the Netherlands, and has been ever since Gmail closed their Apps for ISP service several years ago.

The rejected mail is attached to the bounce message.  If you want to play it safe you can save it out as a text file and view it in notepad.

If you look at the headers you should be able to see the following two lines:

X-Originating-IP: [81.151.xxx.xxx]
X-Authenticated-User: myaddress@blueyonder.co.uk

Neither of these lines can be spoofed. They are added by Virgin Media's outbound system.

X-Originating-IP - The IP address that connected to Virgin Media's outbound server to send the mail.
X-Authenticated-User - The email address used as the user name to authenticate the send.

In fact there's also this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blueyonder.co.uk;
        s=meg.feb2017; t=1582660858;
        bh=cSNeMHzRzViOWsmxAAMHRud6hBaXbt6u3u4NLZ/evKs=;
        h=Subject:From:To:Date;
        b=H4JkBBh1uJMjY7MX+d7U59eJHLNC3zUEl/kDR+o93d8FKIF4xrxU6VIhHxMssP7Ys
         /UFzFlM/EYRd3GmUpI20Z6P+ynvOY7z95CIOBSQ6IHQxtKfnnoS63oOqz836/9RmWr
         VvPiG+k4MCnnd+eihBW2dTevUpjinQSxSbmqe5jh5jydpTD9jQW8OyogcwtacgFOmO
         wqGfnLFMpQbmvpgjtTrkuuCbUDLFNb/A9iCRFozR5d+HfT9FBT24UfWyk8cLSdJLDS
         BpA3EbAyrFusUMGibvDHs8IlVHEy0KI8lJqKIGvatoJWedpTYxuQv+ILU4XBtQFOLM
         x6d9PPiYQl1vw==

The DKIM signature verifies that the outbound mail was signed with a private key authorised by Virgin Media themselves, in this case for the blueyonder.co.uk domain.

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.


Message 6 of 19 (On our wavelength)

Re: Email spoofed - tons of undelivered email spam today

Hi Tim,

Thanks for the message.

Ah I see, yes, those lines were what I was looking at. I'm not very familiar with email logs, though following your advice I've taken a look at the header; this is the information I've taken from a mailer-daemon@virginmedia.com email bounce:

Received: from [REMOVED]
by cmsmtp with SMTP
id 6fwjjdnTpIUP96fx8jLsyZ; Tue, 25 Feb 2020 19:33:11 +0000
X-Originating-IP: [REMOVED]
X-Authenticated-User:
X-Spam: 0

I can confirm that the IP isn't mine, and the Authenticated-User section is blank.

It does indeed have a DKIM-Signature, though again, the IP is not one that is attached to my network.

Unsure if this actually helps anything as I understand once an email is spoofed, not much you can do.

Message 7 of 19 (On our wavelength)

Re: Email spoofed - tons of undelivered email spam today

Checked roughly 20+ of the bounce emails from mailer-daemon@VM, containing several different Originating IP addresses. Each batch of bounced emails contains the same IP, though it changes for the next batch. See below for the changes and times.

Received: from [REMOVED]
by cmsmtp with SMTP
id 6g8GjwupW6cf46g8LjRTI7; Tue, 25 Feb 2020 19:44:46 +0000
X-Originating-IP: [REMOVED]
X-Authenticated-User:
X-Spam: 0

----

Received: from [REMOVED]
by cmsmtp with SMTP
id 6fjljlrMzqQ1e6fkAjvSOM; Tue, 25 Feb 2020 19:19:47 +0000
X-Originating-IP: [REMOVED]
X-Authenticated-User:
X-Spam: 0

-----

Received: from [REMOVED]
by cmsmtp with SMTP
id 6fIojdAFEfuiH6fJajORqE; Tue, 25 Feb 2020 18:52:19 +0000
X-Originating-IP: [REMOVED]
X-Authenticated-User:
X-Spam: 0

----

Received: from [REMOVED]
by cmsmtp with SMTP
id 6cxzjhgqOczU46cyqjPk08; Tue, 25 Feb 2020 16:22:45 +0000
X-Originating-IP: [REMOVED]
X-Authenticated-User:
X-Spam: 0

----

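A worked example of the triage Tim describes in message 5 (read the attached message's Received chain, X-Originating-IP, X-Authenticated-User and DKIM d= domain), applied to a set of bounces like the batches posted in message 7. This is added code, not from the thread or from Virgin Media. It assumes, as Tim states, that X-Originating-IP and X-Authenticated-User are stamped by the outbound relay and cannot be set by the submitting client; the header names are Virgin Media's and other providers use different ones. Every IP (TEST-NET ranges), address, queue id and timestamp in it is constructed.

```python
"""Added example (not code from the thread): triage the original-message
headers that mailer-daemon attaches to a bounce, then summarise many
bounces by the IP that submitted them.  Assumption from the thread:
X-Originating-IP / X-Authenticated-User are stamped by the outbound relay
and cannot be forged by the client.  All sample data below is constructed."""
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set, Tuple

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 header lines into (name, value) pairs, in wire order."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and pairs:             # folded continuation line
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def get_all(pairs: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in pairs if n == name.lower()]


def triage(raw: str, my_address: str, my_ips: Set[str]) -> Dict[str, object]:
    """Decide from one bounce whether your From: was forged or your login was used."""
    pairs = parse_headers(raw)
    # Every MTA prepends its own Received: line, so the last one in the block
    # is the first hop: the client that handed the message to the relay.
    hops = list(reversed(get_all(pairs, "Received")))
    auth_user = (get_all(pairs, "X-Authenticated-User") or [""])[0]
    m = IPV4.search((get_all(pairs, "X-Originating-IP") or [""])[0])
    orig_ip: Optional[str] = m.group(1) if m else None
    # d= names the domain whose key signed the message: which platform's
    # outbound system handled it, not who wrote it.
    dkim_domains = []
    for sig in get_all(pairs, "DKIM-Signature"):
        d = re.search(r"\bd=([^;\s]+)", sig)
        if d:
            dkim_domains.append(d.group(1))
    if orig_ip is None and not auth_user:
        verdict = "no-relay-markers"          # never passed the outbound relay
    elif not auth_user:
        verdict = "unauthenticated"           # nobody logged in as you: From: forged
    elif auth_user.lower() != my_address.lower():
        verdict = "other-account"             # another mailbox login forged your From:
    elif orig_ip in my_ips:
        verdict = "own-account-own-ip"        # sent from your line: check your devices
    else:
        verdict = "own-account-foreign-ip"    # your password used elsewhere: rotate it
    return {"submission_hop": hops[0] if hops else "", "originating_ip": orig_ip,
            "authenticated_user": auth_user, "dkim_domains": dkim_domains,
            "verdict": verdict}


def campaign_summary(bounces: List[str], my_address: str, my_ips: Set[str]):
    """Group many bounces by submitting IP with first/last seen and verdicts."""
    by_ip: Dict[Optional[str], Dict[str, object]] = {}
    for raw in bounces:
        t = triage(raw, my_address, my_ips)
        hop = str(t["submission_hop"])       # date follows the last ';' of the hop
        when = parsedate_to_datetime(hop.rsplit(";", 1)[-1].strip()) if ";" in hop else None
        e = by_ip.setdefault(t["originating_ip"],
                             {"count": 0, "first": when, "last": when, "verdicts": set()})
        e["count"] += 1
        e["verdicts"].add(t["verdict"])
        if when is not None:
            e["first"] = when if e["first"] is None else min(e["first"], when)
            e["last"] = when if e["last"] is None else max(e["last"], when)
    return by_ip


# Constructed headers mirroring the shape of those quoted in the thread.
TEMPLATE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blueyonder.co.uk;
        s=meg.feb2017; bh=REDACTED; h=Subject:From:To:Date; b=REDACTED
Received: from [{ip}]
        by cmsmtp with SMTP
        id {qid}; {date}
X-Originating-IP: [{ip}]
X-Authenticated-User:{user}
From: victim@blueyonder.co.uk
To: random@example.net
Subject: constructed sample

body
"""
ME, MY_IPS = "victim@blueyonder.co.uk", {"198.51.100.7"}
SPOOF_BATCH = [  # two batches from different IPs, none of them yours, login blank
    TEMPLATE.format(ip="203.0.113.45", user="", qid="C01", date="Tue, 25 Feb 2020 18:52:19 +0000"),
    TEMPLATE.format(ip="203.0.113.45", user="", qid="C02", date="Tue, 25 Feb 2020 19:19:47 +0000"),
    TEMPLATE.format(ip="192.0.2.10", user="", qid="C03", date="Tue, 25 Feb 2020 19:44:46 +0000"),
]
STOLEN_LOGIN = TEMPLATE.format(ip="192.0.2.10", user=" " + ME, qid="C04",
                               date="Tue, 25 Feb 2020 19:50:00 +0000")

if __name__ == "__main__":
    for ip, e in campaign_summary(SPOOF_BATCH, ME, MY_IPS).items():
        print(ip, e["count"], e["first"], e["last"], sorted(e["verdicts"]))
    print(triage(STOLEN_LOGIN, ME, MY_IPS)["verdict"])
```

On the headers the original poster quoted (X-Authenticated-User blank, X-Originating-IP not theirs) this returns "unauthenticated": the password was never presented to the relay, so rotating it stops nothing, and the remaining bounces are backscatter from a forged From: address. "own-account-foreign-ip" is the case that does call for an immediate password change, and "own-account-own-ip" points at a device on your own connection rather than at the account.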
Message 8 of 19 (Very Insightful Person)

Re: Email spoofed - tons of undelivered email spam today

@Melissa_F 

Can you capture the data and edit it to remove the IP addresses?

I'm going to drop you a PM to discuss what we're seeing here.

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Message 9 of 19 (Forum Team)

Re: Email spoofed - tons of undelivered email spam today

We're on it @ravenstar68

Looking forward to your PM. Any insight would be appreciated 🙂

Message 10 of 19 (On our wavelength)

Re: Email spoofed - tons of undelivered email spam today

Anything I need to be concerned about?

Let me know if there's anything else I can do to help, whether you need more extracts from the bounce email attachments etc.
