
Removal of Permitted Designated Sender from Email(hacked)

javadudd
On our wavelength

I appear to have had my email hacked and friends were reporting an email from myself, i.e. proper email address etc. I actually received the same email to another email address.

I checked the original header and there is a suspicious entry in here

spf=pass (google.com: domain of <myemail>@blueyonder.co.uk designates 212.54.57.96 as permitted sender)

Is there a way to fix this?

I've changed account password etc and they obviously have managed to send out emails to a list of contacts


Sololobo
Superstar

For Information.

The IP address noted resolves to smtpq1.tb.ukmail.iss.as9143.net, an email server run by Ziggo from the Netherlands, a company used by Virgin media for the provision of their email services.




It's What I Do.
I Drink and I
Remember Things.

Only mark a post as helpful if your issue has been resolved.

javadudd
On our wavelength

Ahh ok it must be ok then.

Just don't see how they have sent out emails to my contacts looks like me and the header has my return address but emails look like they are being diverted.

Or people are saying they have replied but I haven't seen any emails come through from them.

ravenstar68
Very Insightful Person

Just to clarify this

I checked the original header and there is a suspicious entry in here

spf=pass (google.com: domain of <myemail>@blueyonder.co.uk designates 212.54.57.96 as permitted sender)

This is an authentication check on the Envelope Sender (which can be found in the header as Return-Path:). It checks that the IP address is allowed to send mails for the domain.

Breaking it down:

SPF (Name of check) - Sender Policy Framework
google.com - Receiving Domain
myemail@blueyonder.co.uk - Envelope Sender
22.54.57.96 - IP address that connected to google.com's inbound server

In normal cases the IP address will belong to the mail servers used by the domain in red.  (Although there are circumstances where legitimate mail will fail SPF - Which is why VM sign their mails using DKIM as well).

SPF pass means that mails were sent from an IP address authorised by Virgin Media
DKIM pass means that the mail is signed by a key belonging to the domain owner.

DMARC is used to evaluate the results - So long as EITHER SPF or DKIM pass then DMARC will pass.

Look for an X-Authorized: Header in the mail.

Is it blank or does it have your email address?

Also look at the Received lines starting at the bottom most and working up.  You should see the point at which it's delivered TO Virgin Media's mail server.  Check the public IP address that makes the connection.

Tim

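The header checks described in the reply above (the SPF/DKIM/DMARC verdicts, the X-Authorized header, and reading the Received lines from the bottom up), as an added Python example that is not part of the original thread. The sample headers, hostnames, the 203.0.113.45 client address and the function names are constructed for illustration; only the domain and the relay IP come from the thread.

```python
import email
import ipaddress
import re

# Constructed sample (not from the thread); only the relay IP is the one quoted above.
SAMPLE = """\
Return-Path: <user@blueyonder.co.uk>
Received: from relay.example.net (relay.example.net [212.54.57.96])
\tby mx.google.com with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Authentication-Results: mx.google.com;
\tdkim=pass header.i=@blueyonder.co.uk;
\tspf=pass (google.com: domain of user@blueyonder.co.uk designates 212.54.57.96 as permitted sender);
\tdmarc=pass header.from=blueyonder.co.uk
Received: from [192.168.1.20] (client.example.org [203.0.113.45])
\tby submit.example.net with ESMTPA id xyz789; Mon, 1 Jan 2024 10:00:01 +0000
X-Authorized: user@blueyonder.co.uk
"""

# Ranges that never identify the connecting party on the public internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts the receiving server recorded."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return {k: v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text)}

def first_public_hop(msg):
    """Read Received lines bottom-up; return the first non-internal bracketed IPv4."""
    for hdr in reversed(msg.get_all("Received", [])):
        for cand in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def triage(raw):
    """Summarise the header fields the reply says to inspect."""
    msg = email.message_from_string(raw)
    return {
        "envelope_sender": (msg.get("Return-Path") or "").strip("<> "),
        "auth": auth_results(msg),
        "x_authorized": (msg.get("X-Authorized") or "").strip(),  # blank or an address
        "origin_ip": first_public_hop(msg),
    }
```

Calling `triage()` on the raw source of a suspect message ("Show original" in most webmail clients) gives the envelope sender, the three verdicts, the X-Authorized value and the first public address that handed the mail to the provider.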