Cocojojo
Message 1 of 5

Spoof email issue

My email address is being spoofed and I'm getting hundreds of auto replies and delivery failure bouncebacks a day. It happens for a few days, then goes quiet for a few weeks, then happens again. Fairly confident that the account itself hasn't been compromised as changing my password had no effect. Does anyone know if there's anything I can do to stop this?

coenoby
Message 2 of 5
Helpful Answer

Re: Spoof email issue


@Cocojojo wrote:

Fairly confident that the account itself hasn't been compromised as changing my password had no effect.


If the bounce back emails are coming from mailer-daemon@virginmedia.com or postmaster@virginmedia.com then the emails have come from VM's outbound SMTP servers. In that case the spammer must have had either:

1) access to a PC on the Virgin Media network 

or 2) your VM email address and password

It is fairly easy to determine whether your email address has just been spoofed or whether emails are being sent out using your password and email address to authenticate the messages through the VM outbound server.

Look at one of the bounce back messages and you will see a number of attachments.

If you are using the VM Webmail service to view the email, one attachment will be an ".eml" file. Click on that attachment and you will then see a drop down list. Click on "Download" from that list and then open the file using a text editor such as Notepad.

When that file opens, search for your email address in the text and see if you find a line where your email address is prefixed with either:

X-Authenticated-Sender: youraddress@virginmedia.com (or whichever VM domain you use)

or X-Authenticated-User: youraddress@virginmedia.com

If either of these lines exists it means that your correct email password was used to authenticate the SMTP connection prior to sending the original email.

That can't be faked so it would mean that your VM email account has been hacked rather than the address being spoofed.

If you find the X-Authenticated-User / Sender, it is important that you follow all the advice here https://www.virginmedia.com/help/virgin-media-mail-my-email-has-been-hacked to secure your email account and prevent it happening again. Note that just changing your password is not enough!

However, if your address has merely been spoofed then there is nothing you can do to stop it. You could hide future bounce back messages by setting up a filter rule in your Webmail account but I would strongly advise against that. It would mean that you would also miss any genuine bounce back messages if, for example, you mistyped an email address or one of your contacts was having issues with their mailbox.

Either way it's a pain. 😞

Coenoby

*******************************
I am just another Virgin Media customer.
If someone posts a useful reply you can say thanks by clicking on the thumbs up sign in their post.
If someone posts a message that solves your problem it helps everyone if you mark their post as a Helpful Answer
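
The header check described in the post above can be scripted. This is an added example, not part of the original thread: it reads a bounce (or the saved .eml) and reports whether an X-Authenticated-Sender / X-Authenticated-User header names your address. The function names, the example.com addresses and the sample bounce are constructed for illustration; a header that is present but blank is reported separately rather than interpreted.

```python
import email
from email import policy

AUTH_HEADERS = ("X-Authenticated-Sender", "X-Authenticated-User")

def auth_header_values(raw: bytes) -> list[str]:
    """Collect auth-header values from a bounce or from the saved .eml itself."""
    values = []
    # walk() also descends into an attached message/rfc822 original.
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/rfc822-headers":
            # Some bounces attach only the original headers, as plain text.
            part = email.message_from_string(part.get_content(), policy=policy.default)
        for name in AUTH_HEADERS:
            values += [str(v).strip() for v in part.get_all(name, [])]
    return values

def classify(raw: bytes, my_address: str) -> str:
    values = auth_header_values(raw)
    if not values:
        return "header-absent"            # nothing ties the send to a login
    if any(v.strip("<>").lower() == my_address.lower() for v in values):
        return "authenticated-as-you"     # the case the post calls a hacked account
    if all(v == "" for v in values):
        return "header-empty"             # header present but blank; kept separate
    return "authenticated-as-other"

def sample_bounce(auth_line: str) -> bytes:
    """Constructed bounce (not real mail): notice plus the original message."""
    return (
        "From: mailer-daemon@example.net\r\n"
        "Subject: Delivery failure\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; boundary="b1"\r\n\r\n'
        "--b1\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Your message could not be delivered.\r\n"
        "--b1\r\n"
        "Content-Type: message/rfc822\r\n\r\n"
        "Received: from [192.0.2.10] by mail.example.net with SMTP\r\n"
        + auth_line +
        "From: user@example.com\r\n"
        "Subject: constructed subject\r\n\r\n"
        "body\r\n"
        "--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    for line in ("X-Authenticated-User: user@example.com\r\n", "X-Authenticated-User:\r\n", ""):
        print(repr(line), "->", classify(sample_bounce(line), "user@example.com"))
```

To check a real bounce, pass the bytes of the downloaded .eml file to `classify` together with your own address.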
Cocojojo
Message 3 of 5

Re: Spoof email issue

Thanks for that - very helpful. If I open the eml attachment with Notepad, I can find the words X - authenticated user, but not followed by my email address. It's just blank after. The full text in this section is:

My email address followed by SMTP

By cmsmtp with SMTP

Id (a long alphanumeric string) then the date

X - originating IP: [REMOVED]

X - Authenticated -  user :

X - Spam: 0

X - Authority (a long alphanumeric string)

Any thought as to whether this indicates a hack or a spoof?

Thanks

 [MOD EDIT: Personal and private information has been removed from this post. Please do not post personal or private information in your public posts. Please review the Forum Guidelines]

coenoby
Message 4 of 5

Re: Spoof email issue


@Cocojojo 

Any thought as to whether this indicates a hack or a spoof?

To be honest it would be useful if you could post the full text of the email header.

But do take care to edit any email addresses to remove the part before the @ symbol, for example as in "xxxxxxxxxxxx@virginmedia.com", and also edit any IP addresses, for example "xx.xx.xxx.xx".

Coenoby

ravenstar68
Message 5 of 5

Re: Spoof email issue

@Cocojojo 

Are you able to PM me the originating IP address?

Are you able to confirm as well whether the originating IP address is your public IP?

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.