coenoby

Re: Bounces back from my hacked Blueyonder email


@JohnOrrett wrote:

X-Authenticated-User is my email address.

Hopefully they have just spoofed my email in that case.


The scammers are using your password to authenticate your VM email address and I would strongly suggest that for safety's sake you change your VM email password and security questions.

Your comments regarding the activity on your Amazon account should be a considerable cause for concern and you are right to have taken precautions against future fraud.

You need to follow all the instructions in the link I gave earlier https://www.virginmedia.com/help/virgin-media-mail-my-email-has-been-hacked

You need to check that no filter rules or auto forwards that you do not know about have been set up in your VM Webmail account. That is a trick the fraudsters use so that emails from the online accounts they have accessed are sent to another email address that they control and you remain oblivious to their activity.

Coenoby

*******************************
I am just another Virgin Media customer.
If someone posts a useful reply you can say thanks by clicking on the thumbs up sign in their post.
If someone posts a message that solves your problem it helps everyone if you mark their post as a Helpful Answer
JohnOrrett


Hmm thanks Coenoby.

I had already checked the settings in webmail, and all appears normal, and still does. I will change my password and security question again. The question is, how did they get in to change my password or get access to my account in the first place?

Thanks,

John

Superuser
Helpful Answer



@JohnOrrett wrote:

I do not believe the emails are originating from my account, but it is being spoofed, but I am not sure why I am getting the bounce-backs rather than the git who hacked me.

Thanks, John

Without seeing the bounces I wouldn't like to say for definite if you're being spoofed or not.  The headers can usually tell you a lot, as can the From: address - Virgin Media emails use DMARC, SPF and DKIM - so if the From: address ends in virginmedia.com and the bounce mail ended up in your inbox, it's a safe bet that the sender was using Virgin Media's email servers to send it.  (The headers would tell us more but if you do post them please DON'T post full email addresses - just post the domains).

Tim 

Edit: bounce-backs always go to the envelope sender.  This is the mail address that's declared to the server in the MAIL FROM: command of an SMTP exchange.

Note that this address is different to the From: address - but just like the From: address it can be faked.  However bounces will by design go back to this email address.

Tim

________________________________________


Only use Helpful answer if your problems been solved.

JohnOrrett


Hi Ravenstar68, thanks for the post. Here are the headers to see if it helps. I have replaced the name with x's in the email. 

Received: from localhost ([191.53.193.142])
by cmsmtp with ESMTPA
id rmrIgoGkh7sFirmrbguPFQ; Thu, 07 Feb 2019 16:49:24 +0000
X-Originating-IP: [191.53.193.142]
X-Authenticated-User: xxxxxxxxxxxxx@blueyonder.co.uk
X-Spam: 0
X-Authority: v=2.3 cv=A45CwZeG c=1 sm=1 tr=0 a=WMfOpGmULz2Ixn1jdpDXaA==:117
a=WMfOpGmULz2Ixn1jdpDXaA==:17 a=x7bEGLp0ZPQA:10 a=Jgz2oKcMAAAA:8
a=fufvJ9-MpLoAD62UqiMA:9 a=YOno32Rzyd8A:10 a=-FEs8UIgK8oA:10
a=VxAk22fqlfwA:10 a=NWVoK91CQyQA:10 a=WLEPZ8S0KuMsaunnG7N9:22
a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=bWyr8ysk75zN3GCy5bjg:22
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blueyonder.co.uk;
s=meg.feb2017; t=1549558164;
bh=DPIwNOhdw2/zSAATZwBfKFEm89dWh/XH5spTeQ/WwXk=; h=From:To:Subject;
b=nS9HYUzv7HjRE87NNhV75AuJmWJ8SWG7wZF4rYcXaxZXAIAxG6gVbBEKvVzFEobAH
MGOvitmb8kg7UW+ej0bHNiBo5QmRiaRXTxFS7GuAAUNuUck8OrGJ1JoMWPST9qcfEX
+5uKl26ItXJOv+pzN6aq/t7Y+TBVlgu6CduQ5cT9cwXr8FdwJcwXB+DMm502sRKfhk
7S4T+3LxGcgwqAGdm6+ALj3pc5wAlzDBqslljNLr1VY/F/60OYoUxNOJ2hp+J5tDYK
L0jUq1XCZ3nCOtVxohLZ8OZ+DqMrMZadCyrEXK5ImuFffxcUk8bzBGTysJxcrncJcs
mnC6US1lxQmXQ==
From: Dodie Jensen <xxxxxxxxxxx@blueyonder.co.uk>
To: K C <kxxxxxxxx@q.com>
Subject: Fwd: for KC
X-CMAE-Envelope: MS4wfD0/wHKIKGGEEogEDufC1Y19hfI10yMBGhnP4yNu9x9zbrrOZ+MTclNJw/gCuudBut3iW0LoluqrrdE1jBFQi07jDxUzlZAnyavsUHRAwwE01Z2DOL9J
j/p+lTDCR/ZwC7iQ+x47V8q25Ab2pC2hAjAV1QnFqpTh5Brcs7bJ/+6F

This is from the Details .txt file on the email:

Reporting-MTA: dns; know-smtprelay-1-imp [62.252.172.2]
Received-From-MTA: dns; localhost [191.53.193.142]
Arrival-Date: Thu, 07 Feb 2019 16:49:24 +0000

Dodie Jensen would appear to be the name that would show as the sender, but with my email address.

Regards, John

Superuser
Helpful Answer


First thing I can say for sure is that this isn't an example of email spoofing.  This was definitely sent using your account.

Clues:

X-Authenticated-User: xxxxxxxxxxxxx@blueyonder.co.uk

This is the user name used to authenticate the send.  It is in most cases the same as the Mail-From: address.  But unlike the Mail-From: address, the Authenticated user cannot be faked as the username and password must be given BEFORE the send will continue.

know-smtprelay-1-imp

Is the banner of one of Virgin Media's outbound relays (they have about 16).

I wouldn't take much notice of the name here.

From: Dodie Jensen <xxxxxxxxxxx@blueyonder.co.uk>

Spammers will stick any display name in that they fancy.
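The header checks Tim walks through in the two posts above, as an added worked example (not code from this thread and not Virgin Media's): a small Python triage script that reads the headers of a bounced message and separates a send made with the account's own credentials from a merely forged From:. It assumes X-Authenticated-User is the provider-specific header carrying the SMTP AUTH username, as in the headers John posted, and that "with ESMTPA" (or ESMTPSA) in a Received: line is the RFC 3848 marker for an authenticated session. The two header samples are constructed, modelled on the posted ones, with placeholder addresses and a shortened DKIM signature.

```python
"""Triage a bounced message's headers: sent with the account's credentials,
or just a forged From:?  Added example, not from the forum or Virgin Media.

Assumptions (not from the thread): X-Authenticated-User carries the SMTP AUTH
username; "with ESMTPA"/"ESMTPSA" in Received: marks an authenticated session
(RFC 3848).  Sample headers below are constructed with placeholder addresses.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: modelled on the headers posted in the thread, i.e. an
# authenticated submission from the victim's own account (DKIM b= shortened).
COMPROMISED_HEADERS = """\
Received: from localhost ([191.53.193.142])
 by cmsmtp with ESMTPA
 id rmrIgoGkh7sFirmrbguPFQ; Thu, 07 Feb 2019 16:49:24 +0000
X-Originating-IP: [191.53.193.142]
X-Authenticated-User: victim@blueyonder.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blueyonder.co.uk;
 s=meg.feb2017; t=1549558164; h=From:To:Subject; bh=...; b=...
From: Dodie Jensen <victim@blueyonder.co.uk>
To: K C <kc@q.com>
Subject: Fwd: for KC

"""

# Constructed sample 2: a genuine spoof.  No AUTH, no X-Authenticated-User,
# handed in from an outside host (203.0.113.7 is documentation address space).
SPOOFED_HEADERS = """\
Received: from mail.example.net ([203.0.113.7])
 by cmsmtp with ESMTP
 id abc123; Thu, 07 Feb 2019 17:00:00 +0000
From: Dodie Jensen <victim@blueyonder.co.uk>
To: K C <kc@q.com>
Subject: Fwd: for KC

"""

AUTH_HEADER = "X-Authenticated-User"   # assumption: provider-specific header name
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def session_was_authenticated(msg):
    """True if any Received: hop records an SMTP AUTH session (RFC 3848 WITH keyword)."""
    return any(re.search(r"\bwith\s+ESMTPS?A\b", r)
               for r in msg.get_all("Received", []))


def originating_ip(msg):
    """Prefer X-Originating-IP; fall back to the first bracketed IPv4 in a Received: hop."""
    for value in [msg.get("X-Originating-IP", "")] + msg.get_all("Received", []):
        m = re.search(r"\[" + IPV4 + r"\]", value)
        if m:
            return m.group(1)
    return None


def dkim_domain(msg):
    """The d= tag of the DKIM signature, if the message carries one."""
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None


def triage(raw_headers, my_address):
    """Classify a bounced message's headers relative to my_address."""
    msg = message_from_string(raw_headers)
    auth_user = (msg.get(AUTH_HEADER) or "").strip().lower() or None
    display, from_addr = parseaddr(msg.get("From", ""))
    authed = session_was_authenticated(msg)
    mine = my_address.lower()
    if authed and auth_user == mine:
        verdict = "sent with your credentials: change the password now"
    elif authed and auth_user:
        verdict = "sent with another account's credentials: " + auth_user
    elif from_addr.lower() == mine:
        verdict = "From: forged without authentication (spoofed)"
    else:
        verdict = "not addressed as you; inspect manually"
    return {
        "verdict": verdict,
        "authenticated_user": auth_user,
        "auth_session": authed,
        "originating_ip": originating_ip(msg),
        "from_address": from_addr.lower(),
        "from_display_name": display,   # display name is free text, as the post says
        "dkim_domain": dkim_domain(msg),
    }


if __name__ == "__main__":
    for name, raw in (("compromised", COMPROMISED_HEADERS), ("spoofed", SPOOFED_HEADERS)):
        print(name, triage(raw, "victim@blueyonder.co.uk"))
```

Paste the header block of a real bounce into the raw string (domains only, if you post the result anywhere) and compare the verdict with what the provider's own header names actually say; if your provider does not stamp an X-Authenticated-User equivalent, the ESMTPA check in the Received: line is the only one of the two that survives.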

JohnOrrett


Hmm thanks Ravenstar68, that's rather worrying. Would these have been sent from webmail or could someone be using any email client with my credentials set up? There is nothing in the sent folder in either the Outlook or webmail folder. The first I knew is when the bounces appeared in my inbox.

I am always careful not to open rogue emails and not click any links or open attachments. All filters in webmail look OK and only ones that I have set up are in there. I also have 2 other alias emails set up under my primary email address, and my family also have email addresses in 'my other VM accounts'. Could they have been the compromised one, or, as the authenticated user was my address, is it solely originating from my account?

All very unsettling.

Thanks again for the assistance.

John

coenoby
Helpful Answer



@JohnOrrett

You said in your earlier post "Apart from the initial batch of bounce messages, I have not had any since."

If you changed your password after receiving that batch of emails and you have had no further bounce-backs since then, hopefully that will have resolved the problem. It would be worth running a full scan with Malwarebytes Free but make sure that you download it from the official site.

You could check your email address on https://haveibeenpwned.com/  which will show whether your email address has been leaked in one of the many large data breaches over the years.

Coenoby

Just edited to add - the spam emails will not have been sent from your Webmail account, they will have used an email client of some sort.
JohnOrrett


Thanks coenoby. I have a paid-for subscription to Malwarebytes and that has always come up clean. I have used the pwned website before and all of my email addresses, mail and aliases are on the list.

As an aside, I am trying to log in to my alias accounts, but none of the passwords seem to work, as they are not often used. Should the alias password mirror the primary email password?

Appreciate the assistance as ever, John

Superuser



@JohnOrrett wrote:

Hmm thanks Ravenstar68, that's rather worrying. Would these have been sent from webmail or could someone be using any email client with my credentials set up?

They'll be sending in a way similar to an email client, but most likely from a PHP script somewhere.  Webmail uses different outgoing servers based in the Netherlands.

There is nothing in the sent folder in either the Outlook or webmail folder. The first I knew is when the bounces appeared in my inbox.

SMTP transactions aren't normally copied to the Sent folder online in the way people think.  A well behaved email client will copy the mail to the Sent Folder on the computer that sends the mail.  If that mail client uses IMAP then any sent mails not on the server are uploaded when the computer downloads incoming mails.  This is why mails sent from clients using POP3 don't appear in webmail either.

I am always careful not to open rogue emails and not click any links or open attachments. All filters in webmail look OK and only ones that I have set up are in there. I also have 2 other alias emails set up under my primary email address, and my family also have email addresses in 'my other VM accounts'. Could they have been the compromised one, or as the authenticated user was my address, is it solely originating from my account.

No - The Authenticated user is the one to watch for - this comes as a result of this part of an email send.

AUTH LOGIN
334 VXNlcm5hbWU=
bXlhZGRyZXNzQGJsdWV5b25kZXIuY28udWs=
334 UGFzc3dvcmQ=
TXlwYXNzd29yZA==
235 Authentication Succeeded

These lines send Virgin Media my email address and password.  It is the address sent here that appears in the X-Authenticated-User: header.  It looks encrypted but it's not, BTW.  If you put the lines into a Base64 decoder you'll be able to read them. (Note to Mods: needless to say, in this case decoding them won't give anyone my username or password, so there's no need to edit them out)

bXlhZGRyZXNzQGJsdWV5b25kZXIuY28udWs= is myaddress@blueyonder.co.uk
TXlwYXNzd29yZA== is Mypassword

So were I to send, the X-Authenticated-User: line in the mail would read myaddress@blueyonder.co.uk.

This authentication has to be done BEFORE the mail client can send the MAIL FROM: command which gives the envelope sender.  Virgin's server rejects any attempt to send mail until the user has sent a valid username and password.

All very unsettling.

Thanks again for the assistance.

John
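The AUTH LOGIN exchange quoted above, together with Tim's earlier point that bounces go to the envelope sender, as one added worked example (not Virgin Media's server code and not from this thread): a Python model of a submission server's state machine. It refuses MAIL FROM until AUTH has succeeded, decodes the base64 credentials exactly as the server would, and stamps the authenticated username into X-Authenticated-User while the MAIL FROM address becomes the Return-Path a bounce is addressed to; the From: header the client writes inside DATA is used for neither. The credential store is constructed for the demo, using the myaddress@blueyonder.co.uk / Mypassword pair from the post.

```python
"""Simulated SMTP submission exchange: AUTH LOGIN must precede MAIL FROM.

Added example; not Virgin Media's server and not from the forum.  It models
only the state machine the post describes.  Credential store and addresses
are constructed for the demo.
"""
import base64

ACCOUNTS = {"myaddress@blueyonder.co.uk": "Mypassword"}   # constructed test account


def b64(text):
    return base64.b64encode(text.encode()).decode()


def decode_auth_login(user_line, pass_line):
    """AUTH LOGIN is base64 encoding, not encryption: anyone on the wire can read it."""
    return base64.b64decode(user_line).decode(), base64.b64decode(pass_line).decode()


class SubmissionServer:
    def __init__(self, accounts):
        self.accounts = accounts
        self.auth_user = None          # set only by a successful AUTH
        self.auth_step = None          # None | "user" | "pass"
        self.pending_user = None
        self.envelope_from, self.rcpts = None, []
        self.in_data, self.data_lines = False, []
        self.delivered = []            # messages stamped and queued

    def feed(self, line):
        """Process one client line; return the server reply (None while inside DATA)."""
        if self.in_data:
            if line != ".":
                self.data_lines.append(line)
                return None
            self.in_data = False
            self.delivered.append(self._stamp())
            self.envelope_from, self.rcpts, self.data_lines = None, [], []
            return "250 OK queued"
        if self.auth_step == "user":
            self.pending_user = base64.b64decode(line).decode()
            self.auth_step = "pass"
            return "334 " + b64("Password")          # 334 UGFzc3dvcmQ=
        if self.auth_step == "pass":
            self.auth_step = None
            if self.accounts.get(self.pending_user) == base64.b64decode(line).decode():
                self.auth_user = self.pending_user
                return "235 Authentication Succeeded"
            return "535 Authentication credentials invalid"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-AUTH LOGIN\n250 OK"
        if verb == "AUTH":
            if arg.upper() != "LOGIN":
                return "504 Unrecognized authentication type"
            self.auth_step = "user"
            return "334 " + b64("Username")          # 334 VXNlcm5hbWU=
        if verb == "MAIL":
            if self.auth_user is None:               # the check the post describes
                return "530 Authentication required"
            self.envelope_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            if self.envelope_from is None:
                return "503 Need MAIL FROM first"
            self.rcpts.append(arg.split(":", 1)[1].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"

    def _stamp(self):
        """Trace fields the server adds; none is copied from the client's From: header."""
        return {"return_path": self.envelope_from,       # where a bounce will be sent
                "x_authenticated_user": self.auth_user,   # who actually logged in
                "rcpts": list(self.rcpts),
                "data": "\n".join(self.data_lines)}


def run(server, client_lines):
    """Feed a scripted client transcript; collect the non-empty replies."""
    return [r for r in (server.feed(l) for l in client_lines) if r is not None]


def demo():
    srv = SubmissionServer(ACCOUNTS)
    refused = srv.feed("MAIL FROM:<myaddress@blueyonder.co.uk>")   # before AUTH: 530
    replies = run(srv, [
        "EHLO spammer.example", "AUTH LOGIN",
        b64("myaddress@blueyonder.co.uk"), b64("Mypassword"),       # the lines in the post
        "MAIL FROM:<myaddress@blueyonder.co.uk>", "RCPT TO:<kc@q.com>", "DATA",
        "From: Dodie Jensen <myaddress@blueyonder.co.uk>", "To: K C <kc@q.com>",
        "Subject: Fwd: for KC", "", "spam body", ".", "QUIT"])
    return refused, replies, srv.delivered[0]


if __name__ == "__main__":
    refused, replies, msg = demo()
    print(refused, *replies, msg, sep="\n")
```

Running demo() shows the refusal on the pre-AUTH MAIL FROM, the 334 challenges whose base64 decodes to "Username" and "Password", and a queued message whose x_authenticated_user is the account that logged in while return_path is whatever the client put in MAIL FROM; in this thread both were John's address, which is why the bounces landed in his inbox.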

Superuser
Helpful Answer



@JohnOrrett wrote:

Thanks coenoby. I have a paid-for subscription to Malwarebytes and that has always come up clean. I have used the pwned website before and all of my email addresses, mail and aliases are on the list.

As an aside, I am trying to log in to my alias accounts, but none of the passwords seem to work, as they are not often used. Should the alias password mirror the primary email password?

Appreciate the assistance as ever, John


Yes, aliases of blueyonder email accounts share the mailbox and password of the parent address of which they are an alias.  It was possible to set up aliases for the primary account and for additional accounts back in the Telewest/Blueyonder days.

_________________________________________________________
Graham
I am a VM customer. There are no guarantees that my advice will work. To say thanks click the kudos thumb. If I have solved your problem please click the helpful answer button.