  1. #1
    Untangler
    Join Date
    Dec 2012
    Posts
    43

    Default has been hacked, change your password ASAP

    I have seen hundreds of these emails; it is obvious that this is spam, so why are they getting through with a score of 0?


    H​el​lo​,

    A​s ​yo​u ​ma​y ​ha​ve​ n​ot​ic​ed​, ​I ​se​nt​ t​hi​s ​em​ai​l ​fr​om​ y​ou​r ​em​ai​l ​ac​co​un​t ​(i​f ​yo​u ​di​dn​'t​ s​ee​, ​ch​ec​k ​th​e ​fr​om​ e​ma​il​ i​d)​. ​In​ o​th​er​ w​or​ds​, ​I ​ha​ve​ f​ul​lc​ce​ss​ t​o ​yo​ur​ e​ma​il​ a​cc​ou​nt​.

    I​ i​nf​ec​te​d ​yo​u ​wi​th​ a​ m​al​wa​re​ a​ f​ew​ m​on​th​s ​ba​ck​ w​he​n ​yo​u ​vi​si​te​d ​an​ a​du​lt​ s​it​e,​ a​nd​ s​in​ce​ t​he​n,​ I​ h​av​e ​be​en​ o​bs​er​vi​ng​ y​ou​r ​ac​ti​on​s.​

    T​he​ m​al​wa​re​ g​av​e ​me​ f​ul​l ​ac​ce​ss​ a​nd​ c​on​tr​ol​ o​ve​r ​yo​ur​ s​ys​te​m,​ m​ea​ni​ng​, ​I ​ca​n ​se​e ​ev​er​yt​hi​ng​ o​n ​yo​ur​ s​cr​ee​n,​ t​ur​n ​on​ y​ou​r ​ca​me​ra​ o​r ​mi​cr​op​ho​n ​an​d ​yo​u ​wo​n'​t ​ev​en​ n​ot​ic​e ​ab​ou​t ​it​.

    ​I ​al​so​ h​av​e ​ac​ce​ss​ t​o ​al​l ​yo​ur​ c​on​ta​ct​s.

    ​Wh​y ​yo​ur​ a​nt​iv​ir​us​ d​id​ n​ot​ d​et​ec​t ​ma​lw​ar​e?​
    I​t'​s ​si​mp​le​. ​My​ m​al​wa​re​ u​pd​at​es​ i​ts​ s​ig​na​tu​re​ e​ve​ry​ 1​0 ​mi​nu​te​s,​ a​nd​ t​he​re​ i​s ​no​th​in​g ​yo​ur​ a​nt​iv​ir​us​ c​an​ d​o ​ab​ou​t ​it​.

    ​I ​ma​de​ a​ v​id​eo​ s​ho​wi​ng​ b​ot​h ​yo​u ​(t​hr​ou​gh​ y​ou​r ​we​bc​am​) ​an​d ​th​e ​vi​de​o
    ​yo​u ​we​re​ w​at​ch​in​g ​(o​n ​th​e ​sc​re​en​) ​wh​il​e ​sa​ti​sf​yi​ng​ y​ou​rs​el​f.
    W​it​h ​on​e ​cl​ic​k,​ I​ c​an​ s​en​d ​th​is​ v​id​eo​ t​o ​al​l ​yo​ur​ c​on​ta​ct​s ​(e​ma​il​, ​so​ci​al​ n​et​wo​rk​, ​an​d ​me​ss​en​ge​rs​ y​ou​ u​se​).​

    ​Yo​u ​ca​n ​pr​ev​en​t ​me​ f​ro​m ​do​in​g ​th​is​.
    ​To​ s​to​p ​me​, ​tr​an​sf​er​ $986​ t​o ​my​ b​it​co​in​ a​dd​re​ss​.
    ​If​ y​ou​ d​o ​no​t ​kn​ow​ h​ow​ t​o ​do​ t​hi​s,​ G​oo​gl​e ​- ​"B​uy​ B​it​co​in​".​

    ​My​ b​it​co​in​ a​dd​re​ss​ (​BT​C ​Wa​ll​et​) ​is 1JYn9ayLDQdQSXKWkPECugjShKYqWzm7LA

    ​Af​te​r ​re​ce​iv​in​g ​th​e ​pa​ym​en​t,​ I​ w​il​l ​de​le​te​ t​he​ v​id​eo​,
    ​an​d ​yo​u ​wi​ll​ n​ev​er​ h​ea​r ​fr​om​ m​e ​ag​ai​n.
    Y​ou​ h​av​e ​48​ h​ou​rs​ t​o ​pa​y.​ S​in​ce​ I​ a​lr​ea​dy​ h​av​e ​ac​ce​ss​ t​o ​yo​ur​ s​ys​te​m
    I​ n​ow​ k​no​w ​th​at​ y​ou​ h​av​e ​re​ad​ t​hi​s ​em​ai​l,​ s​o ​yo​ur​ c​ou​nt​do​wn​ h​as​ b​eg​un​.

    ​Fi​li​ng​ a​ c​om​pl​ai​nt​ w​il​l ​no​t ​do​ a​ny​ g​oo​d
    ​be​ca​us​e ​th​is​ e​ma​il​ c​an​no​t ​be​ t​ra​ck​ed​.
    ​I ​ha​ve​ n​ot​ m​ad​e ​an​y ​mi​st​ak​es​.

    I​f ​I ​fi​nd​ t​ha​t ​yo​u ​ha​ve​ s​ha​re​d ​th​is​ m​es​sa​ge​ w​it​h ​so​me​on​e ​el​se​, ​I ​wi​ll​ i​mm​ed​ia​te​ly​ s​en​d ​th​e ​vi​de​o ​to​ a​ll​ o​f ​yo​ur​ c​on​ta​ct​s.​

    ​Ta​ke​ c​are

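    The body quoted above carries a zero-width character (typically U+200B) between nearly every pair of letters, so a content rule that looks for "bitcoin" or "BTC Wallet" in the raw text never matches. The PowerShell below is an added example, not from this thread or from Untangle, that measures the density of such invisible characters in a message body and runs keyword checks against the cleaned text. The function names, the 10% threshold, the keyword list and the constructed sample line are all assumptions.

```powershell
# Added example: flag zero-width-character obfuscation in a decoded message body.
# Assumes $Body is already a decoded .NET string; threshold and keywords are illustrative.

function Get-ZeroWidthStats {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Body
    )
    # Invisible code points commonly inserted to break up keywords.
    $zeroWidth = @(
        [char]0x200B,  # ZERO WIDTH SPACE
        [char]0x200C,  # ZERO WIDTH NON-JOINER
        [char]0x200D,  # ZERO WIDTH JOINER
        [char]0x2060,  # WORD JOINER
        [char]0xFEFF   # ZERO WIDTH NO-BREAK SPACE
    )
    $chars   = $Body.ToCharArray()
    $count   = @($chars | Where-Object { $zeroWidth -contains $_ }).Count
    $letters = @($chars | Where-Object { [char]::IsLetter($_) }).Count
    $ratio   = if ($letters -gt 0) { $count / $letters } else { 0 }
    [pscustomobject]@{
        ZeroWidthCount = $count
        LetterCount    = $letters
        Ratio          = [math]::Round($ratio, 3)
        # Text with the invisible characters stripped; keyword rules must run on this.
        Cleaned        = -join ($chars | Where-Object { $zeroWidth -notcontains $_ })
    }
}

function Test-ZeroWidthObfuscation {
    param(
        [Parameter(Mandatory)][string]$Body,
        # One invisible character per ten letters is already far beyond anything normal text contains.
        [double]$MinRatio = 0.10,
        [string[]]$Keywords = @('bitcoin', 'btc wallet', 'webcam')
    )
    $stats = Get-ZeroWidthStats -Body $Body
    # -match is case-insensitive by default; escape the keyword so it is matched literally.
    $hits = @($Keywords | Where-Object { $stats.Cleaned -match [regex]::Escape($_) })
    [pscustomobject]@{
        Obfuscated  = ($stats.Ratio -ge $MinRatio)
        Ratio       = $stats.Ratio
        KeywordHits = $hits
        Cleaned     = $stats.Cleaned
    }
}

# Constructed sample: the same trick as the quoted email, built here by interleaving
# U+200B between the characters of a plain sentence so the example runs on its own.
$zwsp   = [string][char]0x200B
$sample = -join ('Transfer $986 to my bitcoin address'.ToCharArray() | ForEach-Object { "$_$zwsp" })

Test-ZeroWidthObfuscation -Body $sample | Format-List
```

    A sender-reputation or link-based filter has nothing to work with on a message like this, which is why a body-level check such as the one above (or simply normalizing the body before keyword rules run) is the place to catch it.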
  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,928


    What is the SPAM event show for this email? /admin/index.do#reports?cat=spam-blocker&rep=all-email-events
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler
    Join Date
    Apr 2010
    Posts
    104


    These emails also get past the O365 spam filter, even though we do not see hundreds of them, just occasionally. I think the reason is that there's not much wrong with them. There are no links or anything else suspicious about those emails. They are just simple text messages. So as long as the sender's reputation is not flagged, they will probably get through.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,437


    For me a good portion of these messages come with blob.core.windows.net links in them, so I have mailflow rules there to nuke all of those.

    But the above? Users forward them to me from time to time, no attachments, no links... not much to make an automatic decision on, but it also means the user has to be smart enough to use a bitcoin wallet, but dumb enough to fall for the scam. Thus far, all I've been getting are users confused as to how to get a bitcoin wallet.

    I suppose this will be a larger problem in the future if more people start using bitcoin.

    I suppose you COULD filter based on bitcoin, and BTC Wallet, but that might be an issue in the future.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Dec 2012
    Posts
    43


    On further examination it looks as though they made it look like it was coming from our mail server.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,437


    Well then, why is your server accepting unauthenticated mail from authoritative domains? That's something it shouldn't do!

    And something you can and should fix!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    May 2019
    Posts
    7


    We've been seeing more of these recently too. They do get past O365, Google, and even our 3rd party spam filter.

    I've looked at the headers for quite a few of these; they're not being relayed by the real mail server but are coming from compromised servers. In a lot of the cases they seem to be from compromised WordPress sites or poorly configured mail relays. They're basically spoofing the header.

    What's interesting is we and most of our clients have SPF records with hard fail and they still seem to slip through occasionally.

  8. #8
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,687


    Quote Originally Posted by KnightWolf:
    I've looked at the headers for quite a few of these, they're not being relayed by the real mail server but are coming from compromised servers.
    This doesn't matter. You know who the authorized senders are for your domain, and you can configure those servers to reject messages that claim to originate with your domain but don't actually come from one of those authorized servers.

    Probably the best way to accomplish this is to make sure all of your authorized servers DKIM sign their messages, and then publish a DKIM Reject policy in DNS for anything that's not signed. This can also produce a nice bump in your spam score, such that messages your organization sends to others are also much more likely to reach their destinations.
    Last edited by jcoehoorn; 05-22-2019 at 01:02 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,437


    I suppose, now is the time to give away more valuable information...

    So, if you're using Exchange 2016+ or Office 365, you need to open your admin panel for exchange, click mail flow on the left and make a new rule.

    Name: Email Spoof Protection
    Apply this rule if: Outside the organization
    The sender's domain is: thedomainyougetmailon.com
    Do the following: Generate incident report and send it to... whatever mailbox you want to get these reports
    AND
    Deliver the message to the hosted quarantine
    Except if: Feed this a list of /32 IP addresses you want to be able to send without authenticating, I use these so MOPIERS can scan to mail without mucking about with authenticating, it removes support tickets.
    or
    The sender's domain is: Insert list service domains that send on your behalf so your people can get the test mails.

    Everyone should have such a rule... EVERYONE. And yeah, if you use Exchange via O365 and you don't have DKIM setup, you need to do that too, it's two DNS records... chop chop!

    You can see here an example of this rule protecting an O365 user from the sort of spam listed in this OP, on Friday 5-17

    Code:
    This email was automatically generated by the Generate Incident Report action.
    Message Id: <DA541B02-5D0C-87EC-7CE5-CB8FE0D796E9@lojamedica.com.br>
    Sender: mhyder@xxxxxxx.com
    Subject: Hackers know password from your account. Password must be changed now.
    Recipients: mhyder@xxxxxxx.com
    To: mhyder@xxxxxxxx.com
    Properly configured mail servers > than spam filtration... these things don't happen by accident, it's our job to get it done people.

    Oh and when you're making the mail flow rule don't forget to click the more options link at the bottom... FIRST... bad UI is bad, but that's the way it is.

    But the bottom line is, no mail server should ever accept a message "from" a domain it's authoritative for, unless it's via an authenticated session. If it does, you open this door. Now you can't actually close this with O365, but you can use the rule above to ensure the messages are quarantined. You can also use this on more recent on premise Exchange servers instead of locking out things at the connector level, this provides some visibility.
    Last edited by sky-knight; 05-22-2019 at 03:26 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
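    The same "Email Spoof Protection" rule described in the post above can be created from Exchange Online PowerShell rather than the admin panel. The block below is an added example, not from the original post or from Microsoft's documentation; it assumes an Exchange Online session is already open (Connect-ExchangeOnline), that the hosted quarantine action is available to the tenant, and that the domain, report mailbox, /32 addresses and list-service domains are placeholders you replace with your own (the IPs are from the RFC 5737 documentation range).

```powershell
# Added example: create the external-mail spoof rule described in the post with Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run. All values below are placeholders.

$protectedDomain        = 'thedomainyougetmailon.com'                 # the domain you get mail on
$reportMailbox          = 'spoof-reports@thedomainyougetmailon.com'   # where incident reports go
$unauthenticatedSenders = @('192.0.2.10/32', '192.0.2.11/32')         # e.g. copiers that scan-to-mail without auth
$thirdPartySenders      = @('example-list-service.com')               # list services that send on your behalf

New-TransportRule -Name 'Email Spoof Protection' `
    -FromScope NotInOrganization `
    -SenderDomainIs $protectedDomain `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender, Recipients, Subject `
    -Quarantine $true `
    -ExceptIfSenderIpRanges $unauthenticatedSenders `
    -ExceptIfSenderDomainIs $thirdPartySenders `
    -Comments 'Quarantine external mail claiming to come from our own domain'

# Confirm the rule was stored with exactly the scope and exceptions you intended.
Get-TransportRule -Identity 'Email Spoof Protection' |
    Format-List Name, State, FromScope, SenderDomainIs, Quarantine, ExceptIfSenderIpRanges, ExceptIfSenderDomainIs
```

    Multiple exceptions on one transport rule are combined with OR, which matches the "or" between the IP list and the list-service domains in the post. Keep the exception lists as short as possible: every /32 you add is an address that can send as your domain without authenticating.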
