attempted phishing scam from zoneedit customer - Advice Requested

bob_labla

New Member
I got this phishing email that is attempting to say they have hacked into my mail server.

I know it is nonsense because I don't run a mail server to be hacked. I just have e-mails from my domain.org forwarded to my google account.

My question is:
How do I prevent people from spoofing my domain like this? To most people it will look like a message like this came from me, unless you look at the message details, where you can see that it is not originating from my domain. I believe this person is a zoneedit customer as well. The message looks like it came from Brazil.

How should MX and TXT be set up to allow forwards but not allow others to spoof with my domain? Looks like SPF did nothing here to stop it.
I have changed items in bold to be generic.

ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) smtp.mailfrom="SRS0=gyLq=M5=mydomain.org=username@srszone.org"
Return-Path: <SRS0=gyLq=M5=mydomain.org=username@srszone.org>
Received: from mxc02.zoneedit.com (mxc02.zoneedit.com. [64.68.198.24])
by mx.google.com with ESMTPS id g187-v6si11779960iof.28.2018.10.17.09.11.58
for <username@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Wed, 17 Oct 2018 09:11:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) client-ip=64.68.198.24;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) smtp.mailfrom="SRS0=gyLq=M5=mydomain.org=username@srszone.org"
Received: from 189-73-36-188.mganm703.e.brasiltelecom.net.br (unknown [189.73.36.188]) by mxc02.zoneedit.com (Postfix) with ESMTP id CB940877EB for <username@mydomain.org>; Wed, 17 Oct 2018 16:11:57 +0000 (UTC)
From: <username@mydomain.org>
To: <username@mydomain.org>
Subject: username@mydomain.org is hacked
Date: 17 Oct 2018 08:40:58 -0400
Message-ID: <001801d4661a$038cc88b$e31da6b2$@mydomain.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Acab5anvc67qqw2xab5anvc67qqw2x==
Content-Language: en
 

egrus

New Member
Same thing is going on with me man!
They've been targeting my domain for a few weeks now and I've had enough

And I do the same thing, I have a free ZoneEdit domain and I use it for mail forwarding to my GMail

I'm not too technical when it comes to the inner workings of email / SMTP, but I can see that if I look at the full original mail it shows who the message really came from.

Received: from abts-north-dynamic-125.7.163.122.airtelbroadband.in (unknown [122.163.7.125]) by mxc01.zoneedit.com (Postfix) with ESMTP id B5C1B12750A for <username@mydomain.org>; Tue, 23 Oct 2018 12:27:43 +0000 (UTC)

This is very annoying though, and alarming that they're able to spoof the sender so easily.
I too would like to know how exactly they're able to do this, and what we can do to stop it from happening in the future.
 

sandy neal

Administrator
Staff member
Do you have SPF enabled on the domain's zone file as well as the receiving mail server?

thanks
sandy
 

bob_labla

New Member
Do you have SPF enabled on the domain's zone file as well as the receiving mail server?

thanks
sandy
Sandy,

Can you walk us through exactly what to change in the SPF settings on zoneedit? I currently only allow forwards to my gmail as described above. I think the problem is the spammers are also using zoneedit, so it is going to pass right through.
 

bob_labla

New Member
Sandy,

I have the following SPF setup through zoneedit.

v=spf1 mx -all

The problem is that Zoneedit is what the spammers are using to send all this junk out, so it is going to let them through.

If I change the SPF to:
v=spf1 -all

then my forward no longer works because no domains are allowed to send mail through.
 
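As an added example (not ZoneEdit's or Google's code), the script below walks the header chain quoted in the first post through a toy SPF evaluator to show why `v=spf1 mx -all` on mydomain.org neither stopped the spoof nor was even consulted by Gmail. Hostnames, IPs and the SRS address are copied from the posted headers; DNS is replaced by a constructed table (the MX list for mydomain.org and the address of mxc01 are assumptions), and the envelope sender the Brazilian host used when it connected to ZoneEdit is assumed to be username@mydomain.org, since that hop's MAIL FROM is not shown. The evaluator covers only the `mx`, `ip4:` and `all` mechanisms, which is enough for the records discussed here.

```python
"""Trace why the spoofed message in the first post passed SPF at Gmail.

Added example, not ZoneEdit's or Google's code.  Hostnames, IPs and addresses
come from the headers quoted above; DNS is replaced by a constructed table so
the script runs offline.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS.  Assumption: mydomain.org's MX records point at
# ZoneEdit's exchangers (the headers show mxc02.zoneedit.com accepting mail for
# username@mydomain.org); the address for mxc01 is made up.
FAKE_DNS_MX = {"mydomain.org": ["mxc01.zoneedit.com", "mxc02.zoneedit.com"]}
FAKE_DNS_A = {
    "mxc01.zoneedit.com": ["64.68.198.23"],   # constructed
    "mxc02.zoneedit.com": ["64.68.198.24"],   # from the Received header
}

SPF_RECORD = "v=spf1 mx -all"   # the record on the zone, as posted

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, mail_from_domain, client_ip):
    """Toy SPF evaluator: 'mx', 'ip4:' and 'all' terms with +/-/~/? qualifiers.

    SPF evaluates the envelope (MAIL FROM) domain against the connecting IP,
    and nothing else; it never looks at the header From: line.
    """
    if not record.startswith("v=spf1"):
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "mx":
            hosts = FAKE_DNS_MX.get(mail_from_domain, [])
            matched = any(ip_address(a) == ip
                          for h in hosts for a in FAKE_DNS_A.get(h, []))
        elif term.startswith("ip4:"):
            matched = ip in ip_network(term[4:], strict=False)
        else:
            matched = False          # unsupported mechanism: treat as no match
        if matched:
            return RESULT[qualifier]
    return "neutral"                 # no term matched


# SRS0=<hash>=<timestamp>=<original domain>=<original local>@<forwarder domain>
SRS_RE = re.compile(
    r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<fwd>.+)$", re.I)


def srs_decode(address):
    """Split an SRS0 envelope sender into (original sender, forwarder domain)."""
    m = SRS_RE.match(address)
    if not m:
        return None
    return f"{m.group('local')}@{m.group('domain')}", m.group("fwd")


# Subset of the headers from the first post (verbatim, with the domain already
# made generic by the poster).
HEADERS = """\
Return-Path: <SRS0=gyLq=M5=mydomain.org=username@srszone.org>
Received: from mxc02.zoneedit.com (mxc02.zoneedit.com. [64.68.198.24])
 by mx.google.com with ESMTPS id g187-v6si11779960iof.28.2018.10.17.09.11.58
 for <username@gmail.com>
Received: from 189-73-36-188.mganm703.e.brasiltelecom.net.br (unknown [189.73.36.188]) by mxc02.zoneedit.com (Postfix) with ESMTP id CB940877EB for <username@mydomain.org>; Wed, 17 Oct 2018 16:11:57 +0000 (UTC)
From: <username@mydomain.org>
To: <username@mydomain.org>
Subject: username@mydomain.org is hacked
"""


def originating_ip(headers):
    """Return (host, ip) of the earliest hop; Received: headers are prepended,
    so the last one in the message is the first server that saw the mail."""
    hops = re.findall(r"^Received: from (\S+) \((?:\S+ )?\[([\d.]+)\]\)",
                      headers, re.M)
    return hops[-1]


def analyse(headers):
    """Reconstruct what each hop could verify from the header chain alone."""
    origin_host, origin_ip = originating_ip(headers)
    envelope = re.search(r"^Return-Path: <([^>]+)>", headers, re.M).group(1)
    header_from = re.search(r"^From: <([^>]+)>", headers, re.M).group(1)
    original_sender, forwarder_domain = srs_decode(envelope)
    from_domain = header_from.split("@")[1]
    return {
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "header_from_domain": from_domain,
        # What ZoneEdit's MX could have evaluated when the Brazilian host
        # connected (assuming it also used username@mydomain.org as MAIL FROM).
        "spf_if_zoneedit_checked_origin":
            check_spf(SPF_RECORD, from_domain, origin_ip),
        # After SRS rewriting, Gmail evaluates SPF for the forwarder's domain
        # only, so mydomain.org's record is never consulted at that hop.
        "spf_domain_checked_by_gmail": forwarder_domain,
        "original_sender_recovered_from_srs": original_sender,
        "header_from_covered_by_spf_at_gmail": from_domain == forwarder_domain,
    }


if __name__ == "__main__":
    for key, value in analyse(HEADERS).items():
        print(f"{key:40} {value}")
```

Two things fall out of the trace. The `-all` record would have rejected the Brazilian host outright, but only if the server it connected to (ZoneEdit's MX) evaluated SPF for mydomain.org on inbound mail; by the time Gmail ran its check the envelope had been SRS-rewritten to srszone.org, so Gmail's `spf=pass` says nothing about mydomain.org. The displayed `From:` is not covered by SPF at any hop; tying the header From domain to an authenticated identity is what DMARC (with DKIM or aligned SPF) does, which this thread does not go into.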

bob_labla

New Member
Sandy,

I will private message my domain name over to you. However, I think the real concern is that zoneedit/srszone.org is allowing the spammers to use their service. Can you look at the log above and boot these guys off your service for doing stuff like this?
 

Chris Cherry

Mr. Happy To Help You.
To understand how the forwarding mail server works, let's say YOU are the forwarding mail server. I would like you to imagine a knock at your door. Would you know whether the person at the door is delivering a message for a friend or is a solicitor (spammer)?

A messenger is at your door, greets you properly and asks you to deliver this to your Son or Daughter who has asked you to forward mail to their new address. You don't recognize the messenger nor have you heard anything bad about them, so you deliver the message to the Son/Daughter. Your Son/Daughter then reports to you that it was a scam or unwanted solicitation. Does that make you the problem in this scenario?

The same goes for these "You've Been Hacked" emails. We receive these emails from hacked or compromised accounts so they come from "legitimate" sources. There are likely a lot more of these emails being sent to you but are being blocked because of where/how they're sent. The ones that do make it through are difficult to block since they'll likely never originate from that same place as the person or server who is compromised will be notified and patched up. They have hundreds, if not thousands of compromised mailboxes and servers (likely a botnet).

So it's not about booting these guys off our service/server, there is no one to boot because it simply doesn't work that way.
 

bob_labla

New Member
I do NOT originate any email from my domain. This is the key point.

Well, using your analogy....

If someone knocks on the door and claims to be you (your domain), no matter how friendly they greet you, it is obviously not legitimate, because messages are NOT supposed to originate from me (my domain). So they should get this fake person's information and have them tossed out of the neighborhood for attempting to spoof other people.
 

Chris Cherry

Mr. Happy To Help You.
The explanation was to shed light on how the spoofed emails are not some malicious users logged into our service or server that we can boot them off of.

To continue the analogy above and your thoughts: then the messenger would have a message with a return address of your address (so yeah, that would be strange, but not uncommon for people to do). However, you are designated to deliver the message per your Son/Daughter's request.
 

John Walker

New Member
Hello all,

We use Zone Edit to forward all email that goes to @ourdomain.com to our gmail account which works. The issue is that we have a vacation response setup in gmail that is now failing. We were successfully using that up until recently.

Any ideas how to fix this please? We are an animal rescue site and need to know how we can auto-reply please.

Thanks!

to:SRS0=4J8L=RU=edi3.zoneedit.com=www-data@srszone.org
date:Mar 17, 2019, 9:15 AM
subject:Auto-Reply Re: ZoneEdit: Login notification
mailed-by:gmail.com

to:SRS0=CIFQ=RU=gmail.com=kaibuthepoofy@srszone.org
date:Mar 17, 2019, 8:51 AM
subject:Auto-Reply Re:
mailed-by:gmail.com
 

Chris Cherry

Mr. Happy To Help You.
I've seen a couple of tickets escalated with regards to this situation. Our devs are currently looking into it.