Can my zoneedit account be involved in a spoofing ...

xtian

New Member
...accounts with twitter, wordpress, pinterest which I'm receiving in my gmail account. This gmail account also receives emails from my zoneedit managed domain email (redirects from a legacy gmail service). So I don't know if my gmail account or my zoneedit domain email is being attacked.
Here is an email sent to my gmail account for a domain I don't own--omegatronz.

I'm also receiving sign-up confirmations from wordpress, twitter, and this is from pinterest. I have accounts at all three. Any ideas what's going on and if the attack _could_ involve my zoneedit redirect?


[Attachment: pinterest_omegatrons_02.jpg]

sandy

Administrator
Staff member
What is the domain name you have with Zoneedit?
OMEGATRONS.COM is not using zoneedit at present.

thanks
sandy
 

xtian

New Member
> What is the domain name you have with Zoneedit?
> OMEGATRONS.COM is not using zoneedit at present.
>
> thanks
> sandy

My personal domain registered with ZE/Easy is christiansimon DOT com. Emails sent to this domain are currently forwarded to my gmail account, and thus I don't know how to determine if the new accounts are spoofed from @cs.com or my gmail. Since this is intermittent, I don't know what is a reliable test (e.g. stopping @cs.com forwarding).

I don't know much about this sort of thing. I'm starting to recall I have a dns rule to forward ANYTHING @ cs.com to gmail. Maybe this is the problem?
 

sandy

Administrator
Staff member
If you can get a copy of the full message headers from your gmail account they might detail the actual email address being sent to.
In addition, if you have another email account, say Hotmail for example, you could change the mail maps to forward to that other email address and see what happens with the spoofed messages.

thanks
sandy
 

xtian

New Member
I forgot about this view from the Gmail pulldown.

Yikes, there it is. info AT cs DOT com and zoneedit!

What can we do about this besides turning off forwarding?

```
Delivered-To: xtiansimon AT gmail DOT com
Received: by 10.50.47.130 with SMTP id d2csp1447897ign;
Thu, 2 Apr 2015 09:25:31 -0700 (PDT)
X-Received: by 10.55.43.3 with SMTP id r3mr62944430qkh.80.1427991931329;
Thu, 02 Apr 2015 09:25:31 -0700 (PDT)
Return-Path: <SRS0=EsLk=EP=email.pinterest.com=bounces+644560-9c20-info=omegatrons.com@bounce.secureserver.net>
Received: from mailfwd2.zoneedit.com (mailfwd2.zoneedit.com. [166.88.18.34])
by mx.google.com with ESMTP id h8si5449178qgd.108.2015.04.02.09.25.30
for <xtiansimon AT gmail DOT com>;
Thu, 02 Apr 2015 09:25:31 -0700 (PDT)
Received-SPF: fail (google.com: domain of SRS0=EsLk=EP=email.pinterest.com=bounces+644560-9c20-info=omegatrons.com@bounce.secureserver.net does not designate 166.88.18.34 as permitted sender) client-ip=166.88.18.34;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of SRS0=EsLk=EP=email.pinterest.com=bounces+644560-9c20-info=omegatrons.com@bounce.secureserver.net does not designate 166.88.18.34 as permitted sender) smtp.mail=SRS0=EsLk=EP=email.pinterest.com=bounces+644560-9c20-info=omegatrons.com@bounce.secureserver.net;
dkim=pass header.i=@email.pinterest.com;
dmarc=pass (p=REJECT dis=NONE) header.from=pinterest.com
Received: from p3plsmtp22-01.prod.phx3.secureserver.net (p3plsmtp22-01.prod.phx3.secureserver.net [68.178.252.53])
by mailfwd2.zoneedit.com (Postfix) with ESMTP id 1FBBD2026E95 <---------------------- YIKES!
for <info AT christiansimon DOT com>; Thu, 2 Apr 2015 09:25:28 -0700 (PDT) <---------------------- YIKES!
Received: (qmail 4555 invoked from network); 2 Apr 2015 16:25:28 -0000
Delivered-To: info@omegatrons.com
Received: (qmail 4457 invoked by uid 30297); 2 Apr 2015 16:25:26 -0000
Received: from unknown (HELO p3plibsmtp01-12.prod.phx3.secureserver.net) ([72.167.238.228])
(envelope-sender <bounces+644560-9c20-info=omegatrons.com@email.pinterest.com>)
by p3plsmtp22-01.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <info@omegatrons.com>; 2 Apr 2015 16:25:26 -0000
Received: from o8.email.pinterest.com ([198.37.150.203])
by p3plibsmtp01-12.prod.phx3.secureserver.net with bizsmtp
id B4RR1q0044PZ1vJ014RRrA; Thu, 02 Apr 2015 09:25:26 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=email.pinterest.com;
h=content-type:mime-version:subject:from:to:reply-to;
s=s20150106; bh=xbQtn2K64yOcj/S6oM0btkfOnm8=; b=ZHjiC+MIkC71zPxH
26qQpuBM6ZzJ9QNN9/oZ47TSEMZ1GxvojhI9GfekWRfr08XS670npsQX/PtX1Ylb
v/Mw92/wjctInB/T2olqcuAvlo2j/x+8wpSf7ZP7/aFBIz1nZQBKryF3k5fKtsFc
HFJF3DTjL9UW/lBgP/N9GufR29M=
Received: by filter0244p1mdw1.sendgrid.net with SMTP id filter0244p1mdw1.25255.551D6D731D
2015-04-02 16:25:24.10641679 +0000 UTC
Received: from jobs-weeklyemail-lines-2fc5e106.ec2.pin220.com (ec2-54-162-55-93.compute-1.amazonaws.com [54.162.55.93])
by ismtpd-019 (SG) with ESMTP id 14c7af38ce1.519d.1a800b
for <info@omegatrons.com>; Thu, 02 Apr 2015 16:25:24 +0000 (UTC)
Content-Type: multipart/alternative;
boundary="===============3793775594225863021=="
MIME-Version: 1.0
Subject: Find out where Pins come from
From: Pinterest <pinbot@pinterest.com>
To: info@omegatrons.com
Date: Thu, 02 Apr 2015 16:25:23 -0000
Message-ID: <20150402162523.25774.99993@jobs-weeklyemail-lines-2fc5e106.ec2.pin220.com>
Reply-To: pinbot@email.pinterest.com
X-SG-EID: wrifuWbylMFDiFdWE6Tf/D3mkHW+5AOtw2pyqDpduKWV5oulxfGTGdBrtQRY9GqoOvtgmf77Flwsf4
dDCA5c+5rZyuJKz1PjnxQwReyCezo1EQvynVt4/0beykS0KKCCgQ5tqke2bLVL7iVDSjuP56mwEzI+
uLW3wcJfgzOlEm8=
X-SG-ID: WMLztlB6QyiGaIjT5SJciyjOkSlGknstdXwdvb4SuYvTxdsGaW+ZdfY5nYfmG/OenuoQ+Zv9bII4Is
KaJh1ZHD5bJNITN0qOIqgWINlxtxnCeIQfDL1wGV9NV1RQcKxxdNSVe240zQtzkxgSqeBKodk6jv+i
dzBcmuBMu3DVEWY6ojjKko8fL+dvkWBMT1YaypgYpGRRlsxewTgn3ilCHoZaCrImf38ElQd7S3VNo2
3M/hRZkMMWuGYcsRaw2yQ1d3tdQtmFxYKycDPTXlLW5b1/quaq2MLgh4hbfzdIfkiU8vzjCx5QEyvv
fJyXxKol

--===============3793775594225863021==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
```
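One way to do what sandy suggests above, reading the full headers to find the address each hop actually accepted the mail for, as an added Python example that is not part of this thread or of ZoneEdit. The header text is a constructed sample modelled on the headers posted above, with the personal mailboxes replaced by .example placeholders and the qmail hops and DKIM signature left out:

```python
import email
import re

# Constructed sample modelled on the headers posted in this thread; the
# personal mailboxes are .example placeholders, not the real addresses.
SAMPLE = """\
Delivered-To: xtiansimon@gmail.example
Received: from mailfwd2.zoneedit.com (mailfwd2.zoneedit.com. [166.88.18.34])
 by mx.google.com with ESMTP id h8si5449178qgd.108.2015.04.02.09.25.30
 for <xtiansimon@gmail.example>; Thu, 02 Apr 2015 09:25:31 -0700 (PDT)
Authentication-Results: mx.google.com;
 spf=fail (google.com: 166.88.18.34 is not a permitted sender) smtp.mail=SRS0=x=y=email.pinterest.com=bounces-info=omegatrons.com@bounce.secureserver.net;
 dkim=pass header.i=@email.pinterest.com;
 dmarc=pass (p=REJECT dis=NONE) header.from=pinterest.com
Received: from p3plsmtp22-01.prod.phx3.secureserver.net ([68.178.252.53])
 by mailfwd2.zoneedit.com (Postfix) with ESMTP id 1FBBD2026E95
 for <info@christiansimon.example>; Thu, 2 Apr 2015 09:25:28 -0700 (PDT)
Delivered-To: info@omegatrons.com
Received: from o8.email.pinterest.com ([198.37.150.203])
 by p3plibsmtp01-12.prod.phx3.secureserver.net with bizsmtp
 for <info@omegatrons.com>; Thu, 02 Apr 2015 09:25:26 -0700

"""


def recipient_chain(raw):
    """Addresses each relay accepted the mail *for*, oldest hop first.
    Each relay prepends its own Received header, so stored order is newest
    first; reversing gives origin -> final mailbox."""
    msg = email.message_from_string(raw)
    chain = []
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"for\s+<([^>]+)>", hop)
        if m:
            chain.append(m.group(1).lower())
    return chain


def forwarding_rewrites(raw):
    """Consecutive hops where the recipient changed: each one is a forwarder."""
    chain = recipient_chain(raw)
    return [(a, b) for a, b in zip(chain, chain[1:]) if a != b]


def auth_results(raw):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results."""
    msg = email.message_from_string(raw)
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            verdicts[method] = verdict
    return verdicts
```

Run over the real headers, the rewrite list shows at which hop info@omegatrons.com was turned into info@christiansimon.com and at which hop that address was forwarded on to gmail, while the SPF failure at mx.google.com is the expected result of a forwarder re-sending from an IP the envelope-sender domain does not list.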
 

sandy

Administrator
Staff member
There are a few options.
In Gmail you can set the message as spam so all further matching messages will also be marked as spam.
You could also remove that mail map for a while, then fire it up again in a week or so. Often this helps once the spoofing machine starts to get returned messages on the email address being sent to.
If the messages have an unsubscribe link, try these as well.

If you think your email address was picked up while signing up for a service or something like that, create a mail map that you can use for sign-up purposes only.
Say signup@domain.com... then when you start receiving spam sent to that address you would know where it originated from, or rather what site may be sharing your email address.



I hope this helps.

thanks
sandy
 

xtian

New Member
If it was picked up in the manner you suggest, it happened long ago. With wildcard email domains enabled, I had the habit of going even further and making the site part of the email!

The trouble is I've been signed up to Pinterest, Wordpress and Twitter in this spoof attack. While I could disable info@ for the time being, these accounts will stay until such time as I reactivate that email again--naturally. What can I do about that?

Strangely, I am also receiving emails regularly now from the spoofers. It seems my complaint with the above accounts has triggered something.

```
Omegatrons Simple Contact us Form
Inbox
x
info AT christiansimon DOT me

Apr 6 (1 day ago)

to info
Form details below.

Name: Christian Simon
Email: info AT christiansimon DOT me
Message: Jesus Loves You!
```

Seems this cs.me is registered (WHOIS) with these spoofers here in Penn. I feel like I'm on the fringes of an identity theft attack or some such nasty.
 

sandy

Administrator
Staff member
For the accounts that you want to maintain, you could create a new mail map specific to those accounts, then change the personal info on those accounts to contain that new specific email address.

thanks
sandy
 