Domain Email Hijacked?


S

Steven Banks

Hello All:

I have an issue that is bugging the living daylights out of me. I started
using 1and1 MS Hosting services for my domain. In the past three weeks I
have been getting email that appears to be from my domain. I know for a fact
that they are not because none of the email addresses really exist. To add
fuel to the fire, these emails contain an attached virus in the form of a
..zip file.

Typically the emails look to be from these addresses:
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)

You can see the pattern here...

I'm smart enough to not have opened a single one, and have spam and junk
filters to "move" but not get rid of the problem. The fact that this is
happening at all really irks me. Plus, I don't know if this technique is
being used to send other people this destructive email using my domain name.
That'd be horrible!

How are the perpetrators doing this, why is it getting past my domain hosts,
and what can/should 1and1 hosting be doing to stop this from taking
happening?

Any clues or help appreciated.

Steve Banks
 
Ad

Advertisements

V

Vince Averello [MVP-Outlook]

Sounds like someone out there has a virus/worm that's creating emails with
fake addresses that are getting delivered to you. It's happened to me at
times also. Not much you can do from your end (other than filtering them and
using an antivirus program). Maybe you can setup some server side filtering.
 
S

Steven M. Goldfein

This is the common method that trojans and virus use to spread today. The
last one I did any real research on pulled random addresses from the inbox,
address book and sent items folder for the recipients and the sender. Thus
it makes the emails look even more "legit." :(

Steve
 
S

Steven Banks

Thank you Vince and Steven,

I have server side spam filtering turned on, I guess I have to take it from
medium to high. My real concern was that it appears to be generated from 1&1
mail servers, almost as though they are doing all of this from within 1&1 as
another customer?

And though Steven mentioned addresses being pulled form a persons inbox, in
this case that's not the modus operandi. They are generating what I would
call common and assumed prefixes for domains, e.g., support, info, mail,
admin, etc. with my domain name at the end.

To see mail I did not create from an email address that doesn't exist e.g.,
From: (e-mail address removed) is upsetting to say the least.

Thanks for you insight guys!

Steve Banks
 
W

Wolfman

Steve,

We're suffering from a very similar thing but luckily it's not getting as
far as yours. We have in place SurfControl E-mail filter and from looking at
our system we are having someone/something attempt to use us to e-mail out.
What we are seeing on SurfControl is this:

Denied Relay from <[email protected]> from host 195.102.244.132 to
<[email protected]> (Senders IP not in relay sources list)

We are getting those from these:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

And we get those like clockwork every 20 minutes. The IP address shown is
like in your case, the Mail servers of our ISP. Because we have our system to
deny relays like these it's not as such causing a problem. Apart from filling
up logs etc. We are not hitting anything major. Most of the addresses they
try to e-mail to do not exist but there is one that is correct. So if we
didn't have the system set up as we do then we could potentially be in the
same boat as you.

I would suggest looking in to the Denying Relays. I'm not sure as to how and
where to do it as this was something my Boss set up before I started here.

Hope that can be of some help.
 
B

Brian Tillman

Steven Banks said:
Typically the emails look to be from these addresses:
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)
(e-mail address removed)

That's the modus operandi of the Mytob-CF virus, among others.
 
Ad

Advertisements

S

Steven Banks

Wolfman & Brian Tillman,

Thank you... got an email from 1&1 hosting today saying they might attempt
blocking the IP Address, since all the emails originate from the same IP
address 207.202.164.254.

After looking at their site, looks like SurfControl is an enterprise
solution and their home office, public utility doesn't offer the same
protection for "deny rely." But this is great information and it is
appreciated. I'll do my homework and research.

Thank you guys!
Steve Banks
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top