DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 27th January 2017
psypro psypro is offline
Shell Scout
 
Join Date: Mar 2016
Location: Continent:Europe
Posts: 123
Default Hacked or spoofed?

Spam has been sent from my email.
In my gmail inbox, sent folder I found "sexy Asian women" spam sent
Today I have changed password for gmail.

But I wonder, can this file give information to how this happend?

a) Attacker broke into my account? (No sign of login from strange place in gmail security page for account. I saw 30 days back. Only 4 spam mails where sent that are registert at my gmail account)

b) I see refernces to sendgrid.net and sendgrid.me US based IP. I have never used such service. I only use gmail.smtp. Is this some kind of spoofing where attacker had no access to my email account? But how can spoofed item be list as sent by google, in the sent folder?

c) Something else. I dont know.
Code:
Delivered-To: hidden@gmail.com
Received: by 10.176.86.76 with SMTP id z12csp813392uaa;
Wed, 25 Jan 2017 07:09:29 -0800 (PST)
X-Received: by 10.99.53.195 with SMTP id c186mr40060pga.24.1485969641;
Wed, 25 Jan 2017 07:09:29 -0800 (PST)
Return-Path: <bounces+4628381-eadc-hidden=gmail.com@sendgrid.net>
Received: from o9.shared.sendgrid.net (o9.shared.sendgrid.net. [173.193.132.134])
by mx.google.com with ESMTPS id h186si20087pfe.17.2017.01.25.07.09.28
for <hidden@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 25 Jan 2017 07:09:29 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+4628381-eadc-hidden=gmail.com@sendgrid.net designates 173.193.132.134 as permitted sender) client-ip=173.193.132.134;
Authentication-Results: mx.google.com;
dkim=pass header.i=@sendgrid.me;
spf=pass (google.com: domain of bounces+4628381-eadc-hidden=gmail.com@sendgrid.net designates 173.193.132.134 as permitted sender) smtp.mailfrom=bounces+4628381-eadc-hidden=gmail.com@sendgrid.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me;
h=mime-version:content-type:to:from:list-unsubscribe:cc:subject:sender:list-id:x-feedback-id;
s=smtpapi; bh=cq1OM20YPw0qVurgX2FACj/WGWI=; b=ezyVSyrQiSw7hARaHC
uUohe9hFp7tLC7Khqt/s5...hyEAp1OY6vLcMn5su5mqV4JnbcOCIiJoZqjXOY
QEoJVJfXO/MSLFgUKXXBgijxsNpRGict8Ql6dZHdUx+RHWYV7jAiSOPH/GNKI3fo
e+71HSi5G07yBwdqq....=
Received: by filter0090p1las1.sendgrid.net with SMTP id filter0090p1las1-30064-5888BF65-92
2017-01-25 15:08:21.748146824 +0000 UTC
Received: from webcommezrc.com (webcommezrc.com [50.21.180.110])
by ismtpd0005p1iad1.sendgrid.net (SG) with ESMTP id VBVs-CKdQuadV8M5RaNCWA
for <hidden@gmail.com>; Wed, 25 Jan 2017 15:08:21.317 +0000 (UTC)
Date: Wed, 25 Jan 2017 10:08:18 -0500
Mime-Version: 1.0
Content-Type: Multipart/MiXeD;Boundary="OIOUIOUIOUIOIO"
Received: from 65.39.215.77 (127.0.0.1) smoothstone.net
To: to@tqVZ.smoothstone.net
X-Pnj: <AUT2b.7cLA.ERccoIaDssq@smoothstone.net>
From: <hidden@gmail.com>
List-Unsubscribe: <mailto:unsubscribe-mc.us11_80c1e39fe0fa900e4b1398044.4584703ca2-b81e2bacec@mailin1.us2.mcsv.net?subject=unsubscrib e>
Cc: <cLfls.ThuB.DeRhDBytvP3@smoothstone.net>
Subject: 0..AsɪᴀɴGɪʀʟsLá´á´á ´‹ÉªÉ´É¢FᴏʀSᴇʀɪᴠá´œsDᴀᴛɪɴɢ
Sender: "National Protection" <sales=nationalvehiclewarranty.com@smoothstone.net >
Message-id: <uTNqG.P8t8.6GUYluOW3ty@smoothstone.net>
List-ID: 80c1e39fe0fa900e4b1398044mc list <80c1e39fe0fa900e4b1398044.331849.list-id.mcsv.net>
X-SG-EID: eTvhVS1mkFCtXfJg9nYV8MWvTJDNxEqeJ9/v33QxYCIMFnBaH8RhStUHXSaJWQXSVraBdNODSGFbi0
FVEd2B+9B+c5cckDTAAIp+VjBsBpRhTJSh47Ffs4Blk4XOegzG Z2SuuDH3X4GgOQ4zj37CoDi8669a
eTVWv9Jemh2FtMG1WVQVsx8/w6N4r2CGh8LS
X-Feedback-ID: 4628381:IBsefFD+cJblXbyIZ4XnGd5gxHOdLFa8aesyzyBRBZ 8=:IBsefFD+cJblXbyIZ4XnGd5gxHOdLFa8aesyzyBRBZ8=:SG

--OIOUIOUIOUIOIO
Content-Type: text/html;
Content-Type: text/html;
Content-Type: text/html;

Last edited by ocicat; 27th January 2017 at 03:57 PM. Reason: Please wrap file contents with [code] & [/code] tags.
Reply With Quote
  #2   (View Single Post)  
Old 27th January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

Spoofed, not hacked.

Knowing only that you are a Gmail customer .... let's read the Email header together.

One of Gmail's mail transfer agent servers (generically, mx.google.com) received this Email from IP address 173.193.132.134, a server that resolved to o9.shared.sendgrid.net.

Everything under that could be fake, but a quick check of blacklists at mxtools.com shows that sendgrid.net is trustworthy at this time. Let us assume the next connection shown in the headers is real. The next MTA connection was from 50.21.180.110, which resolved to webcommezrc.com.

The next received does not look correct, however. It is apparently from 65.39.215.77, but it also refers to a loopback address, and "smoothstone.net" resolves to a different IP address. It's mail servers also do not resolve to that address. This part of the message is false. Nothing below it can be trusted.

webcommezrc.com is a domain through namecheap.com, and its contacts are privacy protected. You can contact the privacy company, but then contacting the domain owner that way is less likely to be effective than reaching out to the server's ISP: 1and1.com. I recommend contacting their abuse desk for assistance.

If you do not actually have this email in your "Sent" folder, it is unlikely to have originated from your account at all, it is just a random ID plugged into some spam to cause confusion. Successfully.
Reply With Quote
  #3   (View Single Post)  
Old 27th January 2017
psypro psypro is offline
Shell Scout
 
Join Date: Mar 2016
Location: Continent:Europe
Posts: 123
Default

It is in my gmail "sent" folder.

Every other mail there is "hidden@gmail.com" as sender.
The spam mail has "hidden@gmail.com via sendgrid.me" as the sender, in my "sent" folder.

Gmail has in help page about via:

I see "via" and a website name next to the sender's name

You'll see "via" and a website name next to the sender's name if the domain it was sent from doesn't match the domain in the "From:" address. For example, you got an email from john.smith@gmail.com, but it could've been sent through a social networking site and not Gmail.

You can't remove the "via" next to someone's name. Gmail shows this information so you're aware of where your messages are coming from.

If you notice that an email was sent via a program you don't recognize, the message might be spam.
Reply With Quote
  #4   (View Single Post)  
Old 27th January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

It looks like Gmail placed it there upon receipt of the spoofed Email. This does not appear to be a security issue, just an annoyance due to having your address harvested and used in Spam.

See: https://support.google.com/mail/answer/50200?hl=en
Reply With Quote
  #5   (View Single Post)  
Old 27th January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

https://en.wikipedia.org/wiki/Backscatter_(email)

Last edited by jggimi; 27th January 2017 at 03:57 PM. Reason: corrected link
Reply With Quote
  #6   (View Single Post)  
Old 27th January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

If you are still concerned the account was compromised, consider contacting Google abuse / security. They may be able to search outbound logs to confirm if this was among them. But a backscatter bounce due to a spoofed address is far more likely.
Reply With Quote
  #7   (View Single Post)  
Old 28th January 2017
psypro psypro is offline
Shell Scout
 
Join Date: Mar 2016
Location: Continent:Europe
Posts: 123
Default

Thank you for looking into it jiggim

I think it was bounced back into Sent folder, and not sent.

a) No strange accivity repported at gmail secuirty page
b) jiggimi looking into it, and indicating bounnced, not hacked
c) If account where hacked, very modest attacker who only sent 4 mails for 24+ hours.
d) With full access to account, spam would look more legit coming from pure gmail.com domain, spammer used this "via"

Still to be on the safe side, these days, strong different password have been set for gmail and many other service I use, like this forum.
Reply With Quote
  #8   (View Single Post)  
Old 31st January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

I have a new domain. It has existed for only 3 weeks.

Today its postmaster@ account received a DMARC report from Google stating that Google had received 41 incoming Emails sent "from" the domain in the prior 24 hours.

The number of Emails sent by the domain's mail server to Google in that time? Zero.

---

Spoofed "From" Email is very common. Far more common than "hacked" user accounts used to send Spam.

Last edited by jggimi; 31st January 2017 at 11:50 AM. Reason: clarity
Reply With Quote
  #9   (View Single Post)  
Old 2nd February 2017
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 425
Default

Doesn't google check dkim and SPF records?

Sigh.

Edit - got around to reading the actual headers. gg rocket357. So sendgrid does indeed have dkim/SPF records (sendgrid.net's SPF includes sendgrid.biz, which has 173.193.132.0/23). Interesting. So sendgrid noticed it was a spoof, and bounced a return to the OP's inbox.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 2nd February 2017 at 07:01 AM.
Reply With Quote
Old 2nd February 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,635
Default

Quote:
Originally Posted by rocket357 View Post
Doesn't google check dkim and SPF records?
(I'd thought this question was regarding Google's DMARC reporting.)

My DMARC configuration is set to "p=none" - rather than quarantine or reject. For two reasons: 1) the domain is a recent addition and I want to be sure SPF/DKIM are working correctly, and 2) the mail server is used to send to mailing lists mail every so often, as it is a personal server.

Mailing lists and DMARC do not go well together, and that includes @openbsd.org lists.

Just this morning, Google sent another consolidated DMARC report. The report said 1350 Emails processed. Now, I do not know how many of those may be spoofs, because because the server sent two Emails to an @openbsd.org mailing list in the prior 24 hours, and two Emails to a @gmail.com user. My hope is the majority of the 1350 are valid.

Last edited by jggimi; 2nd February 2017 at 02:22 PM. Reason: grammar, etc., and a correction, and then later realizing that I misinterpreted rocket357's question
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
My OpenBSD machine was hacked Peter_APIIT OpenBSD General 18 25th August 2015 03:48 AM
LastPass hacked rocket357 News 0 16th June 2015 09:50 PM
Million$ hacked from Banks shep News 0 14th February 2015 06:19 PM
Security NBC.com hacked and served up malware J65nko News 0 22nd February 2013 08:22 PM
Am I being hacked? newbsdied OpenBSD Security 14 6th November 2010 10:41 PM


All times are GMT. The time now is 09:50 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick