Hacked or spoofed?
Spam has been sent from my email.
In my gmail inbox, sent folder I found "sexy Asian women" spam sent today. I have changed the password for gmail. But I wonder, can this file give information on how this happened?

a) Attacker broke into my account? (No sign of login from a strange place on the gmail security page for the account. I looked 30 days back. Only 4 spam mails were sent that are registered at my gmail account.)
b) I see references to sendgrid.net and sendgrid.me, a US based IP. I have never used such a service. I only use gmail smtp. Is this some kind of spoofing where the attacker had no access to my email account? But how can a spoofed item be listed as sent by google, in the sent folder?
c) Something else. I don't know.

Code:
Delivered-To: hidden@gmail.com
Received: by 10.176.86.76 with SMTP id z12csp813392uaa;
        Wed, 25 Jan 2017 07:09:29 -0800 (PST)
X-Received: by 10.99.53.195 with SMTP id c186mr40060pga.24.1485969641;
        Wed, 25 Jan 2017 07:09:29 -0800 (PST)
Return-Path: <bounces+4628381-eadc-hidden=gmail.com@sendgrid.net>
Received: from o9.shared.sendgrid.net (o9.shared.sendgrid.net. [173.193.132.134])
        by mx.google.com with ESMTPS id h186si20087pfe.17.2017.01.25.07.09.28
        for <hidden@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 25 Jan 2017 07:09:29 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+4628381-eadc-hidden=gmail.com@sendgrid.net designates 173.193.132.134 as permitted sender) client-ip=173.193.132.134;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sendgrid.me;
       spf=pass (google.com: domain of bounces+4628381-eadc-hidden=gmail.com@sendgrid.net designates 173.193.132.134 as permitted sender) smtp.mailfrom=bounces+4628381-eadc-hidden=gmail.com@sendgrid.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me;
        h=mime-version:content-type:to:from:list-unsubscribe:cc:subject:sender:list-id:x-feedback-id;
        s=smtpapi; bh=cq1OM20YPw0qVurgX2FACj/WGWI=;
        b=ezyVSyrQiSw7hARaHC uUohe9hFp7tLC7Khqt/s5...hyEAp1OY6vLcMn5su5mqV4JnbcOCIiJoZqjXOY
        QEoJVJfXO/MSLFgUKXXBgijxsNpRGict8Ql6dZHdUx+RHWYV7jAiSOPH/GNKI3fo
        e+71HSi5G07yBwdqq....=
Received: by filter0090p1las1.sendgrid.net with SMTP id filter0090p1las1-30064-5888BF65-92
        2017-01-25 15:08:21.748146824 +0000 UTC
Received: from webcommezrc.com (webcommezrc.com [50.21.180.110])
        by ismtpd0005p1iad1.sendgrid.net (SG) with ESMTP id VBVs-CKdQuadV8M5RaNCWA
        for <hidden@gmail.com>; Wed, 25 Jan 2017 15:08:21.317 +0000 (UTC)
Date: Wed, 25 Jan 2017 10:08:18 -0500
Mime-Version: 1.0
Content-Type: Multipart/MiXeD;Boundary="OIOUIOUIOUIOIO"
Received: from 65.39.215.77 (127.0.0.1) smoothstone.net
To: to@tqVZ.smoothstone.net
X-Pnj: <AUT2b.7cLA.ERccoIaDssq@smoothstone.net>
From: <hidden@gmail.com>
List-Unsubscribe: <mailto:unsubscribe-mc.us11_80c1e39fe0fa900e4b1398044.4584703ca2-b81e2bacec@mailin1.us2.mcsv.net?subject=unsubscribe>
Cc: <cLfls.ThuB.DeRhDBytvP3@smoothstone.net>
Subject: 0..AsɪᴀɴGɪʀʟsLᴏᴏᴋɪɴɢFᴏʀSᴇʀɪᴠᴜsDᴀᴛɪɴɢ
Sender: "National Protection" <sales=nationalvehiclewarranty.com@smoothstone.net>
Message-id: <uTNqG.P8t8.6GUYluOW3ty@smoothstone.net>
List-ID: 80c1e39fe0fa900e4b1398044mc list <80c1e39fe0fa900e4b1398044.331849.list-id.mcsv.net>
X-SG-EID: eTvhVS1mkFCtXfJg9nYV8MWvTJDNxEqeJ9/v33QxYCIMFnBaH8RhStUHXSaJWQXSVraBdNODSGFbi0
        FVEd2B+9B+c5cckDTAAIp+VjBsBpRhTJSh47Ffs4Blk4XOegzG Z2SuuDH3X4GgOQ4zj37CoDi8669a
        eTVWv9Jemh2FtMG1WVQVsx8/w6N4r2CGh8LS
X-Feedback-ID: 4628381:IBsefFD+cJblXbyIZ4XnGd5gxHOdLFa8aesyzyBRBZ 8=:IBsefFD+cJblXbyIZ4XnGd5gxHOdLFa8aesyzyBRBZ8=:SG

--OIOUIOUIOUIOIO
Content-Type: text/html;
Content-Type: text/html;
Content-Type: text/html;

Last edited by ocicat; 27th January 2017 at 03:57 PM. Reason: Please wrap file contents with [code] & [/code] tags.
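The headers above already contain the answer, if one reads the Authentication-Results line the way the receiving server does. The following Python example is added here and is not part of the original post: it takes a trimmed copy of the posted headers (body omitted), extracts who vouched for the message (SPF for the envelope domain sendgrid.net, DKIM for sendgrid.me), checks whether either identifier is aligned with the From domain gmail.com as DMARC requires, and lists the relay hops. The `org_domain` helper is a simplification (last two labels instead of the Public Suffix List), and the "via" value is a heuristic that reproduces what the thread observed ("via sendgrid.me", the DKIM signing domain), not a statement about Gmail's internals.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the authentication-relevant headers from the message
# posted in the thread, trimmed to what the checks below read. Body omitted.
SAMPLE = """\
Return-Path: <bounces+4628381-eadc-hidden=gmail.com@sendgrid.net>
Received: from o9.shared.sendgrid.net (o9.shared.sendgrid.net. [173.193.132.134])
        by mx.google.com with ESMTPS id h186si20087pfe.17.2017.01.25.07.09.28
        for <hidden@gmail.com>; Wed, 25 Jan 2017 07:09:29 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sendgrid.me;
       spf=pass (google.com: domain of bounces+4628381-eadc-hidden=gmail.com@sendgrid.net designates 173.193.132.134 as permitted sender) smtp.mailfrom=bounces+4628381-eadc-hidden=gmail.com@sendgrid.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: from webcommezrc.com (webcommezrc.com [50.21.180.110])
        by ismtpd0005p1iad1.sendgrid.net (SG) with ESMTP id VBVs-CKdQuadV8M5RaNCWA
        for <hidden@gmail.com>; Wed, 25 Jan 2017 15:08:21.317 +0000 (UTC)
From: <hidden@gmail.com>
Sender: "National Protection" <sales=nationalvehiclewarranty.com@smoothstone.net>

"""


def org_domain(name):
    """Organizational domain, simplified to the last two labels. Real DMARC
    uses the Public Suffix List; two labels suffice for the names here."""
    return ".".join(name.lower().strip("@.").split(".")[-2:])


def parse_auth_results(value):
    """Map each method in an Authentication-Results value to (result, props).
    Parenthesised comments such as '(google.com: domain of ...)' are dropped."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause).strip()
        if not clause:
            continue
        head, *props = clause.split()
        method, _, result = head.partition("=")
        results[method] = (result, dict(p.partition("=")[::2] for p in props))
    return results


def received_chain(msg):
    """(host, ip) for every Received header naming a remote sender,
    closest to the recipient first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\([^)]*\[([\d.]+)\]\)", value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1].lower()
    auth = parse_auth_results(str(msg["Authentication-Results"]))

    spf_result, spf_props = auth.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").split("@")[-1]
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dkim_domain = dkim_props.get("header.i", dkim_props.get("header.d", ""))

    # DMARC relaxed alignment: the authenticated identifier must share its
    # organizational domain with the RFC5322.From domain. SPF passing for
    # sendgrid.net says nothing about gmail.com.
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)

    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_aligned),
        "dkim": (dkim_result, org_domain(dkim_domain), dkim_aligned),
        "dmarc_computed": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "dmarc_reported": auth.get("dmarc", ("none", {}))[0],
        # Heuristic: the thread shows "via sendgrid.me", the DKIM signing
        # domain, when it is not aligned with the From domain.
        "via": None if dkim_aligned else org_domain(dkim_domain),
        "hops": received_chain(msg),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key:15} {value}")
```

The hop list is the other half of the story: mx.google.com accepted the message from a SendGrid host, which in turn accepted it from webcommezrc.com; no Gmail submission server appears anywhere, so the message never passed through the account. The computed DMARC verdict matches the one Google recorded (`dmarc=fail`), and with gmail.com publishing `p=NONE` at the time, failing meant "deliver anyway", which is why it still landed.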
|
It is in my gmail "sent" folder.
Every other mail there has "hidden@gmail.com" as sender. The spam mail has "hidden@gmail.com via sendgrid.me" as the sender, in my "sent" folder. Gmail's help page says this about "via":

    I see "via" and a website name next to the sender's name
    You'll see "via" and a website name next to the sender's name if the domain it was sent from doesn't match the domain in the "From:" address. For example, you got an email from john.smith@gmail.com, but it could've been sent through a social networking site and not Gmail. You can't remove the "via" next to someone's name. Gmail shows this information so you're aware of where your messages are coming from. If you notice that an email was sent via a program you don't recognize, the message might be spam.
|
It looks like Gmail placed it there upon receipt of the spoofed Email. This does not appear to be a security issue, just an annoyance due to having your address harvested and used in Spam.
See: https://support.google.com/mail/answer/50200?hl=en
|
If you are still concerned the account was compromised, consider contacting Google abuse / security. They may be able to search outbound logs to confirm if this was among them. But a backscatter bounce due to a spoofed address is far more likely.
|
|
Thank you for looking into it jiggim
I think it was bounced back into the Sent folder, and not sent.

a) No strange activity reported at the gmail security page
b) jggimi looking into it, and indicating bounced, not hacked
c) If the account were hacked, a very modest attacker who only sent 4 mails in 24+ hours.
d) With full access to the account, spam would look more legit coming from the pure gmail.com domain; the spammer used this "via"

Still, to be on the safe side, these days, strong different passwords have been set for gmail and many other services I use, like this forum.
|
I have a new domain. It has existed for only 3 weeks.
Today its postmaster@ account received a DMARC report from Google stating that Google had received 41 incoming Emails sent "from" the domain in the prior 24 hours. The number of Emails sent by the domain's mail server to Google in that time? Zero.

---

Spoofed "From" Email is very common. Far more common than "hacked" user accounts used to send Spam.

Last edited by jggimi; 31st January 2017 at 11:50 AM. Reason: clarity
|
Doesn't google check dkim and SPF records?
Sigh. Edit - got around to reading the actual headers. gg rocket357. So sendgrid does indeed have dkim/SPF records (sendgrid.net's SPF includes sendgrid.biz, which has 173.193.132.0/23). Interesting. So sendgrid noticed it was a spoof, and bounced a return to the OP's inbox.
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 2nd February 2017 at 07:01 AM.
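The point rocket357 makes is that SPF and DKIM did check out, but for SendGrid's own domains rather than for gmail.com. The example below is added here and is not rocket357's or SendGrid's code: it walks an SPF record offline the way a receiver's `check_host()` does (RFC 7208), following `include:` chains, matching `ip4:`/`ip6:` ranges, resolving `a`/`mx` against a small table, and enforcing the ten-lookup limit. The DNS table is constructed: the sendgrid.net -> sendgrid.biz -> 173.193.132.0/23 chain is what the post reports, trimmed to that one range; example.org and loop.example are invented to exercise the other branches.

```python
import ipaddress

# Constructed DNS view, no network access. Only the sendgrid.net ->
# sendgrid.biz -> 173.193.132.0/23 chain comes from the thread (and the real
# sendgrid.biz record lists far more than this one range); the rest is made up.
TXT = {
    "sendgrid.net": "v=spf1 include:sendgrid.biz -all",
    "sendgrid.biz": "v=spf1 ip4:173.193.132.0/23 -all",
    "example.org": "v=spf1 mx ip4:198.51.100.0/24 include:sendgrid.net ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological record
}
A = {"mail.example.org": ["203.0.113.25"]}
MX = {"example.org": ["mail.example.org"]}

DNS_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, _lookups=None):
    """Evaluate domain's SPF record for the connecting ip.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include/redirect recursion
    addr = ipaddress.ip_address(ip)
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            _lookups[0] += 1
            if _lookups[0] > DNS_LOOKUP_LIMIT:
                return "permerror"
            return check_host(ip, term.split("=", 1)[1], _lookups)
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Version mismatch (ip6 range vs IPv4 client) simply does not match.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            _lookups[0] += 1  # mx really costs MX + one A per host; counted as one here
            if _lookups[0] > DNS_LOOKUP_LIMIT:
                return "permerror"
            target = arg or domain
            if mech == "include":
                inner = check_host(ip, target, _lookups)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"  # only a pass inside an include matches
            elif mech == "a":
                matched = str(addr) in A.get(target, [])
            else:
                matched = any(str(addr) in A.get(h, []) for h in MX.get(target, []))
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    # The SendGrid host from the posted headers, checked against the envelope
    # sender's domain: this is the "spf=pass" Google recorded.
    print("173.193.132.134 for sendgrid.net:", check_host("173.193.132.134", "sendgrid.net"))
    print("173.193.132.134 for example.org:", check_host("173.193.132.134", "example.org"))
```

Note what a pass here proves: that the connecting IP is authorised to send mail with a sendgrid.net envelope sender, nothing more. Whether the From: header may say gmail.com is a separate question, and that is exactly the gap DMARC alignment exists to close; an SPF pass on an unrelated envelope domain is why the posted headers show `spf=pass` and `dmarc=fail` on the same line.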
|
(I'd thought this question was regarding Google's DMARC reporting.)
My DMARC configuration is set to "p=none" - rather than quarantine or reject. For two reasons: 1) the domain is a recent addition and I want to be sure SPF/DKIM are working correctly, and 2) the mail server is used to send mail to mailing lists every so often, as it is a personal server. Mailing lists and DMARC do not go well together, and that includes @openbsd.org lists.

Just this morning, Google sent another consolidated DMARC report. The report said 1350 Emails processed. Now, I do not know how many of those may be spoofs, because the server sent two Emails to an @openbsd.org mailing list in the prior 24 hours, and two Emails to a @gmail.com user. My hope is the majority of the 1350 are valid.

Last edited by jggimi; 2nd February 2017 at 02:22 PM. Reason: grammar, etc., and a correction, and then later realizing that I misinterpreted rocket357's question
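The question jggimi leaves open ("how many of the 1350 are spoofs?") is exactly what the aggregate report answers, row by row, once it is parsed. The example below is added here and is not jggimi's code or Google's: it reads a DMARC aggregate (rua) report in the RFC 7489 XML layout, splits each source IP into aligned (your own mail), forwarded (authenticated, but by an unrelated domain, which is what a mailing-list relay looks like) and unauthenticated (the likely spoofs), and shows how much a move to `p=reject` would have bounced. The report is constructed: the domain, IPs and the 2 / 2 / 1346 split are hypothetical values chosen to total 1350 and to mirror the two list posts and two direct sends mentioned above, not what Google's report actually contained.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 Appendix C layout. Domain, IPs
# and counts are invented; the 2 + 2 + 1346 split is a hypothetical breakdown
# of the 1350 messages mentioned in the thread.
SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1485993600</begin><end>1486080000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record><!-- own mail server: both identifiers aligned -->
    <row><source_ip>203.0.113.25</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- mailing-list relay: envelope rewritten, signature broken -->
    <row><source_ip>198.51.100.7</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>fail</result></dkim>
      <spf><domain>lists.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- unknown host, no authentication at all -->
    <row><source_ip>192.0.2.99</source_ip><count>1346</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Flatten the report into one dict per <record>."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row, pe, auth = rec.find("row"), rec.find("row/policy_evaluated"), rec.find("auth_results")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results the receiver used
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            # auth_results holds the raw results, whatever domain they were for
            "raw_dkim_pass": any(d.findtext("result") == "pass" for d in auth.findall("dkim")),
            "raw_spf_pass": any(s.findtext("result") == "pass" for s in auth.findall("spf")),
            "disposition": pe.findtext("disposition"),
        })
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"), "rows": rows}


def classify(row):
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "aligned"          # passes DMARC: your own mail
    if row["raw_dkim_pass"] or row["raw_spf_pass"]:
        return "forwarded"        # authenticated by an unrelated domain: list or forwarder
    return "unauthenticated"      # nothing vouched for it: most likely spoofed


def summarize(xml_text):
    report = parse_report(xml_text)
    totals, by_ip = Counter(), {}
    for row in report["rows"]:
        category = classify(row)
        totals[category] += row["count"]
        by_ip[row["source_ip"]] = category
    total = sum(totals.values())
    return {
        "domain": report["domain"],
        "policy": report["policy"],
        "total": total,
        "totals": dict(totals),
        "by_ip": by_ip,
        # p=reject would bounce everything that is not aligned, the list
        # relays included; that is the trade-off behind staying on p=none.
        "would_reject": total - totals["aligned"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:13} {value}")
```

The "forwarded" bucket is the one to watch before tightening the policy: rows where SPF passes for a domain you do not own, or where DKIM fails on mail you know you sent, are typically list relays and forwarders, and they are the messages a `p=reject` policy would start bouncing.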
|
|