6
Fake Messages from Smartertools.com
Problem reported by kevind - 11/29/2019 at 1:28 PM
Resolved
Suggest that SmarterTools enable DKIM and change SPF (currently at soft fail) for your domain so people don't use it to send fraudulent emails. Our SmarterMail users are receiving this message:

Body:
   Dear sales@xxxxxxx.com,

   You have received a protected message on your (sales@xxxxxxx.com) email address.


   For more information on protected messages, please refer to the Help Center.

   Best regards,
   Gunter Eberling
   Head of Customer Satisfaction

Header:
Return-Path: <do-not-reply@smartertools.com>
Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.75]) by mail.xxxxxxx.com with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256); Thu, 28 Nov 2019 10:16:27 -0500
Received: from smartertools.com ([77.68.27.99]) by mrelayeu.kundenserver.de
 (mreue108 [213.165.67.115]) with ESMTPSA (Nemesis) id
 1MeD1l-1hz4Dj3b4J-00bLsd for <sales@xxxxxxx.com>; Thu, 28 Nov 2019 15:07:08 +0100
From: Smartermail Message Protection <do-not-reply@smartertools.com>

22 Replies

0
Alex Clarke Replied
We’ve seen these emails across various accounts too.

The link points to a fake SM 15.x interface.
0
Jade D Replied
@kevind

Is your server by any chance sm02.internetmailserver.net?
Jade https://absolutehosting.co.za
0
Jade D Replied
Update,

Kevin, the attack looks like it's targeted specifically at your clients.
If you run through the process of trying to log into the fake SM website, after a successful capture the site performs a redirect to one of your mail servers.

My suggestion is to start an investigation into a possible exploit uploaded onto your mail server that is linked to your CP demo, and review other mail servers for suspicious logins etc.
Jade https://absolutehosting.co.za
0
Sébastien Riccio Replied
sm02.internetmailserver.net is probably where they saved the HTML for the fake page from, and they forgot to remove absolute URLs...

(but this can also of course be the target as they probably adapt the phishing html page with the same version of smartermail as the intended target...)


Sébastien Riccio System & Network Admin https://swisscenter.com
0
Alex Clarke Replied
The phishing page for the emails I received was for SM 15.7, yet we’re on the latest 17 release. 
3
Steve Norton Replied
Hi all,
Let's not get bogged down with the content of the email and get back to @Kevind's original point: SmarterTools should be setting the example for secure mail configuration and close this attack vector by setting SPF to hard fail (-all) and changing their DMARC record from a policy of 'none' to a policy of 'reject'.
This also requires you guys to have DMARC policy checking enabled on your mail servers so that emails like this don't make it to spool, but you've already done that, I'm sure....
I can accept that SmarterTools may want to leave the SPF record as ~all: as the email in question did not come from the SmarterTools server, it was missing the DKIM signature and wouldn't have made it to spool with an accompanying 'reject' policy.
Let's see if a shout out to @andrea-rogers can help here.
2
Sébastien Riccio Replied
True, Steve.

It would also be the opportunity to fix the glue records and remove the non-answering NS server.

ps: smartertools.com doesn't support receiving mail with TLS ?

Sébastien Riccio System & Network Admin https://swisscenter.com
3
kevind Replied
@Jade - our server is not sm02.internetmailserver.net, but thanks for the suggestions. Will watch out for exploits.

@Steve - nailed it, 2 thumbs up! We use SPF and DMARC and this message would be stopped if ST would secure their domain.

@Sébastien - interesting. You'd expect an email software vendor to set a good example with their own server.
1
David Jamell Replied
Just got one of these too.  It looks exactly the same as OP.

Header:
Return-Path:
Received: from mout-xforward.kundenserver.de (mout-xforward.kundenserver.de [82.165.159.38]) by mail.jamelldigital.com with SMTP; Tue, 3 Dec 2019 05:58:08 -0600
Received: from smartertools.com ([77.68.83.157]) by mrelayeu.kundenserver.de (mreue106 [213.165.67.119]) with ESMTPA (Nemesis) id 1MiIhU-1i5oTE14ha-00fUjf for ; Tue, 03 Dec 2019 12:57:54 +0100
From: Smartermail Message Protection
3
Employee Replied
Employee Post
Hi everyone,

We appreciate everyone reporting this issue. We are working on getting it resolved and it should be cleared up within the week.
1
Steve Norton Replied
Hi Emily,
I can see the DMARC record has been changed and I've successfully tested this, that's great progress.  
There's just the inbound TLS issue to resolve (no inbound STARTTLS support), hopefully your IT team have picked up on that from this thread and that will be resolved soon too.
Steve
0
John Boyett Replied
I just received almost that exact same message this morning, 12/5/2019 at 4:06 AM.  Here's the headers:

Return-Path:
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) by mail.*****.net with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256); Thu, 5 Dec 2019 04:06:27 -0600
Received: from smartertools.com ([77.68.10.174]) by mrelayeu.kundenserver.de (mreue108 [213.165.67.118]) with ESMTPSA (Nemesis) id 1MJV5K-1iIwn10stU-00JpJ1 for ; Thu, 05 Dec 2019 11:06:23 +0100
From: Smartermail Message Protection
To: j***@*****.com
Subject: New protected message for j***@******.com
Date: 5 Dec 2019 10:06:22 +0000
Message-ID: <20191205100622.182EF4DDA88E05E5@smartertools.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Spam-Flag: NO
X-SmarterMail-Spam: SPF [SoftFail]: 3, ISpamAssassin [raw:2]: 4, SpamAssassin [raw:0]: 2, DK [None]: 0, DKIM [None]: 0
X-SmarterMail-TotalSpamWeight: 9
0
Steve Norton Replied
Hi John,
That message was a few hours before I verified the DMARC settings so it could be a timing issue but I just wanted to check that you do have the Antispam option 'Enable DMARC policy compliance check' enabled.
Steve
1
Derek Curtis Replied
Employee Post Marked As Resolution
Hey, all

Just wanted to chime in and follow up on Emily's post and to verify what Steve saw in his tests earlier today. We made the necessary adjustments across a few areas and all should be good now.

We had SPF and DKIM set a bit low to err on the side of caution to avoid difficulties communicating with a wide variety of mail servers and the customers we have around the world. Yeah, it's possible we let it go a bit too long. This was the kick in the butt we needed to lock things down, so thanks. 

We also cleared up the issues with our nameservers and with TLS for incoming SMTP. Thanks for bearing with us as we made these changes. We appreciate the feedback.
Derek Curtis COO SmarterTools Inc. www.smartertools.com
1
John Marx Replied
Derek, if you changed the settings could you be so kind to share screenshots of the settings so that we can all benefit from your expertise and knowledge of the product? This way we can also be as secure as possible.
0
Steve Norton Replied
Here's where you need to start, John M: https://mxtoolbox.com/DMARC.aspx
You should have the Antispam option 'Enable DMARC policy compliance check' enabled in SmarterMail.
The rest of your external settings look good; PM me if you need further guidance.
0
John Marx Replied
Steve, I know I have DMARC checked, but really, is that all SmarterTools had to do that was "out of compliance"? That is what I am trying to find out, as I went through all 103 clients we have six months ago and set up DMARC, but I want to make certain there's nothing else we are missing that would benefit our clients, make our email more secure and help reduce spam.
0
Derek Curtis Replied
Employee Post
John,

The majority of the issues were related to our nameservers, so we went in and cleared that up, then ensured that the info we had set for SPF and DKIM was consistent. We've been moving some things around on the back end with our NS and mail servers, and just forgot a few pieces during that move. We also added TLS to port 25 inside SmarterMail. So, there's really not a lot to share from a screenshot perspective.
Derek Curtis COO SmarterTools Inc. www.smartertools.com
1
John Marx Replied
Thanks. So basically:

  • Make certain 
    • You have all your DNS entries correct and remove the stuff that is not needed / used
      • SPF is setup
      • DKIM is setup
      • DMARC is setup
    • TLS is setup on your inbound SMTP ports (25, 587, etc.)
    • "Enable DMARC policy compliance check" is checked
1
Steve Norton Replied
Hi John M,
If you have 'Enable DMARC policy compliance check' on all of your clients then that's enough to stop the spam related to this thread (post changes).
The other part to this is about protecting your domain from abuse and helping the rest of us determine what is spam by looking at the sending domain's DNS. If you test the domain bus******eti.com via https://mxtoolbox.com/DMARC.aspx it tells us that the DMARC setting is not 'reject', so the receiver can't be sure whether the email is spam or not. That's how the SmarterTools domain was being abused.
The ultimate would be that all of your client's domains pass all https://mxtoolbox.com/DMARC.aspx tests.
HTH,
Steve
1
John Marx Replied
Thanks. I didn't know I had to force that issue. Time to go through 100 DNS entries. lol

Using this tool https://www.unlocktheinbox.com/dmarcwizard/ I was able to create my DMARC. Now to do some updating...

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-aggregate@myReportingDomain.com; ruf=mailto:dmarc-forensic@myReportingDomain.com; rf=afrf; pct=100; ri=86400
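As an added illustration (not code from this thread or from SmarterTools), the following Python applies the DMARC logic Steve Norton described earlier to the header fields quoted in this thread and to the record above. It assumes the SmarterMail summary header is the source of the SPF/DKIM verdicts, simplifies the organisational-domain lookup to an exact match, and takes the d= of a verified DKIM signature as a parameter since the quoted headers carry none.

```python
import re

# Constructed sample: the authentication-relevant fields from the headers quoted in this thread
PHISH_HEADERS = """\
Return-Path: <do-not-reply@smartertools.com>
From: Smartermail Message Protection <do-not-reply@smartertools.com>
X-SmarterMail-Spam: SPF [SoftFail]: 0, DK [None]: 0, DKIM [None]: 0
"""

# The policy the domain had at the time, and the 'reject' record posted above
DMARC_NONE = "v=DMARC1; p=none"
DMARC_REJECT = ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-aggregate@myReportingDomain.com; "
                "ruf=mailto:dmarc-forensic@myReportingDomain.com; rf=afrf; pct=100; ri=86400")


def parse_dmarc_record(txt):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def header(headers, name):
    """Value of the first header called `name` (the sample has no folded lines)."""
    m = re.search(rf"^{name}:\s*(.*)$", headers, re.M | re.I)
    return m.group(1) if m else ""


def domain_of(addr):
    """Domain part of an address. Assumption/simplification: real DMARC maps this to the
    organisational domain via the public-suffix list; an exact match is enough here."""
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()


def dmarc_disposition(headers, dmarc_txt, dkim_domain=None):
    """Return 'pass', or the action ('none', 'quarantine', 'reject') a DMARC-checking
    receiver applies. DMARC passes only if SPF or DKIM produced 'pass' AND that identifier
    aligns with the From: domain. SoftFail is not pass, which is why ~all versus -all on
    the SPF side does not change the outcome here; the p= policy does. dkim_domain is the
    d= of a verified signature (None when, as in this thread's samples, there is none)."""
    verdicts = dict(re.findall(r"(SPF|DKIM) \[(\w+)\]", header(headers, "X-SmarterMail-Spam")))
    from_dom = domain_of(re.search(r"<[^>]+>|\S+@\S+", header(headers, "From")).group(0))
    mail_from = domain_of(header(headers, "Return-Path"))
    spf_aligned = verdicts.get("SPF", "None").lower() == "pass" and mail_from == from_dom
    dkim_aligned = verdicts.get("DKIM", "None").lower() == "pass" and dkim_domain == from_dom
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = parse_dmarc_record(dmarc_txt).get("p", "none").lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"
```

With the 'none' record the quoted message is merely tagged, with the 'reject' record it is refused; only a message that actually passes an aligned SPF or DKIM check gets through.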

0
Pascale Guilbault Replied
Hi,
2 users received this email this morning. I thought you should know.

De: Smartermail Message Protection <do-not-reply@smartertools.com>
Objet: New protected message for info@fondationgroupeforget.ca
Date: 4 février 2020 à 08:57:50 UTC−5

Smartermail protected message.
Protected message was received.
The following protected message was recently received in your info@fondationgroupeforget.ca account.
What do you need to do now?
Please click on the blue button below and follow the instructions to read and reply your messages and print them and any attachments that you'd like paper copies of. Some messages may have important documents attached for you to read.
To opt out or change where you receive security notifications, click here.
Thanks,
The Smartermail account team


Here is the header:

Return-Path: <do-not-reply@smartertools.com>
Received: from mout-xforward.kundenserver.de (mout-xforward.kundenserver.de [82.165.159.38]) by mail.testauditif.ca with SMTP;
   Tue, 4 Feb 2020 09:17:53 -0500
Received: from smartertools.com ([77.68.93.180]) by mrelayeu.kundenserver.de
 (mreue106 [213.165.67.119]) with ESMTPSA (Nemesis) id
 1MybbH-1jk3511XxN-00yz1F for <info@fondationgroupeforget.ca>; Tue, 04 Feb
 2020 14:57:50 +0100
From: Smartermail Message Protection <do-not-reply@smartertools.com>
To: info@fondationgroupeforget.ca
Subject: New protected message for info@fondationgroupeforget.ca
Date: 4 Feb 2020 13:57:50 +0000
Message-ID: <20200204135749.9082D8587054E676@smartertools.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Spam-Flag: YES

X-WatchGuard-AntiVirus: part scanned. clean action=allow
X-SmarterMail-Spam: SPF [SoftFail]: 0, DK [None]: 0, DKIM [None]: 0
X-SmarterMail-TotalSpamWeight: 0

