Is this legit? Or Spoofing?
Question asked by Bob Bell - 2/4/2020 at 10:52 PM
Answered
Me and my clients just started receiving emails that look like this (below). Are these legit? Or spam? 

I have removed the links in the message because I think they could be malicious. 

The reason I think this is "spoofing" is because the link takes me to the following URL.


Thanks, Bob

Smartermail protected message.

Protected message was received.

The following protected message was recently received in your bob@ account.

  • Subject:- Overdue Invoice
  • Time:- 2/4/2020 6:48:02 a.m.
  • Recipient:- bob@

What do you need to do now?

Please click on the blue button below and follow the instructions to read and reply your messages and print them and any attachments that you'd like paper copies of. Some messages may have important documents attached for you to read.

Click here to read message

To opt out or change where you receive security notifications, click here.

Thanks,

The Smartermail account team

Web Engineer
http://www.fullblownwebdesign.com

10 Replies

0
echoDreamz Replied
0
echoDreamz Replied
I am quite curious though how they were able to send an email to my business account, my personal account and a test account that all had SM licenses attached to them... Where exactly did they get the email addresses from?
0
Jack. Replied
Hi echoDreamz, great question!!!
0
Bob Bell Replied
Yeah, they sent the same message to multiple people on my mail server.
Web Engineer
http://www.fullblownwebdesign.com
0
Christopher Hiatt Replied
What was the source IP? I didn't get any of these but curious to check my logs and see if there were any attempts to deliver it.

-edit- Never mind. I found it.

Two attempted deliveries on my system but none passed through. Both attempts were on very old, deleted accounts. One of the two accounts was deleted over five years ago.
0
Bob Bell Replied
Below is the HEADER info from the email. That should help.


Return-Path:
Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.75]) by mail....com with SMTP
    (version=TLS\Tls12 cipher=Aes256 bits=256);
    Mon, 3 Feb 2020 22:48:12 -0800
Received: from smartertools.com ([77.68.93.180]) by mrelayeu.kundenserver.de (mreue108 [213.165.67.119]) with ESMTPSA (Nemesis) id 1N79ly-1jbbTz0tPI-017TS0 for ;
    Tue, 04 Feb 2020 07:48:03 +0100
From: Smartermail Message Protection
To: bob@....com
Subject: New protected message for bob@....com
Date: 4 Feb 2020 06:48:02 +0000
Message-ID: <20200204064802.E3DA1C52CCB2BE36@smartertools.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Spam-Flag: NO
X-SmarterMail-Spam: SPF_SoftFail, Reverse DNS Lookup [Passed], Message Sniffer 0 [code:0], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: 3
X-Antivirus: Avast (VPS 200203-2, 02/03/2020), Inbound message
X-Antivirus-Status: Clean
Web Engineer
http://www.fullblownwebdesign.com
0
Andrea Rogers Replied
Employee Post Marked As Answer
Hello everyone,

Thanks for getting this reported. This appears to be a spoofed message campaign and is best handled by implementing SPF checks on your server. This will allow your SmarterMail installation to check our SPF record the next time it receives one of these messages, and will then determine the message is spoofed and should not allow it through. We've also restricted our domain's SPF record to help prevent these attacks from getting through.

As to how your email addresses have been obtained, we unfortunately can't say. One option you have is to utilize the available online databases of compromised accounts to determine if your accounts have recently been found to be compromised. Companies are constantly getting compromised these days. In fact, Windows recently released a critical security update, and we'd recommend you verify that was implemented on your servers where SmarterMail is installed. On our end, we are not aware of any security vulnerabilities within SmarterMail itself, and we're not aware of any security breaches of our internal systems. We have a number of security practices in place and a variety of measures to alert of this possibility. For example, our billing system has a number of accounts that are used as honeypots. Along with our other alerts, we look from time to time to see if these accounts have been compromised and take an overall look at our security. This might be a security measure you take within your own systems as well.

Kind regards,

Andrea Rogers
Customer Operations Manager
SmarterTools Inc.
877-357-6278

www.smartertools.com

0
Bob Bell Replied
Thanks, Andrea. That's encouraging. 

Regarding the SPF spam settings. Here are my settings. The problem is, the score must be 15 or higher to be marked Spam. Would you recommend adjusting my settings so these types of spoofing emails do not get through?

Web Engineer
http://www.fullblownwebdesign.com
0
echoDreamz Replied
For us, we block on SPF failures and give spam weight to soft fails.
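An added example (not part of any post in this thread, and not SmarterMail's own logic): Python that reads the headers Bob posted, extracts the originating hop and the SPF verdict, and compares a weight-only policy with the block-on-fail policy described above. The trimmed header subset, the `mail.example.test` placeholder, the policy dictionaries and every weight other than the threshold of 15 are assumptions made for illustration.

```python
import re
from email import message_from_string

# Headers from the post above, trimmed to the fields read here. The receiving
# host is elided on the page, so mail.example.test is a placeholder.
RAW = """\
Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.75]) by mail.example.test with SMTP; Mon, 3 Feb 2020 22:48:12 -0800
Received: from smartertools.com ([77.68.93.180]) by mrelayeu.kundenserver.de (mreue108 [213.165.67.119]) with ESMTPSA (Nemesis) id 1N79ly-1jbbTz0tPI-017TS0; Tue, 04 Feb 2020 07:48:03 +0100
X-SmarterMail-Spam: SPF_SoftFail, Reverse DNS Lookup [Passed], Message Sniffer 0 [code:0], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 3

"""

# Assumed policies. Only the threshold of 15 comes from the thread.
WEIGHT_ONLY = {"block_on": set(), "weights": {"softfail": 3, "fail": 10}, "threshold": 15}
BLOCK_ON_FAIL = {"block_on": {"fail"}, "weights": {"softfail": 10}, "threshold": 15}

def origin_hop(msg):
    """(name the client announced, connecting IP) from the oldest Received line."""
    oldest = msg.get_all("Received", [""])[-1]
    m = re.match(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)", oldest)
    return (m.group(1), m.group(2)) if m else (None, None)

def spf_verdict(msg):
    """SPF token from SmarterMail's X-SmarterMail-Spam summary, lowercased."""
    for token in msg.get("X-SmarterMail-Spam", "").split(","):
        if token.strip().startswith("SPF_"):
            return token.strip()[4:].lower()
    return "none"

def disposition(spf, other_weight, policy):
    """Reject outright on a blocking verdict, otherwise score against the threshold."""
    if spf in policy["block_on"]:
        return "reject"
    total = other_weight + policy["weights"].get(spf, 0)
    return "junk" if total >= policy["threshold"] else "deliver"

if __name__ == "__main__":
    msg = message_from_string(RAW)
    print("origin hop:", origin_hop(msg))
    spf = spf_verdict(msg)
    for name, policy in (("weight only", WEIGHT_ONLY), ("block on fail", BLOCK_ON_FAIL)):
        # A strict (-all) SPF record returns "fail" for an unauthorized sender.
        print(name, "| as received:", disposition(spf, 0, policy),
              "| if SPF were fail:", disposition("fail", 0, policy))
```

Received lines below your own server's entry are written by upstream hosts, so the announced name is only a claim: here it reads smartertools.com while the message entered through a kundenserver.de relay.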
0
Bob Bell Replied
OK thanks. I will try that.
Web Engineer
http://www.fullblownwebdesign.com
