How can an email appear in a users mailbox without being sent??

Question asked by Karl Jones - 11/18/2021 at 8:46 PM

Answered

I have a CFO client who received an email in his inbox, according to the headers it was from the CEO asking to pay a $35k invoice (NOW) the email appeared to quote a previous email that had never been sent or received by those on it and included a pdf invoice with information that was accurate about a customer/vendor and product details.

The email has a header that shows it came through Smartermail from the CEO to the CFO. the previous quoted email is not in the mailboxes of those listed, neither does it show in the gateway SMTP logs or Smartermail SMTP or administrative logs. The message ID on the email is not found when doing a Smartermail message ID search??

Can anyone explain how an email can show up in a users mailbox when the message ID cannot be found and the sender does not have it in their sent items..??

7 Replies

Reply to Thread

Gabriele Maoret - SERSIS Replied

11/19/2021 at 1:01 AM

It's seems that it's a PHISHING e-mail...

It's difficult to understand why you have this, because phishing may vary in techniques...

It may be:

usenrname spoofing
SPF not well configured
User hackered
and so on...

You need to verify your logs.

If you aren't able to analize it and find the issue, you can hire an expert that can do that for you.

Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

Karl Jones Replied

11/19/2021 at 8:39 AM

Gabriele, My first thought was it was a phishing email too but i have checked my SMTP gateway logs before emails even reach the Smartermail server and the email was never sent via SMTP so now i am looking at logs in Smartermail only to try to identify how this email showed up.

Stefano Replied

11/19/2021 at 8:54 AM

Are you sure that the domain is the same?

Sometimes I've seen some hacked mail from a veeeeery similar domain.

Could you past here the headers?

Karl Jones Replied

11/19/2021 at 10:07 AM

Marked As Answer

Name is correct... I dug around all the logs and found the entry... it was indeed sent from the CEO's account via webmail login and the sent mail was deleted from the mailbox. the offending IP was 192.210.184.21 which comes back to a OrgName: ColoCrossing OrgId: VGS-9 Address: 325 Delaware Avenue Suite 300 Buffalo NY 14202. Some server being used to hack others i guess. The hacker wanted payment into a Singapore bank account.
I guess i will have to start reporting to the relevant authorities.
Edit... found 3 others total.... just in case anyone else wants to search for hacking IP addresses. [102.165.16.55][102.165.16.221][197.253.58.228]

Gabriele Maoret - SERSIS Replied

11/19/2021 at 10:38 AM

If it's so, then your CEO email account has been hacked.

Change the password with one as strong as possible

Jay Dubb Replied

11/19/2021 at 1:09 PM

We have null-routed a large swath of ColoCrossing's prefixes because of the quantity of garbage spewing from their network toward ours. Spammers, script kiddies, bots, you name it.

Karl Jones Replied

11/19/2021 at 1:38 PM

Jay,
No point hitting up their abuse email address then as it looks like it designed for all those script kiddies and spambots etc.

Gabriele,
As soon as i found the offending IP's and the point of entry i disabled the webmail access and have spoken with the CEO and changed his password to a stronger multi character one.

Back to Community Threads

Please leave this box unchecked

7 Replies

Reply to Thread

Tags

Related Knowledge Base Articles