How can an email appear in a users mailbox without being sent??
Question asked by Karl Jones - 11/18/2021 at 8:46 PM
I have a CFO client who received an email in his inbox, according to the headers it was from the CEO asking to pay a $35k invoice (NOW) the email appeared to quote a previous email that had never been sent or received by those on it and included a pdf invoice with information that was accurate about a customer/vendor and product details.

The email has a header that shows it came through Smartermail from the CEO to the CFO. the previous quoted email is not in the mailboxes of those listed, neither does it show in the gateway SMTP logs or Smartermail SMTP or administrative logs. The message ID on the email is not found when doing a Smartermail message ID search??

Can anyone explain how an email can show up in a users mailbox when the message ID cannot be found and the sender does not have it in their sent items..??

7 Replies

Reply to Thread
It's seems that it's a PHISHING e-mail...

It's difficult to understand why you have this, because phishing may vary in techniques...

It may be:

  • usenrname spoofing
  • SPF not well configured
  • User hackered
  • and so on...
You need to verify your logs.

If you aren't able to analize it and find the issue, you can hire an expert that can do that for you.
Karl Jones Replied
Gabriele, My first thought was it was a phishing email too but i have checked my SMTP gateway logs before emails even reach the Smartermail server and the email was never sent via SMTP so now i am looking at logs in Smartermail only to try to identify how this email showed up.
Stefano Replied
Are you sure that the domain is the same?
Sometimes I've seen some hacked mail from a veeeeery similar domain.
Could you past here the headers?
Karl Jones Replied
Marked As Answer
Name is correct... I dug around all the logs and found the entry... it was indeed sent from the CEO's account via webmail login and the sent mail was deleted from the mailbox. the offending IP was which comes back to a OrgName:        ColoCrossing OrgId: VGS-9 Address: 325 Delaware Avenue Suite 300 Buffalo NY 14202. Some server being used to hack others i guess. The hacker wanted payment into a Singapore bank account.
I guess i will have to start reporting to the relevant authorities.
Edit... found 3 others total.... just in case anyone else wants to search for hacking IP addresses. [][][]
If it's so, then your CEO email account has been hacked.

Change the password with one as strong as possible
Jay Dubb Replied
We have null-routed a large swath of ColoCrossing's prefixes because of the quantity of garbage spewing from their network toward ours.  Spammers, script kiddies, bots, you name it.
Karl Jones Replied
No point hitting up their abuse email address then as it looks like it designed for all those script kiddies and spambots etc.

As soon as i found the offending IP's and the point of entry i disabled the webmail access and have spoken with the CEO and changed his password to a stronger multi character one.

Reply to Thread