Receiving Phishing Mails - Stating that this is from smartertools

Problem reported by Rene Eisenmann - 3/6/2024 at 6:19 AM

Submitted

Since some days we and our customers receive spam and phishing mails that state that it is from smarter tools - sure it’s a scam and yes I know this but what about the not so used to it custoLet which thinks that this is a true mail?

Any idea how to filter such mails or etc? Smarter mail could not really help?

Bye

Rene

IMG_8480.jpeg

15 Replies

Reply to Thread

Kyle Kerst Replied

3/6/2024 at 6:29 AM

Employee Post

Hello Rene! We've been looking into these types of reports, so I wanted to reach out on this to ask if we can get a sample of the raw content of this message. I'll start a ticket with more information on what we need to track those down and I can provide you guidance on hardening your server against these types of attacks. Thanks Rene!

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com

Jade B Replied

3/6/2024 at 8:19 AM

You're not alone and its most definitely a targeted attack. We're seeing the same across multiple smartermail servers, how ever very low numbers.

I have reported the phishing url to google safe search and alerted godaddy

kevind Replied

3/6/2024 at 8:27 AM

Yes, we're seeing this phishing message as well. The email looks the same as what's posted above and it came from same do-not-reply@ionos.com.

We've reported it too, but the phishing link in the message is still working:

https://www.adurigroup.com/1/index.php

Kevin

Jade B Replied

3/6/2024 at 8:32 AM

Very nice of you not to manipulate the query string in the url :)

Jade B Replied

3/6/2024 at 8:52 AM

@Kyle - Ticket 08A-2D7B4DAB-0B25 created with some info for you.

Jerry Heinz Replied

3/6/2024 at 10:48 AM

we got hit with this exact spam early this morning as well, all users over multiple domains. Clearly the scammers are targeting smartermail installs and are able to send inbound emails to all users across all domains on the server.

ScottF Replied

3/6/2024 at 12:06 PM

This would be a nice feature to have in this situation:

Find and Delete Malicious Emails

https://portal.smartertools.com/community/a93997/find-and-delete-malicious-emails.aspx

J. LaDow Replied

3/6/2024 at 12:19 PM

Can anyone share some header data from these messages?

It would be nice to at least be able to setup some filters for them. We haven't had any reports and I can't find anything in our logs based on what this thread reveals so far.

MailEnable survivor / convert --

Jerry Heinz Replied

3/6/2024 at 12:34 PM

here is a copy of the header from the one we received this morning -

(actual user email address & domain omitted)

------------------------------------------------------------------------------------------------------------------------------------------

Return-Path: <do-not-reply@ionos.com>

Received: from nlaredo.globalpc.net (nlaredo.globalpc.net [216.251.80.10]) by (DOMAIN) with SMTP;

Wed, 6 Mar 2024 01:59:12 -0600

Received: from nlaredo.globalpc.net (localhost [127.0.0.1])

by nlaredo.globalpc.net (Postfix) with ESMTP id 54F671B0334

for (USER); Wed, 6 Mar 2024 01:59:05 -0600 (CST)

Received: from nlaredo.globalpc.net ([127.0.0.1])

by nlaredo.globalpc.net (nlaredo.globalpc.net [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id J2IVxICglzf2 for (USER);

Wed, 6 Mar 2024 01:59:04 -0600 (CST)

Received: from ionos.com (unknown [216.24.219.74])

(Authenticated sender: quique73@globalpc.net)

by nlaredo.globalpc.net (Postfix) with ESMTPA id 100381B032A

for (USER); Wed, 6 Mar 2024 01:59:02 -0600 (CST)

X-Virus-Scanned: amavisd-new at globalpc.net

From: SmarterMail Support <do-not-reply@ionos.com>

To: (USER)

Subject: Email error

Date: 6 Mar 2024 08:58:59 +0100

Message-Id: <20240306085859.37E11132B3F9F19F@ionos.com>

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-MessageSniffer-ResultCode: 0

X-SmarterMail-Spam: SORBS-DUL: 0, ZEN10, ZEN11, ZEN2, ZEN3, ZEN4, ZEN5, ZEN6, ZEN7, ZEN9: 0, SORBS-NOMAIL: 0, GBUDB: 0, SPAMCOP: 0, SORBS-RECENT: 0, BARRACUDA: 0, SORBS-NEW: 0, SURRIEL: 0, MAILSPIKE-L3, MAILSPIKE-L4, MAILSPIKE-L5: 0, DMARC [failed]: 10, Reverse DNS Lookup [Passed]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:1.4]: 2, SPF [None]: 0, DKIM [None]: 0, UCEPROTECT-2: 0, SEM-BS: 0, UBL: 0, IX: 0, CBL: 0, HOSTKARMA-BLACK: 0, BONDEDSENDER: 0, SEM-BL: 0, UCEPROTECT-1: 0, SPAMRATS: 0, HOSTKARMA-YELLOW: 0

X-SmarterMail-TotalSpamWeight: 12

X-SmarterMail-SpamAction: Low | NoAction

------------------------------------------------------------------------------------------------------------------------------------------

hope this helps, not sure if filtering will prevent future attempts as we have seen previous variants to this phishing attempt.

J. LaDow Replied

3/6/2024 at 3:10 PM

Fair enough in the notation about variance between previous attempts -- and thank you VERY MUCH for the data!

MailEnable survivor / convert --

Jade B Replied

3/6/2024 at 10:47 PM

Some additional context for Smartertools support, I've looked through the logs on our linux servers and there have been no similar emails.

This confirms that this is specifically targeted at Smartermail users

Webio Replied

3/7/2024 at 3:16 AM

I'm wondering if this is maybe something which I've experienced. On my end it looked like that:

During SMTP session remote connection is providing some remote email address
SmarterMail is performing SPAM actions against this email address and passes message to final user
Final user sees message content based on content which was delivered during SMTP session AND this content contains email address in FROM field different than one provided during SMTP session and thats why this message was delivered and clients are asking how this is possible that they have received message from their mail domain

During SMTP session it looks like this:

2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] rsp: 220 INCOMINGGATEWAYNAME 
2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] connected at 2024-02-28 04:36:09
2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] Country code: BG
2024.02.28 04:36:11.540 [REMOTESMTPIP][61520913] cmd: EHLO mail2.nps.bg
2024.02.28 04:36:11.540 [REMOTESMTPIP][61520913] rsp: 250-INCOMINGGATEWAYNAME  Hello [REMOTESMTPIP]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
2024.02.28 04:36:11.571 [REMOTESMTPIP][61520913] cmd: STARTTLS
2024.02.28 04:36:11.571 [REMOTESMTPIP][61520913] rsp: 220 Start TLS negotiation
2024.02.28 04:36:13.428 [REMOTESMTPIP][61520913] cmd: EHLO mail2.nps.bg
2024.02.28 04:36:13.428 [REMOTESMTPIP][61520913] rsp: 250-INCOMINGGATEWAYNAME Hello [REMOTESMTPIP]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] cmd: MAIL FROM:<st.zagora@nps.bg> SIZE=8002 BODY=7BIT
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] senderEmail(1): st.zagora@nps.bg
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] rsp: 250 OK <st.zagora@nps.bg> Sender ok
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] Sender accepted. Weight: 0. Block threshold: 90.
2024.02.28 04:36:14.457 [REMOTESMTPIP][61520913] cmd: RCPT TO:<VALIDCLIENTMAILBOX@CLIENTDOMAIN> ORCPT=rfc822;VALIDCLIENTMAILBOX@CLIENTDOMAIN
2024.02.28 04:36:17.063 [REMOTESMTPIP][61520913] rsp: 250 OK <VALIDCLIENTMAILBOX@CLIENTDOMAIN> Recipient ok
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] cmd: DATA
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] Performing PTR host name lookup for REMOTESMTPIP
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] PTR host name for REMOTESMTPIP resolved as mail2.nps.bg
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] senderEmail(2): admin@CLIENTDOMAIN parsed using: Mail Administrator <admin@CLIENTDOMAIN>
2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] Sender accepted. Weight: 0. Block threshold: 90.
2024.02.28 04:36:18.155 [REMOTESMTPIP][61520913] DMARC Results: Failed (Domain: CLIENTDOMAIN, Reason: SPF: True, DKIM: False, Alignments: 0, Domain: CLIENTDOMAIN), Reason: SPF: True, DKIM: False, Alignments: 0, Domain: CLIENTDOMAIN, Reject? False
2024.02.28 04:36:18.155 [REMOTESMTPIP][61520913] rsp: 250 OK
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Received message size: 8005 bytes
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Successfully wrote to the HDR file. (.......\Spool\SubSpool7\1887755710402.hdr)
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Data transfer succeeded, writing mail to 1887755710402.eml (MessageID: <20240228043058.5536CE8201E7748B@CLIENTDOMAIN>)
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] cmd: QUIT
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] rsp: 221 Service closing transmission channel
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] disconnected at 2024-02-28 04:36:18

and we have here two email sender addresses:

2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] senderEmail(1): REMOTESPAMEMAILADDRESS

AND second one fetched from message data content:

2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] senderEmail(2): admin@CLIENTDOMAIN parsed using: Mail Administrator <admin@CLIENTDOMAIN>

and this second one is one which client sees in webmail or after fetching message to his mail software while all SPAM actions where performed against first email address REMOTESPAMEMAILADDRESS.

Does findings on your end are similar like mine?

Manuel Martins Replied

3/7/2024 at 9:42 AM

Hi,

Unfortunatly we are receiving them also.

Thanks.

J. LaDow Replied

3/7/2024 at 11:34 AM

This senderEmail(1) and senderEmail(2) is also something we see a lot in the logs.

How does SM obtain the "second email address" ?

MailEnable survivor / convert --

Webio Replied

3/7/2024 at 2:37 PM

senderEmail(2) is email fetched from message content headers while senderEmail(1) is email provided by remote SMTP server during SMTP session commands

Back to Community Threads

Please leave this box unchecked

15 Replies

Reply to Thread

Tags

Related Knowledge Base Articles