3
Receiving Phishing Mails - Stating that this is from smartertools
Problem reported by Rene Eisenmann - 3/6/2024 at 6:19 AM
Submitted
For some days now we and our customers have been receiving spam and phishing mails that state they are from smarter tools - sure it's a scam and yes I know this, but what about the customer who is not so used to it and thinks that this is a true mail?

Any idea how to filter such mails, etc.? SmarterMail could not really help?

Bye
Rene


15 Replies

0
Kyle Kerst Replied
Employee Post
Hello Rene! We've been looking into these types of reports, so I wanted to reach out on this to ask if we can get a sample of the raw content of this message. I'll start a ticket with more information on what we need to track those down and I can provide you guidance on hardening your server against these types of attacks. Thanks Rene!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Jade B Replied
You're not alone and it's most definitely a targeted attack. We're seeing the same across multiple SmarterMail servers, however in very low numbers.
I have reported the phishing URL to Google safe search and alerted GoDaddy.


3
kevind Replied
Yes, we're seeing this phishing message as well. The email looks the same as what's posted above and it came from the same do-not-reply@ionos.com.

We've reported it too, but the phishing link in the message is still working:

Kevin
0
Jade B Replied
Very nice of you not to manipulate the query string in the url :)
1
Jade B Replied
@Kyle - Ticket 08A-2D7B4DAB-0B25 created with some info for you.
0
Jerry Heinz Replied
We got hit with this exact spam early this morning as well, all users over multiple domains. Clearly the scammers are targeting SmarterMail installs and are able to send inbound emails to all users across all domains on the server.
2
ScottF Replied
This would be a nice feature to have in this situation:

Find and Delete Malicious Emails
0
J. LaDow Replied
Can anyone share some header data from these messages?

It would be nice to at least be able to set up some filters for them. We haven't had any reports and I can't find anything in our logs based on what this thread reveals so far.
MailEnable survivor / convert --
1
Jerry Heinz Replied
Here is a copy of the header from the one we received this morning
(actual user email address & domain omitted)
------------------------------------------------------------------------------------------------------------------------------------------
Return-Path: <do-not-reply@ionos.com>
Received: from nlaredo.globalpc.net (nlaredo.globalpc.net [216.251.80.10]) by (DOMAIN) with SMTP;
   Wed, 6 Mar 2024 01:59:12 -0600
Received: from nlaredo.globalpc.net (localhost [127.0.0.1])
    by nlaredo.globalpc.net (Postfix) with ESMTP id 54F671B0334
    for (USER); Wed,  6 Mar 2024 01:59:05 -0600 (CST)
Received: from nlaredo.globalpc.net ([127.0.0.1])
    by nlaredo.globalpc.net (nlaredo.globalpc.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id J2IVxICglzf2 for (USER);
    Wed,  6 Mar 2024 01:59:04 -0600 (CST)
Received: from ionos.com (unknown [216.24.219.74])
    (Authenticated sender: quique73@globalpc.net)
    by nlaredo.globalpc.net (Postfix) with ESMTPA id 100381B032A
    for (USER); Wed,  6 Mar 2024 01:59:02 -0600 (CST)
X-Virus-Scanned: amavisd-new at globalpc.net
From: SmarterMail Support <do-not-reply@ionos.com>
To: (USER)
Subject: Email error
Date: 6 Mar 2024 08:58:59 +0100
Message-Id: <20240306085859.37E11132B3F9F19F@ionos.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-MessageSniffer-ResultCode: 0
X-SmarterMail-Spam: SORBS-DUL: 0, ZEN10, ZEN11, ZEN2, ZEN3, ZEN4, ZEN5, ZEN6, ZEN7, ZEN9: 0, SORBS-NOMAIL: 0, GBUDB: 0, SPAMCOP: 0, SORBS-RECENT: 0, BARRACUDA: 0, SORBS-NEW: 0, SURRIEL: 0, MAILSPIKE-L3, MAILSPIKE-L4, MAILSPIKE-L5: 0, DMARC [failed]: 10, Reverse DNS Lookup [Passed]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:1.4]: 2, SPF [None]: 0, DKIM [None]: 0, UCEPROTECT-2: 0, SEM-BS: 0, UBL: 0, IX: 0, CBL: 0, HOSTKARMA-BLACK: 0, BONDEDSENDER: 0, SEM-BL: 0, UCEPROTECT-1: 0, SPAMRATS: 0, HOSTKARMA-YELLOW: 0
X-SmarterMail-TotalSpamWeight: 12
X-SmarterMail-SpamAction: Low | NoAction
------------------------------------------------------------------------------------------------------------------------------------------

Hope this helps; not sure if filtering will prevent future attempts, as we have seen previous variants of this phishing attempt.

0
J. LaDow Replied
Fair enough in the notation about variance between previous attempts -- and thank you VERY MUCH for the data!
MailEnable survivor / convert --
1
Jade B Replied
Some additional context for SmarterTools support: I've looked through the logs on our Linux servers and there have been no similar emails.

This confirms that this is specifically targeted at SmarterMail users.
0
Webio Replied
I'm wondering if this is maybe something which I've experienced. On my end it looked like this:

  1. During the SMTP session the remote connection provides some remote email address
  2. SmarterMail performs spam actions against this email address and passes the message to the final user
  3. The final user sees message content based on the content delivered during the SMTP session AND this content contains an email address in the FROM field different from the one provided during the SMTP session, and that's why this message was delivered and clients are asking how it is possible that they have received a message from their own mail domain
During the SMTP session it looks like this:

2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] rsp: 220 INCOMINGGATEWAYNAME 
2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] connected at 2024-02-28 04:36:09
2024.02.28 04:36:09.731 [REMOTESMTPIP][61520913] Country code: BG
2024.02.28 04:36:11.540 [REMOTESMTPIP][61520913] cmd: EHLO mail2.nps.bg
2024.02.28 04:36:11.540 [REMOTESMTPIP][61520913] rsp: 250-INCOMINGGATEWAYNAME  Hello [REMOTESMTPIP]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
2024.02.28 04:36:11.571 [REMOTESMTPIP][61520913] cmd: STARTTLS
2024.02.28 04:36:11.571 [REMOTESMTPIP][61520913] rsp: 220 Start TLS negotiation
2024.02.28 04:36:13.428 [REMOTESMTPIP][61520913] cmd: EHLO mail2.nps.bg
2024.02.28 04:36:13.428 [REMOTESMTPIP][61520913] rsp: 250-INCOMINGGATEWAYNAME Hello [REMOTESMTPIP]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] cmd: MAIL FROM:<st.zagora@nps.bg> SIZE=8002 BODY=7BIT
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] senderEmail(1): st.zagora@nps.bg
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] rsp: 250 OK <st.zagora@nps.bg> Sender ok
2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] Sender accepted. Weight: 0. Block threshold: 90.
2024.02.28 04:36:14.457 [REMOTESMTPIP][61520913] cmd: RCPT TO:<VALIDCLIENTMAILBOX@CLIENTDOMAIN> ORCPT=rfc822;VALIDCLIENTMAILBOX@CLIENTDOMAIN
2024.02.28 04:36:17.063 [REMOTESMTPIP][61520913] rsp: 250 OK <VALIDCLIENTMAILBOX@CLIENTDOMAIN> Recipient ok
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] cmd: DATA
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] Performing PTR host name lookup for REMOTESMTPIP
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] PTR host name for REMOTESMTPIP resolved as mail2.nps.bg
2024.02.28 04:36:17.265 [REMOTESMTPIP][61520913] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] senderEmail(2): admin@CLIENTDOMAIN parsed using: Mail Administrator <admin@CLIENTDOMAIN>
2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] Sender accepted. Weight: 0. Block threshold: 90.
2024.02.28 04:36:18.155 [REMOTESMTPIP][61520913] DMARC Results: Failed (Domain: CLIENTDOMAIN, Reason: SPF: True, DKIM: False, Alignments: 0, Domain: CLIENTDOMAIN), Reason: SPF: True, DKIM: False, Alignments: 0, Domain: CLIENTDOMAIN, Reject? False
2024.02.28 04:36:18.155 [REMOTESMTPIP][61520913] rsp: 250 OK
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Received message size: 8005 bytes
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Successfully wrote to the HDR file. (.......\Spool\SubSpool7\1887755710402.hdr)
2024.02.28 04:36:18.170 [REMOTESMTPIP][61520913] Data transfer succeeded, writing mail to 1887755710402.eml (MessageID: <20240228043058.5536CE8201E7748B@CLIENTDOMAIN>)
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] cmd: QUIT
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] rsp: 221 Service closing transmission channel
2024.02.28 04:36:18.420 [REMOTESMTPIP][61520913] disconnected at 2024-02-28 04:36:18

And we have here two email sender addresses:

2024.02.28 04:36:13.802 [REMOTESMTPIP][61520913] senderEmail(1): REMOTESPAMEMAILADDRESS

AND a second one fetched from the message data content:

2024.02.28 04:36:17.390 [REMOTESMTPIP][61520913] senderEmail(2): admin@CLIENTDOMAIN parsed using: Mail Administrator <admin@CLIENTDOMAIN>

And this second one is the one which the client sees in webmail or after fetching the message into his mail software, while all spam actions were performed against the first email address REMOTESPAMEMAILADDRESS.

Are the findings on your end similar to mine?
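The header Jerry posted and the senderEmail(1)/senderEmail(2) split Webio describes both come down to one check a filter can make: compare the SMTP envelope sender (Return-Path) with the RFC 5322 From: header and read the DMARC verdict SmarterMail records in X-SmarterMail-Spam. The following is an added example, not SmarterMail's own code or anything from this thread's authors; the three messages are constructed (placeholder local domain example.org, the vendor domain taken from the signature above), the BRAND_WORDS list and the quarantine rule are assumptions, and the parser for X-SmarterMail-Spam is written from the header format shown above.

```python
"""Envelope-vs-header sender check for an inbound message (added example).

Models the two sender addresses discussed in the thread: the SMTP envelope
sender (MAIL FROM, kept in Return-Path, SmarterMail's senderEmail(1)) and
the RFC 5322 From: header (senderEmail(2)), plus the DMARC verdict in
X-SmarterMail-Spam. Not SmarterMail code; rules below are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Words a vendor-impersonating display name would use (assumption).
BRAND_WORDS = ("smartermail", "smartertools")
# Domain the real vendor mails from (from the signature in the thread).
TRUSTED_BRAND_DOMAINS = {"smartertools.com"}

# Constructed sample modelled on the header posted above; local user/domain
# are placeholders.
SAMPLE_VENDOR_IMPERSONATION = """\
Return-Path: <do-not-reply@ionos.com>
From: SmarterMail Support <do-not-reply@ionos.com>
To: user@example.org
Subject: Email error
X-SmarterMail-Spam: SORBS-DUL: 0, DMARC [failed]: 10, SPF [None]: 0, DKIM [None]: 0
X-SmarterMail-TotalSpamWeight: 12

(body omitted)
"""

# Constructed sample of the second pattern: envelope sender elsewhere,
# header From: claiming the recipient's own domain.
SAMPLE_LOCAL_SPOOF = """\
Return-Path: <sender@remote.example>
From: Mail Administrator <admin@example.org>
To: user@example.org
Subject: Mailbox notice
X-SmarterMail-Spam: DMARC [failed]: 10, SPF [Pass]: 0, DKIM [None]: 0

(body omitted)
"""

# Constructed benign sample: envelope and header agree, DMARC passed.
SAMPLE_CLEAN = """\
Return-Path: <news@partner.example>
From: Partner News <news@partner.example>
To: user@example.org
Subject: Newsletter
X-SmarterMail-Spam: DMARC [passed]: 0, SPF [Pass]: 0, DKIM [Pass]: 0

(body omitted)
"""


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def parse_spam_checks(value):
    """Parse an X-SmarterMail-Spam value into {check: (result, weight)}.

    Entries look like 'DMARC [failed]: 10', 'SPF [None]: 0' or 'GBUDB: 0';
    a run such as 'ZEN10, ZEN11, ZEN9: 0' is recorded under its last name.
    """
    pattern = r"([A-Za-z][^,\[\]:]*?)\s*(?:\[([^\]]*)\])?\s*:\s*(-?\d+)"
    checks = {}
    for name, result, weight in re.findall(pattern, value):
        checks[name.strip()] = (result.strip().lower(), int(weight))
    return checks


def assess(raw_message, local_domains):
    """Return a verdict dict for one raw message.

    local_domains: domains hosted on this server (assumed known to the
    caller). Quarantine when the display name impersonates the vendor, or
    when From: claims a local domain that DMARC did not vouch for.
    """
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    checks = parse_spam_checks(msg.get("X-SmarterMail-Spam", ""))
    dmarc, _weight = checks.get("DMARC", ("", 0))
    local = {d.lower() for d in local_domains}

    reasons = []
    if envelope_dom and from_dom and envelope_dom != from_dom:
        reasons.append("envelope/header sender mismatch")
    if dmarc == "failed":
        reasons.append("DMARC failed")
    severe = []
    if any(w in display.lower() for w in BRAND_WORDS) and from_dom not in TRUSTED_BRAND_DOMAINS:
        severe.append("display name impersonates vendor")
    if from_dom in local and dmarc != "passed":
        severe.append("header From spoofs a local domain")
    reasons.extend(severe)
    return {
        "verdict": "quarantine" if severe else "deliver",
        "reasons": reasons,
        "envelope_domain": envelope_dom,
        "from_domain": from_dom,
        "dmarc": dmarc,
    }


if __name__ == "__main__":
    for label, raw in [("vendor", SAMPLE_VENDOR_IMPERSONATION),
                       ("local-spoof", SAMPLE_LOCAL_SPOOF),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, assess(raw, {"example.org"}))
```

Note that the ionos.com sample passes the envelope/header comparison (both addresses are ionos.com) and is caught only by the display-name rule, while the local-domain sample is caught by the mismatch plus the unauthenticated claim on the recipient's own domain; the "DMARC [failed]: 10" weight alone stayed under SmarterMail's action threshold in the posted header, which is why a separate rule is worth having.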
0
Manuel Martins Replied
Hi,

Unfortunately we are receiving them also.

Thanks.
0
J. LaDow Replied
This senderEmail(1) and senderEmail(2) is also something we see a lot in the logs.

How does SM obtain the "second email address"?
MailEnable survivor / convert --
1
Webio Replied
senderEmail(2) is the email fetched from the message content headers, while senderEmail(1) is the email provided by the remote SMTP server during the SMTP session commands.
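Because both addresses are written to the SMTP log with the same session id, the distinction just explained can be hunted for directly in the logs, which is what J. LaDow was asking for earlier in the thread. The script below is an added example, not SmarterMail tooling; it reads lines in the log format shown above, groups them by session id and reports sessions whose senderEmail(2) domain differs from senderEmail(1). The log lines, IPs, session ids, file names and addresses are constructed placeholders.

```python
"""Correlate senderEmail(1)/senderEmail(2) per SmarterMail SMTP log session.

Added example, not SmarterMail's own tooling. Reports sessions where the
header From: domain (senderEmail(2)) is not the envelope sender's domain
(senderEmail(1)), and flags those that claim one of our own domains.
The log below is constructed; every IP, id and address is a placeholder.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
2024.02.28 04:36:13.802 [203.0.113.5][70000001] senderEmail(1): sender@remote.example
2024.02.28 04:36:17.390 [203.0.113.5][70000001] senderEmail(2): admin@example.org parsed using: Mail Administrator <admin@example.org>
2024.02.28 04:36:18.155 [203.0.113.5][70000001] DMARC Results: Failed (Domain: example.org, Reason: SPF: True, DKIM: False, Alignments: 0), Reject? False
2024.02.28 04:36:18.170 [203.0.113.5][70000001] Data transfer succeeded, writing mail to 4200000001.eml (MessageID: <a@example.org>)
2024.02.28 05:01:02.000 [198.51.100.9][70000002] senderEmail(1): news@partner.example
2024.02.28 05:01:03.000 [198.51.100.9][70000002] senderEmail(2): news@partner.example parsed using: Partner News <news@partner.example>
2024.02.28 05:01:04.000 [198.51.100.9][70000002] DMARC Results: Passed (Domain: partner.example, Reason: SPF: True, DKIM: True, Alignments: 2), Reject? False
2024.02.28 05:01:05.000 [198.51.100.9][70000002] Data transfer succeeded, writing mail to 4200000002.eml (MessageID: <b@partner.example>)
"""

# "<date> <time> [ip][session-id] <message>", as in the lines quoted above.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<msg>.*)$")
# Per-message patterns for the fields we keep from each session.
EVENTS = {
    "envelope": re.compile(r"^senderEmail\(1\): (\S+)"),
    "header": re.compile(r"^senderEmail\(2\): (\S+)"),
    "dmarc": re.compile(r"^DMARC Results: (\w+)"),
    "eml": re.compile(r"writing mail to (\S+\.eml)"),
}


def domain_of(addr):
    """Lower-cased domain part of a bare address."""
    return addr.rpartition("@")[2].lower()


def parse_sessions(log_text):
    """Group log lines by session id, keeping only the fields in EVENTS."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are ignored
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "first_seen": m["ts"]})
        for field, rx in EVENTS.items():
            hit = rx.search(m["msg"])
            if hit:
                s[field] = hit.group(1)
    return sessions


def find_header_spoofs(sessions, local_domains):
    """Sessions whose header From: domain differs from the envelope sender."""
    local = {d.lower() for d in local_domains}
    findings = []
    for sid, s in sessions.items():
        env, hdr = s.get("envelope"), s.get("header")
        if not env or not hdr or domain_of(env) == domain_of(hdr):
            continue
        findings.append({
            "session": sid,
            "ip": s["ip"],
            "first_seen": s["first_seen"],
            "envelope": env,
            "header_from": hdr,
            "dmarc": s.get("dmarc", "unknown"),
            "eml": s.get("eml"),  # spool file to pull for a sample
            "spoofs_local_domain": domain_of(hdr) in local,
        })
    return findings


if __name__ == "__main__":
    for hit in find_header_spoofs(parse_sessions(SAMPLE_LOG), {"example.org"}):
        print(hit)
```

Run it over a real SMTP log with your own hosted domains in place of example.org; the "eml" field names the spool file SmarterMail wrote, which is the raw sample Kyle asked for at the top of the thread.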
