Someone is using my email address



At my business, we use hosted Exchange by Rackspace. I've been sending out bulk emails for marketing by emailing to myself and then BCC'ing my contacts.

 

A couple of my customers said that they've been getting scam emails that look like they are from my email address. My email address somehow shows in the from field but when they try and reply, it is some other email address. There is usually a DOC attachment that is infected with a virus.

 

Do I have any way to stop this from happening short of changing my email address?

 

Also, one of my customers alluded to the fact that sending bulk emails using BCC like that actually allows scammers to do this. Is that somehow true?

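The symptom described in the first post (the sender's address in From, replies going to a different address, a DOC attachment) can be checked mechanically on the receiving side. This is an added example, not part of any post in the thread; the sample message, its domains and the `triage` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all names and domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=fail; dkim=none; dmarc=fail
From: "Pat" <pat@example.com>
Reply-To: billing@example.net
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoice.doc"

(constructed placeholder body)
--b1--
"""

def domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain(msg.get("From", "")), domain(msg.get("Reply-To", ""))
    # Replies would go to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to {reply_dom} != from {from_dom}")
    # Only trust the Authentication-Results header stamped by your own MX.
    ar = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    # Word formats that can carry macros.
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith((".doc", ".docm")):
            findings.append(f"attachment {part.get_filename()}")
    return findings
```

The findings are triage hints rather than verdicts: legitimate mail can lack a DKIM signature or use a Reply-To at another domain.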

6 minutes ago, patseguin said:

Also, one of my customers alluded to the fact that sending bulk emails using BCC like that actually allows scammers to do this. Is that somehow true?

Once the scammers harvested your email address, they were able to send out their own emails, and make it appear you were sending the emails out.  By providing a list of email addresses within the BCC field, you made their job easier, when it came to finding potential victims.  The reason the list was compromised, is due to the fact somebody who received your email, was likely compromised themselves. 

 

You really shouldn't expose who else is receiving your email anyways.


27 minutes ago, TheGhostPhantom said:

Once the scammers harvested your email address, they were able to send out their own emails, and make it appear you were sending the emails out.  By providing a list of email addresses within the BCC field, you made their job easier, when it came to finding potential victims.  The reason the list was compromised, is due to the fact somebody who received your email, was likely compromised themselves.

How exactly would one harvest an email from BCC? There's a reason why it's called blind carbon copy. CC I get, BCC, no.

 

Quote

You really shouldn't expose who else is receiving your email anyways.

 

um, we call that bcc.

 

--

 

Chances are:

a) your system is infected with malware that captured your address book and is spoofing your email, or directly sending sketchy email from your client as you.

b) someone else's system in your corp is infected with malware and copied their address books/email receipts and is spoofing your e-mail address, in which case I'd assume all sorts of other people in your company are also having their addresses spoofed

c) a client is infected and their address book that happens to have your email along with other clients' email addresses was harvested by malware and is now spoofing emails with your address.

 

Sounds like option a or b is most likely, unless your clients are communicating with each other.


25 minutes ago, TheGhostPhantom said:

Once the scammers harvested your email address, they were able to send out their own emails, and make it appear you were sending the emails out.  By providing a list of email addresses within the BCC field, you made their job easier, when it came to finding potential victims.  The reason the list was compromised, is due to the fact somebody who received your email, was likely compromised themselves. 

 

You really shouldn't expose who else is receiving your email anyways.

The entire purpose of BCC is to mask the email addresses of everyone for each person getting the email. If someone getting the email was compromised the only email address they would see, would be the email address on the to line. Not the entire list.

 

Could your email account have been compromised? Could they have gotten access to your contact list? Do you have two-factor authentication turned on?


You cannot stop someone from spoofing your mail domain. You can request that the recipient that is getting messages from a spoofed domain utilize DMARC and SPF to help stop the spammers from spoofing mail addresses.

 

For your education:

SPF : https://en.wikipedia.org/wiki/Sender_Policy_Framework

DMARC: https://dmarc.org/

 

Can you stop a stranger from using a random number as a ss number from utilizing your name?  No, you can't.

 

They can ask for identification from that stranger so that they know who the real person is. If they aren't configured to ask for ID, that isn't your problem. If they allow anyone pretending to be anyone to come in, that is also not your problem or anything you can do to fix, as you aren't the admin who can set that up.


36 minutes ago, shockz said:

How exactly would one harvest an email from BCC? There's a reason why it's called blind carbon copy. CC I get, BCC, no.

 

 

um, we call that bcc.

 

--

 

Chances are:

a) your system is infected with malware that captured your address book and is spoofing your email, or directly sending sketchy email from your client as you.

b) someone else's system in your corp is infected with malware and copied their address books/email receipts and is spoofing your e-mail address, in which case I'd assume all sorts of other people in your company are also having their addresses spoofed

c) a client is infected and their address book that happens to have your email along with other clients' email addresses was harvested by malware and is now spoofing emails with your address.

 

Sounds like option a or b is most likely, unless your clients are communicating with each other.

Could be c maybe. Before any of this happened, I RECEIVED an email that looked like it was from one of my clients. It had the infected DOC file which I was smart enough to not even open. It happened 3-4 times before I let him know that he was getting spoofed. He is also in my BCC email list, so he must be infected and my email address was taken on his infected system. Does that sound about right? I ran Windows Defender on my workstation and it found nothing.

 

@sc302 point taken. I did some research and there appears to be no way to stop someone from spoofing my email address.


Pat, for what it is worth, people in my organization get messages from the CEO of the company asking for target cards or other cards via email. These emails aren't sourced from my domain nor are they from any domain we own. My CEO has a unique name and a few of them took it as it was actually him and responded to "him". There is nothing I can do to block you from setting up an email with his name and sending it to someone within my org. Only a few people have been stupid enough to respond, but one tried to wire money to another country because of it (thankfully the bank caught it). As an admin, there is little I can do about that and there could be another as there are a lot of John Smiths in the world. The immediate giveaway is lack of signature.

 

Email address is similar and can be spoofed easily. I don't allow spoofing from my domain so that gets caught, but I cannot stop someone from spoofing your domain. I can stop that someone from getting in utilizing SPF, DMARC, DKIM to verify and authenticate that information... A downside to that is that this is voluntary; the hosting domain has to have this set up on their public DNS. But being that you utilize Rackspace they probably have those records already set up for you and it is up to your customer to utilize that, it gets set up on your DNS servers. If you control the public DNS servers for your site, you can verify it, or set it up if you haven't.

 

You can't stop it any more than you can stop me from saying I am patseguin or changing my signature to say so (though you have gmod rights so you could change it back to say whatever you want, but that isn't usually the case).


SPF, DKIM, DMARC are your friends.

 

Not every recipient system honors these frameworks, but most (good ones) do.  The nutshell I'm getting at here is that you cannot prevent someone from spoofing your address, but you can definitely inform the recipient systems which emails from you are valid.  Most recipient systems honor SPF, when set up correctly, and DKIM and DMARC are there to cover potential loopholes.  Any system with all three fully enforced will have virtually no problems.

 

Verify your domain has them set up.  I recommend dmarcian : https://dmarcian.com/domain-checker/


This topic is now closed to further replies.