Spam being sent from my account?

@Sharky Thanks for a very thorough and helpful post.

@StewartR you seem to have a very lax attitude towards security and it doesn't present you or your business in a great light imo
I disagree. I don't think I'm lax. I have anti-virus and firewall protection everywhere, I use strong passwords everywhere that I care about (i.e. on all accounts where a compromise could hurt me), I always make sure OS patches and browser patches are installed promptly, I never open attachments on unsolicited emails, and my phone is secured. I don't know what more I could do. But that's the trouble - I freely admit to not being an expert, and the problem as ever is with the unknown unknowns - I don't know what I don't know.

For what it's worth the mail originated from Vietnam and was sent via PHPmailer so it's unlikely it came from any of your PCs. It was probably a test send to see if it got a good hit; it did, and if you hadn't noticed I would have expected a lot more spam to have been sent the next time around.
That is REALLY useful. Thanks. I was hoping somebody would be able to look at what had actually happened and give me some relevant advice based on the characteristics of the attack, so I'm grateful that you have.

Precautionary scans / clean up of everything inside your network and any extra devices that you've used the gmail account on is a good first step.
Done. No malware found, no unauthorised devices used within the last 28 days.

When people mention your phone security they don't mean physical security, they are talking about compromised apps that may have been installed and leeched information from your phone. They may be seemingly legit apps from the Play store or third party sources.
Hmm. Hard to know, isn't it? I pretty much only install apps that (i) I really need, (ii) have large numbers of users and good ratings. But even so I guess that's no guarantee. Is there any way of detecting compromised apps?

Or maybe you've just been caught out by a traditional e-mail borne threat. Opened any xls / xps / doc attached recently for invoices / quotes that you weren't expecting?
Absolutely impossible. Totally, utterly, no chance. Zero, zip.

My advice: change all your passwords, invest in more robust security policies, and don't just rely solely on Malwarebytes; it does miss things but is still a good layer of security. Norton doesn't do business / corporate grade products, which suggests you're using home solutions to protect your business. You'll probably be breaking the EULA by doing so as well (Malwarebytes Free / Premium is not permitted for business use). Invest in something that is appropriate for your usage and level of protection.
Passwords ... sure, can do.

But what are "more robust security policies"? I've described above what I currently do - what else is there? (Unknown unknown!)

As for security software, again I'm floundering. Norton Small Business seems to me to be aimed at ... err ... small businesses. Malwarebytes Premium is advertised as "protection for your business". So I'd have thought, naively perhaps, that they would both seem to be appropriate. In any case, is there any real difference between the level of protection offered by "corporate grade" products and "home solutions" products? I strongly suspect not. Surely it simply wouldn't be acceptable for these companies to market "home solutions" products which they know have vulnerabilities? I expect the differences are to do with the ease of deployment, remote management and updating, that sort of thing. But I'd be happy to learn otherwise if you have any information.

Thanks again.
 
One thing I find odd is that if the actual sending domain, with PHPMailer, is in the header (the domain being a parked domain), and as such it spoofed the actual address, then how come they are in your email Sent Items list?

If they were truly sent out via the Google account then they would have been marked differently. And furthermore they wouldn't have had the spoof server details in the header.

I'm probably missing something, however as it stands it doesn't make sense they are in your sent items.
 
A long time ago when I had an Orange dial up (!) account I had a period of a lot of spam mails being sent apparently from me. They never showed in my sent items - I only knew anything about it because a lot were sent to people's business email addresses where some obviously didn't work there any more and some had left 'out of office' return messages visible to external mails (something I never do), so I got all the bounced mail. It definitely wasn't something on my computer as they were sent when it was switched off and disconnected from the phone line. I never found out why or how - it just stopped. I also got a lot of spam mails sent apparently by legit people - people who were 'lending' their email addresses just like me, I would imagine. I changed ISP years ago and now get almost no spam. It is weird that yours show in your sent items. You should probably be more worried than I was.
 
My personal suggestion Stewart would be to change your passwords and put them in a password manager like KeePass that encrypts them (you then only need to remember one, preferably long, password). I use this at work where information security is critical.
 
@Sharky
I disagree. I don't think I'm lax. I have anti-virus and firewall protection everywhere, I use strong passwords everywhere that I care about (i.e. on all accounts where a compromise could hurt me), I always make sure OS patches and browser patches are installed promptly, I never open attachments on unsolicited emails, and my phone is secured. I don't know what more I could do. But that's the trouble - I freely admit to not being an expert, and the problem as ever is with the unknown unknowns - I don't know what I don't know.

To me it did not come across like that from your earlier posts. Your additional information in the above adds clarity, but up to my comment it's how I personally read your posts.

E.g. yes, I'm cherry-picking the quotes because to me they stood out. The reason I took notice of the tone / content of your posts was because you're an advertiser here and the owner / manager of a business I might potentially use, so I pay attention. And I'll be very clear and say this: while my impression from the posts may be wildly different from the reality, it's how they came across up to the time of my reply.

"But I use my email account on several computers. Running additional anti-virus measures on all of them is going to be a real pain if I don't actually have any malware."
Just comes across as an 'awwwww, do I have to? /shrugs shoulders' attitude, as it's going to be a real pain, rather than an 'I know I've been compromised in some fashion, switch off the Internet, we need to get this sorted' attitude.

"Yes I can check for malware on all the PCs I use, and yes I can change my passwords. And that will almost certainly stop the problem. But the problem has already stopped; there was that one brief burst of activity several days ago and nothing since"
It reads as since the discovery you haven't changed passwords, you haven't run security scans. Those are the first things you do as a common sense approach to plug an obvious hole before heading to the Internet with screenshots in hand.

"So far I've downloaded and run Malwarebytes on my main office PC and it found absolutely nothing. I'll run it on the home PCs tomorrow morning. I've changed my Gmail password and I'll look at whether I need to change others"
This came later which was good :)

"Apparently I have 134 passwords saved in Google Chrome. Most of them I don't really care too much about: I'm not really bothered if someone hacks into my TP account, or accounts with various online retailers, because they couldn't really do any harm. But I'll change the really valuable ones."
This just shows an alarming attitude to me and by extension makes me (as a potential customer) wonder what else you're not bothered about. Are you seriously not bothered about someone hacking into your TP account? You're an advertiser; I'm guessing (could be wrong) you'll have PMs on here from customers with possible personal information in them, and you have a legal duty under the DPA to take reasonable care of that data. Then the "various online retailers" portion, again, just demonstrates a poor attitude imo.

"I didn't even know I had an Adobe account. It's nothing I care very much about so it probably has the same weak password that I use for all sites which I don't care about and which allow weak passwords. But it wouldn't have been the same password as Gmail: that's a strong one"
Again just comes across as a very poor attitude and you openly acknowledge you share a weak password across multiple sites which you don't care about.

"Yes to Android phone. Not sure about it being compromised. I've never lost it and it's protected with a join-the-dots PIN thing, so I very much doubt it's been compromised physically. Could it be compromised remotely? I have no idea. How would I tell?"
I know I'm repeating myself, but again it comes across as a very lax attitude towards IT security, risk assessment and risk management, and your business depends largely on IT / e-commerce to function.

Another thing I noticed immediately upon opening this thread was that the legit headers screenshot you posted contained an e-mail and name of an internal contact (accounts supervisor) within Wex. Her e-mail isn't publicly available, and because you hadn't obfuscated her details it shows a slapdash attitude to things. It's not your e-mail address to publicly broadcast to others; it shows no consideration.

Hmm. Hard to know, isn't it? I pretty much only install apps that (i) I really need, (ii) have large numbers of users and good ratings. But even so I guess that's no guarantee. Is there any way of detecting compromised apps?
If you are using Norton Small Business (I forgot that product even existed, my bad) then you should be licensed for the mobile AV application to add a layer of security to your mobile devices.

Absolutely impossible. Totally, utterly, no chance. Zero, zip.
Cool :)

But what are "more robust security policies"? I've described above what I currently do - what else is there? (Unknown unknown!)
Given what you've listed above I'd say you are well on the right track, but considering what has happened an IT audit / risk assessment would be beneficial. Review what you're doing, what data is contained where, your visibility of what is happening on devices, especially those you don't personally use extensively on a day to day basis, etc. If after all that you find no weaknesses or areas for improvement then you can sit back and smile smugly :).

As for security software, again I'm floundering. Norton Small Business seems to me to be aimed at ... err ... small businesses.
As above my bad, forgot that even existed.

Malwarebytes Premium is advertised as "protection for your business".
Erm, no it doesn't. It's very clear from their page that details Malwarebytes Premium:

https://www.malwarebytes.org/antimalware/premium/

"Need protection for your business? Get the power and simplicity of Malwarebytes Premium for your entire company" but importantly there is a big green image that says "learn more" which takes you to the business product equivalent edition called Malwarebytes for Business.

And if further clarity was required, read their "how can I legally use Malwarebytes in my business":

"To use Malwarebytes Anti-Malware in a business environment, you must purchase business licensing.

The use of Malwarebytes Anti-Malware Free, PRO, or Premium was designed for personal home use only.

Use of these products in any business, government, educational, or non-profit environment is against Malwarebytes Anti-Malware's EULA."

https://support.malwarebytes.org/cu...ng-government-education-non-profit-?b_id=6438
In any case, is there any real difference between the level of protection offered by "corporate grade" products and "home solutions" products? I strongly suspect not. Surely it simply wouldn't be acceptable for these companies to market "home solutions" products which they know have vulnerabilities? I expect the differences are to do with the ease of deployment, remote management and updating, that sort of thing. But I'd be happy to learn otherwise if you have any information.
You're absolutely correct. In terms of raw protection there is very little difference between real time home and business protection at its core. Of old, the Symantec Corporate team used to react quicker and get updates out faster to threats vs their consumer products, but I'm not sure that stands any more. The 'business' class element really comes, as you've noted, from policies, centralised management, visibility, reporting, support (key imo), lighter, less consumer-bloated clients and options, etc. Also more functions applicable to business environments when moving more into endpoint protection, such as content management and data control (so for example no one can e-mail out a file called payroll.xls or customerdatabase.dba). They are a different class of product to home versions.

Hope that helps, and hope that explains why I felt you showed a lax attitude (up to the time of my posting).
 
One thing I find odd is that if the actual sending domain, with PHPMailer, is in the header (the domain being a parked domain), and as such it spoofed the actual address, then how come they are in your email Sent Items list?

If they were truly sent out via the Google account then they would have been marked differently. And furthermore they wouldn't have had the spoof server details in the header.

I'm probably missing something, however as it stands it doesn't make sense they are in your sent items.
Not really odd tbh. If (as is likely) the Gmail account password is compromised, they've sent the mail remotely via scripts on a bot PC from the Vietnam IP. Anything sent via authenticated SMTP ends up in your sent items with Gmail; you don't actually need to log in to Gmail for that to occur. Gmail doesn't show logs for an extended period of time; it's only the last ten IPs, so the chances are that in the week since the original compromise @StewartR has shifted the rogue data off the list with his legit activity, so it looks as though everything is ok.

My guess would be a fishing expedition on the part of the 'hackers' to establish if they were successful with the data they've processed and then revisit the known 'good' hacked accounts when they've got confirmation back. This might not happen any time soon because as you can imagine they'll probably be processing huge chunks of login / password combinations across multiple bots (otherwise Google will flag the mass attempts).

There are good reasons you don't change passwords on a hacked account but generally the hackers should cover their tracks better so their presence isn't felt (which was probably step no.2 once they knew it was successful). If someone realises their account is hacked they'll change the password, if the hacker does that then after a bit of faff you (genuine owner) can restore your account once you demonstrate it's really yours to the provider. Better to leave it as is and just siphon data and abuse as required.
 
Yup good point and well made. I had a blonde moment there :)
 
I had the problem a while ago. This is the message (along with an offer to help) explaining why from my hosting provider:

It would seem you are a victim of 'email spoofing' where a spammer sets an email account @yourdomain as the 'from' address. They are able to do this because you haven't set strict enough rules in the Sender Policy Framework (SPF) record for your domain. Spammers usually send mass mail to randomly/automatically generated recipients, so if the mailbox doesn't exist which they are trying to send to (which is often), a bounceback message is generated.

SPF records tell incoming mailservers who is allowed to send mail using your domain name. By setting one, you can establish that mail is only allowed to be sent from the mailservers set in your mail (MX) records (the cPanel server by default), so mail from any other location fails, by setting '-all' at the end. Currently your SPF record is set to '?all', which is a neutral rule and means it is up to the incoming server to decide if the sender is allowed to send mail or not.
 
I had the problem a while ago. This is the message (along with an offer to help) explaining why from my hosting provider
SPF records are a layer of protection but do not apply in this case. If an SPF record is set up correctly on the sending domain, and if the recipient end has SPF checking enabled and some filtering / deletion rule, then it will prevent a third party sending spurious mail from your domain to them. In this case the assumption is his password was compromised and spam mail was sent from a legitimate location; SPF would have passed as it was sent from Gmail servers (regardless of client location, e.g. Vietnam).
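The SPF behaviour described in the hosting provider's message and in the reply above, as an added example that is not from the thread, the provider or any of the vendors mentioned: a small Python evaluator for the mechanisms the thread talks about (mx, ip4/ip6, all) run against constructed records and addresses. It shows why '?all' only gives a spoofed send a neutral result while '-all' fails it, and why mail relayed through the provider's own servers with a stolen password still passes whatever the attacker's location. All records, addresses and the MX list are constructed placeholders, not any real domain's DNS.

```python
import ipaddress

# Constructed sample data (not any real domain's DNS): the neutral "?all"
# record the hosting provider described, and the hardened "-all" version.
NEUTRAL_RECORD = "v=spf1 mx ip4:203.0.113.10 ?all"
STRICT_RECORD = "v=spf1 mx ip4:203.0.113.10 -all"
# Stand-in for the domain's MX hosts; a real check resolves these via DNS.
MX_ADDRESSES = ["203.0.113.10"]
# Constructed outbound range of the mail provider a compromised account sends
# through: the recipient sees that server as the SMTP client, never the
# attacker's own machine, so SPF cannot tell a stolen password from a legit send.
PROVIDER_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, mx_addresses=MX_ADDRESSES):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a connection
    from sender_ip under the given TXT record.

    Teaching evaluator only: handles ip4/ip6 (with CIDR), mx (resolved from
    mx_addresses) and all; 'include' and 'a' mechanisms are skipped.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all term ends evaluation
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "mx":
            if any(ip == ipaddress.ip_address(a) for a in mx_addresses):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 default)


if __name__ == "__main__":
    spoofer = "198.51.100.7"  # constructed: a random spam source
    print("spoofed, ?all:", evaluate_spf(NEUTRAL_RECORD, spoofer))    # neutral
    print("spoofed, -all:", evaluate_spf(STRICT_RECORD, spoofer))     # fail
    print("own MX, -all:", evaluate_spf(STRICT_RECORD, "203.0.113.10"))  # pass
    # Stolen password: the provider's server relays the mail, so SPF passes.
    print("provider relay:", evaluate_spf(PROVIDER_RECORD, "203.0.113.55"))  # pass
```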
 
I had the problem a while ago. This is the message (along with an offer to help) explaining why from my hosting provider
I did actually check Stewart's domain for that. All is well in that department. Someone or something definitely has access to his account. It is spoofed, but also in his sent items.
 
Yes, agreed with most of the above. No need to go into tech jargon: just change your password to something stronger and ensure you're running up to date antivirus software. In the reverse order. (Just to also add some further unnecessary complication to a simple solution!)
 