"Your Account Was Hacked" - spoofed email address?
-
Hi experts,
few of users started to receive a "standard" email informing them that "their account was hacked and the sender demands some money or will share videos and pictures, etc.)
Now, I'm 99% sure it is just a scam... however I'm wondering how MDaemon could deal with these emails... I've tried to have a look at "all" logs, whether I could see any insight that the email was spoofed etc...
- Checked FROM adrress and it shows that the email was sent to the user from his own account....
- virus scan skipped because from trusted source
- return path looks like "Message return-path: prvs=1613692212=user_email_address"
How should I deal with it? Why MDaemon doesnt block/filter these messages? Again,very new with MDaemon so any advise would help :)
NOTE1: From what I can see, MDaemon is running ClamAV and IKARUS AV plugins
NOTE2: As I read that SPF is enabled by default in MDaemon, I see that in Security->Security Manager->Sender Authentication->SPF VErification, the Enable SPF verification is not "checked". Would enabling this help to filter those scam emails? As they are showing the mail was sent from "trusted source" so not sure whether SPF will check it when enabled...?
-
Hi Michal, Im not an expert but can you post the email header infromation?
also you might want to look at this, just to make sure Mdaemon spam fiterning is working.
-
Arron Staff
With the information provided, we cannot tell if the sender authenticated when sending the message, I'm guessing they did not, but just in case, if they did the first thing you need to do is change the passwords for the account. I'd also suggest enabling the requirement for local accounts to authenticate when sending mail. Security / Security Manager / Sender Authentication / SMTP Authentication.
It is possible for the sender to have used an external address in the MAIL FROM value during the SMTP session and the recipient email address in the From header. This is a pretty common tactic. MDaemon can be configured to reject these emails by setting up SPF, DKIM, and DMARC. This requires enabling the features in MDaemon as well as adding some DNS records. By enabling and using these features MDaemon can detect these mesages.
Here are KB articles on setting up SPF, DKIM, and DMARC.
https://knowledge.mdaemon.com/spf-verification-record-creation
https://knowledge.mdaemon.com/configure-dkim-signing
https://knowledge.mdaemon.com/how-to-enable-dmarc-and-configure-records
To get the best performance you will want to configure all of these features so that MDaemon is verifying SPF on inbound mail, DKIM signing your mail, verifying DKIM signatures on inbound mail, verifying DMARC results on inbound mail.