Topic: SPAM Question
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Ubuntu 16.04.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes 2.8.0
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
So, to avoid our own emails ending up as SPAM, I whitelisted our own domain for incoming email. However, recently our users have been receiving emails that look like they are from themselves (demanding bitcoin, claiming to have our info, and emails requesting us to change our passwords). What is the proper way for me to combat this? When looking at the source you can eventually see that it comes from a different IP address. See below. Any help appreciated.
Return-Path: <smsmith@mydomain.com>
Delivered-To: smsmith@mydomain.com
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id 166861F81241
for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:35 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-100 required=1.5 WHITELISTED tests=[]
autolearn=unavailable
Received: from mail.mydomain.com ([127.0.0.1])
by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pe2Mp5mlM33U for <smsmith@mydomain.com>;
Mon, 29 Oct 2018 03:50:34 -0400 (EDT)
Received: from [103.71.77.175] (unknown [103.71.77.175]) <------------This is the foreign IP address
by mail.mydomain.com (Postfix) with ESMTP id 874831F80500
for <smsmith@mydomain.com>; Mon, 29 Oct 2018 03:50:33 -0400 (EDT)
From: <smsmith@mydomain.com>
To: <smsmith@mydomain.com>
Subject: smsmith@mydomain.com is compromised. Password must be changed
Date: 29 Oct 2018 16:59:48 +0400
Message-ID: <004401d46f8a$04c41686$9a9380b2$@sbcjolley.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acy3r9771dnhc3u5y3r9771dnhc3u5==
Content-Language: en
x-cr-hashedpuzzle: 2D4= r977 1dnh c3u5 y3r9 771d nhc3 u5y3 r977 1dnh c3u5 y3r9 771d nhc3 u5y3 r977;1;1dnhc3u5y3r9771dnhc3u5y3r9771dnhc3u5y3r9771dnhc3;Sosha1_v1;7;\{A5874389-A361-4D69-4B8F-456FAD81A587\};ZQB3AGUAZgr9771dnhc3u5y3r9771dnhc3u5y3r9771dnhc3;29 Oct 2018 16:59:48 +0400;u5y3r9771dnhc3u5
x-cr-puzzleid: \{A5874389-A361-4D69-4B8F-456FAD81A587\}
Hello!
I'm a programmer who cracked your email account and device about half year ago.
You entered a password on one of the insecure site you visited, and I catched it.
Of course you can will change your password, or already made it.
But it doesn't matter, my rat software update it every time.
Please don't try to contact me or find me, it is impossible, since I sent you an email from your email account.
Through your e-mail, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a rat software on your device and long tome spying for you.
You are not my only victim, I usually lock devices and ask for a ransom.
But I was struck by the sites of intimate content that you very often visit.
I am in shock of your reach fantasies! Wow! I've never seen anything like this!
I did not even know that SUCH content could be so exciting!
So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I jointed them to the content of the currently viewed site.
Will be funny when I send these photos to your contacts! And if your relatives see it?
BUT I'm sure you don't want it. I definitely would not want to ...
I will not do this if you pay me a little amount.
I think $845 is a nice price for it!
I accept only Bitcoins.
My BTC wallet: 17XHRucfd4kx3W5ty7ySLGiKHqmPUUdpus
If you have difficulty with this - Ask Google "how to make a payment on a bitcoin wallet". It's easy.
After receiving the above amount, all your data will be immediately removed automatically.
My virus will also will be destroy itself from your operating system.
My Trojan have auto alert, after this email is looked, I will be know it!
You have 2 days (48 hours) for make a payment.
If this does not happen - all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours)
Do not take this frivolously! This is the last warning!
Various security services or antiviruses won't help you for sure (I have already collected all your data).
Here are the recommendations of a professional:
Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!
I hope you will be prudent.
Bye.
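One way to check for the pattern shown in these headers, as an added example that is not code from the iRedMail post or project: it walks the Received: chain newest-first, stops at the first hop outside a trusted set, and flags mail whose From: is the local domain but whose origin is external, together with whether amavisd's whitelist applied. Assumed: mydomain.com as the local domain, and loopback plus a constructed 192.0.2.0/24 as the trusted relays.

```python
# Added example (not code from the iRedMail post or project): find the first
# untrusted hop in the Received: chain and flag local-domain From: spoofing.
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"           # assumption: the site's own domain
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]  # 192.0.2.0/24 is constructed
# "from <name> (<helo-or-rdns> [<ip>])", the form Postfix writes.
RECEIVED_IP = re.compile(r"from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def originating_ip(msg):
    # Received: headers are prepended, so the first is the newest hop. Walk
    # newest-first and stop at the first hop outside TRUSTED_NETS: that IP was
    # recorded by our own relay; anything below it was supplied by the sender.
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(rcvd))
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None  # every hop was one of ours: genuinely local mail

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    origin = originating_ip(msg)
    claims_local = sender.endswith("@" + LOCAL_DOMAIN)
    return {
        "from": sender,
        "origin_ip": origin,
        # Local From: with an external origin is exactly what a domain whitelist lets through.
        "spoofed": claims_local and origin is not None,
        "whitelisted": "WHITELISTED" in str(msg.get("X-Spam-Status", "")),
    }

# Constructed sample: the relevant headers from the post, folded as Postfix emits them.
SAMPLE = """\
Received: from mail.mydomain.com (mail.mydomain.com [127.0.0.1])
\tby mail.mydomain.com (Postfix) with ESMTP id 166861F81241
X-Spam-Status: No, score=x tagged_above=-100 required=1.5 WHITELISTED tests=[]
Received: from mail.mydomain.com ([127.0.0.1])
\tby mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
Received: from [103.71.77.175] (unknown [103.71.77.175])
\tby mail.mydomain.com (Postfix) with ESMTP id 874831F80500
From: <smsmith@mydomain.com>
"""
```

A domain whitelist keys on exactly the field the sender controls, so the origin hop, not the From: domain, is what any exception should be tied to.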