6

I received an email earlier today on my work email address. The email came from the same address—mine—but I didn't send it.

It was an email claiming that the sender was a professional hacker who had hacked my operating system and planted harmful spyware. The email also asked for 1300 USD worth of Bitcoin.

My questions are:

  • How does someone send an email from my email address if they have no access?

  • Is there anything I can do to check if this is a legitimate threat or purely a spoof?

    I have checked my sent items and this email is not showing.

  • If this is a spoof, is there anything I can do to the DKIM/SPF to ensure that this doesn't happen again?


I use DKIM Verifier on Thunderbird and the DKIM is showing as Valid.

The source code:

Return-Path: <me@mydomain.co.uk>
X-Original-To: me@mydomain.co.uk
Delivered-To: me@mydomain.co.uk
Received: from server.mydomain.co.uk (localhost.localdomain [127.0.0.1])
    by server.mydomain.co.uk (Postfix) with ESMTP id DCC6821C7E
    for <me@mydomain.co.uk>; Sun, 29 Oct 2023 12:12:33 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.co.uk;
    s=default; t=1698577954;
    bh=Ue3SNVXUWP06yh1TNGhtM2RiGpERU2gP6dRB6x/zLoc=;
    h=Received:Received:From:To:Subject;
    b=cHVVe/7qk3ychmYuvRPwETZfCY07NpvX7Rj9aGJsv7sYzvykjChnDL5fJ2qaajY+g
 i/Hebqs1LIIAQvlLnpZDuUVQAECzS28Xc9UM+DTtccWyyP+eziWOSCnLmOETY67BzB
 /5z30iIFFKYxIgVVgRUYpHnJMvR4SktsxW7G0I7A=
Authentication-Results: server.mydomain.co.uk;
    dmarc=pass (p=REJECT sp=NONE) smtp.from=mydomain.co.uk header.from=mydomain.co.uk;
    dkim=pass header.d=mydomain.co.uk;
    spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=me@mydomain.co.uk
    smtp.helo=server.mydomain.co.uk
Received-SPF: pass (server.mydomain.co.uk: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=me@mydomain.co.uk; helo=server.mydomain.co.uk;
X-Spam-Flag: YES
X-Spam-Score: 23.363
X-Spam-Level: ***********************
X-Spam-Status: Yes, score=23.363 tagged_above=-9999 required=5
    tests=[BAYES_00=-1.9, BITCOIN_DEADLINE=1.033, BITCOIN_MALF_HTML=3.185,
    BITCOIN_TOEQFM=0.835, BITCOIN_YOUR_INFO=2.999,
    DATE_IN_FUTURE_03_06=3.027, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DOS_OE_TO_MX=2.523,
    HDR_ORDER_FTSDMCXX_DIRECT=0.001, HDR_ORDER_FTSDMCXX_NORDNS=0.01,
    HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001, NO_FM_NAME_IP_HOSTN=0.001,
    PDS_BTC_ID=0.329, PDS_BTC_MSGID=0.001, RATWARE_NO_RDNS=1.018,
    RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_BL=0.001,
    RCVD_IN_MSPIKE_L5=0.001, RCVD_IN_PBL=3.335, RCVD_IN_SBL_CSS=3.335,
    RCVD_IN_VALIDITY_RPBL=1.31, RCVD_IN_XBL=0.375, RDNS_NONE=0.793,
    TO_EQ_FM_DIRECT_MX=0.001, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: server.mydomain.co.uk (amavisd-new);
    dkim=pass (1024-bit key) header.d=mydomain.co.uk
Received: from server.mydomain.co.uk ([127.0.0.1])
    by server.mydomain.co.uk (server.mydomain.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id jfa2mS26E3LW for <me@mydomain.co.uk>;
    Sun, 29 Oct 2023 12:12:32 +0100 (CET)
Received: from [119.159.249.73] (unknown [119.159.249.73])
    by server.mydomain.co.uk (Postfix) with ESMTP id 6EECD21BC5
    for <me@mydomain.co.uk>; Sun, 29 Oct 2023 12:12:28 +0100 (CET)
Received-SPF: softfail (server.mydomain.co.uk: transitioning domain of mydomain.co.uk
    does not designate 119.159.249.73 as permitted sender) client-ip=119.159.249.73;
    envelope-from=me@mydomain.co.uk; helo=[119.159.249.73];
Message-ID: <004f01da0a82$05d50e82$38d14498@atfjhd>
From: <me@mydomain.co.uk>
To: <me@mydomain.co.uk>
Subject: Your personal data has leaked due to suspected harmful activities.
Date: 29 Oct 2023 19:46:17 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_004C_01DA0A82.05D24C90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.2466
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2466
Michael come lately
PaulMcF87

1 Answer

13

TL;DR: this does not look like a hack but like a broken mail setup for your domain. The DKIM pass and SPF pass are the result of your mail setup accepting the original mail and then forwarding it to itself while adding a correct DKIM signature which it then checks.

The trace of the mail looks strange to me. It looks like the mail was received from 119.159.249.73 by your server, which did not match your SPF policy. But the (unknown) policy seems to be weak, so this mismatch only results in a SoftFail:

Received-SPF: softfail (server.mydomain.co.uk: transitioning domain of mydomain.co.uk does not designate 119.159.249.73 as permitted sender) client-ip=119.159.249.73; envelope-from=me@mydomain.co.uk; helo=[119.159.249.73];

At this time there is likely no DKIM signature in the mail yet. Then, based on the next Received header, it looks like your mail server forwards this mail to itself (127.0.0.1):

Received: from server.mydomain.co.uk ([127.0.0.1]) by server.mydomain.co.uk (server.mydomain.co.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jfa2mS26E3LW for <me@mydomain.co.uk>; Sun, 29 Oct 2023 12:12:32 +0100 (CET)

This internal delivery makes SPF pass (since it comes from 127.0.0.1) and likely creates a DKIM signature which then gets checked at the next step of internal delivery and makes DKIM pass.

In other words: this does not look like a hack but like a broken mail setup for your domain.

Steffen Ullrich
    This. I was trying to come up with a way of explaining the 127.0.0.1 path, but this makes the most sense. There's a HELO from the external client, so it came from outside but somehow loops internally. – schroeder Oct 30 '23 at 13:14
  • Is there anything I should be looking to do to toughen up my email server?

    I have set up DKIM, SPF and DMARC DNS Records on the server... I am a bit confused as to why the server would have received the email and then looped it to me amending the DKIM etc.

    Could there be something which the spammer added to the headers to make the email look legit to my server?

    – PaulMcF87 Oct 30 '23 at 16:36
  • @PaulMcF87: "Could there be something which the spammer added to the headers " - unlikely. It is just a broken setup where you accept a mail and then pass it through your system in multiple steps. You need to make sure that DKIM is only added as the last step for outgoing mails - not for mails staying inside the system. And SPF should only be checked as the first step of incoming mails (because only then the source IP is known) - not mails which get processed inside the system. But this is not the place to fix your specific (unknown) setup. – Steffen Ullrich Oct 30 '23 at 17:16
  • It looks like the 197.159.249.73 is an end-user client using Outlook Express who should be authenticating to send via your server. If that's the case, hardening the login requirements to send mail would seem a fairly straightforward mitigation here. – Andrew Leach Oct 30 '23 at 19:54
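The reasoning in the answer above and in Steffen Ullrich's follow-up comment (only the SPF check done at the first hop from outside says anything about the sender; a DKIM signature added after that hop is the receiving system vouching for itself) can be mechanised over the trace headers. The Python below is an added example for this thread, not code from the original post or from Postfix, amavisd-new or any other tool named here. The sample headers are copied from the question; the `analyze` function, its report field names and the use of `ipaddress.is_global` as the definition of "first external hop" are this example's own assumptions.

```python
"""Rebuild the hop chain of a received mail from its trace headers and separate
authentication results evaluated at the trust boundary (first hop from outside
the receiving system) from results produced after the system re-injected the
mail into itself. Added example; sample headers copied from the question."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the question's trace headers, with body and unrelated
# headers omitted. Continuation lines are folded as in a real message.
SAMPLE_HEADERS = """\
Received: from server.mydomain.co.uk (localhost.localdomain [127.0.0.1])
    by server.mydomain.co.uk (Postfix) with ESMTP id DCC6821C7E
    for <me@mydomain.co.uk>; Sun, 29 Oct 2023 12:12:33 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.co.uk;
    s=default; t=1698577954;
    bh=Ue3SNVXUWP06yh1TNGhtM2RiGpERU2gP6dRB6x/zLoc=;
    h=Received:Received:From:To:Subject;
    b=cHVVe/7qk3ychmYuvRPwETZfCY07NpvX7Rj9aGJsv7sYzvykjChnDL5fJ2qaajY+g
     i/Hebqs1LIIAQvlLnpZDuUVQAECzS28Xc9UM+DTtccWyyP+eziWOSCnLmOETY67BzB
     /5z30iIFFKYxIgVVgRUYpHnJMvR4SktsxW7G0I7A=
Received-SPF: pass (server.mydomain.co.uk: localhost is always allowed.)
    client-ip=127.0.0.1; envelope-from=me@mydomain.co.uk; helo=server.mydomain.co.uk;
Received: from server.mydomain.co.uk ([127.0.0.1])
    by server.mydomain.co.uk (server.mydomain.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id jfa2mS26E3LW for <me@mydomain.co.uk>;
    Sun, 29 Oct 2023 12:12:32 +0100 (CET)
Received: from [119.159.249.73] (unknown [119.159.249.73])
    by server.mydomain.co.uk (Postfix) with ESMTP id 6EECD21BC5
    for <me@mydomain.co.uk>; Sun, 29 Oct 2023 12:12:28 +0100 (CET)
Received-SPF: softfail (server.mydomain.co.uk: transitioning domain of mydomain.co.uk
    does not designate 119.159.249.73 as permitted sender) client-ip=119.159.249.73;
    envelope-from=me@mydomain.co.uk; helo=[119.159.249.73];
Date: 29 Oct 2023 19:46:17 +0400

"""


def _unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join(value.split())


def _hop_ip(received):
    """Client IP of a Received header, from the bracketed address in its 'from ... by' clause."""
    m = re.search(r"\bfrom\s+(.*?)\s+by\s", received)
    ips = re.findall(r"\[([0-9a-fA-F.:]+)\]", m.group(1)) if m else []
    return ips[-1] if ips else None


def _hop_time(received):
    """Timestamp after the last ';', with a trailing '(CET)'-style comment dropped."""
    stamp = re.sub(r"\s*\([^)]*\)$", "", received.rsplit(";", 1)[-1].strip())
    try:
        return parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        return None


def _is_external(ip):
    # Assumption: a globally routable address marks the trust boundary.
    return ip is not None and ipaddress.ip_address(ip).is_global


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    # Each MTA prepends its Received header, so the last one is the earliest hop.
    hops = [(_hop_ip(h), _hop_time(h)) for h in map(_unfold, msg.get_all("Received", []))]
    hops.reverse()
    origin = next(((ip, ts) for ip, ts in hops if _is_external(ip) and ts), None)
    report = {"origin_ip": None, "origin_spf": None, "internal_spf_passes": [],
              "dkim_domain": None, "dkim_seconds_after_receipt": None,
              "dkim_added_after_receipt": False, "date_skew_seconds": None}
    if origin is None:
        return report  # purely internal mail: nothing crossed the boundary
    origin_ip, origin_ts = origin
    report["origin_ip"] = origin_ip

    # Only the SPF result for the first external client IP describes the sender;
    # a "pass" for 127.0.0.1 is the server vouching for itself on re-injection.
    spf = {}
    for h in map(_unfold, msg.get_all("Received-SPF", [])):
        ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", h)
        if ip:
            spf[ip.group(1)] = h.split()[0].lower()
    report["origin_spf"] = spf.get(origin_ip)
    report["internal_spf_passes"] = sorted(
        ip for ip, result in spf.items() if result == "pass" and not _is_external(ip))

    # A DKIM t= later than the external hop's receipt time means the signature
    # was added by the receiving system, not by whoever sent the message.
    tags = {}
    for tag in _unfold(msg.get("DKIM-Signature", "")).split(";"):
        key, _, value = tag.strip().partition("=")
        if key:
            tags[key] = value.strip()
    report["dkim_domain"] = tags.get("d")
    if tags.get("t", "").isdigit():
        delay = int(round(int(tags["t"]) - origin_ts.timestamp()))
        report["dkim_seconds_after_receipt"] = delay
        report["dkim_added_after_receipt"] = delay >= 0

    # Date header far ahead of receipt time: the DATE_IN_FUTURE signal SpamAssassin
    # already flagged on this message.
    if msg.get("Date"):
        skew = parsedate_to_datetime(msg["Date"]) - origin_ts
        report["date_skew_seconds"] = int(skew.total_seconds())
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the question's headers this reports the origin as 119.159.249.73 with SPF softfail, a single self-issued SPF pass for 127.0.0.1, and a DKIM signature for mydomain.co.uk stamped six seconds after the external hop was accepted, which is exactly the "accepted, then signed and re-checked by itself" flow the answer describes. The same idea applies in a milter or SIEM rule: evaluate SPF against the first external hop only, and treat a DKIM signature from your own domain as proof of nothing unless it was present before that hop.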