bigdogsru, 2011-09-23 21:23:49

Google Workspace

Email hacked? How?

I received an email with the following content (in the text below my IP address and domains are replaced with placeholder text):

Delivered-To: [email protected]here_my_domain.ru
Received: by 10.142.246.6 with SMTP id t6cs32301wfh;
 Fri, 23 Sep 2011 10:59:36 -0700 (PDT)
Received: by 10.204.4.213 with SMTP id 21mr2554071bks.408.1316800774751;
 Fri, 23 Sep 2011 10:59:34 -0700 (PDT)
Return-Path: <[email protected]here_my_domain.ru>
Received: from mail.here_my_domain.ru (here_my_domain.ru. [here.my.address.IP])
 by mx.google.com with ESMTPS id z8si7895067bkd.133.2011.09.23.10.59.33
 (version=TLSv1/SSLv3 cipher=OTHER);
 Fri, 23 Sep 2011 10:59:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected]here_my_domain.ru designates here.my.address.IP as permitted sender) client-ip=here.my.address.IP;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected]here_my_domain.ru designates here.my.address.IP as permitted sender) [email protected]here_my_domain.ru
Received: from 175-107-rev-placeholder.reverse.ntc.net.pk (175-107-rev-placeholder.reverse.ntc.net.pk [175.107.48.112] (may be forged))
 by mail.here_my_domain.ru (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id p8NHxTSF032216
 for <[email protected]here_other_my_domain.ru>; Fri, 23 Sep 2011 21:59:31 +0400
To: [email protected]here_other_my_domain.ru
Subject: =?koi8-r?B?1MXT1CAyICjXzyDXzM/Wxc7JySAyKQ==?=
Date: Fri, 23 Sep 2011 10:59:31 -0800
From: =?koi8-r?B?cnVuYW1l?= <[email protected]here_my_domain.ru>
Reply-to: [email protected]here_my_domain.ru
Message-ID: <[email protected]>
X-Priority: 3Reply-to: =?koi8-r?B?cnVuYW1l?= <[email protected]>
X-Mailer: xmailer
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit

mas

mas

telefon
icqnazv icqvse

My mail is hosted on Google Apps. here_my_domain.ru and here_other_my_domain.ru are domain aliases in Google Apps. Both domains are on the same IP address, here.my.address.IP.
How could such an email have been sent? What needs to be done to prevent this from happening again?


1 answer(s)
Vladimir Dubrovin, 2011-09-23
@bigdogsru

In general, I do not see anything odd or any sign of hacking in this email; it is ordinary spam.
mail.here_my_domain.ru received mail for [email protected]_other_my_domain.ru and delivered it to Google. I suspect that this was an entirely correct action. The SPF check of the sender's domain was performed only by Google; it received the message from mail.here_my_domain.ru, and therefore the SPF check passed. The ability to use an arbitrary sender address in the SMTP envelope and in the email headers, including addresses from your own domain, should not surprise you, because it has always existed: the SMTP protocol itself provides no mechanism for verifying the sender's address.
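The point of the answer can be made visible by walking the Received chain hop by hop and asking, at each hop, what SPF would have said for the envelope-sender domain against the IP that hop actually saw. The following is an added example, not code from the question, the answer or Google; it uses a constructed copy of the headers above (the hidden server IP replaced by the RFC 5737 documentation address 203.0.113.10, the hidden mailbox local parts by "bounce" and "user"), a constructed SPF record instead of a DNS lookup, and a deliberately minimal SPF evaluator that understands only ip4 mechanisms and the "all" terminal.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the headers in the question (not the post's verbatim text):
# the hidden server IP is replaced by the RFC 5737 documentation address 203.0.113.10 and
# the hidden mailbox local parts by "bounce" and "user".
SAMPLE_HEADERS = """\
Received: by 10.142.246.6 with SMTP id t6cs32301wfh;
 Fri, 23 Sep 2011 10:59:36 -0700 (PDT)
Received: by 10.204.4.213 with SMTP id 21mr2554071bks.408.1316800774751;
 Fri, 23 Sep 2011 10:59:34 -0700 (PDT)
Return-Path: <bounce@here_my_domain.ru>
Received: from mail.here_my_domain.ru (here_my_domain.ru. [203.0.113.10])
 by mx.google.com with ESMTPS id z8si7895067bkd.133.2011.09.23.10.59.33
 (version=TLSv1/SSLv3 cipher=OTHER);
 Fri, 23 Sep 2011 10:59:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce@here_my_domain.ru designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Received: from 175-107-rev-placeholder.reverse.ntc.net.pk (175-107-rev-placeholder.reverse.ntc.net.pk [175.107.48.112] (may be forged))
 by mail.here_my_domain.ru (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id p8NHxTSF032216
 for <user@here_other_my_domain.ru>; Fri, 23 Sep 2011 21:59:31 +0400
From: runame <user@here_my_domain.ru>
"""

# Constructed stand-in for the DNS TXT record the poster's domain presumably publishes:
# it authorises only the relay's own address. No real DNS lookup is performed.
SPF_RECORDS = {"here_my_domain.ru": "v=spf1 ip4:203.0.113.10 -all"}

# Matches "from <host> (... [<ip>] ...) by <host>" inside one unfolded Received header.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def headers(raw, name):
    """All values of header `name`, in the order they appear (newest Received first)."""
    wanted = name.lower()
    return [value.strip()
            for field, _, value in (line.partition(":") for line in unfold(raw))
            if field.strip().lower() == wanted]


def received_hops(raw):
    """External SMTP hops from the Received chain: who connected, from which IP, to whom.
    Lines without a 'from' clause (internal handoffs such as 'by 10.x with SMTP id') are skipped."""
    hops = []
    for value in headers(raw, "Received"):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def mail_from_domain(raw):
    """Domain of the envelope sender (Return-Path), which is what SPF is evaluated against."""
    for value in headers(raw, "Return-Path"):
        m = re.search(r"@([^>\s]+)", value)
        if m:
            return m.group(1).lower()
    return None


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Toy SPF evaluator: ip4 mechanisms and the 'all' terminal only (no include/a/mx/redirect).
    Returns the RFC 7208 result name: pass, fail, softfail, neutral or none."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            raise NotImplementedError(f"SPF mechanism not supported in this toy: {term}")
        if matched:
            return results[qualifier]
    return "neutral"


def spf_per_hop(raw, records=SPF_RECORDS):
    """What SPF says for the envelope-sender domain at each external hop, using the IP
    that hop actually saw. Newest hop first, as in the header."""
    domain = mail_from_domain(raw)
    return [(hop["by"], hop["ip"], check_spf(domain, hop["ip"], records))
            for hop in received_hops(raw)]


def originating_ip(raw):
    """IP that injected the message: the 'from' of the oldest trustworthy Received line."""
    hops = received_hops(raw)
    return hops[-1]["ip"] if hops else None


if __name__ == "__main__":
    for receiver, ip, verdict in spf_per_hop(SAMPLE_HEADERS):
        print(f"{receiver:24} saw {ip:16} SPF={verdict}")
    print("injected by:", originating_ip(SAMPLE_HEADERS))
```

Run as is, it reports that mx.google.com saw 203.0.113.10 (the poster's own relay, which the record authorises, hence "pass") while mail.here_my_domain.ru saw 175.107.48.112, for which the same record yields "fail". Google's SPF result is therefore correct for the hop it evaluated; the check that would have caught the forgery is the one the relay never performed. When reading a chain like this, treat only the Received lines written by servers you control as reliable: a sender can prepend arbitrary Received lines of its own, but the bottom line here was written by the poster's sendmail, so the 175.107.48.112 it recorded is what actually connected.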
