Email hacked? How?

B

bigdogsru2011-09-23 21:23:49

Google Workspace

bigdogsru, 2011-09-23 21:23:49

Email hacked? How?

I received a letter with the following content (in the text my IP and domains are replaced by Russian texts):

Received-SPF: pass (google.com: domain of [email protected]тут_мой_домен.ru designates тут.мой.адрес.IP as permitted sender) client-ip=тут.мой.адрес.IP;<br/>
To: [email protected]тут_другой_мой_домен.ru<br/>
Subject: =?koi8-r?B?1MXT1CAyICjXzyDXzM/Wxc7JySAyKQ==?=<br/>
Date: Fri, 23 Sep 2011 10:59:31 -0800<br/>
From: =?koi8-r?B?cnVuYW1l?= &lt;[email protected]тут_мой_домен.ru&gt;<br/>
Reply-to: [email protected]тут_мой_домен.ru<br/>
Message-ID: &lt;[email protected]&gt;<br/>
MIME-Version: 1.0<br/>
Content-Type: text/plain; charset=koi8-r<br/>
Content-Transfer-Encoding: 8bit<br/>
<br/>
mas<br/>
<br/>
mas<br/>
<br/>
telefon<br/>
icqnazv icqvse

My mail is on Google Apps. here_my_domain.ru and here_other_my_domain.ru are synonyms in Google Apps. Both of these domains are on the same IP - here.my.address.IP
How could such a letter be sent? What needs to be done to prevent this from happening again?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

V

Vladimir Dubrovin, 2011-09-23
@bigdogsru

In general, I do not see any oddities and hacks in this letter, the usual spam.
mail.here_my_domain.ru received mail for [email protected]_other_my_domain.ru and delivered it to Google. I suspect that this was a completely correct action. Checking the sender's domain by SPF was implemented only by Google, he received a letter from mail.here_my_domain.ru and therefore the SPF check was successful. The ability to use an arbitrary return address in SMTP and email headers, including addresses from your domain, should not confuse you, because. it has always been there, the SMTP protocol itself does not provide any mechanisms for checking the sender's address.