
Go Daddy Email Compromised?

Someone posted about this earlier and it was prematurely marked as solved.  They were talking about the mass of emails that look like the below screenshots.  They are not emails that were actually sent from the email address as is assumed in the solution.  They are mass random failures.  They are accompanied by emails from GoDaddy support to the admin account saying that the account's password may be compromised and to change it as soon as possible and that sending from 3rd party clients will be suspended until the password has been changed.

 

Here's the thing, this has happened on 4 of the email accounts in my domain and I have already changed the password on one of them and it's still occurring.  These are all different passwords used by different people and the passwords are of the very strong variety.

 

What's the likelihood of this happening outside of an issue with GoDaddy itself?  It appears many others hosted by GoDaddy are experiencing the same situation.

 

[Screenshots: Capture.JPG, Capture2.JPG]

 

 

44 REPLIES 44

Re: Go Daddy Email Compromised?

I received the same message from GoDaddy and went immediately to change my password, as they suggested. Now, I can't get into my email AT ALL. 

Re: Go Daddy Email Compromised?

I am suspicious too about the GoDaddy servers. One email acct is sending me tons of these even though the send file shows no one has sent from inside the acct. Changed passwords just in case.

You can't contact GoDaddy on this, all we have is this board. I think there is a GoDaddy email compromise somewhere as well. Please let me know if you find out anything. It has happened before but stops. I think a robot mimics or creates a fake email camo'ing as your email. Just like a robo call but these are robo emails.....idea? Here is one of mine, but they all basically look the same and are generated in Asian.
* 270560558@qq.com

Reason: There was an error while attempting to deliver your message with [Subject: "270560558"] to 270560558@qq.com. MTA p3plsmtpa06-07.prod.phx3.secureserver.net received this response from the destination host IP - 203.205.176.240 - 550 , 550 Mail content denied [N/rJhc+WcLEC4Q0iLDi4uQNnHL7c3ozBzfTCHn3NZ3QdMLFfZzqobMw=]. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726

Re: Go Daddy Email Compromised?

After going through the process of changing my password THREE TIMES, I am finally back in my email account. There were a ton of returned/undeliverable email messages which I never sent, so I'm not sure what happened. It would be nice to know what gives here. SMH

Re: Go Daddy Email Compromised?

Oh, and I also keep getting the message that my account needs to be "validated," but there is nothing else - no link, no info, nada. *shrug* 

New

Re: Go Daddy Email Compromised?

I'm having the exact same issue and followed the same steps of changing all passwords. As there are no other actionable steps that we can take, will someone from GoDaddy please investigate the servers to confirm that nothing has been compromised?

Re: Go Daddy Email Compromised?

Go to this topic: Unauthorized email useage

https://www.godaddy.com/community/Managing-Email/Unauthorized-email-useage/m-p/30527

 

This explains what happened and how to address it

Re: Go Daddy Email Compromised?

That doesn't explain what's happening in the slightest.  

 

You're saying that different accounts used by different people across the country, that have changed their own passwords from their own locations, were all compromised by a key logger or malware of some sort? So the same malware on all those machines that are not co-located.  On top of that there is an account that is idle, it's never been used and only accessed via the control panel is getting them as well.  Did you even read my original post?

Re: Go Daddy Email Compromised?

Did you read the whole thing I referenced?  - Obviously not.

 

I guess you missed the spoofing part.  That was what happened in my case and fixing the DNS solved the problem.  

Re: Go Daddy Email Compromised?

Yes I read the entire article you referenced.  I have long had an SPF statement in the hosts file to prevent this.  Next you can explain how accounts that have never been used and don't exist outside of the control panel are being spoofed.

Re: Go Daddy Email Compromised?

While I suspect GoDaddy has issues, fixing the DNS zone worked for me.

 

As far as your spoofing question, any email (existing or not) can be spoofed.  

Re: Go Daddy Email Compromised?

I am having the exact same issue on two of my four email accounts. I, too, have changed my passwords a number of times, and yet, this morning, it has happened again. The email relay usage shows the increase in usage on one account of 233 and 0 on the other. Neither account has a password that is used anywhere else. 

Helper I

Re: Go Daddy Email Compromised?

I've called now at least four times and spoken to them on online chat a few more. This issue is NOT solved. I've changed the password on the account in question five times and am still receiving DOZENS OF these emails every day. I'm going to take my email accounts and put them with Liquid Web. This is ridiculous.

Re: Go Daddy Email Compromised?

You have it worse than I do. Since I don't use these emails to send from, I set the relay to 0. I will leave it there until godaddy gets their situation squared away. 

Re: Go Daddy Email Compromised?

Having the same issues for a couple of weeks.  Ran virus scans 100 times.... Changed passwords 2-3 times a day and still having the issue. Today I could not download any files. 

 

Finally resolved and figured it out.   

Go to add and remove programs. 

Uninstall your Google Chrome. 

Do not reinstall it when asked to.

Go to internet explorer or another browser and search for Chrome. 

reinstall Google Chrome from there. 

Then log in and once again change your password thru Godaddy. 

This has worked for me and hoping it might resolve someone else's problem in here. I still feel this is a GoDaddy issue and a virus. 

Re: Go Daddy Email Compromised?

Thanks for your input even though I know this isn't the case in my situation.

Re: Go Daddy Email Compromised?

I'm pretty sure you are right... I think it's a combination of a few issues. Good luck!! 

Helper I

Re: Go Daddy Email Compromised?

My webmaster went in and changed the DNS record (My site is not hosted on godaddy) and I thought that the issue was resolved. But it's not. I awoke to dozens more *spoofing* emails. And this is clearly a GoDaddy issue. I'm moving my email accounts to a company that values my business and keeps me safe.

Highlighted

Re: Go Daddy Email Compromised?

Thank you AlbertaArchery.   I have the same issue this week again even after changing my password.

First I enabled two step verification in my go daddy account just in case someone had access.  But I think this is a case of spoofing.  So....I went on the chat with GoDaddy and the rep added the SPF text into my DNS domain that was mentioned in the link someone shared.  I hope that fixes it.  I will try to update this after I see if there are more failed messages.......

Helper I

Re: Go Daddy Email Compromised?

I've done all that and then some. Talked to GoDaddy support four or five times. And still...

Re: Go Daddy Email Compromised?

Update on my case - the SPF (or whatever it is) file change in the DNS apparently has not worked.  Still getting about 20 bounced fake emails a day.   GoDaddy said it would take a few days for the change to be effective but it's been 4 days so far.

 

Next step is to uninstall and re-install the browser as was suggested (going to the browser download site to get the exec file).  I am using firefox and chrome so I will have to do both  I guess, but I will start with Chrome first as the poster did.

Helper I

Re: Go Daddy Email Compromised?

Same experience here.

 

Clearly this is a GoDaddy issue. One that they are refusing to acknowledge and fix.

Helper I

Re: Go Daddy Email Compromised?

Their email is definitely compromised and they're not doing anything about it. I'm moving.

Helper I

Re: Go Daddy Email Compromised?

I've got five email accounts through GoDaddy and for weeks now two of them have been experiencing huge amounts of bounce-back emails from emails I NEVER SENT (see below): 

 

Message Delivery Failure
mailer-daemon@secureserver.net [mailer-daemon@secureserver.net]
Sent: Wed, 2:23 pm
To: my email address
Attachments: untitled-[2]untitled-[3]???????????????????????554758?C0M?????188?18?0?,??Q8115 13 237???.eml
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed permanently:

* 2228322698@qq.com

Reason: There was an error while attempting to deliver your message with [Subject: "措核舅押厕霜舸迎锚讴摩垦逻切澳菛威尼斯人554758点C0M邀您紸冊拿188盈18⒏0提,专员Q8115 13 237拿行为"] to 2228322698@qq.com. MTA p3plsmtpa11-08.prod.phx3.secureserver.net received this response from the destination host IP - 184.105.206.30 - 550 , 550 Mailbox not found. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000728
.==================

 

Godaddy tells me to:

 

Change the password. DONE. Several times.

Change the DNS record for my domain/s. DONE.

Run a malware scan. DONE. No malware on MY end.

 

Every time I write or call they give me the runaround. This is NOT a Godaddy problem they say. Then why are so many others having the same exact problem? Why are you repeatedly sending me these emails:

 

Dear Pamela Grow,

GoDaddy understands that email is a vital part of business today and we take our commitment to customer security seriously. We have reason to believe that your email account pamela@pamelagrow.com may have been compromised.

For your protection, and the protection of others, we have suspended the ability for this address to send mail through third-party clients such as Outlook, Thunderbird, etc.

What's the next step?

As soon as possible, please update your password using these instructions (more info). We encourage you to use a strong password and to change your previous password (or any variations) anywhere else you may have used it.

Once your password has been updated, we will lift the suspension and the email account will be able to send mail through third party clients again.

Please keep in mind that this email account can still send and receive messages through web-based email, provided the storage quota has not been exceeded.

Thank you for your understanding and cooperation. Please feel free to contact us if you need help or have questions.

The GoDaddy Email Team

 

============

WHEN WILL YOU FINALLY ADDRESS THIS PROBLEM AND FIX IT???
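For anyone triaging a mailbox full of these notifications, a small parser helps compare what bounced against the relay counter discussed in this thread. This is an added example, not code from any poster or from GoDaddy; the sample notifications are constructed in the format quoted above, and the addresses, host names, IPs and the `provider_suffix` parameter are placeholders.

```python
import re
from collections import Counter

# Constructed samples in the notification format quoted in this thread.
# All addresses, host names and IPs are placeholders, not real values.
SAMPLE_BOUNCES = [
    'Reason: There was an error while attempting to deliver your message with '
    '[Subject: "1000000001"] to 1000000001@qq.example. MTA out-01.mailhost.example '
    'received this response from the destination host IP - 203.0.113.10 - 550 , '
    '550 Mail content denied. http://help.qq.example/a',
    'Reason: There was an error while attempting to deliver your message with '
    '[Subject: "constructed subject"] to 1000000002@qq.example. MTA '
    'out-02.mailhost.example received this response from the destination host '
    'IP - 203.0.113.11 - 550 , 550 Mailbox not found. http://help.qq.example/b',
    'Reason: There was an error while attempting to deliver your message with '
    '[Subject: "hello"] to user@mail.example. MTA relay.other.example received '
    'this response from the destination host IP - 198.51.100.7 - 550 , '
    '550 Mailbox not found.',
    'Out of office until Monday.',  # not a delivery failure: must not parse
]

DSN_RE = re.compile(
    r'\[Subject: "(?P<subject>.*?)"\] to (?P<rcpt>\S+@\S+?)\. '
    r'MTA (?P<mta>\S+) received this response from the destination host IP'
    r' - (?P<ip>[0-9a-fA-F.:]+) - (?P<code>\d{3}) ?, (?P<reply>.*?)'
    r'(?:\s+https?://\S+)?$',
    re.S,
)


def parse_bounce(text):
    """Return the fields of one failure notice, or None if it does not match."""
    m = DSN_RE.search(text.strip())
    return m.groupdict() if m else None


def summarize(bounces, provider_suffix):
    """Tally bounces by recipient domain and by the MTA that tried delivery.

    provider_suffix is the domain of your mail provider's outbound servers
    (an assumption you supply); via_provider counts notices whose delivering
    MTA sits under it, which is the number to set against relay usage.
    """
    summary = {"parsed": 0, "unparsed": 0, "via_provider": 0,
               "by_domain": Counter(), "by_mta": Counter()}
    suffix = provider_suffix.lower()
    for text in bounces:
        fields = parse_bounce(text)
        if fields is None:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        mta = fields["mta"].lower()
        summary["by_mta"][mta] += 1
        summary["by_domain"][fields["rcpt"].rsplit("@", 1)[1].lower()] += 1
        if mta == suffix or mta.endswith("." + suffix):
            summary["via_provider"] += 1
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_BOUNCES, "mailhost.example"))
```
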

Re: Go Daddy Email Compromised?

Update - I haven't reinstalled the browsers yet, but Go Daddy decided to block my email until I have changed my password.  I have already changed the password twice.  The third party emails continue through my address.  I will do it again and have another chat with Go Daddy. 

Helper II

Re: Go Daddy Email Compromised?

I too, received an email from GoDaddy yesterday afternoon to change my password. After it had already stopped. Today I figured OK, I'll do it. Even though in my case I doubt that that has anything to do with this spoofing issue. Nothing to win or lose by doing it, except that GoDaddy threatened to block the email address from sending or receiving.

Thanks GoDaddy. Not sure if you did anything, or you were just trying to aggravate me with more email.

OK I ended up getting about 6 that last day...(a few days ago)

I have not received any since. It was about 5 days since I added the SPF to the DNS and still haven't added the DKIM or DMARC, since I read somewhere that GoDaddy doesn't really support it anymore anyway. Will have to see if my clients need it. I read somewhere that it takes about 4 or 5 days for the SPF to propagate through the servers. 

I still don't see how if these spoofs (not coming from our email or servers) changing your passwords or browsers have anything to do with it. Every case can be different, so I'll only speak to my situation.

 

I will update if anything else comes up.

Helper I

Re: Go Daddy Email Compromised?

Same. For two email accounts. And the spam had stopped. They have a problem, they've probably been hacked, and they're not acknowledging it. 

Helper II

Re: Go Daddy Email Compromised?

I don't believe that it is strictly a GoDaddy issue. Try googling the web and you'll see it on many different email servers (gmail, yahoo, etc.)

Re: Go Daddy Email Compromised?

Happening to me too on 2 email accts , called 9 times now over 2 weeks.

I have changed password on secure networks using a virtual key pad and still getting relays being used and bounce backs from qq.com. 

They updated SPF records and still it doesn't stop.

Looks like it is def a GoDaddy issue but what do we do ...uggg

Those that are switching , where are you going?

Re: Go Daddy Email Compromised?

Well, after doing what I had posted, I stopped getting the messages (for a while).  Today they came back.  

 

It is definitely a GoDaddy problem.  I am not sure why they have not addressed this problem.

Helper II

Re: Go Daddy Email Compromised?

Well the only thing I can say is what has worked for me so far to end this spoofing…

 

After reading this forum, googling it to read what others have done with this almost exact same issue with the qq.com emails on other mail servers (which leads me to believe that it is not strictly a GoDaddy issue)…

 

- Over a week of these spoofs, while I researched

I added and ensured correct syntax (for my situation) the SPF to DNS Manager.

- first day the “bounce-backs” were about a third less

- second day about the same as before the SPF

- third day a few less

- fourth day about a 1/4 of them

- fifth day barely a handful

- sixth day maybe 2 and from then on Zero to date.

 

I had been planning on adding the DKIM and DMARC and haven’t. Checked out altering the htaccess in the site, haven’t done so.

 

I only changed my password after it had stopped and GD said to.

 

So after 2+ weeks of this nonsense on only one of the 22 email addresses, it has finished, That is my story.

 

Let us know if it continues...

Re: Go Daddy Email Compromised?

Still happening to me.  2.5 weeks and 11 calls to support so far. The last call they said only solution was to switch to Office 365 email, as it is more secure. At a pretty big price tag as well. 

Solution: Pay us more and we can fix it.

Helper I

Re: Go Daddy Email Compromised?

Mine has petered out after doing all these things repeatedly. I'm still planning on switching my email over to my hosting provider (not Godaddy) but am in the middle of too much stuff right now.

Re: Go Daddy Email Compromised?

Thanks Doug, it looks like for me this has finally petered out as well.  Today is the first day that none of the accounts have maxed out relay counts.

 

The idea that this had anything to do with passwords being compromised on our end is ridiculous.  I have accounts where I had changed the passwords (from several different machines on different networks), accounts where the user had changed their own password, and accounts that have never been even used, suffer this problem.  I've had notifications from GoDaddy about changing an account password up to 5 days after I had changed the password multiple times and the spoofing had ceased.  I no longer think that it has anything to do with passwords at all and is just an email vulnerability that GoDaddy and others suffer from for whatever reason.  It sure would be nice to have some actual support from GoDaddy other than just telling us to keep changing passwords. 

Helper II

Re: Go Daddy Email Compromised?

AlbertaArchery,

 

First, that is GREAT that it stopped!

 

Second, this spoofing should not have used a "relay" unless like me, I have my mail forwarded to another address on my computer's email app, and then it is only the messages that are forwarded to me that use the "relay." The spoofers' original emails don't use my relays, they use their own SMTP setup on their servers. 

 

The reason I'm saying this is if you are working out of Workspace only, there should not be any "relays" used, and so if there are "relays" being used it could have been that "someone" could have compromised you. Check your sent email box, it should not have any of these going out. So, I'll say that make sure you make password changes by going to the Workspace directly and not clicking on any link in any email to get you there.

 

Just saying...

Re: Go Daddy Email Compromised?

Thanks Doug, but no.  We are talking about numerous addresses all used by different people in different locations from different computers, some of which the users manage their own passwords.  It was happening to all the accounts before I became administrator and I changed the passwords via the Workspace control panel for the remaining accounts several times yet it still continued for weeks on all the accounts.  There were even a couple accounts that only exist in Workspace, that have never been accessed by a user and have no activity other than these bounce backs. They likely had the original passwords from when all the accounts were originally created a couple years ago, yet started getting the bouncebacks at the same time as all the other accounts. 

Helper II

Re: Go Daddy Email Compromised?

AlbertaArchery,

 

Sorry, I was really only referring to the "relays" in my last post. A "relay" is a message going out from the GD SMTP server to have it count against your usage. It also counts the cc and bcc's as separate "relays" out. 

 

Incoming or bounce-back email does not count as a "relay."

 

[Sometimes when I reread my posts, it seems that English and Grammar are foreign to me.]

Re: Go Daddy Email Compromised?

Update on my situation.    I got 26 of the bounced qq.com emails today.   This is after Godaddy did two changes to my DNS record.  Called them again and got the Office 365 sales pitch.  They graciously offered to waive the $100 per address migration fee (ugh) and offered Office 365 Business Premium for a starter of $7 a month.  Same from Microsoft would be $15 a month.  They explained that the Godaddy Web app is an old technology, vulnerable and basically they can't do anything with it to prevent the spoofing.  They used the 'someone is using your email to drag your name through the dirt' pressure tactic.   I appreciate having fees waived but, really, isn't that the least that could be done given the problems?

 

Obviously I am disappointed that it will cost me more to utilize Go Daddy as my email host without this issue.  Like others I am wondering if there is a better option and hope someone will share if they find one.   I don't know why Doug was able to resolve his problem, given what Go Daddy told me today.

Re: Go Daddy Email Compromised?

I am looking at other hosts.   First search came up with this

 

https://webhostinggeeks.com/best-email-hosting

 

I have no idea yet whether these hosts/apps are more secure.  Please share if you find anything out

Helper I

Re: Go Daddy Email Compromised?

Honestly, mine stopped (it was occurring on two separate domain emails), so I'm not concerned about it right now since I'm in the midst of a lot of other stuff. 

 

However I've never used GoDaddy for hosting. I use Liquid Web and I'm DELIGHTED with them. Absolutely top notch. I will probably just transition over to them for my email as well. I liked the interface, which is the only reason I'm still with GoDaddy for email.

Re: Go Daddy Email Compromised?

I am pretty certain that what I was told today by godaddy is true...that the web app is old tech and vulnerable and they can only do so much with it.   So.......time to find a new app (besides office 365) if it's possible.  I am looking at other hosts.  It has not petered out for me.....I just deleted the affected email address which luckily I could do without too much trouble.  Sooner or later my main account may be affected and that will be a big problem.

 

https://www.reddit.com/r/sysadmin/comments/7ow0ap/anyone_else_getting_massive_amounts_of_spam_from/

 

I was reading reddit, and I wonder why godaddy hasn't just blocked qq.com like other providers.  I don't know but seems like it would stop the problem.....I may ask godaddy. 

Helper I

Re: Go Daddy Email Compromised?

Makes you wonder. Mine have varied between the qq.com and an .ru (mostly qq.com tho). That would be an easy enough fix, no?

Helper II

Re: Go Daddy Email Compromised?

barrilles,

 

I wish I could tell you more exactly what worked, I can only tell you my story and maybe you can find a clue for you… Mine was SPF text and Patience.

I have both standard Hosting w/12 websites and Workspace w/22 email addresses @ GoDaddy, since the ’90’s. Only one email address had the issue with (primarily) qq.com bounce-backs.

 

I found this post somewhat insightful. Showing my issue as spoofing in this case. (Give him kudos)

https://www.godaddy.com/community/Managing-Email/Unauthorized-email-useage/m-p/30666#M2868

 

After searching and reading this forum, googling it to read what others have done with this almost exact same issue with the qq.com emails on other mail servers (which lead me to believe that it is not strictly a GoDaddy issue). 

 

The bounce-backs also showed me that the original spoofing was done on servers outside of GoDaddy’s servers and most likely in China or close surrounding area. We have clients in Australia, New Zealand, the Philippines and surrounding areas, so blocking the countries there wasn’t a good idea for us. 

There were Zero of these emails in the Sent box and the only “relays” used were the forwarding on this address, which also showed me that it was spoofing. I believe it was in the above link that says there is little to nothing you can do about spoofing except the SPF text in your DNS no matter who you are Hosting with. I guess technically I have spoofed my own email to send out newsletters from other servers, which can be controlled via the SPF txt. which I didn’t have until this all came up.

 

- Over a week of these spoofs, while I researched

I added and ensured correct syntax (for my situation = TXT @ v=spf1 a include:_spf.aol.com ~all )(this server as well as the aol servers in this example) SPF to DNS Manager.

- first day the “bounce-backs” were about a third less

- second day about the same as before the SPF

- third day a few less

- fourth day about a 1/4 of them

- fifth day barely a handful

- sixth day maybe 2 and from then on Zero to date.

 

Extraordinary Patience was about the only hallmark of what I did while the SPF propagated through the servers to end this problem.

 

I had been planning on adding the DKIM and DMARC and didn’t, informed that GoDaddy doesn’t really support it anyway. So what you said about being told that their email system being outdated has to be correct. Checked out altering the htaccess in the site, haven’t done so.

 

I only changed my password after it had already stopped and GD said to.

 

So after 2+ weeks of this nonsense on only one of the 22 email addresses, it has finished, That is my extended story and I’m sticking with it.   ;-)

Solution

Re: Go Daddy Email Compromised?

My Emails to Gmail were bouncing with the following error: Delivery to the following recipients was aborted after 20.6 hour(s)

 

I struggled with this issue for over two months now. The solution, and the only solution that worked for me, is to add

1. SPF to your server
2. DKIM
3. And [maybe] optional DMARC
 
If any of the above fails, then emails to gmail will NOT go through.
You can do a google search on how to add SPF DKIM and DMARC to your server. The following settings worked for me: I use godaddy VPS with email set up. On the back end I use WHM the latest version with Enable DKIM/SPF Globally Enabled under features.
 
SPF
1. Login to your CPANEL.
2. Go to Zone Editor - (under Domains category)
3. Select your domain and press Manage
4. Select All under filter. Go through the list checking the Value Column to ensure that NO record starts with v=spf1. If there is such an entry delete it.
5. Near the top there is an "Add Record" button. Click the arrow next to it and Select Add TXT Record.
6. Enter the following:
 Name: YourDomainName.com (E.g. example.com)
 TTL: 1400
 Class: IN
 Type: T
 Record: v=spf1 a mx include:secureserver.net -all
 
7. Save. It will take up to 24 hrs for details to propagate. To test your SPF use the following sites:
 
 
 
 
DKIM/DMARC
1. Enable this feature in the WHM features if not enabled already.
2. Set up global DKIM
3. Login to the CPANEL 
4. Click on Authentication (Under Email Category)
5. Ensure DKIM is Enabled and press UPDATE
 
6. And this is important as found here:
 
Go to:
WHM > Exim Configuration Manager > Advanced Editor 
Modify the ROUTERSTART section from remote_smtp to dkim_remote_smtp, as follows:
 
send_to_smart_host:
driver = manualroute
route_list = !+local_domains dedrelay.secureserver.net
transport = dkim_remote_smtp 
 
Save the Changes.
 
To test your DKIM Settings, send an email to your Yahoo or any other provider. In Yahoo, open the email and click the three horizontal dots ... at the top of the email. Next click on View Raw Message. Check the raw message for the section dkim=pass (ok)
If it says OK then it is successful. If it says Fail then there is a problem with the DKIM. Check also for SPF to see if it passed.
 
Note that GMAIL will NOT go through unless SPF and DKIM pass.
 
Hope this helps.
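The two checks this post walks through (step 4 of the SPF list, and reading the raw message for `dkim=pass`) can be scripted. The sketch below is an added example, not code from the poster or from GoDaddy/cPanel: it audits the TXT records listed for one name and reads the verdicts out of an `Authentication-Results` header. The sample zone entries and headers are constructed, the function names are hypothetical, and the lookup count covers top-level terms only (nested includes also count toward the limit of 10).

```python
import email
import re

# Constructed sample: TXT values as a zone editor would list them for one name.
SAMPLE_ZONE_TXT = [
    "v=spf1 a mx include:secureserver.net -all",   # record from the post
    "site-verification=constructed-placeholder",
]
# Constructed sample of the raw headers a receiver adds.
SAMPLE_HEADERS = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass (ok) header.i=@example.com header.s=default;\n"
    " spf=pass smtp.mailfrom=example.com;\n"
    " dmarc=none header.from=example.com\n"
    "Subject: constructed test message\n\n"
)

LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
ALL_MEANING = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def audit_spf(txt_records):
    """Audit the TXT records published at one DNS name for SPF problems."""
    spf = [r.strip() for r in txt_records
           if r.split() and r.split()[0].lower() == "v=spf1"]
    report = {"record": None, "all": None, "lookups": 0, "findings": []}
    if not spf:
        report["findings"].append("no v=spf1 record published")
        return report
    if len(spf) > 1:
        # Step 4 of the post: a second v=spf1 record breaks SPF evaluation.
        report["findings"].append("multiple v=spf1 records (permerror)")
        return report
    report["record"] = spf[0]
    for term in spf[0].lower().split()[1:]:
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(.*)$", term)
        if not m:
            report["findings"].append("unparseable term: " + term)
            continue
        qualifier, name, rest = m.groups()
        if name in LOOKUP_TERMS:
            report["lookups"] += 1          # top-level DNS-querying terms
        if name == "all" and not rest:
            report["all"] = ALL_MEANING[qualifier or "+"]
    if report["all"] is None and "redirect=" not in spf[0].lower():
        report["findings"].append("no 'all' term: unlisted senders are neutral")
    elif report["all"] not in (None, "fail"):
        report["findings"].append(
            "'all' resolves to %s: receivers are not told to reject "
            "unlisted senders" % report["all"])
    if report["lookups"] > 10:
        report["findings"].append("more than 10 DNS-lookup terms (permerror)")
    return report


def auth_results(raw_headers):
    """Return the first spf/dkim/dmarc verdict found in Authentication-Results."""
    msg = email.message_from_string(raw_headers)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)",
                                         value.lower()):
            verdicts.setdefault(method, result)
    return verdicts


def passes_post_criterion(verdicts):
    """The post's criterion: both SPF and DKIM must report pass."""
    return verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"


if __name__ == "__main__":
    print(audit_spf(SAMPLE_ZONE_TXT))
    print(auth_results(SAMPLE_HEADERS))
```
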

Re: Go Daddy Email Compromised?

Thanks for the detailed possible solution.

 

The problems we had when I originally submitted this post have mostly subsided but I'm going to have a go at your suggestion as there are a few straggling issues this might help with.

 

Thanks again,

 

C