Is this a spoofed email? Or did someone really hack my account?

I got an email in one of my accounts, and it appears to come from me. I don't know if it was really hacked or if it's spoofed, and if so, how do I stop it?


This is the metadata of the email:

: (qmail 142280 invoked by uid 30297); 29 Mar 2019 05:46:33 -0000
Received: from unknown (HELO p3plibsmtp03-15.prod.phx3.secureserver.net) ([68.178.213.112])
(envelope-sender <minatoya@miso.ne.jp>)
by p3plsmtp01-03-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <studio@franciscomoreno.net>; 29 Mar 2019 05:46:33 -0000
Received: from mail.alec-sys.co.jp ([210.172.87.226])
by CMGW with ESMTP
id 9kLThmXoXULhR9kLThXfCI; Thu, 28 Mar 2019 22:46:32 -0700
X-IP-SPAM: Suspect
Received: from [82-117-234-189.gpon.sta.kh.velton.ua] [82.117.234.189] by mail.alec-sys.co.jp with ESMTP
(SMTPD-11.03) id 324e0000034f07cb; Fri, 29 Mar 2019 14:49:36 +0900
X-Abuse-Reports-To: abuse@mail.miso.ne.jp
Date: Fri, 29 Mar 2019 06:46:13 +0100
Content-Type: multipart/related;
boundary="lizlzsrg-87CEBC51308"
MIME-Version: 1.0
Subject: studio
List-ID: 87yvrzzpp5jlu72uq3okuwv0zywtd7gz4256imw1ycjr4iy
Feedback-ID: 2433872:870588.24597:c46:li
From: <studio@franciscomoreno.net>
X-CSA-Complaints: complaints@miso.ne.jp
To: studio@franciscomoreno.net
List-Subscribe: 3/29/2019 06:46:11
X-aid: 1815318600
Errors-To: update+ye9hfv74tpaexc7plrtg@miso.ne.jp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre)
Gecko/2008050715 Thunderbird/3.0a1
Message-ID: <3833.9832.789.8D04@miso.ne.jp>
X-Sender-Info: minatoya@miso.ne.jp
X-CMAE-Envelope: MS4wfPLGdnzNsejCSYVQxJ0oySLic25dso1F6739LtVxAj/tjCLg9xg+uU6+fsABtF3LbJfm/qXykOeLf0dgObsTCo1Svas7cFP/G4RvEqiJn4cXRAUEt7sb
UlwVxEBEzCqbMDqRwoMiE9Rqtb/ukesuVIyxk2Q3ghsmqM6LLse1SUudiZO/TQZm8LqredweMMWPpA==
X-Spam: Ironport 50%

This is a multi-part message in MIME format

--lizlzsrg-87CEBC51308
Content-Type: multipart/alternative;
boundary="qkyiykcdo-28F2BCEF719A"

--qkyiykcdo-28F2BCEF719A
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64


--qkyiykcdo-28F2BCEF719A
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

PGh0bWw+PGJvZHk+PGltZyBzcmM9ImNpZDphdHRfaW1nXzkxMDg2MCI+PC9ib2R5PjwvaHRtbD4N
Cg==


Re: Is this a spoofed email? Or did someone really hack my account?

In my opinion, it's a spoofed email. Having said that, since you posted your email address I checked it at https://monitor.firefox.com and it does bring up one hit on a data breach back in February 2019. So I would hope you have changed your password anywhere you use that email account. But that's not the main reason why I am replying. I receive one spam message a day on my account even though I have completely disabled the MX records in DNS. The message header is very similar to yours. The first similarity is the following line:

by CMGW with ESMTP


I'm not certain what CMGW is, but I think it has something to do with SMS texting. I'm still researching this, because this must be how it's sneaking into my inbox.


The other thing that is similar is the names of GoDaddy's SMTP servers. They must all be mirror servers, as a ping -a to their IP addresses returns only the stated name. Here is a brief list of the servers from which I have received this spam message:

p3plibsmtp03-03.prod.phx3.secureserver.net
p3plsmtp24-06-26.prod.phx3.secureserver.net
p3plibsmtp01-05.prod.phx3.secureserver.net
p3plsmtp24-04-26.prod.phx3.secureserver.net
p3plibsmtp03-07.prod.phx3.secureserver.net
p3plsmtp24-01-25.prod.phx3.secureserver.net

This is just a small sample. Each of the messages uses a different permutation of SMTP server names. And they ALL have the "by CMGW with ESMTP" line in the header. It is my hope someone on GoDaddy's SMTP team sees this message. My domain is digital-plumber.com and you will see my only MX record (which I temporarily changed 2 weeks ago) points to tar.junkemailfilter.com, which should make it impossible for me to receive SMTP email to my catch-all account. Yet this one message still gets through every day. I suppose I can try deleting some of the other CNAMEs in my DNS, but I hate doing things blindly. Hopefully someone from GoDaddy will reply to this thread.

Moderator

Re: Is this a spoofed email? Or did someone really hack my account?

Hi @morenoa0922,


Welcome to the Community!

It's likely you were spoofed. Check out this article for what it means and how you can prevent it in the future. There are links at the bottom of the article to help you create an SPF record in the DNS of your domain. Here are the basics:


  1. don't reply to the email
  2. update your password
  3. create the SPF record


TLH - GoDaddy | Community Moderator
Supporting you at x.co/247support
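An added example, not from the thread or from GoDaddy, that does what the two replies describe by hand: it walks the Received chain quoted in the question to find where the message actually entered the relay path, compares the visible From: domain with the SMTP envelope sender, and shows how an SPF record with -all would let a receiver reject it. The header excerpt is a constructed re-folding of the headers posted above (continuation lines indented so the stdlib parser accepts them), and the SPF record used at the end is hypothetical.

```python
import ipaddress
import re
from email import message_from_string, policy

# Constructed excerpt of the headers in the question, re-folded with leading spaces.
RAW_HEADERS = """\
Received: from unknown (HELO p3plibsmtp03-15.prod.phx3.secureserver.net) ([68.178.213.112])
  (envelope-sender <minatoya@miso.ne.jp>)
  by p3plsmtp01-03-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
  for <studio@franciscomoreno.net>; 29 Mar 2019 05:46:33 -0000
Received: from mail.alec-sys.co.jp ([210.172.87.226])
  by CMGW with ESMTP
  id 9kLThmXoXULhR9kLThXfCI; Thu, 28 Mar 2019 22:46:32 -0700
Received: from [82-117-234-189.gpon.sta.kh.velton.ua] [82.117.234.189] by mail.alec-sys.co.jp with ESMTP
  (SMTPD-11.03) id 324e0000034f07cb; Fri, 29 Mar 2019 14:49:36 +0900
From: <studio@franciscomoreno.net>

"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ENV_RE = re.compile(r"envelope-sender\s+<[^@>]+@([^>]+)>", re.I)

def parse_hops(raw):
    """Received hops as (from_host, ip, by_host), oldest first (each relay prepends its own)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for rcvd in msg.get_all("Received", []):
        text = " ".join(str(rcvd).split())  # unfold continuation lines
        found = [p.search(text) for p in (FROM_RE, IP_RE, BY_RE)]
        hops.append(tuple(m.group(1).strip("[]") if m else "?" for m in found))
    return hops[::-1]

def spoof_indicators(raw):
    """Visible From: domain vs SMTP envelope sender, plus the hop the mail entered at."""
    msg = message_from_string(raw, policy=policy.default)
    env = ENV_RE.search(" ".join(str(msg["Received"]).split()))  # topmost Received
    env_domain = env.group(1).lower() if env else None
    from_domain = msg["From"].addresses[0].domain.lower()
    origin_host, origin_ip, _ = parse_hops(raw)[0]
    return {"from_domain": from_domain, "envelope_domain": env_domain,
            "origin_host": origin_host, "origin_ip": origin_ip,
            "from_matches_envelope": from_domain == env_domain}

def spf_permits(record, ip):
    """Minimal offline SPF check: evaluates ip4: mechanisms only (no DNS); unlisted IPs fail."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t[4:], strict=False)
               for t in record.split()[1:] if t.startswith("ip4:"))
```

Running spoof_indicators(RAW_HEADERS) shows the message entered at a Ukrainian residential address and carried a miso.ne.jp envelope sender, while only the From: line claims franciscomoreno.net; spf_permits with a hypothetical record such as "v=spf1 ip4:68.178.213.0/24 -all" returns False for that origin IP, which is the reject decision an SPF-checking receiver would make.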