Overclock.net › Forums › Software, Programming and Coding › Networking & Security › My email is being spoofed

My email is being spoofed - Page 2

post #11 of 13
First thing to look at here is who generated the message, and it looks to be simply Windows Live Mail:
Code:
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110 
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3522.110 

So we know the messages are probably coming from a regular user's PC somewhere in the world and this probably indicates they are infected with something.

It looks like the originating server is an SMTP server directly sending or proxying mail for cityofmorrow.com. The address jcallaway@cityofmorrow.com is actually a user who has authenticated via SMTP to the cityofmorrow.com sending server (it would appear). This is probably the person in the company whose PC is infected (or who is intentionally sending spam).

The message then travels via their SMTP proxy at smtpauth03.mfg.siteprotect.com (looks like siteprotect.com offers some sort of mail routing service) on its way to its destination, your contact at Hotmail I assume. The receiving mail server for cityofmorrow.com is also with siteprotect.com, so it looks like they are offering their mail server. Possibly some anti-spam filtering too; however, if that is correct, it's not very good.

Now, had Yahoo implemented SPF records, the message would have been stopped at Microsoft's destination for Hotmail messages because the last hop at 64.26.60.134 would NOT have been an authenticated sender for the yahoo.com domain. I'm glad you switched to gmail, because they get it right:
Code:
gmail.com: v=spf1 redirect=_spf.google.com
_spf.google.com: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all

Which basically says only email originating from Google's mail servers can be sent with the sender domain "gmail.com". SPF is not foolproof because it is not part of the SMTP requirement that mail servers adhere to it, but it goes a long way. Many anti-spam products look at SPF records and Hotmail is one of them.

Looks like cityofmorrow.com is a local government: http://www.cityofmorrow.com/

The IP address in the headers (186.129.18.207) is actually located in Argentina, and the address belongs to Speedy.com.ar, who are an ISP in Argentina. That is the fishy part; I have no idea what is happening there.

WHOIS lookup on the cityofmorrow.com domain is here: http://whois.domaintools.com/cityofmorrow.com

Your first point of contact is probably the technical contact on that WHOIS page.
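To make the SPF reasoning in the post above concrete, here is a small added example (not code from the post or from any of the providers mentioned) that walks an SPF record the way a receiving server does, following redirect= and include: terms until an ip4 mechanism or the ~all catch-all decides. The gmail.com and _spf.google.com records are the ones quoted in the post; the netblock contents, the DNS lookup table and the test addresses are constructed for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The gmail.com / _spf.google.com lines mirror the records quoted in the post;
# the _netblocks*.google.com contents are made-up documentation ranges.
TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    # "yahoo.com" deliberately has no entry: the no-SPF situation the post describes
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connecting IP whose MAIL FROM claims <domain>."""
    if depth > 10:                      # RFC 7208 caps lookups; stops include/redirect loops
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: receiver cannot reject on SPF
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only consulted if nothing else matches
            continue
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech == "all":
            return QUALIFIERS[qual]     # the catch-all: ~all means "softfail everything else"
        name, _, arg = mech.partition(":")
        if name == "include":
            # include: matches only when the referenced record would return "pass"
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                    # record exhausted without a match and no "all" term


if __name__ == "__main__":
    # The last hop from the post, 64.26.60.134, claiming gmail.com -> softfail;
    # the same hop claiming yahoo.com (no record) -> none, so nothing to act on.
    for sender in ("gmail.com", "yahoo.com"):
        print(sender, check_host("64.26.60.134", sender))
```

The difference between "softfail" and "none" is exactly the point the post makes: with no record published, a receiver like Hotmail has nothing to compare the last hop against.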
post #12 of 13
Thread Starter 
Thank you very much. I just emailed the City of Morrow's administrator. I'll let you know what response I get.
    
CPUMotherboardGraphicsRAM
i7 920 C0 EVGA Classified 760 GeForce GTX 560 Ti Corsair Dominator-GT 6GB (3x2GB) 1866 
Hard DriveOptical DriveOSMonitor
Intel SSDSA2CW080G3, 3x7200.11 500GB, WD 1TB Pioneer 18x DVD+-R SATA Windows 7 Enterprise x64  28" Hanns-G LCD 1920x1200 
PowerCase
Kingwin Mach 1 800 Watt Thermaltake Armor - Black 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
i7 920 C0 EVGA Classified 760 GeForce GTX 560 Ti Corsair Dominator-GT 6GB (3x2GB) 1866 
Hard DriveOptical DriveOSMonitor
Intel SSDSA2CW080G3, 3x7200.11 500GB, WD 1TB Pioneer 18x DVD+-R SATA Windows 7 Enterprise x64  28" Hanns-G LCD 1920x1200 
PowerCase
Kingwin Mach 1 800 Watt Thermaltake Armor - Black 
  hide details  
Reply
post #13 of 13
Quote: Originally Posted by Dittoz

Thank you very much. I just emailed the City of Morrow's administrator. I'll let you know what response I get.

No problem. I just realized it is certainly possible the jcallaway@cityofmorrow.com user may be on holiday or other travel, perhaps in Argentina, using their email from a potentially infected personal laptop connected via Windows Live Mail to the corporate mail server back in the US, and that may explain the Argentinian IP address.