Am I being spoofed or has my email been compromised?

Tweet

This can be determined by taking a look at the email headers. If you're not comfortable with this, please contact our support team and we can take a look for you. If you are familiar with headers, please refer to the additional information at the bottom of this article.

If your email account has been compromised, you should run a full system virus scan on your computer and then reset your email password.  Changing your email password will cut off any connection a third party may have to your email account.

There are two ways you can reset your password.

From Webmail:

https://sive.host/index.php/knowledgebase/7/How-to-Change-the-Password-of-An-E-mail-Account.html

Or by simply create a Sive.Host support ticket on the client area requesting we change your email account password:

https://sive.host/index.php/knowledgebase/115/How-to-create-a-support-ticket.html

Email spoofing is when the sender of an email, typically spam, forges (spoofs) the email header "From" address so the email being sent appears to have been sent from a legitimate email address that is not the spammers own address.

They do this for a couple of reasons:

1. To trick spam filters into allowing the email through by using a reputable email address. This would be one way your friends and family would see spam emails from you in their Inbox, rather than their spam folder.
2. To prevent the bounce back emails from being received in the spammer's own inbox. Spammers may send their spam out to thousands of email addresses, and inevitably a lot of those emails are going to bounce. Since spammers don't want to receive hundreds of bounce back messages, this prevents that from happening.

Email spoofing is more common with email accounts that are not actively used.  If the account is used on a daily basis, there's a higher chance that your account might have been compromised by malware or a virus.

While there is no fool-proof way to prevent either type of abuse to your email address, you could adopt some "best practices" when it comes to your email security:

• Change your password frequently.
• Always run full virus scans on your computer (at least once a week).
• Avoid including your email address in online blogs and posts. Try using (at) and (dot)co(dot)za instead of @ and .co.za to prevent malicious automations from harvesting your address.
• Avoid using your primary email account for everything online. If you are signing up for something like a mailing list, contest, application form, or something similar, use a free throwaway email account like Gmail or Hotmail, something you don't mind deleting if it gets abused.
• Only use your primary email to communicate with people you know or trust.

The short answer is, not much. There are no definitive ways to prevent someone from harvesting your email address from the internet somewhere and using it for spam.

Here are a few places spammers may acquire your email address. There are programs and software designed to do nothing else but scavenge the internet for email addresses:

• On a website contact page
• Domain WHOIS records (Sive.Host offers ID Protect on all domains that support this feature.  We recommend using it whenever possible)
• Mailing lists.  Some of them are legitimate, but others may sell your information
• Anything you post online with your email address in it.
• One of your contact's computers may become compromised and your information is taken from their contact list

If the spoofing is recurring and causing a lot of inconveniences, the best thing to do would be to delete the account and start over with a new email account. Since this isn't always possible, you could create a temporary filter in webmail to keep the bounce back emails out of your inbox until the spammer moves on. They usually only last for a week or two, sometimes less.

What to look for in Email Headers to determine if your account has been compromised. In the headers, you should be looking for something like this:

Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])
(Authenticated sender: sender@senderdomain.com)
by something.servername.com (Postfix) with ESMTPA;
Fri,  23 Oct 2020 19:28:23 +0000 (UTC)

This is just an example using fake information, but the key thing to note here is "Authenticated sender". This means the email was sent after authenticating the sender by means of username and password, therefore, it was actually sent through the outgoing mail servers using the email account login credentials. This is when you should run a full system virus scan and change your password as mentioned above.

If you're being spoofed, here are a couple of things you can do to stop the spoofing activity.  Keep in mind, there is nothing you can really do to stop it once it's started. The bounced emails you receive may contain some information that could be used to try to track down the original source of the email.  They often come from infected computers, so the chances of finding the exact location of the spammer are pretty slim. You may be able to find the IP address of where the message originated, find out which ISP it belongs to, and see if they would be willing to place that IP address on a blocklist, however, they may not be willing to do that, and if they do, the spammer could simply move to another computer with a different IP address.

Also, please avoid clicking on dot doc word documents from spammers or email senders you do not know based on the email headers discussed above, they may contain serious viruses.