184.108.40.206. Letters from oneself
There may be situations when suspicious letters arrive in mailboxes, where the same mailbox is specified as the sender where the letter came. In such letters, most often it is reported that the mailbox is allegedly hacked, and money is being extorted. The most common reasons for such situations:
To determine the most probable and suitable cause, you should check all the points in turn.
Attention!All checks should be carried out, regardless of what exactly suits the situation that has arisen.
Substitution of the FROM header in the letter
Sender spoofing is a very common situation, the solution to which is quite simple. For the domain name, within which you send and receive letters, you need to configure SPF and DMARCto protect yourself and other recipients from spoofing emails.
To determine exactly who sent the letter, check its headers... The email headers contain all the information you need to analyze. Pay attention to the servers indicated in the first block
Received: in line
by, they are listed from bottom to top, starting from the sender and ending with the recipient. It is important that sending from our servers will always be made from one of the domains
default-host.net, and if there is none, then the letters were sent with the substitution of the sender.
Be sure to check the exact match of characters in the name of the recipient and the sender. Sometimes there may be situations with the substitution of some characters that are visually similar to each other. For example, these symbols include:
l, etc. It is also worth checking for the presence of characters from other languages, for example, Latin characters can be replaced with Cyrillic ones, that is:
O etc. If there are any changes, use WebMail filters or blacklisted to block such senders.
Unauthorized access to mailbox
Unauthorized access to the mailbox is a pretty big problem. To fix it, do the following:
- Change your password to the hacked mailbox and to all available ones. You should change the password for all mailboxes, since due to hacking of one mailbox it is likely that there may be access to the rest, and changing the password for all mailboxes will be a preventive measure.
- Run an antivirus scan the entire account. If the sites have been configured to send mail via SMTP, then when the site is hacked, it is quite likely that the password from the mailbox will leak. It should also be borne in mind that the antivirus only finds previously found virus signatures. If the site was hacked with the help of new, previously not found viruses, then the antivirus may not solve the problem. Also, the site may have security problems, due to which the hacking could occur without visible consequences. Such situations should be checked by the site developer by analyzing access logs to him.
- Check authorization log in the mailbox. Authorizations in the mailbox can be performed from the hosting IP addresses, as well as from the IP addresses where mail clients are configured to connect to them. But it is important to understand that if the emails were sent using site scripts, then this method will not help determine such a problem.
If it was noticed that access to the mailbox was obtained, then it is important to check all devices for viruses, as well as use completely different passwords, since the password to the mailbox was like–it is obtained by intruders. We also recommend that you familiarize yourself with useful tips for protecting against hacking.
Unauthorized access to the control panel
When you get access to the hosting control panel, you will also get access to mailboxes. To understand if access was obtained, check for suspicious attempts to log into your account in log of authorizations... Account security should be respected even if no attempts to login from third-party addresses were noticed. We advise you to read and follow the recommendations for account protection.
If you suspect that someone else may have gained access to your account, you should take appropriate action:
- Turn on 2-Step Verificationif not configured yet.
- Reset or disable concurrent sessionsif they were included.
- Change all possible passwords that exist:
- All passwords within existing sites, as there is a high probability that the data could have been stolen.