4.4.10. Emails from myself
There may be situations when suspicious emails arrive in a mailbox with that same mailbox shown as the sender. Such messages most often claim that the mailbox has been hacked and demand money.
The most common causes of these situations are:
To determine the most likely cause, check the items in turn. It is best to check all of them, not just the one that seems to fit the situation.
Spoofing the "From" header
Email address spoofing is common and can be solved quite easily. Configure SPF and DMARC for the domain within which messages are sent and received. This protects the owner of the domain and other recipients from emails with a spoofed sender.
To determine who exactly sent the message, check the headers. They contain all the information needed for analysis. Pay attention to the servers listed in the by line of the first Received: block. The servers are listed from bottom to top, starting with the sender and ending with the recipient. Messages sent from our servers are always sent from one of the default-host.net domains; if there is no such domain, the message was sent with a spoofed sender.
Be sure to check that the characters in the recipient's name and the sender's name match exactly. Sometimes visually similar characters are substituted for each other, for example: 0 and O, I and l, etc. It is also worth checking for characters from other alphabets, e.g. Latin characters may be replaced by Cyrillic characters: o and о, etc. If such spoofing is detected, use the blacklist or email filtering in WebMail.Online and WebMail classic to block such senders.
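The character-by-character comparison described above can be automated. The following Python code is an added example, not the provider's own tooling: it compares the From and To addresses of a message and reports characters that only look the same. The fold table, function names and sample message are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Small constructed fold table, NOT the full Unicode confusables list:
# 0/O and I/l/1 from the text, plus Cyrillic a, e, o, p, c, x, i lookalikes.
FOLD = str.maketrans("0OI1\u0430\u0435\u043e\u0440\u0441\u0445\u0456", "ooll" + "aeopcxi")

def skeleton(addr):
    """Fold visually similar characters so lookalike addresses compare equal."""
    return unicodedata.normalize("NFKC", addr).translate(FOLD)

def script(ch):
    """Rough script label taken from the Unicode character name (e.g. CYRILLIC)."""
    return "ASCII" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0]

def compare(sender, recipient):
    """Return (verdict, differing positions) for a sender/recipient address pair."""
    if sender.casefold() == recipient.casefold():
        return "identical", []      # same mailbox: check headers and access logs
    if skeleton(sender) != skeleton(recipient):
        return "different", []
    diffs = [(i, r, s, script(s))
             for i, (s, r) in enumerate(zip(sender, recipient)) if s != r]
    return "lookalike", diffs if len(sender) == len(recipient) else []

def check_message(raw):
    """Compare the From and To addresses of a raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    return compare(sender, recipient)

# Constructed sample: the "o" in the From local part is Cyrillic U+043E.
SAMPLE = (
    "From: inf\u043e@example.com\n"
    "To: info@example.com\n"
    "Subject: Your mailbox has been hacked\n"
    "\n"
    "constructed body\n"
)

if __name__ == "__main__":
    verdict, diffs = check_message(SAMPLE)
    print(verdict)
    for pos, expected, found, kind in diffs:
        print(f"  position {pos}: expected {expected!r}, found U+{ord(found):04X} ({kind})")
```

A "lookalike" verdict means the sender address is a different address dressed up as the recipient's, so blocking that sender is the right response; an "identical" verdict means the header and access-log checks in the other sections apply.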
Unauthorized access
Mailbox
In case of unauthorized access to the mailbox, do the following:
- Change the password for the hacked mailbox and all other mailboxes. It is best to change the password for all mailboxes, as the hacking of one mailbox may well have given access to the others. Changing the password for all mailboxes is a preventative measure.
- Run an antivirus scan of the entire contents of the hosting account. If the sites have been configured to send mail via SMTP, it is very likely that the mailbox password will be leaked if the site is hacked. Keep in mind that an antivirus finds only those viruses whose signatures are in its database. If the hacker used new viruses that the antivirus does not know about yet, the scan may not detect the threat. In addition, the site itself may have security problems, which may have allowed the hack to occur without visible consequences. It is up to the site developer to resolve such situations. The site access logs can help in the analysis.
- Check the mailbox connections log. Mailbox authorizations can be made from hosting IP addresses, as well as from IP addresses where mail clients are configured to connect to them. But it is important to realize that if the emails were sent with the help of site scripts, this method will not help to determine the source of the problem.
If you begin to suspect that someone else may have accessed your mailbox, we recommend checking all your devices for viruses and changing your passwords. See also Recommendations for hacking protection.
Control panel
In case of unauthorized access to the control panel, all mailboxes in the account can be accessed by an unauthorized person. We recommend that you regularly check the authorization log for suspicious login attempts. Account security should be maintained even if no login attempts from third-party addresses have been observed.
If you suspect that your account may have been accessed by unauthorized persons, you should take appropriate action:
- Set up two-step authentication (if not already set up).
- Terminate all active sessions except the current one.
- Change all passwords you use:
  - All passwords that are used on sites, as there is a good chance that the data could have been stolen.