Microsoft Office 365 – How are these spammers getting through?

So we’ve been a bit of an indirect target of spammers recently… my company has gotten a lot of complaints from customers that they are getting a lot of spam from our sales people. Normally (considering the nature of sales) I’d just smack the sales staff and move on… but this isn’t us!

Some spammer has been sending emails… to OUR customers… using OUR email addresses. Doing a quick message trace, sure enough, these emails appear to be coming from our account. At first I thought it was a hacked account or two, so I had everyone change their passwords and set up 2FA… but the next day, a batch more emails went out. I ran an audit on the affected accounts and there were no failed logins and no attempts to reset passwords (we disabled password reset because of this).

Normally, I’d say this was just normal spoofing… but these emails are passing THROUGH our Exchange Online account; the message header even shows our DKIM and DMARC. As far as I can tell, Microsoft honestly thinks they are coming from US!

I’ve added the X-Originating-IP to the block list under Threat Management. Hopefully that will help, but it won't take long for the spammers to update their IP, and if that happens while I’m off the clock… well, our customers get another massive load of spammy spam… I’d add our IPs to the allow list and block all others, but most of our sales staff are working from home with dynamic IPs, so that’s not really possible right now. How do I fight this?

applications – Stop receiving text messages on my Samsung Note 8 that are sent from a spammer's email address

I have been getting unwanted text messages on my Samsung Note 8 coming from a spammer's email account.

I have not found a way to block these text messages coming from email accounts. The feature that I use to block phone numbers is not available.

Any help will be appreciated.

Michael

spam – Zendesk Spammers – Information Security Stack Exchange

I've been having an issue and was wondering if anyone has an idea. I use the Zendesk chat widget on my website, and there has been someone with an unknown motive who is sending all kinds of obscene text. He uses a dynamic IP, so blocking the IP won’t help. I suspect he is using a VPN or proxy or the like. Blocking the cookie doesn’t fully take care of the issue as he can just open a new browser window… Do you have an idea how to block him?

Spam – Who should prevent spammers from attacking MailEnable with external domain names?

We have a problem with our MailEnable, in which the MTA is activated in the MXScan software. Everything worked perfectly. Today, however, we found that we can only send emails but cannot receive them. We checked the MXScan message logs: a stranger with an external IP and post office (null) and a sender email (not from our local domains) tries to send random emails every millisecond, and of course they are blocked. We have blocked the IP in the incoming firewall rules as well, but still no impact, and it keeps our MailEnable so busy.

[Log screenshot]

Spammers with Contact | Forum promotion

@Lammchen I wanted to recommend the OzzModz add-on for the Spaminator if you don't already have it. Although it is practically impossible to prevent anyone from using the contact form, in just a week since installing it, it has prevented well over 100 bots from logging into my website. Not a single bot has signed up since I installed it, and I was hit hard before I had the add-on. There are loads of 5-star ratings. The add-on costs $24, but it's worth it in my opinion. Now I can focus on legitimate registrations instead of worrying about bots logging into my website.

I didn't try to redirect this thread because I assume you're talking about real people sending spam. I only had the need to suggest the add-on. As with normal spammers, there is nothing you can really do unless you can somehow get their IP address. Then you could see if they had a suitable account and block their IP address. If emails are sent to your administrator account and not to an external provider, it may be possible to get the IP address. Although you should have a look around.

Sort out spammers | Web Hosting Talk

What procedures / guidelines do you use (other data centers) to sort out spammers?

We already stop access when we see spam evidence and do not offer a refund. But it's pretty obvious that people just come back under new names.

I'm half inclined to ask for a deposit in advance, because spammers get sorted out within a few days at most. But that would deter legitimate customers.

What about the 12th month free, or the 6th month free? Spammer accounts would never last that long.

What about discounts for a WHT account that has been open for more than a year? We would have the user link their WHT or other forum account to their account with us when they sign up, in order to receive this discount.

It cannot be a recurring discount because the utility company does not offer this. But I can take a small hit if I don't have to turn around and destroy the box a day later.

Phishing – How often do spammers, phishers, etc. change e-mail addresses?

Their only goal is to deliver the selected text block to the victim. Whether and how often they change a (fake) e-mail address is unclear, as individuals or marketing groups all work independently.

If an e-mail address is blacklisted, it is usually helpful to change an e-mail address, because in this case the message is not transmitted to the victim (spammers are stupid).

Spam – Are you preventing spammers from forging e-mails that you send to another person or yourself?

I have received the following email with the following headers. How do spammers use this method to trick users into hacking their account?

How can you stop spammers with our e-mail? For non-techies like my grandma, it can be scary to receive an e-mail like this one that says her account is hacked.

What is the spammer doing right in the headers below? Does it show which application they are using for it?

Return-Path: 
X-Original-To: xxx@xxx.com
Delivered-To: xxx@xxx.com
Received: from gateway5.unifiedlayer.com (gateway5.unifiedlayer.com [69.89.21.189])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested)
    by mail17i.protonmail.ch (Postfix) with ESMTPS id 420623000080
    for ; Wed, 6 Mar 2019 19:25:57 +0000 (UTC)
Received: from cm4.websitewelcome.com (unknown [108.167.139.16])
    by gateway5.unifiedlayer.com (Postfix) with ESMTP id AF51A20196C14
    for ; Wed, 6 Mar 2019 13:25:55 -0600 (CST)
Received: from uscentral427.accountservergroup.com ([174.136.12.171])
    by cmsmtp with ESMTP id 1cAth7PiS5rNM1cAthzAVL; Wed, 06 Mar 2019 13:25:55 -0600
Received: from [87.252.183.184] (port=51959 helo=[184-183-252-87.filibe.net])
    by uscentral427.accountservergroup.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.91)
    (envelope-from ) id 1h1cAr-0024QG-EJ
    for xxx@xxxx.com; Wed, 06 Mar 2019 14:25:55 -0500
Authentication-Results: mail17i.protonmail.ch; dmarc=none (p=none dis=none) header.from=xcubicle.com
Authentication-Results: mail17i.protonmail.ch; spf=none smtp.mailfrom=film@zeroplusbd.com
Authentication-Results: mail17i.protonmail.ch; dkim=fail reason="Key not found in DNS" (0-bit key) header.d=zeroplusbd.com header.i=@zeroplusbd.com header.b="kBI6UFVj"
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zeroplusbd.com;
    s=default; h=From:MIME-Version:Content-Type:Message-ID:
    List-ID:Date:Subject:To:Sender:Reply-To:Cc:Content-Transfer-Encoding:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Help:
    List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=oj1E+Py8RM4SW8xpzCQWMyx9GodmBpw8HrVQgEtGCkw=; b=kBI6UFVjOJ6gguimz80GscFl2T
    OLPs8fsRExWixOejYw4T4+itDQNQPEy7NT+RBH+D055aCgf2clk8w44DauK2Lye1uw9ZFP6tlwQ3F
    2kKxi3ea3Vaeo1ojR3yshBjGaj2Yit/5mas9dAQLKOlXfd7dVSthXl2hiza9XbMbP6WSUw2g/zdek
    /jnxnN410aiy7vES/sbKi4v5PyDPTe8kYSkcHVZrFIP9XpNLjrzXiw18lo97osS1pl3Oe9ySv3DVF
    WXOfdIxAhvZCqq0o4329IO3oT+O8GGwiY2BAvH1L4JCrRK0y8An6I2ZAhii6XTEaoViKt3FVhESz1PvGPDMA==;
To: xxx@xxx.com
X-Abuse-Reports-To: 
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
Subject: pat
X-Aid: 3931138227
Date: Wed, 6 Mar 2019 20:25:52 +0100
List-ID: y2znb9cxhdkkp12r9ojihcp70vn50etc23e368dl
Message-ID: <0arrxg.5b0ydll3eiwf2wi@mail.zeroplusbd.com>
X-Complaints-To: 
Content-Type: text/html
MIME-Version: 1.0
From: 
X-channel: film@zeroplusbd.com
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - uscentral427.accountservergroup.com
X-AntiAbuse: Original Domain - xcubicle.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - zeroplusbd.com
X-BWhitelist: no
X-Source-IP: 87.252.183.184
X-Source-L: No

----------

X-Exim-ID: 1h1cAr-0024QG-EJ
X-Source-Sender: ([184-183-252-87.filibe.net]) [87.252.183.184]:51959
X-Source-Auth: film@zeroplusbd.com
X-Email-Count: 244
X-Source-Cap: emVyb3BsdXM7aW1wbG9kZWk7dXNjZW50cmFsNDI3LmFjY291bnRzZXJ2ZXJncm91cC5jb20=
X-Local-Domain: yes
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.7 required=4.0 tests=BAYES_50,DKIM_INVALID,
    DKIM_SIGNED,FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,
    HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_ONLY_04,HTML_MESSAGE,
    LOCALPART_IN_SUBJECT,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_BRBL autolearn=no
    autolearn_force=no version=3.4.2
X-Spam-Report:
    *  4.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    *      [score: 0.4999]
    *  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
    *      mail domains are different
    *  1.1 LOCALPART_IN_SUBJECT Local part of To: address appears in Subject
    *  0.4 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
    *  1.2 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    *  2.0 RCVD_IN_BRBL Received is listed in Barracuda RBL bb.barracudacentral.org
    *  0.1 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
    *  0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
    *  1.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch
X-Attached: 1551903952102.jpg
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
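As an added example (not code from the question or any of the posts on this page), a small Python parser that does the header triage the question above asks for, and also the check the first post needs before adding an X-Originating-IP to a block list: it walks the Received chain oldest-first to find the host that injected the message, reads the spf/dkim/dmarc verdicts from Authentication-Results, and flags the mismatch between the visible From: domain and the envelope sender's domain. RAW_HEADERS is a constructed stand-in for the headers quoted above, using RFC 5737 test addresses and .example domains.

```python
import re
from email import message_from_string

# Constructed sample modelled on the chain quoted in the post above
# (RFC 5737 test addresses and .example domains, not the real values).
RAW_HEADERS = """Received: from gateway.hosting.example (gateway.hosting.example [198.51.100.5])
  by mx.recipient.example (Postfix) with ESMTPS; Wed, 6 Mar 2019 19:25:57 +0000
Received: from relay.hosting.example (unknown [198.51.100.16])
  by gateway.hosting.example (Postfix) with ESMTP; Wed, 6 Mar 2019 13:25:55 -0600
Received: from [192.0.2.184] (port=51959 helo=[dyn-192-0-2-184.isp.example])
  by relay.hosting.example with esmtpsa (Exim 4.91); Wed, 6 Mar 2019 14:25:55 -0500
Authentication-Results: mx.recipient.example; dmarc=none (p=none) header.from=recipient.example
Authentication-Results: mx.recipient.example; spf=none smtp.mailfrom=film@attacker.example
Authentication-Results: mx.recipient.example; dkim=fail reason="key not found" header.d=attacker.example
From: grandma@recipient.example
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Received hops oldest-first: hop 0 is the host that handed the message to the
    first MTA, i.e. the address an originating-IP block list should target."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        host, ip = re.match(r"from (\S+)", text), IP_RE.search(text)
        hops.append({"from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def auth_results(raw):
    """spf/dkim/dmarc verdicts plus the two domains that DMARC alignment compares."""
    out = {}
    for hdr in message_from_string(raw).get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            out[method] = verdict
        for key, pat in (("mailfrom_domain", r"smtp\.mailfrom=\S*@([\w.-]+)"),
                         ("from_domain", r"header\.from=([\w.-]+)")):
            if m := re.search(pat, hdr):
                out[key] = m.group(1)
    return out

def assess(raw):
    """Defender's summary: true origin, checks that did not pass, From/envelope mismatch."""
    hops, auth = received_chain(raw), auth_results(raw)
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "not_passing": [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"],
            "from_mismatch": auth.get("from_domain") != auth.get("mailfrom_domain")}
```

Only trust Received headers added by your own or a known upstream MTA; anything below the first hop you control can be forged by the sender.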
