
I'm a software developer and my wife works at a small business. I'm not a security expert, but the story their IT contractor is giving her doesn't add up to me.

Lately some people who send email to "Jane," the person in charge of finances at her company, have been receiving bounce-back messages. According to their 3rd-party IT company, it's the result of someone spoofing Jane's email and there's nothing they can do about it.

But it doesn't sound like spoofing to me. My understanding of spoofing is that some malicious actor (probably a spam-bot) is sending emails claiming to be from Jane, and there's no actual security compromise. Therefore, Jane might receive bounce-back emails when the spam-bot sends to a bad email address.

That's not what's happening. Jane is not receiving bounce-backs. It's the people who email her who are receiving the bounce-backs. The bounce-back always says "powerlinecornpany@gmail.com" is over quota, and includes their original email to Jane as an attachment.

In other words, if you send an email to jane@mycompany.com you might get a bounceback from powerlinecornpany@gmail.com, and that bounceback does have your original email attached. Jane would have received your email normally and not seen anything odd.

So it seems to me what's going on is that copies of emails sent to Jane are somehow being forwarded to that gmail address, and at some point it went over quota and started bouncing. In other words, someone is snooping on Jane.

This is happening even when it's a user at Jane's company sending the email to her. Some people never get the bounces. Other people (like the owner of the company) always get bounce messages every time they send one.

Here's the bounceback message they're receiving:

The original message was received at Fri, 11 Jan 2019 08:36:54 -0500
from atl4qibmail03pod5.registeredsite.com [10.30.71.90]

*** ATTENTION ***

This email is being returned to you because the remote server would not
or could not accept the message. The registeredsite servers are just
reporting to you what happened and are not the source of the problem.

The address which was undeliverable is in the section labeled:
  "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is in the section labeled:
  "----- Transcript of Session Follows -----".

This section describes the specific reason your e-mail could not be
delivered.

Please direct further questions regarding this message to your e-mail
administrator.

--Registeredsite Postmaster

   ----- The following addresses had permanent fatal errors -----
<powerlinecornpany@gmail.com>
    (reason: 552-5.2.2 The email account that you tried to reach is over quota. Please direct)

   ----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 552-5.2.2 The email account that you tried to reach is over quota. Please direct
<<< 552-5.2.2 the recipient to
<<< 552 5.2.2  https://support.google.com/mail/?p=OverQuotaPerm u6si11420159ybg.477 - gsmtp
554 5.0.0 Service unavailable
<<< 503 5.5.1 RCPT first. u6si11420159ybg.477 - gsmtp
Pharylon
  • What did the IT company say when you raised these concerns with them? – ceejayoz Jan 17 '19 at 20:20
  • This honestly belongs more on the security SE site. – Davidw Jan 17 '19 at 20:25
  • Why do you think that "someone is snooping on Jane"? It's a bit difficult to understand what happened here. What were the original email headers? – Michael Hampton Jan 17 '19 at 20:27
  • @ceejayoz They kind of just reiterated it was spoofing and there wasn't anything to be done about it. They're in the middle of having a big disagreement about contract amounts and pay with the IT company right now, which could mean they're not trying hard to help or (tinfoil-hat applied) that's why the financial person is suddenly having this issue. – Pharylon Jan 17 '19 at 20:30
  • @MichaelHampton Because if you send an email to Jane, you get a bounceback from that random gmail address with a copy of your email attached. I don't know anything about email headers. I suppose I could brush up on it and dig into them, though. I also edited the post for a little more clarity, I hope. – Pharylon Jan 17 '19 at 20:32
  • It looks like there is a rule in place within either Jane's account (more likely) or at the company level (less likely, but possible) that is auto-forwarding messages to the @gmail.com address. Jane (or a company IT person) needs to look at the settings on Jane's GSuite account and find that auto-forward rule. This could be due to the employee setting it up (Jane's fault) or due to Jane's password being compromised (the attacker logged in and set an auto-forward to easily exfil data from the company to a freemail they control). – Ruscal Jan 17 '19 at 20:54
  • Email address spoofing can be remarkably easy with older versions of MS Exchange when it’s not configured correctly (anonymous authentication/relay allowed), which in my experience as a SysAdmin in SMB, happens all the time. However, an MSP or IT Service Provider _should_ know better (not that they always do). – KidACrimson Jan 17 '19 at 21:52

2 Answers


I'm with Ruscal on this.

If you send an email to Jane and you receive this bounceback then it's clearly because a forward has been set up on Jane's email account, either intentionally or maliciously.

joeqwerty
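An added example, not code from the question or either answer: a small Python check that reads a sendmail-style bounce like the one quoted in the question and flags the sign Ruscal and joeqwerty point to, a delivery failure reported for an address the sender never wrote to. The sample bounce text below is constructed from the lines quoted in the question; the helper names are my own.

```python
import re
from email.utils import getaddresses

# Constructed sample: the relevant lines of the bounce quoted in the question.
SAMPLE_BOUNCE = """\
   ----- The following addresses had permanent fatal errors -----
<powerlinecornpany@gmail.com>
    (reason: 552-5.2.2 The email account that you tried to reach is over quota. Please direct)

   ----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 552-5.2.2 The email account that you tried to reach is over quota. Please direct
554 5.0.0 Service unavailable
"""

# A line holding only "<address>" lists an undeliverable recipient; the
# "<<< 552 ..." transcript lines contain no "@" and so do not match.
FAILED_RE = re.compile(r"^<([^>\s]+@[^>\s]+)>\s*$", re.MULTILINE)
# "(reason: 552-5.2.2 ..." carries the SMTP reply code and enhanced status code.
REASON_RE = re.compile(r"\(reason:\s*(\d{3})[- ](\d\.\d\.\d)")


def parse_sendmail_dsn(text):
    """Return (set of undeliverable addresses, enhanced status code or None)."""
    failed = {a.lower() for a in FAILED_RE.findall(text)}
    m = REASON_RE.search(text)
    return failed, (m.group(2) if m else None)


def classify_bounce(bounce_text, intended_recipients):
    """Compare the address that failed with what the sender actually addressed.

    'normal_bounce'  - the failure is for an address the sender used
    'forwarded_copy' - the failure is for an address the sender never used, so
                       the message was relayed onward (e.g. a mailbox
                       auto-forward rule) before it was rejected
    'unknown'        - no undeliverable address could be parsed
    """
    failed, _status = parse_sendmail_dsn(bounce_text)
    if not failed:
        return "unknown"
    intended = {addr.lower() for _, addr in getaddresses(intended_recipients)}
    if failed <= intended:
        return "normal_bounce"
    return "forwarded_copy"


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE, ["jane@mycompany.com"]))  # forwarded_copy
```

Run over a folder of collected bounces, a 'forwarded_copy' result naming the same unknown address across many different senders is exactly the pattern the question describes, and points at the forwarding rule rather than at the senders.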

The only case I ever saw of spoofing was a fake domain sending "trash e-mails" asking for bitcoins and blackmailing (with a bitcoin link) some workers of a specific corporation with a generic threatening text (for example, saying things like "I know the sites you have been visiting because I have a trojan installed in your home machine", "I took pictures of you with your webcam", et cetera). Your case doesn't sound to me like a spoofing attack; it's better to make a new e-mail for Jane if IT can't figure out what the problem is with her account. Maybe it's better to just start over (obviously, backing up her messages to the new account).