Just something I bumped into this morning and decided to quickly write a post about.
Woke up this morning and the first thing I saw was a bunch of spam emails in my Gmail account. I kept getting these spam emails that claim to be sent by me but are sent via telus.com. These emails are also in my sent items. I do not use telus.com and I had never even heard of them.
I immediately checked my mobile, my desktop, my network. Searched Google for why this could happen. The same thing was happening to another person at home. I thought that either my home network had been pwned or something really bad had happened.
I went through the Google Security Checklist and:
- Changed my password
- Removed all app access
- Checked last account activity
So far I have received about 6 emails in the past 45 minutes, and they all have different content. I exported the contents to check the headers. The emails didn’t stop when I changed my password, removed app access, changed the WiFi password, or restarted or shut down devices. Here’s a sample of the header contents (some details altered to hide emails etc.):
Delivered-To: not-my-real-email@gmail.com
Received: by 10.176.89.43 with SMTP id n40csp26329ASDAad; Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
X-Google-Smtp-Source: AIpAS4/ASDASDASDASD+iIW6bk6kVfmBL3knH+7kH6P4dZN50Gsd46lWPCwG2C
X-Received: by 2002:adf:e312:: with SMTP id b18-v6mr12085687wrj.247.1524364426822; Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524364426; cv=none; d=google.com; s=arc-20160816;
        b=DvMTwNoeZhkodo5ViSPrXr2jJm5fLYl7gxGun748hbAs5CbmItDXOScYd0hnY07etw
         KTfiak8jRyOPlk9gggn76DNw0QFmd55HaGtt0AguWWibKc0YvA2xLAIuNg5hVAbV3u3j
         bTHKlX2ezlOlZgegX7Rme/h4Qf/ASDASDSADASDSAD+q9fF9ZpuQXHcNtqqU3
         LmpSHUs08M4VRdIvJLLb635fOd3NfQOXyjQZZ4d0YxIuXLML7oP1LmMlMc0IeFs5RCvq
         N0b2aK8IeDZYxcmFPw+xwFdtRulfd5qKfniaGRK2cSiWCNxdygOxtm+mzUQih/47dZrP
         7tXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:subject:to:from:arc-authentication-results;
        bh=GdQ0BONMitFUr2nm+0rqQnlDo1x9OaDbSlse34fDEWg=;
        b=NAzWmgu87A6+i77xyVPUAq8Sr5iy9ZLUer2HcX1O+SyX+XJ/hV/O944ht8zbDKMGdc
         zah5VgPO+39zB1SaP6KBOcbfU+RLela4cLpDNUqFGRU1f4nMhDI5HNzt8p6SKH4H8Etw
         hFPAx0YZOx/vVvJ8IhYqnlFSmE3i/ASDASDASDASD+cfc47IzesMCSUspdUhDz4KWj4L
         kubExOyoSegeWEAquoJ2tIQkzTDoBmhzO9YV9Hf63s6vsmi4tLkThZJtievcEJRegMEv
         FsbwWiMPAXGDxCpUMZQdTHxzMSrH6lS6Ow3yBGOzrV1e6g+kD1wV8Otqdjd95eCxpCat
         BCQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <return@telus.com>
Received: from deep.ukriminode.com (static-ip-188-138-79-170.inaddr.ip-pool.com. [188.138.79.170])
        by mx.google.com with ESMTP id j191si3483971wmd.61.2018.04.21.19.33.46
        for <not-my-real-email@gmail.com>;
        Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) client-ip=188.138.79.170;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate not-my-real-email@gmail.com as permitted sender) client-ip=not-my-real-email@gmail.com;
from: --Profit System <not-my-real-email@gmail.com>
To: <noreplya@travellstore.REMOVED>, <returny@tinyurl.REMOVED>, <subsys@nytimes.REMOVED>, <hallo@webwiz.REMOVED>, <norply@mxtoolbox.REMOVED>, <not-my-real-email@salesforce.REMOVED>, <mostafa6863@aol.REMOVED>, <jonykrash@gmx.REMOVED>
Subject: The most effective way to make money with Bitcoin
Message-ID: <NkhPw@google.com=Mx.google.com>
Date: Sat, 21 Apr 2018 22:32:11 -0400
Content-Type: multipart/report; boundary="f4f5e80f07d80f9ASDASD56a2936a0"; report-type=delivery-status
X-EMMAIL: <@googlemail.fr not-my-real-email@gmail.com>

--f4f5e80f07d80f991b056a2936a0
Content-Type: text/html; charset="UTF-8"
I’ve tested some URLs that were embedded in these emails (https://tinyurl.com/y93bqnl6). See the VirusTotal scan results. Nothing. The header was interesting as it was showing SPF=pass. Some interesting bits below:
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from deep.ukriminode.com (static-ip-188-138-79-170.inaddr.ip-pool.com. [188.138.79.170])
        by mx.google.com with ESMTP id j191si3483971wmd.61.2018.04.21.19.33.46
        for <not-my-real-email@gmail.com>;
        Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) client-ip=188.138.79.170;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
So obviously it’s passing SPF. That is expected: SPF is evaluated against the envelope sender (smtp.mailfrom=return@telus.com), and 188.138.79.170 is an address that telus.com's SPF record permits, so Google records spf=pass. The visible From: header says gmail.com, which is not aligned with telus.com, so DMARC fails (dmarc=fail ... header.from=gmail.com); but gmail.com publishes p=NONE, so the failure is only reported and the message is delivered anyway.
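To make the SPF-pass / DMARC-fail combination concrete, here is an added example (my own code, not something from the original post or from Google/Telus): a small Python script that parses an Authentication-Results header the way a mail filter would and checks whether the SPF-authenticated envelope domain is aligned with the visible From: domain, which is the check DMARC relies on. The header excerpt it runs on is constructed from the one quoted above, and the alignment helper is a simplification of DMARC's relaxed mode (a real implementation consults the public suffix list).

```python
"""Assess Gmail-style authentication headers for a spoofed "from myself" message.

Added example, not code from the original post. It parses an
Authentication-Results header and checks whether the SPF-authenticated
envelope domain (smtp.mailfrom) is aligned with the visible From: domain,
which is why a message can pass SPF and still fail DMARC.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post; only the
# lines relevant to the authentication check are kept.
SAMPLE_HEADERS = """\
Delivered-To: not-my-real-email@gmail.com
Return-Path: <return@telus.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
From: --Profit System <not-my-real-email@gmail.com>
To: <noreplya@travellstore.REMOVED>
Subject: The most effective way to make money with Bitcoin

"""


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: {"result": ..., props}}.

    Handles the 'method=result (comment) key.name=value' clauses seen in Gmail
    headers; the DMARC policy (p=...) is pulled out of the comment.
    """
    results = {}
    clauses = [c.strip() for c in value.split(";")]
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (mx.google.com)
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        entry.update(re.findall(r"(\w+\.\w+)=(\S+)", clause))  # smtp.mailfrom, header.from
        policy = re.search(r"\bp=(\w+)", clause)
        if policy:
            entry["policy"] = policy.group(1)
        results[m.group(1)] = entry
    return results


def domain_of(addr):
    """Return the lower-cased domain part of an address or address header."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def aligned(domain_a, domain_b):
    """Approximate DMARC relaxed alignment: equal, or one is a subdomain of the other."""
    return domain_a == domain_b or domain_a.endswith("." + domain_b) or domain_b.endswith("." + domain_a)


def assess(raw_headers):
    """Return the parsed results plus a list of findings and an overall verdict."""
    msg = message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dmarc = auth.get("spf", {}), auth.get("dmarc", {})
    from_domain = domain_of(msg.get("From"))
    mailfrom_domain = domain_of(spf.get("smtp.mailfrom", ""))
    recipient_domain = domain_of(msg.get("Delivered-To"))

    findings = []
    if spf.get("result") == "pass" and not aligned(mailfrom_domain, from_domain):
        findings.append(f"SPF passed for envelope domain {mailfrom_domain}, "
                        f"which is not aligned with the From: domain {from_domain}")
    if dmarc.get("result") == "fail":
        findings.append(f"DMARC failed for {dmarc.get('header.from')} but its policy is "
                        f"p={dmarc.get('policy')}, so the receiver takes no action")
    if from_domain and from_domain == recipient_domain and not aligned(mailfrom_domain, from_domain):
        findings.append("From: domain equals the recipient's domain: spoofed 'from myself' pattern")

    return {
        "spf": spf.get("result"),
        "dmarc": dmarc.get("result"),
        "dmarc_policy": dmarc.get("policy"),
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HEADERS)
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run as-is it reports the sample as suspicious on all three counts; swap the envelope sender for one in the From: domain and a dmarc=pass and the same code reports ok, which is the difference between a legitimately relayed message and this one.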
There are quite a few Google Forums pages about this issue where people are already complaining about it:
- why did i get an email from myself via telus.com
- Getting absurd emails from “me”
- Blocking Spoof Emails from a Source
- I have just received spam email from myself via telus.com. How do I stop this type of activity?
I wouldn’t worry about it too much. Fix your stuff, Telus, and back to you, Google.
Update:
I tweeted at Telus about it and Telus.com Support responded with the following message:
Thank you for sharing with us. We are aware of the issue and can confirm that the emails are not being sent from a TELUS server. We are currently working with 3rd party email vendors to have this resolved. Please do not respond to any suspicious emails. https://t.co/uFl4Zm0Tv9
— TELUS Support (@TELUSsupport) April 22, 2018
Must be horrible working at Telus IT Support right now trying to sort this out. Hope it gets sorted quickly and no client data is compromised.
same problem 2me
they all have ?
“Message-ID: ”
rfc822msgid:
Can I filter by this field?
Yo, I got the same spamming email from “me”
It’s so annoying.
What I did was do a filter in my gmail, but I want a permanent fix.