Spoofed from/to from hacked accounts - how to deal with? - ORF Forums

Spoofed from/to from hacked accounts - how to deal with? RSS Back to forum



For the last month, we're noticing A LOT of emails claiming to be invoices, or having links because "our remittance address has changed", or asking to update an employees ACH payroll info...

As far as i can tell, some account in the world was hacked (not on our system) and the hacker is sending emails FROM those contacts TO other contacts, hoping they'll be more trusted since they probably know each other.

- the ip address is different every time (and not belonging to the FROM spoof)
- the smtp-envelope address, reply-to are all randomly different hacked accounts
- the DISPLAY NAMES are copied from the hacked contacts of the victim
- the body is never the same, nor are the links, or attachments

- i can't use SPF because the from address isn't the real from address
- i can't use sender-blacklist because the from address is always random
- i can't use keyword blacklists because the bodies are all different

here's an example:
relevent headers:
Received: from mailout1.dokom.net ( <-- not the real sender mx
envelope-from <-- not a known contact
From: [display name from contact] <- not a known email
to: [display name from another contact]
Return-Path: <-- not a known email

Please note our remittance has changed. Please send payment to [exact display name from contact]. Thank you for your business - we appreciate it very much.


Thank you for your business - we appreciate it very much.


[exact correct display name from contact]
Main: 628-056.6667 Fax: 628-056.6452 <-- both of these are made up
e:[correct email address from contact]

by Bryon 1 year ago

Hi Bryon,

I did recognize that too. I followed the advice to configure the clamAV external Agent and enabled the macroblocking in it. So no more malicious files are getting through to the users.


by NorbertFe 1 year ago

@Bryon: Hello Bryon,

Besides connecting ClamAV to ORF - as suggested by Norbert - I would recommend the following:

+ Make sure you have the recommended DNSBLs and SURBLs enabled: https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents

+ Blacklist the email if the sending server does not identify itself (in the EHLO/HELO command) using a fully qualified domain name. Compromised servers and workstations tend to use their own hostname as is, which is often not an FQDN. (Blacklists > HELO Blacklist > "Is not a ... FQDN")

+ Blacklist the email if the sending server does not have an MX record or its IP address cannot be resolved into a domain name. Both of these are requirements for legitimate mail exchangers.(Blacklists > Reverse DNS Test > "The sender domain must have a DNS MX record (strict check)" + "Enable Sender IP Reverse Name Validation")

+ If you have not done so already, enable Greylisting (Blacklists > Greylisting) and change its default settings:

> Disable the “Accept delivery retries from the same /24 subnet” option; needs to be done to stop more sophisticated spammers

> Disable the “Skip Greylisting if the sender explicitly passes the SPF Test” option; this is crucial, as spammer too can publish valid SPF records for their domains.

> Add large organizations that are known for using load balancing for outbound emails (which breaks Greylisting) to the Sender/IP Exception list of Greylisting; Send us an email to to receive an up-to-date list that you can import into ORF.

> Increase the “Reject unknown senders for” value to 180 - 240 seconds; to fend off more persistent spammers

> Increase the “Record lifetime” value to 168 - 336 hours; this way ORF will “remember” legitimate senders much longer, so their emails will be delayed far less often.

+ Enable the Auto Sender Whitelist and assign it to both filtering points to mitigate the delay introduced to legitimate emails by Greylisting. (Whitelists > Auto Sender Whitelist)

I hope the above will prove helpful to you.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): Hi Daniel, this is great info. Most of these settings we already have in place but i have edited some based on your awesome list

We'll see how it goes!

by Bryon 1 year ago
(in reply to this post)


@Bryon: Here's an example that just came in... can you help me block these? The sender address is always different, as is the ip address, and the spam link inside... i guess clam didnt catch this url, nor did any of the subscribed dnsbl's

It looks very much like it was sent from an authenticated hacked account on eigbox

image: [IMG]http://i66.tinypic.com/24w9cts.png[/IMG]

headers follow - i replaced our domain with DOMAIN.COM

( with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Mailbox
Transport; Fri, 14 Dec 2018 11:02:43 -0500
( with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2; Fri, 14 Dec
2018 11:02:43 -0500
Received: from bosmailout06.eigbox.net ( by MAIL.DOMAIN.COM
( with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1415.2 via Frontend
Transport; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosmailscan03.eigbox.net ([])
by bosmailout06.eigbox.net with esmtp (Exim)
id 1gXpvH-0005IM-Oq
for ; Fri, 14 Dec 2018 11:02:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=influxstudios.com; s=dkim; h=Sender:Content-Type:MIME-Version:Subject:
bh=p1wwRefdnYdqylFM8RVmLDIlLlG1bz2oqj0J+/emkS8=; b=jXK7yZsJ83Y1FtBVrQLSTmBXLQ
Received: from [] (helo=bosimpout11)
by bosmailscan03.eigbox.net with esmtp (Exim)
id 1gXpvH-0004id-LW
for ; Fri, 14 Dec 2018 11:02:43 -0500
Received: from bosauthsmtp10.yourhostingaccount.com ([])
by bosimpout11 with
id Bs2g1z00S0D2CUy01s2jVw; Fri, 14 Dec 2018 11:02:43 -0500
X-Authority-Analysis: v=2.2 cv=FsZ1xyjq c=1 sm=1 tr=0
a=Kpo39fPXdbgqDwiI3/AEUA==:117 a=OnwNedpwbEmQjfhdaadWyA==:17
a=2ur7OfE09M0A:10 a=DdkwvKWMyH8A:10 a=4f2JbuSVAAAA:8 a=6cidbXwNAAAA:8
a=Xr9l-omSUyeDwLqkOO8A:9 a=QEXdDO2ut3YA:10 a=fop_wKec13AA:10
a=5eW-U5RUVcAA:10 a=9ee4PZrlbecA:10 a=l3g7QsRNICkA:10
a=k08_IvnJdnjDs05Epclm:22 a=SFoW15EquUWVc-jo8gTH:22
Received: from [] (port=59391 helo=
by bosauthsmtp10.eigbox.net with esmtpa (Exim)
id 1gXpvE-0000p0-G8
for ; Fri, 14 Dec 2018 11:02:40 -0500
Date: Fri, 14 Dec 2018 10:02:42 -0600
From: Don Shadrake
Subject: 060272 Survey questions
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_45719_2118882677.5581344372213795066"
X-EN-UserInfo: fcc5039dbf79a75bed105a838f69c3ce:931c98230c6409dcc37fa7e93b490c27
Sender: Don Shadrake
X-EN-OrigHost: unknown
Return-Path: SRS0=0CjsjX=OX=influxstudios.com=
X-MS-Exchange-Organization-Network-Message-Id: 35ad7f32-e077-477a-2f5b-08d661dd94c4
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL.DOMAIN.COM
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.6411126
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.007

by Bryon 1 year ago
(in reply to this post)


Hello Bryon,

Could you send us (to ) your ORF configuration file (orfent.ini), the ORF log from today (i.e. orfee-2018-12-14.log) and a few spam samples (saved in .eml or .msg format) for analysis? I just want to make sure everything is set up properly and there are no technical issues before we try anything else. You can find the above mentioned files in the ORF program directory (default: \Program Files (x86)\ORF Fusion\)

Thank you.

by Daniel Novak (Vamsoft) 1 year ago

@Daniel Novak (Vamsoft): Sure thing, on the way in 5-10 mins

by Bryon 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): Do you use ORF for your email filter too? I sent this hours ago and just got the notice back, i think you're greylisting me

Diagnostic information for administrators:
Generating server: MAIL.domain.com
Receiving server: vamsoft.com (

Server at vamsoft.com ( returned '400 4.4.7 Message delayed'
12/14/2018 8:49:36 PM - Server at vamsoft.com ( returned '451 4.4.397 Error communicating with target host. -> 421 4.2.1 Unable to connect -> SocketTimedout: Socket error code 10060'

by Bryon 1 year ago
(in reply to this post)


@Bryon: We too use ORF, of course :) However, the SMTP error that you received is indicating an issue on your side, not ours. If you send us the original non-delivery report (unchanged) we may be able to help you resolve this problem. Use a third-party mail service provider (e.g. Gmail) to send us your email if necessary.

The diagnostics tool of MXToolbox.com can pinpoint the issue with your mail server (or DNS) as well: https://mxtoolbox.com/diagnostic.aspx

P.S. When ORF rejects an email due to Greylisting, it returns the following SMTP message: "4.7.1 Temporarily rejected. Try again later."

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): I sent these files again from a personal yahoo address on 16 Dec at 12:53pm eastern

by Bryon 1 year ago
(in reply to this post)


@Bryon: Hello Bryon,

Thank you, I have just finished reviewing them; I am going to send you a reply shortly. As for the phishing emails sent from the eigbox.net address, they were allowed to pass because an ORF administrator has explicitly whitelisted that domain - two years ago, on 11/23/2016, according to corresponding Sender Whitelist entry in the ORF configuration.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2