
Re: [OT] Has my e-mail account been hacked?



On Mon 12 Oct 2015 at 19:58:59 -0400, Stephen Powell wrote:

> On Mon, 12 Oct 2015 16:53:05 -0400 (EDT), Stuart Longland wrote:
> > 
> > I'd check the backscatter case, as this requires no skill on the part of
> > the attacker and is the most likely case.
> > ...
> > It's worth knowing how to read the headers of emails in this
> > circumstance as it can give you vital information for knowing what is
> > going on.
> 
> Unfortunately, I don't.  Attached below is one of the mail delivery
> failure notices, which includes the headers of the original message.
> But I don't understand what it all means.  Perhaps you or someone else
> out there can make some sense of it and advise me accordingly.
> Remember, I never sent the original e-mail.  I just got the delivery
> failure notice.
> 
> -----
> 
> This message was created automatically by the mail system (ecelerity).

ecelerity is a mail platform owned by Message Systems. It attempted to
send a mail to zerriells@aol.com which was rejected by AOL. It is now
informing you of the rejection. ecelerity does not run on your machine.

> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
> 
> >>> zerriells@aol.com (after RCPT TO): 550 5.1.1 <zerriells@aol.com>: Recipient address rejected: aol.com
> 
> ------ This is a copy of the headers of the original message. ------
> 
> Return-Path: <zlinuxman@wowway.com>
> X_CMAE_Category: , ,
> X-CNFS-Analysis: v=2.1 cv=eaKdB+wH c=1 sm=1 tr=0 a=FxXVyIFnAocEnA08ajU80w==:117 a=FxXVyIFnAocEnA08ajU80w==:17 a=K-v-2zaBAAAA:8 a=QP5IY3kgAAAA:8 a=ZhWb6TEzAAAA:8 a=kj9zAlcOel0A:10 a=op2l2dobe8TBvKaan4QA:9 a=qSf3gRf-E_nrW77P:21 a=Nputykdsa0hyqt36:21 a=CjuIK1q_8ugA:10
> X-CM-Score: 0
> X-Scanned-by: Cloudmark Authority Engine
> X-Authed-Username: dGhlY291Z2hpbmdjYW5hcnlAd293d2F5LmNvbQ==
> X_CMAE_Category: , ,
> X-CNFS-Analysis: 
> X-CM-Score: 
> X-Scanned-by: Cloudmark Authority Engine

Standard ecelerity stuff. It can be seen in the headers of the two mails
you have contributed to this thread. ecelerity attempted contact with
AOL using an envelope From of <zlinuxman@wowway.com>.

> Authentication-Results:  smtp02.wow.cmh.synacor.com smtp.user=thecoughingcanary; auth=pass (LOGIN)

ecelerity reckons someone from smtp02.wow.cmh.synacor.com has been
authenticated. Your mails to -user have

  Received: from [10.35.66.7] ([10.35.66.7:33229] helo=md20.wow.cmh.synacor.com)

in their headers so have been authenticated in the same way.

> Received: from [69.73.17.154] ([69.73.17.154:57886] helo=46MmPDFcgl13022)

ecelerity records receiving a mail from 69.73.17.154 on Wed 07 Oct.

> 	by smtp.mail.wowway.com (envelope-from <zlinuxman@wowway.com>)
> 	(ecelerity 3.6.1.42806 r(Platform:3.6.1.1)) with ESMTPA
> 	id 54/A2-15401-2D8D4165; Wed, 07 Oct 2015 04:33:28 -0400

Looks genuine and probably is.

[Message body snipped. It is of no consequence as it plays no part in
the transmission of the mail.]

You could start by examining your Message Systems account with a fine
toothcomb.
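Reading the bounced message's headers programmatically, as an added example that is not part of this thread: it takes the original-message headers quoted above (embedded verbatim, so it runs offline) and pulls out the submitting IP, the server that accepted the message, the protocol, and the account that authenticated. The distinction that matters for the backscatter question is ESMTPA together with auth=pass: a pure backscatter forgery needs only a fake From address, whereas an authenticated submission means the account's credentials were presented to the server.

```python
import base64
import re
from email import message_from_string
from email.policy import default

# The relevant original-message headers from the bounce quoted above,
# embedded here so the script runs offline (folded lines kept as in the mail).
BOUNCE_HEADERS = (
    "Return-Path: <zlinuxman@wowway.com>\n"
    "X-Authed-Username: dGhlY291Z2hpbmdjYW5hcnlAd293d2F5LmNvbQ==\n"
    "Authentication-Results:  smtp02.wow.cmh.synacor.com"
    " smtp.user=thecoughingcanary; auth=pass (LOGIN)\n"
    "Received: from [69.73.17.154] ([69.73.17.154:57886] helo=46MmPDFcgl13022)\n"
    "\tby smtp.mail.wowway.com (envelope-from <zlinuxman@wowway.com>)\n"
    "\t(ecelerity 3.6.1.42806 r(Platform:3.6.1.1)) with ESMTPA\n"
    "\tid 54/A2-15401-2D8D4165; Wed, 07 Oct 2015 04:33:28 -0400\n"
    "\n"
)

RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>[0-9.]+)\].*?helo=(?P<helo>[^)\s]+).*?"
    r"by\s+(?P<by>\S+).*?with\s+(?P<proto>[A-Za-z]+)", re.S)
AUTH_RE = re.compile(r"smtp\.user=(?P<user>[^;\s]+).*?auth=(?P<result>\w+)")


def analyse_bounce(raw_headers: str) -> dict:
    """Who submitted the bounced message, via which server, how, and as whom."""
    msg = message_from_string(raw_headers, policy=default)
    # The topmost Received header is the hop written by the server nearest us;
    # here that is the submission server that accepted the message.
    hop = RECEIVED_RE.search(str(msg.get_all("Received")[0]))
    auth = AUTH_RE.search(str(msg["Authentication-Results"]))
    authed_user = base64.b64decode(str(msg["X-Authed-Username"])).decode("ascii")
    proto = hop.group("proto")
    return {
        "envelope_from": str(msg["Return-Path"]).strip().strip("<>"),
        "submitting_ip": hop.group("ip"),
        "accepted_by": hop.group("by"),
        "protocol": proto,
        # ESMTPA = ESMTP with SMTP AUTH: the submitter logged in with credentials.
        "authenticated_submission": proto.upper().startswith("ESMTPA"),
        "auth_user": auth.group("user"),
        "auth_result": auth.group("result"),
        "x_authed_username": authed_user,
    }


if __name__ == "__main__":
    for key, value in analyse_bounce(BOUNCE_HEADERS).items():
        print(f"{key:>24}: {value}")
```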

