RC

19 posts

Geek


#303336 2-Feb-2023 11:16

A client who uses Xtramail has recently received half a dozen emails with a display name of a mutual contact. The mutual contact has a Gmail account and I haven't received anything dodgy related to the mutual contact.

I speculate that either:

1. The mutual contact's gmail account or other data has been compromised allowing the scammer(s) to obtain his email contact list, i.e. my client's Xtramail account has not been hacked.

2. The client's Xtramail account has been hacked.

Are there any clues in the email header / properties?

Is it possible to identify which ISPs, domains, etc are being used by the scammer from the email properties?

(client and mutual contact details removed for privacy reasons)

Email (as seen by client when email is opened)

From: [MUTUAL CONTACT NAME] <ts-1515@thestudylecole.edu.in>

Subject: Fwd: Message from [MUTUAL CONTACT NAME]

Message body text:

-----Original Message-----

Should have emailed them a little earlier - anyway here are these photos
now: http://www.tztvl.rteprro.com/

**********************

Header / Properties:
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
    by 10.23.30.101 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:d8::8) by
 MA0P287MB0515.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:b9::5) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5924.16; Fri, 23 Dec 2022 17:30:38 +0000
Received: from 10.23.30.101 ([10.23.30.21])
    by 10.23.40.143 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from 10.23.40.143 ([10.23.30.21])
    by 10.23.40.60 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Date: Sat, 24 Dec 2022 06:30:36 +1300
Message-ID: <PN3P287MB0129A49EDD351EDB6471B8D4B9E99@PN3P287MB0129.INDP287.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdkW9EiZAlrFz3qBSNaeQTybpbHhjQ==
snnet
1410 posts

Uber Geek


  #3031485 3-Feb-2023 21:03

The headers suggest the xtra mail account isn't compromised; as for the other address, a giveaway would be if that organisation uses Microsoft for its mail service.
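An added Python example (not code from anyone in this thread) that performs the check snnet describes on the headers quoted in the opening post: it walks the Received chain to find which outside relay handed the message to mx.xtra.co.nz, reads the true origin host, and compares the From domain with the impersonated contact's real provider. It assumes the client's mailbox is on xtra.co.nz and the contact's genuine address is on gmail.com, as the original poster states; the sample is trimmed to the two hops that matter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as posted in the thread (poster redacted names), trimmed to two hops.
RAW_HEADERS = """\
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
"""

HOP_RE = re.compile(r"from (\S+) \(\[?([^\]\)]+)\]?\).*?\bby (\S+)")


def parse_received(value):
    """Sending host, its IP and the receiving host from one Received: header."""
    m = HOP_RE.search(re.sub(r"\s+", " ", value))
    return {"from": m[1].lower(), "ip": m[2], "by": m[3].lower()} if m else None


def analyse(raw, our_domain="xtra.co.nz", contact_domain="gmail.com"):
    """Was the mail sent from inside our own account, and which provider did the
    sender really use?  contact_domain is the impersonated contact's real domain."""
    msg = message_from_string(raw)
    # Each relay prepends its Received: line, so hops[0] is the final hop and
    # hops[-1] the earliest one, closest to the true origin.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    ingress = next((h for h in hops if h["by"].endswith(our_domain)
                    and not h["from"].endswith(our_domain)), None)
    from_addr = parseaddr(msg["From"])[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    sender_domain = from_addr.rsplit("@", 1)[-1]
    return {
        # Handed to our MX by an outside relay => not sent from our own account.
        "sent_from_our_account": ingress is None,
        "handed_to_us_by": ingress["from"] if ingress else None,
        "handed_to_us_from_ip": ingress["ip"] if ingress else None,
        "origin_host": hops[-1]["from"] if hops else None,
        "sender_domain": sender_domain,
        # A real contact's display name on a domain that is not theirs.
        "display_name_spoofed": sender_domain != contact_domain,
        "return_path_matches_from": return_path == from_addr,
    }
```

Run `analyse(RAW_HEADERS)`: the mail entered Xtra from an outlook.com outbound relay and originated on an Outlook-hosted tenant, with a From domain that is not the contact's gmail.com, which is the pattern of a stolen contact list used from elsewhere rather than a compromised Xtra account.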




yitz
2074 posts

Uber Geek


  #3031539 3-Feb-2023 21:36

It's possible the mutual contact's contact list has been stolen but the e-mail filtering solution you use has rejected the message before it hits your inbox, whereas your client's Xtra Mail filtering has let it through. Or they are targeting xtra.co.nz addresses because they know the filtering is bad and people who use xtra are suckers 🤣


RC

19 posts

Geek


  #3031775 4-Feb-2023 15:51

My client who uses XtraMail received the dodgy emails.

The mutual contact's genuine email address is a gmail account & our organisation uses a MS Exchange Server, Outlook, etc. My client thoughtfully sent the dodgy emails she received as attachments to an email she composed and sent to me, so the email header / properties which I copied out of one of the dodgy emails has not been processed through our email system.

From the replies to my question, I gather that my client's XtraMail does not appear to be hacked. That suggests one of the following:

1. that the mutual contact has had his Gmail account hacked (unlikely but possible, esp. if he isn't using 2FA); or

2. that either my client or the mutual contact has had a device hacked with the result that an email contact list has been stolen.

I suppose there's also the possibility that a 3rd party who has been privy to emails sent or received between client and mutual contact has been hacked (email account or device).

Result: Advise both mutual contact and client to change their email account and device passwords and perform a full virus / spyware scan on their devices?




yitz
2074 posts

Uber Geek


  #3031837 4-Feb-2023 18:38

The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.


tdgeek
29743 posts

Uber Geek

Trusted
Lifetime subscriber

  #3031886 4-Feb-2023 19:11

Mark as spam; that trains the filters.


RC

19 posts

Geek


  #3032937 7-Feb-2023 16:38

yitz:

The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.

Yes, I remember when Yahoo left the back door open and allowed anyone who could access a yahoo mail active session cookie to gain access to the account linked to that cookie. It affected 1000s of Spark customers and led to Spark engaging a new (local I believe) external email provider - which in turn led to about a year of unending problems trying to send email to clients with XtraMail with our emails getting blocked as spam or fraudulent due to the aggressive filtering (no doubt because Xtra's user base is NZ's no.1 target for online fraud).

I thought this had all settled down, but it transpires the warning email I sent my client last Thursday did not hit her inbox (or junk / spam folder) and nor did the 2 emails I sent by forwarding the original email when I was with her on the phone today. She was receiving other emails from me, so I copied the text out of the original warning email into a new email and substituted all instances of the mutual contact's name with his profession and voila, she received that email within seconds of me hitting send. As a result, I now suspect that Xtra Mail's filter is now flagging up emails with text containing the mutual reference's name. Good one Spark!

I wish my friends, family and clients would bid Xtra Mail farewell & suspect that Spark would dearly love that too.

