0

We experienced something weird. We've got A LOT of mails send with our domain but not by us.

We've got DMARC, DKIM, SPF, etc., all set up and working but the issue still persists. Changing API keys and SMTP keys won't solve this issue.

What can we do?

Example of the log of a mail:

{
  "Type" : "Notification",
  "MessageId" : "d9c91074-7f57-5a86-8322-49393f02821a",
  "TopicArn" : "arn:aws:sns:eu-west-1:718401892325:Bounce",
  "Message" : "{\"notificationType\":\"Bounce\",\"bounce\":{\"feedbackId\":\"0102017a392a81a4-57668ac5-61a5-4648-9dc4-74c1b3c687c7-000000\",\"bounceType\":\"Permanent\",\"bounceSubType\":\"General\",\"bouncedRecipients\":[{\"emailAddress\":\"[REDACTED RECEIVER]\",\"action\":\"failed\",\"status\":\"5.3.0\",\"diagnosticCode\":\"smtp; 550 Invalid Recipient - https://community.mimecast.com/docs/DOC-1369#550 [aKgfXeZYNwGH2GQxUFKDHA.us425]\"}],\"timestamp\":\"2021-06-23T13:58:44.000Z\",\"remoteMtaIp\":\"207.211.30.242\",\"reportingMTA\":\"dns; a7-36.smtp-out.eu-west-1.amazonses.com\"},\"mail\":{\"timestamp\":\"2021-06-23T13:58:44.246Z\",\"source\":\"[OUR MAIL ADRESS]\",\"sourceArn\":\"arn:aws:ses:eu-west-1:718401892325:identity/[OURDOMAIN]\",\"sourceIp\":\"185.29.10.120\",\"sendingAccountId\":\"718401892325\",\"messageId\":\"0102017a392a7f16-fe0921c4-319b-4565-a621-999132fc4ded-000000\",\"destination\":[\"[REDACTED RECEIVER]\"],\"headersTruncated\":false,\"headers\":[{\"name\":\"Received\",\"value\":\"from [OURDOMAIN] ([185.29.10.120]) by email-smtp.amazonaws.com with SMTP (SimpleEmailService-d-ETSXZ9WDB) id jsSf6D7p1SM4Tbekxdmr for [REDACTED RECEIVER]; Wed, 23 Jun 2021 13:58:44 +0000 (UTC)\"},{\"name\":\"From\",\"value\":\"[REDACTED RECEIVER DOMAIN] <[OURDOMAIN]>\"},{\"name\":\"To\",\"value\":\"[REDACTED RECEIVER]\"},{\"name\":\"Subject\",\"value\":\"Pending E-mail Message Released / REF: [REDACTED RECEIVER] / Priority: High\"},{\"name\":\"Date\",\"value\":\"23 Jun 2021 16:57:44 +0300\"},{\"name\":\"Message-ID\",\"value\":\"<20210623164053.3484CFB902B9822F@[OURDOMAIN]>\"},{\"name\":\"MIME-Version\",\"value\":\"1.0\"},{\"name\":\"Content-Type\",\"value\":\"text/html\"},{\"name\":\"Content-Transfer-Encoding\",\"value\":\"quoted-printable\"}],\"commonHeaders\":{\"from\":[\"\\\"[REDACTED RECEIVER DOMAIN]\\\" <[REDACTED RECEIVER]>\"],\"date\":\"23 Jun 2021 16:57:44 +0300\",\"to\":[\"[REDACTED RECEIVER]\"],\"messageId\":\"<20210623164053.3484CFB902B9822F@[OURDOMAIN]>\",\"subject\":\"Pending E-mail Message Released / REF: [REDACTED RECEIVER] / Priority: High\"}}}",
  "Timestamp" : "2021-06-23T13:58:45.045Z",
  "SignatureVersion" : "1",
  "Signature" : "....jetiO8rzyuzM1dc5FCVHt7UAqHIjahA0fmXnLxKn9L5KwOlSlFvYaWBcYkEgCG1F7m+z1qDRaYqaU80Z+YY+exR7nw==",
  "SigningCertURL" : ".......",
  "UnsubscribeURL" : "......-4f97-82a3-3bf1b9e107bc"
}

It looks someone is spamming from a Server and uses the FROM: ebay.com info@ourdomain.com --> Using email-smtp.amazonaws.com SMTP --> and sending via our Amazon SES account to: ceo@ebay.com (for example)

can anybody guide me in the right directions since I don't know what to do and Amazon isn't that helpful either.

ps. added [redacted...] in the JSON response for the privacy of the receiver.

Ps2. Removed signature and signing URL and unsubscribe

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
Jan
  • 1
  • 1
  • SO is a coding site. You might try one of the other network sites dedicated to security and server administration. – isherwood Jun 23 '21 at 16:40
  • 2
    I think its likely your website itself has been compromised, or there is a vulnerability in whatever code you used to send email that allows a 3rd party to inject their own data and send email. Check your webservers access logs and error logs for suspicious requests and update your question with what you find. Based on the info provided so far its impossible to answer this question. – MisterSmith Jun 23 '21 at 17:03

0 Answers0