At the end of last week, I got a message from my sister about a problem with her email account. It is a Google Apps for your Domain account and luckily, I don’t manage it! Around the same time I got her message, I received email from Google that her account was suspended. Turns out when I setup the Google account, I added an admin account for me and had email forwarded to my main email address. This turns out to be a good thing as I was able to reset her password and get her going again. My sister explained that she had checked her email from her work Windows machine and it had some type of virus/malware on it and that caused her account to be compromised. Ouch. Like a good brother, I helped get things going again and told her (and the rest of my family) to enable 2 factor/2 step authentication everywhere it was available. In addition, I told her never to check her Google email from her work computer and just use her phone. That’s probably good advice; don’t use machines that aren’t under your control if you can help it. Email can wait and with a smartphone, it is easy enough to check mail on the phone.
Her email address (not the account) was then used to send a bunch of spam. Unfortunately, there isn’t much that can done about it. However, since I have control over the DNS for her domain, I setup SPF and DKIM so that any service that implements either or both of these will mark any mail that doesn’t originate from Google servers as spam. Email that originates from a server not identified by SPF will have something like this in the header:
Received-SPF: fail (google.com: domain of person@example does not designate 220.127.116.11 as permitted sender) client-ip=18.104.22.168; Authentication Results: mx.google.com; spf=fail (google.com: domain of person@example does not designate 22.214.171.124 as permitted sender) firstname.lastname@example.org
Whereas legitimate email will look like this:
Received-SPF: pass (google.com: domain of email@example.com designates 2607:f8b0:400e:c03::232 as permitted sender) client-ip=2607:f8b0:400e:c03::232; Authentication-Results: mx.google.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 2607:f8b0:400e:c03::232 as permitted sender) email@example.com; dkim=pass firstname.lastname@example.org
(This SPF pass also shows a DKIM pass.)
Many providers (such as Gmail) use SPF and DKIM to mark messages as spam; Gmail doesn’t flat out refuse the email, but some providers will. For anyone that receives spoofed email from a person whose domain uses SPF and DKIM, I’d recommend letting the provider know about this. SPF has been around for years and takes just a few minutes to setup.
While email is still going out using my sister’s email address, there is absolutely nothing she (or I) can do about it.
- Turn on SPF and DKIM on domains.
- Use 2 factor/2 step authentication where available.
- Don’t use untrusted computers.
I backup my virtual server daily and then sync them to my laptop, so I started going through the backups to figure out when the code was modified. It appears that the code was modified right around when WordPress 4.3.1 came out. That is quite coincidental and scary. I couldn’t pinpoint the exact date or method of injection, but WordPress is a constant target for hacks and is patched all the time for security issues.
So now I’ve cleaned up this mess and disabled a bunch of plugins. While I hope this doesn’t happen again, I’m not sure what I can do to protect my site. I’ll keep a closer eye on the logs and see if I notice anything.
Dealing with this kind of thing keeps me up at night and gives me heartburn. It is too bad that criminals and miscreants don’t have better things to do than to cause problems for others. My wife believes in karma, and I’m sure that those that perpetrated these hacks will get what’s coming to them.