Potential email hack 6 years 6 months ago #73162

  • mogarry (Topic Author, New Member)
The admin email listed on our club website was sent a spam email that appears to have gone through the toastmastersclubs.org mail server. Here are the message headers:
[WTM] Promote your branding
To: [redacted personal email]
Reply-To: sales.30@toppexa.com.org 
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0033_01D49E87.80D40860"
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
<2018120022192300500187@toppexa.com>
Thread-Index: AQJfuJXx3W+tg/rdavNPHoAfQs/U9w==
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT
Received: from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)
Received: from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800
Received: from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT
Received: from ms11p00im-qufv17080701.me.com ([17.58.36.61]) by ms38024.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017)) with ESMTP id <0PK4000M8YBZH700@ms38024.mac.com> for [redacted] Sat, 22 Dec 2018 11:23:59 +0000 (GMT)
<201812221123.wBMBNvjx008133@toastmastersclubs.org>
Sender: <sales.30@toppexa.com.org>

It doesn't appear that it was sent through the website, as messages sent that way have
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4)
as the first relay entry (i.e. at the bottom of the header). Regardless, we've changed our admin password for the FreeToastHost site.

I'd be curious to know if something has indeed been compromised and, if so, what.

Sincerely,

Maureen
Club 4431485
The topic has been locked.

Potential email hack 6 years 6 months ago #73163

  • Brian (Administrator)
1) We do not filter the officer individual email alias or the admin alias.
2) The source of the email was Received: from the email server at ms11p00im-qufv17080701.me.com ([17.58.36.61])

Potential email hack 6 years 6 months ago #73164

  • SteveTheTechie (Administrator)
It is important to understand that *all* club email addresses go through the FTH server. That is how the system forwards email lists and officer emails to the correct people. People send an email to a club email address which is handled by the FTH server, and it figures out the correct person to forward the email to from your website settings and membership management info. This is why the emails look to come from the FTH server (because they were forwarded from it)--we cannot change this because email clients would flag the emails as phishing emails otherwise.

This is how the system has always worked (and likely always will). We limit the amount of spam by designating some email addresses as publicly accessible and some as only accessible by club members (or officers in some cases). Most publicly accessible email addresses can be disabled, but the admin email address cannot be disabled or made "members only".

We designate the admin email address as *always* publicly accessible so that there is at least one publicly accessible email address for each and every club. However, this can create a problem with this email address being targeted for spam, particularly since it is a documented email address.

In your situation, it looks like someone is trying to spam you via the admin email address. If you have enabled the "Is this SPAM?" links in emails to public email addresses, you should just be able to click the link at the bottom of the email body to block the sender's email address (listed in the Reply-To section) in the future. If you did *not* enable the "Is this SPAM?" links, then you can add the sender's email address to your club email Black List (in the Email and Contact Forms module).

Reference the following doc: support.toastmastersclubs.org/doc/item/email-and-contact-forms
The topic has been locked.
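
Added example (not part of the original thread and not FreeToastHost code): the Received headers from the first post, ordered by timestamp to rebuild the relay path and to check whether the club server first saw the message from an outside host or from its own loopback address, which is the distinction drawn in the posts above. The function names are illustrative, and the ordering assumes each server's clock is roughly right; Received lines added before the first server you trust can be forged.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Received values copied from the first post (redactions as posted), in the
# order the mail client listed them, which is not the order of transit.
RECEIVED = [
    "from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT",
    "from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)",
    "from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800",
    "from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT",
    "from ms11p00im-qufv17080701.me.com ([17.58.36.61]) by ms38024.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017)) with ESMTP id <0PK4000M8YBZH700@ms38024.mac.com> for [redacted] Sat, 22 Dec 2018 11:23:59 +0000 (GMT)",
]

# "from <host> ... [<ip>] ... by <host>"; tolerates host[ip] glued together.
HOP = re.compile(r"from\s+([^\s\[(]+).*?\[([\d.]+)\].*?\bby\s+([^\s\[(]+)")
# The date is matched by shape because one header lost its ';' to redaction.
DATE = re.compile(r"\w{3}, \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d (?:[+-]\d{4}|GMT)")


def parse_hop(header):
    """Return (time, from_host, from_ip, by_host) for one Received value."""
    hop, date = HOP.search(header), DATE.search(header)
    if not hop or not date:
        raise ValueError("unparseable Received header: " + header[:40])
    return (parsedate_to_datetime(date.group(0)),
            hop.group(1), hop.group(2), hop.group(3))


def relay_path(headers):
    """Hops in transit order (timezone-aware timestamps sort across zones)."""
    return sorted(parse_hop(h) for h in headers)


def classify(headers, server):
    """How did `server` first receive the message: loopback or outside host?"""
    for _, src, ip, by in relay_path(headers):
        if by == server:
            local = ipaddress.ip_address(ip).is_loopback
            verdict = "originated on " if local else "forwarded by "
            return (verdict + server, src, ip)
    return ("not handled by " + server, None, None)


if __name__ == "__main__":
    for when, src, ip, by in relay_path(RECEIVED):
        print(when.isoformat(), src, "[" + ip + "]", "->", by)
    print(classify(RECEIVED, "toastmastersclubs.org"))
```
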

Potential email hack 6 years 6 months ago #73170

  • mogarry (Topic Author, New Member)
OK, I understand now. For some reason I didn't think of the fact that using the alias would necessitate going through the mail server. Sorry for the false alarm, but thank you for the responses!