Potential email hack

  • mogarry
6 years 8 months ago
#73162
The admin email listed on our club website was sent a spam email that appears to have gone through the toastmastersclubs.org mail server. Here are the message headers:
Code:
[WTM] Promote your branding
To: [redacted personal email]
Reply-To: sales.30@toppexa.com.org
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0033_01D49E87.80D40860"
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
<2018120022192300500187@toppexa.com>
Thread-Index: AQJfuJXx3W+tg/rdavNPHoAfQs/U9w==
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT
Received: from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)
Received: from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800
Received: from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT
Received: from ms11p00im-qufv17080701.me.com ([17.58.36.61]) by ms38024.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PK4000M8YBZH700@ms38024.mac.com> for [redacted] Sat, 22 Dec 2018 11:23:59 +0000 (GMT)
<201812221123.wBMBNvjx008133@toastmastersclubs.org>
Sender: <sales.30@toppexa.com.org>

It doesn't appear that it was sent through the website, as messages sent that way have
Code:
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4)
as the first relay entry (i.e. at the bottom of the header). Regardless, we've changed our admin password for the FreeToastHost site.

I'd be curious to know if something has indeed been compromised and, if so, what.

Sincerely,

Maureen
Club 4431485
The topic has been locked.
  • Brian

Re: Potential email hack

6 years 8 months ago
#73163
1) we do not filter the officer individual email alias or the admin alias.
2) the source of the email was Received: from the email server at ms11p00im-qufv17080701.me.com ([17.58.36.61])
  • SteveTheTechie

Re: Potential email hack

6 years 8 months ago - 6 years 8 months ago
#73164
It is important to understand that *all* club email addresses go through the FTH server. That is how the system forwards email lists and officer emails to the correct people. People send an email to a club email address which is handled by the FTH server, and it figures out the correct person to forward the email to from your website settings and membership management info. This is why the emails look to come from the FTH server (because they were forwarded from it)--we cannot change this because email clients would flag the emails as phishing emails otherwise.

This is how the system has always worked (and likely always will). We limit the amount of spam by designating some email addresses as publicly accessible and some as only accessible by club members (or officers in some cases). Most publicly accessible email addresses can be disabled, but the admin email address cannot be disabled or made "members only".

We designate the admin email address as *always* publicly accessible so that there is at least one publicly accessible email address for each and every club. However, this can create a problem with this email address being targeted for spam, particularly since it is a documented email address.

In your situation, it looks like someone is trying to spam you via the admin email address. If you have enabled the "Is this SPAM?" links in emails to public email addresses, you should just be able to click the link at the bottom of the email body to block the sender's email address (listed in the Reply-To section) in the future. If you did *not* enable the "Is this SPAM?" links, then you can add the sender's email address (sales.30@toppexa.com.org) to your club email Black List (in the Email and Contact Forms module).

Reference the following doc: support.toastmastersclubs.org/doc/item/email-and-contact-forms
Last edit: 6 years 8 months ago by SteveTheTechie.
The following user(s) said Thank You: mogarry
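
As an added example (not part of the original posts and not FreeToastHost code), the Received headers quoted in the first post can be put in chronological order to find the hop where the forwarding server accepted the message from an outside peer. Ordering by timestamp and the names `parse_hop`, `relay_path` and `entry_hop` are assumptions of this example.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Received values copied from the first post (redactions are the poster's).
RECEIVED = [
    "from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT",
    "from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)",
    "from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800",
    "from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT",
    "from ms11p00im-qufv17080701.me.com ([17.58.36.61]) by ms38024.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PK4000M8YBZH700@ms38024.mac.com> for [redacted] Sat, 22 Dec 2018 11:23:59 +0000 (GMT)",
]

DATE_RE = re.compile(r"[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d{4} \d\d:\d\d:\d\d (?:[+-]\d{4}|GMT)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby ([^\s\[]+)")

def parse_hop(value):
    """Return (timestamp, peer_ip, receiving_host) for one Received value."""
    when = parsedate_to_datetime(DATE_RE.search(value).group(0))
    ip = ipaddress.ip_address(IP_RE.search(value).group(1))
    by_host = BY_RE.search(value).group(1)
    return when, ip, by_host

def relay_path(values):
    """Hops in chronological order (the post lists them out of order)."""
    # Assumption: the hosts' clocks are close enough for timestamps to order hops.
    return sorted((parse_hop(v) for v in values), key=lambda h: h[0])

def entry_hop(values, forwarder):
    """First hop where `forwarder` accepted the message from a non-loopback peer.

    Lines written before this hop come from the sending side and can be forged;
    this one was recorded by the forwarder itself.
    """
    for when, ip, by_host in relay_path(values):
        if by_host == forwarder and not ip.is_loopback:
            return when, ip
    return None

if __name__ == "__main__":
    for when, ip, by_host in relay_path(RECEIVED):
        print(when.isoformat(), ip, "->", by_host)
    print("entry:", entry_hop(RECEIVED, "toastmastersclubs.org"))
```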
  • mogarry

Re: Potential email hack

6 years 8 months ago
#73170
OK, I understand now. For some reason I didn't think of the fact that using the alias would necessitate going through the mail server. Sorry for the false alarm, but thank you for the responses!
The following user(s) said Thank You: SteveTheTechie