Potential email hack

6 years 7 months ago #73162 by mogarry
Potential email hack was created by mogarry
The admin email listed on our club website was sent a spam email that appears to have gone through the toastmastersclubs.org mail server. Here are the message headers:
Code:
[WTM] Promote your branding
To: [redacted personal email]
Reply-To: sales.30@toppexa.com.org
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0033_01D49E87.80D40860"
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
<2018120022192300500187@toppexa.com>
Thread-Index: AQJfuJXx3W+tg/rdavNPHoAfQs/U9w==
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT
Received: from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)
Received: from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800
Received: from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT
Received: from ms11p00im-qufv17080701.me.com ([17.58.36.61]) by ms38024.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PK4000M8YBZH700@ms38024.mac.com> for [redacted] Sat, 22 Dec 2018 11:23:59 +0000 (GMT)
<201812221123.wBMBNvjx008133@toastmastersclubs.org>
Sender: <sales.30@toppexa.com.org>

It doesn't appear that it was sent through the website, as messages sent that way have
Code:
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4)
as the first relay entry (i.e. at the bottom of the header). Regardless, we've changed our admin password for the FreeToastHost site.

I'd be curious to know if something has indeed been compromised and, if so, what.

Sincerely,

Maureen
Club 4431485
The topic has been locked.
6 years 7 months ago #73163 by Brian
Replied by Brian on topic Potential email hack
1) we do not filter the officer individual email alias or the admin alias.
2) the source of the email was Received: from the email server at ms11p00im-qufv17080701.me.com ([17.58.36.61])
6 years 7 months ago - 6 years 7 months ago #73164 by SteveTheTechie
Replied by SteveTheTechie on topic Potential email hack
It is important to understand that *all* club email addresses go through the FTH server. That is how the system forwards email lists and officer emails to the correct people. People send an email to a club email address which is handled by the FTH server, and it figures out the correct person to forward the email to from your website settings and membership management info. This is why the emails look to come from the FTH server (because they were forwarded from it)--we cannot change this because email clients would flag the emails as phishing emails otherwise.

This is how the system has always worked (and likely always will). We limit the amount of spam by designating some email addresses as publicly accessible and some as only accessible by club members (or officers in some cases). Most publicly accessible email addresses can be disabled, but the admin email address cannot be disabled or made "members only".

We designate the admin email address as *always* publicly accessible so that there is at least one publicly accessible email address for each and every club. However, this can create a problem with this email address being targeted for spam, particularly since it is a documented email address.

In your situation, it looks like someone is trying to spam you via the admin email address. If you have enabled the "Is this SPAM?" links in emails to public email addresses, you should just be able to click the link at the bottom of the email body to block the sender's email address (listed in the Reply-To section) in the future. If you did *not* enable the "Is this SPAM?" links, then you can add the sender's email address (sales.30@toppexa.com.org) to your club email Black List (in the Email and Contact Forms module).

Reference the following doc: support.toastmastersclubs.org/doc/item/email-and-contact-forms
Last edit: 6 years 7 months ago by SteveTheTechie.
The following user(s) said Thank You: mogarry
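Added example, not part of the thread and not FreeToastHost code: the forwarding path described above can be read out of the Received lines from the first post by ordering them by timestamp and finding the hop where the forwarding server accepted the message from a non-loopback address. The function names are assumptions made for this sketch; the header values are copied from the post.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Received values copied from the headers in the first post (redactions kept).
RECEIVED = [
    "from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id wBMBNvjx008133 for <redacted>; Sat, 22 Dec 2018 11:23:57 GMT",
    "from toastmastersclubs.org (toastmastersclubs.org [50.19.253.65]) by ms11p00im-qufv17080701.me.com (Postfix) with ESMTPS id A1D95BC006D for <redacted>; Sat, 22 Dec 2018 11:23:58 +0000 (UTC)",
    "from 2013-20170428CN[127.0.0.1] by 2013-20170428CN[127.0.0.1] (SMTPD32); Sat, 22 Dec 2018 19:23:51 +0800",
    "from toppexa.com ([27.37.80.123]) by toastmastersclubs.org (8.14.4/8.14.4) with SMTP id wBMBNrM9008112 for <admin@waimeatoastmasters.org>; Sat, 22 Dec 2018 11:23:54 GMT",
]

HOP = re.compile(r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Split one Received value into source IP, receiving host and timestamp."""
    m = HOP.search(value)
    if m is None:
        raise ValueError("not a Received value: %r" % value)
    ip = IPV4.search(m.group("src"))
    return {
        "ip": ipaddress.ip_address(ip.group(1)) if ip else None,
        "by": m.group("by").split("[")[0].lower(),
        # The date follows the last ';' and is timezone-aware once parsed.
        "when": parsedate_to_datetime(value.rpartition(";")[2].strip()),
    }


def trace(received):
    """Return hops oldest first; mail clients may display them in any order."""
    return sorted((parse_hop(v) for v in received), key=lambda h: h["when"])


def external_entry(received, forwarder):
    """First hop where `forwarder` took the message from a non-loopback IP."""
    for hop in trace(received):
        if hop["by"] == forwarder and hop["ip"] and not hop["ip"].is_loopback:
            return hop
    return None


if __name__ == "__main__":
    for hop in trace(RECEIVED):
        print(hop["when"].isoformat(), hop["ip"], "->", hop["by"])
    print("entry:", external_entry(RECEIVED, "toastmastersclubs.org")["ip"])
```

Only the line written by a server you trust (here the forwarder's own record of who connected to it) is reliable; anything older is supplied by the sender and can be forged, as can its timestamp.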
6 years 7 months ago #73170 by mogarry
Replied by mogarry on topic Potential email hack
OK, I understand now. For some reason I didn't think of the fact that using the alias would necessitate going through the mail server. Sorry for the false alarm, but thank you for the responses!
The following user(s) said Thank You: SteveTheTechie