EmailDiscussions.com  

Old 22 Mar 2016, 11:10 PM   #1
SamVilde
Essential Contributor
 
Join Date: Apr 2002
Location: New York City
Posts: 241
Spam from myself?

How did I get a spam message from my own account? It contains a zip file (document2.zip). Scary or normal?

Old 23 Mar 2016, 12:11 AM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Scary. DO NOT OPEN.

Expanded: it is, unfortunately, trivial to forge the sender address in email. A .zip file in an unexpected message from an unknown source (you didn't actually send it to yourself, did you?) usually contains a virus or other very undesirable contents. Sending it as a zip makes automatic malware detection more difficult.

Last edited by janusz : 23 Mar 2016 at 12:20 AM.
Old 23 Mar 2016, 02:13 AM   #3
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
Look at the Headers of the Email and find the "Received:" line - Most likely it has a different email server and IP than the one you send from. That's where DMARC comes in.

If it's the same as the one you send from, then you might have an open relay.
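The "Received:" check suggested in the post above, as an added example that is not part of the original thread: it walks the Received headers newest-first and reports the first IP outside your provider, since anything older than that hop was written by the sender. The message, host names, and provider network are constructed (documentation IP ranges); only the Message-ID suffix is taken from the thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: made-up host names, documentation IP ranges.
RAW = """\
Received: from mx1.provider.example (mx1.provider.example [198.51.100.7])
\tby store.provider.example; Tue, 22 Mar 2016 10:00:02 -0400
Received: from BORO-SBS.boro.local (unknown [203.0.113.45])
\tby mx1.provider.example; Tue, 22 Mar 2016 10:00:01 -0400
Received: from mail.provider.example ([198.51.100.9]) by relay; forged by sender
From: Me <me@example.org>
To: me@example.org
Subject: Document2
Message-ID: <abc123@BORO-SBS.boro.local>

(body omitted)
"""

# Assumption: networks used by the servers of the provider you send through.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw):
    """First IP outside the provider, walking Received: lines newest-first.

    Lines older than that hop came from the sender and prove nothing.
    Returns None when every recorded hop is inside the provider.
    """
    for hop in message_from_string(raw).get_all("Received", []):
        m = BRACKETED_IP.search(hop)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in PROVIDER_NETS):
            return ip
    return None

def forged_self_mail(raw):
    """True for mail 'from myself' that entered from outside the provider."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    rcpt = parseaddr(msg["To"])[1].lower()
    return sender == rcpt and handoff_ip(raw) is not None
```

A `None` result for a self-addressed message you did not send corresponds to the second case in the post: the mail really did pass through your own sending servers.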
Old 23 Mar 2016, 03:50 AM   #4
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 882
I was browsing thru my spam folder last night, and I saw a similar message (with that file, Document2.zip, attached). I looked at the raw message and the originating IP was in Mexico (and I have never been there..). It did appear to come from a Fastmail mail server though. I did intend to report the message, but I forgot. I will now probably, even though Fastmail's spam engine did catch it..

- Bruce

edit: I looked over the headers again, and I most probably mistakenly concluded the message to come from another Fastmail account.

Last edited by somdcomputerguy : 23 Mar 2016 at 04:25 AM. Reason: edit:
Old 23 Mar 2016, 11:10 AM   #5
SamVilde
Essential Contributor
 
Join Date: Apr 2002
Location: New York City
Posts: 241
See - I was wondering. I used to be able to view the full headers, and now I cannot. Why is that? When clicking "more details" I just get the sent from address, which is supposedly myself (#1 no I did not send this to myself, and #2 it's an alias I use for almost nothing!!)

#3 it was not identified as Spam.

What happened to my ability to view full headers?

Creepy spam.
Old 23 Mar 2016, 11:29 AM   #6
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 882
In the new/default web interface, once an email is opened, there is a More button on the far right (in the email, next to the Reply button). There a Show Raw Message option is displayed when the button is clicked. In the classic web interface, a Show Raw Message link is shown right away, all the time.

- Bruce

Last edited by somdcomputerguy : 23 Mar 2016 at 11:34 AM.
Old 23 Mar 2016, 04:01 PM   #7
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
I have received four of these messages sent from/to various addresses at different domains I use since March 16, 2016. They all have the subject and attached zip file "Document 2" or "Document2". Most (but not all) have a Message-ID ending in "@BORO-SBS.boro.local". Each one I have received is from a different IP and apparently different country. This is also happening to non-FastMail accounts, and appears to be a sophisticated attack:
https://social.technet.microsoft.com...ecuremessaging

Bill
Old 23 Mar 2016, 07:58 PM   #8
SamVilde
Essential Contributor
 
Join Date: Apr 2002
Location: New York City
Posts: 241
Okay. I'll stop taking it personally. Thanks.
Old 24 Mar 2016, 09:45 PM   #9
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
If you're using a custom domain, setting up SPF and DMARC records in DNS for your domain may help prevent this. I also saw a couple slip through for me in the past couple of days, but they appear to have stopped again, and instead I'm seeing DMARC reports that show that they've been failing, since of course they're coming from a server that isn't authorized to send mail on behalf of my domain.

My SPF and DMARC records look like this:

SPF:

Code:
    v=spf1 include:spf.messagingengine.com -all

DMARC (where "myemailaddress" is my actual email address, I've just removed it here for obvious reasons):

Code:
    v=DMARC1; p=reject; rua=mailto:myemailaddress; ruf=mailto:myemailaddress

Of course you'll only want to do this if you don't use any other mail servers to send mail from your domain — the "-all" on the SPF record means that only FastMail's servers are authorized to send mail for that domain. If you send mail through other outbound SMTP servers, such as those of your ISP, you'll either need to change "-all" to "?all" (which may let things slip through), or add those servers to your SPF record as well, either using another "include" directive if they have their own SPF record, or by entering the addresses specifically with "ip4:" prefixes (e.g. "ip4:66.111.4.0/24").
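The effect of the "-all", "?all" and "ip4:" choices described in the post above, as an added example that is not part of the original thread: a minimal SPF evaluator covering only the ip4, include and all mechanisms. DNS is replaced by a constructed table; the domain names, the addresses, and the record shown for spf.messagingengine.com are made up for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The record listed for spf.messagingengine.com is made up, not the real one.
DNS_TXT = {
    "strict.example": "v=spf1 include:spf.messagingengine.com -all",
    "neutral.example": "v=spf1 include:spf.messagingengine.com ?all",
    "with-isp.example":
        "v=spf1 include:spf.messagingengine.com ip4:192.0.2.0/24 -all",
    "spf.messagingengine.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, records):
    """Evaluate the ip4, include and all mechanisms of an SPF record."""
    addr = ipaddress.ip_address(ip)
    for term in records[domain].split()[1:]:        # skip "v=spf1"
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the included record yields "pass"
            matched = check_spf(ip, mech[8:], records) == "pass"
        else:
            continue    # mechanisms this sketch does not implement
        if matched:
            return RESULT[qualifier]
    return "neutral"    # no mechanism matched

def compare(ip):
    """SPF result for one connecting IP under each of the three records."""
    return {d: check_spf(ip, d, DNS_TXT)
            for d in ("strict.example", "neutral.example", "with-isp.example")}
```

`compare("203.0.113.45")` shows an unauthorized server failing under "-all" but coming back neutral under "?all", and `compare("192.0.2.10")` shows an ISP relay failing until its range is listed with "ip4:".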
All times are GMT +9.