Email hacked / compromised: Common tips for resolution, and getting your site off spam blocklists.


Determining If Your Email Account Has Been Compromised:
Here are some easy questions to determine if your hosted email account with us may have been compromised or hacked.

1. Have you suddenly been receiving a lot of bounce back emails for messages that you did not send?
2. Have some of the emails you sent been rejected, with the rejection message containing the words BLOCKED, SPAM, or similar?

If you answered yes to either of these questions then chances are your email account has been compromised by someone who is using it to send out tons of spam emails.

How did this person get into my email account – aren’t your hosting servers secure?
It is a very common misconception that the hosting server is not secure when it's discovered that an email account has been compromised. Years ago hackers / spammers would get ahold of an email account and run it through a script trying every possible password combination in the hope of getting lucky, and if they did, use the account to send out spam. These days email hosting servers are set up much more securely, which makes that type of hack impossible: after X number of failed login attempts, the server will permanently block that user's IP address from accessing emails, your website, or the server again.

The method these spammers / hackers use these days is compromising the computer the email address is accessed from, using a virus or malware-type “keystroke logger”. That in turn allows them to get your actual logins for your email account, website, bank accounts, or other private information directly from your computer. When they then log in using the proper logins, they are seen as an authenticated user and can do what they desire from there. So it isn’t a security issue with your website / email hosting service, but rather with the compromised computer(s) you use to access your email accounts, website, etc.

How do I resolve this?
To resolve this type of issue, follow these steps entirely.

1. REPAIR AND CLEANUP ON YOUR COMPUTER(S):
The first step is to do a complete repair and cleanup on ALL computers that have accessed the email account in question with the current password at ANY time. Follow these easy steps below under the SUGGESTED CLIENT ACTIONS section, which apply for both compromised emails and websites.
https://tppwebsolutions.com/knowledge-base/faq/a-hacker-got-a-hold-of-my-hosting-logins-how-did-this-happen-and-how-can-i-protect-myself/

2. CHECK TO SEE IF YOU ARE ON BLACKLISTS:
A “blacklist” or “blocklist” is a spam offenders database. There are roughly 50 globally used spam databases that most hosting providers and internet service providers use to both:
a. Report sources that send excessive amounts of spam email.
b. When an email is received, check against one or more of these to see if the location it is coming from has been flagged for excessive spam, and if so block it and send a rejection email notification to the original sender.

In addition, some companies such as AT&T, AOL, and Comcast keep their own private spam databases. If enough spam was sent out from your email address, then chances are you are on one or more of these blacklists, and until you can get your website removed from them, no one who uses those email hosts will be able to receive your emails.

– STEP 1: Examining a rejection email from an ISP that shows you were rejected for spam or similar.
If you are unsure how to interpret these emails, send a copy of 1-2 of them to our support staff via a ticket, or email your web specialist rep. You can see an example of this type of email below:
https://tppwebsolutions.com/knowledge-base/faq/why-do-i-keep-getting-mail-delivery-failed-returning-message-to-sender-bounce-back-emails-from-my-website/

– STEP 2: Determining your website IP address:
There are multiple ways to do this. In addition to the IP address that was sent over when your hosting account was first set up, here are a few other methods you can use. Check out the following FAQ, which gives instructions for doing it from your PC / Mac, and more.
http://www.wikihow.com/Find-a-Website’s-IP-Address

Alternatively you can use a website like http://websiteipaddress.com/ to determine your website IP address.

– STEP 3: Determining if your website IP address is on blocklists:
a. Go to the following website and click on the BLOCKLISTS link at the top: www.mxtoolbox.com
b. Enter your website IP address with no spaces or http://, strictly the numbers, i.e. 67.123.123.123, and press Enter.
This will return you a list of the major blacklist databases. If you see any of them in RED with a message like “We noticed you are on a blacklist”, then you are on one or more blacklists.
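
The check that these lookup tools and receiving mail servers perform can be reproduced directly. The sketch below is an added example, not code from this article or from mxtoolbox: it reverses the IP's octets, appends a blocklist zone, and interprets the DNS answer. The three zones are real public blocklists chosen here as an assumption, the 127.255.255.x error range is Spamhaus's documented behaviour, and the sample answers are constructed.

```python
import ipaddress
import socket

# Real public DNSBL zones, picked for this example; the article itself names none.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error replies


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip.strip())  # ValueError for 'http://...' or hostnames
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A records for name via the system resolver; [] when nothing is returned."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and resolver failures both land here
        return []


def classify(answers):
    """Map DNSBL answers to 'not listed', 'listed' or 'error'."""
    if not answers:
        return "not listed"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a in ERROR_CODES for a in addrs) or not all(a in LOOPBACK for a in addrs):
        return "error"  # refused query or hijacked zone: not evidence of a listing
    return "listed"


def check_ip(ip, zones=ZONES, resolver=system_resolver):
    """Return {zone: status} for one IPv4 address."""
    return {z: classify(resolver(dnsbl_query_name(ip, z))) for z in zones}


if __name__ == "__main__":
    # Constructed answers standing in for DNS so the demo runs offline.
    fake = {"10.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
            "10.2.0.192.bl.spamcop.net": ["127.0.0.2"]}
    for zone, status in check_ip("192.0.2.10", resolver=lambda n: fake.get(n, [])).items():
        print(f"{zone:28} {status}")
```

Calling `check_ip("your.ip.here")` without a `resolver` argument queries live DNS; an "error" result usually means the blocklist refused the query (for example because it came through a public resolver), so rerun it from the mail server's own resolver before concluding anything.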

3. REMOVAL FROM BLACKLISTS:
Getting your website removed from blacklists can either be done by us for a small fee (contact us for a quote – price depends upon how many), or you can attempt this yourself following these instructions:
a. In the results from www.mxtoolbox.com (STEP 3 above), each blacklist that your site is listed on has a DETAILS button next to it. Click on it.
b. On the following page near the bottom you will see a SUMMARY section, which includes a URL at the bottom that takes you to that particular blacklist website. Click on it.
c. Each spam database site is different, so look for a link that says any of the following or similar: IP LOOKUP, REQUEST REMOVAL, or similar. Click on it.
*note: some spam sites do not have a tool for you to request removal of your IP address. Those types of sites will usually drop your IP address from their systems if there are no further incidents for anywhere from 1 day to 12 days.
d. Fill in your IP address to verify it is on the blacklist for their system, then it should list specific instructions for how to get yourself removed.

This request process can be anything from just clicking a button to filling out some information and answering some questions (i.e. cause? is it resolved now? etc.). After filling this out for each spam list site, you can expect to receive a confirmation email from them indicating they have received your request. Some companies will also send a second email once it has been removed; most do not, so you will just have to rerun the check on mxtoolbox.com in a few days.

IMPORTANT: Some ISPs like AT&T, AOL, or Comcast have their own spam databases and don’t use the global ones. In those cases the only way to get yourself removed is to look closely at any rejection emails from them, which will include some sort of link to FIND OUT MORE, or GET REMOVED, etc. As per the instructions above, follow the provided link and fill out whatever form they give you. AT&T is known to be very challenging to get yourself removed from: their forms are not easy to follow and do not ask the important questions, and response time through those forms is very slow. If you discover you have been blocked by AT&T, we suggest following the instructions in the article below:
https://tppwebsolutions.com/knowledge-base/faq/why-do-i-keep-getting-mail-delivery-failed-returning-message-to-sender-bounce-back-emails-from-my-website/
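
To sort a pile of rejection emails into "blocked for spam" versus ordinary delivery failures, and to pull out the removal link an ISP includes, a small triage script helps. This is an added example, not part of the original article: the bounce text, host names and URL are constructed, and the keyword list is an assumption based on the wording described above.

```python
import re

# SMTP reply code at a line start or after "host ...: ", with optional enhanced status.
SMTP_RE = re.compile(r"(?:^|:\s)([45]\d\d)[ -](?:([45]\.\d{1,3}\.\d{1,3})\b)?", re.M)
URL_RE = re.compile(r"https?://[^\s<>()]+")
KEYWORDS = ("blocked", "spam", "blacklist", "blocklist")  # assumed wording

# Constructed bounce in the "Mail delivery failed" style.
SAMPLE = """\
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error.

  user@example.net
    SMTP error from remote mail server after RCPT TO:<user@example.net>:
    host mx.example.net [198.51.100.7]: 550 5.7.1 Connection BLOCKED,
    sender IP 192.0.2.10 is listed for spam. See
    https://postmaster.example.net/removal for details.
"""


def triage_bounce(text):
    """Summarise one bounce: SMTP code, enhanced status, block wording, links."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)  # join indented continuation lines
    m = SMTP_RE.search(unfolded)
    code, enhanced = (m.group(1), m.group(2)) if m else (None, None)
    wording = [k for k in KEYWORDS if k in unfolded.lower()]
    links = [u.rstrip(".,;") for u in URL_RE.findall(unfolded)]
    # 5.7.x is the "security or policy" class of enhanced status codes (RFC 3463).
    policy = bool(wording) or (enhanced or "").startswith("5.7.")
    if code and code.startswith("5") and policy:
        verdict = "policy block"      # check blocklists, follow the removal link
    elif code:
        verdict = "delivery failure"  # e.g. unknown user or full mailbox
    else:
        verdict = "unknown"           # no SMTP code found; read it by hand
    return {"code": code, "enhanced": enhanced, "wording": wording,
            "links": links, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_bounce(SAMPLE).items():
        print(f"{key:9} {value}")
```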

If you have any additional questions, or wish for us to resolve this for you for a small fee, please contact us today.

 
