  • Fix your DNS records so the url actually goes to someplace you control, especially if it's your URL.

    Then fix your SPF records and think about a DMARC record as well to fix the email address spoofing.

    URL text is something you will never be able to control because of how the w3c standard was done.

    <a href="actual url">whatever text you want</a>

    Spice (38)
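    The point above, that anchor text is free-form and only the href decides where a click goes, is exactly what the ticket email in this thread exploited. The script below is an added example (not from this thread or any of its posters) that walks the links in an HTML mail body and flags every anchor whose displayed URL names a different domain than its href. The email body and the base64 `d=` value in it are constructed samples; the crude "last two labels" domain comparison is an assumption that a public-suffix list would refine.

    ```python
    import re
    from html.parser import HTMLParser
    from urllib.parse import urlparse

    # Constructed sample of a phishing email body: the visible text claims to be an
    # airline ticket link, but the href points at the hijacked joesbaitshop.com domain
    # from the thread. The d= value is a constructed base64 placeholder, not the real one.
    SAMPLE_EMAIL_HTML = """
    <p>Your e-ticket is ready. Download it here:</p>
    <a href="http://JOESBAITSHOP.COM/f.php?d=dXNlckBleGFtcGxlLmNvbQ==">https://www.delta.com/ticket/eTicket.pdf</a>
    <p>Or visit <a href="https://www.delta.com/">www.delta.com</a> for help.</p>
    <p><a href="http://JOESBAITSHOP.COM/f.php">Click here</a> if the link above fails.</p>
    """

    # Display text that "looks like" a URL: optional scheme, at least one dot, no spaces.
    URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


    class LinkCollector(HTMLParser):
        """Collects (href, visible text) pairs for every <a> element."""

        def __init__(self):
            super().__init__()
            self._href = None
            self._text = []
            self.links = []

        def handle_starttag(self, tag, attrs):
            if tag == "a":
                self._href = dict(attrs).get("href") or ""
                self._text = []

        def handle_data(self, data):
            if self._href is not None:
                self._text.append(data)

        def handle_endtag(self, tag):
            if tag == "a" and self._href is not None:
                self.links.append((self._href, "".join(self._text).strip()))
                self._href = None


    def hostname_of(value):
        """Hostname of a URL or URL-looking string, lowercased; None if unparseable."""
        candidate = value if "://" in value else "http://" + value
        try:
            return urlparse(candidate).hostname
        except ValueError:
            return None


    def registrable_part(host):
        """Crude registrable domain (last two labels), enough to treat www.delta.com
        and delta.com as the same site. Assumption: a public-suffix list would be exact."""
        labels = host.lower().strip(".").split(".")
        return ".".join(labels[-2:])


    def find_mismatched_links(html):
        """Return links whose displayed URL text names a different domain than the href.

        Links whose text is not a URL ("Click here") cannot be judged this way and are
        listed under 'unverifiable' so a reviewer looks at them by hand.
        """
        collector = LinkCollector()
        collector.feed(html)
        findings = {"mismatched": [], "unverifiable": []}
        for href, text in collector.links:
            actual = hostname_of(href)
            if not actual:
                continue
            if not URLISH.match(text):
                findings["unverifiable"].append({"text": text, "actual_host": actual})
                continue
            shown = hostname_of(text)
            if shown and registrable_part(shown) != registrable_part(actual):
                findings["mismatched"].append(
                    {"text": text, "shown_host": shown, "actual_host": actual, "href": href}
                )
        return findings


    if __name__ == "__main__":
        result = find_mismatched_links(SAMPLE_EMAIL_HTML)
        for f in result["mismatched"]:
            print(f"MISMATCH: text shows {f['shown_host']} but the link goes to {f['actual_host']}")
        for f in result["unverifiable"]:
            print(f"CHECK MANUALLY: '{f['text']}' -> {f['actual_host']}")
    ```

    Run against the constructed body it reports one mismatch (text shows www.delta.com, link goes to joesbaitshop.com) and one link to check by hand. The same logic dropped into a mail gateway rule is the closest a defender gets to the "hover and compare" advice given later in the thread.
    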

    34 Replies

    • Is the link in the email valid?  Do you have a web server under your control at that address?  Simply delete the file

      Spice (3)
      The first thing you do is disable incoming connections and take down the malicious content, restore from backup before the file existed if need be.
      The way to prevent it in future is patch, patch and patch, don't open ports not needed and don't allow logins over non-secure sites (http)
       
      Spice (17)
    • We don't use the domain for anything, our web server only uses one address. If I forward that domain to my main domain/website will that fix it?

    • Rod-IT wrote:

      The first thing you do is disable incoming connections and take down the malicious content, restore from backup before the file existed if need be.
      The way to prevent it in future is patch, patch and patch, don't open ports not needed and don't allow logins over non-secure sites (http)
       
      We have no web servers for that domain
    • How can it route to a domain that does not exist, are you sure it routes to you, hover over the link

      Spice (2)
    • The email got sent to us from a target. The "apparent" link is for a Delta ticket document, but the hover text is our domain "http://JOESBAITSHOP.COM/f.php?d=am9obi5nZW50bGVAYWRhbXNwcm9kdWNlLmNvbQ=="

      We only have a web server for www.joessportinggoods.com if you go to www.joesbaitshop.com it shows a 403 error.

    • But where does it go - do you own that domain, externally?

      Oh and you really shouldn't post a link that you know is bad, even though this is an IT forum, people can't help themselves and will still click it

      Spice (25)
    • To visit it is even worse. You also added WWW to the link, which doesn't show for them (and don't go to it; if it's malicious you're doing what they want)

    • That site is hosted by GoDaddy, if no one is using it, block access to it or disable it, if you do use it, you need to patch and secure it, obviously it's vulnerable to something and now hijacked.

      Spice (1)
    • Yes make sure you do both port 80 and 443.

      Bweber93 wrote:

      We don't use the domain for anything, our web server only uses one address. If I forward that domain to my main domain/website will that fix it?


      Spice (2)
    • You should get in touch with GoDaddy and have them help you with adding some spoof protection onto that other domain, where you don't really use it. It should be fairly easy, where you own it. You may want it to redirect to the main website; that way it is not just flapping in the wind.

      Spice (5)
    • I think I figured it out. GoDaddy is our registrar, and it seems someone got into the account (management makes bad passwords) and changed the DNS servers for some of the domains we own. I set them back, changed the password and support PIN, and also made sure they all forwarded to the correct domain. Thanks everyone for your help.

      Spice (28)
    • If you are not hosting a website on this domain, why not disable all incoming connections? I see it runs IIS 7.5, so it is a Windows box. Patch it.

      Spice (5)
    • They are all set to forward to our main domain now which is a web server. We are in the process of building a new website which will be hosted on a different host as well.

    • You can do forwarding via DNS, you can still disable IIS/Apache on the GoDaddy side (or Amazon AWS as it shows) for this domain.

      Spice (1)
    • The URLs are all redirecting safely now. Are SPF/DMARC records on the server, or on the DNS/nameserver?

      Spice (1)
    • Why aren't you just hosting your own websites via IaaS or even in house?  (╯°□°)╯︵ ┻━┻

      Spice (2)
    • SPF records are in DNS, as are DMARC.  They're types of TXT record.

      Here's a handy resource on DMARC: https://support.google.com/a/answer/2466580?hl=en&ref_topic=2759254

      Spice (5)
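    Since both SPF and DMARC are plain TXT records, the weak and fixed states can be compared side by side. The script below is an added example, not code from this thread or its posters: it evaluates the TXT strings a domain publishes and lists the settings that leave spoofing unenforced (a `+all` SPF, a missing `_dmarc` record, `p=none`, no `rua=` reporting address). The zone data is constructed; the `include:` host and the reporting mailbox are placeholders. A domain that sends no mail at all, which is the situation in this thread, is covered by the `v=spf1 -all` case.

    ```python
    # Constructed TXT records standing in for a DNS lookup. "before" mirrors a domain with
    # no real mail policy, "after" the corrected state, and "unused_domain" a domain that
    # never sends mail. The include: host and rua mailbox are placeholders, not real records.
    ZONES = {
        "before": {
            "joesbaitshop.com": ["v=spf1 +all"],
            # no _dmarc.joesbaitshop.com record at all
        },
        "after": {
            "joesbaitshop.com": ["v=spf1 include:_spf.mail-provider.example -all"],
            "_dmarc.joesbaitshop.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@joesbaitshop.com"],
        },
        "unused_domain": {
            "joesgunshop.com": ["v=spf1 -all"],
            "_dmarc.joesgunshop.com": ["v=DMARC1; p=reject"],
        },
    }


    def evaluate_spf(txt_records):
        """Return a list of weaknesses in the domain's SPF record (empty list = fine)."""
        spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
        if not spf:
            return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
        issues = []
        if len(spf) > 1:
            issues.append("multiple SPF records: RFC 7208 treats this as a permanent error")
        terms = spf[0].split()[1:]
        all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
        if all_term is None:
            issues.append("no 'all' term: hosts not listed get a neutral result, i.e. no decision")
        else:
            qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
            if qualifier == "+":
                issues.append("'+all' authorises every host on the internet to send as this domain")
            elif qualifier == "?":
                issues.append("'?all' is neutral: equivalent to having no policy")
            elif qualifier == "~":
                issues.append("'~all' is softfail: only useful if DMARC enforces it")
        return issues


    def parse_dmarc(record):
        """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
        tags = {}
        for part in record.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        return tags


    def evaluate_dmarc(txt_records):
        """Return a list of weaknesses in the _dmarc record (empty list = fine)."""
        dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
        if not dmarc:
            return ["no DMARC record: SPF/DKIM failures are never enforced by receivers"]
        tags = parse_dmarc(dmarc[0])
        issues = []
        policy = tags.get("p", "none").lower()
        if policy == "none":
            issues.append("p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            issues.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
        if tags.get("pct", "100") != "100":
            issues.append(f"pct={tags['pct']}: policy applied to only a fraction of mail")
        if "rua" not in tags:
            issues.append("no rua= address: you will not receive aggregate reports showing spoofing attempts")
        return issues


    def audit_domain(domain, zone):
        """Evaluate the domain's SPF TXT record and its _dmarc.<domain> TXT record together."""
        return {
            "spf": evaluate_spf(zone.get(domain, [])),
            "dmarc": evaluate_dmarc(zone.get("_dmarc." + domain, [])),
        }


    if __name__ == "__main__":
        for label, zone in ZONES.items():
            for name in zone:
                if not name.startswith("_dmarc."):
                    print(label, name, audit_domain(name, zone))
    ```

    To feed it live data instead of the constructed zone, the two lookups are `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`; pass the returned strings in as the record lists. Note that the "unused_domain" case still reports the missing `rua=` tag: even a domain that never sends mail benefits from aggregate reports, because they are how you learn someone is spoofing it.
    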
    • zuphzuph wrote:

      Why aren't you just hosting your own websites via IaaS or even in house?  (╯°□°)╯︵ ┻━┻

      Inherited issues from before I came on. The new website will be hosted through Amazon when it launches, but for now our POS provider who built our current (and bad) website hosts it. I just love it gets featured after the issue already got fixed though, classic :)

      Spice (5)
    • Note it is totally worth fixing SPF and SPX records. You will need to also remember, if you have any devices (MFPs) going to an open relay, you may have to adjust some settings. For the record, I recommend routing through your spam filter's trusted host senders. Even better if you have radar or another archiving program. You really can't do anything about misleading hyperlink headers. No way to prevent that at all. Just hope the end user spam filter catches it.

      A couple things we notice from fixing the records.

      1. Some of your employees who were being e-mail spoofed will get some status undeliverable messages from random servers. These are more likely mails the spoofer sent out. Once they realize that the domain and mail is locked down they will stop sending; it took less than a week for me. Some clients don't get these. I have not put my finger on why some do or some don't.

    • Bweber93 wrote:

      I think I figured it out. GoDaddy is our registrar, and it seems someone got into the account (management makes bad passwords) and changed the DNS servers for some of the domains we own. I set them back, changed password and support Pin, and also made sure they all forwarded to the correct domain. Thanks everyone for your help.

      Make sure you turn on 2-factor auth w/ GoDaddy as well (if you haven't already). I had heard there was a rash of GoDaddy brute-forcing/hacking going on lately, sorry you got bit by that.
      Spice (2)
    • LOL @jcLambert! "He must be king, he hasn't got shit all over him"

      Spice (2)
    • jcLAMBERT wrote:

      Help help... I'm being repressed!

      BLOODY PEASANT!!!!
      Spice (2)
    • Bweber93 wrote:

      The email got sent to us from a target. The "apparent" link is for a Delta ticket document, but the hover text is our domain "http://JOESBAITSHOP.COM/f.php?d=am9obi5nZW50bGVAYWRhbXNwcm9kdWNlLmNvbQ=="

      We only have a web server for www.joessportinggoods.com if you go to www.joesbaitshop.com it shows a 403 error.

      Oh neat, a bunch of us at my office got that email, too! Fortunately O365 marked it as spam and sent it to everyone's junk folders.
    • Ridge_Runner_5 wrote:

      Bweber93 wrote:

      The email got sent to us from a target. The "apparent" link is for a Delta ticket document, but the hover text is our domain "http://JOESBAITSHOP.COM/f.php?d=am9obi5nZW50bGVAYWRhbXNwcm9kdWNlLmNvbQ=="

      We only have a web server for www.joessportinggoods.com if you go to www.joesbaitshop.com it shows a 403 error.

      Oh neat, a bunch of us at my office got that email, too! Fortunately O365 marked it as spam and sent it to everyone's junk folders.
      You're welcome for enabling that Spam for you :) I should get the box/motherboard of shame for allowing the owners to create any passwords that touch the internet.
      Spice (2)
    • Hopefully this was some automated attack and no one was motivated to cause trouble. Oh, the stunning mischief one could pull off with 100% control of a domain's registrar! 
        If I were you I'd work with GoDaddy support to get the audit trail of EVERY account change for the past month.
      • WHOIS contact records still OK?
      • Was a domain ownership transfer request put in?
      • MX records changed at all?
      • Anyone register new domains under your name?

      ... and then I'd fire GoDaddy and move to Hover, but that's just me.

    • That's why everything we do is in house. We have absolute control. I know that's not practical for smaller businesses, but if you can swing it, you should.

    • Troy Thompson wrote:

      Hopefully this was some automated attack and no one was motivated to cause trouble. Oh, the stunning mischief one could pull off with 100% control of a domain's registrar! 
        If I were you I'd work with GoDaddy support to get the audit trail of EVERY account change for the past month.
      • WHOIS contact records still OK?
      • Was a domain ownership transfer request put in?
      • MX records changed at all?
      • Anyone register new domains under your name?

      ... and then I'd fire GoDaddy and move to Hover, but that's just me.

      All contact information is the same, WHOIS still shows up as us. I updated myself over the last IT guy on our main domain, changed the password and support PIN, and enabled two-factor just to be safe. Nothing else pending that I saw, but I'll call them up to make sure.
    • You guys don't own "JOESGUNSHOP.COM" as well do you? We got a few from "DeltaAirlines..." to that one, too.

      Thank you for taking care of it ASAP. It happens to the best of us.

    • That we do. I've only seen the ones for Bait Shop, so thanks for informing me that the others were in fact used as well. If anyone clicks the link now it just redirects to our website with a page not found error. I don't have full control of the website, and not knowing all of the links they may have used I can't put up a page saying that it was a scam but nothing bad happened.

      I appreciate everyone's help on this and the lack of shaming :) Still learning a lot of web hosting stuff, so I'm probably not as secure as I can/should be, but they shouldn't be able to affect my DNS settings anymore.

      Spice (1)
    • FYI: when our website was infected with links to Russian malware I cleaned the site, changed the password, etc. The infection was back the next day. It turns out the hosting provider had been compromised so there was no way we could maintain the security of our website. We changed providers at the earliest opportunity.

      Next lesson: hosting providers may have upwards of 100 different websites on the same IP address. If one of those is sending spam the domains of the others can get blacklisted. You can prevent this by separating your email domain from your web domains with a service like CloudFlare, but only if you intend the website to not send emails (which is pretty common.)

      HTH!

    • samuel smith wrote:

      FYI: when our website was infected with links to Russian malware I cleaned the site, changed the password, etc. The infection was back the next day. It turns out the hosting provider had been compromised so there was no way we could maintain the security of our website. We changed providers at the earliest opportunity.

      Next lesson: hosting providers may have upwards of 100 different websites on the same IP address. If one of those is sending spam the domains of the others can get blacklisted. You can prevent this by separating your email domain from your web domains with a service like CloudFlare, but only if you intend the website to not send emails (which is pretty common.)

      HTH!

      Good to know. Our email is already separate from our web hosting at least in terms of providers and IP addresses. I wish our website provider got hacked, then we could switch providers already :)
      Spice (2)
    • I can't add much to some of the great insights provided by my fellow spiceheads above, but I would suggest (if you really really want to be certain):


      Cheers!,

      DD

      Spice (1)