I got an email in one of my accounts; it appears to come from me. I don't know if they really hacked it or if it's spoofed... and if so, how do I stop it.
This is the metadata of the email:
: (qmail 142280 invoked by uid 30297); 29 Mar 2019 05:46:33 -0000
Received: from unknown (HELO p3plibsmtp03-15.prod.phx3.secureserver.net) ([220.127.116.11])
by p3plsmtp01-03-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <firstname.lastname@example.org>; 29 Mar 2019 05:46:33 -0000
Received: from mail.alec-sys.co.jp ([18.104.22.168])
by CMGW with ESMTP
id 9kLThmXoXULhR9kLThXfCI; Thu, 28 Mar 2019 22:46:32 -0700
Received: from [82-117-234-189.gpon.sta.kh.velton.ua] [22.214.171.124] by mail.alec-sys.co.jp with ESMTP
(SMTPD-11.03) id 324e0000034f07cb; Fri, 29 Mar 2019 14:49:36 +0900
Date: Fri, 29 Mar 2019 06:46:13 +0100
List-Subscribe: 3/29/2019 06:46:11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre)
X-Spam: Ironport 50%
This is a multi-part message in MIME format
Content-Type: text/plain; charset=UTF-8
Content-Type: text/html; charset=UTF-8
In my opinion, it's a spoofed email. Having said that, since you posted your email address, I checked it at https://monitor.firefox.com and it does bring up one hit on a data breach back in February 2019. So I would hope you have changed your password anywhere you use that email account. But that's not the main reason why I am replying. I receive one spam message a day on my account even though I have completely disabled the MX records in DNS. The message header is very similar to yours. The first similarity is the following line:
by CMGW with ESMTP
I'm not certain what CMGW is, but I think it has something to do with SMS texting. I'm still researching this, because this must be how it's sneaking into my inbox.
The other thing that is similar is the names of Godaddy's SMTP servers. They must all be mirror servers, as a ping -a to their IP addresses returns only the stated name. Here is a brief list of the servers from which I have received this spam message:
This is just a small sample. Each of the messages uses a different permutation of SMTP server names. And they ALL have the "by CMGW with ESMTP" line in the header. It is my hope someone on Godaddy's SMTP team sees this message. My domain is digital-plumber.com and you will see my only MX record (which I temporarily changed 2 weeks ago) points to tar.junkemailfilter.com, which should make it impossible for me to receive SMTP email to my catch-all account. Yet this one message still gets through every day. I suppose I can try deleting some of the other CNAMEs in my DNS, but I hate doing things blindly. Hopefully someone from Godaddy will reply to this thread.
Welcome to the Community!
It's likely you were spoofed. Check out this article for what it means and how you can prevent it in the future. There are links at the bottom of the article to help you create an SPF record in the DNS of your domain. Here are the basics:
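Added example, not from this thread or from GoDaddy: a small Python script that walks the Received chain posted above to find the origin host and the IP that handed the message to the recipient's border server, then evaluates that IP against an SPF record the way a receiving server does. The SPF record for example.org and the assumption that secureserver.net and CMGW are the recipient provider's own hosts are constructed for illustration; with the record's "-all", a message relayed from any server not listed in it fails SPF, which is the check the spoofed message above would not pass.

```python
import ipaddress
import re
# Constructed sample: the three Received headers from the post, newest first
# (each server prepends its own line, so the bottom one is closest to the origin).
RAW_HEADERS = """\
Received: from unknown (HELO p3plibsmtp03-15.prod.phx3.secureserver.net) ([220.127.116.11])
 by p3plsmtp01-03-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
 for <firstname.lastname@example.org>; 29 Mar 2019 05:46:33 -0000
Received: from mail.alec-sys.co.jp ([18.104.22.168])
 by CMGW with ESMTP
 id 9kLThmXoXULhR9kLThXfCI; Thu, 28 Mar 2019 22:46:32 -0700
Received: from [82-117-234-189.gpon.sta.kh.velton.ua] [22.214.171.124] by mail.alec-sys.co.jp with ESMTP
 (SMTPD-11.03) id 324e0000034f07cb; Fri, 29 Mar 2019 14:49:36 +0900
"""
OWN_HOSTS = ("secureserver.net", "CMGW")  # assumption: the recipient provider's servers
SPF_RECORD = "v=spf1 ip4:220.127.116.0/24 -all"  # constructed record for example.org
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_received(raw):
    """Unfold each Received header into a (sending_ip, receiving_host) hop, newest first."""
    hops = []
    for header in re.split(r"\n(?=Received:)", raw.strip()):
        unfolded = " ".join(line.strip() for line in header.splitlines())
        m = re.search(r"from\s+(.*?)\s+by\s+(\S+)", unfolded)
        if m:
            ips = IP_RE.findall(m.group(1))
            hops.append((ips[-1] if ips else None, m.group(2)))
    return hops

def border_client_ip(hops, own_hosts=OWN_HOSTS):
    """IP that connected to our own border server; earlier hops were written by outsiders and may be forged."""
    own = [ip for ip, by in hops if by.endswith(own_hosts)]
    return own[-1] if own else None

def evaluate_spf(record, client_ip):
    """Minimal SPF check: ip4 mechanisms and the closing 'all'. Mechanisms needing DNS
    (include, a, mx, exists, ptr) are not resolved offline and return 'unknown'."""
    ip, terms = ipaddress.ip_address(client_ip), record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all" or (name == "ip4" and ip in ipaddress.ip_network(arg, strict=False)):
            return RESULTS[qualifier]
        if name in ("include", "a", "mx", "exists", "ptr"):
            return "unknown"
    return "neutral"
```

For the posted chain, the oldest hop gives the origin 22.214.171.124 (the velton.ua host), the border client IP is 18.104.22.168 (mail.alec-sys.co.jp), and the constructed record returns "fail" for it.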