I recently received a bogus email that used the Bitdefender domain: noreply_community@bitdefender.com
How is this possible? I would expect BD to be very secure.
Most likely, they spoofed the email. See this article:
https://www.bitdefender.com/en-us/blog/hotforsecurity/security-tips-for-spotting-and-protecting-against-a-spoofed-email
Only looking through the email header would tell for sure.
Hi, thanks. I get the spoofing thing, but my question is how these guys get hold of someone's domain, or do they have the ability for the email to only appear as if it is from that domain?
The normal "easy" spoofing is possible because the SMTP protocol used to send email allows the sending client to enter any sender it wants. In the old days, you could send email as anyone from any server. Nowadays, major email services perform more checks, so this isn't possible in many cases (Google would just reject the email); however, if your email provider is not a good/major one, this isn't guaranteed.
Another normal "easy" way is to manipulate the "From:" line in the header so that when shown in abbreviated form, like on a mobile email client, only the spoofing part is apparent, and the actual email isn't displayed.
The "hard" way requires security compromises on the domain owner. Attackers can breach email system security, allowing them to send emails from the owner's own email system. They can also take control of the DNS of the domain owner, allowing them to reconfigure emails sent from unauthorized systems as legitimate.
To tell for sure, you may need to analyze the email header, which is often not that straightforward nowadays if you use email aliases, etc.
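The two "easy" tricks described in this reply (a forged From line, and a display name that carries a trustworthy-looking address while the real addr-spec points elsewhere) can both be spotted from the headers. The following is an added example written for this thread, not code from Bitdefender or the forum; the two raw messages are constructed, and the domains in them are placeholders.

```python
"""Flag the two "easy" spoofing patterns from the headers of a raw message.

Added example for this thread; the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name is an address on a trusted domain, but the
# real addr-spec (the part mail software actually routes on) is a different domain,
# and the envelope sender (Return-Path) is a third one. On a client that shows only
# the display name, the recipient sees just the trusted address.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
From: "noreply_community@bitdefender.com" <alerts@lookalike.example.org>
To: victim@example.com
Subject: Your account

body
"""

# Constructed sample of a plain notification: the display name is ordinary text and
# the addr-spec and envelope sender share one domain.
LEGIT_RAW = """\
Return-Path: <noreply_community@bitdefender.com>
From: Bitdefender Community <noreply_community@bitdefender.com>
To: member@example.com
Subject: Trending Topics in Bitdefender Community

body
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_from_header(raw: str) -> dict:
    """Return the parsed sender plus a list of human-readable findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []

    # Pattern 1: an email address embedded in the display name whose domain differs
    # from the addr-spec. Abbreviated (mobile) views show only the display name.
    for embedded in ADDR_RE.findall(display):
        if domain_of(embedded) != domain_of(addr):
            findings.append(f"display name shows {embedded} but real sender is {addr}")

    # Pattern 2: the envelope sender domain differs from the header From domain.
    # This is a signal, not a verdict: bulk providers sending on a customer's behalf
    # legitimately use their own bounce domain here.
    if return_path and domain_of(return_path) != domain_of(addr):
        findings.append(
            f"Return-Path domain {domain_of(return_path)} != From domain {domain_of(addr)}"
        )

    return {"from_addr": addr, "display_name": display, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, check_from_header(raw))
```

Pattern 2 on its own is exactly the "one entity sending on behalf of another" situation discussed later in the thread, which is why real mail filters do not stop at the Return-Path but check whether SPF or DKIM aligns with the From domain.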
I just had a conversation with Bitdefender Support via chat. They have created a ticket and escalated the query to their backend department. As soon as I receive an update via email, I will update this post. Below is the chat transcript for reference.
Regards
Thank you for the help. Let's see what comes out.
I think that one of the prime contributors is that there are unscrupulous email service providers out there - they do not question the obvious use of other users' domains.
Below is the reply I received from Bitdefender Support via email.
These guys (Symantec) screen my incoming mails before they land in my mailbox. I then googled (see below) and that made me concerned.
However, I accept that you say this is ok. Thank you.
@Alexandru_BD, do you have anything to say here?
Hey,
Thanks for sharing the info. Your actual email address is in the first image, so you (or the mods) might want to redact that.
Hey @Flexx ,
According to @CMW's image above, they are receiving the "spoofed" email from 208.117.49.186, which appears to be a LEGITIMATE Bitdefender email infrastructure. It's the same one I received for this thread's email notification; mine is tagged as being from o1.smtp.vanillaforums.com (208.117.49.186). Symantec, the email security software the OP uses, also appears to tag the address noreply_community@….com as a possible scam or illegitimate email address. If this is a problem on Bitdefender's or the third-party provider's end, Bitdefender probably wouldn't want Symantec to report on the issue.
The third-party forum software provider, vanillaforums.com or higherlogic.com, may have vulnerabilities or compromises. If so, Bitdefender may want to get on it, or investigate this in more detail.
ps: More info:
mxtoolbox.com tagged the IP address to SendGrid.inc, in Colorado.
Thank you so much for the replies - these are all extremely helpful.
As far as redacting my email address, I would appreciate it if someone could do that (I don't know how).
I guess that the bottom line is to be alert all the time. Having Bitdefender is a great comfort.
Thanks again, Community.
Hello,
@CMW can you share what was the actual content of the email you received from that email address? Make sure to blur any sensitive personal information, if any, as this is still a public forum. I'm asking because the domain is indeed legitimate; it's being used in various forum communications such as the weekly email digest / community newsletter, email notifications (for those who have expressed this preference) and automated onboarding emails. @Bonfire9911 I will further investigate this with vanillaforums as well. By all means, there shouldn't be any invoices or other types of content delivered through that domain, except for the purposes I've enumerated above, so if anything like that comes up, that's a scam.
Thank you for the due diligence and feedback. 👍️
Good day.
The email was intercepted and quarantined by the system put in place by the entity that manages my domain. Consequently, I did not seek to open the mail and can indeed not do so.
In the latter part of my screenshot above, there are some details of subject, message ID etc. (all of which do not make sense to me, a mere mortal).
If you are really committed to the task, I can engage with the service provider and try to get hold of the actual email.
Thank you for your support and interest.
Hi and thanks for getting back.
Yes, I'm committed to getting to the bottom of this because I manage this forum and that's one of the noreply domains we use, so I need to investigate this further with our supplier as well. Now, if the email bears the title "Trending Topics in Bitdefender Community", that's our Email Digest option, so kind of a weekly forum newsletter including the most active discussions, and you can subscribe or unsubscribe using the Notification Preferences under the Account & Privacy settings of your community profile. The checkbox looks like this:
I think there are two possibilities here: either a false positive from Symantec, since their verdict seems inconclusive, in which case they need to update their records to reflect this more accurately, or a scam is circulating, but in order to confirm this, I'll need to see the content that was delivered. Thanks!
Hi. OK
Let me give it a shot.
While this does obviously happen, it's low on the list of ways that scammers/spammers use to send their junk. Unscrupulous email providers very quickly go out of business, because the scoring mechanisms for identifying scam/spam quickly identify the source IP addresses as 'compromised', and they quickly become blocked globally, at a high level in the overall internet networking.
The much more common mechanism is finding poorly maintained websites - very frequently Wordpress sites that aren't kept up with current software - and hijacking them to send out their junk. A server that isn't correctly firewalled is like catnip for a cat. That doesn't last long either - again, the scoring mechanisms on the net relatively quickly identify the source and they are blocked - but the scam/spammers don't care, it's not their server, so they just jump to another one (while the oblivious website owner struggles to figure out why their site is down and nothing is working).
For the most part, scam/spammers just bounce from exploited server to exploited server, and there's an endless supply of them.
The next best thing for the spam/scammer - if they aren't technologically naive - is to spin up a small server with a hosting provider, and send the email through that. That requires paying for a service, and some technical abilities, and the same thing will happen - the server is quickly blocked, their costs for creating the server aren't refunded, and they have to move on. It's much farther down the list than exploiting other sites. Actually hacking into a large, reputable site and exploiting it is way farther down the list from that.
The base protocol of email - SMTP - was created in 1981, back when the internet was primarily a tool of universities and research centers, and there was no such thing as 'spam'. It's a very open protocol. Over the decades, in response to the malefactors out there, many layers of authentication and 'proofing' have been created to stem the tide of junk - DMARC, SPF, ARC, DKIM, DANE, TLS for the otherwise cleartext transmission of messages, and more.
It's exceedingly unlikely that Bitdefender's servers have been compromised.
SendGrid is a massive third-party email provider, not part of Bitdefender's actual, formal email infrastructure. I get junk emanating from SendGrid regularly, but it's a matter of volume with SendGrid - gigantic providers can't stop malefactors from dive bombing into their system for fifteen minutes until the systems see that spam is emanating from an account and disable it.
Importantly though, SendGrid is used only for forum emails - a crucial distinction. Bitdefender's actual antivirus/security infrastructure is separate - physically - from the forums or these emails. I engaged with Bitdefender support earlier this year, as well as getting the periodic 'Protection review' emails, and they do not come through SendGrid, but actual separate Bitdefender email infrastructure for formal communications.
All that to say that your Bitdefender protection is unlikely (in the extreme) to have been compromised, and that the shortcoming is likely in vanillaforums as Bonfire9911 suggests.
Thank you everyone for your very helpful feedback (latterly, Clay Miles). It is indeed encouraging to know that there is this solid structure in the immediate background - there are so many scammers out there. That said, I cannot understand why the millions of dollars that I win every other day, do not end up in my bank account 😉
I will explore options to enable some sort of sender authentication. My theory is that Symantec "sees" that noreply email address as being sent by vanillaforums instead of Bitdefender directly. So, it finds that one entity is sending emails on behalf of someone else, hence the red flag. The sender authentication will allow the outgoing emails to be signed by the client's domain, in this case Bitdefender's domain instead of vanilla's, and this should help resolve the issue, theoretically.
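What this post describes is DMARC identifier alignment: a receiving filter compares the domain that passed SPF (the envelope sender) and the domain in the DKIM signature (`d=`) against the From domain, and "signed by the provider on behalf of the client" fails that comparison until the provider signs with the client's own domain. The alignment check below is an added example for this thread, not Bitdefender's, vanillaforums' or Symantec's code; it reads the Authentication-Results header a receiving mail server stamps on a message, and both sample headers and all domains in them are constructed placeholders. It also covers the SPF/DKIM/DMARC layers mentioned a few posts earlier.

```python
"""DMARC-style identifier alignment from an Authentication-Results header.

Added example for this thread; the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a bulk provider sends for a customer and DKIM-signs with its OWN
# domain; SPF passes for the provider's bounce domain. Neither identifier aligns
# with the customer's From domain, so a DMARC-evaluating filter sees "third party
# sending on behalf of someone else".
UNALIGNED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.provider.example; dkim=pass header.d=provider.example
From: Customer Community <noreply@customer.example>
Subject: weekly digest

body
"""

# Constructed: same provider, but the customer published a DKIM key under its own
# domain and the provider signs with it (the "sender authentication" in the post).
ALIGNED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.provider.example; dkim=pass header.d=customer.example
From: Customer Community <noreply@customer.example>
Subject: weekly digest

body
"""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Real implementations consult the Public Suffix List (think example.co.uk);
    two labels is enough for the constructed domains used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Map each method (spf, dkim, ...) to its result and property values."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, verdict, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = {"result": verdict, **props}
    return results


def dmarc_alignment(raw: str, relaxed: bool = True) -> dict:
    """Relaxed mode compares organizational domains; strict requires exact match."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    norm = org_domain if relaxed else str.lower

    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and norm(spf.get("smtp.mailfrom", "")) == norm(from_domain)
    dkim_aligned = dkim.get("result") == "pass" and norm(dkim.get("header.d", "")) == norm(from_domain)

    # DMARC passes if EITHER authenticated identifier aligns with the From domain.
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    print("provider-signed:", dmarc_alignment(UNALIGNED))
    print("customer-signed:", dmarc_alignment(ALIGNED))
```

Only trust the Authentication-Results header whose authserv-id is your own receiving server; anything upstream could have been added by the sender. Note that in the second sample SPF still does not align (the bounce domain stays the provider's), which is normal for third-party senders: DKIM signing with the client's domain is what makes DMARC pass.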
Thank you Alexandru_BD. That seems to make sense.
I must add that, daily, I receive numerous warning-type mails from Symantec, but this is the only time they have flagged one from Bitdefender. That said, the community forum mails I do receive do not have the "no reply" in the title of the problematic mail.
I am still trying to get the original mail released by Symantec.
Hi @CMW, any chance we can get the email header and more info from symantec soon, as this is currently a blocker and we can't proceed with the changes without having this piece of information? Thanks!
Greetings.
I have reached out to Symantec again (this time via a logged ticket) and am hoping for a response.
Thank you for sticking with this matter.
Dear all,
I have engaged with the service provider and my understanding is that the Symantec system screens my incoming mails, and if the mail is found to be suspect, it is quarantined. If the body of the email contains links, each link is checked. It appears that, in my case, one of the links was suspect and the email remained in quarantine and was not delivered to me.
Below are two screenshots sent by the service provider for the experts out there, to peruse. I hope this makes sense.
Thank you so much for the support and input.
Thank you for sharing the above details. It's clear to me now that this was a false positive on Symantec's end: since it checks links and the Email Digest does include a few, it saw something there it did not like, hence the flag and quarantine. Therefore, this doesn't really have anything to do with the DNS records and domain setup on our end, as the email delivery was not blocked because of this.
Now, I no longer have the email that was sent on January 5th, according to the records, so I can't really check the links included, but these are always links to the most recent and active discussions on the forum, so I doubt there was anything harmful there.
All good - as long as you are satisfied. From my side, I will flag the matter as closed, unless there is further info you need.
Thanks again
Yeah I think we can close the matter and thank you once again for helping us clarify this.