Email Spoofing Or Something More Sinister? [closed]

I'm a software developer and my wife works at a small business. I'm not a security expert, but the story their IT contractor is giving her doesn't add up to me.

Lately some people who send email to "Jane," the person in charge of finances at her company, have been receiving bounce-back messages. According to their 3rd-party IT company, it's the result of someone spoofing Jane's email and there's nothing they can do about it.

But it doesn't sound like spoofing to me. My understanding of spoofing is that some malicious actor (probably a spam-bot) is sending emails claiming to be from Jane, and there's no actual security compromise. Therefore, Jane might receive bounce-back emails when the spam-bot sends to a bad email address.

That's not what's happening. Jane is not receiving bounce-backs. It's the people who email her who are receiving the bounce-backs. The bounce-back always says "[email protected]" is over quota, and includes their original email to Jane as an attachment.

In other words, if you send an email to [email protected] you might get a bounceback from [email protected], and that bounceback does have your original email attached. Jane would have received your email normally and not seen anything odd.

So it seems to me what's going on is a copy of emails sent to Jane are somehow being forwarded to that gmail address, and at some point it got over-quota and started bouncing. In other words, someone is snooping on Jane.

This is happening even when it's a user at Jane's company sending the email to her. Some people never get the bounces. Other people (like the owner of the company) always get bounce messages every time they send one.

Here's the bounceback message they're receiving:

The original message was received at Fri, 11 Jan 2019 08:36:54 -0500
from atl4qibmail03pod5.registeredsite.com [10.30.71.90]

*** ATTENTION ***

This email is being returned to you because the remote server would not
or could not accept the message. The registeredsite servers are just
reporting to you what happened and are not the source of the problem.

The address which was undeliverable is in the section labeled:
  "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is in the section labeled:
  "----- Transcript of Session Follows -----".

This section describes the specific reason your e-mail could not be
delivered.

Please direct further questions regarding this message to your e-mail
administrator.

--Registeredsite Postmaster

   ----- The following addresses had permanent fatal errors -----
<[email protected]>
    (reason: 552-5.2.2 The email account that you tried to reach is over quota. Please direct)

   ----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 552-5.2.2 The email account that you tried to reach is over quota. Please direct
<<< 552-5.2.2 the recipient to
<<< 552 5.2.2  https://support.google.com/mail/?p=OverQuotaPerm u6si11420159ybg.477 - gsmtp
554 5.0.0 Service unavailable
<<< 503 5.5.1 RCPT first. u6si11420159ybg.477 - gsmtp
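As an added example (not from the question or any answer), a small parser that applies the poster's reasoning to this kind of sendmail-style bounce: it pulls out the failing mailbox and the remote MTA, then flags a bounce whose failed address is not the one the sender actually wrote to, which is the signature of a redirected copy rather than of spoofing. The sample bounce is constructed from the one quoted above; the gmail mailbox is a placeholder for the redacted address, and the recipient jane@example.com is assumed.

```python
import re

# Constructed sample, modelled on the bounce quoted in the question.
# The gmail mailbox is a placeholder for the address the poster redacted.
SAMPLE_BOUNCE = """\
The original message was received at Fri, 11 Jan 2019 08:36:54 -0500
   ----- The following addresses had permanent fatal errors -----
<placeholder.account@gmail.com>
    (reason: 552-5.2.2 The email account that you tried to reach is over quota. Please direct)
   ----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 552-5.2.2 The email account that you tried to reach is over quota. Please direct
<<< 552 5.2.2  https://support.google.com/mail/?p=OverQuotaPerm u6si11420159ybg.477 - gsmtp
554 5.0.0 Service unavailable
"""

FATAL_HDR = "The following addresses had permanent fatal errors"
TRANSCRIPT_HDR = "Transcript of session follows"

def parse_bounce(text):
    """Extract failed recipient(s), remote MTA and first SMTP reply from a sendmail-style bounce."""
    failed, remote_host, reply, section = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if FATAL_HDR in line:
            section = "fatal"
        elif TRANSCRIPT_HDR in line:
            section = "transcript"
        elif section == "fatal":
            m = re.fullmatch(r"<([^<>\s]+@[^<>\s]+)>", line)  # one <address> per line
            if m:
                failed.append(m.group(1).lower())
        elif section == "transcript":
            m = re.match(r"\.\.\. while talking to ([^:\s]+?)\.?:", line)  # strip trailing dot
            if m:
                remote_host = m.group(1)
            m = re.match(r"<<< (\d{3})[ -](\d\.\d\.\d)", line)  # "552-5.2.2 ..." or "552 5.2.2 ..."
            if m and reply is None:
                reply = (m.group(1), m.group(2))
    return {"failed": failed, "remote_host": remote_host, "reply": reply}

def classify_bounce(bounce, intended_recipient, sender_really_sent):
    """backscatter: the 'sender' never sent anything (address spoofed elsewhere).
    redirection: the sender did write, but the failing mailbox is not the one addressed,
    so the receiving system relayed a copy (forward rule, list, or compromised account)."""
    if not sender_really_sent:
        return "backscatter"
    unexpected = [a for a in bounce["failed"] if a != intended_recipient.lower()]
    return "redirection" if unexpected else "ordinary-failure"
```

A mail admin can run every bounce a complaining sender has kept through `classify_bounce` with the address they mailed; a consistent "redirection" verdict naming an external mailbox points at the recipient's account settings, not at spoofing.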

I'm with Ruscal on this.

If you send an email to Jane and you receive this bounceback then it's clearly because a forward has been set up on Jane's email account, either intentionally or maliciously.


The only case I ever saw of spoofing was a fake domain sending "trash e-mails" asking for bitcoins and blackmailing (with a bitcoin link) some workers of this specific corporation with a generic menace text (for example, saying things like "I know the sites you have been visiting because I have a trojan installed in your home machine", "I took pictures of you by your webcam", et cetera). Your case doesn't sound to me like a spoofing attack; it's better to make a new e-mail for Jane if the IT can't figure out what the problem is with her account. Maybe it's better to just start over (obviously, backing up her messages to the new account).