Email account hacked, password changed but still generating draft emails

kazziebear1
Popular Poster

I believe my email account has been hacked. I've changed the password but it's still generating draft emails with no recipients and no text in the email body. It generated 2 this morning at 4am after the password was changed. Can anyone please help or advise what to do next?

Gondola
Community Star
Solution

Hi @kazziebear1

To link this topic to your TalkTalk Mail service, in preparation for direct help from TalkTalk support, please check your Community Profile includes in Personal Information:

Your name, current TalkTalk landline phone and alternate number (mobile preferred). Add your full address with postcode (location). Then scroll down to Private notes to add email address(es), notes and references etc., and then save changes.

The implication is that a hacker still has control of / access to your mailbox. So disconnect all devices that you use to view your emails / sign out of email, and then scan your devices and remove viruses, remote access trojans and other malware that could either have control of a device or be capturing passwords so that a hacker still has access.

Then change the password once more. I recommend basing a 12-15 character password on multi-word, multicase letters and numbers and a symbol.

Just for the moment, log in only to TalkTalk Mail (webmail). Is your mailbox on the TalkTalk Mail platform?

Compose and send the same mailbox a mail message. Check that the message sends without error, is copied into the Sent objects folder, and arrives and stays in the Inbox. Mail not reaching the Inbox could mean there's a Filter rule, including Auto forwarding, which is a special filter rule, that's diverting, discarding or blocking mail.

Let us know of any error message, or if mail does not arrive in the Inbox or disappears from the Inbox.

Gondola - Volunteer 2017-2021



kazziebear1
Popular Poster

Thank you. I've found six rules in the mail forwarding section, which I've deleted. 2 were diverting emails that were from Amazon to another mailbox, 4 were deleting emails from things like mail-daemon and postmaster. I've got screenshots of them all. The email sent correctly, is in the sent folder and arrived in the inbox. The only thing that's worrying me is the draft emails that I haven't written. 2 were written on Monday evening, 5 on Tuesday evening and 2 at 4am this morning. I'm at work at the moment so will have to update personal details tonight. The only thing currently connected to the mail server is my iPhone, and through webmail on a different PC. Password was changed yesterday afternoon.

Really appreciate the help.

Gondola
Community Star

Hi kazziebear1

This is classic hijacking of a mailbox to try and hide the activity of obtaining access to your other online logins like Amazon.

So, having deleted Auto forward and unauthorised Filter rules, you're well on the way to recovering. Just ensure the Reset Details are yours and haven't been changed to allow the hacker the ability to change the password and lock you out.

Menu options - Update your reset details

If the former email password was used anywhere else or simply was easily cracked then you'll need to review your other online logins. Don't forget, only use a scanned and clean device to change passwords. Changing your email password

You may be able to find out about other online data breaches at www.haveibeenpwned.com

 



kazziebear1
Popular Poster

Yes, my mailbox is on the TalkTalk platform. It's an "@tiscali.co.uk" one. I've updated my personal details.

kazziebear1
Popular Poster

If I click on Update reset details, nothing happens.

Gondola
Community Star

Hi kazziebear1

You should see a modal window overlaid on the TalkTalk Mail page, which gets greyed out.

If you don't see that pop-up window then maybe your browser or add-on(s) are blocking it from appearing. Try running the browser in safe mode / with all add-ons or extensions disabled. Or try a different browser.

Update your reset details pop-up



kazziebear1
Popular Poster

Thank you, I changed to Firefox and the pop-up window came up. The recovery details were correct. So I've found the email diverts and cancelled them, and changed my password; is there anything else I should do (apart from change all my passwords, of course)? I'm still not clear how it seems to be sending automatic emails though?

Gondola
Community Star

Hi kazziebear1

I'm not clear either on how a hacker can be signed in unless it's via one of your devices. In 2014/15, when the first appearance of these 'unfinished drafts' was noted in Yahoo Mail and then Gmail, it was determined that they were part of a Remote Access Trojan's command and control setup.

The strange drafts appearing even after a mailbox password change has been noted by others, so it's a key issue to be investigated further so that definitive guidance can be offered.

The session authentication cookies should prevent continued access after a password change. But if a hacker has remote access to a device then it's still possible to view saved passwords and get access to a mailbox.

Let us know if you find anything conclusive from the security scans or other observations.



OCE_Ady
Community Team - TT Staff

Hi kazziebear1, Gondola will help you get this sorted. Please let us know how you get on.

Ady


kazziebear1
Popular Poster

Hi again, to confirm, I am only accessing emails at the moment through an iPhone and a friend's PC that hasn't been involved until now. Therefore I'm not sure what scans can be done. Anyway, password changed twice and still getting draft emails generated, 7 in the last 24 hours, all with no body text, all with no recipients and all with the same subject. I deleted all rules in the filters section; 2 were diverting Amazon emails, and they were labelled "." and "..". There were also 4 other rules labelled rule0, rule 1, rule 2 and rule 3. These rules were set to discard emails that contain "postmaster@", "mailer-daemon@", "mail-daemon@" & "Mail Delivery". All 6 rules were deleted on the 3rd September. The rules 0-3 have reappeared today. Could these be genuine system-generated filters from TalkTalk, or are they more likely the work of a hacker please? The rules to divert Amazon emails have not reappeared. I have deleted these new rules as well for now. Hope you can help.

Gondola
Community Star

Hi kazziebear1

Just to confirm that TalkTalk do not set up Filter rules to operate within customer mailboxes.

So, the indication is that a hacker still has access to your mailbox and is continuing to make the changes to Filter rules. They could also have changed Auto forward and Reset details, so check these out as well.

Scan devices to remove viruses, Remote Access Trojans and other password-capturing malware.

Via the TalkTalk Mail sign in and the main Settings menu, please check your Reset Details are correct and available to you.

Sign out all devices and then set about changing your email password, using a 12-15 character multi-word password with multicase letters, numbers and a symbol.

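The rules described in this thread follow a recognisable pattern: two rules with names nobody would notice ("." and "..") diverting Amazon mail to another mailbox, and four generically named rules (rule0 to rule 3) that silently discard anything from postmaster@, mailer-daemon@ or mail-daemon@ or with "Mail Delivery" in it, so the owner never sees the bounces for mail sent from the hijacked account. The script below is an added example, not TalkTalk or Open-Xchange code, showing how to audit a set of webmail filter rules for exactly those signs. The Rule structure, the sample rules, the external address collector@example.net and the OWN_ADDRESSES set are constructed placeholders modelled on the thread; a practitioner would transcribe the rules from the webmail Filter settings into that structure.

```python
"""Audit of webmail filter rules for the mailbox-hijacking signs described in
this thread. Added example; not TalkTalk / Open-Xchange code. All rule data
below is a constructed sample modelled on the poster's description."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: list  # (header, operator, value) triples, e.g. ("from", "contains", "amazon")
    actions: list     # (action, argument) pairs, e.g. ("redirect", "someone@example.net")


# Markers of bounce / delivery-failure traffic. An attacker discards these so the
# owner never sees "undeliverable" notices for mail sent from the hijacked account.
BOUNCE_MARKERS = ("postmaster@", "mailer-daemon@", "mail-daemon@", "mail delivery")

# Addresses the mailbox owner legitimately forwards to (placeholder values).
OWN_ADDRESSES = {"owner@tiscali.co.uk", "owner.backup@example.com"}

# Constructed sample: two "dot" rules diverting Amazon mail, four generic rules
# discarding bounces, plus one benign rule a user might genuinely create.
SAMPLE_RULES = [
    Rule(".", [("from", "contains", "amazon")], [("redirect", "collector@example.net")]),
    Rule("..", [("subject", "contains", "Amazon")], [("redirect", "collector@example.net")]),
    Rule("rule0", [("from", "contains", "postmaster@")], [("discard", "")]),
    Rule("rule 1", [("from", "contains", "mailer-daemon@")], [("discard", "")]),
    Rule("rule 2", [("from", "contains", "mail-daemon@")], [("discard", "")]),
    Rule("rule 3", [("subject", "contains", "Mail Delivery")], [("discard", "")]),
    Rule("Newsletters", [("from", "contains", "news@example.org")], [("move", "Newsletters")]),
]

GENERIC_NAME = re.compile(r"rule\s*\d+", re.IGNORECASE)


def audit_rules(rules, own_addresses=OWN_ADDRESSES):
    """Return [(rule_name, [reasons])] for every rule that looks attacker-planted."""
    findings = []
    for rule in rules:
        reasons = []
        if not rule.name.strip("."):            # "", "." or "..": chosen to be overlooked
            reasons.append("name is empty or only dots")
        elif GENERIC_NAME.fullmatch(rule.name.strip()):
            reasons.append("generic auto-style name")
        condition_text = " ".join(value.lower() for _, _, value in rule.conditions)
        for action, argument in rule.actions:
            if action == "redirect" and argument.lower() not in own_addresses:
                reasons.append(f"diverts mail to external address {argument}")
            elif action == "discard":
                if any(marker in condition_text for marker in BOUNCE_MARKERS):
                    reasons.append("silently discards bounce / postmaster notices")
                else:
                    reasons.append("discards mail without keeping a copy")
        if reasons:
            findings.append((rule.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Any rule that redirects off-platform or discards bounce traffic deserves a screenshot before deletion, as the poster took, since the destination address in a redirect rule is the only hard evidence of where the mail went.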


kazziebear1
Popular Poster

There are no connections that I have to email apart from my phone, which is running email via the iPhone installed app. I have deleted that account. The problem is still happening. I have been told that the emails are being generated from a web-based client; the originating client is open-xchange-appsuite with the X-Mailer Open-Xchange Mailer v7.8.4-Rev71. I have been advised to ask if there is any way of terminating all connections to my email.

kazziebear1
Popular Poster

I've also just noticed these three emails in the trash. I've blanked out where my name is.

Gondola
Community Star

Hi kazziebear1

Open-Xchange Mailer v7.8.4-Rev71 is the TalkTalk Mail platform. It's what would be seen if a hacker was signed in to your mailbox via webmail, because the originating client is open-xchange-appsuite.

The key thing is the originating IP address.

Is that also your public IP address? Go to Google search and key in What's my IP. The originating IP address will tell TalkTalk whether that's a hacker accessing via your device / your broadband connection or from their own IP address.

The trash items appear to indicate a date of 22nd of last month.

Now that we know the drafts are originated via webmail, you could set TalkTalk Mail for automatic sign out after 5 minutes.

  • Main Settings Menu triple line icon top right header
  • Settings menu item
  • Basic Settings
  • Automatic sign out - 5 minutes

Sign out of webmail using the Sign out icon extreme top right header and then delete the apps.talktalk.co.uk cookies.



kazziebear1
Popular Poster

The IP address for those mails is 134.0.204.190 Oman telecommunications company. Domain name I134.0.204.190.omantel.net.om. 

I changed my password last night on a PC. I had viewed my mails on a friend's iPhone previously and was able to view my emails on his phone this morning without the new password, but couldn't compose mail or access settings on his phone until I logged out and back in with the new password.

Gondola
Community Star

Hi kazziebear1

The originating IP address and webmail sign in is pointing to a compromised password being used to sign in to webmail by a hacker, probably in Muscat, Oman.

So as far as the creation of the drafts is concerned, that wasn't remote access via your device, just a remote login. The system's unique session ID should prevent concurrent webmail sign ins from different IP addresses.

Did you set the Automatic sign out to 5 minutes? You should see a count-down to sign out whenever the webmail has been idle for 5 minutes.

The key thing going forward is to determine that the unauthorised activity has ceased and your password is secure.



kazziebear1
Popular Poster

I did set up the 5-minute log out. However, what I've found is that, of course, you can override that every five minutes by pressing cancel at the countdown prompt. What is more concerning is that if you close the window and come back to it on a PC after 15 minutes you still have access. So to retain access, all you have to do is press cancel at each prompt or close the window during periods of inactivity.

 

The draft emails were generated after password change. This is the same for the reintroduction of the filter rules, again they were done after 2 password changes.

 

Something doesn't seem that secure to me regarding the webmail platform but then I'm not an IT expert.

 

With regards the draft emails, are you saying the system has generated those emails as a result of someone trying to log in?

kazziebear1
Popular Poster

Here's what's listed in the view source of the header of the draft email:

 

From: Kxxxx Mxxxxxx <xxxxxxxxx@tiscali.co.uk>
Reply-To: Kxxxx Mxxxxxx <xxxxxxxxx@tiscali.co.uk>
Message-ID: <2056196879.449257.1599199574572@app-8.app.tt.ham.xion.oxcs.net>
Subject: =?UTF-8?Q?=EF=BB=BFRe:Kaxxx_Mxxxxxxx?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.8.4-Rev71
X-Originating-IP: 185.214.14.235
X-Originating-Client: open-xchange-appsuite
X-OX-Marker: 9ef8be02-b40c-46c9-99d2-6477e74ffb35

<!doctype html>
<html>

<head>
<meta charset="UTF-8">
</head>
<body>
<p style="font-size: 12pt; font-family: helvetica,arial,sans-serif; color: rgb(51, 51, 51);"><br></p>
</body>
</html>

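The header block above is the piece of evidence Gondola asked for: X-Originating-IP and X-Originating-Client are stamped by the Open-Xchange webmail server from the session that saved the draft, so comparing that IP with the owner's own public address separates "someone on my device" from "someone logged in from elsewhere". The script below is an added example, not TalkTalk or Open-Xchange code, that does that comparison, decodes the RFC 2047 subject (the =EF=BB=BF at the start is a UTF-8 byte order mark, an invisible character in front of "Re:"), and confirms the body is empty. SAMPLE_DRAFT reproduces the posted header block with the poster's redactions; TRUSTED_NETWORKS is a placeholder using the documentation range 203.0.113.0/24, because the owner's real public IP is not on the page.

```python
"""Triage of a suspicious draft's headers: which client created it, from where,
and whether that 'where' is one of the owner's own networks.
Added example; not TalkTalk / Open-Xchange code."""
import ipaddress
import re
from email import message_from_string
from email.header import decode_header

# Header block as pasted in the thread (poster's own redactions kept); the body
# is a trimmed version of the empty HTML paragraph the draft contained.
SAMPLE_DRAFT = """\
From: Kxxxx Mxxxxxx <xxxxxxxxx@tiscali.co.uk>
Reply-To: Kxxxx Mxxxxxx <xxxxxxxxx@tiscali.co.uk>
Message-ID: <2056196879.449257.1599199574572@app-8.app.tt.ham.xion.oxcs.net>
Subject: =?UTF-8?Q?=EF=BB=BFRe:Kaxxx_Mxxxxxxx?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.8.4-Rev71
X-Originating-IP: 185.214.14.235
X-Originating-Client: open-xchange-appsuite
X-OX-Marker: 9ef8be02-b40c-46c9-99d2-6477e74ffb35

<!doctype html><html><body><p><br></p></body></html>
"""

# Placeholder: the owner's own public address range (documentation net, not real data).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def decode_subject(raw):
    """Decode an RFC 2047 subject; report whether it began with a UTF-8 BOM."""
    parts = []
    for chunk, charset in decode_header(raw or ""):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        parts.append(chunk)
    text = "".join(parts)
    had_bom = text.startswith("\ufeff")
    return text.lstrip("\ufeff"), had_bom


def triage_draft(raw_message, trusted_networks=TRUSTED_NETWORKS):
    """Extract the origin headers and decide if the originating IP is foreign.
    'foreign' is None when the header is missing or not a valid address."""
    msg = message_from_string(raw_message)
    origin = (msg.get("X-Originating-IP") or "").strip()
    subject, had_bom = decode_subject(msg.get("Subject"))
    body_text = re.sub(r"<[^>]+>", "", msg.get_payload() or "").strip()
    result = {
        "originating_ip": origin,
        "client": msg.get("X-Originating-Client", ""),
        "mailer": msg.get("X-Mailer", ""),
        "subject": subject,
        "subject_had_bom": had_bom,
        "body_is_empty": body_text == "",
        "foreign": None,
    }
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return result
    result["foreign"] = not any(addr in net for net in trusted_networks)
    return result


if __name__ == "__main__":
    for key, value in triage_draft(SAMPLE_DRAFT).items():
        print(f"{key:16} {value}")
```

A foreign originating IP shows a separate webmail session, not malware relaying through the owner's machine, which is what the Omantel address later in the thread also pointed to; it does not identify the person, since a VPN or proxy would show that exit address instead. Note the order of checks in the code: an absent or malformed X-Originating-IP gives "cannot decide", never a false "trusted".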