telus.com spam emails to gmail account

Just something I bumped into this morning, so I decided to quickly write a post.

I woke up this morning and the first thing I saw was a bunch of spam emails in my Gmail account. I kept getting spam emails that appeared to be sent by me but were sent via telus.com. These emails also showed up in my Sent items. I do not use telus.com and had never even heard of them.

I immediately checked my mobile, my desktop and my network, and searched Google for why this could happen. The same thing was happening to another person at home. I thought that either my home network had been pwned or something really bad had happened.

I went through the Google Security Checklist and:

  1. Changed my password
  2. Removed all app access
  3. Checked last account activity

So far I have received about 6 emails in the past 45 minutes, and they all have different content. I exported the contents to check the headers. The emails didn't stop when I changed my password, removed app access, changed the WiFi password, or restarted or shut down devices. Here's a sample of the header contents (some details altered to hide email addresses etc.):

Delivered-To: not-my-real-email@gmail.com
Received: by 10.176.89.43 with SMTP id n40csp26329ASDAad;
Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
X-Google-Smtp-Source: AIpAS4/ASDASDASDASD+iIW6bk6kVfmBL3knH+7kH6P4dZN50Gsd46lWPCwG2C
X-Received: by 2002:adf:e312:: with SMTP id b18-v6mr12085687wrj.247.1524364426822;
Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524364426; cv=none;
d=google.com; s=arc-20160816;
b=DvMTwNoeZhkodo5ViSPrXr2jJm5fLYl7gxGun748hbAs5CbmItDXOScYd0hnY07etw
KTfiak8jRyOPlk9gggn76DNw0QFmd55HaGtt0AguWWibKc0YvA2xLAIuNg5hVAbV3u3j
bTHKlX2ezlOlZgegX7Rme/h4Qf/ASDASDSADASDSAD+q9fF9ZpuQXHcNtqqU3
LmpSHUs08M4VRdIvJLLb635fOd3NfQOXyjQZZ4d0YxIuXLML7oP1LmMlMc0IeFs5RCvq
N0b2aK8IeDZYxcmFPw+xwFdtRulfd5qKfniaGRK2cSiWCNxdygOxtm+mzUQih/47dZrP
7tXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:subject:to:from:arc-authentication-results;
bh=GdQ0BONMitFUr2nm+0rqQnlDo1x9OaDbSlse34fDEWg=;
b=NAzWmgu87A6+i77xyVPUAq8Sr5iy9ZLUer2HcX1O+SyX+XJ/hV/O944ht8zbDKMGdc
zah5VgPO+39zB1SaP6KBOcbfU+RLela4cLpDNUqFGRU1f4nMhDI5HNzt8p6SKH4H8Etw
hFPAx0YZOx/vVvJ8IhYqnlFSmE3i/ASDASDASDASD+cfc47IzesMCSUspdUhDz4KWj4L
kubExOyoSegeWEAquoJ2tIQkzTDoBmhzO9YV9Hf63s6vsmi4tLkThZJtievcEJRegMEv
FsbwWiMPAXGDxCpUMZQdTHxzMSrH6lS6Ow3yBGOzrV1e6g+kD1wV8Otqdjd95eCxpCat
BCQw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <return@telus.com>
Received: from deep.ukriminode.com (static-ip-188-138-79-170.inaddr.ip-pool.com. [188.138.79.170])
by mx.google.com with ESMTP id j191si3483971wmd.61.2018.04.21.19.33.46
for <not-my-real-email@gmail.com>;
Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) client-ip=188.138.79.170;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received-SPF: softfail (google.com: domain of transitioning nkhpw@google.com does not designate not-my-real-email@gmail.com as permitted sender) client-ip=not-my-real-email@gmail.com;
from: --Profit System <not-my-real-email@gmail.com>
To: <noreplya@travellstore.REMOVED>, <returny@tinyurl.REMOVED>, <subsys@nytimes.REMOVED>, <hallo@webwiz.REMOVED>, <norply@mxtoolbox.REMOVED>, <not-my-real-email@salesforce.REMOVED>, <mostafa6863@aol.REMOVED>, <jonykrash@gmx.REMOVED>
Subject: The most effective way to make money with Bitcoin
Message-ID: <NkhPw@google.com=Mx.google.com>
Date: Sat, 21 Apr 2018 22:32:11 -0400
Content-Type: multipart/report; boundary="f4f5e80f07d80f9ASDASD56a2936a0"; report-type=delivery-status
X-EMMAIL: <@googlemail.fr not-my-real-email@gmail.com>
--f4f5e80f07d80f991b056a2936a0
Content-Type: text/html; charset="UTF-8"

I tested some URLs that were embedded in these emails (https://tinyurl.com/y93bqnl6); see the VirusTotal scan results. Nothing. The header was interesting as it showed spf=pass. Some interesting bits below:

ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from deep.ukriminode.com (static-ip-188-138-79-170.inaddr.ip-pool.com. [188.138.79.170])
by mx.google.com with ESMTP id j191si3483971wmd.61.2018.04.21.19.33.46
for <not-my-real-email@gmail.com>;
Sat, 21 Apr 2018 19:33:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) client-ip=188.138.79.170;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

So obviously it's passing SPF: SPF is checked against the envelope sender (smtp.mailfrom), which is return@telus.com, and telus.com does designate 188.138.79.170 as a permitted sender. The visible From: address is my Gmail address, so the two domains don't align and DMARC fails, but with gmail.com publishing p=NONE Gmail takes no action on that failure and the mail lands in my inbox anyway.
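As an added example (not code from the original post, Google or Telus), here is a small Python check that parses the Authentication-Results header quoted above and reports why SPF passes while DMARC fails: SPF is evaluated against the envelope sender (smtp.mailfrom, return@telus.com), whereas DMARC requires that domain to align with the visible From: (gmail.com). The sample headers are re-typed from the post with continuation lines re-indented, and the alignment test is a simplified relaxed match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header lines quoted in the post, re-typed with folding whitespace restored.
SAMPLE_HEADERS = """\
Return-Path: <return@telus.com>
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of return@telus.com designates 188.138.79.170 as permitted sender) smtp.mailfrom=return@telus.com;
 dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
From: --Profit System <not-my-real-email@gmail.com>

"""

def parse_auth_results(value):
    """Map each method in an Authentication-Results value to (result, properties)."""
    results = {}
    for clause in " ".join(value.split()).split(";")[1:]:  # [0] is the authserv-id
        comment = re.search(r"\((.*?)\)", clause)
        pairs = re.findall(r"([\w.]+)=(\S+)", re.sub(r"\(.*?\)", " ", clause))
        if not pairs:
            continue
        (method, result), props = pairs[0], dict(pairs[1:])
        if comment:  # DMARC reports the published policy (p=, sp=) inside the comment
            props.update(re.findall(r"(\w+)=(\w+)", comment.group(1)))
        results[method] = (result, props)
    return results

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def assess(raw_message):
    """Explain why SPF passes while DMARC fails for a message like the one in the post."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dmarc_result, dmarc_props = auth.get("dmarc", ("none", {}))
    # SPF is evaluated against the envelope sender (smtp.mailfrom / Return-Path),
    # not against the From: header the recipient sees.
    envelope_domain = domain_of(spf_props.get("smtp.mailfrom", msg.get("Return-Path", "")))
    from_domain = domain_of(msg.get("From", ""))
    # Simplified relaxed alignment: same domain, or a subdomain of the From: domain.
    aligned = envelope_domain == from_domain or envelope_domain.endswith("." + from_domain)
    return {
        "spf": spf_result, "dmarc": dmarc_result,
        "envelope_domain": envelope_domain, "from_domain": from_domain,
        "spf_aligned": aligned, "dmarc_policy": dmarc_props.get("p", "none").lower(),
        # SPF pass on an envelope domain unrelated to From: is the signature of this spoof
        "spoofed_from": spf_result == "pass" and not aligned,
    }
```

Running `assess(SAMPLE_HEADERS)` reports spf=pass, dmarc=fail, telus.com versus gmail.com, and spoofed_from=True, which is exactly the condition a receiving filter would need to key on.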

There are quite a few Google Forums pages about this issue where people are already complaining about it:

  1. Why did I get an email from myself via telus.com
  2. Getting absurd emails from “me”
  3. Blocking Spoof Emails from a Source
  4. I have just received spam email from myself via telus.com How do I stop this type of activity?

I wouldn't worry about it too much. Fix your stuff, Telus, and back to you, Google.

Update:

I tweeted the following message and Telus.com Support responded:


Must be horrible working at Telus IT Support right now trying to sort this out. Hope it gets sorted quickly and no client data is compromised.

2 comments

  1. same problem 2me
    they all have ?

    “Message-ID: ”

    rfc822msgid:

    Can I filter by this field?

  2. Yo, I got the same spamming email from “me”
    It’s so annoying.
    What I did was do a filter in my gmail, but I want a permanent fix.