Forum Activity for @strumelia

Strumelia
@strumelia
06/25/18 07:08:06AM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Thanks Michael. As hacking things go, it could have been something much worse I'm sure. I'm choosing to see it as a good learning experience, since no irreparable damage seems to have been done.

BTW just to be extra safe, I also changed my PW here in my jamroom account and also on my jr sites as Master Admin.
updated by @strumelia: 06/25/18 07:45:38AM
Strumelia
@strumelia
06/24/18 07:46:50PM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

I received this from the Mailgun Support:
"Last night after you mentioned completing the recommended steps, we re-enabled the domains and account for you so that you could resume sending. As such, the site notifications should indeed be working as we're no longer blocking any traffic on the account."
...So Mailgun had indeed disabled my domains and account from sending any emails out (not surprising, but they mentioned nothing about that, nor mentioned when they turned it back on). I guess they simply waited until I told them I had implemented the security suggestions to 'turn me back on'.
Good stuff to be aware of.
Strumelia
@strumelia
06/24/18 10:28:48AM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

So, in retrospect, several RED FLAGS to look out for as a hacker is working their way into your mailgun account:

1- getting emails from a Mailgun support person saying your domain needs to be validated... even though your domains are already validated. I ignored these emails thinking they were from a spammer, but they were perhaps indicative of the hacker being in the process of infiltrating my account.
2- getting a support email from Mailgun responding to a support ticket request that you supposedly made, asking for a new Dedicated IP on your account. Big red flag!! This support ticket was actually created in my mailgun account by the hacker, and you must immediately contact Mailgun support and report this as a hacker.
3- getting a friendly note from mailgun suggesting you might want to 'upgrade' your account to higher capacity... this was sent to me about a day after the 2 million spam emails had been sent out by the hacker. =8-o

And it's always wise to glance at your mailgun LOG each day for each domain, so that you can see within 24 hours whether a giant mountain of spam has been sent out. Note that these spam emails did not show up on my Jamroom email log... only in my Mailgun account Logs, on the MG site.

My notifications seem to be turned on again and working normally, so I'm going to mark this thread as a "User Tip". Hopefully it will be of some use to somebody else at some point.
updated by @strumelia: 06/24/18 11:31:54AM
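A daily volume check of the kind this post recommends, as an added example (it is not Jamroom or Mailgun code): it reads Mailgun-style event records, counts accepted and failed sends per domain per day, and reports any day whose volume is far above that domain's median from the days before it. The record shape (domain, timestamp, event, recipient), the sample data, the thresholds and the two domain names used as sample values are assumptions; the constructed flood is 5,000 messages rather than the roughly 2 million in the post, only to keep the sample small.

```python
"""Daily sending-volume check over Mailgun-style event records (added example).

Assumed record shape per line: {"domain", "timestamp" (epoch seconds), "event", "recipient"}.
All sample data below is constructed; it is not a real Mailgun export.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median


def _epoch(day: str, hour: int) -> float:
    """Epoch seconds for a constructed UTC timestamp (Mailgun events carry a numeric timestamp)."""
    return datetime.fromisoformat(f"{day}T{hour:02d}:00:00+00:00").timestamp()


def _build_sample() -> str:
    """Five quiet days for two domains, then one day where one domain floods. Constructed data."""
    records = []
    days = ["2018-06-17", "2018-06-18", "2018-06-19", "2018-06-20", "2018-06-21", "2018-06-22"]
    for day in days:
        # fotmd.com: about 40 site notifications a day, then a flood on the last day
        n_ok, n_fail = (40, 3) if day != "2018-06-22" else (5000, 1500)
        for i in range(n_ok):
            records.append({"domain": "fotmd.com", "timestamp": _epoch(day, i % 24),
                            "event": "accepted", "recipient": f"member{i}@example.net"})
        for i in range(n_fail):
            records.append({"domain": "fotmd.com", "timestamp": _epoch(day, i % 24),
                            "event": "failed", "recipient": f"bounce{i}@example.net"})
        # a second domain on the same account that is never touched: steady 20 a day
        for i in range(20):
            records.append({"domain": "pennywhistleclub.com", "timestamp": _epoch(day, i % 24),
                            "event": "accepted", "recipient": f"player{i}@example.net"})
    lines = [json.dumps(r) for r in records]
    lines.insert(3, "not json at all")  # one corrupt line, to show the parser skips it
    return "\n".join(lines)


SAMPLE_EVENTS_JSONL = _build_sample()


def parse_events(jsonl: str):
    """Yield well-formed records from one-JSON-object-per-line text, skipping bad lines."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not silence the whole check
        if isinstance(rec, dict) and {"domain", "timestamp", "event"} <= rec.keys():
            yield rec


def daily_counts(events):
    """counts[domain][YYYY-MM-DD] -> {"accepted": n, "failed": m} (UTC days)."""
    counts = defaultdict(lambda: defaultdict(lambda: {"accepted": 0, "failed": 0}))
    for rec in events:
        day = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc).strftime("%Y-%m-%d")
        if rec["event"] in ("accepted", "failed"):
            counts[rec["domain"]][day][rec["event"]] += 1
    return counts


def detect_spikes(events, factor: int = 10, min_volume: int = 500):
    """Report days where accepted volume is >= factor x the median of that domain's prior days.

    Days under min_volume are ignored so a quiet domain's first day is not reported;
    a domain with no history and a large day is reported (baseline 0).
    """
    counts = daily_counts(events)
    alerts = []
    for domain, days in counts.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            today = days[day]
            if today["accepted"] < min_volume:
                continue
            prior = [days[d]["accepted"] for d in ordered[:i]]
            baseline = median(prior) if prior else 0
            if today["accepted"] >= factor * max(baseline, 1):
                total = today["accepted"] + today["failed"]
                alerts.append({"domain": domain, "day": day, "accepted": today["accepted"],
                               "baseline": baseline, "bounce_rate": today["failed"] / total})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_events(SAMPLE_EVENTS_JSONL)):
        print(f"{alert['domain']} {alert['day']}: {alert['accepted']} accepted "
              f"(baseline {alert['baseline']}), bounce rate {alert['bounce_rate']:.0%}")
```

Run against the constructed sample it reports only fotmd.com on 2018-06-22 (5,000 accepted against a baseline of 40, with a 23% bounce rate, which is itself a sign of spam hitting dead addresses); the untouched second domain and the quiet days are not reported. The check is meant to run on records pulled from the Mailgun side, since, as the post notes, the spam never appeared in the Jamroom email log.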
Strumelia
@strumelia
06/24/18 10:14:57AM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Thanks Patria,
BTW the mailgun support guy said that THE most important security measure we can take is to activate the "2FA" (2 factor authentication) for our Mailgun account. This I did on my Android phone by downloading an authenticator app.

It looks like my normal site notifications are now pouring in from last night and this morning; the faucet has been turned back on by ...someone... Yay! :D
updated by @strumelia: 06/24/18 10:22:49AM
Strumelia
@strumelia
06/24/18 09:43:02AM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

OK, suddenly 10 minutes after this last post something kicked in and I see a few notifications going through.

Somebody did 'something' to fix it, either from the JR end or from the Mailgun guys whom I also wrote to again 20 minutes ago. Maybe my domain had been deactivated/blocked by MG?
So hold on.... it seems to be working again all of a sudden. Miracle!... keeping fingers crossed and will report back here again in an hour or so.

BTW the MG fellow said he applied a credit to my account for the cost of the spam messages. (whew, or else I'd be maybe posting to here from jail in the future)
updated by @strumelia: 06/24/18 09:43:47AM
Strumelia
@strumelia
06/24/18 08:56:36AM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Hmm, my site notifications are still not working.
Is there a way to refresh my JR email log? It shows no mails sent since yesterday late afternoon. Or else it's just that nothing has been sent out since then, despite all kinds of site activity that should have triggered notifications and emails.

I should note that private messages are still functioning within the site, though not the notifications for them.
BTW, my other JR site domain on the same server, pennywhistleclub.com, has all its notifications still working fine (that domain was not the one attacked by the hacker). I just tested it.
Strumelia
@strumelia
06/23/18 08:50:03PM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Um, well I told the Mailgun fellow I was not going to be paying for those 2 million emails... =8-0 Gosh I hope they don't bill me!

OK, so I simply reset new PWs for those MG smtp credential settings.
Is there a way to refresh my JR email delivery log? I'm not seeing anything newer than like 7 hours ago on it. This despite my having done several actions on my site that should have triggered notifications. I also restarted my JR server and Apache, just in case.

And now I have to go to bed. :-\
updated by @strumelia: 06/23/18 08:50:29PM
Strumelia
@strumelia
06/23/18 07:24:04PM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

P.S. Resetting the passwords for those mailgun "Manage SMTP credentials" domain areas (as in the screenshot) was the only thing I attempted to do, but I wasn't sure what my PWs HAD been (it wouldn't let me see the prior PWs) or how to coordinate them on the Jamroom side. Things seemed to be working ok until I messed with them. My JR System Check is all green. At this point my site mail/notifications are no longer being sent or received, I believe. Everything seemed to be working until I tried to fuss with the SMTP credentials in Mailgun. :(
updated by @strumelia: 06/23/18 07:46:50PM
Strumelia
@strumelia
06/23/18 06:50:55PM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Thanks Michael. I've been spending a while now attending to a bunch of stuff the Mailgun guy recommended in his ticket response.
I've now done the following:
1) changed my Mailgun account password.
2) reset my Mailgun Private API key (and then filled the new one in on my JR server settings and then ran a test email which worked)
3) I enabled 2-factor authentication in my mailgun account, using my current password program authenticator App for my android phone. (a total pain in the butt but I suppose now a necessary evil).
4) the mailgun guy also told me two IP addresses from which the spam was being sent and I banned the ranges of both.

================

The last suggestion from the mailgun support guy:
This is the one thing I may have screwed up: resetting my Mailgun domain "SMTP credentials" passwords. I wasn't quite sure what they WERE, so I reset them with my main JR password. Now it seems I can no longer send or receive emails through my main ___@fotmd.com address; my JR email support "Test Email address" sending FROM my main @fotmd email is no longer working since I did this, it seems. (It was still working after I reset the API though.)
Here's a screenshot from the Mailgun Help blog showing the SMTP settings area I'm talking about, and mine has a setting both for my main @fotmd.com email and also "postmaster@___". I'm not sure whether those PWs need to be the same as my Mailgun Account main PW, and/or do they need to be the same as _WHICH_ PWs on my Jamroom end? Do I find the PWs for those items on my Jamroom settings and need to update them?
Right now I'm no longer getting emails from OR to my fotmd.com email address aliases. My JR mail log seems to confirm this stoppage as well... due to my messing 'something' up, I think, with the SMTP MG passwords, or else by resetting those and not synching the new PWs to something on the other end in JR. ?
[Attachment: MG SMTP.png, 164KB]

updated by @strumelia: 06/23/18 07:48:44PM
Strumelia
@strumelia
06/23/18 01:56:53PM
3,603 posts

Looks like my jr domain Mailgun acct was hacked


Using Jamroom

Went to my fotmd.com jamroom site Mailgun log today and saw this (see screenshot).
Looks like last night someone sent out almost 2 million spam emails from my Mailgun domain account associated with my jamroom network. GaaaCK! =8-0
I just opened a Mailgun ticket, hope I don't get my site mail shut down over this. And I hope they can help me! I have no idea who this was or how it happened.
All I know is that the day prior to this, I received a response from Mailgun about a ticket that I supposedly opened with them requesting a dedicated IP be added to my account. I did NOT request that, yet there was a real actual ticket open in MG requesting it. In the ticket, MG had responded to the person and asked for more info about how many and what kind of mail they were intending to send on the IP. I replied yesterday to the MG ticket saying that *I* did not request this.

Apparently MG must have gone ahead and granted it or something, and now the next day almost 2 million spam messages were sent out from my domain. Yikes.
Anyway, I just now opened a new ticket with MG telling them that was NOT me and asking for their help in un-hacking my account. I hope my MG account doesn't get blocked or dumped because of this! :(
I'm posting this here just in case another JR member is experiencing this or as a warning if they get a notice from MG about a ticket they supposedly opened asking for a dedicated IP... beware if that happens, contact MG immediately!
I just now changed my MG password, but am waiting to hear back from Mailgun with my new ticket.
[Attachment: log.jpg, 333KB]

updated by @strumelia: 10/01/18 06:38:51PM