
Go Daddy Email Compromised?

Someone posted about this earlier and it was prematurely marked as solved.  They were talking about the mass of emails that look like the below screenshots.  They are not emails that were actually sent from the email address as is assumed in the solution.  They are mass random failures.  They are accompanied by emails from GoDaddy support to the admin account saying that the account's password may be compromised and to change it as soon as possible and that sending from 3rd party clients will be suspended until the password has been changed.

 

Here's the thing, this has happened on 4 of the email accounts in my domain and I have already changed the password on one of them and it's still occurring.  These are all different passwords used by different people and the passwords are of the very strong variety.

 

What's the likelihood of this happening outside of an issue with GoDaddy itself?  It appears many others hosted by GoDaddy are experiencing the same situation.

 

[Screenshots: Capture.JPG, Capture2.JPG]

 

 

1 ACCEPTED SOLUTION

My Emails to Gmail were bouncing with the following error: Delivery to the following recipients was aborted after 20.6 hour(s)

 

I struggled with this issue for over two months now. The solution, and the only solution that worked for me, is to add

1. SPF to your server
2. DKIM
3. And [maybe] optional DMARC
 
If any of the above fails, then emails to gmail will NOT go through.
You can do a Google search on how to add SPF, DKIM and DMARC to your server. The following settings worked for me: I use GoDaddy VPS with email set up. On the back end I use WHM the latest version with Enable DKIM/SPF Globally Enabled under features.
 
SPF
1. Login to your CPANEL.
2. Go to Zone Editor - (under Domains category)
3. Select your domain and press Manage
4. Select All under filter. Go through the list checking the Value Column to ensure that NO record starts with v=spf1. If there is such an entry delete it.
5. Near the top there is an "Add Record" button. Click the arrow next to it and Select Add TXT Record.
6. Enter the following:
 Name: YourDomainName.com (E.g. example.com)
 TTL: 1400
 Class: IN
 Type: T
 Record: v=spf1 a mx include:secureserver.net -all
 
7. Save. It will take up to 24 hrs for details to propagate. To test your SPF use the following sites:
 
 
 
 
DKIM/DMARC
1. Enable this feature in the WHM features if not enabled already.
2. Set up global DKIM
3. Login to the CPANEL 
4. Click on Authentication (Under Email Category)
5. Ensure DKIM is Enabled and press UPDATE
 
6. And this is important as found here:
 
Go to:
WHM > Exim Configuration Manager > Advanced Editor 
Modify the ROUTERSTART section from remote_smtp to dkim_remote_smtp, as follows:
 
send_to_smart_host:
driver = manualroute
route_list = !+local_domains dedrelay.secureserver.net
transport = dkim_remote_smtp 
 
Save the Changes.
 
To test your DKIM Settings, send an email to your Yahoo or any other provider. In Yahoo, open the email and click the three horizontal dots ... at the top of the email. Next click on View Raw Message. Check the raw message for the section dkim=pass (ok)
If it says OK then it is successful. If it says Fail then there is a problem with the DKIM. Check also for SPF to see if it passed.
 
Note that GMAIL will NOT go through unless SPF and DKIM pass.
 
Hope this helps.
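
The two checks the accepted solution describes (step 4's "no second v=spf1 record" and the raw-message test for dkim=pass), written as an added Python example that is not part of the original post or of any GoDaddy/cPanel tooling. The function names, the sample message and the hosts mx.example.net and example.com are assumptions made for illustration; the SPF record is the one from step 6.

```python
import re
from email import message_from_string

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"[-~?+]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")

def lint_spf(txt_records):
    """Return problems found in one domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is a "permerror" (step 4).
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    last = terms[-1] if terms else ""
    problems = []
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every host to send for the domain")
    elif not re.fullmatch(r"[-~?]all", last) and not last.startswith("redirect="):
        problems.append("no terminal 'all' mechanism or redirect= modifier")
    # Counts this record's own terms only; included records add their own lookups.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    return problems

def auth_results(raw_message):
    """Map spf/dkim/dmarc to the verdict in the topmost Authentication-Results."""
    headers = message_from_string(raw_message).get_all("Authentication-Results", [])
    found = {}
    # Assumption: the receiving provider prepends its header, so only headers[0]
    # is read; lower copies could have been supplied by the sender.
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", headers[0] if headers else "", re.I):
        found.setdefault(method.lower(), verdict.lower())
    return found

PAGE_RECORD = "v=spf1 a mx include:secureserver.net -all"  # record from step 6
# Constructed raw message; mx.example.net and example.com are placeholders.
SAMPLE_RAW = """Authentication-Results: mx.example.net;
 dkim=pass (ok) header.d=example.com;
 spf=pass smtp.mailfrom=example.com
From: user@example.com
Subject: test

body
"""

if __name__ == "__main__":
    print(lint_spf([PAGE_RECORD]))
    print(lint_spf([PAGE_RECORD, "v=spf1 mx ~all"]))
    print(auth_results(SAMPLE_RAW))
```

A missing key in the auth_results output (here, no dmarc entry) means the receiver recorded no verdict for that method, which is different from a fail.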


44 REPLIES

I received the same message from GoDaddy and went immediately to change my password, as they suggested. Now, I can't get into my email AT ALL. 

I am suspicious too about the GoDaddy servers. One email acct is sending me tons of these even though the send file shows no one has sent from inside the acct. Changed passwords just in case.

You can't contact GoDaddy on this, all we have is this board. I think there is a GoDaddy email compromise somewhere as well. Please let me know if you find out anything. It has happened before but stops. I think a robot mimics or creates a fake email camo'ing as your email. Just like a robo call but these are robo emails.....idea? Here is one of mine, but they all basically look the same and are generated in Asian.
* 270560558@qq.com

Reason: There was an error while attempting to deliver your message with [Subject: "270560558"] to 270560558@qq.com. MTA p3plsmtpa06-07.prod.phx3.secureserver.net received this response from the destination host IP - 203.205.176.240 - 550 , 550 Mail content denied [N/rJhc+WcLEC4Q0iLDi4uQNnHL7c3ozBzfTCHn3NZ3QdMLFfZzqobMw=]. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000726

After going through the process of changing my password THREE TIMES, I am finally back in my email account. There were a ton of returned/undeliverable email messages which I never sent, so I'm not sure what happened. It would be nice to know what gives here. SMH

Oh, and I also keep getting the message that my account needs to be "validated," but there is nothing else - no link, no info, nada. *shrug* 

I'm having the exact same issue and followed the same steps of changing all passwords. As there are no other actionable steps that we can take, will someone from GoDaddy please investigate the servers to confirm that nothing has been compromised?


Go to this topic: Unauthorized email useage

https://www.godaddy.com/community/Managing-Email/Unauthorized-email-useage/m-p/30527

 

This explains what happened and how to address it

That doesn't explain what's happening in the slightest.  

 

You're saying that different accounts used by different people across the country, that have changed their own passwords from their own locations, were all compromised by a key logger or malware of some sort? So the same malware on all those machines that are not co-located.  On top of that there is an account that is idle, it's never been used and only accessed via the control panel is getting them as well.  Did you even read my original post?

Did you read the whole thing I referenced?  - Obviously not.

 

I guessed you missed the spoofing part.  That was what happened in my case and fixing the DNS solved the problem.  

Yes I read the entire article you referenced.  I have long had an SPF statement in the hosts file to prevent this.  Next you can explain how accounts that have never been used and don't exist outside of the control panel are being spoofed.

While I suspect GoDaddy has issues, fixing the DNS zone worked for me.

 

As far as your spoofing question, any email (existing or not) can be spoofed.  

I am having the exact same issue on two of my four email accounts. I, too, have changed my passwords a number of times, and yet, this morning, it has happened again. The email relay usage shows the increase in usage on one account of 233 and 0 on the other. Neither account has a password that is used anywhere else. 


I've called now at least four times and spoken to them on online chat a few more. This issue is NOT solved. I've changed the password on the account in question five times and am still receiving DOZENS OF these emails every day. I'm going to take my email accounts and put them with Liquid Web. This is ridiculous.

You have it worse than I do. Since I don't use these emails to send from, I set the relay to 0. I will leave it there until GoDaddy gets their situation squared away. 

Having the same issues for a couple of weeks.  Ran virus scans 100 times.... Changed passwords 2-3 times a day and still having the issue. Today I could not download any files. 

 

Finally resolved and figured it out.   

Go to add and remove programs. 

Uninstall your Google Chrome. 

Do not reinstall it when asked to.

Go to internet explorer or another browser and search for Chrome. 

Reinstall Google Chrome from there. 

Then log in and once again change your password through GoDaddy. 

This has worked for me and hoping it might resolve someone else's problem in here. I still feel this is a GoDaddy issue and a virus. 

Thanks for your input even though I know this isn't the case in my situation.

I'm pretty sure you are right... I think it's a combination of a few issues. Good luck!! 

My webmaster went in and changed the DNS record (My site is not hosted on godaddy) and I thought that the issue was resolved. But it's not. I awoke to dozens more *spoofing* emails. And this is clearly a GoDaddy issue. I'm moving my email accounts to a company that values my business and keeps me safe.


Thank you AlbertaArchery.   I have the same issue this week again even after changing my password.

First I enabled two step verification in my GoDaddy account just in case someone had access.  But I think this is a case of spoofing.  So....I went on the chat with GoDaddy and the rep added the SPF text into my DNS domain that was mentioned in the link someone shared.  I hope that fixes it.  I will try to update this after I see if there are more failed messages.......

I've done all that and then some. Talked to GoDaddy support four or five times. And still...

Update on my case - the SPF (or whatever it is) file change in the DNS apparently has not worked.  Still getting about 20 bounced fake emails a day.   GoDaddy said it would take a few days for the change to be effective but it's been 4 days so far.

 

Next step is to uninstall and re-install the browser as was suggested (going to the browser download site to get the exec file).  I am using Firefox and Chrome so I will have to do both I guess, but I will start with Chrome first as the poster did.