One more thing to add (if it is Gmail) is to check what 3rd party
services/apps have been authorized to use the account. You can revoke them
from the Google admin console if there are any that look suspect.

Jeff

Jeff Wallis
Chief Network Engineer
Chittenden East Supervisory Union
802-858-1727
http://www.cesuvt.org


On Fri, Feb 10, 2017 at 9:55 AM, Diane Stacy <[log in to unmask]> wrote:

> Another resource to use to troubleshoot email problems and determine if
> the account is compromised or being spoofed is to use the Email log search
> in the Reports section of the Google Admin Console.
>
> You can change the search parameters so you could search for email sent
> from that account during a time period you set.
>
> If the account really has been compromised sometimes it can be next to
> impossible to reclaim it unless Google has changed something since last
> summer...
>
> We had a compromised acct - we changed the password, turned off POP and
> IMAP, reset the cookies, and suspended the account yet the email log
> reports (and looking at the "original" of received emails) indicated mail
> was still being sent from that account from various IP addresses in eastern
> Europe, usually at 3 or 3 am... Google tech support tried to help, but
> ended up saying they could not fix it!
> After trying to fix this for a couple of months we finally created a new
> account and forwarded/transferred all the mail and data and completely
> deleted the old account.
>
> So far this has only happened once!
>
>
>
> On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <
> [log in to unmask]> wrote:
>
>> Not to discount the possibility of the account being compromised, but I'm
>> with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be
>> willing to bet the address was spoofed. Maybe have the recipients of the
>> email forward it back to you to see what you can in the headers?
>>
>> Good luck,
>>
>> On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote:
>>
>> Also, just so the email address can't be spoofed, make sure that you have
>> SPF, DKIM, and DMARC records set up.
>>
>> Cheers,
>>
>> Bill
>>
>> On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:
>>
>> Most of these suggestions assume Google email accounts.  Here's what I'd
>> suggest to summarize:
>>
>> Disable the account first! (already done)
>> Review where the account had been logged into.  Get screen captures of
>> the data.
>> Change the password.
>> Consider having the user leverage a second-factor for authentication.
>> Reset sign in cookies as per another suggestion.
>> Run AV on the user's computer(s).
>> Ensure a level of password complexity for the new password.
>> Re-enable the account.
>> Review their Sent messages and ALL Mail views.  Also ensure they are
>> receiving emails correctly.  Sometimes hackers will add a rule to Gmail to
>> archive all inbound messages.  This way, the owner doesn't see the delivery
>> failures, etc.
>>
>> Verify where they access their email from.  Is it from home as well on a
>> different computer?  Suggest they run AV there as well.
>>
>> That's the basics.
>>
>>
>>
>> On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]>
>> wrote:
>>
>> I would also suggest that you reset the sign-in cookies.  This will kick
>> out anyone who may have been signed into the account.  Simply changing the
>> password does not terminate all current sessions.  You can find the switch
>> to reset the sign-in cookies under Account in the Google Admin Console.
>>
>>
>> *Christine Gibson*
>> *PowerSchool Data Manager*
>> 49 Charles Avenue
>> Middlebury, VT 05753
>> [log in to unmask]
>> 802-382-1720
>>
>> On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]>
>> wrote:
>>
>> Edith
>>
>> Not sure why it doesn't list change password, but here are the
>> suggestions from Google.
>>
>> https://support.google.com/a/answer/2984349?hl=en
>>
>>
>> R
>>
>> -----------------------------------------------------------------------
>>
>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>> Archive
>>
>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>> Subscription to SCHOOL-IT
>>
>>
>> --
>> David McClellan
>> Technology Support Specialist
>> Chittenden East Supervisory Union
>> Mobile: (802) 458 - 7327
>> Backup Mobile: (802) 448 - 0329
>>
>> This e-mail may contain information protected under the Family
>> Educational Rights and Privacy Act (FERPA). If this e-mail contains student
>> information and you are not entitled to access such information under
>> FERPA, please notify the sender. Federal regulations require that you
>> destroy this e-mail without reviewing it and you may not forward it to
>> anyone.
>>
>
>
>
> --
> Diane Stacy
> Director of Technology
> Barre Supervisory Union
>
> 802-476-5011
> http://bsu.zendesk.com
>
> “Supporting the mission of BSU schools by enabling the integration and
> utilization of technology resources to support and enhance the teaching
> and learning of 21st Century skills.”
>
>
> CONFIDENTIAL COMMUNICATION
>
> The information contained in this communication, including any
> attachments, is confidential, constitutes privileged communication, and is
> intended only for the use of the addressee. This message may not be
> forwarded without prior consent from the sender. The information in this
> e-mail may also be protected by the rights afforded under Family
> Educational Rights and Privacy Act (FERPA) and school district policies.
> Any unauthorized use, forwarding, distribution, disclosure, printing or
> copying is strictly prohibited and may be unlawful.  If you have received
> this communication in error, please notify us immediately at 802-476-5011 or
> return e-mail, and delete any copies of this message immediately.  Any
> inadvertent disclosure of this communication shall not compromise the
> confidential nature of the communication.
>

-- 


This e-mail may contain information protected under the Family Educational 
Rights and Privacy Act (FERPA). If this e-mail contains student information 
and you are not entitled to access such information under FERPA, please 
notify the sender. Federal regulations require that you destroy this e-mail 
without reviewing it and you may not forward it to anyone.
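
The header check David McClellan suggests and the SPF, DKIM and DMARC records Bill Fitzgerald mentions meet in the Authentication-Results header that the receiving mail server stamps on each message. The following is an added example, not part of the original thread: it reads that header from a message forwarded back by a recipient to tell a spoofed address apart from mail that really left the domain. The sample messages, the example.org domain and the mx.recipient.example server name are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every name and address here is a placeholder.
SPOOFED = """\
Authentication-Results: mx.recipient.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bulk.example.net;
 dkim=none; dmarc=fail (p=NONE) header.from=example.org
From: "Staff Member" <user@example.org>
Subject: invoice

body
"""

SENT_FROM_ACCOUNT = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=example.org;
 dkim=pass header.i=@example.org; dmarc=pass (p=REJECT) header.from=example.org
From: "Staff Member" <user@example.org>
Subject: invoice

body
"""

def auth_results(raw, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers the trusted server added."""
    results = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)       # drop parenthesised comments
        authserv, _, rest = value.partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv]:
            continue                                   # the sender can forge this header
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def classify(raw, trusted_authserv):
    """Return (From domain, finding) for one forwarded message."""
    res = auth_results(raw, trusted_authserv)
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    if "dmarc" not in res:
        return domain, "inconclusive: no trusted DMARC verdict"
    if res["dmarc"] == "pass":
        # Aligned SPF or DKIM passed, so the mail left through the domain's own system.
        return domain, "authenticated: check the account itself"
    return domain, "failed authentication: address likely spoofed"
```

Ask recipients to forward the message as an attachment (or send the "original" view) so the receiving server's headers survive intact.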