How to Prevent Spoofing
Question asked by Bob Bell - November 11, 2014 at 7:07 AM
Return-Path: <"www-data@alipgloss"@sbcglobal.net>
Received: from dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (UnknownHost [191.239.35.27]) by mail.mydomain.com with SMTP;
   Sun, 9 Nov 2014 22:45:25 -0800
Received: by dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (Postfix, from userid 33)
    id 960DE24BCC; Mon, 10 Nov 2014 06:09:25 +0000 (UTC)
To: bob@mydomain.com
Subject: FACEBOOK Beatris Mendonsa enviou um comentario de voz. - [ 809896287042  ]
X-PHP-Originating-Script: 0:nmiqer.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: <bob@mydomain.com
Message-Id: <20141110060925.960DE24BCC@dinheironamao77.dinheironamao77.d4.internal.cloudapp.net>
Date: Mon, 10 Nov 2014 06:09:25 +0000 (UTC)
X-SmarterMail-Spam: SPF_None, UCEProtect Lev1, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, Custom Rules [], SURBL - Phishing:1
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
X-Antivirus: avast! (VPS 141109-1, 11/09/2014), Inbound message
X-Antivirus-Status: Clean
 
-------------------------------------------
 
Even though I have an SPF record for my domain, these emails FROM ME, TO ME (sent by someone else) are still getting through. I think the problem is the line in red above - (Trusted Sender - Domain)
 
How can I turn that off so Smartermail will reject the message based on the SPF record?
 
My AntiSpam settings are as follows.
 
+30 for SPF fail.
 
Filtering
 
10 = prefix with ***SPAM***
15 = move to junk folder
25 = delete message
 
Any help would be appreciated. Thanks!
 
Web Engineer
http://www.fullblownwebdesign.com

5 Replies

There are several things to check here:
 
1. Make certain you have SETTINGS ===> PROTOCOL SETTINGS ===> SMTP IN set to ALLOW RELAY = NOBODY
 
2. Make certain that all of your hosted domains are set to REQUIRE SMTP AUTHENTICATION under DOMAIN NAME ===> TECHNICAL:
 
3. Make certain your SMTP LOGS are set to DETAILED and then search for the e-mail address which is being spoofed in the SMTP LOGS. Validate those which are found against the headers from the messages.
 
4. If the account is running on a desktop, run a virus scan on the user's computer using HOUSECALL from TREND MICRO. Make certain you scan the entire machine and allow several hours for the scan to run. If there are viruses, it will find them and remove them.
 
5. Make certain the user's machine's IP ADDRESS is not SMTP BYPASSED or WHITELISTED. There is no reason to ever whitelist an IP address any longer. It's a backdoor waiting to be found by hackers and it will be found - it's only a question of time.
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
What do your SMTP LOGS show?
 
Is "www-data@alipgloss"@sbcglobal.net in your SMTP logs?
 
As an FYI, you should really set WordPress to SMTP authenticate. Allowing it to be sent without authentication may block the delivery of some of those messages. YAHOO! has the tools to do so and will soon begin implementing them for everyone. Right now they only implement SMTP authentication checks against complaints.
Bruce Barnes
ChicagoNetTech Inc
Is it coming from the same IP address that your Outlook uses, or has your password been compromised?
Bruce Barnes
ChicagoNetTech Inc
The sending server in the log, 191.239.35.27, isn't a Yahoo/SBCGlobal server. It's a Microsoft hosted IP address.
 

General IP Information

IP: 191.239.35.27
Decimal: 3220120347
Hostname: 191.239.35.27
ISP: Microsoft Corporation
Organization: Microsoft Hosting
Services: None detected
Type:  
Assignment: Static IP
I had my email address whitelisted. When I removed my email address from the whitelist, I have not received any more fraudulent emails sent by other people using my email address. I assume the SPF record is doing its job now.
Web Engineer
http://www.fullblownwebdesign.com
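The headers quoted in the question show the two things the thread turns on: SPF is evaluated against the envelope sender (the Return-Path domain, sbcglobal.net here), not the From: header claiming mydomain.com, and the domain whitelist zeroed the spam weight regardless. The script below is an added example, not SmarterMail code or anything from the poster: it parses those headers, flags the From/Return-Path mismatch and the unauthorized connecting IP, and applies the poster's own weights (+30, thresholds 10/15/25) with and without the whitelist bypass. The AUTHORIZED_SENDERS table is a constructed offline stand-in for a DNS SPF lookup.

```python
import re
from email import message_from_string

# Constructed sample: the headers from the question, reduced to the ones this check reads.
RAW_HEADERS = """Return-Path: <"www-data@alipgloss"@sbcglobal.net>
Received: from dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (UnknownHost [191.239.35.27]) by mail.mydomain.com with SMTP;
   Sun, 9 Nov 2014 22:45:25 -0800
To: bob@mydomain.com
From: <bob@mydomain.com
Subject: FACEBOOK Beatris Mendonsa enviou um comentario de voz.
"""

# Assumption: offline stand-in for what an SPF lookup for mydomain.com would authorize (TEST-NET address).
AUTHORIZED_SENDERS = {"mydomain.com": {"203.0.113.10"}}

# The poster's stated settings: +30 for an SPF failure; 10 tag, 15 junk, 25 delete.
SPF_FAIL_WEIGHT = 30
THRESHOLDS = [(25, "delete"), (15, "junk"), (10, "tag")]

def domain_of(header_value):
    """Domain of the last address-like token; tolerates the unclosed '<' in the From: header."""
    found = re.findall(r"@([A-Za-z0-9.-]+)", header_value or "")
    return found[-1].lower() if found else None

def connecting_ip(msg):
    """IP of the host that handed the message to our MX: the bracketed IP in the topmost Received:."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None

def analyze(raw, trusted_sender_bypass):
    msg = message_from_string(raw)
    env_domain, from_domain, ip = domain_of(msg["Return-Path"]), domain_of(msg["From"]), connecting_ip(msg)
    findings = []
    # SPF checks the envelope sender, so mydomain.com's SPF record is never consulted for this message.
    if env_domain != from_domain:
        findings.append(f"From/Return-Path domain mismatch: {from_domain} vs {env_domain}")
    # Alignment-style check: a From: claiming our domain must arrive from an IP our record authorizes.
    if from_domain in AUTHORIZED_SENDERS and ip not in AUTHORIZED_SENDERS[from_domain]:
        findings.append(f"{ip} is not an authorized sender for {from_domain}")
    weight = SPF_FAIL_WEIGHT if findings else 0
    if trusted_sender_bypass and from_domain in AUTHORIZED_SENDERS:
        weight = 0  # models the '(Trusted Sender - Domain)' whitelist seen in the headers
    action = next((name for limit, name in THRESHOLDS if weight >= limit), "deliver")
    return {"ip": ip, "findings": findings, "weight": weight, "action": action}

if __name__ == "__main__":
    for bypass in (True, False):
        print("whitelist on" if bypass else "whitelist off", analyze(RAW_HEADERS, bypass))
```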