How to Prevent Spoofing
Question asked by Bob Bell - 11/11/2014 at 7:07 AM
Return-Path: <"www-data@alipgloss"@sbcglobal.net>
Received: from dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (UnknownHost [191.239.35.27]) by mail.mydomain.com with SMTP;
   Sun, 9 Nov 2014 22:45:25 -0800
Received: by dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (Postfix, from userid 33)
    id 960DE24BCC; Mon, 10 Nov 2014 06:09:25 +0000 (UTC)
To: bob@mydomain.com
Subject: FACEBOOK Beatris Mendonsa enviou um comentario de voz. - [ 809896287042  ]
X-PHP-Originating-Script: 0:nmiqer.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: <bob@mydomain.com
Message-Id: <20141110060925.960DE24BCC@dinheironamao77.dinheironamao77.d4.internal.cloudapp.net>
Date: Mon, 10 Nov 2014 06:09:25 +0000 (UTC)
X-SmarterMail-Spam: SPF_None, UCEProtect Lev1, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, Custom Rules [], SURBL - Phishing:1
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
X-Antivirus: avast! (VPS 141109-1, 11/09/2014), Inbound message
X-Antivirus-Status: Clean
 
-------------------------------------------
 
Even though I have an SPF record for my domain, these emails FROM ME,  TO ME (sent by someone else) are still getting through. I think the problem is the line in red above -  (Trusted Sender - Domain)
 
How can I turn that off so Smartermail will reject the message based on the SPF record?
 
My AntiSpam settings are as follows.
 
+30 for SPF fail.
 
Filtering
 
10 = prefix with ***SPAM***
15 = move to junk folder
25 = delete message
 
Any help would be appreciated. Thanks!
 
Web Engineer
http://www.fullblownwebdesign.com

9 Replies

0
Bruce Barnes Replied
There are several things to check here:
 
1. Make certain you have SETTINGS ===> PROTOCOL SETTINGS ===> SMTP IN set to ALLOW RELAY = NOBODY
 
 
2. Make certain that all of your hosted domains are set to REQUIRE SMTP AUTHENTICATION under DOMAIN NAME ===> TECHNICAL:
 
 
3. Make certain your SMTP LOGS are set to DETAILED and then search for the e-mail address which is being spoofed in the SMTP LOGS.  Validate those which are found against the headers from the messages.
 
4. If the account is running on a desktop, run a virus scan on the user's computer using HOUSECALL from TREND MICRO.  Make certain you scan the entire machine and allow several hours for the scan to run.  If there are viruses, it will find them and remove them.
 
5. Make certain the user's machine's IP ADDRESS is not SMTP BYPASSED or WHITELISTED.  There is no reason to ever whitelist an IP address any longer.  It's a backdoor waiting to be found by hackers and it will be found - it's only a question of time.
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bob Bell Replied
Thanks Bruce. Looks like my settings are set as you recommended.

The Spoof mail is being sent from.

Return-Path: <"www-data@alipgloss"@sbcglobal.net>
Received: from dinheironamao77.dinheironamao77.d4.internal.cloudapp.net (UnknownHost [191.239.35.27]) by mail.mydomain.com with SMTP;

With my email address as the FROM and TO.
But my SPF record is not rejecting it.

The spammer is
Sending from sbcglobal.net
Not sending from my SmarterMail server.
Not sending from my home computer, via Outlook.

The only whitelisted IP I have is 127.0.0.1 so Wordpress sites can send email originating from the server itself.

TXT record @ v=spf1 a mx ip4:158.85.XXX.XXX ~all

So why isn't SmarterMail rejecting the message?
0
Bruce Barnes Replied
What do your SMTP LOGS show?
 
Is "www-data@alipgloss"@sbcglobal.net in your SMTP logs?
 
As an FYI, you should really set WordPress to SMTP authenticate.  Allowing it to be sent without authentication may block the delivery of some of those messages.  YAHOO! has the tools to do so and will soon begin implementing them for everyone.  Right now they only implement SMTP authentication checks against complaints.
0
Bob Bell Replied
I found it in the logs...

First time it was Greylisted...

22:16:24 [191.239.35.27][13589115] rsp: 220 mail.mydomain.com
22:16:24 [191.239.35.27][13589115] connected at 11/9/2014 10:16:24 PM
22:16:24 [191.239.35.27][13589115] cmd: EHLO dinheironamao77.dinheironamao77.d4.internal.cloudapp.net
22:16:24 [191.239.35.27][13589115] rsp: 250-mail.fullblown.com Hello [191.239.35.27]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
22:16:24 [191.239.35.27][13589115] cmd: MAIL FROM:<"www-data@alipgloss"@sbcglobal.net> SIZE=906
22:16:31 [191.239.35.27][13589115] rsp: 250 OK <"www-data@alipgloss"@sbcglobal.net> Sender ok
22:16:31 [191.239.35.27][13589115] cmd: RCPT TO:<bob@mydomain.com>
22:16:35 [191.239.35.27][13589115] rsp: 451 Greylisted, please try again in 60 seconds
22:16:35 [191.239.35.27][13589115] cmd: RSET
22:16:35 [191.239.35.27][13589115] rsp: 250 OK
22:16:35 [191.239.35.27][13589115] cmd: QUIT
22:16:35 [191.239.35.27][13589115] rsp: 221 Service closing transmission channel
22:16:35 [191.239.35.27][13589115] disconnected at 11/9/2014 10:16:35 PM

------------------
30 min later they resent the greylisted message and it was delivered
-----------

22:45:10 [191.239.35.27][60294296] rsp: 220 mail.mydomain.com
22:45:10 [191.239.35.27][60294296] connected at 11/9/2014 10:45:10 PM
22:45:10 [191.239.35.27][60294296] cmd: EHLO dinheironamao77.dinheironamao77.d4.internal.cloudapp.net
22:45:10 [191.239.35.27][60294296] rsp: 250-mail.mydomain.com Hello [191.239.35.27]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
22:45:10 [191.239.35.27][60294296] cmd: MAIL FROM:<"www-data@alipgloss"@sbcglobal.net> SIZE=906
22:45:20 [191.239.35.27][60294296] rsp: 250 OK <bob@mydomain.com> Recipient ok
22:45:20 [191.239.35.27][60294296] cmd: DATA
22:45:25 [191.239.35.27][60294296] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
22:45:25 [191.239.35.27][60294296] rsp: 250 OK
22:45:25 [191.239.35.27][60294296] Data transfer succeeded, writing mail to 390922577.eml
22:45:25 [191.239.35.27][60294296] cmd: QUIT
22:45:25 [191.239.35.27][60294296] rsp: 221 Service closing transmission channel
22:45:25 [191.239.35.27][60294296] disconnected at 11/9/2014 10:45:25 PM

-------------------------
Doesn't say anything about SPAM checking. Doesn't say it's FROM ME, but in Outlook MY email is the FROM address. So I can't mark it as SPAM in Outlook, or it will essentially block all messages from ME.
1
Bruce Barnes Replied
Is it coming from the same IP address that your Outlook uses, or has your password been compromised?
0
Joe Wolf Replied
Settings, Protocol Settings, SMTP In, make sure the box "Enable domain's SMTP auth setting for local deliveries" is checked.

That should solve the problem.

-Joe
0
Bob Bell Replied
No, it looks like he's sending emails from his SBCGLOBAL.NET account - with my email address as the sender. And I have received some bounce-backs, which means he is sending spam to others using my email address as the sender. Just sucks! I was hoping my SPF record would prevent that, but it doesn't seem to be working.
0
toby scott Replied
The sending server in the log, 191.239.35.27, isn't a Yahoo/SBCGlobal server.  It's a Microsoft hosted IP address. 
 

General IP Information

IP: 191.239.35.27
Decimal: 3220120347
Hostname: 191.239.35.27
ISP: Microsoft Corporation
Organization: Microsoft Hosting
Services: None detected
Type:  
Assignment: Static IP
1
Bob Bell Replied
I had my email address whitelisted. When I removed my email address from the whitelist, I have not received any more fraudulent emails sent by other people using my email address. I assume the SPF record is doing its job now.
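As an added illustration (not code from this thread or from SmarterMail), the scoring logic below shows why a From-address whitelist that fires before any check lets this message through with a weight of 0, and why Bob's own SPF record was never consulted on it: SPF is evaluated on the MAIL FROM domain (sbcglobal.net here), not on the header From. The placeholder IP 158.85.1.1, the A/MX answers, and the "fixed" ordering that honours the whitelist only for authenticated senders are assumptions.

```python
import ipaddress
# Constructed sample data: Bob's record from the thread with the redacted
# octets replaced by a placeholder IP; the A/MX answers are assumptions.
LOCAL_DOMAIN = "mydomain.com"
SPF_RECORDS = {LOCAL_DOMAIN: "v=spf1 a mx ip4:158.85.1.1 ~all"}
A_AND_MX = {LOCAL_DOMAIN: ["158.85.1.1"]}  # what 'a' and 'mx' resolve to
SPF_FAIL_WEIGHT = 30                       # Bob's "+30 for SPF fail"

def spf_check(domain, client_ip):
    """Minimal SPF evaluator (a, mx, ip4, all): pass/fail/softfail/neutral,
    or 'none' when the domain publishes no record."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if mech == "all":
            return verdict
        if mech in ("a", "mx") and str(ip) in A_AND_MX.get(domain, []):
            return verdict
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return verdict
    return "neutral"

def spam_weight(client_ip, mail_from, header_from, authenticated, whitelist, fixed):
    """Returns (weight, reason). fixed=False reproduces the trap in the thread:
    a whitelisted From address wins before any check runs. fixed=True (our
    assumption, not SmarterMail's documented logic) honours the whitelist only
    for authenticated senders and scores a local header From that the local
    SPF record does not authorise."""
    if header_from in whitelist and (authenticated or not fixed):
        return 0, "Trusted Sender - Domain"
    envelope_domain = mail_from.rsplit("@", 1)[-1]
    header_domain = header_from.rsplit("@", 1)[-1]
    weight, reasons = 0, []
    # SPF proper is evaluated on the envelope (MAIL FROM) domain, per RFC 7208.
    env = spf_check(envelope_domain, client_ip)
    reasons.append("SPF_" + env)
    if env in ("fail", "softfail"):
        weight += SPF_FAIL_WEIGHT
    # A header From in our own domain from an unauthenticated host the local
    # SPF record does not pass is the spoof pattern in the thread.
    if (header_domain == LOCAL_DOMAIN and not authenticated
            and spf_check(LOCAL_DOMAIN, client_ip) != "pass"):
        weight += SPF_FAIL_WEIGHT
        reasons.append("HeaderFrom_Local_Unauthorized")
    return weight, ", ".join(reasons)
```

With the thread's connecting IP and envelope sender, the unfixed path returns the header's "Trusted Sender - Domain" with weight 0, while the fixed path scores 30 and passes Bob's "+30 for SPF fail" threshold for the junk folder.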
