Seeing more spoofed emails from "our domain"
Question asked by Jason Wilhelm - 8/24/2021 at 12:39 PM
Hey all,
We seem to have had more and more of the spoofed emails showing it is coming from our domain (noreply@OURDOMAIN.com). Does anyone have any suggestions on how to squish these bad boys?


Return-Path: <hotel.school@telkomsa.net>
Received: from vps213.idc3.adatacenter.net (vps213.idc3.adatacenter.net []) by mail.OURDOMAIN.com with SMTP;
Mon, 16 Aug 2021 20:46:23 -0800
Received: from [::1] (port=59916 helo=telkomsa.net)
by vps213.idc3.adatacenter.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <hotel.school@telkomsa.net>)
id 1mFqzV-0006fu-Lv
for danielb@OURDOMAIN.com; Tue, 17 Aug 2021 06:46:20 +0200
From: Email Admin <noreply@OURDOMAIN.com>
To: danielb@OURDOMAIN.com
Subject: =?UTF-8?B?4oS577iPIE1BSUxCT1ggVVBEQVRFIC0g?=danielb@OURDOMAIN.com have Pending 6 undelivered emails
Date: 16 Aug 2021 21:46:11 -0700
Message-ID: <20210816214610.D669C9B40DFC689E@OURDOMAIN.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps213.idc3.adatacenter.net
X-AntiAbuse: Original Domain - OURDOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - telkomsa.net
X-Get-Message-Sender-Via: vps213.idc3.adatacenter.net: acl_c_authenticated_local_user: root
X-Authenticated-Sender: vps213.idc3.adatacenter.net: root

6 Replies

Ron Raley Replied
This particular message should FAIL an SPF check.

What weight settings -or- what are you doing with SPF failures on your server under Spam Settings?

Jason Wilhelm Replied
Thanks for the reply. Looking at our settings the SPF rule is at the default setting of 5 fail weight. Maybe I will jack that up and see if that helps. Thanks for pointing me in the right direction.
Kyle Kerst Replied
Employee Post
@Jason - As Ron noted these types of spoofs (From address is spoofed, return-path is not) are usually handled/blocked by a combination of SPF checks, DMARC checks, RDNS checks, etc.

I recommend making sure you have SPF/RDNS, DKIM, and DMARC deployed for these domains, and that those same spam checks are enabled on the SmarterMail side.

That should allow your instance to recognize these spoofed messages and put a stop to them. That will also better enable third-party users/mail servers to better handle any spoofed messages they are getting from your domains as well. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
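Kyle's point that these messages have a forged From: header but an honest Return-Path is exactly the case DMARC was designed for: SPF alone is evaluated against the Return-Path domain (telkomsa.net here), so SPF can even pass, while DMARC additionally requires that domain (or a DKIM signing domain) to align with the visible From: domain. The following script is an added example, not SmarterMail code or anything posted in this thread; it takes the SPF and DKIM verdicts a receiving server already produced, reads a DMARC record for the From: domain, and applies the alignment rule. The headers, the DMARC record and OURDOMAIN.com are constructed or taken from the thread's placeholder, and the organizational-domain helper is simplified to the last two labels rather than the Public Suffix List.

```python
"""Check DMARC-style identifier alignment on a captured message's headers.

Added example (not SmarterMail code). SPF checks the envelope sender
(Return-Path / RFC5321.MailFrom); DMARC additionally requires that domain,
or the DKIM signing domain, to *align* with the visible From: header
(RFC5322.From). A message whose From: is forged but whose Return-Path is
the spammer's real domain can pass SPF yet still fails DMARC.
"""
from email import message_from_string
from email.utils import parseaddr


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain of an address header value ('' if none)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption: real DMARC uses the Public Suffix List; the last two labels
    are enough for the plain .com/.net domains in this example.
    """
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=...' TXT record into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(domain_a: str, domain_b: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') exact."""
    if not domain_a or not domain_b:
        return False
    if mode == "s":
        return domain_a == domain_b
    return org_domain(domain_a) == org_domain(domain_b)


def dmarc_evaluate(raw_headers: str, dmarc_txt: str, spf_result: str,
                   dkim_results: dict) -> dict:
    """Combine the receiver's SPF/DKIM verdicts with DMARC alignment.

    spf_result:   'pass'/'fail'/... as produced for the Return-Path domain.
    dkim_results: {signing_domain: 'pass'|'fail'} per DKIM-Signature seen.
    Returns the identifiers, whether SPF is aligned, the DMARC outcome and
    the policy the domain owner requested for failures.
    """
    msg = message_from_string(raw_headers)
    record = parse_dmarc_record(dmarc_txt)
    header_from = domain_of(msg.get("From"))
    mail_from = domain_of(msg.get("Return-Path"))
    spf_mode = record.get("aspf", "r")    # DMARC default is relaxed
    dkim_mode = record.get("adkim", "r")

    spf_aligned = aligned(mail_from, header_from, spf_mode)
    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = any(res == "pass" and aligned(dom, header_from, dkim_mode)
                  for dom, res in dkim_results.items())
    return {
        "header_from": header_from,
        "mail_from": mail_from,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "policy": record.get("p", "none"),
    }


# Constructed sample, modelled on the headers quoted in the thread
# (OURDOMAIN.com is the thread's own placeholder).
SPOOFED = """\
Return-Path: <hotel.school@telkomsa.net>
From: Email Admin <noreply@OURDOMAIN.com>
To: danielb@OURDOMAIN.com
Subject: constructed sample

"""

# Constructed DMARC record for the placeholder domain; p=reject asks
# receivers to refuse mail that fails alignment.
DMARC_TXT = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@OURDOMAIN.com"

if __name__ == "__main__":
    # Even granting the spammer an SPF pass for telkomsa.net, the message
    # is not aligned with OURDOMAIN.com and DMARC fails under p=reject.
    print(dmarc_evaluate(SPOOFED, DMARC_TXT, spf_result="pass", dkim_results={}))
```

The script deliberately takes the SPF and DKIM results as inputs rather than doing DNS lookups, so it runs offline against a saved header block; in practice those verdicts come from the receiving server's own checks, which is why Kyle's advice to enable SPF, DKIM and DMARC checks on the SmarterMail side matters as much as publishing the records.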
Ron Raley Replied
As a follow up, you might want to reject all SPF failures completely. It's pretty safe to do so in 2021, in my opinion. We do. So we have SPF Fail 30.

I agree with Kyle that SPF, DKIM and DMARC should be established (via DNS) for every domain on your SmarterMail Instance.

Jason Wilhelm Replied
Thank you both Ron and Kyle, I am going to look into our SPF, DKIM & DMARC settings. I really appreciate the help.
Kyle Kerst Replied
Employee Post
Very welcome! Thanks to Ron as well :)
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
