Back to Community Threads
2
Seeing more spoofed emails from "our domain"
Question asked by Jason Wilhelm - 8/24/2021 at 12:39 PM
Unanswered
Hey all,
 We seem to have had more and more of the spoofed emails showing it is coming from our domain (noreply@OURDOMAIN.com). Does anyone have any suggestions on how to squish these bad boys?

HEADER INFORMATION & SCREENSHOT BELOW

Return-Path: <hotel.school@telkomsa.net>
Received: from vps213.idc3.adatacenter.net (vps213.idc3.adatacenter.net [78.47.67.66]) by mail.OURDOMAIN.com with SMTP;
Mon, 16 Aug 2021 20:46:23 -0800
Received: from [::1] (port=59916 helo=telkomsa.net)
by vps213.idc3.adatacenter.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <hotel.school@telkomsa.net>)
id 1mFqzV-0006fu-Lv
for danielb@OURDOMAIN.com; Tue, 17 Aug 2021 06:46:20 +0200
From: Email Admin <noreply@OURDOMAIN.com>
To: danielb@OURDOMAIN.com
Subject: =?UTF-8?B?4oS577iPIE1BSUxCT1ggVVBEQVRFIC0g?=danielb@OURDOMAIN.com have Pending 6 undelivered emails
Date: 16 Aug 2021 21:46:11 -0700
Message-ID: <20210816214610.D669C9B40DFC689E@OURDOMAIN.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps213.idc3.adatacenter.net
X-AntiAbuse: Original Domain - OURDOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - telkomsa.net
X-Get-Message-Sender-Via: vps213.idc3.adatacenter.net: acl_c_authenticated_local_user: root
X-Authenticated-Sender: vps213.idc3.adatacenter.net: root
X-Source: 
X-Source-Args: 
X-Source-Dir: 

4 Replies

Reply to Thread
0
Jason Wilhelm Replied
8/24/2021 at 3:39 PM
Ron,
 Thanks for the reply. Looking at our settings the SPF rule is at the default setting of 5 fail weight. Maybe I will jack that up and see if that helps. Thanks for pointing me in the right direction.
0
Kyle Kerst Replied
8/24/2021 at 4:28 PM
Employee Post
@Jason - As Ron noted these types of spoofs (From address is spoofed, return-path is not) are usually handled/blocked by a combination of SPF checks, DMARC checks, RDNS checks, etc.

I recommend making sure you have SPF/RDNS, DKIM, and DMARC deployed for these domains, and that those same spam checks are enabled on the SmarterMail side.

That should allow your instance to recognize these spoofed messages and put a stop to them. That will also better enable third-party users/mail servers to better handle any spoofed messages they are getting from your domains as well. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Jason Wilhelm Replied
8/25/2021 at 8:20 AM
Thank you both Ron and Kyle, I am going to look into our SPF DKIM & DMARC settings. I really appreciate the help.
0
Kyle Kerst Replied
8/25/2021 at 10:01 AM
Employee Post
Very welcome! Thanks to Ron as well :)
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Messages from Trusted Senders are going to my Junk folderSmarterMail > Troubleshooting
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Messages to Yahoo! Emails are Temporarily DeferredSmarterMail > Troubleshooting
Legal Holds and LitigationSmarterMail > Installation and Configuration