Seeing more spoofed emails from "our domain"
Question asked by Jason Wilhelm - 8/24/2021 at 12:39 PM
Unanswered
Hey all,
We seem to have had more and more spoofed emails showing up as coming from our domain (noreply@OURDOMAIN.com). Does anyone have any suggestions on how to squish these bad boys?

HEADER INFORMATION & SCREENSHOT BELOW

Return-Path: <hotel.school@telkomsa.net>
Received: from vps213.idc3.adatacenter.net (vps213.idc3.adatacenter.net [78.47.67.66]) by mail.OURDOMAIN.com with SMTP;
Mon, 16 Aug 2021 20:46:23 -0800
Received: from [::1] (port=59916 helo=telkomsa.net)
by vps213.idc3.adatacenter.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94.2)
(envelope-from <hotel.school@telkomsa.net>)
id 1mFqzV-0006fu-Lv
for danielb@OURDOMAIN.com; Tue, 17 Aug 2021 06:46:20 +0200
From: Email Admin <noreply@OURDOMAIN.com>
To: danielb@OURDOMAIN.com
Subject: =?UTF-8?B?4oS577iPIE1BSUxCT1ggVVBEQVRFIC0g?=danielb@OURDOMAIN.com have Pending 6 undelivered emails
Date: 16 Aug 2021 21:46:11 -0700
Message-ID: <20210816214610.D669C9B40DFC689E@OURDOMAIN.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps213.idc3.adatacenter.net
X-AntiAbuse: Original Domain - OURDOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - telkomsa.net
X-Get-Message-Sender-Via: vps213.idc3.adatacenter.net: acl_c_authenticated_local_user: root
X-Authenticated-Sender: vps213.idc3.adatacenter.net: root
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Jason Wilhelm Replied
Ron,
Thanks for the reply. Looking at our settings, the SPF rule is at the default setting of 5 fail weight. Maybe I will jack that up and see if that helps. Thanks for pointing me in the right direction.
Kyle Kerst Replied
Employee Post
@Jason - As Ron noted these types of spoofs (From address is spoofed, return-path is not) are usually handled/blocked by a combination of SPF checks, DMARC checks, RDNS checks, etc.

I recommend making sure you have SPF/RDNS, DKIM, and DMARC deployed for these domains, and that those same spam checks are enabled on the SmarterMail side.

That should allow your instance to recognize these spoofed messages and put a stop to them. It will also better enable third-party users/mail servers to handle any spoofed messages they are getting from your domains as well.
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
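Kyle's point that this kind of spoof (From header on our domain, Return-Path on someone else's) fails DMARC alignment, as an added Python example that is not from the thread or from SmarterMail: it parses the headers quoted above and reports whether the From domain is aligned with either the SPF-checked Return-Path domain or a DKIM signing domain. The org_domain fold is a simplified assumption (last two labels, not the Public Suffix List), and the SPF/DKIM results are passed in rather than looked up.

```python
import email
import re
from email.utils import parseaddr

# Constructed from the headers quoted in the question (domain placeholder kept as-is).
RAW_HEADERS = """\
Return-Path: <hotel.school@telkomsa.net>
Received: from vps213.idc3.adatacenter.net (vps213.idc3.adatacenter.net [78.47.67.66]) by mail.OURDOMAIN.com with SMTP; Mon, 16 Aug 2021 20:46:23 -0800
From: Email Admin <noreply@OURDOMAIN.com>
To: danielb@OURDOMAIN.com
Subject: MAILBOX UPDATE
Message-ID: <20210816214610.D669C9B40DFC689E@OURDOMAIN.com>

"""


def domain_of(addr):
    """Domain part of an address header value, lowercased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def org_domain(d):
    # Simplified organizational-domain fold (assumption): keep the last two labels.
    # Real DMARC evaluators use the Public Suffix List; this suffices for .com examples.
    return ".".join(d.lower().split(".")[-2:])


def connecting_ip(msg):
    """IP in the topmost Received header, i.e. the host that handed the message to our MTA.
    That address, not the From header, is what an SPF check evaluates."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None


def dmarc_alignment(raw, spf_pass_for_mailfrom=False, dkim_pass_domain=None):
    """Return (from_domain, envelope_domain, connecting_ip, aligned) under relaxed alignment.
    spf_pass_for_mailfrom: whether SPF passed for the Return-Path (MAIL FROM) domain.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, if any.
    DMARC passes only if a passing SPF or DKIM identifier shares the From org domain."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    spf_aligned = spf_pass_for_mailfrom and org_domain(env_dom) == org_domain(from_dom)
    dkim_aligned = bool(dkim_pass_domain) and org_domain(dkim_pass_domain) == org_domain(from_dom)
    return from_dom, env_dom, connecting_ip(msg), bool(spf_aligned or dkim_aligned)
```

Even if SPF passes for telkomsa.net, the identifiers are not aligned with OURDOMAIN.com, so a published DMARC policy of p=quarantine or p=reject tells receivers (including your own SmarterMail instance) to act on the message.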
Jason Wilhelm Replied
Thank you both, Ron and Kyle. I am going to look into our SPF, DKIM & DMARC settings. I really appreciate the help.
Kyle Kerst Replied
Employee Post
Very welcome! Thanks to Ron as well :)
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com