SM14, I am getting too many spam mails, especially ones where the from and to email IDs are the same and they talk about hacked passwords
Problem reported by Jaswanth Jain - 5/7/2024 at 12:47 AM
Not A Problem
SM14, I am getting too many spam mails, especially ones where the from and to email IDs are the same and they talk about hacked passwords. Can anyone help me with this?

6 Replies

Zach Sylvester Replied
Employee Post
Hey Jaswanth, 

Thanks for reaching out. I recommend that you open a support ticket so we can dig deeper into this issue. 
Having maintenance and support allows you to submit tickets for free. 
This kind of issue usually happens because of a configuration issue. So please open a ticket so we can investigate. 

Thanks, 
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
Kyle Kerst Replied
Employee Post
Just on the off chance someone else finds their way here looking for guidance: spoofed email attacks are often targeted attacks and so can be combated with DMARC primarily. By having a valid SPF record, DKIM record, and DMARC record you allow your email server (and others') to accurately determine if a sender is allowed to send on behalf of your domain. Getting those set up, and turning on those spam checks in your environment, is a great start to getting these types of problems resolved.
Kyle Kerst System/Network Administrator SmarterTools Inc. www.smartertools.com
Jaswanth Jain Replied
Hi, but my support and updates have expired. Is there any other way to work on this? Please guide me.

Jaswanth Jain Replied
Is there any documentation where I can check how to set up DMARC and DKIM? Can you please guide me.
Douglas Foster Replied
Spoof defenses are complex, and only part of the spam filtering problem. If you don't have budget for email product support and a spam filtering subscription, you might be better served by switching to a hosting service that provides some defenses as part of the base product. Send me a private message if you want vendor suggestions.

To the specific question:
Divide the problem into these groups:
- incoming messages that impersonate your own domain, and
- incoming messages that impersonate some other organization, such as a bank.

Your own domain.
A lot of spoofed email will use your own domain, and this may be the easiest to block. There may be some senders who impersonate your domain for legitimate reasons, but if not (or if you have exceptions for them), you can start by blocking incoming messages from your domain. This needs to be done in the SMTP Filtering, and it will probably work only if (a) you have a separate incoming gateway server, or (b) you have no client connections using POP/SMTP or IMAP/SMTP to connect.

Other domains are more difficult because you need to figure out if the message is from the external domain, from a service bureau acting on behalf of the domain, a mailing list that relays messages for that domain, or a bad guy acting without authorization. DMARC is only a tiny part of the solution.

To start your reading on DMARC, this is the official specification:
https://www.rfc-editor.org/rfc/rfc7489
It also depends on DKIM signatures and SPF. All of these are dependent on the specs for SMTP (RFC 5321) and Message Format (RFC 5322).

Even when you block a malicious impersonation, you have not solved the whole problem because you have not blocked the attacker. If he switches from impersonation to a non-impersonation attack, you are still vulnerable. So the best response to a malicious impersonation is to figure out the identifier which represents the attacker, and block that entity. Depending on the amount of spoofing and the attack source, the block may be based on the SMTP Mail From domain, the host name, or the IP address. You figure out which defense to use by reading the Raw Content version of the message.

RBLs and URIBLs are a way to benefit from data collected by others.

Good luck.
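An added example of the Raw Content triage Douglas describes (this is not code from the thread or from SmarterTools): it reads the raw message and pulls out the three identifiers a block could key on, the SMTP Mail From domain, the first external host name, and that host's IP, and flags both the self-domain impersonation case and the "from and to are the same" symptom from the original question. Our domain is assumed to be example.com, and the addresses, host names and IPs in the sample are constructed.

```python
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the domain we receive mail for

# Constructed raw message: it claims to be from (and to) one of our own mailboxes
# but entered our mail flow from an outside relay with a foreign bounce address.
SAMPLE = b"""Return-Path: <bounce@mailer-zz.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.example.com with ESMTP; Tue, 7 May 2024 00:47:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.com with ESMTP; Tue, 7 May 2024 00:47:01 +0000
From: "User" <user@example.com>
To: user@example.com
Subject: Your password was hacked

Pay up.
"""

# Matches the "from HELO (rdns [ip])" clause at the start of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)?\s*\[([0-9.]+)\]")

def domain_of(header_value):
    """Domain of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_ours(host, our_domain):
    return host == our_domain or host.endswith("." + our_domain)

def first_external_hop(msg, our_domain):
    """Walk Received headers top-down (newest first); the first sending host that
    is not ours is the entry point into our infrastructure."""
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rcvd)
        if not m:
            continue
        helo, rdns, ip = m.group(1).lower(), (m.group(2) or "").lower(), m.group(3)
        host = rdns if rdns and rdns != "unknown" else helo  # prefer verified rDNS
        if not is_ours(host, our_domain):
            return {"helo": helo, "host": host, "ip": ip}
    return None

def analyze(raw, our_domain=OUR_DOMAIN):
    """Identifiers a block rule could use, plus two spoof indicators."""
    msg = email.message_from_bytes(raw)
    header_from = domain_of(msg.get("From"))
    frm, to = parseaddr(msg.get("From", ""))[1].lower(), parseaddr(msg.get("To", ""))[1].lower()
    hop = first_external_hop(msg, our_domain)
    return {"header_from": header_from,                       # RFC 5322 From domain
            "mail_from": domain_of(msg.get("Return-Path")),   # RFC 5321 Mail From domain
            "external_hop": hop,                              # host name / IP candidates
            "from_equals_to": bool(frm) and frm == to,
            "self_spoof": header_from == our_domain and hop is not None}
```

Received headers can be forged below the first hop our own server stamped, so only the hop recorded by our own MX (the first external one when walking top-down) is trustworthy for a block decision.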
Jaswanth, where are you located, and where are those emails coming from (what country)?
Do you know how to look at the SMTP logs and find the IP addresses for those emails?

I think we discussed this in another thread, about the SMTP blocking.
Another option / question: what type of firewall are you using in front of your email server?
We are using pfSense as the firewall, and on it we have pfBlockerNG installed as an add-on package. With this setup, you can tell the firewall to block all traffic from specific geographic areas and drastically limit your attacks. You can block all of Africa, Asia, China, South America, and in addition there are pre-built lists of the most common scammers that can be blocked as well. It has drastically reduced our attack traffic.
And the best part is it is free and can run on almost any type of hardware, or even as a virtual machine.
And there are plenty of videos on it and demonstrations of how it works.

www.HawaiianHope.org - Providing technology services to non-profit organizations, low-income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!