Topic: Help! Spam is being faked from my domain

SoreTween

  • Most of me survived the Pennine Bridleway.
Help! Spam is being faked from my domain
« on: 04 April, 2021, 03:13:20 pm »
I've just received this mail delivery failure:
Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  nc-strahlca@netcologne.de
    (generated from carsten.strahl@koeln.de)
    host cc-mx3.netcologne.de [2001:4dd0:100:1062:25:3:0:3]
    SMTP error from remote mail server after end of data:
    550 Sorry your message looks like a spam and we don't want it. If you believe this is wrong, contact spfb@netcologne.de and mention id=153929::1616948557-0000784D-0F2C2CC3/10/38376054500


______________________________________________       
This email has been scanned by Netintelligence       
http://www.netintelligence.com/email
Reporting-MTA: dns; manhattan.snafu.de

Action: failed
Final-Recipient: rfc822;carsten.strahl@koeln.de
Status: 5.0.0
Remote-MTA: dns; cc-mx3.netcologne.de
Diagnostic-Code: smtp; 550 Sorry your message looks like a spam and we don't want it. If you believe this is wrong, contact spfb@netcologne.de and mention id=153929::1616948557-0000784D-0F2C2CC3/10/38376054500
Return-path: <v>
Received: from net-93-147-239-161.cust.vodafonedsl.it ([93.147.239.161])
    by manhattan.snafu.de with esmtp (Exim 4.94)
    id 1lQYBQ-00008x-As
    for carsten.strahl@koeln.de; Sun, 28 Mar 2021 18:22:36 +0200
Date: 28 Mar 2021 18:55:36 +0100
From: "carsten.strahl@koeln.de" <USER@MYDOMAIN>
X-Priority: 3
Message-ID: <098207061.202103281922@MYDOMAIN>
To: <carsten.strahl@koeln.de>
Subject: Re:Bitcoin Investment
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 93.147.239.161
X-SA-Exim-Mail-From: USER@MYDOMAIN
X-SA-Exim-Scanned: No (on manhattan.snafu.de); SAEximRunCond expanded to false

USER is a valid alias, I can't remember what it was set up for.  Some one-time shopping thing probably, I'll be able to look it up when I'm home.
MYDOMAIN is my .co.uk domain

I'm pretty confident I don't have interlopers in or relaying through my mail server, it's been shut down for 4 weeks.  More likely someone has guessed/rainbowed/bruteforced my ISP passwords.  There could be a nasty in our network but remote use is more likely.

I've suspected something like this might be going on for a while, lots of domains, e.g. road.cc refuse to send emails to me as if I'm on a naughty list.  Is there anything I can do other than phase out using the domain and start another?
2023 targets: Survive. Maybe.
There is only one infinite resource in this universe; human stupidity.

Davef

Re: Help! Spam is being faked from my domain
« Reply #1 on: 04 April, 2021, 04:43:17 pm »
For someone to generate an email pretending to come from a particular email address on your domain does not require a breach of your security. Anyone can claim to be sending from that domain.

It is important to set up DNS SPF records so that SMTP servers can spot illegitimate emails pretending to come from you and just delete them.

Kim

  • Timelord
    • Fediverse
Re: Help! Spam is being faked from my domain
« Reply #2 on: 04 April, 2021, 04:54:36 pm »
This.  Anyone can generate an email with whatever they like in the 'from' field.  That's how email works.  The only thing you can do is help the recipients' spam filters recognise when it isn't coming from you, using DKIM, SPF and DMARC.
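
Added example (my own illustration, not code from either poster or the forum): a small Python script that takes the header lines quoted in the bounce above, evaluates a hypothetical SPF record for MYDOMAIN against the connecting IP, and then applies a hypothetical DMARC policy the way a receiving server would. The DNS records and the relay address 203.0.113.25 are assumptions, not the OP's real records; it covers the SPF point in reply #1 and the DMARC alignment point in reply #2.

```python
import ipaddress
import re
from email.utils import parseaddr

# Constructed excerpt of the bounced message's headers, as quoted in the thread.
BOUNCE_HEADERS = """\
From: "carsten.strahl@koeln.de" <USER@MYDOMAIN>
X-SA-Exim-Connect-IP: 93.147.239.161
X-SA-Exim-Mail-From: USER@MYDOMAIN
"""

# Hypothetical DNS TXT records the domain owner would publish (assumed, not the OP's);
# 203.0.113.25 stands in for the ISP's outbound relay, the only permitted sender.
DNS_TXT = {
    "MYDOMAIN": "v=spf1 ip4:203.0.113.25 -all",
    "_dmarc.MYDOMAIN": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@MYDOMAIN",
}

def header(headers, name):
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.+)$", headers, re.M)
    return m.group(1).strip() if m else None

def spf_check(domain, ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms plus 'all' (no a/mx/include/redirect)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in results else ("+", term)
        if mech == "all":
            return results[qual]
        if mech[:4] in ("ip4:", "ip6:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return results[qual]
    return "neutral"  # no mechanism matched and no terminal 'all'

def dmarc_verdict(headers):
    """SPF result, DMARC identifier alignment, and the action the published policy asks for."""
    connect_ip = header(headers, "X-SA-Exim-Connect-IP")
    spf_domain = header(headers, "X-SA-Exim-Mail-From").rpartition("@")[2]
    # parseaddr ignores the display name, so the quoted "carsten.strahl@koeln.de" does not
    # affect alignment; only the real address in angle brackets counts.
    from_domain = parseaddr(header(headers, "From"))[1].rpartition("@")[2]
    spf = spf_check(spf_domain, connect_ip)
    aligned = spf == "pass" and from_domain.lower() == spf_domain.lower()
    m = re.search(r"\bp=(\w+)", DNS_TXT.get("_dmarc." + from_domain, ""))
    policy = m.group(1) if m else "none"
    return {"spf": spf, "from_domain": from_domain,
            "dmarc": "pass" if aligned else "fail", "action": "deliver" if aligned else policy}
```

For the bounce in the thread the verdict is SPF fail on 93.147.239.161, DMARC fail, action reject; the same headers sent through 203.0.113.25 would pass.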

Morat

  • I tried to HTFU but something went ping :(
Re: Help! Spam is being faked from my domain
« Reply #3 on: 05 April, 2021, 12:57:33 pm »
And welcome to the DKIM rabbit hole. It's worth it in the end.
Everyone's favourite windbreak

SoreTween

Re: Help! Spam is being faked from my domain
« Reply #4 on: 05 April, 2021, 04:51:55 pm »
Thanks. If I can take this one acronym at a time I might just get through without my head exploding.

No SPF records set for my domains. I'll see if I can do anything about that next Sunday.

Kim

Re: Help! Spam is being faked from my domain
« Reply #5 on: 05 April, 2021, 11:00:34 pm »
That said, in this instance, the recipient's spam filter has correctly identified the message as spam and rejected it, which is why you're getting a bounce.

Tomorrow's lesson is backscatter and how to avoid it...

Davef

Re: Help! Spam is being faked from my domain
« Reply #6 on: 06 April, 2021, 01:50:38 pm »
That is true - it does not prevent the spammer trying, but knowing they are likely to fail means they will look elsewhere. (At least in my experience and I have a domain that became a bit of a target).

I suppose it is like visible burglar alarms. They are a great deterrent until everyone on the street has one.

Re: Help! Spam is being faked from my domain
« Reply #7 on: 06 April, 2021, 03:08:25 pm »
That is true - it does not prevent the spammer trying, but knowing they are likely to fail means they will look elsewhere. (At least in my experience and I have a domain that became a bit of a target).

I find it hard to believe that spammers who can send out emails by the million at virtually zero cost bother to take the time to check out any of the spoofed origin addresses that they use for each mailshot.

Davef

Re: Help! Spam is being faked from my domain
« Reply #8 on: 06 April, 2021, 03:24:43 pm »
That is true - it does not prevent the spammer trying, but knowing they are likely to fail means they will look elsewhere. (At least in my experience and I have a domain that became a bit of a target).

I find it hard to believe that spammers who can send out emails by the million at virtually zero cost bother to take the time to check out any of the spoofed origin addresses that they use for each mailshot.
I suppose not if they are picking random domains and sending a few emails from each. If they are sending several million allegedly from one domain I suppose it is worth the extra couple of lines of code.

All I can say is it solved the problem for us (and it was quite major).

Re: Help! Spam is being faked from my domain
« Reply #9 on: 06 April, 2021, 11:53:33 pm »
This.  Anyone can generate an email with whatever they like in the 'from' field.  That's how email works.
If the postman delivered a letter claiming to be from a friend, but that obviously wasn't, I would not assume that someone had broken into my friend's house to send it.

Email was, in many respects, modelled on the postal service. There's even a Post Office Protocol. And the evidence in email that it came from where it says it came from is approximately as strong as that in the post.

Morat

Re: Help! Spam is being faked from my domain
« Reply #10 on: 09 April, 2021, 09:58:26 pm »
soretween

This is a decent and concise explanation of the whole process
https://www.endpoint.com/blog/2014/04/15/spf-dkim-and-dmarc-brief-explanation
It's a little out of date now in that DMARC is more accepted now.

I'm at the stage where DMARC is now configured but still in test mode due to an annoying third party.

SoreTween

Re: Help! Spam is being faked from my domain
« Reply #11 on: 11 April, 2021, 02:23:22 pm »
Thank you Morat, very useful.

I've set SPF on one domain; once it propagates I'll run some tests and, if nothing breaks, do the others next weekend.