Domain facing massive e-mail spoofing attacks: Can something be done?
Hello,
I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise in e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the “via” field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.
My mailserver doesn’t seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.
Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients’ inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name’s reputation (blacklist, …?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?
I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh, and my server isn’t an open relay.
Thank you!
When it says the email is “from” server 1 “via” server 2, the From address is an email that isn’t yours, and the Reply-To address on the mail has been rewritten to yours. Mail client software is supposed to display the Reply-To, but obviously doing that leads to a rise in spam fooling people, so I understand why spec isn’t followed there.
Your last sentence stitches the whole thing up: you’re doing everything right. Nothing can stop someone trying to impersonate you and sending emails professing to be from your email address. Your SPF, DKIM, and DMARC records will prevent them from being delivered most of the time, and even if it goes to spam the recipient mail client should put a warning on it to the effect that it failed verification. Not having an open relay prevents anyone from abusing your mail server itself, meaning anyone trying to impersonate you will fail verification, as they cannot send an email from your server’s IP or with your valid DKIM signature.
Your emails going to spam isn’t something you can readily stop, I’m afraid. All your security we’ve talked about so far is aimed at preventing fake emails from being delivered; going to the spam folder is a result of secondary sorting after delivery. I believe some systems take the verification into account, but who knows what other logic they apply. Most systems will skip secondary sorting for emails in the address book, so as '90s as it sounds: get yourself added to the address book. And make sure nobody reports your legitimate emails as spam; those reports do actually work.
Speaking of, when you get a bounce notice, it should say why. It might not be useful, but then again it might. Remember as well that your email may have bounced just because “Big Email Said No”: https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html
Other people sending spam shouldn’t affect your domain’s reputation; a lot of that is the IP the email is sent from, rather than the domain itself. Lists like SORBS and HostKarma work solely off the IP, to my understanding.
Tools I use regularly are https://mail-tester.com (3 free tests a day, don’t send attachments) to check for how deliverable your emails are, and https://senderscore.org for checking your reputation.
Finally, don’t worry about spammers targeting authorities while spoofing your email, if the French government’s IT security departments can’t tell it’s spam and not from you just by looking at the email headers, France as a whole has bigger problems 😋
I hope that helps! Sorry I can’t help with spam filtering in your own inbox, I’m mostly focused on deliverability to other inboxes. I also hope someone with more experience than me can chime in, because I’m sure there’s a lot I’m missing 😅
@voracitude Thank you very much! This confirms my worries, not much can be done…
You’re welcome! But honestly it’s not much of a worry, the methods you have in place are pretty effective. It’s just hard running your own mail server, all the big kids wanna push us around 😂
Do you have DKIM, SPF configured? If not, start there. Once that’s done, enable DMARC, and your problem will be solved. Be careful with DMARC, though - if the first two aren’t correct, legitimate emails will get blocked.
@intelisense
Those are properly configured, I get a 10/10 on mail-tester dot com, as well as everything validated on mxtoolbox.
Then you need to seriously consider if your mail server is compromised or a user’s credentials have been leaked. What does your DMARC record look like? Could be that DMARC is not blocking delivery yet.
@intelisense
Hello, thank you for your answer and sorry for the late reply. I took some time analyzing my SMTP server logs, and it contains 100% legit outgoing traffic. And no successful SSH connection for weeks on the server, so it can’t have been erased.
u/voracitude confirms my thoughts as well. I think the issue is outside and unrelated to my server. And the e-mail address in question seems to have leaked from several places according to haveibeenpwned (the password is safe though).
If SPF, DKIM and DMARC are properly configured, emails sent by any server other than your own will be rejected by the receiving server. Have you had complaints or is this just showing up in DMARC logs?
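To make the distinction in this thread concrete (a “via”/Reply-To rewrite versus a direct From: spoof, and what a p=none record does versus p=reject), here is an added example that is not part of the thread. The domains (victim.example, attacker.example), DMARC records and Authentication-Results values are constructed; DNS lookups and Public Suffix List handling are replaced by an in-memory table and a two-label approximation.

```python
"""Simplified DMARC evaluation over constructed sample messages.

Added example, not from the thread. Assumptions: DMARC records come from
the DMARC_RECORDS table instead of DNS, and the organisational domain is
approximated by the last two labels (real code uses the Public Suffix List).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed records (assumed data). victim.example stands in for the OP's domain.
DMARC_RECORDS = {
    "victim.example": "v=DMARC1; p=reject; rua=mailto:dmarc@victim.example; adkim=s; aspf=r",
    "attacker.example": "v=DMARC1; p=none",
}

# Constructed message 1: the "via" case. From: is the attacker's domain and
# authenticates fine there; only Reply-To has been rewritten to the victim.
VIA_REPLY_TO_SPOOF = (
    "From: Public Office <clerk@attacker.example>\n"
    "Reply-To: me@victim.example\n"
    "Subject: rubbish\n"
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=attacker.example;"
    " dkim=pass header.d=attacker.example\n"
    "\n"
    "body\n"
)

# Constructed message 2: a direct spoof of the victim's From: address sent
# from an IP not in the victim's SPF record and without a victim DKIM signature.
DIRECT_FROM_SPOOF = (
    "From: me@victim.example\n"
    "Subject: rubbish\n"
    "Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=victim.example;"
    " dkim=none\n"
    "\n"
    "body\n"
)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment requires an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract (result, domain) pairs for spf= and dkim= clauses; 'dkim=none' yields nothing."""
    results = {"spf": [], "dkim": []}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=([\w.\-@]+)", clause.strip())
        if m:
            method, result, ident = m.groups()
            results[method].append((result, ident.split("@")[-1]))
    return results


def evaluate_dmarc(raw_message, records=DMARC_RECORDS):
    """Return the DMARC verdict and the action the policy asks the receiver to take."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    record = records.get(org_domain(from_domain))
    result = {"from_domain": from_domain, "reply_to": parseaddr(msg.get("Reply-To", ""))[1]}
    if record is None:
        result.update(policy=None, dmarc="none", action="no-policy")
        return result
    tags = parse_dmarc(record)
    ar = parse_auth_results(msg["Authentication-Results"])
    spf_ok = any(r == "pass" and aligned(d, from_domain, tags.get("aspf", "r")) for r, d in ar["spf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r")) for r, d in ar["dkim"])
    policy = tags.get("p", "none")
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    if dmarc == "pass":
        action = "deliver"
    elif policy in ("reject", "quarantine"):
        action = policy
    else:
        action = "deliver-and-report"  # p=none: reports only, no blocking
    result.update(policy=policy, dmarc=dmarc, action=action)
    return result


if __name__ == "__main__":
    print(evaluate_dmarc(VIA_REPLY_TO_SPOOF))
    print(evaluate_dmarc(DIRECT_FROM_SPOOF))
    print(evaluate_dmarc(DIRECT_FROM_SPOOF, {"victim.example": "v=DMARC1; p=none"}))
```

The first message never touches the victim’s DMARC policy at all, because DMARC is evaluated against the header From: domain and Reply-To is not covered; that is why a “via” message with your address in Reply-To can pass authentication and be delivered however strict your own records are. The second message fails under the victim’s p=reject record, but the same message under a p=none record is still delivered and only shows up in the aggregate reports, which is the case the reply above asks about.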
Are you sure it’s spoofing and not a relay attack? It’s doubtful anyone would spoof you. More likely you left a relay open.
@wintermute_oregon
I tested on Mxtoolbox, it shows my server isn’t an open relay.
Check logs to verify you’re not sending the messages. It’s highly unusual for them to use a small domain for spoofing. The idea behind spoofing is you are using a name people would identify with.
Hi, thank you for the answer, and sorry for the late reply :( …
I analysed the logs thoroughly, and I can confirm my SMTP server hasn’t sent any email aside from the legitimate ones.
And u/voracitude’s answer confirmed my thoughts, being that the emails were sent from somewhere else.
I don’t think it’s that unusual to use a “small” domain for spoofing: SMEs are “easy targets” usually, and if the recipient’s anti-spam isn’t configured properly then the attackers could benefit from a domain which may be small but has a good reputation.
If you’re small you won’t have a reputation. It’s why they are not targeted. By default they’ll go to junk.
DKIM/SPF will help you out. You’ll end up being blacklisted over it. You don’t send enough email to have a true reputation.
Most spam filters for companies like Microsoft/proofpoint/mimecast will just end up adding your IP to the email firewall. That’ll be dropped on delivery.