Someone is spoofing my email - help?

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: ArtAndNet    Location: USA    Posted: Tue Dec 07, 2010 10:41 pm    Post subject: Someone is spoofing my email - help?
Hello, I hope you guys can help me. For several weeks now somebody has been sending out spam emails and changing the header to have my email address instead of their own. I became aware of this after I received tons and tons of "delivery failure notice" emails in my inbox - emails that I didn't send out.

This email is associated with a domain I own so I contacted my host and they said there isn't much they can do except to set up the SPF record. So they did that, but of course that doesn't stop the person sending out these spoofed emails. And I get more and more "bounced" emails back - so I guess the SPF is working in the sense that it alerts more email servers to block the emails. But how can I actually get the person to stop? Isn't there a way to have those delivery failures be sent back to the actual IP the emails are from instead of my inbox? That way the person would know his emails are not arriving and hopefully stop using my address. Thanks for any suggestions!

Author: Fire Ant    Location: London    Posted: Wed Dec 08, 2010 2:59 pm    Post subject:
Hi ArtAndNet,

You have a really annoying problem here.

Isn't there a way to have those delivery failures be sent back to the actual IP the emails are from instead of my inbox?
No, they always bounce back to the sender email address.

You should be able to find out the IP of the original sender in the SMTP header; however, if this person is using a botnet then there isn't much you can do. If all the emails come from a single friendly ISP you could notify the ISP using the abuse email address. They may be able to do something about the customer. But that may move them on to more nefarious methods.

If this person is really stupid and is using their own internet connection you could potentially use some legal recourse such as the CAN-SPAM Act.

Beyond this there isn't a lot you can do. Maybe someone else has had experience of this and can comment.

Fire Ant

Author: georgec    Posted: Mon Jul 25, 2011 4:42 pm    Post subject:
From the SMTP header you should be able to find the source email IP or better source email server and domain! Try to contact the source email server provider and if this guy is relaying through third-parties they should be able to block him!
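Both Fire Ant and georgec point at the Received headers as the place to find the sending IP. The added Python example below (not from the thread) shows the one reliable way to read them: walk the chain from the top and take the IP recorded by a hop you trust, here the bouncing MTA, assumed to be called mx.example.net; the sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample of a spoofed message as it comes back inside a bounce.
# Top Received line: added by the bouncing MTA (assumed name mx.example.net),
# so it records the IP that really connected. Bottom Received line: supplied
# by the spammer to make the mail look as if it left the victim's own server.
SAMPLE_SPOOF = """\
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <someone@example.net>; Tue, 7 Dec 2010 20:15:02 +0000
Received: from mail.victim-domain.example (mail.victim-domain.example [192.0.2.10])
\tby relay.forged.example with SMTP; Tue, 7 Dec 2010 20:14:55 +0000
From: owner@victim-domain.example
To: someone@example.net
Subject: constructed spoofed sample

body
"""

# "from <helo> (<comment with [ip]>) by <host>"; the comment is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value: str):
    """Return (helo_name, connecting_ip, receiving_host) for one Received
    header, or None if it lacks the usual 'from ... by ...' shape."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "") or IP_RE.search(m.group("helo"))
    return (m.group("helo"), ip.group(1) if ip else None, m.group("by"))

def origin_ip(raw: str, trusted_host: str):
    """Walk the Received chain newest-first and return the IP recorded by the
    first hop you trust. Every Received line below that hop was supplied by
    the sender and may be forged, so it is not evidence for an abuse report."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received") or []:
        parsed = parse_received(value)
        if parsed and parsed[2].lower() == trusted_host.lower():
            return parsed[1]
    return None
```

Trusting the forged hop instead (relay.forged.example) returns the victim's own server IP, which is exactly what the spammer wants an abuse report to say.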

Author: WHUK_Barb    Location: Leeds, UK    Posted: Wed Oct 17, 2012 7:25 am    Post subject:
First of all you'd need to check with your host whether open relay is enabled/disabled in the mail server settings. If enabled, ask them to disable it.
Then you must check if an SPF record is set for the mail domain. If the email account is hacked, make sure to reset its password.

Author: AdamV    Location: Leeds, UK    Posted: Thu Oct 25, 2012 3:10 am    Post subject:
Sounds like standard spoofing to me and very little you can do about it.

Spammer wants to find valid target addresses at company X, so simply sends (via botnet) thousands or even hundreds of thousands of emails with plausible permutations of names to their email server. Most will get an NDR, a few might reach the recipient and may have tracking in (e.g. images downloaded from a server) with enough to tell them which emails got through. Or maybe they don't even care to know which ones, just hope that if you throw enough mud, some of it sticks.

Of course, they may not be targeting any one company, but could be sending millions of emails hoping that even a small percentage get through.

Potentially they are trying to DDoS someone's email server - or possibly yours, as they can send a thousand emails each from 100 places on a botnet, which does not overload any one connection. And if they direct these all at 1000 different email servers then they can each cope with the volume too, and then all 100,000 email NDRs come back to one place as a focal point - you! Scale this up by a couple of zeroes and you can see how this can be fairly easy to do and hard to prevent. Maybe your host can implement some kind of firewall rule so you don't get these NDRs, based on something specific in the email header.
(incidentally, the codes for SPF refusals are different from a normal "recipient unknown" so they ought to be able to separate those out and drop them easily enough. Unfortunately very few people seem to bother checking SPF records so while it can help, it won't be a big proportion of the problem).

They could be trying to get your email blacklisted of course, although most systems for RBL are IP based rather than domain name, for exactly this reason.

Shame they are not spamming me - I don't send NDRs at all any more to try and alleviate this sort of problem of "backscatter". If you send me an email at the right domain but mis-spelled recipient name, it won't get through, I don't get a postmaster report and you don't get an NDR. (I do have lots of aliases of course, so various legitimate variations get through).

Within about a week of setting up my company 6 years ago and registering a domain I was receiving emails destined for kel_west, kelwest1 and other similar variations at my domain. My Exchange settings were to deliver unknown email to the postmaster, oh yeah, that's me. So I had to change that pretty quickly. At first I blacklisted these by assigning them to a user account to effectively dump them into a hole I could periodically clean out, but in the end I just opted to drop them silently (my server does not NDR or refuse the message, it allows it to be sent and then forgets it ever happened).
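AdamV notes that an SPF refusal carries a different code from a plain "recipient unknown", so the two kinds of backscatter can be separated before they reach a mailbox. The added Python example below (not from the thread) builds a constructed DSN and classifies it from the Status and Diagnostic-Code fields of its delivery-status part; the host and mailbox names are assumptions.

```python
from email import message_from_string

# Constructed minimal DSN (RFC 3464 multipart/report). Real bounces vary in layout,
# but Status and Diagnostic-Code in the message/delivery-status part are standard.
def make_dsn(status: str, diag: str) -> str:
    return f"""\
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Constructed human-readable part.
--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; someone@example.net
Action: failed
Status: {status}
Diagnostic-Code: smtp; {diag}
--B--
"""

def classify_bounce(raw: str) -> str:
    """Return 'spf-reject', 'unknown-recipient', 'other-failure' or 'not-a-dsn'.
    5.1.1 = bad destination mailbox (RFC 3463); 5.7.23 / 5.7.24 = SPF failure or
    error (RFC 7372). Many MTAs still report SPF rejections as a generic 5.7.1,
    so the diagnostic text is checked for 'SPF' as well."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return "not-a-dsn"
    status, diag = "", ""
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package splits the status part into one Message per header block.
        for block in part.get_payload():
            status = block.get("Status", status)
            diag = block.get("Diagnostic-Code", diag)
    if status == "5.1.1":
        return "unknown-recipient"
    if status in ("5.7.23", "5.7.24") or "spf" in diag.lower():
        return "spf-reject"
    return "other-failure" if status else "not-a-dsn"
```

Bounces classified as spf-reject are for mail the domain owner never sent and can be dropped at the gateway, while unknown-recipient bounces still need a look in case a legitimate user mistyped an address.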
