Re: [qmailtoaster] handling email spoofing

2016-08-30 Thread Eric

Rajesh,

SPF Definition:

"Sender Policy Framework (SPF)

SPF authenticates the envelope HELO and MAIL FROM identities by 
comparing the sending mail server's IP address to the list of authorized 
sending IP addresses published by the sender domain's owner in a 
"v=spf1" DNS record. SPF has succeeded several older envelope sender 
authentication protocols. Currently SPF is the only widely deployed 
envelope authentication protocol. For more info about this see the 
Statistics and Research pages.


Envelope sender authentication protocols like SPF are typically used 
early during the SMTP transaction, before the bulk of the message (its 
header and body) is transmitted. All of the following protocols require 
that an entire message be received before it can be rejected, due to the 
rules of the SMTP protocol. As a result, SPF continues to be an 
essential front-line defense against sender address forgery when 
deploying protection for the header fields and body. By rejecting 
envelope forgeries early, not only network traffic can be saved but also 
computing power for further protection measures, thus making the entire 
process more efficient.


One of the anticipated features of a future version of SPF is a way for 
domains to publish that they — or even just specific e-mail addresses of 
theirs — always use some content authentication protocol (see below) 
like DKIM, S/MIME, or PGP. This will allow receivers to automatically 
discard unsigned messages from such domains or addresses."


--http://www.openspf.org/Related_Solutions

As an example of SPF checking I'll use your email header sent to the 
qmailtoaster list that was sent to me as a list member, below:



Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by pet105.whitehorsetc.com with SMTP; 30 Aug 2016 12:59:21 -
Received-SPF: pass (pet105.whitehorsetc.com: SPF record at 
_spf.qmailtoaster.com designates 162.213.42.64 as permitted sender)



Note especially these two lines:
1) Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
and
2) pass (pet105.whitehorsetc.com: SPF record at _spf.qmailtoaster.com 
designates 162.213.42.64 as permitted sender).


My original questions were "Are you saying that the spam sender is 
spoofing the originating IP address?"


and

"Do you have an spf text record set up for domain_on_my_server.com?"

My first question was rhetorical. Your statement "but email is sent not 
from within my server but from some other external server," indicates 
the reason for my second question. An SPF record for "mycustomer.com" 
SHOULD take care of this according to how SPF works. Do you have one (an 
SPF text record) in the DNS settings for the spoofed domain 
(mycustomer.com or domain_on_my_server.com)?


Please let me know if I'm missing something. It must be clear to both of 
us WHAT SPF is checking before we can communicate rationally about it, 
and I'm not sure we're on the same page yet.


To find out if you have an SPF record for 'mycustomer.com' or 
'domain_on_my_server.com' run the following command:


# dig txt mycustomer.com

There should be a line in the output that resembles this:
mycustomer.com.  3600  IN  TXT  "v=spf1 mx a:mail.mycustomer.com -all"


Eric




On 8/30/2016 6:57 AM, Rajesh M wrote:

eric

spf checks the envelope sender (reply to) and not the "mailfrom" email id

the spammer is sending an email with "mail from" as some user on my server

example c...@mycustomer.com to emplo...@mycustomer.com

but email is sent not from within my server but from some other external server.

the scammer however has the envelope-sender / reply to as his legitimate email 
id and correctly configured. the qmailtoaster spf check is done not on the 
mailfrom but on the reply-to and the email gets delivered safely to the inbox 
of the employee.

now what happens is that the employee sees that the email is from the ceo and 
immediately takes action which leads to a phishing scam.

i wish to block emails where the mailfrom domain is on my server but the scam 
email is sent by a spammer from an external server posing as 
c...@mycustomer.com ... in other words email spoofing.

thanks,
rajesh




- Original Message -
From: Eric [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Sun, 28 Aug 2016 13:03:16 -0600
Subject:

Do you have an spf text record set up for domain_on_my_server.com?
SPF should check the 'a' and 'mx' record for the domain,
domain_on_my_server.com, against the sender IP address (the one that
actually connected to your server). Are you saying that the spam sender
is spoofing the originating IP address?

On 8/28/2016 7:14 AM, Rajesh M wrote:

hi

facing issue with email spoofing

example spammer sends an email with "mailfrom" as : user@domain_on_my_server.com

and the envelope sender is the spammer's email id which has spf records 
correctly in place

and hence spf is not able to catch such spammers.

how do i handle this ?

thank

Re: [qmailtoaster] handling email spoofing

2016-08-30 Thread Tony White

Rajesh,
  Have you tested your SPF record setup?
http://www.kitterman.com/spf/validate.html


best wishes
  Tony White


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com


Re: [qmailtoaster] handling email spoofing

2016-08-30 Thread Tony White

Rajesh,
  Can you send the email header so we can see exactly what you are describing 
please?
If you are not comfortable with this then I do not think we can do much to 
help. Maybe
send a copy of a header directly to Eric at least?

best wishes
  Tony White



Re: [qmailtoaster] handling email spoofing

2016-08-30 Thread Rajesh M
eric

spf checks the envelope sender (reply to) and not the "mailfrom" email id

the spammer is sending an email with "mail from" as some user on my server

example c...@mycustomer.com to emplo...@mycustomer.com

but email is sent not from within my server but from some other external server.

the scammer however has the envelope-sender / reply to as his legitimate email 
id and correctly configured. the qmailtoaster spf check is done not on the 
mailfrom but on the reply-to and the email gets delivered safely to the inbox 
of the employee.

now what happens is that the employee sees that the email is from the ceo and 
immediately takes action which leads to a phishing scam.

i wish to block emails where the mailfrom domain is on my server but the scam 
email is sent by a spammer from an external server posing as 
c...@mycustomer.com ... in other words email spoofing.

thanks,
rajesh





Re: [qmailtoaster] handling email spoofing

2016-08-28 Thread Eric

Do you have an spf text record set up for domain_on_my_server.com?
SPF should check the 'a' and 'mx' record for the domain, 
domain_on_my_server.com, against the sender IP address (the one that 
actually connected to your server). Are you saying that the spam sender 
is spoofing the originating IP address?





[qmailtoaster] handling email spoofing

2016-08-28 Thread Rajesh M
hi

facing issue with email spoofing

example spammer sends an email with "mailfrom" as : user@domain_on_my_server.com

and the envelope sender is the spammer's email id which has spf records 
correctly in place

and hence spf is not able to catch such spammers.

how do i handle this ?

thanks
rajesh
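
Added example, not part of the original thread and not qmailtoaster code: the case discussed here, where SPF passes for the envelope sender's domain while the From: header shows a local domain, can be detected by comparing the two domains. It assumes the receiving server writes Return-Path and Received-SPF at the top of the message and removes any copies supplied by the sender; classify, domain_of, build and the sample messages are hypothetical names and constructed data.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(raw_message, local_domains):
    """Compare the visible From: domain with the domain SPF actually checked."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])      # envelope MAIL FROM
    words = (msg["Received-SPF"] or "").split()  # msg[...] returns the topmost header
    spf = words[0].lower() if words else "none"
    if from_dom not in local_domains:
        return "not-local"        # From: does not claim one of our domains
    aligned = env_dom == from_dom or env_dom.endswith("." + from_dom)
    if spf == "pass" and aligned:
        return "aligned"          # the SPF pass covers the domain the user sees
    return "spoof-suspect"        # our domain in From:, but not vouched for by SPF

def build(return_path, spf_line, from_header):
    """Constructed sample message (not taken from the thread)."""
    return (f"Return-Path: <{return_path}>\n"
            f"Received-SPF: {spf_line}\n"
            f"From: {from_header}\n"
            "To: employee@mycustomer.com\n"
            "Subject: sample\n\nbody\n")

LOCAL = {"mycustomer.com"}
SPOOFED = build("billing@spammer.example",
                "pass (SPF record at spammer.example designates 203.0.113.7 as permitted sender)",
                '"CEO" <ceo@mycustomer.com>')
GENUINE = build("ceo@mycustomer.com",
                "pass (SPF record at mycustomer.com designates 192.0.2.10 as permitted sender)",
                '"CEO" <ceo@mycustomer.com>')
FORGED_ENVELOPE = build("ceo@mycustomer.com",
                        "fail (SPF record at mycustomer.com does not designate 203.0.113.7)",
                        '"CEO" <ceo@mycustomer.com>')

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("forged envelope", FORGED_ENVELOPE)]:
        print(name, "->", classify(raw, LOCAL))
```

A "spoof-suspect" verdict is the input a reject or quarantine rule would act on. Domain matching here is exact-or-subdomain rather than a public-suffix lookup.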




