Spoofed email from domain -- how to stop?
September 8, 2015 1:15 PM   Subscribe

Somehow, someone/thing is spoofing emails from my domain. Such as Xerox.Device8@domain.com. We only have a handful of authentic email accounts on the domain. This appears to be redflagging all of our emails, so many legit emails are being sent to spam folders... how can I deduce what the actual problem is, and how to stop it?

One recent email from the server:

"The message "Scanned Image from a Xerox WorkCentre" from Xerox WorkCentre (Xerox.Device8@domain.com) contained a virus or a suspicious attachment. It was therefore not fetched from your account david@domain.com and has been left on the server."

Previously, a virus/bug from an outdated Gravity Forms plugin was sending out tons of emails from our server, but we have since removed the plugin and wiped/reset all of our files, which seemed to eliminate most problems (that one was sending emails from our legitimate accounts).

(note: I switched my domain name with "domain.com")
posted by Unsomnambulist to Computers & Internet (9 answers total)
 
Email was built back in the days of a very trusting Internet. I can type any "From" address I want to into any email. There are some checks that attempt to slow this down, but these are server by server, and nothing is perfect.

In order to help you track this better, what we really need to see are the "Received" lines in the headers of one of the spoofed messages. If you can get the recipient to "view headers" in their email client (this varies from client to client) and copy the Received lines, that'll give us a better idea of what's happening and how to work around it.
posted by straw at 1:23 PM on September 8, 2015 [2 favorites]


The first thing I'd do is make sure you've got SPF records set up for your domain (and add them if you don't) - note that you may need to contact whoever's hosting your email to do this if you're not hosting it yourself. That will at least let other mail servers know that legitimate emails coming from your domain are indeed legit. If these addresses are used by anything that's not just residing on the server, it wouldn't be a bad idea to do virus and malware scans on those machines as well, if you can (including the server itself), just to make sure nothing got hit with anything.

If you do the virus checking and all that and there are still messages coming back, there's also the distinct possibility that someone is, whether on purpose or not, using your domain name elsewhere to send forged emails. While it's gotten somewhat better over time, it's still pretty easy to drop an email with whatever address you want on it into a random mail server that someone's probably not sure they've got running. So, in essence, it might not be you or anything you're running at all. SPF will help your actual email get through, however.
posted by mrg at 1:25 PM on September 8, 2015 [3 favorites]


Can you look at the headers of a couple of those emails to determine origin? You can copy and paste the header info to here to get a source if it's not something you figure out yourself by looking at the headers (it will show a source IP which, ideally, won't be your IP address).

You can enter your domain here to see if you're on any email blacklists to see if it's really your domain getting blocked or if it's just the emails themselves being blocked based on content.

It sounds more like it's a virus elsewhere that's using your domain info (see Joe Job).

That scanner email has been a known trojan for years.
posted by schnee at 1:26 PM on September 8, 2015


Response by poster: Thanks. Here is one such header:

MIME-Version: 1.0
x-gmail-fetch-message-id: <7>
x-gmail-fetch-pop-uid: UID72714-1367311627
Reply-To: Incoming Fax
Received: by 10.50.77.225; Wed, 19 Aug 2015 07:17:06 -0700 (PDT)
Date: Wed, 19 Aug 2015 07:17:06 -0700
Message-ID:
Subject: Scanned Image from a Xerox WorkCentre
From: Gmail Team
To: David Markland
Content-Type: multipart/alternative; boundary=f46d04289b09828164051daab0d4

posted by Unsomnambulist at 1:34 PM on September 8, 2015


I would recommend a strict SPF setup and potentially a DMARC policy on your domain.
posted by sleeping bear at 2:24 PM on September 8, 2015 [1 favorite]
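To make the SPF and DMARC advice from mrg and sleeping bear concrete, here is an added example (not code from this thread or from any of the posters) of what a DMARC-aware receiving server does with an inbound message. The DNS records, the outbound host address 203.0.113.10, the IPv6 range 2001:db8::/64 and the report address are all assumptions for the example; the evaluator covers only the ip4/ip6/all mechanisms and runs offline, so anything that needs a DNS lookup is reported as a temporary error rather than resolved.

```python
import ipaddress

# Constructed DNS TXT records for the poster's domain (assumptions for this
# example; 203.0.113.10 and 2001:db8::/64 stand in for the real mail host).
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/64 -all"
DMARC_RECORD = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@domain.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = ("include", "a", "mx", "ptr", "exists")


def evaluate_spf(record, sender_ip):
    """RFC 7208 subset: ip4/ip6/all with all four qualifiers.

    Mechanisms needing further DNS lookups return 'temperror' because this
    evaluator is offline; a real receiver would recurse into them.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in NEEDS_DNS or name.startswith("redirect="):
            return "temperror"
        # other modifiers (exp=...) do not affect the result
    return "neutral"  # nothing matched and no 'all' term


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Assumption: two-label organizational domains. Real receivers consult
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(mode, auth_domain, from_domain):
    if not auth_domain:
        return False
    if mode == "s":  # strict alignment: exact match only
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(tags, from_domain, spf_result, spf_domain,
                      dkim_result="none", dkim_domain=None):
    """Return (dmarc_result, action). DMARC passes only when SPF or DKIM
    passes AND the authenticated domain aligns with the header From domain;
    otherwise the receiver applies the p= policy."""
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "none")
    spf_ok = spf_result == "pass" and aligned(tags.get("aspf", "r"), spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(tags.get("adkim", "r"), dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


def check_message(sender_ip, mail_from_domain, header_from_domain,
                  dkim_result="none", dkim_domain=None):
    """What a DMARC-aware receiver decides for one inbound message."""
    spf = evaluate_spf(SPF_RECORD, sender_ip)
    result, action = dmarc_disposition(parse_dmarc(DMARC_RECORD), header_from_domain,
                                       spf, mail_from_domain, dkim_result, dkim_domain)
    return {"spf": spf, "dmarc": result, "action": action}


if __name__ == "__main__":
    # A forged Xerox.Device8@domain.com sent from a machine that is not ours
    print("spoofed:", check_message("198.51.100.7", "domain.com", "domain.com"))
    print("legit:  ", check_message("203.0.113.10", "domain.com", "domain.com"))
```

The point of the pairing: SPF alone only tells the receiver the connecting host is not in the record (and with "~all" it merely softfails); it is the DMARC p=reject policy that tells receivers to discard the forgery instead of guessing, and aspf=s additionally refuses to let a MAIL FROM on a subdomain vouch for the bare domain. The receiving server still has to check both, as LoveHam notes, which the example models but cannot force.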


We also need to see *all* the lines that start with "Received:" in them. The one line there:
Received: by 10.50.77.225; Wed, 19 Aug 2015 07:17:06 -0700 (PDT)
Basically says that a machine internal to some network (10.*.*.* addresses are reserved for internal networks) claims to have gotten the message at that time. It doesn't say what machine that machine got the message from, and could very well be totally made up (because mail servers just add those lines as they process them, they don't check previous lines for validity).

(You can leave off all of the other lines, they don't tell us much)
posted by straw at 2:33 PM on September 8, 2015
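As an added example of the header analysis schnee and straw describe (this is not code from the thread, and the headers are constructed, not the poster's real message), the script below unfolds a raw header block, parses every Received: line newest-first, and walks down the chain looking for the first public connecting address that is not one of the domain's own relays. The host names pop.example.org and mx1.example.net are assumed to be the recipient's own servers; 192.0.2.25 and 198.51.100.77 are documentation addresses standing in for public ones.

```python
import re
import ipaddress

# Constructed headers for this example (not the poster's real message).
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.25])
    by pop.example.org with ESMTP id a1b2c3
    for <david@domain.com>; Wed, 19 Aug 2015 07:17:08 -0700 (PDT)
Received: from [10.50.77.225] (unknown [198.51.100.77])
    by mx1.example.net with SMTP; Wed, 19 Aug 2015 07:17:06 -0700 (PDT)
Received: by 10.50.77.225; Wed, 19 Aug 2015 07:17:06 -0700 (PDT)
From: Xerox WorkCentre <Xerox.Device8@domain.com>
Subject: Scanned Image from a Xerox WorkCentre
"""

# Ranges that can never be a message's public origin (RFC 1918, loopback,
# link-local, ULA). Narrower on purpose than ipaddress.is_private, which
# also flags the documentation ranges used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

HOP_RE = re.compile(r"^(?:from\s+(?P<host>\S+)(?P<extra>.*?))?\s*by\s+(?P<by>[^\s;]+)",
                    re.I | re.S)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers):
    """Parse each Received: line (newest first) into from-host, from-IP, by-host."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = HOP_RE.match(value)
        if not m:
            continue  # unparseable relay format; ignore for origin purposes
        # The relay writes the peer's real address in brackets after the HELO
        # name, so the last bracketed IP in the 'from' clause is the peer.
        from_ip = None
        for candidate in IP_RE.findall((m.group("host") or "") + (m.group("extra") or "")):
            try:
                ipaddress.ip_address(candidate)
                from_ip = candidate
            except ValueError:
                pass
        hops.append({"from_host": m.group("host"), "from_ip": from_ip,
                     "by": m.group("by"), "raw": value})
    return hops


def origin_ip(hops, trusted_hosts):
    """Walk from the newest hop downward; the first public 'from' address that
    is not one of our own relays is the best origin candidate. Every line
    below it was written by machines we do not control and may be forged."""
    trusted = {h.lower() for h in trusted_hosts}
    for hop in hops:
        if hop["from_ip"] is None or is_internal(hop["from_ip"]):
            continue
        if hop["from_host"] and hop["from_host"].lower() in trusted:
            continue
        return hop["from_ip"]
    return None


def analyze(raw, trusted_hosts):
    hops = received_hops(unfold_headers(raw))
    return {"hops": hops, "origin": origin_ip(hops, trusted_hosts)}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS, {"pop.example.org", "mx1.example.net"})
    for hop in report["hops"]:
        print(hop["from_ip"], "->", hop["by"])
    print("origin:", report["origin"])
```

In the sample the bottom line, "by 10.50.77.225", is the only one the poster pasted; it names no peer and sits in a private range, so it is classified as unverifiable, exactly as straw says. The hop above it is the useful one: it was stamped by a relay the recipient controls and records the real connecting address, 198.51.100.77, even though the sender announced itself with the private literal [10.50.77.225]. If that origin turns out to be the poster's own server, the box is still compromised (alms's point); if it is somewhere else entirely, it is a Joe job and the fix is SPF/DMARC rather than cleaning the host.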


Just in passing, this is known as a "Joe job".
posted by Chocolate Pickle at 2:41 PM on September 8, 2015 [1 favorite]


SMTP is an insecure mechanism. Sender address can be spoofed. SPF should help assuming receiving email servers pay attention to SPF.
posted by LoveHam at 7:11 PM on September 8, 2015


This isn't necessarily a Joe Job. With a Joe Job, someone else is using your domain as their return address but sending the e-mail from their own servers. It's possible that your server has been compromised and is sending out the e-mails. You haven't given us enough information to rule that out. You previously had a problem that you characterized as a "virus/bug". It's possible that there's still something bogus on your server causing this problem.
posted by alms at 7:56 AM on September 9, 2015

