Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spam is being sent using my domain, what can I do?

Since it was released I've been using Google Apps FYD for stackednotion.com. All of the email I send goes through Google's servers and I use Gmail to view my email. I haven't had any issues before, however recently I've been seeing weird bouncebacks ending up in the catch all account. It looks like somebody is using my domain to send spam. I don't really want my domain getting marked with a bad reputation, so how can I stop this?

I have setup SPF, DMARC and DKIM on the domain by following the guides on Google Apps, here is my zone file:

; stackednotion.com [9548]
$TTL 86400
@   IN  SOA ns1.linode.com. luca.stackednotion.com. 2012072633 7200 7200 1209600 86400
@       NS  ns1.linode.com.
@       NS  ns2.linode.com.
@       NS  ns3.linode.com.
@       NS  ns4.linode.com.
@       NS  ns5.linode.com.
@           MX  1   ASPMX.L.GOOGLE.COM.
@           MX  5   ALT1.ASPMX.L.GOOGLE.COM.
@           MX  5   ALT2.ASPMX.L.GOOGLE.COM.
@           MX  10  ASPMX2.GOOGLEMAIL.COM.
@           MX  10  ASPMX3.GOOGLEMAIL.COM.
@           MX  30  ASPMX4.GOOGLEMAIL.COM.
@           MX  30  ASPMX5.GOOGLEMAIL.COM.
@           TXT "v=spf1 include:_spf.google.com ~all"
google._domainkey           TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi19ipSdqDEpnJEWrVF7MarSLnlzXi0wPOHws2BY6oMQInbY5OHzdw9LcFr1biVvipErm4odyJfjZAIp5s8r6z50ZxQdW5Uwdy9krA1A9HMPaqVN+fm2xpntU//uXn0wD8sGc9CljYQIl+MusxQ690PfVGnAz/QeLqaZFxpHHmmQIDAQAB"
_dmarc          TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
@           A   178.79.164.64
*           A   178.79.164.64
_xmpp-server._tcp       SRV 5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp       SRV 20 0 5269 alt1.xmpp-server.l.google.com.

Also here are the headers of a spam message (somebody tried to susbscribe me to a Zend mailing list, what kind of sick people are they?!?):

Return-Path: <[email protected]>
Received: (qmail 20117 invoked from network); 27 Jul 2012 06:51:01 -0000
Received: from exprod7mx200.postini.com (HELO psmtp.com) (64.18.2.92)
  by rsmx2.zend.com with SMTP; 27 Jul 2012 06:51:01 -0000
Received: from source ([188.51.41.223]) by exprod7mx200.postini.com ([64.18.6.13]) with SMTP;
        Fri, 27 Jul 2012 02:51:00 EDT
To: <[email protected]>
Subject: Invoice #48469883494
From: "Order" <[email protected]>
Date: Sat, 28 Jul 2012 09:40:03 +0300
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: IPS PHP Mailer
MIME-Version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <20120728094003.9312B884F9D66F02CE7C@DELL-PC>
X-pstn-neptune: 500/484/0.97/100
X-pstn-levels:     (S: 0.00346/89.11253 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipp
like image 701
Luca Spiller Avatar asked Jul 27 '12 07:07

Luca Spiller


People also ask

Can a spam email be sent from my domain name?

Most SPAM is sent using #2 above. So a quick line of code and they can send an email that looks like it was sent from your domain, but had nothing to do with your domain. WHY WOULD SPAMMERS SEND EMAIL FROM MY DOMAIN?

How does spam email work?

This is how most spam is sent. Any server can send emails and code can make the reply address say anything. A few lines of code could send an email from [email protected].

Is there a way to stop spam from using my domain?

No one's using your domain to send spam. They're using spoofed sender data to generate an email that looks like it's from your domain. It's about as easy as putting a fake return address on a piece of postal mail, so no, there's really no way to stop it.

Do you need a domain to send an email address?

The sending email address doesn’t have to even be a working email address. This ease of misrepresenting the actual sender of email messages is why Mailchimp, Google G Suite and other high quality email sending services ask you to verify your ownership of your sending domain before you may send email messages using a particular domain.


2 Answers

At present, the way to reduce miscreants ability to send spam purportedly from your domain is to inform other mail servers what servers are allowed to send mail on your domains behalf. The mechanism is SPF and you already have a SPF record:

TXT "v=spf1 include:_spf.google.com ~all"

If blocking forgery attempts is your desire, this can be improved upon. Read the SPF Record Syntax page that describes what your SPF policy should be. If you have other mail servers sending mail on behalf of your domain, add them to the SPF record and change your policy to fail:

TXT "v=spf1 include:_spf.google.com -all"

Because SPF is so widely deployed, this will make a difference. But SPF has edge cases (forwards, email lists, etc.) where SPF policy fails, so most sites choose to be more liberal with SPF policy than you request. For example, if your policy is set to reject, and the message appears to be from an email list, most servers notate it somehow (the Authentication-Results header is defined for this purpose) and allow it to pass.

This is where DMARC comes in. You have already added a DMARC record:

_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

Your policy is only to quarantine failing DMARC messages. If the DMARC reports do not indicate any valid messages being blocked, and/or you are willing to live with some edge cases where valid messages are rejected, then you can improve upon this with p=reject.

Not surprisingly, getting bounces from mail servers for spam purporting to be from one of my domains is exactly what compelled me to start DKIM signing my messages, so that I could deploy DMARC. DMARC is a policy mechanism that combines SPF and DKIM, so that domain owners can assert to other mail servers that, "If it's not from this list of IPs (SPF) and it's not DKIM signed, then [reject|quarantine|allow] it."

DMARC works brilliantly. Instead of getting bounce messages, now I get DMARC reports. I use Mail::DMARC to parse the reports and put the summaries into a database.

DMARC is still an IETF draft and it's not widely deployed. However, most large email providers have implemented it and coverage is surprisingly good. After deploying DMARC for my domain, I wrote a DMARC plugin for Qpsmtpd, so I could validate incoming messages against DMARC policy. I published some of my findings as a DMARC operator in a DMARC FAQ.

I mentioned edge cases earlier, so I feel compelled to share one.

Google handles misaligned messages (those that fail both SPF and DKIM alignment) by dropping them into the users Spam folder. I have become familiar with this because emails sent from my domain are generally treated well by gmail. The exception is for messages relayed through some email lists such as [email protected]. Messages I sent to that list get modified by the list processing software, invalidating my DKIM signature. When the message is forwarded to gmail recipients, those messages are marked as spam because a) I have published a reject DMARC policy, and b) that email list isn't a valid SPF sender of email from tnpi.net, and c) the DKIM signature bearing my domain fails validation.

There are workarounds, besides fixing the list software, such as adding the offending mailing list server to my SPF record. Some DMARC implementations will detect messages from mailing lists and reduce the policy severity (ie, Google quarantines my list messages rather than rejecting).

At present, there is no better way to inhibit phishing and spoofing attempts using your domain than a well implemented DMARC policy.

like image 175
Matt Simerson Avatar answered Nov 03 '22 08:11

Matt Simerson


I've noticed an increase in this kind of spoofing in the last few weeks as well.

The Google support page on this issue notes:

"Because these messages originate outside of Gmail, we aren't able to stop spammers from spoofing your address. However, Google helps protect your Gmail address's reputation by designing our systems to authenticate all the mail that really comes from you. When another domain receives an unauthenticated message from Gmail, it can tell that you didn't really send the mail, and it is unlikely that your email address will be blocked. For our part, we are concerned about spoofing and bouncebacks. We ask you to report these messages by checking the box next to the unwanted message and clicking Report Spam at the top of your inbox, or by opening the message and clicking Report Spam at the top of the message."

"You can help stop spammers by also sending the full headers of these unlawful messages to the Federal Trade Commission at [email protected]."

like image 23
charliepark Avatar answered Nov 03 '22 09:11

charliepark