Email Spoofing

jamie
HostMySite Sales Rep
Email Spoofing is the term used to describe a technique that both viruses and spammers have begun using to fool antiviral programs and spam filters alike. It involves corrupting the header of an email message so that when the message arrives at its destination, the return address is faked.

The worst form of this is when the fake email address is in fact from your own domain name or your own email address! For example, my email address is jamie@hostmysite.com. Today I received a notice from abuse@hostmysite.com that my email account is over limit and will be deleted soon. Of course, this was a fake email (especially since I am the HostMySite postmaster and I don't remember sending it to myself), but the faked return address was a little misleading at first. We have had many clients complain when their email address is used as a spoof and they receive tons of undeliverable messages as a result. In other words, the virus/spammer uses 'jamie@hostmysite.com' as the return address and sends out 10,000,000,000 emails, of which 99% bounce back to the sender - which in this case is me! Unfortunately, there's nothing that can be done for this. I can't block the original email from going out because it's not originating from our servers, and though I could track down the original sender from the headers I get in the bounced messages, chances are it would be wasted time since I'd only find a virus-infected computer at the end of my search (which could take several hours).

spoof busting

mikek

I see from digging around your support area that your spam filter can be set to check SPF records.
Do you support SPF records or DomainKeys for the domains you host?

Re: spoof busting

jamie
HostMySite Sales Rep

We support SPF records - simply send us the record and we can add it to your domain's DNS zone file (if you're using our nameservers). I'm not familiar with DomainKeys offhand... can you clarify that?

mikek

Thanks - we have been getting terrible service from Datapipe (aka Hi Speed Hosting) and are looking for a new web host / email provider. Basically they seem to get blacklisted all the time - I see from poking around here that you folks try hard to keep from getting blacklisted with your outgoing spam checks and all. So I was curious if you were using SPF or DomainKeys yourself. We figure anything is better than nothing to try and stop the jerk spoofers.

DomainKeys are another type of spoof-buster thing. Honestly I'm just an idiot end user and sort of rely on our providers to know all this, so forgive me if I'm wrong. Basically, if I understand it correctly, DomainKeys is a way that the individual message gets signed, so instead of the incoming mail server looking for an SPF record to see if the mail was permitted to be sent from the server it originated from, like with SPF, the signature of the email is checked against a public key. It was invented by Yahoo - all their legit outgoing email has it, plus other major free email places too. Gmail uses it (with SPF), Earthlink, among others. I looked into it a while ago, and there are flaws with both SPF and DomainKeys. (I think the forwarding issue that you have problems with, needing to filter outgoing spam, trips one or the other up, as an example.) Here's the wiki: http://en.wikipedia.org/wiki/Domain_keys

Might be something to look into for incoming mail checks too - again, just a dumb user, but I think you can catch all bogus email from Gmail, Earthlink (and all their hosted domains), and Yahoo (and all their hosted domains) using DomainKeys. I think you need an appliance to do it though - like the Barracuda one of you guys mentioned in the other thread - it needs something to compare the public and private keys. DISCLAIMER - again, just a dumb user, so anyone reading the above should confirm on their own before trusting my ignorant interpretation.

Back to you guys and SPF records - do you guys know how to help create them? Datapipe has been totally hostile. They aimed us to the spf.org wizard; we ran it and told them what it said and asked them to please confirm we weren't doing anything stupid (again - I know I'm a stupid end user - LOL). They put something totally different in the record that basically forces all our email to fail the SPF check.

From investigating, it seems my outgoing mail doesn't really come from mail.mydomain.com but rather that's an alias for datapipeXX.yymail.com - but the dumb _______'s set the SPF so that all our mail should come from mail.mydomain.com. When I question them they give me some BS about load balancing and can't figure out how to change the SPF record to fix it. The spf.org wizard seemed to come up with a record that just said check the MX record, and since the load balancing server was listed there all would be well if they would have done what the wizard said. We can run the wizard but would love someone who knows to double check and make sure we are correct. Thanks, Mike

ArmorJeff

Jamie,

There actually are some things you can do about this with Content Filtering. For example, you could create a rule that says, essentially: any mail from abuse@hostmysite.com AND that has certain text or header parts that are (really) always in your mail is OK, and just add something to the header (remember only 1 content filter is applied). Below that rule, a rule that says that any mail from abuse@hostmysite.com that has (insert common text of the offending email (will have to be updated to block different offenders), or leave blank to filter all email that makes it here) made it this far should be dealt with as you wish (deleted, forwarded to spam box for review). Hope I did at least a decent job of explaining what I mean. It's kind of hard to explain on the message board but it can be done. I have created LOTS of filters....... Jeff

Spoofed Return Addresses

scottmac

We've recently (last couple weeks) noticed a huge increase in spam with spoofed return addresses using our domain coming in to our email. It's obvious the remote user is somehow spoofing the return address because the mail is originating from a different server.

Is there any method at all in SmarterMail that can slam the door on this stuff? We're on a VPS box and have several mailservers running - have noticed the same increase in spoofing on some of our other domains. I scanned something on the new SmarterMail 4.0 product - just skimmed a description of enhanced spam and other tools. Does anyone have any info on those new features? Lastly - is there a good overview here or somewhere with a list of tips on how to secure a mailserver properly against this and other issues? Thanks.

ArmorJeff

Always remember that content filtering runs top to bottom and only one rule takes effect (once one rule applies, there are no more rules run for that message). With that in mind you can make a rule that has all your legit addresses in it and say that if the address is present, just add a line to the header. Below that, put a rule that has *.yourdomain as the address and sends all messages to a spam box or deletes them if you wish. This has worked well for me.

mikek

Our first rule is a whitelist rule - it says add a line to the header for anyone on the whitelist. Then make sure your whitelist contains all your site's good addresses. Later on down the line, make another rule to do what you want with any other mail from *@yourdomain.com. That filters pretty well - BUT you still get beat with stuff that is "from" goodaddress@yourdomain.com to goodaddress@yourdomain.com. Myself, I filter those on my personal rules list - too much effort to do everyone, but I tell them what to do. Basically we use firstnamelastinitial@ourdomain.com - so the rules say any mail that comes from myfirstnamelastinitial@mydomain.com also must have my full last name in the header or it gets deleted. So as suggested above - find something that will exist in all your good emails that a spammer wouldn't know and use that to pass stuff.
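The two-rule, first-match filter that Jeff and Mike describe, written out as an added example (this is not SmarterMail's rule engine or anyone's posted configuration). The domain, whitelist, secret token and sample messages are all constructed; the point it shows is that rule order decides the outcome and that a self-addressed spoof only gets caught because the genuine-mail rule also demands the token.

```python
import re

# Constructed values standing in for a real SmarterMail setup (hypothetical).
OUR_DOMAIN = "mydomain.com"
WHITELIST = {"mikek@mydomain.com", "jamie@mydomain.com"}
# Something present in every genuine message that a spoofer would not know:
# here the sender's full last name, as in the post above (constructed value).
SECRET_TOKEN = "Kowalski"

# Rules run top to bottom; the FIRST rule whose test matches decides the action
# and no later rule is evaluated for that message.
RULES = [
    ("whitelist-with-token",
     lambda m: m["from"] in WHITELIST and SECRET_TOKEN in m["headers"],
     "add-header"),
    ("claims-our-domain",
     lambda m: re.fullmatch(r"[^@]+@" + re.escape(OUR_DOMAIN), m["from"]) is not None,
     "spam-box"),
]

def apply_filter(msg, rules=RULES):
    """Return (rule_name, action) of the first matching rule, or (None, 'deliver')."""
    for name, test, action in rules:
        if test(msg):
            return name, action
    return None, "deliver"

# Constructed sample messages: one genuine, one self-addressed spoof, one outsider.
GENUINE = {"from": "mikek@mydomain.com", "to": "jamie@mydomain.com",
           "headers": "From: Mike Kowalski <mikek@mydomain.com>"}
SELF_SPOOF = {"from": "mikek@mydomain.com", "to": "mikek@mydomain.com",
              "headers": "From: mikek@mydomain.com"}   # no token: forged
OUTSIDER = {"from": "someone@example.org", "to": "mikek@mydomain.com",
            "headers": "From: someone@example.org"}

def demo():
    """Run the three samples through the filter; maps label -> action."""
    return {label: apply_filter(m)[1]
            for label, m in [("genuine", GENUINE), ("self_spoof", SELF_SPOOF),
                             ("outsider", OUTSIDER)]}

if __name__ == "__main__":
    print(demo())
    # Swapping the rule order makes the domain rule swallow genuine mail too:
    print(apply_filter(GENUINE, RULES[::-1]))
```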

Allen
Forum Regular

I'm glad I found this thread... same thing is happening with me. I noticed too there are always attachments but I've never dared open one.
I think the only solution is to have a death penalty for spamming.

Alan
HostMySite Marketing

Make sure it includes death for people that have nothing better to do than make fake users and post porn spam links on message boards.

rcorbin

If you do need help with SPF records I can help you with it. However, I do understand DataPipe's stance on this. If an SPF record is created inaccurately then it could cause your potential legitimate messages to bounce and cause a huge headache. Basically our infrastructure works like this:

1. You send your mail to the mailserver via something like Outlook, or use webmail.
2. The mailserver connects to a load balancer.
3. The load balancer then distributes the connections to 1 of 8 outbound servers.
4. The outbound servers send the messages to the recipient's MX record's IP.

So since the receiving mail servers see the connecting IP as our outbound gateways, your SPF records would have to contain those IPs, and not your actual mailserver's IP. This is where the problem lies. Our outbound gateways rotate IP addresses every hour, not to get around blacklists but because we're basically sending 2 million emails a day from 8 servers. Many ISPs will block due to the sheer volume of emails coming from only 8 servers. So we rotate them to make the outbound mail network look larger. 80 or so mailservers send through these 8 boxes. So now that the IPs rotate we have to find a way to include all of these IP addresses. I believe there are 45 outbound IP addresses for our mail gateways. These IPs are usually in groups of 5 or so, all from different ranges. We can add IPs into an SPF record via IPV4:x.x.x.x/x; however, when you get all 45 of them and even aggregate them it's simply too large for the TXT record to hold. We have tossed around a few ideas such as using the PTR:*.domain.com, as all of our outbound IPs have a reverse DNS record with safesecureweb.com in it. However, the problem with this is if a spammer is spoofing your domain and sending millions of emails saying they are you, think of how many DNS queries are going to be made. First it's going to query the servers for the FQDN of the IP's PTR record. It will then query the FQDN from the PTR for its A record.

This is a huge, huge load, which is why we cannot use the PTR record. Our name servers would go down daily. I am still working with one of the guys from our networking department to try and come up with a good SPF record to apply to our shared customers that will work. Another reason SPF records are usually a hands-off situation for hosting providers is it's frequent that users have their ISP as an outbound server. If we create the SPF record for our servers, we won't know if your users have their ISP as an outbound server instead. This could potentially cause their mail to not be accepted by the sending server. So I can see why this is a sticky subject with DataPipe. If you want you can send me a PM and we can try and work on a good valid SPF record for you. -Ray
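To make concrete why Mike's wizard record ("check the MX record") passes while a record pinned to mail.mydomain.com fails when mail really leaves through a load balancer, and how Ray's rotating gateway ranges can be published once and pulled in with include:, here is an added SPF evaluator (not code from the page, the hoster, or a real resolver). The DNS table, domain names and IP ranges are constructed; it implements only the ip4, a, mx, include and all mechanisms, and omits the ptr mechanism Ray rejects for its lookup cost.

```python
import ipaddress
# Constructed DNS table standing in for real lookups (hypothetical names and IPs);
# mail.mydomain.com is only an alias, mail actually leaves via the load balancer.
DNS = {
    "TXT": {
        "mydomain.com": "v=spf1 mx -all",                   # what the spf.org wizard proposed
        "gateways.example.net": "v=spf1 ip4:198.51.100.0/28 ip4:203.0.113.16/28 -all",
        "shared.example.net": "v=spf1 include:gateways.example.net -all",
    },
    "MX": {"mydomain.com": ["lb.example.net"]},
    "A": {"lb.example.net": ["198.51.100.5"],
          "mail.mydomain.com": ["192.0.2.10"]},
}
HOSTER_RECORD = "v=spf1 a:mail.mydomain.com -all"   # what the hoster published instead
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, record=None, depth=0):
    """Evaluate connecting IP against domain's SPF record (or an explicit record)."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = DNS["TXT"].get(domain) if record is None else record
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # IP must be an A record of the named host
            matched = ip in DNS["A"].get(arg or domain, [])
        elif mech == "mx":              # IP must be an A record of one of the MX hosts
            matched = any(ip in DNS["A"].get(h, []) for h in DNS["MX"].get(arg or domain, []))
        elif mech == "include":         # recurse; only a 'pass' of the included record matches
            matched = check_host(ip, arg, depth=depth + 1) == "pass"
        else:
            return "permerror"          # ptr, exists, etc. are not implemented here
        if matched:
            return RESULT[qual]
    return "neutral"                    # default when no mechanism matched

if __name__ == "__main__":
    lb = "198.51.100.5"
    print(check_host(lb, "mydomain.com"))                    # pass: lb is the MX host
    print(check_host(lb, "mydomain.com", HOSTER_RECORD))     # fail: lb is not mail.mydomain.com
    print(check_host("203.0.113.20", "shared.example.net"))  # pass via include:
```

The same evaluator shows the other side of Ray's concern: a user whose client relays through an ISP's server instead will fail both records, since neither lists that IP.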