Full Version: Lots of returned email - address spoofing?
The Planet Forums > System Administration > Mail Hosting
CCAP
Yesterday I began to get a significant amount of returned mail to addresses I never sent email to. So far, two email addresses have been affected.

From my limited knowledge, it does not appear that the spammers are sending mail through my server; rather, they are just using my email address as the return path? Does that sound logical or possible? If so, what can I do about it?

I've been running this server for several years now and I have no open relay or email scripts that leave access to my qmail program. So, I don't THINK they have gained access to my system. Below is a copy of a header from one of the returned messages:

---------------------------------------------------------------------
Received: from 90.212.161.213 [90.212.161.213]
by sierramail.sierraselect.local
with XWall v3.41 ;
Sun, 23 Mar 2008 14:55:31 -0700
Message-ID: <000401c88d30$0369bb9e$4f65b4b5@vgrxsq>
From: "ken kyle" <info@thunderbillies.com>
To: "Everett Mccray" <jruloph@sierraselect.com>
Subject: Creative Gifts
Date: Sun, 23 Mar 2008 20:07:36 +0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
---------------------------------------------------------------------

In this case, info@thunderbillies.com is an email address on my server, but ken kyle is not a user.
markcausa
Yeah, it looks like they're just spoofing you. This happens sometimes. You should just make sure you have an SPF Record installed so these spoofed emails can't be held against your server's IP, resulting in blacklisting.

If you're using WHM, this may (or may not) help.
warren0728
QUOTE (markcausa @ Mar 24 2008, 01:33 PM) *
Yeah, it looks like they're just spoofing you. This happens sometimes. You should just make sure you have an SPF Record installed so these spoofed emails can't be held against your server's IP, resulting in blacklisting.

If you're using WHM, this may (or may not) help.

I'm having the same problem....tried your link and it didn't work....said server wasn't responding : (

ww : )
CCAP
QUOTE (markcausa @ Mar 24 2008, 01:33 PM) *
Yeah, it looks like they're just spoofing you. This happens sometimes. You should just make sure you have an SPF Record installed so these spoofed emails can't be held against your server's IP, resulting in blacklisting.

If you're using WHM, this may (or may not) help.


The link doesn't work for me and, forgive my extreme ignorance, I'm not really sure what WHM is either!

At any rate, I'm pretty sure I do have an SPF record in place.

Thanks!
Matt
warren0728
QUOTE (CCAP @ Apr 11 2008, 07:24 PM) *
The link doesn't work for me and, forgive my extreme ignorance, I'm not really sure what WHM is either!

At any rate, I'm pretty sure I do have an SPF record in place.

Thanks!
Matt

I'm not sure what an SPF Record is...I searched these forums and also WHM and couldn't find out anything about it....

ww
CCAP
QUOTE (warren0728 @ Apr 11 2008, 07:39 PM) *
I'm not sure what an SPF Record is...I searched these forums and also WHM and couldn't find out anything about it....

ww


An SPF record establishes which domains are allowed to send mail through your domain. So, if someone is spoofing your email address but the mail actually comes from some other domain then SPAM protection software can easily do a check to see if this is permissible by your SPF record. If not, it's a safe bet that the email is SPAM.

An SPF record will not stop people from spoofing your email address, it just stops the possible appearance that you are the one generating all the emails. So, unfortunately, it doesn't stop all the annoying return emails we're getting. Ugh.

Make sense? Here's another explanation: http://eol.init1.nl/content/view/40/38/
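To make the explanation above concrete, here is an added example (my own code, not part of the thread and not a tool the posters used) that does what a receiving server's spam filter does with the bounce header quoted in the first post: it pulls the connecting IP out of the topmost Received: line and the domain out of the From: address, then evaluates the domain's SPF policy against that IP. DNS is replaced by a constructed in-memory table (an assumption for the example): thunderbillies.com is given the "v=spf1 a ~all" record discussed later in the thread with a placeholder A record from the 203.0.113.0/24 documentation range, and a made-up domain strict.invalid carries a hard-fail "-all" policy for comparison. Only the mechanisms this page touches (a, mx, ip4, all) are implemented.

```python
import ipaddress
import re

# Constructed DNS data (an assumption for this example, not real records).
FAKE_DNS = {
    "thunderbillies.com": {
        "A": ["203.0.113.10"],              # placeholder address of the real mail server
        "TXT": ['"v=spf1 a ~all"'],         # the softfail policy from the thread
    },
    "strict.invalid": {                     # made-up domain with a hard-fail policy
        "A": ["203.0.113.20"],
        "MX": ["mail.strict.invalid"],
        "TXT": ['"v=spf1 mx ip4:198.51.100.0/24 -all"'],
    },
    "mail.strict.invalid": {"A": ["203.0.113.21"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The bounced-message header quoted in the first post, embedded as sample input.
SAMPLE_HEADER = """Received: from 90.212.161.213 [90.212.161.213]
by sierramail.sierraselect.local
with XWall v3.41 ;
Sun, 23 Mar 2008 14:55:31 -0700
Message-ID: <000401c88d30$0369bb9e$4f65b4b5@vgrxsq>
From: "ken kyle" <info@thunderbillies.com>
To: "Everett Mccray" <jruloph@sierraselect.com>
Subject: Creative Gifts
Date: Sun, 23 Mar 2008 20:07:36 +0000
"""


def originating_ip(header):
    """Connecting IP from the topmost Received: line, i.e. the host that handed
    the message to the bouncing server; this is the address SPF is checked against."""
    m = re.search(r"^Received: from \S+ \[(\d+\.\d+\.\d+\.\d+)\]", header, re.M)
    return m.group(1) if m else None


def sender_domain(header):
    """Domain of the address in the From: header (the one being spoofed)."""
    m = re.search(r"^From:.*<[^@>]+@([^>]+)>", header, re.M)
    return m.group(1).lower() if m else None


def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record without its surrounding quotes."""
    for txt in lookup(domain, "TXT"):
        txt = txt.strip('"')
        if txt.startswith("v=spf1"):
            return txt
    return None


def evaluate_spf(domain, ip):
    """Evaluate mechanisms left to right; the first one that matches decides."""
    record = spf_record(domain)
    if record is None:
        return "none"                      # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech == "a":
            hosts = lookup(arg or domain, "A")
        elif mech == "mx":
            hosts = [a for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A")]
        elif mech == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
            hosts = []
        else:
            continue                       # mechanism not covered by this example
        if any(ipaddress.ip_address(h) == addr for h in hosts):
            return result
    return "neutral"                       # nothing matched and no trailing "all"


def classify_bounce(header):
    """What an SPF-checking receiver would have concluded about the original message."""
    ip = originating_ip(header)
    domain = sender_domain(header)
    return {"ip": ip, "domain": domain, "spf": evaluate_spf(domain, ip)}


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_HEADER))
```

Two things the output shows. First, the Received chain of the original message never passes through the thunderbillies.com server at all, which is the evidence that the mail was forged elsewhere rather than relayed through it. Second, with "~all" the verdict is only "softfail": the policy asks receivers to accept the message and merely mark it, so a bounce can still come back to the forged address. A "-all" policy (the strict.invalid entry) yields "fail" and asks receivers to reject at SMTP time, which removes most of the backscatter but also rejects legitimate mail sent from any host the record does not list, so every outgoing server has to be in the record before switching to it.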
warren0728
OK...I found this (below)....if I do the following procedure for each of my domains (zones) I should be good to go?

It is important to have an SPF record to protect your domain from email forgeries.

If you have correctly set all of your email users to use mail.yourdomain.co.za as their outgoing mail server then the following SPF record would be sufficient:

"v=spf1 a ~all"
Login to WHM and select "Edit DNS Zone" on the left hand menu.
Select the domain that you wish to load an SPF record for.
If there is an existing SPF record then edit it as required, otherwise:
Scroll down to "Add New Entries Below this Line"
In the first column add the domain name without the www part and including a '.' (period) at the end.
Second column should remain as the default.
Select "TXT" from the drop down in the third column.
Load your SPF record in the fourth column and the remaining columns should be left blank.
Click the "Save" button to save your changes.
QUOTE (CCAP @ Apr 11 2008, 07:46 PM) *
An SPF record establishes which domains are allowed to send mail through your domain. So, if someone is spoofing your email address but the mail actually comes from some other domain then SPAM protection software can easily do a check to see if this is permissible by your SPF record. If not, it's a safe bet that the email is SPAM.

An SPF record will not stop people from spoofing your email address, it just stops the possible appearance that you are the one generating all the emails. So, unfortunately, it doesn't stop all the annoying return emails we're getting. Ugh.

Make sense? Here's another explanation: http://eol.init1.nl/content/view/40/38/
CCAP
Yep, looks sufficient to me. But again, this will NOT stop the spoofing.

QUOTE (warren0728 @ Apr 11 2008, 07:52 PM) *
OK...I found this (below)....if I do the following procedure for each of my domains (zones) I should be good to go?

It is important to have an SPF record to protect your domain from email forgeries.

If you have correctly set all of your email users to use mail.yourdomain.co.za as their outgoing mail server then the following SPF record would be sufficient:

"v=spf1 a ~all"
Login to WHM and select "Edit DNS Zone" on the left hand menu.
Select the domain that you wish to load an SPF record for.
If there is an existing SPF record then edit it as required, otherwise:
Scroll down to "Add New Entries Below this Line"
In the first column add the domain name without the www part and including a '.' (period) at the end.
Second column should remain as the default.
Select "TXT" from the drop down in the third column.
Load your SPF record in the fourth column and the remaining columns should be left blank.
Click the "Save" button to save your changes.
warren0728
QUOTE (CCAP @ Apr 11 2008, 08:03 PM) *
Yep, looks sufficient to me. But again, this will NOT stop the spoofing.

I hear you there...is there any way to stop the spoofing (or at least stop the returned emails)?

thanks for all the help,
ww : )
CCAP
QUOTE (warren0728 @ Apr 11 2008, 08:25 PM) *
I hear you there...is there any way to stop the spoofing (or at least stop the returned emails)?

thanks for all the help,
ww : )

I wish I knew! It's annoying the crap outta me!
warren0728
QUOTE (CCAP @ Apr 11 2008, 09:18 PM) *
I wish I knew! It's annoying the crap outta me!

me too!

One last question....when I enter this line in WHM ---> "v=spf1 a ~all" do I include the quotation marks....I thought that is what the tutorial I found said, but it doesn't seem to me like I should.

ww
CCAP
QUOTE (warren0728 @ Apr 11 2008, 09:21 PM) *
me too!

One last question....when I enter this line in WHM ---> "v=spf1 a ~all" do I include the quotation marks....I thought that is what the tutorial I found said, but it doesn't seem to me like I should.

ww

Yep, leave those in there.
warren0728
QUOTE (CCAP @ Apr 11 2008, 10:05 PM) *
Yep, leave those in there.

thanks for all the help!

ww : )
CCAP
QUOTE (warren0728 @ Apr 11 2008, 10:08 PM) *
thanks for all the help!

ww : )

No problemo!
Jeff
If you log into the domain's cPanel, you'll see there is a new "email authentication" icon under the mail section too that allows you to enable both DomainKeys and SPF for that domain.
CCAP
QUOTE (Jeff @ Apr 12 2008, 06:51 AM) *
If you log into the domain's cPanel, you'll see there is a new "email authentication" icon under the mail section too that allows you to enable both DomainKeys and SPF for that domain.

I have Plesk. It doesn't have that option that I know of. 'Course, I haven't moved to Plesk8 yet either.