Someone is sending spam using my domain name

Let's call my domain name mdn.com for simplicity.
Every day (last 5 days), I am getting bounced mail delivery errors in my spam folder (I have catchall enabled for mdn.com).
The bounced mail is due to spam messages being sent 'supposedly' from [email protected] and all of them are in Japanese (something about iphone).
So could this cause mdn.com's reputation for email delivery to be affected?
Also is there any way to 'restrict' this sender from using mdn.com?
I already have SPF, DKIM set up for mdn.com

Comments

  • You set up SPF/DKIM records for your domain, and set DMARC policy to reject or quarantine the emails.
    You will still receive bounce mails, but won’t affect your relations with the email giants

    Thanked by (3)msatt bdl bikegremlin
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

    Thanked by (2)msatt skhron

    vps9 hostname is available. affbrr

  • bdlbdl OG

    When setting up DMARC, you can use this for free weekly reports: https://dmarc.postmarkapp.com/

    Thanked by (1)msatt
  • Thanks everyone, DMARC now setup and hopefully weekly reports being produced.
    Will tighten restrictions after a couple of weeks when I know everything is working.

  • A mail server sending bounces is unlikely to care about your DMARC records - so I wouldn't expect this to change anything.

    Thanked by (3)msatt yoursunny bdl
  • did you check with @imok, he fingers mailers all the time.

  • skhronskhron Hosting Provider

    @msatt said: So could this cause mdn.com's reputation for email delivery to be affected ?

    Yes

    I would also recommend you to add rua (addresses to which aggregate feedback is to be sent) and ruf (addresses to which message-specific failure information is to be reported) in your DMARC record. Configure a separate mailbox for them (ideally something like dmarc-reports@mdn[dot]com). You can later automate parsing of the received reports using parsedmarc.

    Thanked by (1)toor

    Check our KVM VPS plans in 🇵🇱 Warsaw, Poland and 🇸🇪 Stockholm, Sweden

  • ViveHostingViveHosting Hosting Provider

    I'd also keep a close eye on blacklists in case your IP has been flagged. Certainly not impossible to get yourself removed but it can sometimes be a bit of a pain. IP reputation for email sending is definitely something you want to try to manage.

    I'd also look at rate limiting so that outgoing emails can only happen at a certain speed, e.g. 30 emails per minute (or whatever works for you). This gives you more time to react in case a script or your server has been compromised somehow and it's sending out massive amounts of email.

  • bdlbdl OG

    @ehab said:
    did you check with @imok, he fingers mailers all the time.

    postie pokes

  • Some of those bounced emails could be SPAM as well, as the bounced emails get to skip the spam folder and get delivered to your inbox... I was receiving them as well since I set up my own mail servers. Tweaking the spamassassin settings helped to flag those bounces as spam as well.

    Thanked by (1)wankel

    Never make the same mistake twice. There are so many new ones to make.
    It’s OK if you disagree with me. I can’t force you to be right.

  • :open_mouth:

    Thanked by (1)bdl
  • Also don't forget to put "-" on SPF record.

    See: https://proton.me/blog/what-is-sender-policy-framework-spf

    SPF record example
    Here’s an example of an SPF record with an explanation of what it means below:

    v=spf1 ip4:185.70.40.111 include:_spf.protonmail.ch mx ~all

    v=spf1: The SPF version number. Every SPF record must begin with this tag.
    ip4: The IP address(es) of the servers authorized to send email from your domain. They can be IPv4 or IPv6 addresses; IPv6 addresses use the tag ip6.
    include: Instructs the server to check the SPF records of the additional domain mentioned. In this example, the server would look up _spf.protonmail.ch and add the IP addresses found there to the list of authorized addresses.
    mx: Any IP addresses that match the mail servers listed in the MX records of the sending domain. For example, Proton Mail uses mail.protonmail.ch and mailsec.protonmail.ch.
    ~all: Tells receiving email servers what to do if an email doesn't pass SPF. The three most common all tags are:
    ~all: Mark the message as suspicious
    -all: Reject the message
    ?all: Receiving email server decides (neutral recommendation)

    Thanked by (1)wankel
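
An offline SPF record linter, added here as an example (it is not code from the thread or from Proton): it splits a record like the one quoted above into qualifier/mechanism/value triples, reports what the `all` qualifier means for mail from unlisted hosts, and counts the terms that cost a DNS lookup, which RFC 7208 caps at ten per evaluation. The two sample records are constructed (the first mirrors the quoted one, the second the `-all` form recommended in the post); nothing is queried in DNS.

```python
"""Offline SPF record linter (added example, not code from the thread).

Splits an SPF TXT record into qualifier/mechanism/value triples, reports
what its ``all`` term means for mail from unlisted hosts, and counts the
terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation;
more and receivers return permerror).  Nothing is looked up in DNS; the
sample records at the bottom are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Mechanisms and modifiers that trigger a DNS query during SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# What each qualifier on ``all`` tells the receiver to do with unlisted senders.
ALL_MEANING = {
    "-": "fail: reject mail from hosts not listed",
    "~": "softfail: treat as suspicious, usually still delivered",
    "?": "neutral: the receiving server decides",
    "+": "pass: every host is authorised, the record protects nothing",
}

# optional qualifier, mechanism/modifier name, then the rest (":value", "=value" or "/cidr")
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(.*)", re.IGNORECASE)


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Return (qualifier, mechanism, value) for every term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"cannot parse SPF term {term!r}")
        qualifier = m.group(1) or "+"          # an absent qualifier means "+"
        mechanism = m.group(2).lower()
        value = m.group(3).lstrip(":=")        # "ip4:1.2.3.4" -> "1.2.3.4"; "a/24" keeps "/24"
        parsed.append((qualifier, mechanism, value))
    return parsed


def lint_spf(record: str) -> Dict[str, object]:
    """Summarise the record and list the weaknesses discussed in the thread."""
    terms = parse_spf(record)
    all_qualifiers = [q for q, mech, _ in terms if mech == "all"]
    all_q: Optional[str] = all_qualifiers[0] if all_qualifiers else None
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)

    findings = []
    if all_q is None:
        findings.append("no 'all' term: unlisted senders get an implicit neutral result")
    elif all_q != "-":
        findings.append(f"'{all_q}all' does not reject spoofed mail; "
                        "use '-all' once every legitimate sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")

    return {
        "terms": terms,
        "all_qualifier": all_q,
        "all_meaning": ALL_MEANING.get(all_q) if all_q else None,
        "lookup_terms": lookups,
        "enforcing": all_q == "-",
        "findings": findings,
    }


# Constructed sample records: the softfail example quoted above and an enforcing one.
PROTON_STYLE = "v=spf1 ip4:185.70.40.111 include:_spf.protonmail.ch mx ~all"
ENFORCING = "v=spf1 a:mydomain.example -all"

if __name__ == "__main__":
    for rec in (PROTON_STYLE, ENFORCING):
        report = lint_spf(rec)
        print(rec)
        print("  all:", report["all_qualifier"], "->", report["all_meaning"])
        print("  DNS lookups:", report["lookup_terms"], "enforcing:", report["enforcing"])
        for f in report["findings"]:
            print("  !", f)
```

Run it and the first record is reported as `~all` (softfail, not enforcing, two lookup terms) while the second comes back clean; the lookup count matters because a record that accumulates too many `include:` terms fails evaluation entirely, which is worse than a softfail.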
  • I also got one domain that was sending to the same domain spam and I opened a ticket to MXRoute and they told me to do that so..

  • Thanks once again - all very useful info.
    Email is not originating from my domain, it is just someone spoofing it, so I assume IP reputation is not an issue?
    I have set up rua and as @bdl suggested I am also using https://dmarc.postmarkapp.com/

    Thanked by (1)bdl
  • skhronskhron Hosting Provider

    @msatt said: Email is not originating from my domain, it is just someone spoofing it, so I assume IP reputation is not an issue?

    Once you implement DMARC on top of both SPF and DKIM, then receiving party can confirm it is actually spoofed and you shouldn't be punished.

    Without DMARC, receiving party can't know that it must expect either DKIM or SPF (or even both), hence reputation risk is possible.

    Thanked by (2)msatt toor

  • As far as IP reputation goes, mdn.com was originally using Gmail when the problems started (MX records pointing to them). So does that mean it would be Gmail's IP reputation affected =)
    I have now moved the domain to NameCrane with the appropriate MX, DKIM, SPF and DMARC configured accordingly. Email sent via NameCrane is being delivered with 3 PASSes (DKIM, SPF & DMARC) to giants, so things are (I assume) looking good.
    So far I have had NO bounced spam messages to mdn.com catchall :)

    Thanked by (1)bdl
  • @sanvit said: You will still receive bounce mails, but won’t affect your relations with the email giants

    I have set up
    _dmarc.XXX.com. 300 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"
    but as you say, still getting bounced messages back in my spam folder.
    Is there any way these could also be stopped?

  • @msatt said:

    @sanvit said: You will still receive bounce mails, but won’t affect your relations with the email giants

    I have set up
    _dmarc.XXX.com. 300 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"
    but as you say, still getting bounced messages back in my spam folder.
    Is there any way these could also be stopped?

    Complain to those mail servers that are sending bounced spam mails (and maybe block them if they don't fix it) - those mail servers are part of the problem by enabling that abuse and need to be fixed.

    Thanked by (2)msatt toor
  • ^ Totally agree - absolutely stupid and just creating more junk.

  • skhronskhron Hosting Provider

    @msatt said: sp=none

    I see no reason for you to not enforce reject policy for any subdomain of your domain.

    Thanked by (1)msatt

  • @msatt said:

    @sanvit said: You will still receive bounce mails, but won’t affect your relations with the email giants

    I have set up
    _dmarc.XXX.com. 300 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"
    but as you say, still getting bounced messages back in my spam folder.
    Is there any way these could also be stopped?

    I don't think there's any way to completely remove the bounce mails. Just ignore those. Maybe @jarland or @Francisco can prove me wrong though

    Thanked by (1)msatt
  • @sanvit - Thanks for the confirmation.
    Just to mention as per @skhron I have changed the dmarc to
    v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=reject; aspf=r;

    Thanked by (1)skhron
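
An offline DMARC record checker, added here as an example (not code from the thread): it splits a `_dmarc` TXT record into its tags, fills in the RFC 7489 defaults a receiver applies (`sp=` inherits `p=` when absent, `pct=` defaults to 100) and flags the weak settings discussed above, including the `sp=none` that @skhron pointed out. The two records at the bottom are constructed to mirror the before and after versions posted in this thread, with a placeholder report mailbox; no DNS is queried.

```python
"""Offline DMARC record checker (added example, not code from the thread).

Splits a _dmarc TXT record into its tag=value pairs, works out the policy
that receivers actually apply (sp= falls back to p= when absent, pct=
defaults to 100, as in RFC 7489) and flags the weak settings discussed in
the thread: p=none, a subdomain policy weaker than the domain policy,
partial enforcement and no rua= address for aggregate reports.  No DNS is
queried; the two records at the bottom are constructed, with a placeholder
report address.
"""
from typing import Dict, List

POLICIES = ("none", "quarantine", "reject")   # ordered weakest to strongest


def parse_dmarc(record: str) -> Dict[str, str]:
    """Return the tag -> value map; tag names are case-insensitive, values kept verbatim."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                       # tolerate the trailing ';' seen in the thread
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    return tags


def effective_policy(tags: Dict[str, str]) -> Dict[str, object]:
    """The settings a receiver applies after filling in RFC 7489 defaults."""
    p = tags["p"]
    sp = tags.get("sp", p)                 # subdomains inherit p= unless sp= overrides it
    if sp not in POLICIES:
        raise ValueError(f"invalid sp={sp}")
    return {
        "domain": p,
        "subdomains": sp,
        "pct": int(tags.get("pct", "100")),
        "adkim": tags.get("adkim", "r"),   # r = relaxed alignment, s = strict
        "aspf": tags.get("aspf", "r"),
        "rua": tags.get("rua"),
    }


def lint_dmarc(record: str) -> Dict[str, object]:
    """Effective policy plus a list of findings; an empty list means nothing weak was found."""
    eff = effective_policy(parse_dmarc(record))
    findings: List[str] = []
    if eff["domain"] == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if POLICIES.index(eff["subdomains"]) < POLICIES.index(eff["domain"]):
        findings.append(f"sp={eff['subdomains']} is weaker than p={eff['domain']}: "
                        "mail spoofed from any subdomain escapes the policy")
    if eff["pct"] < 100:
        findings.append(f"pct={eff['pct']}: the policy is applied to only that share of failing mail")
    if not eff["rua"]:
        findings.append("no rua= address: no aggregate reports, so you cannot see who is spoofing the domain")
    return {"effective": eff, "findings": findings}


# Constructed records: the first mirrors the sp=none record posted earlier, the
# second the tightened one.  The report mailbox is a placeholder.
BEFORE = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@mdn.example; sp=none; aspf=r;"
AFTER = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@mdn.example; sp=reject; aspf=r;"

if __name__ == "__main__":
    for rec in (BEFORE, AFTER):
        result = lint_dmarc(rec)
        print(rec)
        print("  effective:", result["effective"])
        for f in result["findings"]:
            print("  !", f)
```

The first record produces a single finding about `sp=none`; the second produces none. The bare minimum record `v=DMARC1; p=reject; pct=100` also passes the policy checks but is flagged for having no `rua=`, which is the setting that turns DMARC from a silent filter into a source of reports about who is spoofing the domain.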
  • @msatt said:
    @sanvit - Thanks for the confirmation.
    Just to mention as per @skhron I have changed the dmarc to
    v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; sp=reject; aspf=r;

    FYI, just setting up a TXT record with the domain pointing to your IP address is usually enough...

    So just a TXT record with v=spf1 a:mydomain.com -all
    This says reject all emails not sent with the IP address that mydomain.com is pointing to.

    Also, I am surprised no one asked you to set up a DKIM certificate... That way all your mail is signed and the receiving party can validate that the email was sent from the correct mail server.
    So another TXT record like v=DKIM1; k=rsa; t=s; p=LONG_STRING_CONTAINING_PUBLIC_KEY_GOES_HERE

    Ever since I set it up, my emails are no longer rejected by big providers like google, live, yahoo and etc.

  • skhronskhron Hosting Provider

    @somik said: FYI, just setting up a TXT record with the domain pointing to your IP address is usually enough...

    DMARC enforces the policy, while SPF is only applicable for Envelope From (SMTP).

  • @skhron said:

    @somik said: FYI, just setting up a TXT record with the domain pointing to your IP address is usually enough...

    DMARC enforces the policy, while SPF is only applicable for Envelope From (SMTP).

    Erm, I am gonna need you to elaborate on that... (a mail noob here)

  • skhronskhron Hosting Provider

    @somik said:

    @skhron said:

    @somik said: FYI, just setting up a TXT record with the domain pointing to your IP address is usually enough...

    DMARC enforces the policy, while SPF is only applicable for Envelope From (SMTP).

    Erm, I am gonna need you to elaborate on that... (a mail noob here)

    Citing Wikipedia (sorry I am just lazy explaining it myself):

    Sender Policy Framework (SPF) is an email authentication method that ensures the sending mail server is authorized to originate mail from the email sender's domain.[1][2] This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address,[2] and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies, such as DMARC, must be used.

    You would ask me, why isn't DKIM mentioned? Well, the problem is that for a spoofed email without DKIM you can't know if the domain has DKIM unless you know the selector (no one is going to bruteforce them, not feasible at all). Thus DMARC is required, as it says that the domain actually has SPF and DKIM and can define policies for both (relaxed or strict) and the action (none, quarantine aka mark as spam, and reject aka reject the email so that the recipient doesn't see it but the sending MTA sees the problem - rejected letter)

    Thanked by (1)somik

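
A worked DMARC alignment check, added here as an example (not code from the thread), to make @skhron's point concrete: SPF authenticates the SMTP envelope sender (MAIL FROM / Return-Path) and DKIM the `d=` domain of a valid signature, and DMARC only counts a pass whose domain aligns with the domain in the From: header the recipient sees. The message data is constructed; the organisational domain is approximated by the last two labels, which is a simplification of the Public Suffix List lookup real evaluators perform.

```python
"""Worked DMARC alignment check (added example, not code from the thread).

SPF authenticates the SMTP envelope sender (MAIL FROM / Return-Path) and
DKIM the d= domain of a valid signature.  DMARC only accepts a pass whose
domain *aligns* with the domain in the From: header the recipient sees,
which is why a spammer's own, correctly SPF-authorised envelope domain
does not help a message whose From: is spoofed.  Organisational domain is
approximated here by the last two labels, a simplification; real
evaluators use the Public Suffix List.  All message data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def org_domain(domain: str) -> str:
    """Approximate organisational domain (last two labels); PSL-free simplification."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains, strict ('s') exact names."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class AuthResults:
    header_from: str                 # domain of the RFC5322.From header (what the user sees)
    mail_from: str                   # domain of the SMTP MAIL FROM (envelope / Return-Path)
    spf_result: str                  # receiver's SPF verdict for mail_from: pass, fail, softfail, ...
    dkim_passed: List[str] = field(default_factory=list)   # d= domains of signatures that verified


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """DMARC passes if either an aligned SPF pass or an aligned DKIM pass exists."""
    spf_aligned = r.spf_result == "pass" and aligned(r.mail_from, r.header_from, aspf)
    dkim_aligned = any(aligned(d, r.header_from, adkim) for d in r.dkim_passed)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def disposition(dmarc_result: str, policy: str) -> str:
    """What the receiver does under the published p=/sp= policy."""
    if dmarc_result == "pass" or policy == "none":
        return "deliver"
    return "quarantine" if policy == "quarantine" else "reject"


# Constructed cases.  SPOOFED: From: claims mdn.example, but the envelope sender is the
# spammer's own domain, for which SPF legitimately passes; no DKIM signature for mdn.example.
SPOOFED = AuthResults("mdn.example", "bulk.spammer.example", "pass", [])
# LEGIT: sent through the domain's own relay, signed with d=mdn.example.
LEGIT = AuthResults("mdn.example", "bounce.mdn.example", "pass", ["mdn.example"])

if __name__ == "__main__":
    for name, case in (("spoofed", SPOOFED), ("legit", LEGIT)):
        verdict = dmarc_evaluate(case)
        print(name, verdict, "->", disposition(verdict["dmarc"], "reject"))
```

The spoofed case gets an SPF pass and still fails DMARC, because the passing domain is the spammer's, not the one in From:, so a `p=reject` policy has the receiver reject it; the legitimate case passes on both aligned SPF and aligned DKIM. Switching to `aspf=s` drops the SPF alignment for the `bounce.` subdomain but the DKIM signature still carries the message, which is the usual reason to have both in place.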
  • @skhron said:
    Citing Wikipedia (sorry I am just lazy explaining it myself):

    Sender Policy Framework (SPF) is an email authentication method that ensures the sending mail server is authorized to originate mail from the email sender's domain.[1][2] This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address,[2] and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies, such as DMARC, must be used.

    You would ask me, why isn't DKIM mentioned? Well, the problem is that for a spoofed email without DKIM you can't know if the domain has DKIM unless you know the selector (no one is going to bruteforce them, not feasible at all). Thus DMARC is required, as it says that the domain actually has SPF and DKIM and can define policies for both (relaxed or strict) and the action (none, quarantine aka mark as spam, and reject aka reject the email so that the recipient doesn't see it but the sending MTA sees the problem - rejected letter)

    So I am missing a step here... I setup spf and dkim but did not setup dmarc... lemme find some documentation on what needs to be done...

  • skhronskhron Hosting Provider

    @somik said:

    @skhron said:
    Citing Wikipedia (sorry I am just lazy explaining it myself):

    Sender Policy Framework (SPF) is an email authentication method that ensures the sending mail server is authorized to originate mail from the email sender's domain.[1][2] This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address,[2] and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies, such as DMARC, must be used.

    You would ask me, why isn't DKIM mentioned? Well, the problem is that for a spoofed email without DKIM you can't know if the domain has DKIM unless you know the selector (no one is going to bruteforce them, not feasible at all). Thus DMARC is required, as it says that the domain actually has SPF and DKIM and can define policies for both (relaxed or strict) and the action (none, quarantine aka mark as spam, and reject aka reject the email so that the recipient doesn't see it but the sending MTA sees the problem - rejected letter)

    So I am missing a step here... I setup spf and dkim but did not setup dmarc... lemme find some documentation on what needs to be done...

    Just do a TXT record _dmarc.example.com "v=DMARC1; p=reject; pct=100" - this is the bare required minimum. Policy can be different, but personally I see no reason why you would prefer quarantine and not reject. Do not go for "none", it is useless and some big ESPs dislike it as well

    For more advanced DMARC configuration there is a nice tool at https://app.dmarcanalyzer.com/dns/setup

    Thanked by (1)somik

  • @skhron said:
    Just do a TXT record _dmarc.example.com "v=DMARC1; p=reject; pct=100" - this is the bare required minimum. Policy can be different, but personally I see no reason why you would prefer quarantine and not reject. Do not go for "none", it is useless and some big ESPs dislike it as well

    For more advanced DMARC configuration there is a nice tool at https://app.dmarcanalyzer.com/dns/setup

    Followed your instructions and added the basic bare minimum DMARC. So now got 3 txt records... DMARC, SPF and DKIM... just to send email... No wonder all the online platforms stopped with the emails and started their own app notifications...
