Avoiding spoof e-mail

    Question

  • So we have a pretty decent spam filter.  The problem now seems to be that someone out there is impersonating one of our e-mail addresses, and is sending out spam claiming to be us.  Our mail server then floods one of our executives (andy@domain.com) with a ton of bounce-back messages. 

    I don't know how they're doing this, all our SPF records are up and I'm passing all the tests at mxtoolbox.com.  Any ideas where I can go to troubleshoot?  I'm including one of the bounce-backs... domain.com is an alias for our own domain. 

    Delivery has failed to these recipients or groups:

    yourclockmos@mail.ru
    The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

    The following organization rejected your message: mxs.mail.ru (94.100.176.20).

    Diagnostic information for administrators:

    Generating server: eastrmfepo103.cox.net

    yourclockmos@mail.ru
    mxs.mail.ru (94.100.176.20) #<mxs.mail.ru (94.100.176.20) #5.1.1 smtp; 550 spam message rejected. Please visit http://mail.ru/notspam/abuse?c=nOdYxNquUBQ_8E4O1iBrOL3otqOsTdgyy4UAdwLK9PI_Zy3JN8QaPVVnPNBIJOrjLx1z62Ha1TUPAAAAhywAAFEruTU~ or report details to abuse@corp.mail.ru. Error code: C458E79C1450AEDA0E4EF03F386B20D6A3B6E8BD32D84DAC770085CBF2F4CA02C92D673F3D1AC437D03C6755E3EA2448EB731D2F35D5DA61. ID: 0000000F00002C8735B92B51. > #SMTP#

    Original message headers:

    Received: from eastrmimpo109 ([68.230.241.222]) by eastrmfepo103.cox.net
              (InterMail vM.8.01.04.00 201-2260-137-20101110) with ESMTP
              id <20121002200717.EMXF8874.eastrmfepo103.cox.net@eastrmimpo109>
              for <yourclockmos@mail.ru>; Tue, 2 Oct 2012 16:07:17 -0400
    Received: from Unknown ([75.137.254.176])       by eastrmimpo109 with cox         id
     6L6j1k00H3p7Z8T01L6ve0; Tue, 02 Oct 2012 16:07:15 -0400
    X-CT-Class: Bulk
    X-CT-Score: 5.00
    X-CT-RefID: str=0001.0A02020B.506B1C28.00B0,ss=3,sh,re=0.000,fgs=0
    X-CT-Spam: 0
    X-Authority-Analysis: v=2.0 cv=EM+EIilC c=1 sm=1
     a=ir+z6u1b1/JQc7vbQ7T55Q==:17 a=ST9hmjiC9vQA:10 a=jPJDawAOAc8A:10
     a=ZsaOob9sAAAA:8 a=z3kLCph82IkA:10 a=WBlk6YtE7Aog8KVTONEA:9 a=Ft8UYL4EG9YA:10
     a=YREmD7smRYyc0Eb9l-QA:9 a=_W_S_7VecoQA:10 a=9Q615Muq5jIeIMxe:21
     a=ir+z6u1b1/JQc7vbQ7T55Q==:117
    X-CM-Score: 0.00
    Authentication-Results: cox.net; auth=pass (CRAM-MD5)
     smtp.auth=sidmel07@cox.net
    Message-ID: <E3240A8BB5724607B563D80DDAAC2215@uvikjcf>
    Reply-To: =?windows-1251?B?zejq6PLg?= <srvolrplr@qip.ru>
    From: =?windows-1251?B?zejq6PLg?= andy@domain.com
    To: =?windows-1251?B?zuLo5OjpIMjr/Oj3?= <banks2@supanet.com>
    Subject: =?windows-1251?B?wuD46CDt7uL75SDq6+jl7fL7Lg==?=
    Date: Wed, 3 Oct 2012 02:06:25 +0600
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
                boundary="----=_NextPart_000_25BA_01CDA10B.B1540C40"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
    X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726


    ----------- Ron E Biggs Network Administrator Entertainment Studios

    Tuesday, October 02, 2012 10:50 PM

Answers

  • At any rate, it looks like we figured it out.  The issue is that the public SPF record needs fine-tuning.  Basically, the SPF records we have say:

    v=spf1 a mx ~all

    They should say:

    v=spf1 mx ptr mx:<mailserver FQDN> ip4:<mailserver public IP> -all 


    ----------- Ron E Biggs Network Administrator Entertainment Studios

    • Marked as answer by Ron E Biggs Tuesday, October 09, 2012 5:42 PM
    Tuesday, October 09, 2012 5:42 PM
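As an added example (not code from the thread), a small SPF evaluator with constructed DNS data shows how the two records above classify the cox.net relay IP from the bounce headers (68.230.241.222) versus the domain's own mail server. The zone data, the host name mail.domain.com and the 203.0.113.x addresses are assumptions; include/redirect modifiers are not implemented.

```python
import ipaddress

# Constructed, hypothetical DNS data; domain.com is the poster's alias and the
# 203.0.113.x addresses are RFC 5737 documentation placeholders, not real records.
DNS = {
    "A":   {"domain.com": ["203.0.113.10"], "mail.domain.com": ["203.0.113.25"]},
    "MX":  {"domain.com": ["mail.domain.com"]},
    "PTR": {"203.0.113.25": ["mail.domain.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WEAK_RECORD = "v=spf1 a mx ~all"
STRICT_RECORD = "v=spf1 mx ptr mx:mail.domain.com ip4:203.0.113.25 -all"
SPOOF_RELAY = "68.230.241.222"  # the cox.net relay seen in the bounce headers above

def a_records(name):
    return DNS["A"].get(name, [])

def mechanism_matches(mech, target, ip, domain):
    """True if one SPF mechanism (a, mx, ip4, ptr, all) matches the sending IP."""
    target = target or domain
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(target, strict=False)
    if mech == "a":
        return str(ip) in a_records(target)
    if mech == "mx":
        return any(str(ip) in a_records(mx) for mx in DNS["MX"].get(target, []))
    if mech == "ptr":
        # RFC 7208 says ptr SHOULD NOT be used (slow, unreliable); shown only
        # because the record in the answer uses it. Forward-confirm every name.
        return any((n == target or n.endswith("." + target)) and str(ip) in a_records(n)
                   for n in DNS["PTR"].get(str(ip), []))
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(record, client_ip, domain):
    """Evaluate a v=spf1 record (no include/redirect) and return the SPF result."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, target = term.partition(":")
        if mechanism_matches(mech.lower(), target, ip, domain):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term: default result
```

A `-all` record only helps receivers that evaluate SPF and reject at SMTP time; a relay that has already accepted the forged message will still return its bounce to the forged return address.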