Email Spoofing how do I block it

  • Question

  • Hello fellow emailers. I have a question that there is surely an answer to as I cannot be the only person who is facing this.

    Has anyone ever come across an issue where their emails are spoofed? My issue is the following. I have people outside of my domain who are getting emails from me but not from me. I have an SPF record in place but I can't understand how this is happening and how it can be stopped. We have an on-prem Exchange Server 2016 that has no issues, I have no viruses on my network, everything is clean. But it has been going on for a while now that people are telling me they receive these kinds of emails. Can someone perhaps help out or point me in the correct direction?

    Thanks

    From: My Name <someone@anotherdomain.com>

    To: SomeoneOutsideMyDomain.com

    Body: Hello please see attached invoice

    Attachment: Something.doc

    Signature: Regards, My Name

    Random Phone Number

    Wednesday, December 5, 2018 6:41 PM

All replies

  • If you have an SPF record that is correct, then it's their problem if they are accepting the messages from IPs that aren't allowed.

    Wednesday, December 5, 2018 7:19 PM
  • Hello, yes I agree that having the SPF record would help, and also I agree that it is the recipient's problem for accepting emails, but correct me if I'm wrong, doesn't EVERYONE who has any kind of mail server check against SPF records?

    Also, how does an SPF record understand that "From" (which is just plain text) "Joe Blow" with the domain <someone at another domain that isn't related to the plain text Joe Blow> should be blocked?

    I'll give you a real life example of what I'm facing and here is what my SPF record looks like

    From: A User Name <random@domain.com>

    Date: December 4, 2018 at 5:10:25 PM GMT-5

    To: <someone@hotmail.com>

    Subject: A User Name October Invoice

    Good Afternoon,

    Please approve. http://www.missionhoperwanda.org/Dec2018/En_us/Service-Report-79818 It was nice working with you!

    Signature

    UserName

    Direct #: 843-928-8121 876-179-6302 x339

    EMail: MyRealEmail@domain.com

    This is what my SPF record looks like

    v=spf1 ip4:x.x.x.x ip4:x.x.x.x ip4:x.x.x.x -all

    Thursday, December 6, 2018 5:19 AM
  • Hi,

    For the first question “doesn't EVERYONE who has any kind of mail server check against SPF records”, every mail server can check the SPF records as long as the record is added in DNS. SPF records reside in the DNS zone file. If there is no SPF record in the recipient’s organization, they might receive spoofed mails.

    For the second question “how does an SPF record understand … should be blocked”, SPF checks the IP address. Each time an email message is sent, the receiving email server compares the IP of origin for the message with the IP address listed in the SPF record for the email address’s host. If the two IP addresses match, then the email can pass through to the intended recipient. If the IP addresses do not match, then the email is flagged as spam or rejected altogether.

    You can refer to the following article to see more details:

    Email spoofing best practices for Exchange users

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.

    Regards,

    Dawn Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, December 6, 2018 10:21 AM
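
The IP comparison described in the reply above, as an added example (not code from the thread or from Microsoft): a minimal evaluator for the `ip4` and `all` mechanisms that also shows which domain's record gets looked up, namely the envelope sender (MAIL FROM) domain rather than the display name. All domains, addresses and the record are constructed; the IPs are documentation ranges.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records keyed by domain (stand-in for DNS TXT lookups).
SPF_RECORDS = {
    "mydomain.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.32/28 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from_domain, client_ip):
    """Evaluate ip4 mechanisms and the 'all' terminator only (subset of RFC 7208)."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                         # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"                       # no mechanism matched

def evaluate(envelope_from, header_from, client_ip):
    """Return (SPF result, domain SPF was checked for, From-header domain)."""
    spf_domain = envelope_from.rsplit("@", 1)[-1]
    _display, addr = parseaddr(header_from)
    return spf_check(spf_domain, client_ip), spf_domain, addr.rsplit("@", 1)[-1]

if __name__ == "__main__":
    cases = [
        # Legitimate mail sent from a listed server.
        ("me@mydomain.example", "My Name <me@mydomain.example>", "192.0.2.40"),
        # Forged envelope sender from an unlisted IP: -all yields fail.
        ("me@mydomain.example", "My Name <me@mydomain.example>", "198.51.100.7"),
        # Display-name spoof on another domain: my record is never consulted.
        ("x@other.example", "My Name <x@other.example>", "198.51.100.7"),
    ]
    for case in cases:
        print(evaluate(*case))
```

In the third case the only trace of the impersonated person is the display name, so nothing published for `mydomain.example` takes part in the check.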
  • Did those emails come from your IPs? If not, then it's up to the recipient to handle them and mark as spam or drop according to their procedures. There isn't much you can do if this is the case.

    My point is that you can only block spoofed email being sent to *your* domain.

    As long as you are a good citizen and using SPF/DMARC/DKIM, that's pretty much all you can do.

    Thursday, December 6, 2018 12:21 PM
  • Hello again, I have this DMARC record that is in place but I found that it was silently dropping emails to, for example, GMAIL, and I was getting back emails from GMAIL saying that I wasn't allowed to send email to them because of a permissions issue.

    My DMARC record looked like this

    v=DMARC1; p=reject; pct=100; ri=600; rua=mailto:me@mydomain.com; ruf=mailto:me@mydomain.com; fo=1

    I don't have DKIM in place; it was my next step. I will look at those how-to articles.

    Saturday, December 8, 2018 9:16 PM
  • Agree with Andy. The records you added in your DNS server will not stop the spoofed emails being sent to other domains. 

    If there is any update of your test, please feel free to post it here.

    Regards,

    Dawn Zhou



    Monday, December 10, 2018 11:21 AM
  • Hi again. So just some quick clarification

    I have these DNS records set in my public DNS (GoDaddy).

    Do I need to put them in my local DNS zone also?

    1) Is my DMARC written correctly?

    2) Is there a good how-to on how to implement DKIM?

    3) Today I was forwarded an email that someone claimed to have gotten from me but wasn't me. When I check the receiver, they are using O365. Is it possible O365 doesn't check the SPF records of my domain, or is it more likely my domain DNS records are not working properly?

    Just a side note: when I was forwarded this message it was caught in my spam filter because it scored very high.

    thanks! :)

    Friday, December 14, 2018 9:13 AM
  • Hi,

    1. If you are using split DNS, you should add this TXT record to the DNS zones on internal DNS servers also in case SMTP relays are using these internal DNS servers for SPF record lookups. 

    2. DMARC enforces SPF and DKIM. DMARC is useful only if you have already set up SPF and DKIM records. Your DMARC record seems correct.

    3. You can refer to the following blog and see how to implement DKIM.

    DKIM in Exchange Server 2007/2010/2013/2016

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.

    4. It is abnormal that the email you forward is caught in your spam filter. Please investigate your DNS records and also check the Event Viewer for related logs.

    Regards,

    Dawn Zhou



    Tuesday, December 18, 2018 8:38 AM
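
How a receiver would apply the DMARC record posted earlier in this thread, as an added example (not written by any participant): DMARC passes when SPF or DKIM passes for a domain aligned with the From header, otherwise the published `p=` policy applies. The authentication results fed in are constructed, `bulk-sender.example` is a placeholder, and relaxed alignment is simplified to comparing the last two labels instead of using the Public Suffix List.

```python
# The DMARC record as posted in the thread.
THREAD_RECORD = ("v=DMARC1; p=reject; pct=100; ri=600; "
                 "rua=mailto:me@mydomain.com; ruf=mailto:me@mydomain.com; fo=1")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; v and p are mandatory."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; 'r' = same organizational domain.
    Assumption: organizational domain = last two labels (no Public Suffix List)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a.split(".")[-2:] == f.split(".")[-2:]

def dmarc_disposition(record, from_domain, spf=None, dkim=None):
    """spf and dkim are (result, authenticated_domain) tuples, or None when absent.
    Returns 'pass' or the published policy; pct sampling is ignored (record uses 100)."""
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(dkim[1], from_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    dom = "mydomain.com"
    # Sent directly from an IP listed in SPF, no DKIM signature.
    print(dmarc_disposition(THREAD_RECORD, dom, spf=("pass", dom)))
    # Same unsigned message relayed by a host that is not in the SPF record.
    print(dmarc_disposition(THREAD_RECORD, dom, spf=("fail", dom)))
    # Relayed again, but carrying a valid DKIM signature with d=mydomain.com.
    print(dmarc_disposition(THREAD_RECORD, dom, spf=("fail", dom), dkim=("pass", dom)))
    # SPF passes for an unrelated envelope domain: not aligned, policy applies.
    print(dmarc_disposition(THREAD_RECORD, dom, spf=("pass", "bulk-sender.example")))
```

With `p=reject` and no DKIM signature, SPF is the only path to a DMARC pass, so any legitimate message that reaches the receiver from an IP outside the SPF record gets the reject policy.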