Avoiding spoof e-mail


  • So we have a pretty decent spam filter.  The problem now seems to be that someone out there is impersonating one of our e-mail addresses, and is sending out spam claiming to be us.  Our mail server then floods one of our executives ( with a ton of bounce-back messages. 

    I don't know how they're doing this, all our SPF records are up and I'm passing all the tests at  Any ideas where I can go to troubleshoot?  I'm including one of the bounce-backs... is an alias for our own domain. 

    Delivery has failed to these recipients or groups:
    The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

    The following organization rejected your message: (

    Diagnostic information for administrators:

    Generating server: ( #< ( #5.1.1 smtp; 550 spam message rejected. Please visit or report details to Error code: C458E79C1450AEDA0E4EF03F386B20D6A3B6E8BD32D84DAC770085CBF2F4CA02C92D673F3D1AC437D03C6755E3EA2448EB731D2F35D5DA61. ID: 0000000F00002C8735B92B51. > #SMTP#

    Original message headers:

    Received: from eastrmimpo109 ([]) by
              (InterMail vM. 201-2260-137-20101110) with ESMTP
              id <>
              for <>; Tue, 2 Oct 2012 16:07:17 -0400
    Received: from Unknown ([])       by eastrmimpo109 with cox         id
     6L6j1k00H3p7Z8T01L6ve0; Tue, 02 Oct 2012 16:07:15 -0400
    X-CT-Class: Bulk
    X-CT-Score: 5.00
    X-CT-RefID: str=0001.0A02020B.506B1C28.00B0,ss=3,sh,re=0.000,fgs=0
    X-CT-Spam: 0
    X-Authority-Analysis: v=2.0 cv=EM+EIilC c=1 sm=1
     a=ir+z6u1b1/JQc7vbQ7T55Q==:17 a=ST9hmjiC9vQA:10 a=jPJDawAOAc8A:10
     a=ZsaOob9sAAAA:8 a=z3kLCph82IkA:10 a=WBlk6YtE7Aog8KVTONEA:9 a=Ft8UYL4EG9YA:10
     a=YREmD7smRYyc0Eb9l-QA:9 a=_W_S_7VecoQA:10 a=9Q615Muq5jIeIMxe:21
    X-CM-Score: 0.00
    Authentication-Results:; auth=pass (CRAM-MD5)
    Message-ID: <E3240A8BB5724607B563D80DDAAC2215@uvikjcf>
    Reply-To: =?windows-1251?B?zejq6PLg?= <>
    From: =?windows-1251?B?zejq6PLg?=
    To: =?windows-1251?B?zuLo5OjpIMjr/Oj3?= <>
    Subject: =?windows-1251?B?wuD46CDt7uL75SDq6+jl7fL7Lg==?=
    Date: Wed, 3 Oct 2012 02:06:25 +0600
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
    X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726

    ----------- Ron E Biggs Network Administrator Entertainment Studios

    Tuesday, October 02, 2012 10:50 PM


  • At any rate, looks like we figured it out.  The issue is needing to fine-tune the public SPF record.  Basically, the SPF records we have say:

    v=spf1 a mx ~all

    They should say:

    v=spf1 mx ptr mx:<mailserver FQDN> ip4:<mailserver public IP> -all 

    ----------- Ron E Biggs Network Administrator Entertainment Studios

    • Marked as answer by Ron E Biggs Tuesday, October 09, 2012 5:42 PM
    Tuesday, October 09, 2012 5:42 PM
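Added example, not part of the thread: a minimal SPF evaluator in Python showing why the answer's change matters. With a `~all` record a forged sending host only softfails (most receivers still accept and may later bounce), whereas `-all` yields a hard fail the receiver can act on at SMTP time; the DNS answers, example.com and the 203.0.113.x/198.51.100.x addresses are constructed stand-ins, and the `ptr` mechanism from the post is left out because RFC 7208 advises against using it.

```python
import ipaddress

# Constructed, offline stand-in for DNS: what a receiver would resolve for
# the sending domain (all names and addresses are placeholders).
FAKE_DNS = {
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
}

def _hosts_for(domain, mechanism):
    """Return the IPs that an 'a' or 'mx' mechanism expands to."""
    if mechanism == "a":
        return FAKE_DNS.get((domain, "A"), [])
    ips = []
    for mx in FAKE_DNS.get((domain, "MX"), []):
        ips += FAKE_DNS.get((mx, "A"), [])
    return ips

def check_spf(record, domain, sender_ip):
    """Evaluate an SPF record against sender_ip.
    Returns pass/fail/softfail/neutral, or 'none' for a non-SPF record.
    Models the mechanisms used in the thread: a, mx, ip4 and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"                       # default qualifier is pass
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                # 'all' matches anything; its qualifier decides
            return qualifiers[qual]
        if name in ("a", "mx"):
            target = arg or domain       # 'mx:host' checks the MX of host instead
            matched = any(ip == ipaddress.ip_address(h) for h in _hosts_for(target, name))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue                     # ptr, include, exists: not modelled here
        if matched:
            return qualifiers[qual]
    return "neutral"                     # no mechanism matched and no 'all' term

if __name__ == "__main__":
    forged = "198.51.100.7"              # a host that is not ours
    print(check_spf("v=spf1 a mx ~all", "example.com", forged))             # softfail
    print(check_spf("v=spf1 mx ip4:203.0.113.25 -all", "example.com", forged))  # fail
```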