11

Domain facing massive e-mail spoofing attacks: Can something be done?

Hello,

I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise of e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the "via" field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.

My mailserver doesn't seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.

Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients' inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name's reputation (blacklist, ...?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?

I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh and my server isn't an open relay ^_^

Thank you!

@email @techsupport

you are viewing a single comment's thread
view the rest of the comments
[-] voracitude@lemmy.world 4 points 9 months ago* (last edited 9 months ago)

When it says the email is "from" server 1 "via" server 2, the From address is an email that isn't yours, and the Reply-To address on the mail has been rewritten to yours. Mail client software is supposed to display the Reply-To, but obviously doing that leads to a rise in spam fooling people, so I understand why spec isn't followed there.

Your last sentence stitches the whole thing up: you're doing everything right. Nothing can stop someone trying to impersonate you and sending emails professing to be from your email address. Your SPF, DKIM, and DMARC records will prevent them from being delivered most of the time, and even if it goes to spam the recipient mail client should put a warning on it to the effect that it failed verification. Not having an open relay prevents anyone from abusing your mail server itself, meaning anyone trying to impersonate you will fail verification, as they cannot send an email from your server's IP or with your valid DKIM signature.

Your emails going to spam isn't something you can readily stop, I'm afraid. All your security we've talked about so far is aimed at preventing fake emails from being delivered; going to the spam folder is a result of secondary sorting after delivery. I believe some systems take the verification into account, but who knows what other logic they apply. Most systems will skip secondary sorting for emails in the address book, so as '90s as it sounds: get yourself added to the address book. And make sure nobody reports your legitimate emails as spam; those reports do actually work.

Speaking of, when you get a bounce notice, it should say why. It might not be useful, but then again it might. Remember as well that your email may have bounced just because "Big Email Said No": https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

Other people sending spam shouldn't affect your domain's reputation; a lot of that is the IP the email is sent from, rather than the domain itself. Lists like SORBS and HostKarma work solely off the IP, to my understanding.

Tools I use regularly are https://mail-tester.com (3 free tests a day, don't send attachments) to check for how deliverable your emails are, and https://senderscore.org for checking your reputation.

Finally, don't worry about spammers targeting authorities while spoofing your email, if the French government's IT security departments can't tell it's spam and not from you just by looking at the email headers, France as a whole has bigger problems ๐Ÿ˜‹

I hope that helps! Sorry I can't help with spam filtering in your own inbox, I'm mostly focused on deliverability to other inboxes. I also hope someone with more experience than me can chime in, because I'm sure there's a lot I'm missing ๐Ÿ˜…

[-] clement@ck.villisek.fr 4 points 9 months ago

@voracitude Thank you very much! This confirms my worries, not much can be done...

[-] voracitude@lemmy.world 4 points 9 months ago

You're welcome! But honestly it's not much of a worry, the methods you have in place are pretty effective. It's just hard running your own mail server, all the big kids wanna push us around ๐Ÿ˜‚

this post was submitted on 31 Jan 2024
11 points (100.0% liked)

techsupport

2451 readers
17 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 1 year ago
MODERATORS