Solved

Setting up a legitimate mail server

Posted on 2006-12-01
8
258 Views
Last Modified: 2010-03-04
I have a video email software package.  I allow my clients to login and send out video emails.  However, when I sent out the email I bounce it of our server but I spoof it with their email addres.  When the video is received it will go back to the user's primary address.  For example, if their email address is name@yahoo.com then when the email show up in the recipients inbox it will show that it is coming from name@yahoo.com.  Obviously that is not really the case.  I need to be able to allow my customers to legitimately send out emails through my mailserver.  We are having difficulty with yahoo and hotmail specifically.  This is very urgent.  I have a lot of unhappy customers.   Any Ideas?

0
Comment
Question by:covideosystems
  • 4
  • 3
8 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 18058573
What a LOT of e-mail severs will do is when they receive email that says it from johndoe@somewhere.com, they will do a reverse lookup on the IP address that is sending the e-mail, then they do a forward lookup on what is returned.  If the two do not match they reject the e-mail.

In your case, you may think this is legitimate, but what you are doing is mis-representing where the e-mail is truly coming from, which is considered against the laws.
0
 

Author Comment

by:covideosystems
ID: 18058654
I do a lot of business with Auto Dealers.  Most dealerships incorporate a CRM tool that allows them to manage all of their customers and prospects.  They also use this tool to send emails.  There are thousands of dealers across that United States that use CRM's.  When they implement a CRM each employee will get a email address provided to them.  Let's say the CRM name is Dealerpeak.  Everyone will have a name@dealerpeak.com email account.  However when the sales rep from Joe's Honda sends out an email to his prospect it will say repname@joeshonda.com.  Now if you look at the email header you will see clearly that the email is orginating and tracing back to mail.dealerpeak.com.  Now they do this with all of their clients.  Every dealership has their own internal email account and the CRM's spoof their emails with the dealerships name and email address.  The emails are not coming from the dealerships mail server but the CRM shows that it does.  The CRM industry is a billion dollar business.  I find it hard to belive that they are all breaking the law.

I'm hoping that this isn't black and white.  I don't know if I'm breaking the law.  I sure hope i'm not because that would really screw up my software.  
Thoughts?

Thanks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 18058724
I am assuming that you mean Customer Relationship Management tool.  Not sure, our CRM tool is setup to say that it is coming from @mydomain.com, not @someotherdomain.com.  In fact ever CRM tool I have worked on was setup like this.  

However, I have only worked in enviroments where the company was actually running the CRM tool in-house.  I have not worked in any enviroments where a 3rd party was hosting it.  

When the CRM software you have dealt with issued the HELO/EHEL command to the remote SMTP server what domain name does it use?

Which header shows that it is actually coming from dealerpeak.com?
0
 

Author Comment

by:covideosystems
ID: 18060200
All the CRM's that I have dealt with are third party.

They EHLO would be outbound.dealerpeak.com.
They HELO would be fe1.mail.dealerpeak.com.

I can assure that they successfully do this.  All the traces go back to dealerpeak and their IP.  However when you receive the email unless you looked at the headers you would never know it was from dealerpeak.  It would show that it is coming directly from the dealership.

Also, dealerpeak is just one example.  There are many many CRM's that do this.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 57

Expert Comment

by:giltjr
ID: 18060534
I looked at Dealer Peak and it seems they are full hosting sevice: Web, CRM, and e-mail.  If they are hosting the dealers e-mail sevice, then they will be able to send e-mail as though it came from joeshonda.com, as they are the hosting sevice for joeshonda and so it is coming from joeshonda's e-mail sever.

This is not a issue you can solve, this is how some companies and ISP's hace setup their inbound e-mail severs work.   It is not a problem with your software, it is a issue with the fact that the IP address that the e-mail is coming from, does not map back to a domain name that matches where the e-mail is coming from.
0
 

Author Comment

by:covideosystems
ID: 18060549
Ok.  I'm with you.  Our set up is flawed.  There must be a way around this.  What if I set up a legitimate mail server and give everyone an email account from my server, name@myserver.com.  I send out all the emails from my server.  The only thing that I will need is the recipient to be able to reply back to the email and have it go to joeshonda.com.  Also, it would be nice if it looked like it came from joeshonda.com.

You've given me a lot of bad news.  Please tell me there is light at the end of the tunnel.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 480 total points
ID: 18060772
Well, think about it.  You even said it.  You want to spoof e-mail.  How do most spammers work?  Spoofing.  How do a lot of virus and malware get around? Spoofed e-mail.

How would you like it if I started sending out e-mail saying it was you?  Even if you "gave me permission", how can the person receiving the e-mail know this?  They can't.  This is why a lot of e-mail servers and most e-mail filtering products block e-mail that appears to be spoofed.

Some e-mail that is spam is sent though SMTP severs that are not properly configured and are open relays.  That is they send out e-mail from domains other than their own.  This is exactly what you are doing.  Sending e-mail out from a domain (joeshonda.com) that is not your domain.

You should be able to send the e-mail out as being from "joeshonda@mysever.com" and have the Replyto address be "salesperonsname@joeshonda.com".  That way when the person replies back, it will go to the salesperson.  

The only other thing I can think if is that you ask each customer to give you a host name within their domain and setup an CNAME in their DNS sever that points to a host name within your domain.  Then you add that host name to your PTR record for the IP address of the server you use to send the e-mail out.

Examples:

You have an A record for oemail.yourdomain.com pointing to x.x.x.x

joe's honda assigns you the host name crm.joeshonda.com.  They setup a CNAME that as crm.joeshonda.com -> oemail.yourdomain.com.

You add crm.joeshonda.com to the PTR record for x.x.x.x.

bill's toyota assigns you the host name crm.billstoyota.com.  They setup a CNAME that as crm.billstoyota.com -> oemail.yourdomain.com.

You add crm.billstoyota.com to the PTR record for x.x.x.x.

The reason for using a CNAME is that if you ever change your IP address, they don't have to do anything, you just update the A record for your sever's name.
0
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 20 total points
ID: 18069013
Try playing with the From and Sender headers.

For example, gmail lets you send email on behalf on another email address. They set headers like

From: "Co Video" <covideosystems@joeshonda.com>
Sender: covideosystems@gmail.com

covideosystems@gmail.com is the real gmail account, and covideosystems@joeshonda.com is the "spoofed" email.

Maybe this setup will work for you?

ShalomC



0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now