Solved

email spoofing?

Posted on 2015-01-27
Last Modified: 2015-02-15
A customer has been receiving numerous emails saying that his outgoing emails have bounced. However, he didn't send any of the emails. I suspected he might have been infected with a bot that was spamming from his computer, but we have run scans and found nothing. There are about a dozen users at his office and he is the only one with this problem.
I now suspect that someone external is spoofing using his email address as the return/sending email address and he is receiving the bounced messages. All the destination addresses end in '.de'.
Is there any way to stop this from happening? Yesterday morning (after the long week-end) he had over 50 of these emails.
Any suggestions would be appreciated.
Cheers,
Greg
Question by:gregmiller4it
13 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 167 total points
ID: 40574484
Theoretically, you have no way to stop an external party from sending you these kinds of spoofing emails, but technically you simply block them from your local email client by giving proper email signatures to filter them out.
0
 
LVL 23

Assisted Solution

by:Michael74
Michael74 earned 167 total points
ID: 40574487
Have a look in the header of these emails to see if you can identify where they are being sent from and, if you can, then contact the ISP to register a complaint.
http://compnetworking.about.com/od/workingwithipaddresses/qt/ipaddressemail.htm
0
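An added example, not part of the thread or any poster's code: one way to do the header check suggested above on a bounce message. It reads the topmost `Received` header of the returned message (the only one stamped by the bouncing server; lower ones can be forged by the sender) and reports whether that IP belongs to the customer's own outbound networks. The function name, the sample bounce and all addresses are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed, trimmed bounce; hosts and IPs are documentation values.
# The second Received line stands for a header forged by the spammer.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.de
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

<nobody@example.de>: user unknown
--b1
Content-Type: message/rfc822

Received: from mail.customer.example (unknown [203.0.113.77])
    by mx.example.de with ESMTP; Tue, 27 Jan 2015 03:12:01 +0100
Received: from [198.51.100.10] by mail.customer.example; Tue, 27 Jan 2015 03:11:58 +0100
From: user@customer.example
To: nobody@example.de
Subject: hello

spam body
--b1--
"""
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def injecting_hop(bounce_text, own_networks):
    """Return (ip, 'own' | 'external') for the host that handed the mail to the
    bouncing server, or None if the bounce has no usable Received header."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    inner = [p.get_payload(0) for p in bounce.walk()
             if p.get_content_type() == "message/rfc822"]
    received = inner[0].get_all("Received", []) if inner else []
    # Trust only the topmost header: the bouncing server wrote it itself.
    match = IP_IN_BRACKETS.search(str(received[0])) if received else None
    try:
        ip = ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        ip = None
    if ip is None:
        return None
    nets = [ipaddress.ip_network(n) for n in own_networks]
    return str(ip), "own" if any(ip in n for n in nets) else "external"
```

An `external` result means the message never passed through the customer's systems, which points to backscatter from spoofing rather than an infected machine in the office.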
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 166 total points
ID: 40574535
Honestly there's not much you can do when a spammer decides to spoof your email address. I usually use this analogy when explaining this sort of thing to my clients:

Email spoofing is similar to a spammer writing your name and address on the back of an envelope in the Return to/From: section before they send it off. The letter may be addressed to a non-existent address in which case the Post Office will eventually return the letter to you, as your name and address are on the back of the letter. The only way to stop the spammer from doing this is to physically be there when they forge your details on the back of the letter.

Best practice is to never use your company email account when signing up for online newsletters or any sort of public forum, and use a throwaway email account such as a Gmail, Hotmail, etc. account instead.

Hope the above clears things up.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40574718
A common spam technique is to use 'your' email address as the return address and send to a non-existent email address so the email will bounce.  When it bounces, it will come back to 'you' as a legitimate bounce email.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40574760
You can certainly attempt to use SPF, and optionally also DKIM / DMARC, but there are significant overheads involved in digitally signing outbound mail, and poor adoption of the technology (adoption of SPF is not much better, but at least that's low overhead, just adding a DNS record).

On the whole though, email is not a strongly authenticated system and there isn't much that can be done to prevent mail being sent in "your" name.
0
 

Author Comment

by:gregmiller4it
ID: 40583225
I've passed the info on to my customer and also advised him to talk to his ISP to see if they can offer any help. I'll report back when I talk to the customer again.
0
 
LVL 25

Expert Comment

by:madunix
ID: 40588001
SPF prevents spammers from using YOUR domain name; a good email security gateway product in front of your email server should prevent spoofed email; you could check Hexamail Guard
http://www.hexamail.com/hexamailguard/
http://www.altn.com/Products/SecurityGateway-Email-Firewall/Security-Features/#AntiSpoofing
0
 

Author Comment

by:gregmiller4it
ID: 40588089
The customer doesn't host their own email; they use POP accounts hosted by their ISP. Not sure if that makes a difference.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40588195
Only really matters if they have their own email domain or not - if it's just a generic mailbox domain, they may not have access to set up the required DNS records.

But on the whole, there is little you can do to avoid people faking emails.
0
 

Author Comment

by:gregmiller4it
ID: 40596344
I will check with the customer again tomorrow if I can.
0
 

Author Comment

by:gregmiller4it
ID: 40611634
I've just spoken to the customer again; he said that it has now stopped (i.e. the problem has gone away) but he didn't do anything specific that he is aware of to fix it....
...so, I'm not sure what I should do with this question to close it now????
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40611643
That's probably because the spammer has chosen not to use his email address to send out spam yet. There's no guarantee they won't do it again down the track though. As stated earlier, there's not much you can do to prevent someone from spoofing your email address.

The best thing to do to avoid a repeat of this is to never use your business address when signing up to any sort of online forum or newsletter, Facebook, etc. - use an account from a free email provider (such as Hotmail or Gmail) for these purposes instead. The more you use your email address on the web for these sorts of things, the more chances you have of a spammer spoofing your email address.
0
 
LVL 23

Expert Comment

by:Michael74
ID: 40611657
The spammer probably got shut down by the ISP they were using and so has moved to a new account somewhere else and is using a new FROM address so that they cannot be tracked by this information, making it harder to use rules to shut them down permanently. As modern spam filters do not use the From address for blocking because of this issue, there should be no ongoing problems.

I will also second the comments above by @VB ITS, it is very good advice to follow.

As for this question: Just pick the response(s) that you feel assisted you and assign the points
0
