gregmiller4it

asked on

email spoofing?

A customer has been receiving numerous emails saying that his outgoing emails have bounced. However, he didn't send any of the emails. I suspected he might have been infected with a bot that was spamming from his computer, but we have run scans and found nothing. There are about a dozen users at his office and he is the only one with this problem.
I now suspect that someone external is spoofing using his email address as the return/sending email address and he is receiving the bounced messages. All the destination addresses end in '.de'.
Is there any way to stop this from happening? Yesterday morning (after the long week-end) he had over 50 of these emails.
Any suggestions would be appreciated.
Cheers,
Greg
A common spam technique is to use 'your' email address as the return address and send to a non-existent email address so the email will bounce.  When it bounces, it will come back to 'you' as a legitimate bounce email.
You can certainly attempt to use SPF, and optionally also DKIM / DMARC, but there are significant overheads involved in digitally signing outbound mail, and poor adoption of the technology (adoption of SPF is not much better, but at least that's low overhead, just adding a DNS record).

On the whole though, email is not a strongly authenticated system and there isn't much that can be done to prevent mail being sent in "your" name.
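To tell the bounce technique described above apart from a bot on the customer's own PC, the headers of the original message embedded in each bounce can be checked. This is an added example, not part of the original thread; the relay range, host names and sample bounce are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption (hypothetical value): relay range the customer's ISP sends his mail from.
OWN_RELAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample bounce (DSN), trimmed to the part this check reads;
# every host, address and IP in it is made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from unknown (unknown [203.0.113.77]) by mx.recipient.example
From: user@customer.example

--b1--
"""

def original_headers(bounce):
    """Headers of the bounced message embedded in the DSN, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload(), policy=policy.default)
    return None

def classify_bounce(raw):
    bounce = email.message_from_string(raw, policy=policy.default)
    if bounce.get_content_type() != "multipart/report":
        return "not-a-dsn"
    orig = original_headers(bounce)
    received = orig.get_all("Received", []) if orig is not None else []
    # The top Received line was added by the server that accepted and then
    # bounced the mail, so its client IP was not chosen by the spammer.
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", str(received[0])) if received else None
    try:
        client = ipaddress.ip_address(m.group(1))
    except (AttributeError, ValueError):  # no Received line, no IP, or a bad one
        return "undetermined"
    if any(client in net for net in OWN_RELAY_NETS):
        return "sent-via-own-relay"  # mail really left the customer's side
    return "backscatter"
```

A result of `sent-via-own-relay` means the mail did pass through the customer's ISP, so the account or a machine using it needs investigating; `backscatter` matches the spoofing explanation given in the thread.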
gregmiller4it

ASKER

I've passed the info on to my customer and also advised him to talk to his ISP to see if they can offer any help. I'll report back when I talk to the customer again.
madunix

SPF prevents spammers from using YOUR domain name; a good email security gateway product in front of your email server should prevent spoofed email; you could check Hexamail Guard
http://www.hexamail.com/hexamailguard/
http://www.altn.com/Products/SecurityGateway-Email-Firewall/Security-Features/#AntiSpoofing
The customer doesn't host their own email; they use POP accounts hosted by their ISP. Not sure if that makes a difference.
Only really matters if they have their own email domain or not - if it's just a generic mailbox domain, they may not have access to set up the required DNS records.

But on the whole, there is little you can do to avoid people faking emails.
I will check with the customer again tomorrow if I can.
I've just spoken to the customer again; he said that it has now stopped (i.e. the problem has gone away) but he didn't do anything specific that he is aware of to fix it....
...so, I'm not sure what I should do with this question to close it now????
That's probably because the spammer has chosen not to use his email address to send out spam yet. There's no guarantee they won't do it again down the track though. As stated earlier, there's not much you can do to prevent someone from spoofing your email address.

The best thing to do to avoid a repeat of this is to never use your business address when signing up to any sort of online forum or newsletter, Facebook, etc. - use an account from a free email provider (such as Hotmail or Gmail) for these purposes instead. The more you use your email address on the web for these sorts of things, the more chances you have of a spammer spoofing your email address.
The spammer probably got shut down by the ISP they were using, and so has moved to a new account somewhere else and is using a new FROM address so that they cannot be tracked by this information, making it harder to use rules to shut them down permanently. As modern spam filters do not use the From address for blocking because of this issue, there should be no ongoing problems.

I will also second the comments above by @VB ITS, it is very good advice to follow.

As for this question: just pick the response(s) that you feel assisted you and assign the points.