OAC Technology asked:
Other domains are receiving spoofed emails from an account on our domain

We are using Google Apps for Business and we are running into a problem where one of our email addresses is being spoofed to multiple clients of ours. I have implemented Google DKIM, an SPF record with a -all hard failure, and DMARC, all of which have not helped. I have verified that no one has logged directly into the Gmail account in question to send these emails, and log files from the remote servers that I could access show that the IP addresses that these spoofed emails come from are indeed random locations (China, Russia, etc., not Gmail's servers).

I believe the problem started when a year or two ago one of our computers was compromised and someone probably had access to our contact list. That computer is gone, but my guess is the address list is still floating around the internet. The spoofed emails seem targeted to companies in that contact list. I believe the problem is that the companies receiving these spoofed emails have the spoofed email address (and possibly the entire domain) in their whitelist filter, thus bypassing the SPF and other spam checks. But I can't be 100% sure. As far as I can tell and have been told, all of the spoofed emails come from the one single email address of the computer that was compromised over a year ago.

What can be done to remedy this? Are there any other methods we can use to force remote mail servers to check that the emails are from Gmail's servers?

Thank you
ASKER CERTIFIED SOLUTION by John (available to Experts Exchange members only)
SOLUTION by Dr. Klahn (available to Experts Exchange members only)
SOLUTION (available to Experts Exchange members only)
OAC Technology (ASKER):
The mailbox password has been reset and we checked the IP logs to verify that no one else has been logging in with that account. I did verify the SPF record with that tool and all looks good. Unfortunately, since our email is on the Google servers, I don't have any control of the rDNS records.
If you know which account the email is coming from, you can remove this account, or rename it; then no one will be able to authenticate.
DKIM is the best option, so if you did implement it, it is not possible to send email from a different server.
Make sure that you have a single IP in the IPv4 section of the SPF record.
Tom, I have DKIM enabled with Google Apps and Google shows that the status is good and that DKIM is authenticating emails. However, this is still happening from random IPs. The SPF record is as follows: "v=spf1 include:_spf.google.com -all". My DMARC is as follows: "v=DMARC1; p=reject". I have re-verified my DKIM in DNS and ensured that the key is proper.

Even with DKIM enabled, DMARC setup, and SPF included, we're still 100% dependent on the receiving end to figure out that the message is spam?
we're still 100% dependent on the receiving end to figure out that the message is spam?  <-- That is pretty much what you have to do because you have zero control over who uses your email address.
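To make the point concrete, here is an added example (not posted by anyone in this thread) of the DMARC evaluation a receiving server performs, using the thread's own `v=DMARC1; p=reject` record and constructed sample messages; the domain `example.com`, the message dictionaries and the whitelist logic are assumptions. It shows that a sender-domain whitelist consulted before authentication delivers the spoofed message regardless of the p=reject policy.

```python
# Added example (not from the thread): a minimal receiver-side DMARC evaluation
# showing why a sender's SPF/DKIM/DMARC only matter if the receiver enforces them.
# Domains and authentication results below are constructed sample data.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(domain: str) -> str:
    # Approximation: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(msg: dict, policy: dict) -> str:
    """'pass' if SPF or DKIM passed with an aligned identifier, otherwise the p= disposition."""
    frm = msg["from_domain"]
    spf_ok = msg.get("spf") == "pass" and aligned(msg.get("mailfrom", ""), frm, policy.get("aspf", "r"))
    dkim_ok = msg.get("dkim") == "pass" and aligned(msg.get("dkim_d", ""), frm, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

def receiver_disposition(msg: dict, policy: dict, whitelist: set, whitelist_first: bool) -> str:
    """A receiver that whitelists the From domain *before* authenticating skips DMARC entirely."""
    if whitelist_first and msg["from_domain"] in whitelist:
        return "deliver"
    verdict = dmarc_result(msg, policy)
    return "deliver" if verdict in ("pass", "none") else verdict  # "reject" or "quarantine"

POLICY = parse_dmarc("v=DMARC1; p=reject")   # the record quoted in the thread
# Constructed messages: one genuinely sent via the domain's provider, one spoofed from a random IP.
LEGIT = {"from_domain": "example.com", "spf": "pass", "mailfrom": "example.com", "dkim": "pass", "dkim_d": "example.com"}
SPOOF = {"from_domain": "example.com", "spf": "fail", "mailfrom": "example.com", "dkim": "none", "dkim_d": ""}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, "| DMARC enforced:", receiver_disposition(msg, POLICY, {"example.com"}, False),
              "| whitelist checked first:", receiver_disposition(msg, POLICY, {"example.com"}, True))
```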
SOLUTION (available to Experts Exchange members only)
A few questions based on your response, Tom:

You mentioned there's not much we can do since we're on Google services. Would something like Office 365 or an on-premises Exchange server fix this? If so, how?

Also, with DKIM, wouldn't the remote server still need to actually CHECK for DKIM with its spam filter? What if they don't check for DKIM or if our domain is in their whitelist (which it is)? How would that work?

I do see DKIM in the email headers. Though I noticed the headers say DKIM c=relaxed/relaxed. Is this an issue? Is there a way to change it to "strict" like with SPF? Would that even have any effect?

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

Thank you!
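As an added illustration (not posted by anyone in the thread), the following Python implements the RFC 6376 "simple" and "relaxed" canonicalizations that the `c=` tag selects and computes the body hash (`bh=`) under each, over a constructed message body. It shows what `c=relaxed/relaxed` actually controls: whether a legitimate signature still verifies after a relay changes whitespace; canonicalization plays no part in how a receiver treats a message that carries no signature at all, which is the spoofed case here.

```python
import base64
import hashlib
import re

WSP = r"[ \t]"

def canon_header(name: str, value: str, mode: str) -> str:
    """RFC 6376 header canonicalization. 'simple' leaves the field as-is; 'relaxed'
    lowercases the name, unfolds, collapses whitespace runs to one space and strips
    whitespace around the colon and at the end of the value."""
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"\r?\n", "", value)                 # unfold continuation lines
    value = re.sub(WSP + "+", " ", value).strip(" \t")  # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n"

def canon_body(body: str, mode: str) -> str:
    """RFC 6376 body canonicalization over CRLF-terminated text."""
    lines = body.split("\r\n")
    if mode == "relaxed":                               # trim line-end WSP, collapse runs
        lines = [re.sub(WSP + "+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":                    # ignore empty lines at the end
        lines.pop()
    if not lines:                                       # empty body: "" relaxed, CRLF simple
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def body_hash(body: str, mode: str) -> str:
    """The bh= value a signer emits: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

# Constructed sample: the body as signed, and the same body after a relay re-wrapped
# whitespace and appended blank lines (a common benign in-transit change).
ORIGINAL_BODY = "Hello,\r\n\r\nPlease see the attached report.\r\n"
FORWARDED_BODY = "Hello,\r\n\r\nPlease see the \t attached report.  \r\n\r\n\r\n"

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        same = body_hash(ORIGINAL_BODY, mode) == body_hash(FORWARDED_BODY, mode)
        print(f"{mode}: body hash still matches after relay = {same}")
    print(canon_header("Subject", "  Quarterly   report ", "relaxed"))
```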
Check the header of an email you send to a recipient outside your domain.

Office 365 or on-premises will work better if you are going to be able to get a private IP assigned to your domain, or the on-premises administrator will be able to set up a separate network VLAN for your domain.

DKIM is like a digital signature. Your server is putting a digital STAMP on your email, so the recipient's server sees the STAMP and checks it against your public DNS TXT record. If the signature is the same, then the recipient knows that the email was sent from your server. This has nothing to do with spam. You still can send spam from your server with DKIM installed.

If I send an email to my private address on Comcast, then the header has info about DKIM and it says PASS:

Authentication-Results: resimta-ch2-16v.sys.comcast.net;
      dkim=pass header.d=xxxxxx.com header.b=EGBgFp7M
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
  s=s1024; d=xxxxxxxxx.com;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
  s=s1024; d=xxxxxxxxx.com;
  h=from:to:subject:date:message-id:content-type:mime-version;
  bh=fTpwcEh4VIG4ucd3LbJJavSJvS8=;
  b=EGBgFp7MY2fJ9bihnFqLGNTQFep8+mZdNhByXr65ZedBAQwKluoU44cUhs+QQ9AQlkmL9ffl
    yOuIhuXR82jaaaaaqqqw1/QA7Zt6XQlM9pdjyQIq8+3p7IbdPA82m5UnxTpj3KwgGLPC/ks3WBrb
    mOAyxdj6b42cfJYrt8kqVT1IygM=

Send a test email from your domain server to your private address and compare.
I sent an email to outside of our organization and the DKIM headers are there and pass. It looks like we're running into the same issue of "this has to be controlled on the receiving server's spam filter." Anything else you can think of trying?
The receivers need to filter / whitelist emails. I have been at this for a long time and senders cannot do much.
What other steps can we take to resolve this for our domain? I'd like to resolve this any way possible, even if the solution sounds like a "crazy" or "bad" idea. Moving servers? Changing emails/domains/providers?

Thanks
You can use your last suggestion: change the email domain to lower the spoofing problem from your original domain.
Can you get (post) the header of one email from your client that you suspect was spoofed?
Unfortunately, I can't. Everyone who had the emails deleted them, and it's difficult to get users from a company you have no IT partnership with to forward over the emails as attachments vs. them just forwarding the emails and saying "you've been hacked!" I've only seen the email logs from one of the remote servers, which showed the IP addresses of the emails were from China and Russia (not Gmail's servers).
Can you get this email and post the full header?
No service provider or Office 365 is going to help unless the receiver removes your email domain from the whitelist.

Sudeep