• Status: Solved
  • Priority: High

Spoofed emails being received by other companies from a user who had their address book compromised previously

We have a client using GSuite and we have run into a problem where one of their users' email addresses is being spoofed and is being used to send out emails to multiple clients of theirs. I have implemented Google DKIM, an SPF record with the -all hard failure, and DMARC, all of which have not helped. I have verified that no one has logged directly into the Gmail account in question to send these emails, and log files from the remote servers that I could access show that these spoofed emails come from IP addresses in places like China Mobile's network. Is there a way to confirm that no one is using SMTP with this account to send these emails, or would that also show up in the login list?

Normally when an address is spoofed, it's not a big deal because spam filters will pick it up and block that email. The problem in this instance is that someone has stolen this user's address book and is using that address book to send spoofed messages to all of their clients within that address book. Because the client companies in the address book most likely have the spoofed user's domain whitelisted, the spam emails come through to them anyway, even though they are obviously spoofed or spam and coming from random country IP addresses. This is a huge problem because the clients that are listed in the address book are getting spam from what looks like the user who is being spoofed, and think that they've been hacked in some way (even though, as far as I can tell, they're not), which translates to fear of doing business with the company getting their emails spoofed.

What can be done to resolve this? I'm looking for any solutions, no matter cost or time involved to resolve this.

Thank you
OAC Technology
4 Solutions
John, Business Consultant (Owner), commented:
There are only a couple of ways to deal with this:

1. Really top notch spam filters. I get good email from people I know and quarantined (spam) email from the same persons (spoofed).

2. Change the email address. This is not practical for me and may not be practical for you.
Dr. Klahn, Principal Software Engineer, commented:
The problem is at the spam senders' and the email receivers' ends, not at yours.  You've really got no control over anything in this situation.

  • You can't force an ISP on the other side of the world to stop spamming.  Especially not when it's emanating from the Far East or from Third World countries where they wink at spammers as long as they bring in hard U.S. currency.
  • You can't force the MTA at another company to check incoming SPF and DKIM.  It would be nice, but it's not possible.  Clearly the recipients are not doing that -- because if they were, they would see that they are coming from unauthorized sources, and not accept those messages.

I don't see any way to resolve this except (per John supra) close that account permanently, notify the email victims that it is no longer active, and strongly suggest to them that they (a) start checking SPF and DKIM, and (b) flag any email that fails those tests with *** BOGUS *** in the topic.
timgreen7077, Exchange Engineer, commented:
If they are all coming from the same sending IP address you can block the IP address on your perimeter email gateway or spam filters. Look at the headers and see if the originating IP is the same and then just block it. Other than that, Dr. Klahn and John are right, that is not easy to overcome, so just blow away that account.

The best thing that you can do is what you have already done - make sure you have set up at least SPF records, and ideally DKIM and DMARC too.

You can't stop A sending spam to B, pretending to be you (or one of your users).  What you can do is make it as easy as possible for B to know that it is spam, and an SPF record will pretty much nail that for them.

Then, if you hear about anyone receiving spam purporting to be from your domain, contact their admin, and ask them to make sure they are checking SPF records.  If they are, it should nail the problem for them at least.

Hope that helps, but not much you can do unfortunately.
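The receiving-side check that Dr. Klahn and the answer above are asking the recipients' admins to do (look at the header their own MX wrote, evaluate the sender domain's SPF record against that connecting IP, and tag or reject on failure) can be shown end to end with a short script. This is an added example, not code from the thread or from Google; the domains (example.com, _spf.example-mail.net, mx.receiver.example, bulk-sender.invalid), the SPF records, the Received headers and the IPs (RFC 5737 and RFC 3849 documentation ranges) are all constructed for the demonstration, and a real MX would resolve the records over DNS rather than from a dictionary.

```python
"""Offline demo of what a receiving MTA can do with a spoofed message:
take the connecting IP from the Received header it wrote itself, evaluate
the envelope sender's SPF record against it, and tag failures in Subject.
All DNS data, host names and messages below are constructed for the demo.
"""
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for DNS TXT lookups (hypothetical domains; documentation
# address ranges). A real receiver resolves these with DNS.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.example-mail.net -all",
    "_spf.example-mail.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# Host name our own border MX writes into the "by" clause of its Received header.
OUR_MX = "mx.receiver.example"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, resolver=FAKE_DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` against `domain`.
    Handles ip4, ip6, include and all (what a Google-style record uses);
    a, mx, ptr and exists are reported as permerror, not silently skipped."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat deep nesting as error
        return "permerror"
    record = resolver.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:  # `in` is False when address and network families differ
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":  # include matches only on a "pass" from the included record
            matched = spf_check(ip, arg, resolver, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term


def connecting_ip(msg, our_mx=OUR_MX):
    """Client IP from the Received header *our* MX added. Received headers
    below it were supplied by the sender and can be forged, so they are ignored."""
    for hdr in msg.get_all("Received") or []:
        if re.search(r"\bby\s+" + re.escape(our_mx) + r"\b", hdr):
            m = re.search(r"\[([0-9a-fA-F.:]+)\]", hdr)
            if m:
                return m.group(1)
    return None


def sender_domain(msg):
    """Domain of the envelope sender (Return-Path), which is what SPF checks."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("Return-Path", "") or msg.get("From", ""))
    return m.group(1).lower() if m else None


def evaluate(raw_message, resolver=FAKE_DNS_TXT, our_mx=OUR_MX):
    """Run the SPF check on a raw RFC 5322 message; tag fail/softfail in Subject."""
    msg = message_from_string(raw_message)
    ip, domain = connecting_ip(msg, our_mx), sender_domain(msg)
    result = spf_check(ip, domain, resolver) if ip and domain else "none"
    subject = msg.get("Subject", "")
    if result in ("fail", "softfail"):
        subject = "*** BOGUS *** " + subject
    return {"ip": ip, "domain": domain, "spf": result, "subject": subject}


def build_message(client_ip, mail_from="alice@example.com"):
    """Constructed message as stored by our MX: the top Received header is ours
    and holds the real connecting IP; the one below was written by the sending
    host and claims an address that would pass SPF."""
    return (
        f"Received: from bulk-sender.invalid (unknown [{client_ip}])\n"
        f"\tby {OUR_MX} with ESMTP id 4fZ7xk; Mon, 1 Jan 2018 10:00:00 +0000\n"
        "Received: from mail.example.com ([203.0.113.10])\n"
        "\tby bulk-sender.invalid; Mon, 1 Jan 2018 09:59:00 +0000\n"
        f"Return-Path: <{mail_from}>\n"
        f"From: Alice <{mail_from}>\n"
        "To: bob@receiver.example\n"
        "Subject: Invoice attached\n"
        "\n"
        "Please see the attached invoice.\n"
    )


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.10"):
        print(evaluate(build_message(ip)))
```

Run as-is, the message from 198.51.100.77 comes back with spf "fail" and a "*** BOGUS ***" subject, while the same message from 203.0.113.10 passes. Two points the script makes that the prose does not: the IP must be taken from the Received line the receiver's own MX wrote, because the lines beneath it are sender-controlled and the forged one here names an address inside the sender's SPF range; and with the -all record plus a DMARC policy of p=reject already published on the spoofed domain, a receiver that honours DMARC should reject at SMTP time rather than merely tag, so tagging is the fallback for recipients who will not go that far. DKIM signature verification is out of scope here.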

Good advice offered.