Spoofed emails being received by other companies from a user who had their address book compromised previously

We have a client using GSuite and we have run into a problem where one of their users' email addresses is being spoofed and is being used to send out emails to multiple clients of theirs. I have implemented Google DKIM, an SPF record with the -all hard failure, and DMARC, none of which have helped. I have verified that no one has logged directly into the Gmail account in question to send these emails, and log files from the remote servers that I could access show that the IP addresses these spoofed emails come from are in places like China's Mobile Network. Is there a way to confirm that no one is using SMTP with this account to send these emails, or would that also show up in the login list?

Normally when an address is spoofed, it's not a big deal because spam filters will pick it up and block that email. The problem in this instance is that someone has stolen this user's address book and is using it to send spoofed messages to all of the clients in that address book. Because the client companies in the address book most likely have the spoofed user's domain whitelisted, the spam emails come through to them anyway, even though they are obviously spoofed or spam and come from random-country IP addresses. This is a huge problem because the clients listed in the address book are getting spam from what looks like the user who is being spoofed and think that they've been hacked in some way (even though, as far as I can tell, they're not), which translates to fear of doing business with the company whose emails are being spoofed.

What can be done to resolve this? I'm looking for any solutions, no matter cost or time involved to resolve this.

Thank you
OAC Technology (Professional Nerds) asked:

John (Business Consultant, Owner) commented:
There are only a couple of ways to deal with this:

1. Really top notch spam filters. I get good email from people I know and quarantined (spam) email from the same persons (spoofed).

2. Change the email address. This is not practical for me and may not be practical for you.
0
Dr. Klahn (Principal Software Engineer) commented:
The problem is at the spam senders' and the email receivers' ends, not at yours.  You've really got no control over anything in this situation.

  • You can't force an ISP on the other side of the world to stop spamming.  Especially not when it's emanating from the Far East or from Third World countries where they wink at spammers as long as they bring in hard U.S. currency.
  • You can't force the MTA at another company to check incoming SPF and DKIM.  It would be nice, but it's not possible.  Clearly the recipients are not doing that -- because if they were, they would see that they are coming from unauthorized sources, and not accept those messages.

I don't see any way to resolve this except (per John supra) close that account permanently, notify the email victims that it is no longer active, and strongly suggest to them that they (a) start checking SPF and DKIM, and (b) flag any email that fails those tests with *** BOGUS *** in the topic.
1

timgreen7077 (Exchange Engineer) commented:
If they are all coming from the same sending IP address, you can block the IP address on your perimeter email gateway or spam filters. Look at the headers and see if the originating IP is the same, and then just block it. Other than that, Dr. Klahn and John are right; that is not easy to overcome, so just blow away that account.
0
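Pulling the originating IP out of the headers, as the comment above suggests, is where a receiving admin can go wrong: only the topmost Received header (the one written by their own MTA) records an IP the spammer could not forge, and the verdict in Authentication-Results is what Dr. Klahn and Alan are asking receivers to act on. The script below is an added example, not code from this thread. The message, the gateway hostnames and the SPF record are constructed; the IP addresses are RFC 5737/3849 test addresses, and the SPF record lists ip4/ip6 ranges explicitly because a real Google Workspace record uses include:_spf.google.com, which needs DNS to resolve.

```python
"""Find the connecting IP of a received message and check it against an
SPF record, to decide what a receiving gateway should block.

Added example, not code from the original thread. RAW_MESSAGE and
SPF_RECORD are constructed; hostnames and addresses are hypothetical.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample: a spoofed message as it arrives at a recipient's
# gateway. The first Received header was added by the recipient's own MTA
# (trusted); the one below it came from the sending host and could say
# anything the spammer wants.
RAW_MESSAGE = b"""Received: from mail.attacker.example ([203.0.113.77])
\tby mx.client.example with ESMTP id abc123
\tfor <accounts@client.example>; Tue, 01 Aug 2017 10:00:00 +0000
Received: from localhost (unknown [10.0.0.5])
\tby mail.attacker.example; Tue, 01 Aug 2017 09:59:00 +0000
Authentication-Results: mx.client.example;
\tspf=fail (sender IP is 203.0.113.77) smtp.mailfrom=example.com;
\tdkim=none
From: "Jane Doe" <jane.doe@example.com>
To: accounts@client.example
Subject: Updated invoice
Message-ID: <1234@example.com>

Please see the attached invoice.
"""

# Constructed SPF record for the spoofed domain, with the authorised
# ranges listed inline (hypothetical; no include: so no DNS is needed).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_ips(raw):
    """Bracketed IPs from each Received header, nearest the recipient first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def connecting_ip(raw):
    """The IP the recipient's own MTA saw (topmost Received header).

    Lower Received headers were written by other hosts and can be forged,
    so this is the only address worth putting on a gateway block list.
    """
    ips = received_ips(raw)
    return ips[0] if ips else None


def auth_results(raw):
    """spf=/dkim=/dmarc= verdicts from the Authentication-Results header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr = str(msg.get("Authentication-Results", ""))
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, hdr)
        results[method] = m.group(1) if m else None
    return results


def spf_check(record, ip):
    """Evaluate an SPF record that uses only ip4/ip6/all mechanisms.

    Returns 'pass', 'fail', 'softfail' or 'neutral' per the matching
    qualifier; 'neutral' if nothing matches (RFC 7208 default). include:,
    a and mx mechanisms need DNS and are deliberately not resolved here.
    """
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the v=spf1 tag
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        if term == "all":
            return qualifiers[q]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return qualifiers[q]
    return "neutral"


if __name__ == "__main__":
    ip = connecting_ip(RAW_MESSAGE)
    print("connecting IP: %s -> SPF %s" % (ip, spf_check(SPF_RECORD, ip)))
    print("receiver's Authentication-Results:", auth_results(RAW_MESSAGE))
    print("full Received chain (entries after the first are untrusted):",
          received_ips(RAW_MESSAGE))
```

Blocking the connecting IP helps only while the spammer keeps using the same host; the question already notes the sources move around mobile networks, which is why the SPF/DMARC verdict, not the address, is the durable signal for the receiver's filter.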
Alan (Consultant) commented:
Hi,

The best thing that you can do is what you have already done: make sure you have set up at least SPF records, and ideally DKIM and DMARC too.

You can't stop A sending spam to B, pretending to be you (or one of your users).  What you can do is make it as easy as possible for B to know that it is spam, and an SPF record will pretty much nail that for them.

Then, if you hear about anyone receiving spam purporting to be from your domain, contact their admin, and ask them to make sure they are checking SPF records.  If they are, it should nail the problem for them at least.


Hope that helps, but not much you can do unfortunately.

Alan.
0
Alan (Consultant) commented:
Good advice offered.
0