Adam D asked:

Spoofed emails - how to prevent and/or stop

I have a client that has their own domain using GSuite based email.  Their customers are receiving a lot of spoofed (not hacked) emails from one of the users.  The usual spam/infection type of email like "here is your invoice" which the customers almost open but think better of it.

The user's system is clean, no infections, usual protections, etc.

Any way to reduce or prevent this problem from happening?  It seems to only be happening to this one user and it comes in waves...nothing for a month or two and then an onslaught of emails to the people in the user's address book.

Thoughts?

Thanks.
Mal Osborne

Usually this happens when the sending mail domain has no SPF record.

This is an optional DNS entry, which specifies the IP addresses that email from a domain should be expected to be sent from. Spoofed email usually arrives from a different IP.

Most domains have this in place, which means most spoofed email is captured in spam filters. The few remaining domains that are in use in 2019 without an SPF record in place are thus useful for spammers who want to spoof them, and they get hammered with this all the time as well as having a lot of their email binned as spam.

Unfortunately, YOU can't fix this, all you could do is check that the problematic sender has an SPF record in place, and if not, request they implement one ASAP.

More here: https://en.wikipedia.org/wiki/Sender_Policy_Framework
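To make the mechanism in this answer concrete, here is an added example (not the poster's code) of what a receiving server does with an SPF record: it takes the connecting IP and the MAIL FROM domain, fetches that domain's `v=spf1` TXT record and walks the mechanisms until one matches. DNS is replaced by a constructed in-memory table so it runs offline; `company.example`, `nospf.example`, the address ranges and the expansion shown for `_spf.google.com` are all assumptions for the example (Google's real record expands to Google's own netblocks). Two things worth noticing: a domain with no record evaluates to `none`, which is the situation the answer describes, and SPF is evaluated against the envelope sender, not the `From:` header the customer sees.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges used as placeholders.
DNS_TXT = {
    "company.example": "v=spf1 include:_spf.google.com ~all",   # the record G Suite asks you to publish
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",  # assumed expansion
    "nospf.example": "",                                          # no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    txt = DNS_TXT.get(domain.lower(), "")
    return txt if txt.lower().startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the connecting IP against the SPF policy of the MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none or permerror, as a receiver
    would.  Only ip4, ip6, include and all are implemented; the DNS-querying
    mechanisms (a, mx, ptr, exists) and modifiers (redirect=, exp=) return
    permerror here so the gap is visible instead of silently mis-evaluated.
    """
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                     # the case from the answer: nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced policy itself returns pass
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for dom, ip in [("company.example", "203.0.113.10"),
                    ("company.example", "198.51.100.7"),
                    ("nospf.example", "198.51.100.7")]:
        print(dom, ip, check_spf(dom, ip))
```

Note that the Google-recommended record ends in `~all` (softfail), so a forged message from an unlisted IP is only marked as suspicious, not rejected; turning that into an enforced decision is what DMARC is for.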
Make sure your Spam settings are set Medium to High and Blacklist any that get through.

I see a few of these:  100% in my Spam Quarantine. Delete from there.
ASKER CERTIFIED SOLUTION
J0rtIT

This solution is only available to members.
Dr. Klahn

Any way to reduce or prevent this problem from happening?

Not at your end.  You can advise your customers to configure their incoming MTAs to not accept email appearing to emanate from your domain on which the SPF does not validate, which would be a solid solution.  However, I daresay most of them when so advised will say "Huh wot?"

At the end of the day the problem is at the receiver's end, not at yours, and there's nothing you can do about it other than give them the advice above.
Adam D

ASKER

Thank you all for your responses.

1.  My client is the one who is "sending" the emails - or so their customers think.  For example, you are my client's customer and YOU have received an email from my client saying you have an invoice to pay.  Of course, my client did NOT send any emails, they were all spoofed.

2.  My client's email is being hosted and controlled by GSuite of Google.  All MX records point there.  If the MX records point there and I am not hosting the domain, do I still have the ability to modify SPF records?  Wouldn't Google have already done that, since it is their servers sending out legitimate emails?

Thanks. :)
As long as you have control over the DNS (this means that you can change the MX, TXT, and other records when you want), that's the control over the domain. Do you have it?
The problem is not if you host it or not, the problem is that you have the ability to change it.

You do need to validate the emails using the DomainKeys signature, DKIM, and of course implement DMARC, so if any of these spoofers send emails "as if they were your client", they go directly to spam or are rejected, and you also get a report of what is going on, so you can block them or send a warning to your clients that those emails are not going out from your server.

That's why the Triforce of the emails exists (SPF, DKIM, and DMARC).
I agree with Jose. Set up SPF, DKIM and DMARC.
If you have G Suite and you are an admin, you should be able to contact Google support who can guide you through setting them up.
Adam D

ASKER

Ok, thank you.  SPF is already set up (and has been) and I am looking into DKIM and DMARC although I don't think it will help much in this situation since the emails being received by the customers are not fully being spoofed, only the user's display name is being faked.

For example, if the user's display name is "John Smith" and the email address is "john.smith@company.com", the customer is receiving an email from display name "John Smith" with the email address "notme@3djls.ck.jp"

As far as the customer is concerned they only see the display name and think it is the real user, but if you look at the headers or even just the email address a little bit closer, you see the actual email address doesn't even try to pretend they are "john.smith@company.com"

And the other interesting question, if the user was not hacked, how did they get the address book for this user?

Thanks. :)
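The pattern described in this post is display-name impersonation: the `From:` address really is in the attacker's domain, so SPF, DKIM and DMARC for the client's domain have nothing to say about it (and the attacker's domain may authenticate perfectly well). What catches it is a receiver-side content rule that compares the display name against the names of real senders. The following is an added example of such a rule, not code from the thread; the directory, the domain names (`company.example` standing in for the post's `company.com`) and the sample headers are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed directory of the organisation's real senders (display name -> mailbox).
DIRECTORY = {
    "John Smith": "john.smith@company.example",
    "Jane Doe": "jane.doe@company.example",
}
OWN_DOMAINS = {"company.example"}


def normalize_name(name):
    """Compare names loosely: case, punctuation and word order
    ("Smith, John", "john  smith") must not defeat the check."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


KNOWN_NAMES = {normalize_name(n): addr.lower() for n, addr in DIRECTORY.items()}


def classify_from(from_header):
    """Classify a raw From: header value.

    Returns (verdict, detail) with verdict one of ok, impersonation,
    mismatch or unknown.  Only the header is inspected: this check needs no
    SPF/DKIM/DMARC result, and none of those replaces it.
    """
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]
    # Trick 1: the victim's own address written into the display name,
    # e.g. "john.smith@company.example" <notme@attacker.example>
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if embedded and embedded.group(1).lower() in OWN_DOMAINS and domain not in OWN_DOMAINS:
        return "impersonation", f"own address in display name, real sender {address}"
    key = normalize_name(display)
    if key not in KNOWN_NAMES:
        return "unknown", "display name not in directory"
    if domain not in OWN_DOMAINS:
        # Trick 2: the case from the post, a known name on a foreign address
        return "impersonation", f"'{display}' sent from {address}"
    if address != KNOWN_NAMES[key]:
        return "mismatch", f"own domain, but {address} is not {KNOWN_NAMES[key]}"
    return "ok", "matches directory"


# Constructed sample headers in the shape the post describes.
SAMPLES = [
    "John Smith <john.smith@company.example>",
    '"John Smith" <notme@3djls.ck.jp>',
    '"Smith, John" <notme@3djls.ck.jp>',
    '"john.smith@company.example" <notme@3djls.ck.jp>',
    "Pat Customer <pat@customer.example>",
]


def scan(headers=SAMPLES):
    """Run the rule over a batch of From: values; returns (header, verdict) pairs."""
    return [(h, classify_from(h)[0]) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:14} {header}")
```

The rule only helps where it runs: the client can apply it (or the equivalent built-in setting Google Workspace offers for inbound mail) to protect its own users, but the customers' mail providers have to do the same for the customers' inboxes.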
Set up SPF, DKIM and DMARC

Just a note,

Setting up and implementing these records and a DMARC policy for the sender's domain is only part of it.

Both the sender and receiver need to be filtering emails for DMARC compliance, either through a service or via a milter (OpenDKIM, OpenDMARC, etc.). Additionally, the sender's DMARC policy must be set to either Quarantine or Reject.

If the receiving server does not filter for DMARC compliance forged messages will get delivered.
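As an added example (not the poster's code) of the receiver-side evaluation this note describes: given the `From:` domain, the receiver's own `Authentication-Results` header and the sender's DMARC record, decide identifier alignment and the disposition. Every domain, header value and record below is constructed. It also illustrates the point raised later in the thread about G Suite's default DKIM signature: a `header.d=` of `…gappssmtp.com` is a valid DKIM pass, but it is not aligned with the `From:` domain, so it only helps DMARC when SPF passes too, and forwarding breaks SPF.

```python
import re


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, crudely: the last two labels.  Real receivers use
    the Public Suffix List (company.co.uk would break this shortcut)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull the SPF and DKIM results and their identifiers out of the
    receiver's own Authentication-Results header."""
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([^\s;]+))?", header, re.I)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", header, re.I)

    def domain_of(ident):          # smtp.mailfrom may be a full address
        return ident.rpartition("@")[2].lower() if ident else ""

    return {
        "spf": spf.group(1).lower() if spf else "none",
        "spf_domain": domain_of(spf.group(2)) if spf else "",
        "dkim": dkim.group(1).lower() if dkim else "none",
        "dkim_domain": domain_of(dkim.group(2)) if dkim else "",
    }


def dmarc_disposition(from_domain, auth_results, dmarc_record):
    """Return (dmarc_result, action) the way a DMARC-aware receiver decides it.
    DMARC passes if either SPF or DKIM passes *and* is aligned with From:."""
    if not dmarc_record:
        return "none", "deliver"           # no policy published: nothing to enforce
    tags = parse_dmarc(dmarc_record)
    ar = parse_auth_results(auth_results)
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], from_domain, tags.get("aspf", "r"))
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags.get("p", "none"), "deliver")


# Constructed records and Authentication-Results values.
P_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@company.example"
P_REJECT = "v=DMARC1; p=reject; aspf=r; adkim=r"
AR_SPOOF = "mx.customer.example; spf=fail smtp.mailfrom=company.example; dkim=none"
AR_DIRECT_DEFAULT_DKIM = ("mx.customer.example; spf=pass smtp.mailfrom=company.example; "
                          "dkim=pass header.d=company-example.20190101.gappssmtp.com")
AR_FORWARDED_DEFAULT_DKIM = ("mx.customer.example; spf=fail smtp.mailfrom=company.example; "
                             "dkim=pass header.d=company-example.20190101.gappssmtp.com")
AR_DOMAIN_DKIM = ("mx.customer.example; spf=fail smtp.mailfrom=company.example; "
                  "dkim=pass header.d=company.example")

if __name__ == "__main__":
    for label, ar, rec in [("forged, p=none", AR_SPOOF, P_NONE),
                           ("forged, p=reject", AR_SPOOF, P_REJECT),
                           ("forwarded, default DKIM", AR_FORWARDED_DEFAULT_DKIM, P_REJECT),
                           ("forwarded, domain DKIM", AR_DOMAIN_DKIM, P_REJECT)]:
        print(f"{label:26} {dmarc_disposition('company.example', ar, rec)}")
```

The `p=none` case is the note's point in one line: the forged message fails DMARC, and the receiver delivers it anyway because the sender's policy asked for nothing.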
Adam D

ASKER

Thanks Kenfcamp.  Do standard personal email providers like Comcast, AT&T, Gmail, Microsoft, etc. do that automatically or is that on an end user basis in the email program/app?
Do standard personal email providers like Comcast, AT&T, Gmail, Microsoft, etc. do that automatically

Not anyone I use. That is why Spam Filtering is so critical.
Do standard personal email providers like Comcast, AT&T, Gmail, Microsoft, etc. do that automatically

Gmail, Yahoo (and likely the others) will filter the incoming messages for DMARC compliance, but their outgoing policies are generally set to none meaning compliance failures will be ignored by the receiving mail server.
Adam D

ASKER

So, in reality, the concept of SPF, DKIM and DMARC are nice, but for an everyday user, they are basically pointless.

Even if this particular domain had all three, it is really up to the receiving end to do the check.  Which, in the case of a standard email provider is less than likely.

Any thoughts on how this spoofing campaign is apparently able to send these emails to the list of people from the client's address book?

Thanks. :)
Malware or virus.... Compromised accounts.
About the comment on DKIM, SPF and DMARC: if you think they are pointless, then probably you are part of the problem.
This is why Spam Filtering Protection is needed.

I get valid emails from name@domain.com without issue.
I see emails from name@domain.com in my Spam Quarantine and they are truly spoofed phishing emails.

It is hard for records as mentioned above to keep up with this.

At your end, filter the email.
At the other end, that is up to them.
Adam D

ASKER

I disagree, Jose.  If standard providers do not implement these policies on outgoing mail, which apparently they may not, then receiving servers will have nothing to verify and therefore it is pointless.  In addition, even though my client's particular domain does NOT have DKIM or DMARC set up, since they are using GSuite based email Google is signing all emails with the default Google DKIM, and yet the people receiving these fraudulent emails are still getting them in the inbox and not in their junk folder.

Thanks John.  Unfortunately it does appear to be up to the end recipient to filter their emails and ensure they are not seeing what is obviously spam or worse.  Unfortunately, for my side of things, there doesn't seem like there is much else I can do, except add the domain DKIM and DMARC vs the defaults.

Thanks.
If I understand, by spoofed you mean the From: address has been forged, so emails sent from sam@foo.com are all forged, meaning sam@foo.com isn't sending these emails.

If this is correct, then the fix is using correct SPF + DKIM + DMARC settings.

Then (importantly) you must test your SPF + DKIM settings + review your nightly DMARC email to ensure your settings are correct.

Almost 100% of the projects I take on related to email deliverability start the same way. They all think their SPF + DKIM + DMARC records are correct, then after a few minutes testing, some or all settings turn out to be wrong.

Always test.

Tip: Simple DKIM test (which can be a bear to test). Send your own Gmail address a test message + look under the actions tab + say show original message. At the bottom of the headers you'll see a message about whether DKIM passed or failed.

This can save many hours of testing.
@David-Favor I'm gonna help you out there, just save this address.
http://www.appmaildev.com/en/dkim

Open it on your customer's side, click "next step", copy the address and send a test email; you'll get the report for all 3 (SPF, DKIM, and DMARC).

If they are implemented correctly, that should solve the problem. I honestly have never had the need to put something in the middle to filter emails, because small/mid-size companies just don't have the budget for this kind of stuff, but if you can have them, of course you can get them; it is not a MUST-have for today's companies, and the best defence against spoofed emails is always to educate your personnel rather than adding more things in between.
@Jose, this type of tool only tests that the DKIM DNS record is correct, so for example the DKIM key is base64.

To actually test if DKIM is working, requires...

1) Sending a message through an MTA.

2) MTA interacts with opendkim or some other DKIM implementation to process message + produce a signature.

3) Signature is returned to MTA.

4) MTA injects DKIM signature header into message, connects to MX for recipient + sends message.

5) Only at this point can DKIM be determined as pass/fail + this occurs at the Mailbox Provider.

6) This is what makes the Gmail DKIM pass/fail message note so useful.
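The body-hash half of steps 2 to 5 above, as an added example (not the poster's code): the signer canonicalizes the body and writes its digest into the `bh=` tag, and the receiver recomputes the digest from the bytes it actually received. The message is constructed. Only `bh=` is covered here; the `b=` signature over the selected headers needs the private key on the signing side and a DNS lookup of `<selector>._domainkey.<domain>` on the receiving side, which is exactly why a DNS-record checker cannot tell you whether DKIM will pass.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: trailing
    whitespace on each line removed, runs of whitespace within a line
    collapsed to one space, empty lines at the end of the body dropped,
    every remaining line terminated with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, algo="sha256"):
    """Base64 digest of the canonicalized body: the value of the bh= tag."""
    digest = hashlib.new(algo, canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_message(body):
    """Signer side (constructed message).  A real MTA's DKIM step would also
    fill b= with a signature over the headers listed in h=; left empty here."""
    return (
        "From: John Smith <john.smith@company.example>\r\n"
        "To: customer@example.net\r\n"
        "Subject: Invoice\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.example;\r\n"
        "\ts=google; h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
        "\tb=\r\n"
        "\r\n" + body
    )


def dkim_tags(raw_message):
    """Receiver side: unfold the DKIM-Signature header and split its tag=value list."""
    headers, _, _ = raw_message.partition("\r\n\r\n")
    m = re.search(r"^DKIM-Signature:(.*?)(?=\r\n[^ \t]|\Z)", headers, re.I | re.M | re.S)
    if not m:
        return {}
    unfolded = re.sub(r"\s+", "", m.group(1))       # folding whitespace is not part of the tags
    return dict(re.findall(r"([a-z]+)=([^;]*)", unfolded))


def verify_body_hash(raw_message):
    """True only if bh= in the DKIM-Signature matches the body as received."""
    tags = dkim_tags(raw_message)
    if "bh" not in tags:
        return False
    _, _, body = raw_message.partition("\r\n\r\n")
    algo = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    return hmac.compare_digest(tags["bh"].encode(), body_hash(body, algo).encode())


# Constructed body with the whitespace noise relaxed canonicalization is meant to absorb.
SAMPLE_BODY = "Hi,\t\r\nPlease find  your invoice attached.   \r\n\r\n\r\n"

if __name__ == "__main__":
    msg = build_message(SAMPLE_BODY)
    print("intact:   ", verify_body_hash(msg))
    print("reflowed: ", verify_body_hash(msg.replace("find  your", "find your")))
    print("tampered: ", verify_body_hash(msg.replace("invoice", "INVOICE")))
```

The whitespace-only change still verifies while the content change does not, which is why relaxed canonicalization is the usual choice: mailing lists and MTAs that reflow whitespace would otherwise break every signature they touch.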
Adam D

ASKER

Thank you for all your responses.  I personally do not think adding the DKIM/DMARC will help with the personal email recipients since they are using the standard provider emails like Comcast/AT&T, but on the off-chance they do check for all three pieces, then this could reduce the amount of spoofed emails they receive.