Forged Email Headers

carl6969

Community Support Team
Community Support
I have been having a lot of problems with forged email lately. Email that (based on the return address and most of the headers) appears to come from one or more of the domains on my VPS. I have SpamAssassin set up and it is catching most of the normal spam, but the forged emails are getting by. I can set up filters on my personal email program to take care of this on my end, but I do not want these emails going out in the first place. Other people are going to think they are really coming from my domains, and some of them have malware / virus attachments. Not good for business.

So, I have been wondering if there is ANY way at all to deal with this on the server side.
I am using CentOS 5.3, BIND, Procmail filter, SpamAssassin.
I have done some research and cannot find any obvious errors with my configurations.
 

lemon-tree

x10 Minion
Community Support
It is almost certain that the emails are not actually originating from your server, but as you said the headers are just being manipulated to tell the end user they are coming from your server. I would recommend looking at the headers of the email and look for a mailed-by header; this may give you an impression as to the origin of the email but it will still be very difficult to stop it unless the spammer is stupid enough to be sending from a server that has web content on it too.
Basically, as that document says, it is very difficult to stop the spammers, but you could use a few techniques to assist your users. Firstly, I would recommend sending an email to all your users describing the situation and perhaps changing your email address. I would also use an email obfuscator to hide your email address from web bots, as this is likely where they got your address from.
 

carl6969

Community Support Team
Community Support
@lemon-tree
Thanks for the reply and the advice.
Even though I receive a lot of spam with obviously forged headers, the spam that seemed to be coming from my own server was puzzling me. I started wondering if I had a vulnerability somewhere that the spammers were exploiting, or, perhaps, more experienced server operators had found a way to prevent this problem. Based on some reading, including the article referenced by Mr. DOS, the only point I may have failed at is obfuscated email addresses. Ironically, I have recently started changing all that, but I fear I am closing the barn door after the cows have already left. But perhaps this thread will be useful to new VPS users just getting started in the future.
Thanks again.
 

The Real Rebel

New Member
Ouch, sorry to see you have this problem, Carl. Hope everything is getting better now.
 

carl6969

Community Support Team
Community Support
> Ouch, sorry to see you have this problem, Carl. Hope everything is getting better now.

Thanks. Currently working to correct both the forged email problem and the caffeine deprivation. Mr. Coffee assisting with second one.
 

lemon-tree

x10 Minion
Community Support
> Ironically, I have recently started changing all that, but I fear I am closing the barn door after the cows have already left.

Don't worry, I did a similar thing once and my spam levels in my inbox were hundreds per week. On the same address now I get a couple a month. It seems that the spam crawlers will drop your email address after a while of not being able to find it anywhere; it's like they refresh their database of known emails once a month or so. So those cows you let loose will eventually come back.
 

masshuu

Head of the Geese
Community Support
Enemy of the State
I set an SPF record on my domain. Any mail server worth its salt obeys SPF records.
 

carl6969

Community Support Team
Community Support
> I set an SPF record on my domain. Any mail server worth its salt obeys SPF records.

I have been doing some studying on SPF records and they are simple enough to implement. Some sources question their effectiveness because servers on both ends have to use them for the whole thing to work. An example is Yahoo, which I think is using something different for the same purpose. I also read something that stated SPF records could cause some problems on a system where multiple users are sharing the same mail server. The article did not give enough details about what this potential problem is. Anybody know anything about that? Anyway, this is something I plan to implement as soon as I am sure I completely understand it and am confident I am not going to mess up everybody's email when I do it.
 

carl6969

Community Support Team
Community Support
> I set an SPF record on my domain. Any mail server worth its salt obeys SPF records.

I did some more research on SPF records. Some sources say it is useless to use SPF records but it "can't do any harm" if set up correctly. Others say it is absolutely essential for spam control and will probably be a required standard in the near future. I decided to go ahead and set up SPF. It was quick and easy.

That was about 24 hours ago.
My overall spam has been reduced by at least 60 percent and I have not received ANY of the spam with forged headers (appearing to come from my own server) since the SPF change.

So, to anybody else having a similar problem, try this. Your mileage may vary, but it worked for me.
And a big thank you to Supermatthew for the suggestion.
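As an added example (not code from this thread or from any of the posters), here is a small Python checker that does what lemon-tree and masshuu describe: it takes the connecting IP from the topmost Received header, the one hop the receiving MTA actually saw, and evaluates the From domain's SPF record against it. DNS is stubbed with constructed data (FAKE_DNS), and every domain, hostname and address in it is made up from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
# Constructed stand-in for DNS (domain -> TXT/A/MX data); a real check would query
# DNS, e.g. with dnspython. All addresses come from RFC 5737 documentation ranges.
FAKE_DNS = {
    "example.com": {"txt": "v=spf1 ip4:203.0.113.0/24 a mx include:_spf.example.net -all",
                    "a": ["198.51.100.10"], "mx": ["mx.example.com"]},
    "mx.example.com": {"a": ["198.51.100.20"]},
    "_spf.example.net": {"txt": "v=spf1 ip4:192.0.2.0/28 -all"}}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate domain's SPF record for sender ip: pass/fail/softfail/neutral/none."""
    record = FAKE_DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 caps lookup depth
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # mechanisms are tested left to right, first match wins
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.partition(":")
        hit = name == "all"  # anything unrecognised below simply never matches
        if name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in FAKE_DNS.get(arg or domain, {}).get("a", [])
        elif name == "mx":
            hit = any(ip in FAKE_DNS.get(h, {}).get("a", [])
                      for h in FAKE_DNS.get(arg or domain, {}).get("mx", []))
        elif name == "include":
            hit = check_spf(arg, ip, depth + 1) == "pass"
        if hit:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit 'all'

def connecting_ip(raw_headers):
    """IP in the topmost Received: header, the one hop our own MTA actually observed."""
    first = next((ln for ln in raw_headers.splitlines() if ln.startswith("Received:")), "")
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first)
    return m.group(1) if m else None

def verify_message(raw_headers):
    """SPF verdict for the From: domain (real SPF checks the envelope MAIL FROM)."""
    domain = re.search(r"^From:.*@([\w.-]+)", raw_headers, re.M).group(1)
    ip = connecting_ip(raw_headers)
    return check_spf(domain, ip) if ip else "none"

# Constructed sample headers: a genuine hop from the domain's own server vs. a forged copy.
GENUINE = ("Received: from mail.example.com (mail.example.com [198.51.100.10])\n"
           "\tby mx.recipient.test with ESMTP; Mon, 01 Jan 2010 10:00:00 +0000\nFrom: sales@example.com\n")
FORGED = GENUINE.replace("[198.51.100.10]", "[192.0.2.200]")
```

With a `-all` record the forged copy fails outright; a `~all` record would only soft-fail it, which is the difference a receiving server's policy turns into a reject versus a spam score.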
 