this post was submitted on 31 Jan 2024
11 points (100.0% liked)

techsupport

2455 readers
2 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 1 year ago
MODERATORS
 

Domain facing massive e-mail spoofing attacks: Can something be done?

Hello,

I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise of e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the "via" field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.

My mailserver doesn't seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.

Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients' inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name's reputation (blacklist, ...?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?

I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh and my server isn't an open relay ^_^

Thank you!

@email @techsupport

you are viewing a single comment's thread
view the rest of the comments
[–] intelisense@lemm.ee 2 points 9 months ago (1 children)

Do you have DKIM, SPF configured? If not, start there. Once that's done, enable DMARC, and your problem will be solved. Be careful with DMARC, though - if the first two aren't correct, legitimate emails will get blocked.

[–] clement@ck.villisek.fr 1 points 9 months ago (1 children)

@intelisense
Those are properly configured, I get a 10/10 on mail-tester dot com, as well as everything validated on mxtoolbox.

[–] intelisense@lemm.ee 1 points 9 months ago (1 children)

Then you need to seriously consider if your mail server is compromised or a user's credentials have been leaked. What does your DMARC record look like? Could be that DMARC is not blocking delivery yet.

[–] clement@ck.villisek.fr 0 points 9 months ago (1 children)

@intelisense
Hello, thank you for your answer and sorry for the late reply.

I took some time analyzing my SMTP server logs, and it contains 100% legit outgoing traffic. And no successful SSH connection for weeks on the server so it can't have been erased.
u/voracity confirms my thoughts as well. I think the issue is outside and unrelated to my server. And the e-mail address in question seems to have leaked from several places according to haveibeenpwned (the password is safe though).

RE: lemmy.world/comment/7170785

[–] intelisense@lemm.ee 1 points 9 months ago

If SPF, DKIM and DMARC are properly configured, emails sent by any server other than your own will be rejected by the receiving server. Have you had complaints or is this just showing up in DMARC logs?