
Email problem (spoofing?) receiving email from myself

VicenteS

New Pleskian
Hi!

I have a problem with spam because my clients and I are receiving spam from our own email addresses.

Headers Sample:

DomainKey-Status: no signature
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ****SERVER REMOVED****
X-Spam-Level: *********
X-Spam-Status: No, score=9.8 required=10.0 tests=BAYES_00,
CK_HELO_DYNAMIC_SPLIT_IP,DATE_IN_PAST_03_06,HELO_DYNAMIC_IPADDR2,
RCVD_IN_BRBL_LASTEXT,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,UNPARSEABLE_RELAY,
URIBL_DBL_SPAM autolearn=no version=3.3.1
Received: (qmail 6965 invoked from network); 20 Feb 2013 10:19:21 +0100
Received: from 201-20-110-37.baydenet.com.br (201.20.110.37)
by ****SERVER REMOVED**** with SMTP; 20 Feb 2013 10:19:20 +0100
Received: from 201.20.110.37 (account <****VALID ACCOUNT EMAIL REMOVED****> HELO ****SERVER REMOVED****)
by ****SERVER REMOVED**** (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 588003200 for <****VALID ACCOUNT EMAIL REMOVED****>; Wed, 20 Feb 2013 01:18:51 -0300
From: <****VALID ACCOUNT EMAIL REMOVED****>
To: <****VALID ACCOUNT EMAIL REMOVED****>
Subject: Gibraltar located enterprise presently looking for representatives from all of Europe
Date: Wed, 20 Feb 2013 01:18:51 -0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: gdanl_38
Message-ID: <3514485563.ON8CGDE5794358@oxfhyiuqnwbdkv.emvngdgn.ru>

My mail.info has: HAM: mua=0,ip=[201.20.110.37:201-20-110-37.baydenet.com.br],helo=<201-20-110-37.baydenet.com.br>,from=<boondocksq@gmail.com>,rcpt=<****VALID ACCOUNT EMAIL REMOVED****>

I have activated Magic Spam (module), SPF, Antivirus, Authentication through POP3 with full names.

The email received was sent by my email. My computer has antivirus and my email password hasn't been compromised.

I have found information about this and, if I'm not wrong, this is email spoofing and I could fix it with SPF, but it hasn't worked.
 
I have made a test with telnet and I can send emails WITHOUT authentication if the email is a valid email from my server.

If I try to send to another mail like rcpt to: someguy@hisdomain.com
I get this error:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

So open relay is not activated
 
It is a common "trick" for spammers to send email with a "FROM" address that is the same as the recipient's address.
There are, I think, spamassassin plugins that look for this and score the resulting messages quite highly, which can cause them to be dropped.

Another alternative, if you use qmail, is to install spamdyke (spamdyke.org) - this is an excellent anti-spam tool and includes a facility to reject emails where the from and to address are the same.
 
Thanks faris for your reply, but what happens when you really need to send an email to yourself?

I usually send myself an email for testing or as a to-do for something later.
 
With spamdyke you would be able to whitelist your own email address (and as many others as you want). Such whitelisted addresses would not be blocked if the "from" matches the "to".

With the spamassassin plugins, things might be a bit more complicated. Keep in mind that spamassassin works on a scoring system. The plugins I mentioned might add a +100 score to any email where the from matches the to. To allow your own (and any other addresses you want) mails to get through, you could simply whitelist your own addresses. When there is a whitelist match, spamassassin gives a -100 score. If this isn't enough, you'd need to add your own rule to give it a bigger "minus" score.
 
Please let me know if I'm wrong, but isn't this exactly what SPF should be used for? If you have an SPF record for your domain and this remote spammer is not listed as an ip allowed to send your email then it is rejected.
 

A very good point! Typically you'd use SpamAssassin to score something with an SPF fail quite high, but you might not want to rely on that alone to classify an email as definitely being spam. It would definitely help in a situation like this, BUT you'd have to be reasonably sure that your SPF records really cover all possible IPs. And this can be difficult.
 
I don't know if you would really have to be that careful. Most of my customers use SMTPAuthentication on port 587 and only send through my server, some use webmail. I understand for people who want to use their ISP to send email on their domain, but normally they aren't mobile so adding something for smtp.telus.net or outbox.allstream.net etc. is not a problem.
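
An added example (not part of any post above, and not Plesk, MagicSpam, spamdyke or SpamAssassin code) that runs the checks discussed in this thread over inputs shaped like the log line and headers in the first post. SPF is evaluated against the envelope sender (the `from=` field in the log), not the `From:` header, so the sketch flags a local `From:` arriving from an external, unauthenticated client and reports which domain SPF would actually be checked for. `example.com`, the mailbox, the `192.0.2.0/24` sender range and all function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inputs shaped like the log line and headers quoted in the thread;
# example.com, the mailbox and 192.0.2.0/24 are placeholders (assumptions).
LOG_LINE = ("HAM: mua=0,ip=[201.20.110.37:201-20-110-37.baydenet.com.br],"
            "helo=<201-20-110-37.baydenet.com.br>,"
            "from=<boondocksq@gmail.com>,rcpt=<user@example.com>")
HEADERS = "From: <user@example.com>\nTo: <user@example.com>\nSubject: test\n\nbody\n"
LOCAL_DOMAINS = {"example.com"}
OWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]  # hosts allowed to send as us

LOG_RE = re.compile(r"ip=\[(?P<ip>[0-9.]+):[^\]]*\],helo=<(?P<helo>[^>]*)>,"
                    r"from=<(?P<mail_from>[^>]*)>,rcpt=<(?P<rcpt>[^>]*)>")

def domain_of(address):
    """Domain part of an address, or '' for the null sender."""
    return address.rpartition("@")[2].lower()

def analyse(log_line, raw_headers, authenticated=False):
    """Compare the SMTP envelope (from the log) with the visible From: header."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("unrecognised log line")
    env = m.groupdict()
    msg = message_from_string(raw_headers)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    header_to = parseaddr(msg.get("To", ""))[1].lower()
    ip = ipaddress.ip_address(env["ip"])
    # Authenticated submission or a known sending host is the legitimate case,
    # including a user mailing a note to themselves.
    from_own_host = authenticated or any(ip in net for net in OWN_SENDERS)
    findings = []
    # SPF is evaluated against this domain (HELO when the sender is empty).
    spf_domain = domain_of(env["mail_from"]) or env["helo"].lower()
    if domain_of(header_from) in LOCAL_DOMAINS and not from_own_host:
        findings.append("header-from-local-but-external-client")
        if spf_domain not in LOCAL_DOMAINS:
            findings.append("spf-checks-foreign-domain")
    if header_from and header_from == header_to and not from_own_host:
        findings.append("from-equals-to")
    return {"spf_domain": spf_domain, "header_from": header_from,
            "findings": findings}

if __name__ == "__main__":
    print(analyse(LOG_LINE, HEADERS))
```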
 