Domain facing massive e-mail spoofing attacks: Can something be done?
Hello,
I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise of e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the “via” field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.
My mailserver doesn’t seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.
Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients’ inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name’s reputation (blacklist, …?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?
I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh and my server isn’t an open relay _
Thank you!
When it says the email is “from” server 1 “via” server 2, the From address is an email that isn’t yours, and the Reply-To address on the mail has been rewritten to yours. Mail client software is supposed to display the Reply-To, but obviously doing that leads to a rise in spam fooling people, so I understand why spec isn’t followed there.
Your last sentence stitches the whole thing up: you’re doing everything right. Nothing can stop someone trying to impersonate you and sending emails professing to be from your email address. Your SPF, DKIM, and DMARC records will prevent them from being delivered most of the time, and even if it goes to spam the recipient mail client should put a warning on it to the effect that it failed verification. Not having an open relay prevents anyone from abusing your mail server itself, meaning anyone trying to impersonate you will fail verification, as they cannot send an email from your server’s IP or with your valid DKIM signature.
Your emails going to spam isn’t something you can readily stop, I’m afraid. All your security we’ve talked about so far is aimed at preventing fake emails from being delivered; going to the spam folder is a result of secondary sorting after delivery. I believe some systems take the verification into account, but who knows what other logic they apply. Most systems will skip secondary sorting for emails in the address book, so as '90s as it sounds: get yourself added to the address book. And make sure nobody reports your legitimate emails as spam; those reports do actually work.
Speaking of, when you get a bounce notice, it should say why. It might not be useful, but then again it might. Remember as well that your email may have bounced just because “Big Email Said No”: https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html
Other people sending spam shouldn’t affect your domain’s reputation; a lot of that is the IP the email is sent from, rather than the domain itself. Lists like SORBS and HostKarma work solely off the IP, to my understanding.
Tools I use regularly are https://mail-tester.com (3 free tests a day, don’t send attachments) to check for how deliverable your emails are, and https://senderscore.org for checking your reputation.
Finally, don’t worry about spammers targeting authorities while spoofing your email, if the French government’s IT security departments can’t tell it’s spam and not from you just by looking at the email headers, France as a whole has bigger problems 😋
I hope that helps! Sorry I can’t help with spam filtering in your own inbox, I’m mostly focused on deliverability to other inboxes. I also hope someone with more experience than me can chime in, because I’m sure there’s a lot I’m missing 😅
@voracitude Thank you very much! This confirms my worries, not much can be done…
You’re welcome! But honestly it’s not much of a worry, the methods you have in place are pretty effective. It’s just hard running your own mail server, all the big kids wanna push us around 😂