Handling spoofed domain that is lowering my Senderbase

Discussion in 'Installation/Configuration' started by DantePasquale, Sep 11, 2015.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    I'm not sure if this is the right place to ask, but if it's not, please point me in the right direction.

    It seems that my top-level domain is being spoofed by spammers. This is resulting in lowering my ranking in Senderbase to the point where Cisco gear kicks out all emails from my server. I have 2 domains (websites) on the server, cocoanet.us and dantesinfernophotography.com. The server's name is inferno.cocoanet.us. Checking Senderbase with mail.cocoanet.us or mail.dantesinfernophotography.com is fine, but when I check inferno.cocoanet.us its reputation is bad. It seems that the spoofers are using the IP of inferno.cocoanet.us.

    So, what is the best way, if any, to stop the spoofing? I've already set up SPF (I know that isn't very good with spoofing, but it might catch a couple).
    What about DKIM???

    What methods are people using these days?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    senderscore.org shows your IP in the green, so maybe you have this under control.

    I'll note that spammers can spoof the use of your domain, they cannot spoof the use of your IP address. If your IP is showing high volumes of mail being sent out at senderscore, believe it - that is really coming from (or through) your server. Common causes are:
    • a misconfiguration that leaves your server open as a mail relay
    • the password of a mail account on the server has been guessed/compromised, and the account is being (ab)used to send mail
    • a form on a website that sends through your server is being abused
    And there are less common reasons, like a valid mail client is hacked/spamming through your server, or the server itself could be compromised. But check for the above 3 first.

    Also if you find SPF to be not very helpful to catch spoofed sender addresses, it might well be your SPF record that's at fault. Your current record ends in '+all' which means that everyone is blessed to send mail from your domains.

    While you're looking into your SPF and DKIM setup, take a look at https://dmarc.org/; you can have even better results by adding a DMARC record.
  4. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Well, I think I may have found the culprit; I'm just not 100% sure about what this line in the mail.log.* means:
    Sep 17 18:08:50 inferno postfix/smtpd[20690]: 256BD20555: client=186-107-99-212.baf.movistar.cl[], sasl_method=PLAIN, [email protected]
    Does this mean that [email protected] is logged in but re-authenticating or something? And what's with the sasl_method?
    My reason for thinking this is the issue is that there are literally hundreds of IP addresses that show up in the lines just like the above.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The message means that the account [email protected] is logging in from that IP. PLAIN is the normal login method, so that part is ok. If you see logins from many different IP addresses for the same user account then this account might be hacked; you should change the password of that account and inform the account holder. He should not update the password on his desktop before he has scanned his desktop for viruses.
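    The check till describes (one account authenticating from many different client IPs) can be scripted against postfix/smtpd log lines like the one quoted above. The script below is an added example, not code from the thread; the log lines, hostnames, IPs and account names in it are constructed documentation values.

    ```python
    import re
    from collections import defaultdict

    # Matches the client=host[ip] and sasl_username=... fields of a postfix/smtpd
    # connection line, in the same format as the log line quoted in the thread.
    SASL_LINE = re.compile(
        r"postfix/smtpd\[\d+\]: \w+: client=(?P<host>\S*?)\[(?P<ip>[^\]]*)\],"
        r".*?sasl_username=(?P<user>\S+)"
    )

    # Constructed sample log (documentation hostnames/IPs, not real ones):
    # alice authenticates from four different IPs, bob from one, last line has no SASL login.
    SAMPLE_LOG = """\
    Sep 17 18:08:50 inferno postfix/smtpd[20690]: 256BD20555: client=host1.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
    Sep 17 18:09:01 inferno postfix/smtpd[20691]: 3A1CD20556: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
    Sep 17 18:09:15 inferno postfix/smtpd[20692]: 4B2DE20557: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=alice@example.com
    Sep 17 18:10:02 inferno postfix/smtpd[20693]: 5C3EF20558: client=unknown[203.0.113.4], sasl_method=PLAIN, sasl_username=alice@example.com
    Sep 17 18:11:30 inferno postfix/smtpd[20694]: 6D4F020559: client=office.example[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
    Sep 17 18:12:00 inferno postfix/smtpd[20695]: 7E50120560: client=unknown[203.0.113.9]
    """

    def sasl_ips_by_user(log_text):
        """Return {sasl_username: set of client IPs} over every authenticated session."""
        seen = defaultdict(set)
        for line in log_text.splitlines():
            m = SASL_LINE.search(line)
            if m:  # lines without sasl_username (unauthenticated clients) are skipped
                seen[m.group("user")].add(m.group("ip"))
        return seen

    def suspicious_accounts(log_text, max_ips=3):
        """Accounts that authenticated from more than max_ips distinct client IPs."""
        return {user: sorted(ips)
                for user, ips in sasl_ips_by_user(log_text).items()
                if len(ips) > max_ips}

    if __name__ == "__main__":
        import sys
        # Pass a path such as /var/log/mail.log to check a real log instead of the sample.
        text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
        for user, ips in suspicious_accounts(text).items():
            print(f"{user}: {len(ips)} distinct client IPs -> {ips}")
    ```

    Tune max_ips to what is normal for your users (a laptop plus a phone on mobile data can legitimately show a handful of IPs); an account in the hundreds, as in this thread, stands out regardless.
    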
  6. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi Till, thx for the info -- that account shows quite a few IPs - some are legit, most aren't (they show as in SE Asia). At least this time it isn't the CEO's account :( but this user only uses Ubuntu and an Android phone, no Windows, so I'm pretty sure it's not a virus. I checked https://haveibeenpwned.com - I'm not sure how reliable that site is, but it says this email address was pwned so I'm wondering how/when it got hacked.

    Is there any good way to try to figure this out?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There are many ways a password could get lost, e.g. the user might have used the same password on a website and this site got hacked, or the user used the smtp connection without smtps over an insecure wifi network etc...
  8. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Yes, it was indeed that single account -- now almost no emails going through with that user's email address -- I'll post some commands I used to figure it out later today/tonight. Thanks for all the help you guys!
