this post was submitted on 31 Jan 2024
11 points (100.0% liked)

techsupport

2468 readers
10 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 1 year ago
MODERATORS
 

Domain facing massive e-mail spoofing attacks: Can something be done?

Hello,

I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise of e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the "via" field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.

My mailserver doesn't seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.

Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients' inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name's reputation (blacklist, ...?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?

I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh and my server isn't an open relay ^_^

Thank you!

@email @techsupport

you are viewing a single comment's thread
view the rest of the comments
[–] wintermute_oregon@lemm.ee 0 points 9 months ago (4 children)

Are you sure it’s spoofing and not a relay attack? It’s doubtful anyone would spoof you. More likely you left a relay open.

[–] clement@ck.villisek.fr 1 points 9 months ago (3 children)

@wintermute_oregon
I tested on Mxtoolbox, it shows my server isn't an open relay.

[–] wintermute_oregon@lemm.ee -2 points 9 months ago (2 children)

Check logs to verify you’re not sending the messages. It’s highly unusual for them to use a small domain for spoofing. The idea behind spoofing is you are using a name people would identify with.

[–] clement@ck.villisek.fr 0 points 9 months ago (1 children)

Hi, thank you for the answer, and sorry for the late reply :( ...

I analysed the logs thoroughly, and I can confirm my SMTP server hasn't sent any email aside the legitimate ones.
And u/voracitude 's answer confirmed my thoughts, being that the emails were sent from somewhere else.

I don't think it's that much unusual to use a "small" domain for spoofing: SMEs are "easy targets" usually, and if the recipient's anti-spam isn't configured properly then the attackers could benefit from a domain which may be small but has a good reputation.

[–] wintermute_oregon@lemm.ee -3 points 9 months ago

If you’re small you won’t have a reputation. It’s why they are not targeted. By default they’ll go to junk.

Dkim/spf will help you out. You’ll end up being blacklisted over it. You don’t send enough email to have a true reputation.

Most spam filters for companies like Microsoft/proofpoint/mimecast will just end up adding your IP to the email firewall. That’ll be dropped on delivery.