
spam mail with our domain?


Tsimi


Hi guys

 

Something weird going on lately that I cannot explain so I hope one of you out there can enlighten me.

 

We have a domain and company website let's call it (just an example) www.tsimi.com and mail addresses are [email protected] or [email protected] and so on.

Now around 1 month ago we started to receive e-mails that have the exact same sender domain. For example [email protected] or [email protected] and so on.

I checked with our host and also our server panel but no such mail address has been created. Those e-mails were sent to us, not from us, but if they can send around such e-mails to anyone that might not be good. People might start accusing us of spamming or such things.

 

So how the f(censored) is it possible that they can send out e-mails with the same address ending? ([email protected])

 

Thanks

Lambros

Link to comment
Share on other sites

@Tsimi That usually happens when the spammer uses the contact us or tell a friend page on the site. If you don't have Google's reCAPTCHA on those pages, then installing that will probably stop it. Depending upon your host's control panel, there may be a way to prevent such addresses from being received. This won't stop the spammers from sending spam but will cut down the ones you receive. Ask your host if there is a way to limit which email addresses work with your account.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

@Tsimi

 

These are probably forged email addresses. Unfortunately, I don't know of anything you can do about it.

 

(for example ... )

 

Our family has registered a domain <OurLastName>.com. I have an email address at <MyFirstName>@<OurLastName>.com

 

Today, I received a phishing "see the attached <infected> document" type email, and the sender was <SomeNonFamilyMemberName>@<OurLastName>.com. Looking at the header, one of the ISPs through which the email passed even said that the sender IP address may be forged.

 

The funny/sad thing is, I *never* give out this email address. It was used to create my Facebook account. And, I now receive a *lot* of spam to this email address. Thank you Facebook :x

 

Malcolm

Link to comment
Share on other sites

Spammers use scripts to generate random and common email addresses. For example, if they find a shop named myshop.com, they will send emails to it for sales@myshop.com, admin@myshop.com and many other made-up addresses. In cPanel, and I think Plesk, you can set the email options to only allow addresses for which there are accounts. So if the sales@myshop.com account exists, that spam email will get through but if admin@myshop.com doesn't exist, it will be ignored by the server.


Link to comment
Share on other sites

@Tsimi

I receive similar emails nowadays with Trojan:W97M/MaliciousMacro.GEN but the antispammer filter drops the contents. I think this is a mail server malicious backdoor.

:blink:
osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.

Link to comment
Share on other sites

@Tsimi

 

OUTGOING..

There are two endpoints for emails;

Sending server.
Receiving server.

Historically, email is a totally open system, with "loose" coding. So, anyone can pretend to be anyone else. With a tiny amount of technical knowledge I can sit here and pretend to be xyz@Tsimi.com and send emails to 1000s of people.

In the last couple of years, providers have realised that spam is out of control, and so introduced two things;  SPF and DKIM.

Put simply, these are both designed to look at emails to determine if the email being received is sent from the domain it is linked to. Eg, did xyz@Tsimi.com come from an email server that belongs to tsimi.com...and depending on the answer, spambox the email or not.

 

Most (but not all) email providers look at DKIM and SPF as part of their spam detection.  Gmail are very good at it.

 

So, what should you do...

 

Set up SPF and DKIM for your domain.  If you have cPanel, this can be done direct in there if the host allows it.  If you cannot find it in cPanel, get the host to do it directly.  In cPanel, it is literally a 2 minute job (I had to do this last week for one of my domains).  

 

Once you have these two things set up, you've pretty much done all you can.

 

 

INCOMING

 

In control panel, set up individual inboxes for each person who needs email;

 

tsimi@

blah@

beep@

 

and so on.

 

Then set all others to blackhole. Any email addressed to an inbox that exists will go to that inbox. Any email addressed to any other will be blackholed.

Link to comment
Share on other sites

I set up SPF 9 years ago and it's pretty easy to do. Make sure you cover your home IP if you use Outlook or the like to send mail through your SMTP server. It has to be listed on your DNS settings for it to publish. I set up DKIM a few years ago and it helped with valid emails especially when using a new server with new mail IP. My datacenter had recommended using http://www.dnsstuff.com/tools to check DNS entries and it's also helpful with email settings although it's changed with time and I haven't used it much lately. There are other tools online for checking your DKIM to make sure it's correct.

 

Realize that these spam emails will still exist after you set these up but more mail servers will realize they are spam after you set up SPF and DKIM. Of course, your server needs to require you authenticate to send and receive email and I use SSL for all my email connections.
 

I'm not really a dog.

Link to comment
Share on other sites

  • 5 months later...

I had the same problem until December 2016 and the customer service from my hosting did not have an answer...

so I did an antivirus scan on all my site and the problem was solved. There was some trojan malware making a party on my email. The antivirus had the following results:

 

ClamAV® Virus Scanner

Cleanup Process


mail/biosporos.gr/info/cur/1453758050.H392582P15618.ns1.hostivate.com,S=400477:2,c: disinfecting.....purged message 0 (infected with Win.Trojan.Toa-5372114-0).. ...done
mail/biosporos.gr/info/.Trash/cur/1482258333.M90148P17995.antares.multiserver.gr,S=106012,W=107428:2,Sb: disinfecting.....purged message 0 (infected with Doc.Dropper.Agent-5343349-0).. ...done
mail/biosporos.gr/harald2/cur/1481725568.M866321P7306.antares.multiserver.gr,S=24349,W=24687:2,S: disinfecting.....purged message 0 (infected with Doc.Dropper.Agent-1889982).. ...done
mail/biosporos.gr/harald2/cur/1481594351.M301314P21361.antares.multiserver.gr,S=55413,W=56154:2,S: disinfecting.....purged message 0 (infected with Doc.Dropper.Agent-1887560).. ...done
mail/biosporos.gr/harald/cur/1462578346.H982608P4288.ns1.hostivate.com,S=446009:2,c: disinfecting.....purged message 0 (infected with Win.Trojan.Toa-5372114-0).. ...done


The cleanup process is complete.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
