Mail spoofing.

ozgurerdogan (Verified User; joined Apr 20, 2008; messages: 309)
Even though I am using DKIM, SPF and DMARC, how can users still receive spoofed mail that looks like they are sending mail to themselves?


Code:
From: user@domain.com.tr
To: user@domain.com.tr
Subject: =?utf-8?B?VmVyaWxlcmluaXppbiBiw7x0w7xubMO8xJ/DvG7DvCBrb250cm8=?=
    =?utf-8?B?bCBlZGluIChnw7x2ZW5saWsgc2VydmlzaW5lIGfDtnJlIA==?=
    =?utf-8?B?aGVzYWLEsW7EsXogc2FsZMSxcsSxeWEgdcSfcmFtxLHFn3TEsXIpLg==?=
Date: Thu, 7 May 2020 11:49:51 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="Mark=_-1816578468-908289234768"
X-Priority: 3
Return-Path: <user@domain.com.tr>
Delivered-To: user@domain.com.tr
Received: from lnx12.hostname.com
    by lnx12.hostname.com with LMTP
    id gDmiNfPws15IBAAAKisGDw
    (envelope-from <user@domain.com.tr>)
    for <user@domain.com.tr>; Thu, 07 May 2020 14:28:51 +0300
Return-path: <user@domain.com.tr>
Envelope-to: user@domain.com.tr
Delivery-date: Thu, 07 May 2020 14:28:51 +0300
Received: from [49.244.17.114] (helo=114-adsl.ntc.net.np)
    by lnx12.hostname.com with esmtp (Exim 4.93.0.4)
    (envelope-from <user@domain.com.tr>)
    id 1jWehv-0000ZM-6p
    for user@domain.com.tr; Thu, 07 May 2020 14:28:51 +0300
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
SPFCheck: Soft Fail, 30 Spam score
SpamTally: Final spam score: unset because ESF not run (SpamAssassin unset, whitelist, or skipped)

This is a multi-part message in MIME format.
 

ozgurerdogan (Verified User; joined Apr 20, 2008; messages: 309)
Is the IP 49.244.17.114 the starting point of the sent mail? Did they steal the mail account password?
 

Richard G (Verified User; joined Jul 6, 2008; messages: 5,004; location: Maastricht)
> Even though I am using DKIM, SPF and DMARC, how can users still receive spoofed mail that looks like they are sending mail to themselves?
I don't see any of that in the header. Does your server check for DKIM on incoming mail? Because normally you see something about it in the header if it fails or is correct.

I do see an SPF check though:
SPFCheck: Soft Fail, 30 Spam score
If you want to have strict SPF checks, you have to change the ~all to -all in the SPF records, which is advisable anyway.

Did you also install:
blockcracking
easy spam fighter
and spamassassin?

These can be easily installed from custombuild and work very nicely, if you have not done so already.

Indeed, also check the logs to see if it's a stolen mail password.
 

ozgurerdogan (Verified User; joined Apr 20, 2008; messages: 309)
OK, I will take a deeper look. But please tell me, can they still spoof mails if all those checks are correctly set?
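
The header in the first post can be read for the stolen-password question: the topmost Received line that the receiving server wrote for an outside client shows the connecting IP and the protocol keyword, and Exim writes esmtpa or esmtpsa there only when the client used SMTP AUTH. The following is an added example, not code from the thread; triage() and its result keys are names made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the first post (abbreviated, line folding restored).
SAMPLE = """\
From: user@domain.com.tr
To: user@domain.com.tr
Received: from lnx12.hostname.com
    by lnx12.hostname.com with LMTP
    id gDmiNfPws15IBAAAKisGDw (envelope-from <user@domain.com.tr>)
    for <user@domain.com.tr>; Thu, 07 May 2020 14:28:51 +0300
Received: from [49.244.17.114] (helo=114-adsl.ntc.net.np)
    by lnx12.hostname.com with esmtp (Exim 4.93.0.4)
    (envelope-from <user@domain.com.tr>) id 1jWehv-0000ZM-6p
    for user@domain.com.tr; Thu, 07 May 2020 14:28:51 +0300
SPFCheck: Soft Fail, 30 Spam score
"""

# "with" keywords that mean the client logged in (RFC 3848, plus Exim's asmtp).
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw):
    """Summarise who handed the message to our server and how."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    result = {"self_addressed": bool(sender) and sender == rcpt,
              "spf": msg.get("SPFCheck"), "origin_ip": None,
              "protocol": None, "authenticated": None}
    # Received headers are prepended, so read top-down and stop at the first
    # hop our server wrote for an outside client; lines below it were
    # supplied by the sender and cannot be trusted.
    for value in msg.get_all("Received", []):
        hop = HOP.search(" ".join(value.split()))
        if not hop or hop.group(1).lower() == hop.group(2).lower():
            continue  # unparsable, or internal hand-off (e.g. LMTP delivery)
        ip = IPV4.search(value)  # IPv4 literals only; IPv6 is left as None
        result["origin_ip"] = ip.group(1) if ip else None
        result["protocol"] = hop.group(3).lower()
        result["authenticated"] = result["protocol"] in AUTH_PROTOCOLS
        break
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted header this reports a plain esmtp hand-off from 49.244.17.114, meaning the message was accepted on that connection without SMTP AUTH.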
 