Mail spoofing.

ozgurerdogan

Even though I am using DKIM, SPF and DMARC, how can users still receive spoofed mail, as if they were sending mail to themselves?


Code:
From: [email protected]
To: [email protected]
Subject: =?utf-8?B?VmVyaWxlcmluaXppbiBiw7x0w7xubMO8xJ/DvG7DvCBrb250cm8=?=
    =?utf-8?B?bCBlZGluIChnw7x2ZW5saWsgc2VydmlzaW5lIGfDtnJlIA==?=
    =?utf-8?B?aGVzYWLEsW7EsXogc2FsZMSxcsSxeWEgdcSfcmFtxLHFn3TEsXIpLg==?=
Date: Thu, 7 May 2020 11:49:51 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="Mark=_-1816578468-908289234768"
X-Priority: 3
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from lnx12.hostname.com
    by lnx12.hostname.com with LMTP
    id gDmiNfPws15IBAAAKisGDw
    (envelope-from <[email protected]>)
    for <[email protected]>; Thu, 07 May 2020 14:28:51 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 07 May 2020 14:28:51 +0300
Received: from [49.244.17.114] (helo=114-adsl.ntc.net.np)
    by lnx12.hostname.com with esmtp (Exim 4.93.0.4)
    (envelope-from <[email protected]>)
    id 1jWehv-0000ZM-6p
    for [email protected]; Thu, 07 May 2020 14:28:51 +0300
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
SPFCheck: Soft Fail, 30 Spam score
SpamTally: Final spam score: unset because ESF not run (SpamAssassin unset, whitelist, or skipped)

This is a multi-part message in MIME format.
 
Is the IP 49.244.17.114 the starting point of the sent mail? Did they steal mail account passwords?
 
Even though I am using DKIM, SPF and DMARC, how can users still receive spoofed mail, as if they were sending mail to themselves?
I don't see any of that in the header. Does your server check for DKIM on incoming mail? Because normally you see something about it in the header if it fails or is correct.

I do see an SPF check though:
SPFCheck: Soft Fail, 30 Spam score
If you want to have strict SPF checks, you have to change the ~all to -all in the SPF records, which is advisable anyway.

Did you also install:
blockcracking
easy spam fighter
and spamassassin?

These can be easily installed from custombuild and work very nicely, if you have not done so already.

Indeed, also check the logs to see if it's a stolen mail password.
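
An added example, not part of the thread and not code from either poster: a header triage that answers the questions raised above from the message itself (where it entered the server, whether SMTP AUTH was used, what the SPF check said, and whether any DKIM/DMARC result was recorded). The `triage` name and the example.com addresses are constructed, and looking for an `Authentication-Results` header is an assumption about where the server would record DKIM/DMARC results.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post; addresses are
# example.com placeholders because the originals are redacted on the page.
SAMPLE = """\
Received: from lnx12.hostname.com by lnx12.hostname.com with LMTP
    id gDmiNfPws15IBAAAKisGDw for <user@example.com>; Thu, 07 May 2020 14:28:51 +0300
Envelope-to: user@example.com
Received: from [49.244.17.114] (helo=114-adsl.ntc.net.np)
    by lnx12.hostname.com with esmtp (Exim 4.93.0.4)
    (envelope-from <user@example.com>) id 1jWehv-0000ZM-6p
    for user@example.com; Thu, 07 May 2020 14:28:51 +0300
From: user@example.com
To: user@example.com
SPFCheck: Soft Fail, 30 Spam score

body
"""

def triage(raw, local_host):
    """Report where a message entered local_host and which checks left a trace."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("Envelope-to", msg.get("To", "")))[1].lower()
    origin = accepted_by = None
    # Received lines are prepended, so the last one is the earliest hop.
    for hop in reversed(hops):
        m = re.match(r"from (\S+).*? by (\S+)", hop)
        if m and m.group(2) == local_host and m.group(1) != local_host:
            origin, accepted_by = m.group(1).strip("[]"), hop
            break
    return {
        "self_addressed": bool(sender) and sender == rcpt,
        "origin": origin,
        # Exim logs "esmtpa"/"esmtpsa" when the client used SMTP AUTH.
        "smtp_auth_used": bool(accepted_by and re.search(r"\bwith e?smtps?a\b", accepted_by, re.I)),
        "spf": (msg.get("SPFCheck") or "not recorded").split(",")[0].strip(),
        "dkim_dmarc_recorded": "Authentication-Results" in msg,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "lnx12.hostname.com"))
```

On the sample, the accepting hop is plain `esmtp` from 49.244.17.114, so no SMTP AUTH was used on that connection, and the only recorded check is the SPF soft fail.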
 
OK, I will take a deeper look. But please tell me, can they still spoof mails if all those checks are correctly set?
 