External emails from and to the same email address
Hi,
Several users are complaining about receiving messages "from themselves". The message says that the client computer is being watched, that the hacker sent the email using the client's own username and password (fake), and asks for bitcoins in exchange for not posting a porn video of the client.
I know that all of this is fake, the message has a fake "From:", but users will never understand this.
How can I prevent unauthenticated messages from external IPs using a local domain? Example:
2020-11-08 15:16:18 1kbpEe-0007sZ-Tw <= user@example.com H=([102.110.201.104]) [102.110.201.104]:2022 P=esmtp S=9236 id=2EBF383FB0A9B8B726A1A62930212EBF@3T2BPD8BHD T="Proposta de neg\363cio" for user@example.com
Thanks.
Hey hey! The short answer is that there is no way you can completely stop this type of activity. The longer answer is that you can ensure your local DNS is set up to help prove that legitimate emails from your domain are authentic, which will help others be blocked in the future. You can also adjust your server to be more strict about the emails that it accepts. We have some additional detail in our article here about both these options.
Hello, yes, the DNS is set up, with DKIM, DMARC, SPF (with "-all") and so on, for normal situations (server to server, delivery). But in this case it is not a real mail server; it is a virus/trojan that connects directly to the MX server to send a message directly to the user. I was looking for a way to create a SpamAssassin rule or ACL to block it if from=to and the originating IP is not the local server (or a valid MX for the domain). Thanks.
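One way to implement the check the follow-up asks for (reject a sender in a local domain when the connection is neither authenticated nor from one of the domain's own servers), written as an Exim ACL fragment since the log line in the question is in Exim's format. This is an added example, not configuration posted in the thread. It assumes the list names `local_domains` and `relay_from_hosts` and the ACL names `acl_check_rcpt` / `acl_check_data` from Exim's stock configure file; the `trusted_sending_hosts` list and its addresses are hypothetical placeholders to be replaced with the MX / outbound relays that legitimately send as the domain.

```exim
# Added example (not from the thread). Assumes the stock Exim configure
# layout: domainlist local_domains, hostlist relay_from_hosts, and the ACLs
# acl_check_rcpt / acl_check_data referenced from acl_smtp_rcpt / acl_smtp_data.
# The hostlist below is hypothetical: list the MX / outbound relays that are
# allowed to send with a local domain in the envelope sender or header From:.
hostlist trusted_sending_hosts = 127.0.0.1 : ::1 : 192.0.2.25

acl_check_rcpt:

  # Local users submitting mail with SMTP AUTH, and our own hosts, are exempt.
  accept  authenticated = *
  accept  hosts         = +relay_from_hosts : +trusted_sending_hosts

  # Envelope sender claims one of our domains, but the connecting host is
  # external and unauthenticated: exactly the "mail from yourself" pattern
  # seen in the log line (user@example.com from 102.110.201.104).
  deny    senders       = *@+local_domains
          message       = Sender $sender_address is in a local domain but the \
                          connection from $sender_host_address is neither \
                          authenticated nor from a trusted host
          log_message   = spoofed local sender $sender_address from $sender_host_address

  # Remaining stock RCPT checks (relay control, recipient verification).
  accept  domains       = +local_domains
          endpass
          verify        = recipient
  deny    message       = relay not permitted

acl_check_data:

  # Same rule applied at DATA time to the header From:, which is what the
  # user actually sees; the envelope sender alone can be an unrelated address.
  deny    !authenticated = *
          !hosts         = +relay_from_hosts : +trusted_sending_hosts
          condition      = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}}
          message        = Header From: uses a local domain but the message did \
                           not originate from an authenticated or trusted host
          log_message    = spoofed local header From: <${address:$h_from:}>

  accept
```

The exemptions come first so that the rule never blocks genuine local users, who submit through SMTP AUTH, or mail relayed by the domain's own servers; everything else that claims a local domain is rejected at RCPT or DATA, before the message reaches SpamAssassin. Since the domain already publishes SPF with `-all`, the same connection would also fail an SPF check done in the MTA (Exim's `spf` ACL condition, which needs Exim built with SPF support), so the two controls overlap; the ACL above has the advantage of not depending on DNS at delivery time and of producing a log line that identifies the spoof explicitly.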