Spam & Phishing Emails Spoofing My Email Address
This one got me stumped.
I was hoping someone had some advice for me on this one...
I noticed my email address is being spoofed with phishing emails and spam.
I thought I would be able to prevent this using SPF and DMARC records as follows:
It seems this email originated from 103.143.76.121, but it is still getting through to me when it should be rejected.
I noticed a lot of cPanel phishing emails are being sent by spoofing our support@domain.com address as well, and I want to make sure these get rejected at the recipients' mail server.
Any feedback would be greatly appreciated.
-Dave
Hey there! Unfortunately, there's no perfect system to stop these. If there were, it would be well-known and you wouldn't be here asking this question today. The reality is, spammers will always find ways around the checks and there will always be spoofed messages. Although it sounds like you've done these already, the best information we have is in this article:
Thanks for the reply, but it seems even a Global Email Filter won't stop a pattern of spam emails in which it seems they are spoofing my from address. Blocking their IP won't work since it seems they're sending from Google's servers, and blocking those will block legitimate emails from Google's servers. Here are the email headers of a recent example:

++++++++++++++++++++++++++++++++++++++
Return-Path: <>
Delivered-To: dave@interactiveonline.com
Received: from cpanel12.primary001.net
 by cpanel12.primary001.net with LMTP
 id gHi0EVWk72PVEwAAMg0UZQ
 (envelope-from <>)
 for dave@interactiveonline.com; Fri, 17 Feb 2023 10:59:17 -0500
Return-path: <>
Envelope-to: dave@interactiveonline.com
Delivery-date: Fri, 17 Feb 2023 10:59:17 -0500
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net)
 by cpanel12.primary001.net with esmtp (Exim 4.96)
 id 1pT373-0004kB-0b
 for dave@interactiveonline.com;
 Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20
 by atlas110.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
X-Originating-Ip: [209.85.167.52]
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)
Authentication-Results: atlas110.aol.mail.bf1.yahoo.com;
 dkim=pass header.i=@gmail.com header.s=20210112;
 spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: dave@interactiveonline.com; Fri, 17 Feb 2040 14:31:59 +0000
X-YMailAVSC: zzBDI_o3bBtmtfq_jF2sgrchdrSWbDgtOukUCk9jerRkr1F
 5YMwRAgD5c3EjZRvf.yTAFsonsO1pihCOSfJLluGyE8KOyi2Z7QCvde.77Mm
 AWLsG.B7jLv7dYy9sxQOWR7cc.esHXXlc4zjEQQ8WvSy5vIQx4K6_acyx0Fc
 Q65ghvvL6zl.roRyvn2dZWDDC.hw9Fwdv41QEMnPyZjzA2eI7leyoweG6l_j
 2wO0GoxhnMjQZOsPpTusB7Qo43leLp4vvYgrPFZzjtzyPudrWSyBuBgRWRY3
 E8WWzNlplkd1j4B3l1Tq5DtPZ1wqHahhQZ60yluOhOcqMwr4YB2r2jedyIcA
 rP5PLcwe7nDjptHx1xg.ykd_gLjv85KCgNh9hOA5morWyKgHDC3tYWfRXxcG
 zl7irhMQthW7UPGheRpAUUT50CUpks_j.iFRWRl_zzDopD3e64VnBOYsUK9a
 u1xSnLQ.BJAR3OAVFF4l5PWLA4GGL6oCjVwptRsOCaobRnBmtmBkEenDKJqz
 PGCa_Zpn3kahU8D5fgKIFZFkOkFgNRi7ei3eDaeJcX1ir77WujA7da6Yv7x.
 3mMY_utma9bouu8ErzRxNeBpIaWjKw4Ys7aVx8leEQ9rXlOJWtRoXgAoqbqt
 Hqa0lqAW6xs5QXwiATLKoiEG0zAgicUWNSADZQgGG4Xyu_F31KCfyf6GE4Nk
 qMXWZ9ugaJsltvY06_FVD75Pmz0WqB42dGLfAtEXjPVnZtCWrvqMy2pTgukp
 zQ6lMKbCXXY4UdgTf1YSmZJ_O4.adj2wRffnJM_f67zSg3BUAG4hCLQT4iA4
 AG358WtYwz5x4whscxzp1cPdfP2Q_zQ9R1G0IB44nepz3ZYVbb1WfdWS.7V.
 tUtzfMBSo75urYvt8bCBE5R1QpCsZJWZE7_iC2tPAoXxzIEviRxMDcuvYYQ4
 eeNj6OuiIcVjc2ztI0TsNQdmHiYCn7GQrDg6jC595mHSYOJSgfXYs88sPKou
 cwDL36xHGkarfjkzVGYR00WLBP8wXKnlBHbprjwPQE2qJoN5YX82Rnh8ZvSu
 5r6o4mJ9BMs5XukSR
X-YMailISG: l4ySZ4QWLDsCIFqtrjl9svSm88xGIvN4xBOsj9EIEkr7Z5qt
 zwRd_qbODz47U9zW_q9qFV2vYEOHl0BmG_Nj2McQd3aFR.xDSamqMMCE7WfQ
 _59HoVFl3JjHjRUcuTE25PGPAywMit4SHcOwTLeKiNgIXAnNaltcFziduA2P
 k7f9YBtDUDCkmBSokvVxUZAitShiwpVaCngnqJCuwJNvFvYKM3raDgM3n1l6
 CVxRa9XA_fGvDdku_Yz4fq4UltnS9yV9msssdWhXJYVPAX3Vssi_8tymrJTe
 kKMnSRdwhjsNa9WAbERxGG4B7JhnmS6hiZxliWuRKo1psrS5eKisUJ1h0QoR
 L.s2TYDegIMsySFdavkQ7.IZApogFqgLSNAFJeCjvguN4aemrRIcJ4ZOqyu1
 fZVqx3oKLkjcifBvEOArv4NBlIHWAKdW7_K_wlv8QR6dso.4Bh8nx8iZK11t
 GWm3Q5OSPsNIHwcaKIn0CF4LOSElL_CVDZ1mylKm1_uAl4e4d7SLMidu.Ht7
 wcZnTGvisKChLQe5cc90A_wwMK2tNcQkKlh8piz8o0Cmmz8FRqNIG7PHomIX
 u0OSnfI2XYd3gV307KCQxli33VlAAgq9LQK16dEXKnuyxUmtAaTuegFQzwOA
 Duw6kgj.PSJPWnX7OTZv7EEG42_MsJXYlWheztmY0KcRDmGsV9tadG_ROMZy
 dIvmSAKkWYWGndjJwp4FHVUq_KFDQg5K8tl5HMZJHZ2gE5mnLe5NKeBSCc.E
 YvZvuZN4rRpFxXhrL6y12UvT78iljhLVNucLmBLSyVWIVRGNi1dGQNcFVioS
 zDnoG_vz8t7v14_hUZqGOnhs039uz2Sb_4.pbLs_lbqzblmcD4quXPI8s1E8
 yFH.FKwilY9RZamoWRK_WZ8JzprDhqgWH.5xp9406yKsiqs5aC4fE2Dfj9MC
 TiI4Q7qzVfnAsQ13OlVlmnG_TWEq7KbKNT_uNX5MKB_DRFfhkFWR2TceI_iZ
 ZdwdLVT7H4vDDrmFe4b70RDbtwQUfxRZ8.J4Nbtk3pECYNeaWNy2k7LucskB
 0Ehguk0oToVRrmwTG7ZJHKcdPJv4OzWze5xgX5L5gQhQmBeacanYG99jWC81
 keBIj2F0UgEO.R8zx4hrPLUSGEyYdrsYM9IadJFi2wzL8tauIbM7pfYRcswg
 AVs-
Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com)
 by 10.194.196.20 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Fri, 17 Feb 2040 14:31:59 +0000
Received: by mail-lf1-f52.google.com with SMTP id p19so1773333lfr.9
 for dave@interactiveonline.com; Fri, 17 Feb 2040 06:31:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=pC7P3qOuWCWKzwP3BvxgAAr43ic9lKr1ofb2xWQUiX4=;
 b=me3i4bNjdC9e9Bm3TMYeHsKq/TiIbHQQsbwcWxo8TmEk+mWfexAO/MEFKy3Zg/dDN7
 gYaIZqxwFX2MKQC51IS1WCD4LXnDofNEkuSTkGFSMoqg1Qa0Pli8K6n5BlXbIrAbwhXd
 G8RNFjePtxlPfnzheGgQI2O+OCjpRlnMSuAIW8c8Cd+PduvIjDNuyN2QfvFV0WwMoLYW
 L+XJmIZuvXNQ9FhvhNs+CZy6QJAFyC3ZJjEprzUksn9GGRCQZBSywAmxKIEYAWE2/lhM
 HYSFBPffTwsOXd8mdPwx08rMa0vF6QJw9nw/4+SpEw6vEPDp4bq8I32OLyC+SS3enJ0D
 pBZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=pC7P3qOuWCWKzwP3BvxgAAr43ic9lKr1ofb2xWQUiX4=;
 b=m6Y/C+al44pwXmf1D+h+ZP+6huQm0NfFdcm72Vr7p4uNVOUHgow3pBFwq1nHneNIrB
 pqA6znQfQYHu8brA3jaorI893l5rHb/GO6tQMkwQFWWhlbxb4/0GMzAD8HwxVmuj+1ma
 wVYR6kDGcH/h2hgNk3lqMxosNh7O0xMnE38g/Zti5KylfB4wJx4jezQF3SdeCqH8c9UT
 M9b0jCz5cvzPet706NPhAgeT6TX8PEJNQIprFTEXO5MzqoYV/F8/OIqOjxZWbaRRvs3b
 lqp0OkPNvIXdHRLEd0SymAWSNeJ7kK/IcM/onKw3KTs9WkSNkvU2XVaV5WG27mGqKzW2
 JriA==
X-Gm-Message-State: AO0yUKVTl67momJLBOHceV233tP70RzOxvkIiQEiXJZi0nbKyiOjMCT4
 +rnt9LFuGzaJSgys3BkmFgPSX30AyRHcEAgMlCbT+G6M
X-Google-Smtp-Source: AK7set8NUVzPOwXYd+nZivLVanpSzWn6hKVFUXirCgs3AgFskgnm7JI/OG/cC6m/S39QDt/K1bbep+fiMid9qLygtmw=
X-Received: by 2002:a05:6512:39c4:b0:4dc:7e56:9839 with SMTP id k4-20020a05651239c400b004dc7e569839mr2069013lfu.5.1676644318011;
 Fri, 17 Feb 2040 06:31:58 -0800 (PST)
List-Unsubscribe: (envelope-from <>)
++++++++++++++++++++++++++++++++++++++

I had even set up a Global Email Filter to Discard if Any Header shows any of the above, since Return-Path or envelope-from shouldn't be blank if they are legitimate emails, but these emails still get through.

Also, this confuses me a bit. It shows 4 different IPs it was received from, and it shows it passed SPF since it was sent from gmail.com:

++++++++++++++++++++++++++++++++++++++++++++++++
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net) by cpanel12.primary001.net with esmtp (Exim 4.96) id 1pT373-0004kB-0b for dave@interactiveonline.com; Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20 by atlas110.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
X-Originating-Ip: [209.85.167.52]
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)
Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com) by 10.194.196.20 with SMTPs
++++++++++++++++++++++++++++++++++++++++++++++++

I've blocked 103.198.26.159, but that 1st IP listed in the headers is always changing. I literally can't keep up with the number of different IPs they use. Also, within this pattern of spam emails, I see Yahoo and Gmail IPs in the headers too. Why does it show these Yahoo and Gmail IPs? From what I gather from this info, 10.194.196.20 is a local IP of the spammer's computer, but they're using gmail.com SMTP to send out the spam, while somehow spoofing the FROM address to look like my address, dave@interactiveonline.com.

Also, I just don't know how in the world this can PASS the SPF check:

Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)

Any ideas how to block this type of spoofed spam without having to block Google's IP? I get a lot like these every day. Any feedback would be greatly appreciated!
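The SPF puzzle in the post above comes down to two questions a receiving server has to answer: which of the headers in the message did it write itself, and which domain each authentication result actually vouches for. Only the topmost Received header (the one written by cpanel12.primary001.net) reflects the real connection; everything below it, including the Yahoo and Gmail Received lines, the Received-SPF line and the Authentication-Results line, arrived as text inside the message and could have been written by anyone. And an SPF pass is a pass for the domain that was checked (gmail.com, or the HELO name when MAIL FROM is empty), not for the domain in the From: header; DMARC is the check that ties the two together by requiring the SPF- or DKIM-authenticated domain to align with the From: domain. The script below is an added example, not code from the thread or from cPanel. It parses a header set constructed from the Received chain quoted above (the From: line is an assumption; the post describes the spoofed address but does not quote the header), trusts only the hop written by the local MTA, ignores Authentication-Results stamped by any other server, and applies the DMARC alignment rule. The local SPF and DKIM results and the DMARC policy are inputs, since the thread shows neither the cPanel server's own verdicts nor the published policy; the values used in the `__main__` block are assumed for illustration.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample built from the Received chain quoted in the thread. The From:
# line is an ASSUMPTION: the post says the From address was spoofed to
# dave@interactiveonline.com but does not quote the header itself.
SAMPLE_HEADERS = """\
Return-Path: <>
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net)
 by cpanel12.primary001.net with esmtp (Exim 4.96) id 1pT373-0004kB-0b
 for dave@interactiveonline.com; Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20 by atlas110.aol.mail.bf1.yahoo.com pod-id NONE
 with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)
Authentication-Results: atlas110.aol.mail.bf1.yahoo.com; dkim=pass header.i=@gmail.com
 header.s=20210112; spf=pass smtp.mailfrom=gmail.com;
 dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com) by 10.194.196.20
 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256); Fri, 17 Feb 2040 14:31:59 +0000
From: Dave <dave@interactiveonline.com>
To: dave@interactiveonline.com

"""

LOCAL_MTA = "cpanel12.primary001.net"  # the only host whose headers we control


def received_hops(msg):
    """Parse each Received header into (connecting host, receiving host, HELO name), top first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        if not m:
            continue
        helo = re.search(r"helo=([\w.-]+)", flat, re.I)
        hops.append((m.group(1).strip("[]"), m.group(2), helo.group(1) if helo else None))
    return hops


def org_domain(domain):
    """Simplified organizational domain (last two labels); real code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, relaxed=True):
    """DMARC identifier alignment: the authenticated domain must match the From: domain."""
    if not auth_domain:
        return False
    if relaxed:
        return org_domain(from_domain) == org_domain(auth_domain)
    return from_domain.lower() == auth_domain.lower()


def dmarc_verdict(from_domain, spf, dkim, dmarc_policy="none", relaxed=True):
    """spf and dkim are (result, domain) pairs from OUR OWN checks on the live SMTP session.
    DMARC passes only if at least one of them passed AND is aligned with the From: domain."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], relaxed)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], relaxed)
    passed = spf_ok or dkim_ok
    disposition = "deliver" if passed else {
        "none": "deliver", "quarantine": "quarantine", "reject": "reject"}[dmarc_policy]
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}


def analyze(raw_headers, local_mta, local_spf, local_dkim, dmarc_policy="none"):
    """Evaluate an inbound message the way a DMARC-enforcing receiver would."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = received_hops(msg)
    if not hops or hops[0][1] != local_mta:
        raise ValueError("topmost Received header was not written by our MTA")
    connecting_ip, _, helo = hops[0]  # everything below this hop is sender-supplied text
    # Authentication-Results written by someone else's authserv-id carry no weight here.
    foreign = [h for h in msg.get_all("Authentication-Results", [])
               if not " ".join(h.split()).startswith(local_mta + ";")]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = dmarc_verdict(from_domain, local_spf, local_dkim, dmarc_policy)
    verdict.update(connecting_ip=connecting_ip, helo=helo,
                   envelope_from=msg.get("Return-Path"),
                   ignored_foreign_auth_results=len(foreign))
    return verdict


if __name__ == "__main__":
    # Assumed local results: with an empty MAIL FROM, SPF is evaluated on the HELO identity;
    # the gmail.com DKIM signature may still verify if the body was not altered in transit.
    result = analyze(SAMPLE_HEADERS, LOCAL_MTA,
                     local_spf=("pass", "mail237.sea22.mcdlv.net"),
                     local_dkim=("pass", "gmail.com"),
                     dmarc_policy="reject")  # assumed policy for interactiveonline.com
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as written, the verdict is `dmarc: fail` with `disposition: reject`: both assumed checks pass, but neither authenticated domain is interactiveonline.com, so neither aligns and the embedded `Received-SPF: pass` for gmail.com never enters the decision. That is the behaviour a `p=reject` policy asks of the world's mail servers for mail claiming to be from the domain, and it is also what the local server would have to apply to its own inbound mail for the spoofed copies addressed to dave@interactiveonline.com to be refused, which is a separate setting from publishing the record.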