How to stop someone using my domain to send spam

[bkiser]

When I got into work this morning and checked my email I got a bunch of messages from other servers saying they are receiving SPAM from my domain. I went into my logs and checked my "outmail_xx.log" files and couldn't find any of the domains listed. I also opened up some of the email headers and it doesn't look like they are actually coming from my server, here are a couple of the headers:

Received: from ti300710a080-3557.bb.online.no (ti300710a080-3557.bb.online.no [85.166.149.235])
by router.jcfumc.org (Postfix) with SMTP id 03FEB58EA5
for <xvrjh@jcfumc.org>; Mon, 10 Nov 2008 09:30:31 -0600 (CST)
Message-ID: <167601c94349$05f8a7c0$eb95a655@ti300710a080-3557.bb.online.no>
From: "Kate.Zak" <Subki.Arnoth@matsonalarm.com>
To: <xvrjh@jcfumc.org>
Subject: [SPAM] only smart people have finished the learnings
Date: Mon, 10 Nov 2008 15:30:22 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_2669_4ACC9E33.F0C8DAE7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.137
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.137
X-yoursite-MailScanner-Information: Please contact the ISP for more information
X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-SpamCheck: spam, spamcop.net,
SpamAssassin (not cached, score=21.692, required 4,
autolearn=disabled, DEAR_SOMETHING 2.23, DOS_OE_TO_MX 2.75,
HTML_IMAGE_ONLY_24 2.21, HTML_MESSAGE 0.00,
RCVD_IN_BL_SPAMCOP_NET 2.19, RCVD_IN_SORBS_DUL 1.61,
URIBL_AB_SURBL 1.61, URIBL_BLACK 1.96, URIBL_OB_SURBL 2.13,
URIBL_SBL 2.47, URIBL_SC_SURBL 2.52)
X-yoursite-MailScanner-SpamScore: sssssssssssssssssssss
X-yoursite-MailScanner-From: subki.arnoth@matsonalarm.com
X-Spam-Status: Yes

and

Received: from 9.subnet125-160-255.speedy.telkom.net.id ([125.160.255.9]) by biao.co.ci with Microsoft SMTPSVC(6.0.3790.211);
Mon, 10 Nov 2008 15:57:25 +0000
Message-ID: <2f2201c94416$19307afe$09ffa07d@9.subnet125-160-255.speedy.telkom.net.id>
From: "Jova.Ryad" <Chong.Orestes@matsonalarm.net>
To: <yo@biao.co.ci>
Subject: ****SPAM**** you can always start another learning, but only today - finish what is started
Date: Tue, 11 Nov 2008 16:00:08 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_94AC_C9E33F0C.8DAE7C53"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1123
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
Return-Path: Chong.Orestes@matsonalarm.net
X-OriginalArrivalTime: 10 Nov 2008 15:57:29.0849 (UTC) FILETIME=[08F38690:01C9434D]
X-NAI-Spam-Checker-Version: NAI SpamAssassin 1.2 (2.70 20081107 3143)

The "From" addresses are non-existent users the address in the "Received" section are not from any of my networks. Is there any way to stop this?

Thank you,

Ben Kiser

[rob]

One method would be to enable SPF and also add the appropiate SPF records to your domain. There is also a SPAM feature 'Use Sender Domain Check' which will verify any from address that matches your domains (to prevent just this type of attack). I should note the SPAM feature can cause new issues but as long as your users all correctly log in to the SMTP for relaying access it should be fine.

[bkiser]

So could the original emails be coming from my server, or is someone just using my domain name but the mail is actually be sent from a different server? If it's coming from a different server does anyone know how to stop it?

Thank you,

Ben Kiser

[rob]

The mails most likely are coming from external SPAM sources, and faking to be from your domain. As my previous post stated, SPF and Sender Domain Check are designed specifically to prevent this kind of attack. I would recommend giving them a try to see if these type of mail is reduced.

[Pugglewuggle]

Hi there, I've setup SPF on all of my domains, but I don't entirely understand it even after researching it.

The record I'm using is a TXT record that contains the following:

v=spf1 a mx ~all

Please let me know if you have any input or suggestions for the SPF record.

I did use the wizard here: http://old.openspf.org/wizard.html but didn't really get what it was doing with the information I put in.

[rob]

The SPF record below simply says that any of the MX record's domains (and there appropiate IP's) and also the IP of the actual email domain (the part after the @) are permitted to send mail. As long as you don't expect to use any other third party mail servers to relay your mail this should work fine. I should note that ~all means that other mail servers accepting your mail will still accept SPAM mail, as the ~ is a SOFTFAIL, and this is generally only a indicator that further checking should be done really. If you want mails not from your IP's to be rejected as they arrive to AMS or external mail servers, you should cahnge this to -all. Of course it would be wise to keep a look out for mails failing should you choose to do this (you should receive bounces).

[bkiser]

This worked great! Thank you.