0

We recently received a whole bunch of notification emails stating an email that apparently originated from our servers was blocked for being spam, but we can't find the source emails on our server, so wanted to ask if we're missing anything obvious.

Below is the notification email. [email protected] is our domain email address:

Notification email:

A message that you sent was rejected by the local scanning code that checks incoming messages on this system. The following error was given:

This message was classified as SPAM and may not be delivered

------ This is a copy of your message, including all the headers. ------

Received: from amcham by vps62989.inmotionhosting.com with local (Exim
4.95) (envelope-from [email protected]) id 1nrvvQ-0002CA-NB for
[email protected]; Thu, 19 May 2022 23:15:48 -0700
To: [email protected] Subject: Contact
X-PHP-Script: amchamec.com/index.php/contactanos for 104.149.136.246
X-PHP-Originating-Script: 1003:class.phpmailer.php
Date: Fri, 20 May 2022 06:15:48 +0000
From: "? Donna just viewed your profile! Click here: https://spamPornURLRemoved.com ?"
[email protected] Message-ID:
[email protected] MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

Customize this e-mail also. You will receive it as administrator.

Nombre y Apellido:? Donna just viewed your profile! Click here: https://wondergirl22.page.link/29hQ?bvh9r ?
E-mail:[email protected]
{CompanySize:caption}:{CompanySize:value}
{Position:caption}:{Position:value}
{ContactBy:caption}:{ContactBy:value}
{ContactWhen:caption}:{ContactWhen:value}

Some bullet points:

  • The envelope was from [email protected] This is a genuine email address on our servers. This is NOT a mailbox but a forwarder that comes to my business email mailbox.
  • Checking Exim there is no record of the 1nrvvQ-0002CA-NB mail ID or [email protected] mail id except the above message.
  • class.phpmailer.php does not exist on this server, but we do use PHP and clients do send mailings using PHPMailer (but not from this domain).
  • Our servers always use PTR, DKIM, SPF, DMARC , etc.

Our problem

So, there have been enough of these notification emails I'm not sure they're fake, but checking Exim Logs can't find these id's or email addresses in the logs so am not sure what's going on. I can only conclude that the email is entirely 3rd party but somehow they're "piggybacking" on our domain as the "envelope".

Question

What can we do to prevent 3rd party domains using our domains as "envelopes" for emails they send?

If the illustarted email above is a spam or fake, a) Is this likely and b) Why?

Improve this question
2
  • 1
    I don't understand. Are they sent using your IP address, or some completely unrelated addresses and only your domain names appear there?
    – Nikita Kipriyanov
    Commented May 20, 2022 at 13:35
  • @NikitaKipriyanov as I say, I can't find any Exim records for the referenced mail, the exim logs for the above email show where it's from but that's inmotionhosting.com (I'd imagine, I've not confirmed).
    – Martin
    Commented May 20, 2022 at 13:57

1 Answer 1

Reset to default
7

You can do nothing to prevent others from using your domain name in mails they send, including the envelope address. This is called sender address forgery and is generally considered abusive, but you as the legitimate owner of the domain have no direct means to prevent it.

You can also do nothing to prevent others receiving such mail from blindly believing that envelope address and sending non-delivery messages to it. This is called backscatter and is generally considered bad practice, but again, you as the recipient have no direct means to prevent it.

What you can do is set an SPF record in your domain to signal which servers are legitimated to send mails with envelope sender addresses from that domain. Well-configured mail servers will then reject mails falsely claiming to be from your domain during delivery instead of emitting notifications after the fact, thereby avoiding backscatter.

What you can also do is complain to the owners of the mail server producing the backscatter (ie. the sender of the notification mails) for running a misconfigured server.

As a last resort, you can use the ips.backscatterer.org RBL to block mailservers producing backscatter from delivering mail to your server.

Improve this answer
7
  • Also it is worth setting up DKIM records and configuring DMARC policy. But all those measures are recommendations to receivers that mail with your domain name in "mail from" should be rejected or quarantied if it doesn't adhere to certain rules.
    – Nikita Kipriyanov
    Commented May 20, 2022 at 16:08
  • Setting SPF records would help as major mail service providers will respect it and bounce off the emails from not allowed sources. You would need to read up a little more on how to configure SPF records properly.
    – antimatter
    Commented May 20, 2022 at 16:46
  • Thanks for this answer. We have DKIM, DMARC and SPF all set up and working on the domains across our servers.
    – Martin
    Commented May 21, 2022 at 11:09
  • Currently our SPF records are set on SoftFail ~all would it help combat this situation if they're changed to HardFail -all ?
    – Martin
    Commented May 21, 2022 at 11:17
  • It may mitigate it but will not entirely stop it. Misconfigured mailservers that produce backscatter tend to ignore SPF, too. At the end of the day, you can only complain and, if that is fruitless, block them.
    – Tilman Schmidt
    Commented May 21, 2022 at 18:25

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .