Spoofed "From:" (From: and To: same)

227ths
Posts: 6
Joined: Wed May 02, 2018 9:14 pm

Postby 227ths » Wed May 15, 2019 3:22 pm

We are getting 'extortion' type spam coming in from random IPs that are not whitelisted or allowed to relay.

The format is always the same:

1. They use an inline image of text (so email body text cannot be scanned for spam content). How can I spam block this?
2. They always use the SAME From: and To: (MAIL FROM/return path is NOT local, though)
3. Subject line is always the username part of email address (the user being sent to)

-> From: <someone@mydomain.com>
-> To: someone@mydomain.com
-> Subject: someone
-> Mail From/Return Path/X-Envelope-Sender: someone-else@3rdpartydomain.com


Header Example:

Received-SPF: pass (mydomain.com: domain of 100pceffective.com designates 5.77.56.20 as permitted sender)
   client-ip=5.77.56.20
Received: from www.100pceffective.com ([5.77.56.20]) by mydomain.com with
 MailEnable ESMTPS (version=TLS1 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256); Wed, 15 May 2019 06:43:18 +0000
Received: from [a96.sub16.net78.udm.net] (a96.sub16.net78.udm.net [78.85.16.96]) by www.100pceffective.com with SMTP;
   Wed, 15 May 2019 07:24:30 +0100
Feedback-ID: dibfz8o7tboyh3190560e6jn5g2vxse1x75ggcvyc4ixhmg:none:tyzuzln
List-Unsubscribe:
 <https://100pceffective.com/unsubscribe/fu/98041/gzow8qpksppw8js3u45rw5cnclk8xdpeuawkn527d8qzmu5qgq7ma9t3yx8oqcpl/647176637>
List-Help: <mailto:abuse@100pceffective.com>
Date: Wed, 15 May 2019 08:24:50 +0200
X-Priority: Critical
Message-ID: <p2jzqpbsngsg7ao$ijb3dd07secof5n$rba5f@f6wykjdlrfil>
X-Sender-Info: <peter.sammons@100pceffective.com>
To: user1@mydomain.com
Content-Type: multipart/related;
 boundary="3E9E4386CCAAF-23783AD11D0E-17ABE5EF4D2-02667A1FC-18A525BFF4422AE6"
MIME-Version: 1.0
Subject: user1
From: <user1@mydomain.com>
X-ME-CountryOrigin: GB
X-Envelope-Sender: peter.sammons@100pceffective.com
X-ME-Bayesian: 40.000000
Return-Path: <peter.sammons@100pceffective.com>


Logs:

05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20         220 mydomain.com ESMTP MailEnable Service, Version: 10.20--10.20 ready at 05/15/19 06:43:16   94   0      
05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   EHLO   EHLO www.100pceffective.com   250-mydomain.com [5.77.56.20], this server offers 7 extensions   269   29      
05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   STARTTLS         24   10      
05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   STARTTLS   STARTTLS      24   10      
05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   EHLO   EHLO www.100pceffective.com   250-mydomain.com [5.77.56.20], this server offers 6 extensions   161   29      
05/15/19 06:43:17   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   MAIL   MAIL FROM:<peter.sammons@100pceffective.com> SIZE=243626   250 Requested mail action okay, completed   43   58      
05/15/19 06:43:18   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   RCPT   RCPT TO:<user1@mydomain.com>   250 Requested mail action okay, completed   43   34      
05/15/19 06:43:18   SMTP-IN   9CFCA5BD09AC4ED3A072AE994D61BB54.MAI   2036   5.77.56.20   DATA   DATA   354 Start mail input; end with <CRLF>.<CRLF>   46   6      
05/15/19 06:43:19   SMTP-IN   ABEBD9C02FD04ACF9BE3AC128C01B426.MAI   2036   5.77.56.20   QUIT   QUIT   221 Service closing TLS SSL transmission session   50   6


2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 EHLO EHLO+www.100pceffective.com 250-mydomain.com+[5.77.56.20],+this+server+offers+7+extensions mydomain-MAIL 269 29 -
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 STARTTLS STARTTLS - mydomain-MAIL 24 10 -
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 EHLO EHLO+www.100pceffective.com 250-mydomain.com+[5.77.56.20],+this+server+offers+6+extensions mydomain-MAIL 161 29 -
2019-05-15 06:43:17 5.77.56.20 SMTP-IN - 10.148.127.237 2036 MAIL MAIL+FROM:<peter.sammons@100pceffective.com>+SIZE=243626 250+Requested+mail+action+okay,+completed mydomain-MAIL 43 58 -
2019-05-15 06:43:18 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 RCPT RCPT+TO:<user1@mydomain.com> 250+Requested+mail+action+okay,+completed mydomain-MAIL 43 34 -
2019-05-15 06:43:18 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> mydomain-MAIL 46 6 -
2019-05-15 06:43:19 5.77.56.20 SMTP-IN mydomain.com 10.148.127.237 2036 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> mydomain-MAIL 43 243582 -
2019-05-15 06:43:19 5.77.56.20 SMTP-IN - 10.148.127.237 2036 QUIT QUIT 221+Service+closing+TLS+SSL+transmission+session mydomain-MAIL 50 6 -


Settings seem fine to me - am I missing something?

[Attachment: ME-Forum-Post-spoof-from-2019-05-15_101653.png - SMTP Properties/Security]

Please let me know why these emails are still getting through to our users.
[Attachment: 1557908690619.jpg - Non-Text text - cannot be scanned.]
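As an added example (not from the post and not MailEnable's own filtering), a small Python check for the pattern described above: header From: is a local address and equals To:, the envelope sender / Return-Path is an outside domain, and Subject: is the recipient's local part. LOCAL_DOMAINS and the sample message are assumptions constructed from the header example quoted in the post.

```python
"""Flag the pattern from the post: header From: is a local address (and equals
To:) while the envelope sender / Return-Path belongs to an outside domain.
Added example, not MailEnable code; LOCAL_DOMAINS and the sample message are
constructed from the header fields quoted in the post."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: domains this server hosts


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes, local_domains=LOCAL_DOMAINS) -> dict:
    """Return each indicator plus an overall verdict for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    hdr_from = parseaddr(str(msg.get("From", "")))[1].lower()
    hdr_to = parseaddr(str(msg.get("To", "")))[1].lower()
    # Envelope sender as the MTA recorded it: Return-Path, else X-Envelope-Sender.
    env = msg.get("Return-Path") or msg.get("X-Envelope-Sender") or ""
    envelope = parseaddr(str(env))[1].lower()
    subject = str(msg.get("Subject", "")).strip().lower()

    result = {
        "from_is_local": _domain(hdr_from) in local_domains,
        "envelope_is_local": _domain(envelope) in local_domains,
        "from_equals_to": bool(hdr_from) and hdr_from == hdr_to,
        "subject_is_localpart": bool(subject) and subject == hdr_to.partition("@")[0],
    }
    # Local From: with an external envelope is the spoof described in the post;
    # a real local sender relaying through this server keeps a local envelope.
    spoofed = result["from_is_local"] and not result["envelope_is_local"]
    result["verdict"] = "spoofed-local-from" if spoofed else "ok"
    return result


# Constructed from the header example in the post (body omitted).
SAMPLE = b"""Return-Path: <peter.sammons@100pceffective.com>
X-Envelope-Sender: peter.sammons@100pceffective.com
From: <user1@mydomain.com>
To: user1@mydomain.com
Subject: user1
MIME-Version: 1.0
Content-Type: text/plain

"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The individual indicators are returned separately so a filter can require several of them together (local From: plus external envelope plus Subject equal to the local part) and avoid catching list services that legitimately rewrite the envelope sender.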

kiamori
Posts: 197
Joined: Wed Nov 04, 2009 1:39 am

Re: Spoofed "From:" (From: and To: same)

Postby kiamori » Thu May 16, 2019 3:42 am

They are using the envelope sender function to get past the no-spoofing function. You can block based on envelope sender; however, you will likely have many issues with email list services. The best solution is to use a DNSBL like 0spam.org, which blocks many of these types of senders.

rfwilliams777
Posts: 1300
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Spoofed "From:" (From: and To: same)

Postby rfwilliams777 » Mon May 20, 2019 1:54 am

You can also set up a filter where the body states something consistent with that junk, and any time any emails match (even if it is not them) they get deleted.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!
