Stop spammers from spoofing my email domain?

Posted by mifbody, 05-04-2007, 06:55 AM
Is there any way to stop spammers from spoofing my address? I've had issues ever since I started this server with getting bounced spam where the "From:" field was (gibberish)@mydomain.com, which was annoying but not that constant. I came online this morning to check my mail and had over 1200 e-mails, and all of them have "online@wellsfargo.com" as the "From:" address, but the message-ID has my domain name in it. There's gotta be some way (make that 1204.. just got 4 more bounces) to block spammers from doing this. Could someone help a newbie out? Thanks!

Posted by cpanellover, 05-04-2007, 07:06 AM
Hi, most likely you have an insecure script running. To find out how the spammers are doing this I would suggest the following: http://choon.net/php-mail-header.php <<-- very helpful PHP patch. Read this thread, and to actually stop them (and you are on cPanel) you can tick "prevent nobody .... " under Tweak Settings.

Posted by AllenB, 05-04-2007, 09:12 AM
Hello, I believe you are going to find that spoofing is harder to stop than it sounds and I do not know of a good cure for this. Have you implemented an SPF record for the domain? Good luck and best wishes.

Posted by SPaReK, 05-04-2007, 10:52 AM
These headers look like there is a script on host.mydomain.com that is sending out spam/phishing messages. If host.mydomain.com is referring to your server, you would need to find the script that is sending out the messages or your server could become blacklisted. As for finding the script, you would have to look through your mail logs and it really depends on how you have configured your mail server and what security patches you had previously applied.

Posted by mifbody, 05-04-2007, 03:01 PM
Could someone direct me to what mail logs I want to look through? I looked at /var/log/maillog but it didn't seem to really make sense to me. I did the change to the sendmail as described in the link cpanellover gave, and it's mostly stopped it from happening, but I'm still receiving emails that are bounced. Seems like someone did a GOOD job taking advantage of the hole; I've received at least 5,000 bounced emails -- and that's just the ones bouncing, can't imagine how many were sent that DIDN'T bounce. Thanks for all the help, guys, I really REALLY appreciate it.

Posted by whmcsguru, 05-05-2007, 11:41 AM
If this is coming from your server, you can apply php mail patches that will assist in the identification of the script AND stop implicit BCC injections. When this is done, you can view the headers to see the page that is causing this, IF this is coming from your domain. Of course, this only works if a php page is being used to send the mail. If this is NOT your server sending out the mail, there really isn't a thing you can do. It's quite trivial to spoof an email address, really.
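
The triage the replies above describe (did the bounced mail really leave your server, and which script sent it?), as an added example that is not part of the original thread: it reads the returned headers inside each bounce. The server IP, the `X-PHP-Script` / `X-PHP-Originating-Script` header names and the sample bounces are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumptions: your server's hostname/IP, and the header names a PHP mail
# patch (or PHP's mail.add_x_header setting) stamps on script-sent mail.
MY_SERVER = ("host.mydomain.com", "192.0.2.10")
SCRIPT_HEADERS = ("X-PHP-Script", "X-PHP-Originating-Script")

def original_headers(bounce: bytes):
    """Return the headers of the message that bounced, or None if absent."""
    msg = email.message_from_bytes(bounce, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":       # headers-only copy
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None

def classify(bounce: bytes):
    """Return (verdict, script) for one bounce message."""
    orig = original_headers(bounce)
    if orig is None:
        return ("unknown", None)
    # Received lines below the first trusted hop can be forged, so a match is
    # a lead to confirm in the MTA log, not proof.
    hops = " ".join(str(r).lower() for r in orig.get_all("Received", []))
    via_us = any(name in hops for name in MY_SERVER)
    script = next((str(orig[h]) for h in SCRIPT_HEADERS if orig[h]), None)
    if via_us or script:
        return ("sent-from-this-server", script)
    return ("forged-elsewhere", None)

def make_bounce(returned: str) -> bytes:
    """Build a constructed delivery-failure report around `returned` headers."""
    return ("From: MAILER-DAEMON@mx.example.net\r\n"
            "Subject: Undelivered Mail Returned to Sender\r\n"
            "MIME-Version: 1.0\r\n"
            'Content-Type: multipart/report; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
            "--b1\r\nContent-Type: text/rfc822-headers\r\n\r\n"
            + returned + "\r\n--b1--\r\n").encode()

LOCAL = make_bounce("Received: from host.mydomain.com ([192.0.2.10]) by mx.example.net\r\n"
                    "From: online@wellsfargo.com\r\n"
                    "X-PHP-Script: www.mydomain.com/contact/form.php for 198.51.100.7\r\n")
FORGED = make_bounce("Received: from dsl-pool.example.org ([203.0.113.44]) by mx.example.net\r\n"
                     "From: qzxv@mydomain.com\r\n")
```

A "sent-from-this-server" verdict points at a script to find and fix; "forged-elsewhere" is backscatter from mail that never touched your machine.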

Posted by sanjuabraham, 05-05-2007, 10:08 PM
Hello, Anyone with Outlook or any other email program can forge whatever address they want in the FROM field of an email, regardless of whether they own the domain name in the address, regardless of whether they have permission to use it, and regardless of whether the domain name even exists or is valid. There is nothing that the rightful owner of a domain name can do to stop people from sending out email with an address in the FROM field using someone else's domain name. There also is nothing that a webhost can do to stop or prevent spammers or virus mails from wrongfully claiming that your email address came FROM or was the sender of a piece of spam or email virus. The most annoying part of having someone forge your email address in the FROM field of their outgoing SPAM is that nondelivery and other bounce notifications will be returned to you because the undeliverable messages appear to come FROM your address. You can set a black hole so that all unroutable mails to the domain will not be received in your inbox hereafter. There is an option in cPanel to do this. Please refer to the following steps: Enter cPanel > Mail Option > Default address > Set default address. Thanks
