Trying to solve an issue whereby spammers forge the From: header along with the sender address to make it appear mail is being sent from our mail server.
The recipients (always a group, never a single recipient) bounce back the message to us as spam; as a result their ISPs are penalizing our mail server’s IP reputation (via SenderBase et al) and/or the recipients are reporting us to their ISP.
All this despite the actual sender being our_user@our_domain@spammer-ip (i.e. spammer ip is the real sender). Currently Verizon has blacklisted our mail server IP and we’ve received a couple of warnings from AOL as well.
My question is, why is SPF not working? We have
v=spf1 mx ip4:our-mail-server-ip -all
set up for all mail users, and PTR on the mail server and mail sender domains.
I’m particularly interested in knowing if there’s a loophole where a spammer is able to append their IP to a valid our_user@our_domain address thereby tricking remote mail servers into seeing our_domain as the actual sender. I suspect not, but putting it out there in case anyone else has noticed this spammer technique showing up in their maillog.
Sorry to hear you've been targeted (it has a positive side, i.e. your services are known).
Is it always one domain being used, or many different ones on your server?
You should not be affected by reputation or IP as you state it’s not coming from your server. If you are being listed, I’d check that it definitely is not originating at your server as the sender.
SPF only works if the receiving server utilises SPF on their receiving mail server.
I would set the SPF to hard fail so it should not be accepted in the first instance
You may also want to set up DK/DKIM and DMARC, which also helps.
If you have been blacklisted by some providers, you will need to contact them and give evidence of where it was sent from, and politely ask them to remove you.
You may also want to look at FBL, which helps a lot and gives you notification of issues prior to being blacklisted.
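The SPF record quoted in the question, evaluated the way a receiving server does (against the envelope sender, RFC5321.MailFrom, not the From: header), together with the DMARC alignment step suggested in the answer, as an added example. This is not code from the thread and not a full RFC 7208 evaluator: it implements only the mechanisms that appear in the question's record (ip4, mx, all), replaces DNS with a constructed lookup table, and uses made-up placeholder IPs and domain names. It shows the one case where SPF alone is silent: a sender who uses their own envelope domain and forges only the From: header passes SPF for their domain, and only the DMARC alignment check fails.

```python
"""Minimal SPF + DMARC-alignment check (added example, standard library only).

Assumptions (not from the thread): FAKE_DNS stands in for real DNS, only the
ip4/mx/all mechanisms are implemented, no include/redirect/a/ptr/macros, and
the organizational-domain rule is simplified to the last two labels.
"""
import ipaddress

# Constructed DNS data; addresses are documentation ranges, not real hosts.
FAKE_DNS = {
    "txt": {
        "our_domain.example": "v=spf1 mx ip4:203.0.113.10 -all",
        # A spammer can publish a perfectly valid SPF record for their own domain.
        "spammer.example": "v=spf1 ip4:198.51.100.77 -all",
    },
    "mx": {"our_domain.example": ["mail.our_domain.example"],
           "spammer.example": ["mx.spammer.example"]},
    "a": {"mail.our_domain.example": ["203.0.113.10"],
          "mx.spammer.example": ["198.51.100.77"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mailfrom_domain, dns=FAKE_DNS):
    """SPF result for the connecting IP against the ENVELOPE sender domain.

    The From: header plays no part here; that is why a forged header alone
    cannot make SPF fail for the forged domain.
    """
    record = dns["txt"].get(mailfrom_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":  # any A record of the domain's MX hosts
            for host in dns["mx"].get(arg or mailfrom_domain, []):
                matched = matched or str(ip) in dns["a"].get(host, [])
        elif mech == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched


def header_from_domain(header_from):
    """Domain of an RFC5322.From value such as 'Name <user@domain>'."""
    addr = header_from.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List here.
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(msg, strict=False):
    """SPF result plus the DMARC SPF-aligned verdict (DKIM path not modelled)."""
    spf = spf_check(msg["client_ip"], msg["mailfrom_domain"])
    hf, mf = header_from_domain(msg["header_from"]), msg["mailfrom_domain"].lower()
    aligned = hf == mf if strict else org_domain(hf) == org_domain(mf)
    return {"spf": spf, "aligned": aligned,
            "dmarc": "pass" if spf == "pass" and aligned else "fail"}


# Constructed messages modelling the three cases worth telling apart.
LEGIT = {"client_ip": "203.0.113.10", "mailfrom_domain": "our_domain.example",
         "header_from": "Our User <our_user@our_domain.example>"}
# Spammer forges BOTH envelope and header: SPF fails, as the record intends.
FORGED_ENVELOPE = {"client_ip": "198.51.100.77", "mailfrom_domain": "our_domain.example",
                   "header_from": "Our User <our_user@our_domain.example>"}
# Spammer forges ONLY the header: SPF passes for spammer.example; only
# DMARC alignment against the From: domain fails.
FORGED_HEADER_ONLY = {"client_ip": "198.51.100.77", "mailfrom_domain": "spammer.example",
                      "header_from": "Our User <our_user@our_domain.example>"}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("forged envelope", FORGED_ENVELOPE),
                      ("forged header only", FORGED_HEADER_ONLY)]:
        print(f"{name:20s} {evaluate(msg)}")
```

Run as-is, the third case is the one to look for in a receiving server's log: an SPF pass attached to the spammer's envelope domain while the visible From: is yours. That is what publishing a DMARC policy adds on top of the SPF record already in place.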