SPF and Backscatter

Trying to solve an issue whereby spammers forge the From: header along with the sender address to make it appear mail is being sent from our mail server.

The recipients (always a group, never single recipient) bounce back the message to us as spam; as a result their ISPs are penalizing our mail server’s IP rep (via SenderBase et al) and/or the receipients are reporting us to their ISP.

All this despite the actual sender being [email protected][email protected] (i.e. spammer ip is the real sender). Currently Verizon has blacklisted our mail server IP and we’ve received a couple of warnings from AOL as well.

My question is, why is SPF not working? We have

v=spf1 mx ip4:our-mail-server-ip -all

setup for all mail users, and PTR on mail server and mail sender domains.

I’m particularly interested in knowing if there’s a loophole where a spammer is able to append their IP to a valid [email protected]_domain address thereby tricking remote mail servers into seeing our_domain as the actual sender. I suspect not, but putting it out there in case anyone else has noticed this spammer technique showing up in their maillog.

Ideas appreciated.

Thanks

Hi newmind

Sorry to hear your been targeted (it has a positive side, ie your services are known)

Is it always from one domain been used, or many different on your server

You should not be affected by reputation or IP as you state it’s not coming from your server. If you are been listed, I’d check that it definitely is not originating at your server as the sender

SPF only works if the receiving server utilises SPF on their receiving mail server.

I would set the SPF to hard fail so it should not be accepted in the first instance

You may want to also setup dk/dkims and dmarc, which also helps

If you have been blacklisted by some providers, you will need to contact them and give evidence of where it was sent from, and politely ask them to remove you.

You may also want to look at FBL which helps a lot, and gives you notification of issues prior to been blacklisted.

I hope that helps

Many thanks

John

Sure, here you go (you asked for message headers in my other thread but it actually applies to this thread):


Received: (qmail 1959 invoked by uid 108); 11 Dec 2015 11:03:54 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on OurMailServer
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=2.3 tests=ALL_TRUSTED,DATE_IN_PAST_06_12,
HTML_MESSAGE,MIME_HTML_ONLY,URIBL_BLOCKED autolearn=disabled version=3.4.1
Received: from unknown (HELO our_domain.com) ([email protected][email protected]_ip)
by OurMailServer with ESMTPA; 11 Dec 2015 11:03:52 -0500
X-Mailer: YahooMailIosMobile/0.0 YahooMailWebService/0.8.203.817
Message-Id: <[email protected]_domain.com>
Date: Thu, 11 Dec 2015 05:03:44 +0000
From: Dennis Ahrens <[email protected]_domain.com>
Subject: RE:
To: bunch o’ users…