Ask HN: A spammer is spoofing my email address; what do I do?
About every 15 seconds all day, another Mail Delivery Subsystem Status Notification Failure pops in from random servers around the world for some email that supposedly I sent, but of course did not. Apparently someone is sending out thousands of emails as coming from my address, and there is nothing I can do about it, right? Here are my questions:
1) Or, is there something I can do about this? 2) Will this cause my email address to end up on blacklists and cause me significant problems? 3) Why in 2016 are Internet mechanisms not in place to prevent stuff like this?
50 comments
[ 2.9 ms ] story [ 104 ms ] threadDKIM - https://support.google.com/a/answer/174124?hl=en
SPF - https://support.google.com/a/answer/33786?hl=en
Dmarc - https://support.google.com/a/answer/2466580?hl=en
However, implementing needs support from your email/hosting provider.
I'm also getting DMARC reports back from them for all my domains.
Can you share the full message headers of one of these bounces you are receiving? Feel free to redact your email address. https://support.google.com/mail/answer/22454?hl=en
Edit: I left Google in 2013
Google Groups uses a different sub system internally, and if you don't have SPF configured (or configured it wrong) it definitely rejects messages aggressively or queues them for moderation.
Virtually every problem where legitimate mail to any of your Google Apps email addresses (or groups) bounced could be addressed by adding DKIM and SPF. Some folks have strange dual delivery set ups, or perhaps use an outbound gateway server (for compliance filtering, journaling etc) - in those cases you definitely need to adjust the SPF records accordingly.
I never tried Fastmail before, maybe I'll check it out :)
Yes, I pay Fastmail and I wasn't paying for Google Apps. But I also get responsive support from Fastmail, IMAP push to iOS devices, more flexibility in delivery rules, etc.
https://support.google.com/groups/answer/2627595?hl=en
I personally always disable it for public groups and then rely on Spam filtering of the recipient inbox.
By the way - the bounce message you are seeing is what is sent when the Spam Classification Server determined your message to be Spam. The main reasons for that are things like sending from a bad IP, having certain keywords that are strongly correlated with Spam, or having domains in your message that are associated with Spam (based on other messages having been marked as Spam containing those domains).
Google Apps SMTP -> Google Apps Group (different domain) == FAIL
Fastmail SMTP -> Google Apps Group (different domain) == SUCCESS?
It's been a long time since I looked at this. We did have great internal tools to look up the classification of individual messages, including the top 10 deciding reasons for a given message classification. With a paid Google Apps domain a support rep investigating your ticket would eventually look at this tool to figure out what's going on.
@dang helpfully pointed out an email to him had ended in the spam box, and a bit of investigation later revealed that some Vietnamese and Indian spammers had been sending email as me, to the tune of a few thousand emails per day.
I already had SPF in place, but I've since added DKIM and a strict reject policy via DMARC.
Additionally I added https://dmarcian-eu.com/ (or https://dmarcian.com/ if you're outside the EU), and this allows the DMARC reports to be sent directly there where they can be analysed and reported on.
My buro9.com records now look like:
Note I've gone strict on SPF (against Google's recommendation), my DMARC is sending aggregate reports and forensics to Dmarcian, and I have DKIM keys for both Google (I'm on Google Apps) as well as Mailjet (I have a mailing list of 37k people and that needs to work too).So far this appears to be having the desired effect, and I don't yet know of any deliverability issues from my email. Looks like this combination works well.
On domains I send no email from, i.e. buro9.co.uk:
An SPF that signals everything fails, and a reporting endpoint to find out if people are still trying to send spam as me.The major email service providers (GMail, Yahoo, Hotmail, iCloud, AOL, Comcast) should already be sticking these spoofed emails in their recipients' spam folders.
If you rely on communication with a less- or un-managed email server, then you might have issues, since they might not be filtering based off of SPF, DKIM signatures, or DMARC policy.
The problem that happened then is someone was using random users@example.com causing the blowback spam to fill up my mail box. Until I added SPF, then hadn't had an issue since.
https://en.wikipedia.org/wiki/Email_address#Sub-addressing
If I sign up for, say, a Sears mailing list with the address sears@justinlardinois.com, it's not possible to divine what my "real" email address is.
What are the arguments for this being a bad idea?
> What are the arguments for this being a bad idea?
It enables spammers and makes you vulnerable to their backscatter, and there is no good way around it.
Yes, but if they drop the "+sears" part, you lose the tracking information.
What do you mean by wildcard emails enabling spammers?
Backscatter is not really a problem, I just filter non-whitelisted addresses to another folder which deletes them after a short while. Known problematic address get filtered to /dev/null. This is really easy to do with Sieve.
I've definitely received generic spam emails purporting to originate from colleagues (whose email addresses would have been published in the same place) and I think I've even received one or two with my email as the spoofed originator...
It's quite common to see people have their gmail accounts hacked and used for spam.
https://security.google.com/settings/security/secureaccount
I use 2-factor auth, but I had a significant discrepancy in this checkup recently that I'm still trying to understand.
Steps to mitigate.
1. Setup SPF immediately. You can validate your records here- http://www.kitterman.com/spf/validate.html
You'll have to know who you send email through and their SPF record, but a quick googling of "provider name SPF" should get you what you need.
Depending on your DNS provider the results may be instant.
2. Filter those bounces keep them out of your inbox - it's going to take while until this clears up.
3. Make sure that YOU are not hacked, check the headers of the bounce back messages here - http://mxtoolbox.com/EmailHeaders.aspx
Ensure that your IP or hostname is not listed there. (This includes web servers that your domain is hosted on, apps that send on your behalf etc)
4. You can check to see if your domain is black listed - http://mxtoolbox.com/blacklists.aspx probably not...but worth a check.
TL;DR - I run one of the largest spam filtering companies in the world. Happens all day to clients...it's one of the reasons people switch to us.
I think it's also worthwhile to mention DMARC: https://dmarc.org/overview/. Most of the major Email Service Providors (ESPs) support it.
SPF and DKIM signatures are two data points to help form an opinion about whether a message is legitimate. DMARC is your published policy about what to do with email that fails SPF and DKIM. If you have the strictest DMARC policy along with good SPF and DKIM records, and you're signing all your outgoing email correctly with DKIM, then this should solve your problem.
It's recommended to start with the most permissive DMARC settings (p=none) so you can make sure you don't prematurely block your own outgoing email.
I work for one of the larger (by market share) "send email via an API" services. This is a common issue we come across with our customers.
If you fully and correctly implement SPF[1], DKIM[2], and DMARC[3], you'll see a massive improvement as much of the SPAM gets dropped completely at recipient MTAs.
To fully solve the problem, you need something to filter the backscatter[4] . At the time I purchased Postini, but now that Google has bought them, Google Apps for Work seems to have this feature built in. There may also be software you can run on your own server, or other proxy services like Postini. I've not looked since I use Google Apps for work. Such filters simply track all outgoing messages you send, and reject bounces from addresses and domains you never emailed.
This has complete solved my problem. Now I only get regular SPAM, a fact of life now.
In practice, all these things together look like this for kogir.com:
The sp=reject in the DMARC record is very important, but only works if all valid email from your domain will pass both the SPF and DKIM checks.[1] http://www.openspf.org/
[2] http://www.dkim.org/
[3] https://dmarc.org/
[4] https://en.wikipedia.org/wiki/Backscatter_(email)
sp=reject is already implied by your p=reject. You only ever need to specify sp= when it is different from your p=.
Additionally, adkim=r; aspf=r; pct=100; rf=afrf; and ri=86400; are all implicit defaults.
As for the defaults, you have much more faith in other people's correct implementation of them than I do. Why not just be explicit?
Disclosure: I'm not at all affiliated with Postmark, I use their free tier transactional emails, and I use their DMARC tool.
https://dmarc.postmarkapp.com
Change your password. Check your settings for unknown API tokens or any app you may have given to the permission to access your Google account.
Removing the bad SPF record and updating passwords fix it for me.
Still waiting on my web hosting provider to see if it was changed from my account with a valid login or if they were compromised in some way.
Once I discovered that the spammer was doing credit card fraud, and paying for their hosting with stolen credit cards, my conversations with hosting companies became even more effective, and the target sites were shut down within hours. Finally, the spammer retreated to an ISP in St. Petersburgh, Russia. It took a while, but it turned out that the CEO was an American expat, and we had some mutual friends. We had a nice chat. He told me the problem would be taken care of. The spam stopped shortly thereafter and never resumed.
It's much harder now, because spammers use botnets. On the other hand, after the CAN-SPAM act, "legitimate" spamming almost disappeared. Nobody spams from their own site any more, because spam filters will blacklist them. If they spam with phony origination, they're a crook, and can be prosecuted, so nobody legit spams with a phony source. The stuff that's left is all criminal, and because the number of spammer crooks really isn't that large, the spam gets picked up by classifiers that can see the commonality across destinations. (That's Gmail's edge.)
Second please check all of your systems that your email password is entered atleast once. Maybe a system has a spyware or virus or something.
Third change your email's password.
Except you are 100% sure that the spammer is not using your MTA then you just use an spf with the -all directive!
When I was a kid on AOL in ~2000 I made some script-kiddie mad and he did this to me. One angry person replied to me, and I explained what was going on. He took some convincing, but eventually he believed me. He became my good friend--I've even met him in person. I'm really thankful it happened.