How to prevent Spoofing of email

VadaDosaIdly
Normal user
Posts: 45
Joined: 2020-05-26 16:03

How to prevent Spoofing of email

Post by VadaDosaIdly » 2024-05-30 21:22

Hello Friends,
I have been enjoying hMailServer and its features for some time. However, for some time I am noticing that some hackers are trying to spoof our domain-based emails and spoofing us. This has been going on for some time and I noticed that most times hMailServer is able to identify this spoofing email as SPAM, but sometimes it fails and those directly hit my inbox. The headers of spoofing emails clearly show third-party IP addresses that are not included in our SPF record. We use SPF, DKIM and DMARC policies on our mail server.

Has anyone experienced this issue? What was the resolution, and any advice for me?

tunis
Senior user
Posts: 353
Joined: 2015-01-05 20:22
Location: Sweden

Re: How to prevent Spoofing of email

Post by tunis » 2024-05-31 08:35

I reject all incoming mail from my domain on port 25.

Code:

' Reject mail arriving on port 25 that claims a sender in my own domain
Sub OnAcceptMessage(oClient, oMessage)
    ' vbTextCompare makes the domain match case-insensitive
    If InStr(1, oMessage.From, "@mydomain.com", vbTextCompare) > 0 And oClient.Port = 25 Then
        Result.Value = 2
        Result.Message = "5.7.1 CODE06 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        Exit Sub
    End If
End Sub

HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.

RvdH
Senior user
Posts: 3307
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: How to prevent Spoofing of email

Post by RvdH » 2024-05-31 10:14

VadaDosaIdly wrote:
2024-05-30 21:22
Hello Friends,
I have been enjoying hMailServer and its features for some time. However, for some time I am noticing that some hackers are trying to spoof our domain-based emails and spoofing us. This has been going on for some time and I noticed that most times hMailServer is able to identify this spoofing email as SPAM, but sometimes it fails and those directly hit my inbox. The headers of spoofing emails clearly show third-party IP addresses that are not included in our SPF record. We use SPF, DKIM and DMARC policies on our mail server.

Has anyone experienced this issue? What was the resolution, and any advice for me?

SPF, DKIM, and DMARC on your domain will likely (depending on the score) not stop these kinds of spoofing attempts within HMS, as it will use the sender's FromAddress (the sender address of the message, taken from "mail from" during the SMTP conversation and then inserted as the first occurrence of Return-Path) and not the From address.

DKIM will fail (so you either score that very high, not recommended), so you might be better off writing a custom rule in SpamAssassin. Basic example (not tested, use with care):

Code:

describe T_SPOOFBLOCK Block spoofing
# Envelope sender is not in your domain
header   __T_SPOOFBLOCK_A EnvelopeFrom:addr !~ /\@(?:yourdomain\.com)$/i
# Return-Path is not in your domain
header   __T_SPOOFBLOCK_B Return-Path:addr !~ /\@(?:yourdomain\.com)$/i
# From header claims your domain
header   __T_SPOOFBLOCK_C From:addr =~ /\@(?:yourdomain\.com)$/i
meta     T_SPOOFBLOCK ( ( __T_SPOOFBLOCK_A + __T_SPOOFBLOCK_B >= 1 ) && __T_SPOOFBLOCK_C )
tflags   T_SPOOFBLOCK net
# score    T_SPOOFBLOCK 10

If EnvelopeFrom:addr or Return-Path:addr is NOT your domain and From:addr IS your domain, it is likely spoofed; score higher.

CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
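
The comparison that the SpamAssassin rule in the post above performs, written out as a runnable check. This is an added example, not code from the thread, hMailServer or SpamAssassin; the function names `domain_of`, `looks_spoofed` and `sample` are hypothetical, the messages are constructed, and `yourdomain.com` is the placeholder from the post.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

OWN_DOMAIN = "yourdomain.com"  # placeholder domain used in the post above


def domain_of(addr):
    """Lower-cased domain of an address; '' for an empty or null sender."""
    addr = parseaddr(addr)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def looks_spoofed(raw_message, envelope_from, own=OWN_DOMAIN):
    """True when From: claims our domain while the envelope sender or the
    Return-Path does not: (A or B) and C in the rule's terms."""
    msg = message_from_string(raw_message)
    # A message may carry several From addresses; check every one of them.
    from_domains = {domain_of(a) for _, a in getaddresses(msg.get_all("From", []))}
    claims_own = own in from_domains                            # rule C
    env_outside = domain_of(envelope_from) != own               # rule A
    rp_outside = domain_of(msg.get("Return-Path", "")) != own   # rule B
    return claims_own and (env_outside or rp_outside)


def sample(return_path, from_header):
    """Build a constructed test message (not real mail)."""
    return (f"Return-Path: <{return_path}>\n"
            f"From: {from_header}\n"
            "To: user@yourdomain.com\n"
            "Subject: constructed sample\n\nbody\n")


if __name__ == "__main__":
    cases = [
        # (label, Return-Path, From header, envelope sender)
        ("spoofed, mixed case", "bounce@mailer.example",
         '"IT Support" <helpdesk@YourDomain.com>', "bounce@mailer.example"),
        ("own user", "alice@yourdomain.com",
         "Alice <alice@yourdomain.com>", "alice@yourdomain.com"),
        ("external sender", "bob@partner.example",
         "bob@partner.example", "bob@partner.example"),
        # Exact domain comparison, like the regex's $ anchor: not our domain.
        ("lookalike suffix", "x@mailer.example",
         "ceo@yourdomain.com.mailer.example", "x@mailer.example"),
    ]
    for label, rp, frm, env in cases:
        print(f"{label:22} -> {looks_spoofed(sample(rp, frm), env)}")
```

An empty or null sender (`<>`) counts as outside the domain in this sketch, so a bounce whose From header claims the local domain is flagged as well.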

VadaDosaIdly
Normal user
Posts: 45
Joined: 2020-05-26 16:03

Re: How to prevent Spoofing of email

Post by VadaDosaIdly » 2024-05-31 17:10

tunis wrote:
2024-05-31 08:35
I reject all incoming mail from my domain on port 25.

Hello Tunis,
Just for clarification, blocking port 25 will block all incoming emails. I mean, some port needs to be opened for incoming. What port do you suggest?

Code:

' Reject mail arriving on port 25 that claims a sender in my own domain
Sub OnAcceptMessage(oClient, oMessage)
    ' vbTextCompare makes the domain match case-insensitive
    If InStr(1, oMessage.From, "@mydomain.com", vbTextCompare) > 0 And oClient.Port = 25 Then
        Result.Value = 2
        Result.Message = "5.7.1 CODE06 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        Exit Sub
    End If
End Sub

Where should the above code block be updated or added? EventHandler Script?

Does this require adding or changing a setting inside the TCP/IP ports settings of the hMailServer application? Most important, have you tested this, and did spamming stop for you?

palinka
Senior user
Posts: 4589
Joined: 2017-09-12 17:57

Re: How to prevent Spoofing of email

Post by palinka » 2024-05-31 18:47

VadaDosaIdly wrote:
2024-05-31 17:10
tunis wrote:
2024-05-31 08:35
I reject all incoming mail from my domain on port 25.

Hello Tunis,
Just for clarification, blocking port 25 will block all incoming emails. I mean, some port needs to be opened for incoming. What port do you suggest?

Code:

' Reject mail arriving on port 25 that claims a sender in my own domain
Sub OnAcceptMessage(oClient, oMessage)
    ' vbTextCompare makes the domain match case-insensitive
    If InStr(1, oMessage.From, "@mydomain.com", vbTextCompare) > 0 And oClient.Port = 25 Then
        Result.Value = 2
        Result.Message = "5.7.1 CODE06 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        Exit Sub
    End If
End Sub

Where should the above code block be updated or added? EventHandler Script?

Does this require adding or changing a setting inside the TCP/IP ports settings of the hMailServer application? Most important, have you tested this, and did spamming stop for you?

He's not blocking port 25 - he's blocking all mail on port 25 where the from address matches his own domain. His own users submit mail on port 587 or some other port - and never on 25 - so therefore it's safe to assume that anyone claiming to be from his domain on port 25 is spam.

SorenR
Senior user
Posts: 6346
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to prevent Spoofing of email

Post by SorenR » 2024-06-01 18:38

palinka wrote:
2024-05-31 18:47
VadaDosaIdly wrote:
2024-05-31 17:10
tunis wrote:
2024-05-31 08:35
I reject all incoming mail from my domain on port 25.

Hello Tunis,
Just for clarification, blocking port 25 will block all incoming emails. I mean, some port needs to be opened for incoming. What port do you suggest?

Code:

' Reject mail arriving on port 25 that claims a sender in my own domain
Sub OnAcceptMessage(oClient, oMessage)
    ' vbTextCompare makes the domain match case-insensitive
    If InStr(1, oMessage.From, "@mydomain.com", vbTextCompare) > 0 And oClient.Port = 25 Then
        Result.Value = 2
        Result.Message = "5.7.1 CODE06 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        Exit Sub
    End If
End Sub

Where should the above code block be updated or added? EventHandler Script?

Does this require adding or changing a setting inside the TCP/IP ports settings of the hMailServer application? Most important, have you tested this, and did spamming stop for you?

He's not blocking port 25 - he's blocking all mail on port 25 where the from address matches his own domain. His own users submit mail on port 587 or some other port - and never on 25 - so therefore it's safe to assume that anyone claiming to be from his domain on port 25 is spam.

Except when you forward a job opportunity from your favorite jobsite to your own email ;-) Now I forward to a "public" alternate email that is fixed forwarded to my own server :roll:
SørenR.
