
Someone is using my Google Apps email ID to send spam messages and I've received 2000+ undelivered and auto-response emails.

I have no idea how to block this because the spammer is also using my email as reply-to email.

If you have any previous experiences, can you tell me how to block this in an easy way?

Subjects are like "URGENT Pedophile Alert" and "Heres your $1OOO Walmart Gift Card"

My DNS has this as the TXT record: v=spf1 a mx ip4:X.X.XX.XX ~all

I have now added this: v=spf1 include:_spf.google.com ~all

For reference, here's a sample reply to an email I received (I have added xxxx to hide some emails):

Delivered-To: mail@xxxxxxxx.com
Received: by 10.27.89.9 with SMTP id n9csp996482wlb;
        Sun, 24 Jan 2016 14:48:58 -0800 (PST)
X-Received: by 10.55.73.85 with SMTP id w82mr17774512qka.52.1453675738222;
        Sun, 24 Jan 2016 14:48:58 -0800 (PST)
Return-Path: <>
Received: from SNT004-OMC2S24.hotmail.com (snt004-omc2s24.hotmail.com. [65.55.90.99])
        by mx.google.com with ESMTPS id 7si20890653qgy.13.2016.01.24.14.48.57
        for <mail@xxxxxxx.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Sun, 24 Jan 2016 14:48:58 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of SNT004-OMC2S24.hotmail.com designates 65.55.90.99 as permitted sender) client-ip=65.55.90.99;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of SNT004-OMC2S24.hotmail.com designates 65.55.90.99 as permitted sender) smtp.mailfrom=;
       dmarc=fail (p=NONE dis=NONE) header.from=msn.com
Received: from na01-bl2-obe.outbound.protection.outlook.com ([65.55.90.72]) by SNT004-OMC2S24.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
     Sun, 24 Jan 2016 14:48:57 -0800
Received: from BN3PR17MB0625.namprd17.prod.outlook.com (10.165.115.139) by
 BN3PR17MB0625.namprd17.prod.outlook.com (10.165.115.139) with Microsoft SMTP
 Server (TLS) id 15.1.390.13; Sun, 24 Jan 2016 22:48:56 +0000
Received: from BN3PR17MB0625.namprd17.prod.outlook.com ([127.0.0.1]) by
 BN3PR17MB0625.namprd17.prod.outlook.com ([10.165.115.139]) with Microsoft
 SMTP Server id 15.01.0390.013; Sun, 24 Jan 2016 22:48:56 +0000
From: MAC MCOMBER <macxxxxxxxarol1@msn.com>
To: Neighborhood Alert <mail@xxxxxxxxxx.com>
Subject: Automatic reply: URGENT Pedophile Alert
Thread-Topic: URGENT Pedophile Alert
Thread-Index: AQHRVvlnYJlMVx0pu0eDEW+YO1CewZ8LRN0u
Date: Sun, 24 Jan 2016 22:48:56 +0000
Message-ID: <56bcad494e29434eb31e762fcdf38e6f@BN3PR17MB0625.namprd17.prod.outlook.com>
References: <COL004-MC2F10rf3yXv000739cd@COL004-MC2F10.hotmail.com>
In-Reply-To: <COL004-MC2F10rf3yXv000739cd@COL004-MC2F10.hotmail.com>
X-MS-Has-Attach:
X-Auto-Response-Suppress: All
X-MS-Exchange-Inbox-Rules-Loop: macxxxol1@msn.com
X-MS-TNEF-Correlator:
authentication-results: xxxxxx.com; dkim=none (message not signed)
 header.d=none;web3canvas.com; dmarc=none action=none header.from=msn.com;
x-ms-exchange-parent-message-id: <COL004-MC2F10rf3yXv000739cd@COL004-MC2F10.hotmail.com>
auto-submitted: auto-generated
x-ms-exchange-generated-message-source: Mailbox Rules Agent
x-microsoft-exchange-diagnostics: 1;BN3PR17MB0625;23:szzPHpRWFWcejvo2dVr00t4AmKBuIQDpL3YmG6ZCC5F/mfnjUl/jlt55bZF/MtXSTFhp0/CX3A1b/sGFEV4zxkFoBjbtnJtEa6BKcTT8WTQ6Teef4aeLAfDtuizz7xnYvOABjb7ypohELRorJ+crqT4VC49sxoI0DL4/s/FBdgqQldhRcWIqGt03naEtuRpUyN/Fe92wH/fcA8NXyAg+Mg==;5:+c3FXL7JypOTqHvY8I3WIqTp7xEaq8cyZMuC77eHCAmKt2hVjmUtKB91eVkr7Qi7d6sVjae+uk9gbv2/uxkXrXpbQM/GoP8gwpN6hSb08y9SqQHh2BOVNMl+0YvIB57AcGMYQUXW2gvzanmG1GLPfA==;24:MRTsqWmPbTTdXzjvcnrNYmNjuiue/CXXsOT8meWUHPlRD+VBUVnIkamU4QgBZoVbx2+IOOUkNKcqkrXVQdN6m2Cmr7fSpQ04SBxi8vaQ3lA=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR17MB0625;
x-ms-office365-filtering-correlation-id: 0afd3f36-0f70-4738-daf4-08d325108aa3
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(432015012)(82015046);SRVR:BN3PR17MB0625;BCL:0;PCL:0;RULEID:;SRVR:BN3PR17MB0625;
x-forefront-prvs: 0831C25939
x-forefront-antispam-report: SFV:NSPM;SFS:(7070004)(98900002);DIR:OUT;SFP:1901;SCL:1;SRVR:BN3PR17MB0625;H:BN3PR17MB0625.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative;
    boundary="_000_56bcad494e29434eb31e762fcdf38e6fBN3PR17MB0625namprd17pr_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-1-318-15-msonline-outlook-9143d.templateTenant
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jan 2016 22:48:56.4758
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR17MB0625
Return-Path: <>
X-OriginalArrivalTime: 24 Jan 2016 22:48:57.0752 (UTC) FILETIME=[68EAD180:01D156F9]

--_000_56bcad494e29434eb31e762fcdf38e6fBN3PR17MB0625namprd17pr_
Peter Mortensen
Surjith S M
  • As far as I know this is really hard to counter without controlling the mail server yourself. I would contact your mail provider definitely. – AdHominem Feb 04 '16 at 18:19
  • Have you tried generating a new Apps ID in case the current one got accidentally leaked? If that works, the next step might be to see if you can identify how the ID got leaked - like through an infected computer that you've used recently. – Dom Feb 04 '16 at 23:39
  • @Dom I didn't create any Apps ID, just changed the DNS records to link to Google Apps. – Surjith S M Feb 05 '16 at 07:06
  • @AdHominem Will try that too. – Surjith S M Feb 05 '16 at 07:07
  • If you want to Google more discussion about this, it is called a "joe job". – Ben Jackson Feb 05 '16 at 07:41

3 Answers

I have now added this: v=spf1 include:_spf.google.com ~all

The ~all at the end just causes a soft fail, that is, mail will still be delivered. If you want a permanent fail, use -all. Of course this only affects mail servers which check the SPF records, and not all of them do.

Steffen Ullrich
  • If I put `-all`, will all mails fail? Even the ones I'm sending? I'm also using Mailchimp with the email. So will that also not deliver? Sorry, I'm a newbie. – Surjith S M Feb 05 '16 at 07:08
  • @SurjithSM: From your question I would assume that you have no understanding of how SPF works but still try to configure it somehow. Basically it specifies which mail servers (IP addresses) can deliver mails to other mail servers which contain a specific sender domain as sender. For more details see https://en.wikipedia.org/wiki/Sender_Policy_Framework. – Steffen Ullrich Feb 05 '16 at 08:50
  • In the Google Help, they say that if you use -all, you will get some mail delivery issues. So I'm confused (indeed I have no knowledge of this stuff). – Surjith S M Feb 06 '16 at 09:04
  • The mail delivery issues you might have are because servers checking SPF don't accept mail from this domain which is not sent through the specified mail servers. In case of misuse of your domain this is exactly what you want. Of course you need to follow your rules yourself, i.e. don't try to use your domain as sender when the delivery is not done through Google's mail servers. – Steffen Ullrich Feb 06 '16 at 09:10
~~From the mail it looks like they are sending from a Google account, circumventing the SPF record.~~ Misread the respective headers. It's not the case.

My recommendation would be to roll out DMARC and DKIM. This allows you to ask the receiving servers to discard or quarantine mail if it wasn't sent and signed by your server. I don't know if DKIM is possible with Google Apps email.

tarleb
  • Sorry, I'm a newbie. Can you explain what I should do? – Surjith S M Feb 05 '16 at 07:05
  • DKIM & DMARC can both be implemented in a Google Apps environment (Gmail), having recently (and very painfully) configured them in an enterprise environment. https://support.google.com/a/answer/2466563?hl=en - Google docs on adding DMARC; https://support.google.com/a/answer/174124?hl=en - configuring DKIM. DKIM will have no effect in this instance, as presumably your emails are not being intercepted and changed during transmission. – Aaron Dobbing Feb 05 '16 at 12:04
If you're getting bounce messages back to you, that's known as backscatter. It's possible to filter out bogus bounce messages. See also http://www.dontbouncespam.org/#BS for other ways to filter backscatter.

This does not stop the spammer from sending emails to victims, using your name in the From: line.

D.W.
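As an added example of the backscatter filtering D.W. describes (not part of the answer), this Python snippet treats a message as backscatter when it is a bounce or auto-reply whose referenced Message-ID is one our own server never sent. The two header samples and the SENT_IDS store are constructed, modelled on the auto-reply quoted in the question.

```python
import email
import re

# Constructed store of Message-IDs our own server actually emitted; in practice
# this is fed from the outbound MTA log.
SENT_IDS = {"<20160124.001@mail.victim.example>"}

# Constructed sample modelled on the auto-reply in the question (addresses and
# ids changed, body omitted). Note the empty Return-Path and smtp.mailfrom=.
BACKSCATTER = """\
Return-Path: <>
Authentication-Results: mx.google.com;
       spf=pass (best guess record for domain of snt004-omc2s24.hotmail.com) smtp.mailfrom=;
       dmarc=fail (p=NONE dis=NONE) header.from=msn.com
From: Some Recipient <someone@msn.example>
To: Neighborhood Alert <mail@victim.example>
Subject: Automatic reply: forged message sent in our name
In-Reply-To: <forged0001@mailer.spammer.example>
Auto-Submitted: auto-generated

"""
# Constructed legitimate reply to a message we really did send.
LEGIT_REPLY = """\
Return-Path: <alice@partner.example>
From: Alice <alice@partner.example>
To: mail@victim.example
Subject: Re: Invoice 42
In-Reply-To: <20160124.001@mail.victim.example>

"""
AUTO_SUBJECT = re.compile(
    r"^(Automatic reply|Undeliver|Delivery Status Notification|Returned mail)", re.I)
MSGID = re.compile(r"<[^>]+>")

def classify(raw_message, sent_ids):
    """Return (is_backscatter, reasons): a bounce or auto-reply counts as
    backscatter when none of the messages it refers to were sent by us."""
    msg = email.message_from_string(raw_message)
    reasons = []
    if (msg.get("Return-Path") or "").strip() == "<>":
        reasons.append("null envelope sender")  # bounces and auto-replies use <>
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        reasons.append("Auto-Submitted: " + msg["Auto-Submitted"].strip())
    if AUTO_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("auto-reply subject")
    automatic = bool(reasons)
    referenced = set(MSGID.findall(msg.get("In-Reply-To", "") + " " + msg.get("References", "")))
    unknown = bool(referenced) and not (referenced & sent_ids)
    if automatic and unknown:
        reasons.append("refers to a message we never sent")
    return (automatic and unknown, reasons)
```

A DSN that carries the original only as an attachment has no In-Reply-To, so extend the Message-ID extraction to the attached message/rfc822 part before relying on this in a filter.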