Receiving Spam emails from my Own Email address in Lotus Domino

1

I am running IBM Lotus Domino Email Server with Symantec Premium Antispam.

For the past few days, I have been receiving SPAM emails that pretend to be coming from my own email address. For example, my email is JOHN@MYCOMPANY.COM, and in my inbox I see spam email coming from JOHN@MYCOMPANY.COM. (In the header different IPs or domains show up, and the subject is different every time; see the code below.)

How can I prevent such spam emails? Sometimes they contain harmful .docm attachments, and sometimes they show advertisements.

Following is the full header.

Received: from dhcp-192-214-94.in2cable.com ([127.0.0.1])
          by agpinf01.agp1 (Lotus Domino Release 8.5.3FP6)
          with ESMTP id 2016070704200181-116326 ;
          Thu, 7 Jul 2016 04:20:01 +0500 
Message-ID: <454418365439223099674707@MYCOMPANY.COM>
From: <MYUSER@MYCOMPANY.COM>
To: <MYUSER@MYCOMPANY.COM>
Subject: Greetings
Date: 7 Jul 2016 08:35:58 +0400
MIME-Version: 1.0
X-Mailer: Sblyue uphckcv
X-MIMETrack: Itemize by SMTP Server on agpinf01/AGP(Release 8.5.3FP6|November 21, 2013) at
 07/07/2016 04:20:01 AM,
         Serialize by Notes Client on syed jahanzaib/MYCOMAPNY(Release 8.5.3FP6|November
 22, 2013) at 07/12/2016 08:57:32 AM,
         Serialize complete at 07/12/2016 08:57:32 AM
X-TNEFEvaluated: 1
Content-type: multipart/alternative;
 boundary="---8D7023F9ECDEAA36CB98425765118D70"

This is a multi-part message in MIME format.
-----8D7023F9ECDEAA36CB98425765118D70
Content-transfer-encoding: quoted-printable
Content-type: text/plain;
 charset="cp-850"

Salutation

Let me present to you one of the largest worldwide enterprises where I =
work as a permanent manager of HR department.


Our company is well known in various fields as follows:
 - real estate
- companies setting-up and winding-up
- supporting business in Europe and other countries=20
- etc.


We need employees:
- payment $5000 + bonus
- 1 - 2 working hours per day
- free timetable=20

If you are interested in this job please=20
visit our web page.
-----8D7023F9ECDEAA36CB98425765118D70
Content-transfer-encoding: quoted-printable
Content-type: text/html;
 charset="cp-850"

<html><head>
 <meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dcp-850"></head>
<body>Salutation<br><br>
Let me present to you one of the largest worldwide enterprises where I =
work as a permanent manager of HR department.<br><br>
<b>Our company is well known in various fields as follows:</b><br>=20
- real estate<br>- companies setting-up and winding-up<br>- supporting =
business in Europe and other countries <br>- etc.
<br><br>
<b>We need employees:</b><br>
- payment $5000 + bonus<br>
- 1 - 2 working hours per day<br>
- free timetable <br><br>
If you are interested in this job please <a =
href=3D"http://luixbeltzamoda.gestiondatos.com/cache/smarty/cache/blockne=
wproducts_tab/20160213/1/1/1/6/16/"><b>visit our web page</b></a>.
 </body></html>
-----8D7023F9ECDEAA36CB98425765118D70--



Syed Jahanzaib

Posted 2016-07-12T04:11:55.313

Reputation: 129

Who manages your email gateway? They will be able to address this. – Paul – 2016-07-12T04:24:05.083

Email gateway? Do you mean email server? It resides in my office physically and is connected to the internet via a fiber line using a fixed IP. I manage my email server myself. – Syed Jahanzaib – 2016-07-12T04:28:47.307

Oh great. Does email get directly delivered to your email server? If so, do you have SPF or DKIM set up? – Paul – 2016-07-12T06:13:31.417

My domain is MYCOMPANY.COM, which is hosted by a hosting company; they pointed @/www to my fixed public IP, which is then configured in my email server. Example: WWW > 1.2.3.4, @ + mail.mycompany.com > 5.6.7.8 (which is my email server).

Email gets delivered directly to my email server. So when our user sends email to the outside world, the other party sees user@mycompany.com in their FROM tab. So what would be the SPF record for my domain?

Something like "v=spf1 a:MYCOMPANY.COM -all"? – Syed Jahanzaib – 2016-07-12T06:28:31.837

Some reading here: http://lifehacker.com/how-spammers-spoof-your-email-address-and-how-to-prote-1579478914 – Vojtěch Dohnal – 2016-07-12T07:24:48.550

Something like v=spf1 a:mailserver.MYCOMPANY.COM -all should be more appropriate; it points to an A record, so it is a host name. – Vojtěch Dohnal – 2016-07-12T08:01:16.213

Answers

2

Your problem is that you have not configured anti-spoofing mechanisms for your mail server. In the 20th century I used to send e-mails from: bill.gates@microsoft.com without any problems.

1) Enable at least verifying PTR records of connecting hosts in Lotus Domino: http://www-01.ibm.com/support/docview.wss?uid=swg21378411

Verify connecting hostname in DNS:

Enable the following fields in the Configuration Document --> Router/SMTP tab --> Restrictions and Controls --> SMTP inbound controls:

Choose one:

  1. Enabled - Domino verifies the name of the connecting host by performing a reverse DNS lookup. Domino checks DNS for a PTR record that matches the IP address of the connecting host to a host name. If Domino cannot determine the name of the remote host, because DNS is not available or no PTR record exists, it does not allow the host to transfer mail. Although Domino accepts the initial connection, later in the SMTP transaction, it returns an error to the connecting host in response to the MAIL FROM command.

     NOTE: Internet SMTP hosts are not required to have PTR entries in DNS. As a result, when this field is enabled, the SMTP task may reject connections from valid SMTP hosts.

  2. Disabled - (default) Domino does not check DNS to verify the name of the connecting host.

2) Check the PTR, SPF, DKIM and DMARC records of your domain: http://blog.msbiro.net/2014/09/if-you-have-trouble-with-smtp-delivery-check-ptr-spf-dkim-and-dmarc-record.html

Those records are stored in DNS server and thus must be configured by your ISP, but they usually provide some interface to allow users to edit their own DNS records.

You should verify the state of your DNS records using: http://mxtoolbox.com

You should define SPF to specify that it is your mail server that is authorized to send mail from your domain and nothing else.

http://www.openspf.org/Introduction

Let's look at an example to give you an idea of how SPF works. Bob owns the domain example.net. He also sometimes sends mail through his GMail account and contacted GMail's support to identify the correct SPF record for GMail. Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:

example.net.  TXT  "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"

The parts of the SPF record mean the following:

  • v=spf1 - SPF version 1
  • mx - the incoming mail servers (MXes) of the domain are authorized to also send mail for example.net
  • a:pluto.example.net - the machine pluto.example.net is authorized, too
  • include:aspmx.googlemail.com - everything considered legitimate by gmail.com is legitimate for example.net, too
  • -all - all other machines are not authorized

This example demonstrates but a small part of SPF's expressiveness. Do not take it as a guideline for building your own record — things might not work out as you expect and legitimate messages might get blocked! Instead, learn more about the record syntax, or get the complete picture by studying the full specification. Community support is available.

Vojtěch Dohnal

Posted 2016-07-12T04:11:55.313

Reputation: 2 586


• DNS verify option is already enabled (Inbound Connection Controls / Verify connecting hostname in DNS: Enabled)
• I have requested the web hosting provider to add the SPF record. Instead of messing with DNS names, which confuse me a bit, I want to add my email server IP.

Is the following SPF record valid? "v=spf1 mx ip4:1.2.3.4 -all" – Syed Jahanzaib – 2016-07-12T08:11:41.060

Rather v=spf1 ip4:1.2.3.4 -all http://www.openspf.org/FAQ/Common_mistakes#no-mx – Vojtěch Dohnal – 2016-07-12T08:17:17.603

But your Domino will probably not use the SPF settings: http://www-01.ibm.com/support/docview.wss?uid=swg21227751. But Symantec AntiSpam might do it. – Vojtěch Dohnal – 2016-07-12T08:21:12.870

https://wordtothewise.com/2014/06/authenticating-spf/ So v=spf1 mx ip4:1.2.3.4 -all is OK: it allows all your MX records + IP 1.2.3.4 to send email from your domain, and everything else is prohibited. But the mail servers or relays must support the SPF protocol. – Vojtěch Dohnal – 2016-07-12T08:37:09.813

Dear all, I really appreciate your replies to my repetitive annoying queries. Just one last query :) In the Symantec article https://support.symantec.com/en_US/article.TECH90926.html I read that you can safely delete inbound emails claiming to come from your domain.

So if I create a rule that blocks Inbound Mail where Internet Domain is MYCOMPANY.COM, then delete the document, will this help to block spoofed emails? Since I only have one single site and a single mail server. – Syed Jahanzaib – 2016-07-12T09:53:49.177

OK, I have added the rule in SMSDOM, but it is blocking info/alert emails that are coming from my other local servers as well. For example, I have a file server that sends backup emails to me@mycompany.com, and those are blocked as well. How do I overcome this issue? – Syed Jahanzaib – 2016-07-12T10:30:30.037

OK, today the SPF record was published for my domain by my hosting provider. But I see no difference. For example, I can go to the site https://www.wormly.com/test_smtp_server, use my email address as Recipient / Sender email for a spoofing test, and I get the email in my inbox. So SPF is not helping in blocking spoofed emails?? – Syed Jahanzaib – 2016-07-19T03:53:48.820

It only helps mail servers, proxies etc. that are programmed to actively use it; it is a relatively new concept. It is guidance for antispam programs on how to deal with spoofed messages, but if there is no such antispam program, it makes no difference. – Vojtěch Dohnal – 2016-07-19T06:12:11.587

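The SPF record syntax from the answer above, and the point made in the last comments (a published record changes nothing unless the receiving side evaluates it), can be seen in a small SPF evaluator. This is an added example, not code from the thread, from Domino or from Symantec; it resolves mechanisms against a constructed in-memory DNS table so it runs offline. All names and addresses in that table are invented documentation values: example.net and pluto.example.net from the openspf.org example with a made-up include target, and mycompany.test with 203.0.113.4 standing in for the 1.2.3.4 record proposed in the comments. It implements the ip4, a, mx, include and all mechanisms with the +, -, ~ and ? qualifiers, which is enough to evaluate both records discussed:

```python
"""Tiny SPF evaluator (subset of RFC 7208) run against a stubbed DNS.
Added example for this thread; not Domino, Symantec or openspf.org code.
Everything in FAKE_DNS is constructed from documentation address ranges."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS so the example runs offline.
# Key: (owner name, record type) -> list of record values.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # the openspf.org example from the answer, with an invented include target
    ("example.net", "TXT"): ["v=spf1 mx a:pluto.example.net include:_spf.mailprovider.test -all"],
    ("example.net", "MX"): ["mx1.example.net"],
    ("mx1.example.net", "A"): ["192.0.2.10"],
    ("pluto.example.net", "A"): ["192.0.2.20"],
    ("_spf.mailprovider.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # the record proposed in the comments, with 203.0.113.4 standing in for 1.2.3.4
    ("mycompany.test", "TXT"): ["v=spf1 mx ip4:203.0.113.4 -all"],
    ("mycompany.test", "MX"): ["mail.mycompany.test"],
    ("mail.mycompany.test", "A"): ["203.0.113.4"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rrtype: str) -> List[str]:
    """Stub resolver; a real receiver would query DNS here."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def ip_in(ip: str, network: str) -> bool:
    """True if ip lies in network; a bare address is treated as a /32."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the published SPF policy for a connection from `ip` claiming `domain`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                     # RFC 7208 caps include recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:    # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech == "a":              # A record(s) of arg, or of the domain itself
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":             # A record(s) of every MX host of the domain
            matched = any(ip_in(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":        # matches only if the included policy passes
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:                          # ip6, exists, redirect= ... not implemented here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                   # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.net"),      # an MX host: pass
                       ("192.0.2.20", "example.net"),      # pluto: pass
                       ("198.51.100.7", "example.net"),    # via include: pass
                       ("203.0.113.99", "example.net"),    # anything else: fail
                       ("203.0.113.4", "mycompany.test"),  # the listed server: pass
                       ("203.0.113.5", "mycompany.test"),  # any other host: fail
                       ("203.0.113.4", "nospf.test")]:     # no record: none
        print(f"{ip:>14} as {domain:<16} -> {check_spf(ip, domain)}")
```

Running the block prints the receiver's verdict for each connecting address. Two details worth noticing: the mx mechanism is satisfied by the address of any MX host of the domain, which is why the "no-mx" FAQ entry linked above suggests listing only the hosts that actually send; and include matches only when the included domain's own record returns pass. None of this runs on a server that does not implement the check, so a Domino server without SPF support delivers the spoofed message whatever the record says, which is what the spoofing test in the comments showed.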
1

NEVER, and I repeat NEVER, let an SMTP server that is meant for your internal mails be directly accessible from the internet. Having so-called "spoofed" mails is your smallest concern in doing so.

Of course you can -and should- configure your Domino server to not be an open relay by setting the appropriate options in the Router/SMTP tab of the configuration document of your server (start reading here in the IBM Domino Administrator help), but this will only block the most obvious kind of spam / malware mails.

Your server will be subject to massive mail flooding, denial of service attacks, mail relay attempts, ... you name them.

And as soon as they flood your server it will break down and not be able to do your internal services as well.

There are a lot of professional services that filter email and send only the "good" mails to your mail server. There are spam/antivirus appliances that can be set in front of your Domino to professionally filter all bad mails.

Domino cannot do this (although there are add-in products to filter spam and viruses, that does not solve the problem of mail flooding).

Torsten Link

Posted 2016-07-12T04:11:55.313

Reputation: 970

My server is not an open relay; it only allows my internal users to send email. My problem is not flooding, but sometimes I receive emails pretending to be coming from my domain, and in the header it shows external IPs/domains, as shown in the header above. – Syed Jahanzaib – 2016-07-12T07:04:57.643

1

Update: Yesterday I was able to block the spoofed emails. I made the following rule in SMSDOM.

Description: Compliance Rule:

Flow: Inbound

Applied: Conditionally (exempt my few local servers' email IDs that are used to send backup/alert emails to the admin)

Expression: if Internet Domain Contains MYCOMPANY.COM

Action: QUARANTINE

:) & now I can see many spoofed emails dropping into the quarantine box.

Thank you all for the support.

Syed Jahanzaib

Posted 2016-07-12T04:11:55.313

Reputation: 129

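To make the workaround in the answer above concrete, here is an added Python sketch that applies the same rule to the header posted in the question. It is not SMSDOM, Domino or Symantec code, and the internal host, its address and the exempt sender address are constructed; the question only says that such backup/alert servers exist. Inbound mail whose From: domain is our own is quarantined unless it came from an exempted internal host, which is how the backup mails from local servers mentioned in the comments are let through. Two choices differ from the rule as posted: the domain is compared exactly rather than with a "contains" test, so a lookalike such as notmycompany.com is not swept up by the rule, and the source address is read from the topmost Received: line. The header in the question shows Domino recording the connection from [127.0.0.1], so in that setup the external address has to be read from whichever component accepted the connection first.

```python
"""Toy model of the SMSDOM compliance rule from the accepted workaround:
inbound mail whose From: domain is our own is quarantined unless it came from
an exempted internal host. Added example; not SMSDOM, Domino or Symantec code.
Headers are adapted from the question; all addresses below are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

OUR_DOMAIN = "mycompany.com"
# Internal hosts that legitimately send inbound mail "as us" (backup/alert jobs).
# Constructed values: the question only says such servers exist.
EXEMPT_SOURCE_IPS = {"192.168.10.5"}
EXEMPT_SENDERS = {"backup@mycompany.com"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg: Message) -> Optional[str]:
    """Address in the topmost Received: line, i.e. the host that spoke SMTP to
    the first server under our control. Lower Received: lines were written by
    outsiders and can say anything."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def source_ip(raw: str) -> Optional[str]:
    return connecting_ip(message_from_string(raw))


def from_address(raw: str) -> str:
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()


def classify(raw: str, flow: str = "inbound") -> str:
    """Return 'quarantine' or 'deliver' for one raw RFC 822 message."""
    if flow != "inbound":                       # the rule applies to inbound flow only
        return "deliver"
    sender = from_address(raw)
    # Exact domain comparison, not "contains": a lookalike such as
    # user@notmycompany.com must not be caught by this rule.
    if sender.rpartition("@")[2] != OUR_DOMAIN:
        return "deliver"
    ip = source_ip(raw)
    if ip in EXEMPT_SOURCE_IPS and sender in EXEMPT_SENDERS:
        return "deliver"                        # e.g. the file server's backup report
    return "quarantine"                         # claims to be us, came from outside


# The header from the question with the connecting address replaced by a
# constructed external one (Domino logged 127.0.0.1 in the original).
SPOOFED = """Received: from dhcp-192-214-94.in2cable.com ([203.0.113.77])
          by agpinf01.agp1 (Lotus Domino Release 8.5.3FP6)
          with ESMTP id 2016070704200181-116326 ;
          Thu, 7 Jul 2016 04:20:01 +0500
From: <MYUSER@MYCOMPANY.COM>
To: <MYUSER@MYCOMPANY.COM>
Subject: Greetings

Salutation
"""

# Constructed: the nightly backup mail that the first version of the rule blocked.
INTERNAL_ALERT = """Received: from fileserver.mycompany.local ([192.168.10.5])
          by agpinf01.agp1 (Lotus Domino Release 8.5.3FP6)
          with ESMTP id 2016071203000000-1 ;
From: backup@mycompany.com
To: admin@mycompany.com
Subject: Backup finished

OK
"""

# Constructed: ordinary external mail, and mail from a lookalike domain.
EXTERNAL = "Received: from mta.other.test ([198.51.100.9])\nFrom: bob@other.test\n\nhi\n"
LOOKALIKE = "Received: from mta.other.test ([198.51.100.9])\nFrom: bob@notmycompany.com\n\nhi\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal alert", INTERNAL_ALERT),
                      ("external", EXTERNAL), ("lookalike", LOOKALIKE)]:
        print(f"{name:<15} from {source_ip(raw)}: {classify(raw)}")
```

The exemption requires both the internal source address and the expected sender address to match, so a spoofed message that merely uses the backup job's address is still quarantined unless it also arrives from the internal host.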
0

Domino servers do not support SPF or DKIM, and Domino's mail rules aren't going to help you solve this problem without creating new ones. I have no idea what capabilities your Symantec configuration has, but I believe that your best bet will either be to install an email security appliance that is configured to act as your MX and relay to your Domino server, or to outsource your MX to a company that provides hosted anti-spam services.

P.S. This question really belongs on ServerFault rather than SuperUser.

rhsatrhs

Posted 2016-07-12T04:11:55.313

Reputation: 640

Noted. I finally found the workaround to sort this issue. – Syed Jahanzaib – 2016-07-13T03:31:09.770