Domain facing massive e-mail spoofing attacks: Can something be done?
Hello,
I am running my own mailserver using Mailcow and I noticed, since mid-January, a huge rise of e-mail address spoofing attacks, in three ways:
(1) a lot of spam ends up in the inbox despite having rspamd.
(2) a few undelivered e-mail errors
(3) some e-mails with rubbish content sent to public administrations, with my e-mail address mentioned in the “via” field, but different sender address (possibly from a third hacked mailserver), end up in my inbox as well.
My mailserver doesn’t seem to have been hacked BTW, as e-mails were sent today and the last connection to the SMTP service was 2 days ago according to Mailcow admin UI.
Here are my questions:
(1) Does the address spoofing make that rubbish mail end up in the recipients’ inbox?
(2) Is it shown as being sent by me or by the third hacked mailserver?
(3) Is there a way to block the incoming spam using that technique in rspamd?
(4) Can this spoofing attack impact my domain name’s reputation (blacklist, …?)
(5) Last but not least, do you think I could get in legal trouble given the fact attackers seem to spoof my e-mail to target public administrations of my country (France, in case that matters)? If so, what could prove neither me nor my mailserver are faulty?
I am respecting all the good practices for e-mail security (SPF, DKIM, DMARC, and even signing my emails with an S/MIME cert). Oh and my server isn’t an open relay _
Thank you!
@intelisense
Those are properly configured, I get a 10/10 on mail-tester dot com, as well as everything validated on mxtoolbox.
Then you need to seriously consider if your mail server is compromised or a user’s credentials have been leaked. What does your DMARC record look like? Could be that DMARC is not blocking delivery yet.
@intelisense
Hello, thank you for your answer and sorry for the late reply.
I took some time analyzing my SMTP server logs, and it contains 100% legit outgoing traffic. And no successful SSH connection for weeks on the server so it can’t have been erased.
u/voracity confirms my thoughts as well. I think the issue is outside and unrelated to my server. And the e-mail address in question seems to have leaked from several places according to haveibeenpwned (the password is safe though).
@intelisense Oh and sorry for the second message I forgot the last part of your message. Here’s the DMARC record, I’ve been using it for months now:
_dmarc.villisek.fr. 900 IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@villisek.fr,mailto:b377e11c@mxtoolbox.dmarc-report.com; ruf=mailto:postmaster@villisek.fr,mailto:b377e11c@forensics.dmarc-report.com; rf=afrf; sp=quarantine; fo=0:1:d:s; pct=100; adkim=r; aspf=s"