Over 10,000 spoofed emails from my server!

I came home to discover that one of my domains which has a personaladdress@domain and a test@domain has over 10,000 mailer daemons from spoofing attempts. I have SPF and DMARC set up. I can no longer email to any microsoft domain as I have been blacklisted. How can I secure my email and prevent this?

I just went through something similar. I tried sending to a large mailing list and ended up getting my IP blacklisted. I had to re-start all over again. Try checking your IP on mxtoolbox.com… MS never unblocked the IP. Good luck…

I’ll have to move to a new IP, I’m pretty sure, but I need to figure out how to PREVENT this from happening in the future.

DMARC, SPF in strict mode, and DKIM are about the best you can do. And it’s still not perfect.

Richard

The only way I’ve found to get MS to unblock an IP is to block MS’s entire IP range, and then tell them that in one of your replies to the idiots in Outlook Deliverability Support. It escalates the ticket to a supervisor, who must be at least an imbecile to hold that position. If you’re really lucky, you’ll get a moron.

Whoever gets the ticket, they get all offended – and unblock your IP.

I usually say something like, “My records indicate that 47 percent of my incoming spam comes from Microsoft-owned servers, therefore your IP range is not eligible for remediation.” I just quote whatever bullshit they told me and throw it back at them. And I really do block their IPs.

So far, it’s worked every time.

Richard


LMAO!!! Man, that is funny! Thanks!


Yeah, securing your email server is a never ending battle.
The first issue you will need to resolve is “how did it happen?” in the first place.
That means going through all the logs and trying to see what happened.

Obviously you need to implement all the recommended security protocols.
Make sure that there aren’t any open back-doors. Often it’s not the email server that’s the problem, but an unsecured web page. E.g. we found that a spoofer used an unsecured website email form to do this.
Ditto for webmail functionality.

The next step, as mentioned, is to ensure DMARC, SPF & DKIM are correctly set up and set as tight as possible.

Microsoft is a problem.
They use Spamhaus, so check your IP there first.
However, not only do they block you when you are listed there, but they also use an Outlook reputation score derived from the number of Outlook users that list you as spam. So, for example, you might have a 100% valid email subscriber list, but when you send an email the recipient marks you as junk. A few of those and you get blocked as a spammer.

Getting that reset is virtually impossible. You can request access to that IP address from Microsoft Smart Network Data Services, but that will be blocked if your email server IP is provided by a T1 hosting provider.


Since no one has addressed the root cause, you either have a user sending that spam (one of your domain owners), or you have an exploitable web application running that has allowed someone to send mail as a local user.

Postfix, in the default configuration and in the configuration Virtualmin sets up, is not an open relay. So…for someone to send mail, they have to have access to an account. Those are the two obvious ways for it to happen.
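Nobody in the thread posted code, so here is an added example (not from any poster, Virtualmin or Postfix) of the log triage the two replies above describe: a small Python script that reads Postfix smtpd and pickup lines and surfaces the two root causes named, an authenticated account submitting far more mail than usual or from many client IPs, and a local web process injecting mail through sendmail/pickup. The log lines, account names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Two Postfix log shapes are parsed (the shapes are Postfix's own; every value in
# SAMPLE_LOG is constructed sample data, not real traffic):
#   smtpd:  QUEUEID: client=host[ip], sasl_method=PLAIN, sasl_username=user
#   pickup: QUEUEID: uid=33 from=<www-data>   (mail injected locally, e.g. by a web form)
SASL_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)
PICKUP_LINE = re.compile(r"postfix/pickup\[\d+\]: [0-9A-F]+: uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")

SAMPLE_LOG = """\
Jan 12 03:14:15 mail postfix/smtpd[2101]: 5A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:14:16 mail postfix/smtpd[2101]: 5A1B2C3D4F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:14:20 mail postfix/smtpd[2102]: 6B1B2C3D40: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:14:21 mail postfix/smtpd[2102]: 6B1B2C3D41: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:14:30 mail postfix/smtpd[2103]: 7C1B2C3D42: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:14:31 mail postfix/smtpd[2103]: 7C1B2C3D43: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=test@example.com
Jan 12 03:15:02 mail postfix/smtpd[2104]: 8D1B2C3D44: client=home.example.net[203.0.113.200], sasl_method=PLAIN, sasl_username=personaladdress@example.com
Jan 12 03:20:01 mail postfix/smtpd[2105]: connect from unknown[203.0.113.77]
Jan 12 03:21:10 mail postfix/pickup[1900]: 9E1B2C3D45: uid=33 from=<www-data>
Jan 12 03:21:11 mail postfix/pickup[1900]: 9E1B2C3D46: uid=33 from=<www-data>
"""

def parse_log(text):
    """Tally SASL logins per account, distinct client IPs per account, local injections per (uid, sender)."""
    logins, ips, local = Counter(), defaultdict(set), Counter()
    for line in text.splitlines():
        m = SASL_LINE.search(line)
        if m:
            logins[m["user"]] += 1
            ips[m["user"]].add(m["ip"])
            continue
        m = PICKUP_LINE.search(line)
        if m:
            local[(int(m["uid"]), m["from"])] += 1
    return logins, ips, local

def suspicious_accounts(text, max_logins=5, max_ips=2):
    """Accounts with more than max_logins submissions or more than max_ips client IPs (thresholds assumed)."""
    logins, ips, _ = parse_log(text)
    return {u: (n, len(ips[u])) for u, n in logins.items() if n > max_logins or len(ips[u]) > max_ips}

def local_injectors(text, min_count=2):
    """(uid, sender) pairs that injected at least min_count messages through pickup."""
    _, _, local = parse_log(text)
    return {k: n for k, n in local.items() if n >= min_count}
```

On a real server, feed it /var/log/mail.log (or `journalctl -u postfix`) and compare the hits against which accounts and web applications are supposed to send mail at all.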