IP spoofing IT help


Jinjre
11-29-2005, 11:38 AM
Okay, I am definitely a chemist, not an IT person, so I'm hoping one of you folks might be able to help me.

In the past week or so, we've had our IP address spoofed by spammers. Which, unfortunately, means I'm (as webmaster) receiving, oh, 100+ emails per day which are getting bounced back to me by the mailer daemon, all of them infected with virii.

Is there any way to "spoof proof" my IP so they can't do this? I know they're not using our computer systems (we've got too many firewalls for anyone to get through), but since they're spoofing the IP, I can't make these things stop.

Or am I just hosed?

*sigh*

Panamah
11-29-2005, 11:44 AM
Do you guys have your own mail server? Or do you download email from your ISP?

I don't think they'd actually need to spoof an IP, what they're doing is probably forging email headers to say they're from your domain. It is probably a security configuration issue with the email server, it needs to only relay messages from you all, rather than anyone who claims to be you. That's usually done by forbidding forwarding or relaying unless it comes from a particular address range (or something like that, I'm pretty rusty).

Stormhaven
11-29-2005, 11:45 AM
Anything infected with a virus should be stopped by your company's gateway mail server (which should be scanning all incoming mail). You cannot stop spoofing, you can take pretty much any mail client, say you're "user@somedomain.com" in your From: field and if you find an anonymous relay server, you can send all day long.

The only thing you can do (and it's really not that effective) is try to figure out which server is the open relay and have that server put on one of the many Real Time Blacklists. If your company has an anti-spam server, it may check those lists to see if incoming mail is being sent from those servers.

Another option is to have your DNS guy set up an SPF record. Many of the larger ISPs and public companies are starting to check SPF records, and if they see someone sending from your domain but not listed as an authorized server, it will reject the connection.

Short answer, yes, you're still pretty screwed. The best answer for you is to get something like Inbox rules that will auto delete/sort the stuff you have coming inbound.
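Stormhaven's SPF suggestion, worked through as an added example (not code from the thread or from any poster): a minimal evaluator that handles only the ip4:, ip6: and all mechanisms, with no DNS lookups, and constructed records and addresses. It shows why a forged sender gets a hard fail against a record ending in -all, while a record ending in +all, or no record at all, gives the receiving server nothing to reject on.

```python
import ipaddress

# Constructed records (example code, not from the thread). The weak record ends
# in +all, so any host on the internet passes; the hardened one ends in -all.
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 +all"
HARDENED_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against a v=spf1 TXT record.

    Only ip4:, ip6: and all are implemented; a/mx/include need DNS lookups and
    are reported as permerror here. Returns the usual SPF result strings."""
    if record is None:
        return "none"  # domain publishes nothing: receivers have no basis to reject
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass if matched"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"  # no mechanism matched and no trailing all

def receiver_rejects(record, sender_ip):
    """What Stormhaven describes: a receiving server refuses mail whose sending
    host gets a hard fail against the claimed domain's record."""
    return evaluate_spf(record, sender_ip) == "fail"
```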

Jinjre
11-29-2005, 12:06 PM
We're a whopping 5 people big, so uh...I AM the IT department ><

Yes Pan, we download our mail from our ISP servers, we aren't big enough to warrant having our own email server. And given our luck with our ISP, I doubt there's much they can (or will) do. Unfortunately, we do have a lot of emails which involve receiving forwarded messages from people outside our domain, oftentimes with "to" lists on them containing 30 or more people (ah, science by committee) which means banning forwarded mail would not be good for us.

Ah well, sounds like I'll be deleting virus laden returns. Just one more thrilling aspect of my job.

Stormhaven
11-29-2005, 12:37 PM
If you think it's worth it, you might check out a company like <a href="http://postini.com/">Postini</a>. They do email filtering before it gets sent to your ISP. I believe they had some price plans that catered to small businesses too.

Panamah
11-29-2005, 12:54 PM
Jinjre, try doing a google of "email management virus spam" and you can probably find a bunch of those companies if you want more than one to check. Otherwise, try to call your ISP and see if they'll help you out. They might have services they will turn on for a few bucks a month. Sometimes they just nickel and dime you for stuff you really should have included.

Tinsi
11-29-2005, 01:17 PM
If their ISP's email server is an open relay, I'd bitch loudly and demand that a) I get refunded for crapastic service and b) they fix it - immediately.

Jinjre
11-29-2005, 01:20 PM
Tinsi, can you explain to me (in very small words) what it means to be an "open relay"? I don't want to call them up and sound like a moron who has no clue what I'm talking about (even if I am one).

Stormhaven
11-29-2005, 01:21 PM
The ISP is not an open relay, their ISP is just forwarding the mailer daemon messages from other domains which did not accept the mail.

Spammer -> Open Relay -> Destination Domain -> Rejection email -> Spoofed Domain's ISP -> Jinjre's mailbox

Tinsi
11-29-2005, 01:32 PM
Tinsi, can you explain to me (in very small words) what it means to be an "open relay"? I don't want to call them up and sound like a moron who has no clue what I'm talking about (even if I am one).

A properly configured email server will tell an email knocking at its door to sod off unless it either:
- originates from said server or
- has said server as its destination

An open email relay will accept any emails, regardless of where it's coming from and where it's going. I'm sure you can imagine how finding these is pretty high on the professional spammer's list of priorities.

However, from your first post it sounds like Stormy is correct. The emails you are getting truckloads of are of the "this message could not be delivered blabla"-kind, yes?
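Tinsi's two-rule relay policy as an added example (not code from the thread or from any poster), using a constructed ISP configuration and constructed SMTP envelopes: the decision looks only at the connecting client's address and the recipient domain, never at the From address, and an open_relay flag models the misconfiguration where everything is accepted.

```python
import ipaddress

# Constructed configuration for a hypothetical ISP mail server (example code,
# not from the thread): the customer address range and the domains it hosts.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_DOMAINS = {"myworkdomain.com", "isp.example"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def relay_decision(client_ip, mail_from, rcpt_to, open_relay=False):
    """Decide one SMTP envelope the way Tinsi describes.

    Accept only if the connection comes from the server's own network or the
    recipient is in a domain the server hosts. mail_from is deliberately not
    consulted: the From address is whatever the client claims, so a policy
    based on it is exactly what the spammer's forgery defeats. open_relay=True
    models the misconfiguration, where everything is accepted."""
    if open_relay:
        return "accept"
    ip = ipaddress.ip_address(client_ip)
    from_local_net = any(ip in net for net in LOCAL_NETS)
    to_local_domain = domain_of(rcpt_to) in LOCAL_DOMAINS
    if from_local_net or to_local_domain:
        return "accept"
    return "reject"  # SMTP 554, relay access denied

# Constructed envelopes: a customer sending out, an outsider trying to relay
# a forged-From message to a third party, and ordinary inbound mail.
ENVELOPES = [
    ("203.0.113.25", "alice@myworkdomain.com", "bob@elsewhere.example"),
    ("198.51.100.7", "alice@myworkdomain.com", "victim@elsewhere.example"),
    ("198.51.100.7", "someone@elsewhere.example", "webmaster@myworkdomain.com"),
]

def audit(open_relay=False):
    """Run every envelope through the policy; the middle one is the test."""
    return [relay_decision(ip, f, t, open_relay) for ip, f, t in ENVELOPES]
```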

Jinjre
11-29-2005, 01:54 PM
Yes, I'm getting the returned emails, pretty much like Stormy has outlined.

The "original sender" email address isn't even one of ours. Unfortunately, all email not sent to a 'real' email address (5 employees, 5 email addresses, and not a single one of them is xyglekhew@myworkdomain.com) goes into my mailbox (because we don't seem to be able to convince our clients that firstlastname is not the same as flastname, and because many of our clients seem incapable of spelling) so I can sort out the ones that should be going to someone else.

I used to have it set up where all emails not directed to one of our 'real' email addresses went straight to devnull, but we got too many complaints about that and it was causing issues with clients.

Ah, the wonders of modern technology.

Panamah
11-29-2005, 02:03 PM
You could set up an email filter to direct those to a special folder you don't open very often.

I did that with freecycle.org. I got spammed with dozens of responses trying to find a new home for my stuff. So I set up a mailbox for them and a filter to stick everything in there from that mailing list.

guice
11-29-2005, 02:32 PM
It's not just you. I got that too. It's not your IP they are spoofing, too. All they do is pick a domain that had a catch-all enabled and started using that as the "From" address for all the spams.

I finally got tired of it and completely disabled my catch-all. The emails will go into never-never land. That is if they pass the "From email" validation checks.
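The middle ground between Jinjre's catch-all (everything unknown lands in the webmaster's inbox) and guice's disabled catch-all, as an added example (not code from the thread or from any poster): a routing filter that keeps the catch-all for misaddressed client mail but quarantines bounce messages addressed to mailboxes that never existed, which is the backscatter Stormhaven diagrammed. The mailbox list, domain and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed setup (example code, not from the thread): five real mailboxes,
# with everything else at the domain falling through to the webmaster.
DOMAIN = "myworkdomain.com"
REAL_MAILBOXES = {"jinjre", "alice", "bob", "carol", "dave"}
CATCH_ALL = "jinjre"

def is_bounce(msg):
    """Delivery failure notices carry an empty return path and/or come from a
    MAILER-DAEMON address; real correspondents never look like that."""
    return_path = msg.get("Return-Path", "").strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return return_path == "<>" or sender.startswith("mailer-daemon@")

def route(raw_message):
    """Return where one inbound message should go: a real inbox, the catch-all
    inbox, a backscatter quarantine folder, or rejection for foreign domains."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    if domain != DOMAIN:
        return "reject"
    if local in REAL_MAILBOXES:
        return "inbox:" + local
    if is_bounce(msg):
        # A bounce for an address that never existed here can only be
        # backscatter from someone forging our domain as the sender.
        return "quarantine"
    return "inbox:" + CATCH_ALL  # misspelled but genuine client mail

# Constructed samples: the spam bounce Jinjre describes, a misaddressed client
# message, and mail for a real mailbox.
BACKSCATTER = "\n".join([
    "Return-Path: <>",
    "From: MAILER-DAEMON@mx.elsewhere.example",
    "To: xyglekhew@myworkdomain.com",
    "Subject: Undelivered Mail Returned to Sender",
    "", "This is the mail system at host mx.elsewhere.example.", ""])
MISADDRESSED = "\n".join([
    "Return-Path: <client@lab.example>",
    "From: client@lab.example",
    "To: jinjer@myworkdomain.com",
    "Subject: assay results", "", "Please see attached.", ""])
DIRECT = "\n".join([
    "Return-Path: <client@lab.example>", "From: client@lab.example",
    "To: alice@myworkdomain.com", "Subject: hello", "", "Hi Alice", ""])
```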