Hey ET - Domain spoofing question

Tech questions and answers, video game stuff.

Moderator: ElTaco

Mister Bushice
Drinking all the beer Luther left behind
Posts: 9490
Joined: Fri Jan 14, 2005 2:39 pm


Post by Mister Bushice »

I've been receiving these emails in my primary email address (email@), but they are being sent to "guest@" and "help@". I asked a tech guy from my provider, and he said it was possible my domain was being "spoofed", and gave me the following link:

http://openspf.org/

Now, the tech guy said I should fill out the form at that site and then send the results to my provider's tech support email. I don't even know all of the info the form is asking about, so I figured I'd ask someone who knows shit (you) rather than rely on the tech guys screwing up my email.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

Ok, first of all, email spoofing is really easy on an unsecured email server, which, as luck would have it, anyone can install on any machine. On an unsecured server that you set up yourself, you can claim to be anyone sending from anywhere to anyone; in other words, it doesn't lock down who can send from what domain to what domain, so I could claim to be Billgates@microsoft.com sending to you from Microsoft.com, and if it's a really crappy server, it won't even check what server/machine/domain I'm connecting from.

Now the question is how do you protect your domain. There are many options, and they offer different ways of doing this. One option is to get some authority to certify that you are in fact you. You can use PGP or some other derivative of it, or there are some other servers. This way you have a public key that can be included in your email, and it encrypts your email. When you send an email you encrypt it with your private key. The user then uses your public key to unencrypt the contents of your email. The problem is that most of this is done in the background, and anyone can create a key with your name. You can pay a service like Verisign to authenticate you, which is much more accurate, but it costs money. There are also some large registries that have popped up in the past few years. These registries use a community authentication method to ensure that you are you. In other words, they are free; however, not all of them are automatically included in commercial products yet. The way they work is that you have to find a person who is already a trusted member, and you then present them with 2 or more forms of authentication. Each person who verifies your authenticity can give you points, and these points build. As the points build, your authenticity in the system goes up. So the more people that verify you are you in the system, the more you will be trusted. It's a nice system, but ultimately it only works if people actually check who you are and how many 'points' you are worth. If they just blindly open and close your emails, then this doesn't work too well. Also, this is an individual personal thing and not a domain-wide protection.

I've never really worked with SPF or any other domain-wide system, but... your best initial protection is to ensure that your email server is well protected. It should authenticate you when you send and receive emails (both SMTP and POP authentication). You should also limit forwarding so that only people with an account on the server can send (forward) emails to other domains. Finally, you may want to set it up so that only people from certain domains/IP blocks can even connect to your SMTP/POP server.

This will ensure that no one can spoof from your server. Now they will have to use their own server, which will mean that anyone who knows a little about what the email headers should look like will be able to tell if it's a forgery or not. SPF uses exactly this to figure out if an email is spam or not. They want you to set a secure policy, so if you read their directions, you will find they are similar to what I just told you above. Then you publish which servers are authorized to send email for your domain. Now if an SPF server receives email from your domain, it will check to make sure that the email was sent by one of your authorized servers. If it was, it's considered real; if not, it's considered spam and discarded.

The problem is that this only works if most servers in the world are SPF compatible. As of now, I doubt that they are, so for the most part, except for securing your server, there isn't too much you can do that will clean up spoofs of your domain. Considering that there are large corporations that are still using email servers that are out of date and do not conform to basic standards, I'd say a common solution will not be found for a long while.
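What the receiving side of that check looks like, as an added example that is not from the original post or from openspf.org: a simplified SPF evaluator in Python that reads the domain's published record from a constructed, offline stand-in for DNS and decides whether the connecting IP is one of the authorized servers. The domain, host names and addresses are made up.

```python
import ipaddress

# Constructed stand-in for DNS. Real code would query TXT, MX and A records;
# the domain, hosts and addresses here are made up (RFC 5737 test ranges).
FAKE_DNS = {
    "TXT": {"mywebsite.com": "v=spf1 mx ip4:203.0.113.0/24 -all"},
    "MX":  {"mywebsite.com": ["mail.mywebsite.com"]},
    "A":   {"mail.mywebsite.com": ["198.51.100.7"], "mywebsite.com": ["198.51.100.8"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_records(name, dns):
    return [ipaddress.ip_address(a) for a in dns["A"].get(name, [])]

def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the domain's SPF record against the IP that connected to us.

    Supports the ip4, a, mx and all mechanisms with their qualifiers; it does not
    implement include/redirect/exists, CIDR suffixes on a/mx, or the lookup limits
    a real verifier enforces.
    """
    record = dns["TXT"].get(mail_from_domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"            # domain publishes no policy: nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = ip in _a_records(value or mail_from_domain, dns)
        elif name == "mx":
            hosts = dns["MX"].get(value or mail_from_domain, [])
            matched = any(ip in _a_records(h, dns) for h in hosts)
        else:
            return "permerror"   # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # fell off the end without an "all" term
```

A "fail" is what a receiver would act on for mail claiming to be from your domain but arriving from a server you never listed; the "-all" at the end is what turns an unlisted sender into that fail rather than a neutral.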
Mister Bushice
Drinking all the beer Luther left behind
Posts: 9490
Joined: Fri Jan 14, 2005 2:39 pm

Post by Mister Bushice »

Thanks for the info. I use a remote hosted server through my ISP, but the tech guy who linked me to that SPF site didn't even know all of the answers to the questions I asked him, so I decided not to go that route lest I block some legit email unintentionally.

I don't know why they can't just reject any incoming mail arriving in my default email when it isn't addressed to it. That makes no sense.

IOW, someone sends a spam email to "guest@mywebsite.com", and it arrives in "email@mywebsite.com"; can't that be easily stopped?
"If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator." —GWB, Washington, D.C., Dec. 19, 2000
Martyred wrote: Hang in there, Whitey. Smart people are on their way with dictionaries.
War Wagon wrote: being as how I've got "stupid" draped all over, I'm not really sure.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

You should do some quick research on SMTP and how emails are routed.

The To and From fields that you see aren't really used for routing emails. In other words, when you send an email, the SMTP server takes the info you put into your To, CC and BCC fields and puts it into the appropriate header fields; the email is then routed based on these addresses and delivered into your POP3 email box. When you get the email, you once again see the To, From and CC fields that the user typed in, but not the actual fields that the SMTP servers used to route your email.

If you are concerned about spam being sent to your email accounts, I would suggest using some type of Bayesian filter, either on your email client or something like SpamAssassin (open source project) on your server. Either way, these tools generally score emails as they come in based on certain rules. The Bayesian filters can learn based on how you mark emails, so if you get a spam email and you mark the email as spam, your program will read it over and increase and decrease the weight of certain things that it finds/doesn't find in those emails. So, for example, usually when you get an email that is all HTML and only an image is showing, it would be marked as spam; however, maybe in your case you get valid emails like that, so you mark those emails as non-spam several times. Well, by default your program would add (for example) 50 points to the spam score of the email if all it had was an image in it, but now maybe it will only add 20 points, which isn't enough in itself to make the program mark the email as spam.

Your other problem is certifying that the email came from you. This isn't as big a problem in your case, because spammers don't tend to use small domains to spoof, because you don't have trusting clients like a large bank might have. Usually small domains have problems securing their email server, and then spammers can use the server to forward their emails, which may or may not spoof you as the sender. I would say if this is a problem, I would start by making sure that your email server is secure and does not forward. You can do this by disabling forwarding and installing auth.smtp, requiring people to authenticate to the SMTP server before it will accept emails to be sent/forwarded to other domains. By using auth and/or SSL, you are also encrypting your traffic, reducing any possibility of someone sniffing your email information. By securing your own server and ensuring that it doesn't send spam, you make it easier for spam programs to mark emails sent from another server claiming to be from your domain as spam. Also, it will be less likely that your email server/domain will get marked as a spam site on one or more of the blacklists that companies use to block spam.

Once you have secured your SMTP/POP servers, you shouldn't have to worry about people sending out emails with your domain info. If someone does try to spoof you, you could get PGP or some other authentication service that will authenticate you to be you. For business, a company like Verisign is probably the best service, although it's not cheap. You can also run your own service, but this would only be useful within your organization.
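The routing point above (the envelope recipient from the SMTP session versus the To: header the sender typed) and Mister Bushice's question about mail addressed to guest@ landing in email@, as an added example that is not part of the original thread. It assumes, as the thread describes, that the host delivers any unknown local part to a default mailbox; the messages and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed samples. The SMTP session's RCPT TO is the envelope recipient;
# the To:/Cc: headers are text the sender typed and are not used for routing.
SPAM = """\
From: "Bill Gates" <billgates@microsoft.com>
To: guest@mywebsite.com
Subject: constructed sample spam

buy stuff
"""
LEGIT_BCC = """\
From: friend@example.org
To: mailing-list@example.org
Subject: constructed sample where you were Bcc'd

see you saturday
"""
KNOWN_MAILBOXES = {"email@mywebsite.com"}
DEFAULT_MAILBOX = "email@mywebsite.com"   # assumed "default email" box at the host

def route(envelope_rcpt):
    """Pick the mailbox from the envelope recipient only (what an MTA does);
    an unknown local part such as guest@ or help@ falls into the default box."""
    rcpt = envelope_rcpt.lower()
    return rcpt if rcpt in KNOWN_MAILBOXES else DEFAULT_MAILBOX

def header_recipients(raw):
    """Addresses named in the visible To:/Cc: headers of a raw message."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

def header_mismatch(mailbox, raw):
    """True when the mailbox that received the mail is not named in To:/Cc:.
    This fires on the guest@ spam, but also on legitimate mail you were Bcc'd
    on, which is why it belongs in a spam score rather than an outright reject."""
    return mailbox.lower() not in header_recipients(raw)
```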
Mister Bushice
Drinking all the beer Luther left behind
Posts: 9490
Joined: Fri Jan 14, 2005 2:39 pm

Post by Mister Bushice »

Being remote hosted, I don't think I have that much control over my situation. Every time I have tried to contact this provider about out-of-the-ordinary changes, the answer is always "we can't do that". If I could easily move my shit, I would, but it would be a big pita.

However I do have my own server sitting here, waiting for me to get around to putting it on line, and I most certainly will implement some of those ideas you mentioned.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

Remember that using the DNS system (specifically the MX record) you always have the option to set your email server to be anywhere so you could keep them as your webhost if they do a good job at that and either set up your own email server and secure it or find someone else that does a better job just for the email portion.
Mister Bushice
Drinking all the beer Luther left behind
Posts: 9490
Joined: Fri Jan 14, 2005 2:39 pm

Post by Mister Bushice »

Really? That is my biggest complaint against them. Their webmail server is hinky. It is down about an hour a week lately. It never used to be that way.

How would I go about changing that? I'm sure they will be of no help in doing that. Their tech support really sucks.
ElTaco
Networking Securely
Posts: 907
Joined: Fri Jan 14, 2005 4:12 pm
Location: Northern VA

Post by ElTaco »

Well, your first task is to find someone who will accept email for your domain. You could try your ISP (their server is probably secure, although they may not install additional security), or go out and find a host that will do email and will install all the tools you want, or set up your own machine. All you should need is a static IP or FQDN for the email server. Once you have that, you go to your DNS record holder (the primary and secondary DNS server you set when you registered your domain name) and request that they change the MX record from the current server to the new one. Then all email sent to your domain will be referred to the new server.