How do email spam filters tell if a spam email was maliciously sent with intent to shut down a real email address?

@Shelley277

Posted in: #Dkim #Email #Spam #SpamPrevention #Spf

So for example, let's say we have a legitimate user from "user@legitimate.com" who sends real emails. However, there is a malicious individual who is using their own server or some other email service to send thousands of spam emails from "user@legitimate.com."


How do spam filters tell that the second email is not from the legitimate user?
Will the legitimate user get hurt by the actions of the malicious individual? - Would the malicious user's actions result in "legitimate.com" getting placed on blacklists?
What should a legitimate user do if this is happening to them?


@Martha676

Spam filters cannot definitively tell that the second email is not from the legitimate user unless an SPF record exists to inform them of the only authorised servers for sending messages.

The legitimate user could get their domain blacklisted as a result of the actions of malicious individuals and sometimes this is the end-goal for them. This will depend on how well the emails are spoofed and the quantity of messages. Blacklists may require you to implement SPF prior to removing you from their naughty list and you may also have to pay a charge for this.

If this is happening to you then ensure you have set up certain DNS records (TXT records) for your domain name that help to combat spam. An SPF record for your domain describes which servers are authorised to send mail from your domain and instructs recipient mail servers to treat all others as spam and discard the messages. For example:

legitimate.com IN TXT "v=spf1 mx ptr ip4:1.2.3.4 -all"


This would authorise mail to be sent from your mailservers as defined in your MX records, your webserver (using the reverse IP of legitimate.com if you include ptr), and any other IP address you specify. -all instructs mail transfer agents to reject any exceptions as spam. If you are uncertain you could use ~all to say accept but tag as spam. Read up on the SPF Record Syntax.

Secondly you could set up DKIM message authentication on your mailserver, which automatically applies a cryptographic signature to your message. If the receiving mail transfer agent cannot verify that the message came from your mail server using this signature then it may delete the message or at least tag it as spam (depending on the policies they have configured). A DKIM record might look like this:

; "mail" is a placeholder selector name; verifiers look the key up at <selector>._domainkey.<domain>
mail._domainkey.legitimate.com IN TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB"


Thirdly, you could implement DMARC which is designed to help reduce phishing and spoofing attacks, essentially by reporting back to you all delivery reports of messages claiming to be from your domain name so that you can ensure your SPF and DKIM setup is effective. A DMARC record might look like this:

_dmarc.legitimate.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc_reports@legitimate.com"

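To make the mechanics of the answer above concrete, here is an added example (not code from the original post or from any SPF library) of how a receiving mail server evaluates a connecting IP against the sender domain's SPF record, and how a DMARC policy then decides what happens to a message that fails. It implements a subset of RFC 7208 (ip4/ip6/a/mx/ptr/all with the +, -, ~ and ? qualifiers; include, exists and redirect are left out) against a constructed, offline DNS table. Every name, address and record in FAKE_DNS is an assumption made up for the example; the "legitimate.com" SPF record is the one from the answer, and 203.0.113.x and 198.51.100.x are documentation address ranges, not real mail servers.

```python
"""Added example: minimal SPF evaluator (RFC 7208 subset) plus DMARC policy
lookup. All DNS data is constructed for the example and stands in for real
queries; it is not the zone of any real domain."""
import ipaddress
from typing import Callable, Dict, List

# Constructed zone data (assumption): owner name -> record type -> values.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "legitimate.com": {
        "TXT": ["v=spf1 mx ptr ip4:1.2.3.4 -all"],
        "MX": ["mail.legitimate.com"],
    },
    "mail.legitimate.com": {"A": ["203.0.113.10"]},
    "203.0.113.10": {"PTR": ["mail.legitimate.com"]},
    "_dmarc.legitimate.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc_reports@legitimate.com"]},
    "softfail.example": {"TXT": ["v=spf1 ip4:1.2.3.4 ~all"]},  # softer qualifier
    "_dmarc.strict.example": {"TXT": ["v=DMARC1; p=reject"]},
}

Resolver = Callable[[str, str], List[str]]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fake_resolve(name, rtype):
    """Offline stand-in for a DNS query; [] when nothing is published."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])

def parse_spf(record):
    """'v=spf1 mx ptr ip4:1.2.3.4 -all' -> [(qualifier, mechanism, argument), ...]."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # implicit qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed

def _ip_in(ip, cidr):
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # malformed entry or wrong address family never matches

def evaluate_spf(domain, sender_ip, resolve=fake_resolve):
    """SPF result for a connection from sender_ip whose MAIL FROM domain is `domain`."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in resolve(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"  # nothing published: the filter cannot tell
    if len(records) > 1:
        return "permerror"  # RFC 7208 allows exactly one SPF record
    for qual, mech, arg in parse_spf(records[0]):
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = any(_ip_in(ip, a) for a in resolve(target, "A"))
        elif mech == "mx":
            matched = any(_ip_in(ip, a) for mx in resolve(target, "MX") for a in resolve(mx, "A"))
        elif mech == "ptr":
            # reverse name must lie under target AND forward-resolve back to the IP
            matched = any((n == target or n.endswith("." + target))
                          and any(_ip_in(ip, a) for a in resolve(n, "A"))
                          for n in resolve(str(ip), "PTR"))
        else:
            return "permerror"  # include/exists/redirect are outside this subset
        if matched:
            return QUALIFIERS[qual]  # first matching term decides
    return "neutral"  # nothing matched and no 'all' term

def parse_dmarc(domain, resolve=fake_resolve):
    """Tags of the DMARC record at _dmarc.<domain>, or {} if none is published."""
    for record in resolve("_dmarc." + domain, "TXT"):
        tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return tags
    return {}

def dmarc_disposition(domain, spf_result, dkim_aligned_pass, resolve=fake_resolve):
    """Receiver action for a message whose From: domain is `domain`."""
    if spf_result == "pass" or dkim_aligned_pass:
        return "deliver"  # DMARC passes when either aligned check passes
    policy = parse_dmarc(domain, resolve).get("p", "none")
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")

if __name__ == "__main__":
    for dom, ip in [("legitimate.com", "1.2.3.4"), ("legitimate.com", "203.0.113.10"),
                    ("legitimate.com", "198.51.100.77"), ("softfail.example", "198.51.100.77")]:
        res = evaluate_spf(dom, ip)
        print(f"{dom:17} from {ip:14}: spf={res}, action={dmarc_disposition(dom, res, False)}")
```

Running it shows the three outcomes the answer describes: mail from 1.2.3.4 or from the MX host passes, mail for legitimate.com from an unlisted address fails because of -all, and the same spoof against the ~all domain only softfails. Note that with p=none the DMARC record changes nothing about delivery; it only enables the reports, which is why the answer presents it as a way to verify that SPF and DKIM are working before tightening the policy.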

