Undelivered Mail Returned to Sender


#1

Hello,

Within the past 30 minutes I received 250 messages “Undelivered Mail Returned to Sender”

Can you please tell me what to do?

This is the mail system at host box.example.com

I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

               The mail system

random.person@spammed.com: host smtp.glb.shawcable.net[64.59.136.136] said: 550 5.1.1
random.person@spammed.com recipient rejected (in reply to RCPT TO command)

Subject Dating Teen
From Brandi me@box.example.com
To random.person@spammed.com
Date Today 10:06 pm
HI
We would like to offer you a brand new Parenting Teenagers

The women here really want to meet. Press here to get your trial membership: Enter Here

[by the way, it is beyond depressing to discover that spammers are now trafficking in teenage parents and that my email address if being used:frowning:]


#2

Per Google Domains:

Patricia 9:12 AM

Yes, please check with your mailhost what SPF they can provide you so you can add them correctly to your DNS.

https://support.google.com/a/answer/33786?hl=en

Patricia 9:18 AM
Bottom line on SPF is that it’s mail hosting-related and cannot be added for all.

Patricia 9:18 AM
http://www.openspf.org/Introduction

Patricia 9:20 AM
Please understand that your email is not on Google mail server.

Patricia 9:21 AM
It’s correct that your DNS is in Google, however, they should provide you with a working SPF.

Patricia 9:23 AM
Much as we want to help, we depend on the values for SPF obtained by the user from a host.


#3

After reading this post, I changed my SPF record to


"v=spf1 include:box.example.com -a"

to allow only my MIAB (box.example.com) to send mail claiming to be from my domain (example.com), and prevent any further SPF related issues

J376A Jan '16
Here’s an example to help illustrate how SPF works.

I’ve set up a MIAB for sending email from users@mailinabox.email. I’ve set the MX record for mailinabox.email to my MIAB and taken care of A records and all that already. Now I just need SPF.

Because I’m only sending email from mailinabox.email, I only need an SPF record on the mailinabox.email domain. So for example, because I’m not sending email from discourse.mailinabox.email, I don’t need an SPF record for discourse.mailinabox.email.

I assume you aren’t sending email from awesome-users@box.fwla.com, but instead from awesome-users@fwla.com. Additionally, your email news letter is saying it’s from info@fwla.com

So, the SPF record to focus on will be that of fwla.com itself. You’d want to include both box.fwla.com and amazonses.com. This is because while you aren’t sending emails from awesome-users@box.fwla.com, you are sending emails through box.fwla.com in order to deliver your email. SPF is concerned with the email servers that deliver the email for a domain, which is why the email sending domain SPF should contain the email servers you’ll be using.

Now, if AmazonSES notes that it requires an _amazonses.fwla.com, you should include that as an SPF record in addition to the ones you’ve already set.

So, you should have at least:

fwla.com TXT “v=spf1 include:amazonses.com include:box.fwla.com -a”. This will let only AmazonSES and your MIAB send mail claiming to be from fwla.com, without SPF related issues.
You won’t need to change the SPF records for any of your subdomains unless you need to add some for Amazon SES to work.

The More You Know: Note that we have put -a instead of ~a. The former is restrictive and the latter is permissive. Email coming from somewhere not defined in your SPF, when you use the -a flag, will be rejected. This makes it harder on spammers. Email coming from somewhere not defined in your SPF when using the ~a flag, will result in the email probably getting through but maybe tagged as spam. This is good for debugging how you’ve set up SPF. The setting we have here, with -a, means that you expect legitimate email only to originate on your MIAB and from Amazon SES.


#4

The spoofing stopped yesterday and then started again about an hour ago, despite having updated my SPF record.


#5

any solution to this? i recently have a couple of users having this trouble.


#6

Hi, I check my email on my phone. Once I see bounced messages coming through, I log in to mail in a box as administrator and disable my email address.

I found some interesting links:

https://support.symantec.com/en_US/article.TECH90926.html
1.) Create a sender policy framework (SPF) record for the IP addresses within your domain and enable authentication via SPF records for your own domain.
-You can check if you have an SPF here: https://mxtoolbox.com/spf.aspx
-The SPF record should typically look like this: “v=spf1 ip4:8.8.8.8 include:spf.spamhero.com ~all”

2.) Enable DKIM, publish a DKIM key and DKIM policy, and sign your messages with it.

https://studenterguiden.dk/en/HvadErE-mailSpoofingOgHvordanSikrerDuDigImodDet/Danmark/nyheder/4644
How does email spoofing work? If you have noticed the actual configuration of the email account in your email contacts, you know that the outgoing server always contains SMTP also called the Simple Mail Transfer Protocol. All users use an SMTP when sending an email. However, this protocol can be exploited and is why not all spam smokes in the spam folder. However, the protocols for this were updated in 2008, but still do not contain any filters that can distinguish between original and manipulated headings.

https://community.mimecast.com/thread/2666
"If your spoofed user received an NDR, this would indicate that the sending server (the one that attempted to send the spoofed message) generated the NDR. Unfortunately there isn’t currently any way to keep the sending server from generating an NDR…add an option to Hold messages instead of rejecting them."


How Spammers Spoof Your Email Address (and How to Protect Yourself)


#7


Here is what i having in two of my clients boxes.

any help or orientation to not received this in the boxes of them please.


#8

Hi,

Here is what Google says about spoofing: https://support.google.com/mail/answer/50200?hl=en

Someone is sending emails from a spoofed address
Your Gmail account might be spoofed if you get bounce messages for emails that look like they were sent from your account, or if you get a reply to a message you never sent.

How email spoofing happens
When you send an email, a sender name is attached to the message. However, the sender name can be forged. When spoofing happens, your address can be used as the sender address or the reply-to address.

Why this happens
Some spammers use software programs to create random lists of email addresses to use in spoofing.
If a spammer spoofs your Gmail address, you might get reports of delivery failures for emails that look like they were sent by you.

How to fix the problem
Because these emails are created outside of Gmail, Gmail isn’t able to stop the spammers from spoofing your address. If you get these kinds of emails, report them as spam.

So, even Gmail can not stop spoofing, apparently.


#9

More general suggestions from Google:

General tab

  1. Check your signature to make sure the text looks correct.
  2. Check your vacation responder to make sure the text looks correct, and that it isn’t turned on if you don’t need it to be.

Accounts and Import tab

  1. Check “Send mail as” to make sure all the email addresses listed belong to you.
  2. Check “Grant access to your account” to see that no unknown people have access to your account.
  3. Check “Check mail from other accounts (using POP3)” to make sure all the email addresses listed belong to you.

Filters and Blocked Addresses tab

  1. Check to make sure mail isn’t being automatically forwarded to an unknown account using a “Forward to” filter.
  2. Check that any filters that automatically delete messages (“Delete it”) were set up by you.

Forwarding and POP/IMAP tab

  1. Check that your messages aren’t being forwarded to an unknown account.
  2. Verify that your POP or IMAP settings are correct.

#10

And here is what Amazon says about spoofing: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/authentication.html

Because SMTP does not provide any authentication by itself, spammers can send email messages that claim to originate from someone else, while hiding their true origin. By falsifying email headers and spoofing source IP addresses, spammers can mislead recipients into believing that the email messages that they are receiving are authentic.

Most ISPs that forward email traffic take measures to evaluate whether email is legitimate. One such measure that ISPs take is to determine whether an email is authenticated. Authentication requires senders to verify that they are the owner of the account that they are sending from. In some cases, ISPs refuse to forward email that is not authenticated. To ensure optimal deliverability, we recommend that you authenticate your emails.

Authentication mechanisms used by ISPs include:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)

Also, ensure you comply with Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC relies on SPF and DKIM

Per the mail in a box instruction guide, check your DKIM and SPF configuration via the DKIM validator. http://dkimvalidator.com/ (Send an email from your spoofed account to the address they provide.)

When I ran the dkim validator, it gave me the following error messages:
> Result: permerror (Missing required domain-spec in ‘include:’)
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

I then went to my DNS and created a custom resource record for SPF.
Name = @
Type = SPF
TTL = 1hr
Data = “v=spf1 mx include: box.myserver.com -a -all”

I think it would be great if someone could create detailed, step by step instructions for setting up DMARC, DKIM and SPF records.

More options (per Hover):

Delete your account
"If the spoofing is recurring and causing a lot of inconvenience, the best thing to do would be to delete the account and start over with a new email account." https://help.hover.com/hc/en-us/articles/217282017-Am-I-being-spoofed-or-has-my-email-been-compromised-

Determine if your account has been compromised

  1. Look in the email header
  2. If the header says, “Authenticated sender: sender@senderdomain.com”, your account has been compromised - they have your username and password :rage: :scream::grimacing:
  3. Run a full system virus scan and change your password

Find the spammer

  1. your bounced emails may contain original source of the email
  2. find the IP address of where the message originated
  3. find the ISP
  4. ask the ISP to put the IP address on a blocklist

PGP Encryption and MIAB?
#11

After checking some spam I received, I noticed that spoofers seem to want to manipulate the Reply-To address, so perhaps the key to stopping spoofing is to stop the ability to change the reply-to address:

From Google Incorporation® noreply@googleuk.com
Reply-To portrugpat@outlook.com
Date 2017-05-24 7:42 am

Priority Normal
We wish to congratulate you on this note, for being part of our selected winners in our just concluded …