SPF is not a solution if you support users who forward email, as forwarding breaks SPF.
The current problem is a new virus or repeat of an old virus that includes a ZIP file with a virus. Just started up again today. Seen a bunch, filtering on body content is easy.

Jeff Hitchcock - [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan
Sent: Monday, May 02, 2005 7:51 PM
To: [email protected]
Subject: Re: [IMail Forum] Spoof problem?

The one thing that you can do, is set SPF DNS records up on your domains. While this doesn't stop anything, it will at least let SPF-configured mail servers block these before they can even be sent (and long before the bounce). I'd say it's worth doing, to save you some hassle. Eventually end-users may try to pursue you, thinking you sent 'em, and you'll have to do the whole education thing with each of them.

Jonathan

Cameron Biggart wrote:

> Todd Richards wrote:
>
>> I've got an email address that I'm receiving "mail delivery failed" messages to - the problem is that I didn't send them. It appears that it is being used to spoof messages with virus attachments. It is a business address, so the image is not particularly favorable. I have not received this before today, and this is the second one (the first was a single email address). I'm assuming either my time has finally come, or someone is making an effort to exploit me.
>>
>> SMTP Security settings for this server are:
>> Mail Relay Options: relay for local users only
>> Allow remote mail to local groups (checked)
>> Check valid sender (checked)
>> Auto-deny possible hack attempts (checked)
>> Disable SMTP "VRFY" command (checked)
>>
>> Any thoughts on what I should do? The returned message shows about 25 email addresses that were "invalid" so it is getting sent to a lot of people.
>>
>> Thanks for your help.
>>
>> Todd
>
> Todd
>
> Chances are the mails are not even originating at your server so your security settings are going to have absolutely no effect. The trouble is, and this may come as a surprise, the sort of people who send these types of unsavory messages are not always honest (I know the shock of it all) and as a result don't always use their own email address in the sender or reply-to fields.
>
> If you still have the failure message and it still has the headers of the original message in it you can look back through the 'received by' headers to get the IP address or server name that the message was sent from (this may also be forged).
>
> Once you have done this and confirmed that it was not your mail server that the message originated from you can sit back, relax, have a drink and quietly seethe at the damage these less than honest people are doing to the reputation of the e-mail address associated with the unsavory mail because there is just about nothing else you can do and absolutely no way to stop them using your address unless you can physically find them.
>
> The good news is though that this sort of thing usually stops on its own when the people sending the mail decide to either pick on someone else (if it's a malicious attack) or change email addresses because yours is being blocked by too many people now.
>
> Sorry for the bad news.

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
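
An added example, not part of any message in this thread: one way to carry out the header check suggested above on the original headers returned inside a bounce, trusting only the newest Received line, since older ones are supplied by the sender and may be forged. The sample headers, host names, addresses and the function names `received_hops` and `came_from_our_server` are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers of the spoofed message as returned inside a bounce.
# Host names use example domains; IP addresses come from documentation ranges.
RETURNED_HEADERS = """\
Received: from dsl-host.example.net (unknown [203.0.113.45])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1
\tfor <someone@recipient.example>; Mon, 2 May 2005 18:02:11 -0500
Received: from mail.victim.example ([192.0.2.10])
\tby dsl-host.example.net with SMTP; Mon, 2 May 2005 18:02:09 -0500
From: todd@victim.example
To: someone@recipient.example
Subject: Mail Delivery (failure)

"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_hops(raw):
    """Return (client_ip, recording_host) per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        # The connecting client's IP sits in the "from" clause, before " by ".
        from_part, _, rest = flat.partition(" by ")
        m = IP_RE.search(from_part)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        hops.append((ip, rest.split(" ")[0] if rest else None))
    return hops

def came_from_our_server(raw, our_networks):
    """Judge only the newest hop, written by the server that bounced the mail.
    Returns True/False, or None when that hop carries no usable IP."""
    hops = received_hops(raw)
    if not hops or hops[0][0] is None:
        return None
    nets = [ipaddress.ip_network(n) for n in our_networks]
    return any(hops[0][0] in net for net in nets)

if __name__ == "__main__":
    for ip, host in received_hops(RETURNED_HEADERS):
        print(f"{ip} -> recorded by {host}")
    print("via our server:", came_from_our_server(RETURNED_HEADERS, ["192.0.2.0/24"]))
```

In the sample, the older Received line names the spoofed domain's own mail host, yet the hop recorded by the bouncing server shows a different connecting address, so the check reports that the message did not pass through the listed network.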
