Spam & Phishing Emails Spoofing My Email Address

davetanguay

Active Member
Mar 30, 2008
This one got me stumped.

I was hoping someone had some advice for me on this one...

I noticed my email address is being spoofed with phishing emails and spam.

I thought I would be able to prevent this using SPF and DMARC records as follows:

<REDACTED>

It seems this email originated from 103.143.76.121, but it is still getting through to me when it should be rejected.

I noticed a lot of cPanel phishing emails are being sent by spoofing our [email protected] address as well, and I want to make sure these get rejected at the recipients' mail server.

Any feedback would be greatly appreciated.

-Dave
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
Hey there! Unfortunately, there's no perfect system to stop these. If there were, it would be well-known and you wouldn't be here asking this question today. The reality is, spammers will always find ways around the checks and there will always be spoofed messages.

Although it sounds like you've done these already, the best information we have is in this article:


The best thing you can do is to block any IP addresses that continue to send those types of messages so they can't even connect to your server to start a mail transaction.

I'm sorry I don't have better news on this one for you.
 

davetanguay

Active Member
Mar 30, 2008
Thanks for the reply, but it seems even a Global Email Filter won't stop this pattern of spam emails in which they are spoofing my From address.

Blocking their IP won't work, since it seems they're sending from Google's servers, and blocking those will block legitimate emails from Google's servers.

Here's the email headers of a recent example:

++++++++++++++++++++++++++++++++++++++
Return-Path: <>
Delivered-To: [email protected]
Received: from cpanel12.primary001.net
by cpanel12.primary001.net with LMTP
id gHi0EVWk72PVEwAAMg0UZQ
(envelope-from <>)
for [email protected]; Fri, 17 Feb 2023 10:59:17 -0500
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Fri, 17 Feb 2023 10:59:17 -0500
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net)
by cpanel12.primary001.net with esmtp (Exim 4.96)
id 1pT373-0004kB-0b
for [email protected];
Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20
by atlas110.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
X-Originating-Ip: [209.85.167.52]
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)
Authentication-Results: atlas110.aol.mail.bf1.yahoo.com;
dkim=pass [email protected] header.s=20210112;
spf=pass smtp.mailfrom=gmail.com;
dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
X-Apparently-To: [email protected]; Fri, 17 Feb 2040 14:31:59 +0000
X-YMailAVSC: zzBDI_o3bBtmtfq_jF2sgrchdrSWbDgtOukUCk9jerRkr1F
5YMwRAgD5c3EjZRvf.yTAFsonsO1pihCOSfJLluGyE8KOyi2Z7QCvde.77Mm
AWLsG.B7jLv7dYy9sxQOWR7cc.esHXXlc4zjEQQ8WvSy5vIQx4K6_acyx0Fc
Q65ghvvL6zl.roRyvn2dZWDDC.hw9Fwdv41QEMnPyZjzA2eI7leyoweG6l_j
2wO0GoxhnMjQZOsPpTusB7Qo43leLp4vvYgrPFZzjtzyPudrWSyBuBgRWRY3
E8WWzNlplkd1j4B3l1Tq5DtPZ1wqHahhQZ60yluOhOcqMwr4YB2r2jedyIcA
rP5PLcwe7nDjptHx1xg.ykd_gLjv85KCgNh9hOA5morWyKgHDC3tYWfRXxcG
zl7irhMQthW7UPGheRpAUUT50CUpks_j.iFRWRl_zzDopD3e64VnBOYsUK9a
u1xSnLQ.BJAR3OAVFF4l5PWLA4GGL6oCjVwptRsOCaobRnBmtmBkEenDKJqz
PGCa_Zpn3kahU8D5fgKIFZFkOkFgNRi7ei3eDaeJcX1ir77WujA7da6Yv7x.
3mMY_utma9bouu8ErzRxNeBpIaWjKw4Ys7aVx8leEQ9rXlOJWtRoXgAoqbqt
Hqa0lqAW6xs5QXwiATLKoiEG0zAgicUWNSADZQgGG4Xyu_F31KCfyf6GE4Nk
qMXWZ9ugaJsltvY06_FVD75Pmz0WqB42dGLfAtEXjPVnZtCWrvqMy2pTgukp
zQ6lMKbCXXY4UdgTf1YSmZJ_O4.adj2wRffnJM_f67zSg3BUAG4hCLQT4iA4
AG358WtYwz5x4whscxzp1cPdfP2Q_zQ9R1G0IB44nepz3ZYVbb1WfdWS.7V.
tUtzfMBSo75urYvt8bCBE5R1QpCsZJWZE7_iC2tPAoXxzIEviRxMDcuvYYQ4
eeNj6OuiIcVjc2ztI0TsNQdmHiYCn7GQrDg6jC595mHSYOJSgfXYs88sPKou
cwDL36xHGkarfjkzVGYR00WLBP8wXKnlBHbprjwPQE2qJoN5YX82Rnh8ZvSu
5r6o4mJ9BMs5XukSR
X-YMailISG: l4ySZ4QWLDsCIFqtrjl9svSm88xGIvN4xBOsj9EIEkr7Z5qt
zwRd_qbODz47U9zW_q9qFV2vYEOHl0BmG_Nj2McQd3aFR.xDSamqMMCE7WfQ
_59HoVFl3JjHjRUcuTE25PGPAywMit4SHcOwTLeKiNgIXAnNaltcFziduA2P
k7f9YBtDUDCkmBSokvVxUZAitShiwpVaCngnqJCuwJNvFvYKM3raDgM3n1l6
CVxRa9XA_fGvDdku_Yz4fq4UltnS9yV9msssdWhXJYVPAX3Vssi_8tymrJTe
kKMnSRdwhjsNa9WAbERxGG4B7JhnmS6hiZxliWuRKo1psrS5eKisUJ1h0QoR
L.s2TYDegIMsySFdavkQ7.IZApogFqgLSNAFJeCjvguN4aemrRIcJ4ZOqyu1
fZVqx3oKLkjcifBvEOArv4NBlIHWAKdW7_K_wlv8QR6dso.4Bh8nx8iZK11t
GWm3Q5OSPsNIHwcaKIn0CF4LOSElL_CVDZ1mylKm1_uAl4e4d7SLMidu.Ht7
wcZnTGvisKChLQe5cc90A_wwMK2tNcQkKlh8piz8o0Cmmz8FRqNIG7PHomIX
u0OSnfI2XYd3gV307KCQxli33VlAAgq9LQK16dEXKnuyxUmtAaTuegFQzwOA
Duw6kgj.PSJPWnX7OTZv7EEG42_MsJXYlWheztmY0KcRDmGsV9tadG_ROMZy
dIvmSAKkWYWGndjJwp4FHVUq_KFDQg5K8tl5HMZJHZ2gE5mnLe5NKeBSCc.E
YvZvuZN4rRpFxXhrL6y12UvT78iljhLVNucLmBLSyVWIVRGNi1dGQNcFVioS
zDnoG_vz8t7v14_hUZqGOnhs039uz2Sb_4.pbLs_lbqzblmcD4quXPI8s1E8
yFH.FKwilY9RZamoWRK_WZ8JzprDhqgWH.5xp9406yKsiqs5aC4fE2Dfj9MC
TiI4Q7qzVfnAsQ13OlVlmnG_TWEq7KbKNT_uNX5MKB_DRFfhkFWR2TceI_iZ
ZdwdLVT7H4vDDrmFe4b70RDbtwQUfxRZ8.J4Nbtk3pECYNeaWNy2k7LucskB
0Ehguk0oToVRrmwTG7ZJHKcdPJv4OzWze5xgX5L5gQhQmBeacanYG99jWC81
keBIj2F0UgEO.R8zx4hrPLUSGEyYdrsYM9IadJFi2wzL8tauIbM7pfYRcswg
AVs-
Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com)
by 10.194.196.20 with SMTPs
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
Fri, 17 Feb 2040 14:31:59 +0000
Received: by mail-lf1-f52.google.com with SMTP id p19so1773333lfr.9
for [email protected]; Fri, 17 Feb 2040 06:31:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:from:to:cc:subject:date:message-id:reply-to;
bh=pC7P3qOuWCWKzwP3BvxgAAr43ic9lKr1ofb2xWQUiX4=;
b=me3i4bNjdC9e9Bm3TMYeHsKq/TiIbHQQsbwcWxo8TmEk+mWfexAO/MEFKy3Zg/dDN7
gYaIZqxwFX2MKQC51IS1WCD4LXnDofNEkuSTkGFSMoqg1Qa0Pli8K6n5BlXbIrAbwhXd
G8RNFjePtxlPfnzheGgQI2O+OCjpRlnMSuAIW8c8Cd+PduvIjDNuyN2QfvFV0WwMoLYW
L+XJmIZuvXNQ9FhvhNs+CZy6QJAFyC3ZJjEprzUksn9GGRCQZBSywAmxKIEYAWE2/lhM
HYSFBPffTwsOXd8mdPwx08rMa0vF6QJw9nw/4+SpEw6vEPDp4bq8I32OLyC+SS3enJ0D
pBZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=pC7P3qOuWCWKzwP3BvxgAAr43ic9lKr1ofb2xWQUiX4=;
b=m6Y/C+al44pwXmf1D+h+ZP+6huQm0NfFdcm72Vr7p4uNVOUHgow3pBFwq1nHneNIrB
pqA6znQfQYHu8brA3jaorI893l5rHb/GO6tQMkwQFWWhlbxb4/0GMzAD8HwxVmuj+1ma
wVYR6kDGcH/h2hgNk3lqMxosNh7O0xMnE38g/Zti5KylfB4wJx4jezQF3SdeCqH8c9UT
M9b0jCz5cvzPet706NPhAgeT6TX8PEJNQIprFTEXO5MzqoYV/F8/OIqOjxZWbaRRvs3b
lqp0OkPNvIXdHRLEd0SymAWSNeJ7kK/IcM/onKw3KTs9WkSNkvU2XVaV5WG27mGqKzW2
JriA==
X-Gm-Message-State: AO0yUKVTl67momJLBOHceV233tP70RzOxvkIiQEiXJZi0nbKyiOjMCT4
+rnt9LFuGzaJSgys3BkmFgPSX30AyRHcEAgMlCbT+G6M
X-Google-Smtp-Source: AK7set8NUVzPOwXYd+nZivLVanpSzWn6hKVFUXirCgs3AgFskgnm7JI/OG/cC6m/S39QDt/K1bbep+fiMid9qLygtmw=
X-Received: by 2002:a05:6512:39c4:b0:4dc:7e56:9839 with SMTP id
k4-20020a05651239c400b004dc7e569839mr2069013lfu.5.1676644318011; Fri, 17 Feb
2040 06:31:58 -0800 (PST)
List-Unsubscribe: https://rdir-agn.freenet.de/uq.html...ct=unsubscribe:MODWOYZVUPEVFSW3M0LCGZ84RYTKVI
X-tdResult: [email protected]-4515daveBWU
References: [email protected]193.PROD.OUTLOOK.COM
MIME-Version: 1.0
From: =?UTF-8?B?THVtaWdlbiBSZWQgTGlnaHQgVGhlcmFweQ==?= [email protected]
Date: Fri, 17 Feb 2040 15:33:47 +0100
Message-ID: CAPrzedVSW+W2IyWzco=OzvuTJ2-fEr=[email protected]
Subject: =?UTF-8?B?WW91IEhhdmUgVG8gU2VlIFRoZXNlIEFtYXppbmcgUmVzdWx0cyE=?=
To: dave [email protected]
Content-Type: multipart/alternative; boundary="000000000000fd654b05f4e62c8a"
X-cpanel12primary001net-MailScanner-Information: Please contact the ISP for more information
X-cpanel12primary001net-MailScanner-ID: 1pT373-0004kB-0b
X-cpanel12primary001net-MailScanner: Found to be clean
X-cpanel12primary001net-MailScanner-SpamCheck: not spam (too large)
X-cpanel12primary001net-MailScanner-From:
X-Spam-Status: No
++++++++++++++++++++++++++++++++++++++

If you look at the attached screenshot, you'll see the email looks like it is spoofing my email address [email protected] as the FROM address.

But if I look at the headers it shows the following:

Return-Path: <>
(envelope-from <>)

I had even set up a Global Email Filter to discard the message if any header shows any of the above, since Return-Path or envelope-from shouldn't be blank if they are legitimate emails, but these emails still get through.

Also, this confuses me a bit. It shows 4 different IPs it was received from, and it shows it passed SPF since it was sent from gmail.com.

++++++++++++++++++++++++++++++++++++++++++++++++
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net)
by cpanel12.primary001.net with esmtp (Exim 4.96)
id 1pT373-0004kB-0b
for [email protected];
Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20
by atlas110.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
X-Originating-Ip: [209.85.167.52]
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)

Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com)
by 10.194.196.20 with SMTPs
++++++++++++++++++++++++++++++++++++++++++++++++

I've blocked 103.198.26.159, but that first IP listed in the headers is always changing. I literally can't keep up with the number of different IPs they use. Also, within this pattern of spam emails, I see Yahoo and Gmail IPs in the headers too.

Why does it show these Yahoo and Gmail IPs?

From what I gather from this info, 10.194.196.20 is a local IP of the spammer's computer, but they're using gmail.com SMTP to send out the spam, somehow spoofing the FROM address to look like my address [email protected].

Also, I just don't know how in the world this can PASS the SPF check:

Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)

Any ideas how to block this type of spoofed spam without having to block Google's IP?

I get a lot like these every day.

Any feedback would be greatly appreciated!
 

Attachments
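To make the header analysis in the first and third posts concrete, here is an added example (not code from the thread, cPanel, Exim or MailScanner) that walks the Received: chain the way the receiving MTA does and reports which identifiers SPF and DMARC are actually evaluated on at that MTA. It runs against a trimmed copy of the quoted headers, with the redacted addresses replaced by example.com placeholders and a p=reject policy assumed for the recipient's own domain, since the real record is redacted; the organizational domain is approximated by the last two labels rather than a Public Suffix List lookup. Two protocol points it makes visible: with a null reverse-path (Return-Path: <>), RFC 7208 evaluates SPF on the HELO name of the connecting client (here 103.198.26.159 announcing itself as mail237.sea22.mcdlv.net), so the Received-SPF: pass for gmail.com stamped by Yahoo further down the chain belongs to a different hop and a different domain; and an Authentication-Results: header carrying another operator's authserv-id is untrusted text as far as the local MTA is concerned (RFC 8601), so the Yahoo dmarc=pass says nothing about the recipient's domain.

```python
"""Walk a message's Received: chain the way the receiving MTA does and
report the identifiers SPF and DMARC are evaluated on.  Added example for
the thread above; it is not cPanel, Exim or MailScanner code."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_HOST = "cpanel12.primary001.net"   # the MTA whose verdict we care about

# Constructed sample: a trimmed copy of the headers quoted in the thread.
# Redacted addresses are replaced with example.com placeholders (assumption)
# and the opaque X-YMail*/Google tracking headers are dropped.
RAW = """\
Return-Path: <>
Received: from cpanel12.primary001.net
    by cpanel12.primary001.net with LMTP id gHi0EVWk72PVEwAAMg0UZQ
    (envelope-from <>) for <dave@example.com>; Fri, 17 Feb 2023 10:59:17 -0500
Received: from [103.198.26.159] (port=40229 helo=mail237.sea22.mcdlv.net)
    by cpanel12.primary001.net with esmtp (Exim 4.96) id 1pT373-0004kB-0b
    for <dave@example.com>; Fri, 17 Feb 2023 10:59:13 -0500
Received: from 10.194.196.20
    by atlas110.aol.mail.bf1.yahoo.com pod-id NONE with HTTPS; Fri, 17 Feb 2040 14:31:59 +0000
Received-SPF: pass (domain of gmail.com designates 209.85.167.52 as permitted sender)
Authentication-Results: atlas110.aol.mail.bf1.yahoo.com;
    dkim=pass header.i=@gmail.com header.s=20210112;
    spf=pass smtp.mailfrom=gmail.com;
    dmarc=pass(p=NONE,sp=QUARANTINE) header.from=gmail.com;
Received: from 209.85.167.52 (EHLO mail-lf1-f52.google.com)
    by 10.194.196.20 with SMTPs (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
    Fri, 17 Feb 2040 14:31:59 +0000
Received: by mail-lf1-f52.google.com with SMTP id p19so1773333lfr.9
    for <dave@example.com>; Fri, 17 Feb 2040 06:31:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
    h=from:to:subject; bh=placeholder=; b=placeholder==
From: Lumigen Red Light Therapy <dave@example.com>
To: dave <dave@example.com>
Subject: You Have To See These Amazing Results!

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+\[?([^\s\]();]+)", re.I)      # sender host or [ip]
HELO_RE = re.compile(r"\b(?:helo|ehlo)[=\s]+([^\s)]+)", re.I)  # helo=x or (EHLO x)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)                  # host that stamped it


def received_hops(msg):
    """Received: lines top-down (most recent hop first), each reduced to the
    claimed sender, its HELO name and the host that wrote the line."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())                     # unfold continuations
        frm, helo, by = FROM_RE.match(text), HELO_RE.search(text), BY_RE.search(text)
        hops.append({"from": frm.group(1) if frm else None,
                     "helo": helo.group(1) if helo else None,
                     "by": by.group(1) if by else None})
    return hops


def connecting_hop(msg, our_host=OUR_HOST):
    """The only hop we can vouch for: the first line stamped by our own MTA
    whose sender is not ourselves (the LMTP hand-off is skipped).  Every line
    below it was written by other parties and may be forged wholesale."""
    for hop in received_hops(msg):
        if (hop["by"] or "").lower() == our_host and (hop["from"] or "").lower() != our_host:
            return hop
    return None


def spf_identity(msg, our_host=OUR_HOST):
    """(client IP, domain, scope) an SPF check at our MTA uses.  RFC 7208
    checks the MAIL FROM domain and falls back to the HELO name when the
    reverse-path is the null '<>' (section 2.4); Received-SPF headers from
    other hops are not consulted."""
    hop = connecting_hop(msg, our_host)
    if hop is None:
        return None, "", "none"
    mail_from = parseaddr(msg.get("Return-Path", ""))[1]
    if mail_from:
        return hop["from"], mail_from.rsplit("@", 1)[-1].lower(), "mailfrom"
    return hop["from"], (hop["helo"] or "").lower(), "helo"


def org_domain(domain):
    """Last two labels as a stand-in for the organizational domain
    (assumption: real DMARC checkers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_check(msg, policy, our_host=OUR_HOST):
    """DMARC (RFC 7489) is about the RFC5322.From domain only.  It can pass
    only if a passing identifier (DKIM d= or the SPF domain) aligns with it;
    alignment is necessary, the DNS-backed pass is checked elsewhere."""
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ip, spf_domain, scope = spf_identity(msg, our_host)
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", " ".join(sig.split()))
        if m:
            dkim_domains.append(m.group(1).lower())
    aligned = (bool(spf_domain) and org_domain(spf_domain) == org_domain(from_domain)) or \
              any(org_domain(d) == org_domain(from_domain) for d in dkim_domains)
    return {"from_domain": from_domain, "client_ip": ip, "spf_scope": scope,
            "spf_domain": spf_domain, "dkim_domains": dkim_domains, "aligned": aligned,
            "disposition": "deliver" if aligned or policy == "none" else policy}


def authentication_results(msg, our_host=OUR_HOST):
    """Split Authentication-Results: by authserv-id.  RFC 8601 lets an MTA
    trust only the ones it stamped itself; foreign ones are mere claims."""
    ours, foreign = [], []
    for raw in msg.get_all("Authentication-Results", []):
        authserv = " ".join(raw.split()).split(";", 1)[0].strip().lower()
        (ours if authserv == our_host else foreign).append(authserv)
    return ours, foreign


def report(raw=RAW, policy="reject", our_host=OUR_HOST):
    msg = message_from_string(raw)
    return {"connecting_hop": connecting_hop(msg, our_host),
            "dmarc": dmarc_check(msg, policy, our_host),
            "auth_results": authentication_results(msg, our_host)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it with python3 to print the report. DNS is deliberately not touched, so the SPF result itself is not computed; the point is that the only identifiers the local MTA can authenticate are the connecting IP 103.198.26.159 with HELO mail237.sea22.mcdlv.net and the gmail.com DKIM signature, neither of which aligns with the example.com From domain, so DMARC for that domain cannot pass whatever the SPF lookup returns, and the message is only rejected if the receiving MTA evaluates DMARC itself rather than trusting the upstream headers.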