Kerio Spam (unknown users as spam email using my own domain name)
  •  
JJJCR

Messages: 110
Karma: -6
Hi gurus, we have Kerio Connect version 8.0.1.
We have configured an alias for our domain and specified a folder to route the emails.

I just noticed that there are quite a number of spam emails, using our own domain name.

The user names are random, like: caroll@mydomain.com, 1434309421.4290843@mydomain.com, jack@mydomain.com, charles@mydomain.com

Basically, some email accounts are valid and existing, some email accounts have been deleted already, and some are just random ones that we never created.

Any ideas why we're having this problem? How do I stop this spam from using my own domain name?

Thank you for any ideas.
  •  
freakinvibe

Messages: 1529
Karma: 60
I guess you are talking about Sender addresses. Sender addresses can be spoofed, you cannot prevent that.

You can set up SPF and Sender ID to detect those messages and mark them as spam.

Can you post the full header of such a mail?

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
JJJCR

Messages: 110
Karma: -6
Yes, I'm talking about the spoofed sender addresses.

Here's the full header below.

I guess the spammer was using sendmail.php to do the thing.

Can you give an example of how to configure SPF and Caller ID in DNS?

Thanks :)

===============
Full Header:

Return-Path: <lividy069<_at_>google.com>
X-Spam-Status: No, hits=4.7 required=5.0
tests=BAYES_50: 1.567,URIBL_DBL_SPAM: 1.7,URIBL_RHS_DOB: 1.514,
TOTAL_SCORE: 4.781,autolearn=no
X-Spam-Level: ****
Received: from chello213047155159.5.graz.surfer.at ([113.17.255.279])
by xmail07.mydomain.com
for xnvalln<_at_>mydomain.com;
Sat, 1 Apr 2013 18:42:50 +0800
Received: from apache by pcghphphpeqqhggjrrr.fox-oskam.com.ca with local (Exim 4.67)
(envelope-from <<xnvalln<_at_>mydomain.com>
Cc: <xneval<_at_>mydomain.com>>)
id E59TXJ-8V7GY2-HM
for <xnvalln<_at_>mydomain.com>
Cc: <xneval<_at_>mydomain.com>; Sat, 1 Apr 2013 11:42:49 +0100
To: <xnvalln<_at_>mydomain.com>
Cc: <xneval<_at_>mydomain.com>
Subject: the insane gurus right now
X-PHP-Script: pcghphphpeqqhggjrrr.pado.com.br/sendmail.php for 113.17.255.279
From: <xnvalln<_at_>mydomain.com>
Cc: <xneval<_at_>mydomain.com>
X-Sender: <xnvalln<_at_>mydomain.com>
Cc: <xneval<_at_>mydomain.com>
X-Mailer: PHP
X-Priority: 1
Content-Type: text/plain; charset="windows-1250"
Message-Id: <0AZRP0-LT9JEN-HB<_at_>pcghphphpeqqhggjrrr.caspex.co.nz>
Date: Sat, 1 Apr 2013 11:42:49 +0100
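
The signals visible in a header like the one above can be checked mechanically. The following is an added example, not part of the original post and not Kerio code; `LOCAL_DOMAINS`, `TRUSTED_NETS` and the sample message are assumptions constructed for illustration, with the forum's `<_at_>` written as `@` and a documentation IP address in place of the relay.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): the local domain and trusted relay range.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample modelled on the posted header; "<_at_>" is written as "@"
# and the relay IP is a documentation address.
SAMPLE = """\
Return-Path: <lividy069@google.com>
Received: from chello.example.net ([203.0.113.45])
\tby xmail07.mydomain.com
\tfor xnvalln@mydomain.com;
\tSat, 1 Apr 2013 18:42:50 +0800
To: <xnvalln@mydomain.com>
Subject: the insane gurus right now
X-PHP-Script: host.example/sendmail.php for 203.0.113.45
From: <xnvalln@mydomain.com>
X-Mailer: PHP

body
"""

def domain_of(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    # The topmost Received header is the one written by the receiving server.
    m = re.search(r"\[([0-9a-fA-F:.]+)\]", msg.get("Received", ""))
    relay = ip_address(m.group(1)) if m else None
    external = relay is not None and not any(relay in n for n in TRUSTED_NETS)
    if from_dom in LOCAL_DOMAINS and external:
        findings.append("local-domain From via external relay")
    if env_dom and env_dom != from_dom:
        findings.append("envelope/From domain mismatch")
    if msg["X-PHP-Script"]:
        findings.append("sent by web script")
    return findings
```

SPF is evaluated against the envelope sender, so for a message shaped like this sample the record consulted is the one for the Return-Path domain, not the one for mydomain.com in the From header.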

  •  
freakinvibe

Messages: 1529
Karma: 60
Have a look at the instructions in the Kerio knowledge base on how to create SPF and Caller ID records:

http://kb.kerio.com/product/kerio-connect/antispam/how-do-i-create-an-spf-or-caller-id-record-248.html

In addition, you can activate the following setting:

"Require authentication even when sender is from a local domain"

in the SMTP server security settings.

[Updated on: Tue, 09 April 2013 14:18]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
camisy

Messages: 114
Karma: 12
If you are downloading your emails via POP from another ESP, I recommend thinking about having your own MX in order to have the full functionality of Kerio Connect anti-spam features such as Spam Repellent, Blacklists and Greylisting.
  •  
scottwilkins

Messages: 652
Karma: 7
SPF records are so easy for spammers to set up these days, that SPF really doesn't work any more. Caller ID is a little better, but not a lot. Many companies no longer do this, so blocking on SPF failures could block good e-mail too. I'm still waiting for a "certificate" style e-mail verification system to be made. One that's backed by international laws. I know, dreaming again.... sorry.

[Updated on: Wed, 10 April 2013 15:49]

  •  
tonyswu

Messages: 271
Karma: 5
scottwilkins wrote on Wed, 10 April 2013 06:48
SPF records are so easy for spammers to set up these days, that SPF really doesn't work any more. Caller ID is a little better, but not a lot. Many companies no longer do this, so blocking on SPF failures could block good e-mail too. I'm still waiting for a "certificate" style e-mail verification system to be made. One that's backed by international laws. I know, dreaming again.... sorry.


SPF is not supposed to stop spam, it is supposed to protect your domain from being used by spammers. So I am not sure why it doesn't work. If a company cannot be bothered to spend 30 seconds and put in a TXT record to protect their domains and reputation, I would be rather concerned.
  •  
camisy

Messages: 114
Karma: 12
tonyswu wrote on Wed, 10 April 2013 20:32
scottwilkins wrote on Wed, 10 April 2013 06:48
SPF records are so easy for spammers to set up these days, that SPF really doesn't work any more. Caller ID is a little better, but not a lot. Many companies no longer do this, so blocking on SPF failures could block good e-mail too. I'm still waiting for a "certificate" style e-mail verification system to be made. One that's backed by international laws. I know, dreaming again.... sorry.


SPF is not supposed to stop spam, it is supposed to protect your domain from being used by spammers. So I am not sure why it doesn't work. If a company cannot be bothered to spend 30 seconds and put in a TXT record to protect their domains and reputation, I would be rather concerned.


You are right on the one side, but if I select to not accept any emails with false SPF, it's an anti-spam feature, isn't it? ;)
  •  
freakinvibe

Messages: 1529
Karma: 60
Quote:
SPF records are so easy for spammers to set up these days, that SPF really doesn't work any more. Caller ID is a little better, but not a lot. Many companies no longer do this, so blocking on SPF failures could block good e-mail too.


I don't think you are correct there. Most of the big mail companies have set SPF up. So if a spammer puts hotmail.com as a sender address, SPF will stop it.

Why would it have gotten easier for spammers to set up SPF? It was always the same. They need to buy their own domains to do it, so they try to use other domains to spoof the sender address like yours, GMail, Hotmail etc. With SPF, this can be prevented.

What do you mean by SPF failure? An SPF Fail is when the domain has a valid SPF record, but the sending IP address does not match. If a domain does not have an SPF record, you would of course not block it. So I think there is some misunderstanding from your side.

We stop some spam with SPF, but other things like Blacklists are more effective. Nevertheless, SPF is one of many things that fend off spam.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
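
The distinction drawn in the last post (an SPF Fail requires a published record that the sending IP does not match, while a domain with no record is not blocked) and the earlier request for an example record can be shown together. This is an added example, not part of the thread and not Kerio's implementation; the TXT records and addresses are constructed, `192.0.2.0/24` stands in for the mail server's real public range, and only the `ip4`, `ip6` and `all` mechanisms are evaluated, with no DNS lookups.

```python
from ipaddress import ip_address, ip_network

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for illustration; 192.0.2.0/24 stands in for the
# mail server's real public range (assumption, not from the thread).
RECORDS = {
    "mydomain.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
}

def check_spf(domain, client_ip, records=RECORDS):
    """Evaluate ip4/ip6/all mechanisms only (no DNS, no include/a/mx)."""
    terms = (records.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"             # no policy published: nothing to enforce
    ip = ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"           # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"  # mechanism outside this sketch's scope
    return "neutral"              # record ended without a matching term

def should_reject(result):
    # Policy described in the thread: block only on an explicit fail.
    return result == "fail"
```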