Need help stopping email spoofing from my domain


#1

I’m trying to stop someone from spoofing my domain and sending out spam emails. I’ve already set up SPF (Sender Policy Framework). I thought that would block these from being sent, but it didn’t. It seems like the “Received: from” server in the header is always different. I’ve seen:

aitsecure.net (unknown [69.94.30.107])
5150.worldwide.jp (219.117.252.203.static.zoot.jp [219.117.252.203])
v1.mailsystems.net (v1.mailsystems.net [192.168.0.16])
titanic.ableelectropolishing.com (unknown [63.250.224.130])
e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.141])

Here is the header from an email that bounced back to me because I have a catch-all email setup. Any help is greatly appreciated.

Return-Path: <>
X-Original-To: Debra7F146D@jeffhyde.com
Delivered-To: x13094368@homiemail-mx12.g.dreamhost.com
Received: from server.aitsecure.net (unknown [69.94.30.107])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id A6F7D27844D
for <Debra7F146D@jeffhyde.com>; Thu, 28 Jun 2012 20:19:22 -0700 (PDT)
Received: from localhost (localhost)
by server.aitsecure.net (8.13.8/8.13.8) id q5T2xcIb003499;
Thu, 28 Jun 2012 22:59:38 -0400
Date: Thu, 28 Jun 2012 22:59:38 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@server.aitsecure.net>
Message-Id: <201206290259.q5T2xcIb003499@server.aitsecure.net>
To: <Debra7F146D@jeffhyde.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="q5T2xcIb003499.1340938778/server.aitsecure.net"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--q5T2xcIb003499.1340938778/server.aitsecure.net

The original message was received at Thu, 28 Jun 2012 22:59:37 -0400
from [188.49.9.2]

----- The following addresses had permanent fatal errors -----
<etbunch@collegeboundnews.com>

----- Transcript of session follows -----
554 5.2.2 Mail system full.
554 5.0.0 Service unavailable

--q5T2xcIb003499.1340938778/server.aitsecure.net
Content-Type: message/delivery-status

Reporting-MTA: dns; server.aitsecure.net
Received-From-MTA: DNS; [188.49.9.2]
Arrival-Date: Thu, 28 Jun 2012 22:59:37 -0400

Final-Recipient: RFC822; etbunch@collegeboundnews.com
Action: failed
Status: 5.5.0
Last-Attempt-Date: Thu, 28 Jun 2012 22:59:38 -0400

--q5T2xcIb003499.1340938778/server.aitsecure.net
Content-Type: text/rfc822-headers

Return-Path: <Debra7F146D@jeffhyde.com>
Received: from 188.49.9.2 ([188.49.9.2])
by server.aitsecure.net (8.13.8/8.13.8) with ESMTP id q5T2xZIb003483
for <etbunch@collegeboundnews.com>; Thu, 28 Jun 2012 22:59:37 -0400
Date: Thu, 28 Jun 2012 22:59:35 -0400
Message-Id: <20120629061918.FE0508BDF74D125374F6@NJM-PC>
From: Lavonne Livingston <Debra7F146D@jeffhyde.com>
To: etbunch <etbunch@collegeboundnews.com>
Reply-To: Irma Durham <Brandie830236@crevelingsawmill.com>
Subject: Hi etbunch
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

--q5T2xcIb003499.1340938778/server.aitsecure.net--


#2

You’re getting backscatter which is not surprising considering you are using a “catch all” mailbox. It could be that the machine that is receiving messages is going to send bounces to forged From/Sender addresses regardless of whether or not the machine sending the message is blacklisted.


#3

You can’t prevent anyone from sending an e-mail that spoofs your domain, even with SPF. What SPF does is to allow the recipient of such e-mails to detect if an e-mail is sent from an authorized server, thus making it easier to detect spam.

It would make sense for the servers that deal with such messages not to send failure messages to a spoofed address. If so that would reduce the backscatter. I don’t know if this is common behavior, but given that you are still receiving them after setting up SPF, I guess the answer is that it’s not.
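An added example, not code from anyone in this thread, that ties together what #2 calls backscatter and what #3 says SPF actually does. It parses the bounce quoted in #1, confirms it is a delivery-status report with an empty envelope sender, pulls the connecting IP of the original spoofed message (188.49.9.2) out of the returned headers, and evaluates that IP against an SPF record for jeffhyde.com. That record is invented for illustration; the real one is not on the page. Only the DNS-free part of SPF (ip4, ip6, all) is implemented, so include:, a, mx and redirect= are rejected rather than silently ignored.

```python
"""Backscatter check plus a DNS-free SPF evaluation over the bounce in post #1.

Added example; not code from anyone in this thread. ASSUMPTIONS: the SPF
record for jeffhyde.com below is invented for illustration (the real one is
not on the page), and only the ip4/ip6/all mechanisms of SPF are evaluated.
"""
import email
import ipaddress
import re

# Assumed policy: two hypothetical sending addresses, everything else hard-fails.
ASSUMED_SPF = {"jeffhyde.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all"}

# Constructed sample: the poster's bounce, trimmed to the headers that matter.
BOUNCE = """\
Return-Path: <>
Received: from server.aitsecure.net (unknown [69.94.30.107])
    by homiemail-mx12.g.dreamhost.com (Postfix) with ESMTPS id A6F7D27844D
    for <Debra7F146D@jeffhyde.com>; Thu, 28 Jun 2012 20:19:22 -0700 (PDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@server.aitsecure.net>
Content-Type: multipart/report; report-type=delivery-status;
    boundary="q5T2xcIb003499.1340938778/server.aitsecure.net"
Auto-Submitted: auto-generated (failure)

--q5T2xcIb003499.1340938778/server.aitsecure.net
Content-Type: text/rfc822-headers

Return-Path: <Debra7F146D@jeffhyde.com>
Received: from 188.49.9.2 ([188.49.9.2])
    by server.aitsecure.net (8.13.8/8.13.8) with ESMTP id q5T2xZIb003483
    for <etbunch@collegeboundnews.com>; Thu, 28 Jun 2012 22:59:37 -0400
From: Lavonne Livingston <Debra7F146D@jeffhyde.com>

--q5T2xcIb003499.1340938778/server.aitsecure.net--
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
CLIENT_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
HELO_RE = re.compile(r"^from\s+(\S+)")


def parse_spf(record):
    """Parse the subset of RFC 7208 that needs no DNS: ip4:, ip6: and all.
    Returns ([(network, result), ...], default_result). include:, a, mx and
    redirect= need lookups, so they raise instead of being silently skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, default = [], "neutral"  # no 'all' term means neutral (RFC 7208 4.7)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            default = QUALIFIERS[qual]
        elif term.lower().startswith(("ip4:", "ip6:")):
            nets.append((ipaddress.ip_network(term[4:], strict=False), QUALIFIERS[qual]))
        else:
            raise ValueError(f"mechanism needs DNS, not evaluated offline: {term}")
    return nets, default


def check_host(ip, domain, spf_records):
    """SPF check_host(): first matching mechanism wins; 'none' when no record."""
    record = spf_records.get(domain.lower())
    if record is None:
        return "none"
    nets, default = parse_spf(record)
    addr = ipaddress.ip_address(ip)
    for net, result in nets:
        if addr.version == net.version and addr in net:
            return result
    return default


def client_ip(received):
    """Connecting peer as recorded in brackets by the receiving MTA."""
    m = CLIENT_IP_RE.search(received)
    return m.group(1) if m else None


def helo_name(received):
    """Name the peer announced, as recorded after 'from' by the receiving MTA."""
    m = HELO_RE.search(received)
    return m.group(1) if m else None


def envelope_sender(msg):
    """MAIL FROM as stored in Return-Path; '' for the null sender '<>'."""
    return msg.get("Return-Path", "").strip().strip("<>").strip()


def analyse_bounce(raw, spf_records, our_domain):
    msg = email.message_from_string(raw)
    outer = msg.get("Received", "")
    verdict = {
        "is_dsn": msg.get_content_type() == "multipart/report"
        and msg.get_param("report-type") == "delivery-status"
        and envelope_sender(msg) == "",
        # A DSN has an empty MAIL FROM, so SPF on it falls back to the HELO
        # identity (RFC 7208 2.4): the bouncing host's name, never our domain.
        "bounce_spf_identity": helo_name(outer),
        "original_client_ip": None,
        "original_sender_domain": None,
        "spf_on_original": None,
        "backscatter": False,
    }
    for part in msg.walk():
        if part.get_content_type() != "text/rfc822-headers":
            continue
        inner = email.message_from_string(part.get_payload())
        sender = envelope_sender(inner)
        verdict["original_sender_domain"] = sender.rsplit("@", 1)[-1] if "@" in sender else None
        verdict["original_client_ip"] = client_ip(inner.get("Received", ""))
        if verdict["original_client_ip"] and verdict["original_sender_domain"]:
            verdict["spf_on_original"] = check_host(
                verdict["original_client_ip"], verdict["original_sender_domain"], spf_records)
    # Backscatter: a DSN for a message that claimed our domain but came from
    # an address our policy does not authorise.
    verdict["backscatter"] = bool(
        verdict["is_dsn"]
        and verdict["original_sender_domain"] == our_domain
        and verdict["spf_on_original"] in ("fail", "softfail"))
    return verdict


if __name__ == "__main__":
    for k, v in analyse_bounce(BOUNCE, ASSUMED_SPF, "jeffhyde.com").items():
        print(f"{k}: {v}")
```

Two things this makes concrete that the posts state in prose. SPF is evaluated by the receiving MTA against the connecting IP and the MAIL FROM domain, so the spoofed message from 188.49.9.2 fails SPF for jeffhyde.com only if server.aitsecure.net bothers to check before accepting it. The bounce itself has an empty MAIL FROM, so an SPF check on the bounce is run against the HELO name server.aitsecure.net, never against jeffhyde.com, which is why the poster's record cannot keep the backscatter out. The usual remedy on the receiving side is to reject at SMTP time (a 5xx during RCPT TO or DATA) instead of accept-then-bounce; the catch-all in #1 also removes the other defence, that unknown local parts like Debra7F146D would simply be refused.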