Bloggers and Email Spoofing or Why is My Spam Folder Full?

One of the great joys of running your own server is dealing with spam and spam-related issues. Among the ads for potent products and invites from lonely people, you might find bounceback messages that appear to originate from your own email address but are clearly not from you. This is called email spoofing and it is something that every blogger or website owner should care about and take action against.

From Wikipedia:

E-mail spoofing is a term used to describe fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing, which mimics an actual, well-known website but is run by another party either with fraudulent intentions or as a means of criticism of the organization’s activities. The result is that, although the e-mail appears to come from the email indicated in the “From” field (found in the email headers), it actually comes from another e-mail address, probably the same one indicated in the “Reply To” field; if the initial e-mail is replied to, the delivery will be sent to the “Reply To” e-mail, that is, to the spammer’s email.

Quite a mouthful there… To simplify, email spoofing is the fancy name for bogus email messages that look like they came from you.

Interested in fixing the problem?

Why Bloggers (and everyone else) should care about Email Spoofing

The obvious reason to care about spoofing is that someone is using your good name to shuttle spam messages into unsuspecting inboxes. Not only can this have a negative impact on your reputation, but it can also lead to legitimate emails from your domain being banned by ISPs large and small.

Imagine what might happen if your 30K subscriber newsletter suddenly died.

If that isn’t bad enough, spoofing is often used as a way of phishing for login information. The spoofer sends an email pretending to be you (or your server admin) and asks for passwords or sends links that lead to other nefarious places on the net.

This is not where you want to be.

How to Deal with Spoofing

1. Lock down your mail server so it won’t relay spam

Attached to the Wikipedia entry is a link to an article on CERT about email spoofing. This article provides a few good tips about securing your mail server.

To summarize, the main idea is to lock your outbound mail server (SMTP) so that it does not relay messages willy-nilly. This will stop spammers from sending email directly from your domain.

Most mail servers in hosted environments already lock down open relay, so this is generally not a problem. However, you might want to check just to be sure. I tested a few tools out there and found the open relay tester at SpamHelp.org to be the fastest and easiest for non-technical users.

2. Add an SPF record to your domain

Even if your mail server is locked down, it is still possible for a spammer to execute an email spoof. They just send the message through another mail server. As the CERT article points out, SMTP lacks authentication but there is a way around this limitation: Sender Policy Framework (SPF).

In simple terms, SPF is a record of valid IP addresses that can send email on behalf of a particular domain. You can think about it as a power of attorney for email.

If configured to check for SPF, a receiving mail server will look up the SPF record for your domain and check it against the IP address the spam message actually came from. Assuming the spammer is sending from a server other than your own, that IP address will not match the list of valid addresses for your domain and the spam message will get zapped.

Here are two links to help you get started with SPF:

[Note: When you start looking into SPF, you will probably see references to Sender ID as well. Sender ID is yet another authentication method for SMTP. It goes a step further than SPF, but it is also a proprietary format from Microsoft. Generally, I have no problems with Sender ID, but the adoption rate is slow.]

3. Contact your Hosting Company or ISP

While I am a technical fellow by trade, I do not claim to be a security expert. The recommendations above are a reflection of my attempt to distill a whole lot of mumbo-jumbo about email spoofing into something that regular folks can use.

If you need more detailed advice, I recommend that you start by contacting your hosting company or ISP. They should have dedicated staff for addressing email and security issues.

A Few More Things to Think About

Whenever you make changes to the configuration of your site or DNS records, Bad Things May Happen. The consequences of mail server configurations can be somewhat surprising too.

1. Implementation of SPF may end up blocking delivery of certain automated emails from your website. Why? If your mail server is on IP address X and your site is on IP address Y, scripts that send mail from Y might get blocked unless your SPF record covers both addresses. Make sure to map all the places where systems originate email.

2. Locking down SMTP relay, while a good and important thing, can also end up breaking processes that rely on the relay. If you have a program that sends out email and uses your mail server as a relay, it is possible that shutting down the relay will cause that process to fail. This generally happens when the process in question is on another server, but that is not a given. Make sure to test along the way and be prepared to roll back in the event of problems.
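To make the SPF check from step 2 and the first caveat above concrete, here is an added example (not code from this post or from any SPF project) of what a receiving server does with your record: it parses the `v=spf1` TXT record, compares the connecting IP against the listed addresses, and returns pass or fail. The domain, the record, and the IP addresses are constructed for the example (they use RFC 5737 documentation ranges); the evaluator handles only the `ip4`, `ip6` and `all` mechanisms, since `a`, `mx` and `include` need live DNS lookups and are outside this offline example.

```python
import ipaddress

# Constructed example records for a hypothetical domain.
# Step 2's mistake in miniature: a record that lists only the mail server (IP "X").
MAIL_SERVER_ONLY_RECORD = "v=spf1 ip4:192.0.2.10 -all"
# The corrected record also lists the web server (IP "Y") whose scripts send mail.
# "-all" tells receivers that every other sender should fail.
COMPLETE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.20 -all"

# SPF qualifier prefix -> result name (RFC 7208 terminology)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a v=spf1 record into a list of (qualifier, network) plus the 'all' qualifier.

    Only ip4/ip6/all are supported; any other mechanism raises, so the caller
    never silently passes mail it did not actually evaluate.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks = []
    all_qualifier = "?"  # a record with no 'all' term is neutral for unlisted senders
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means 'pass'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            all_qualifier = qualifier
        elif lowered.startswith("ip4:") or lowered.startswith("ip6:"):
            # strict=False accepts a bare host address or a CIDR block
            networks.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        else:
            raise ValueError(f"unsupported mechanism in this example: {term}")
    return networks, all_qualifier


def check_spf(record, sender_ip):
    """Evaluate the record against the IP the message arrived from.

    This is the decision the receiving server makes: the first listed network
    that contains the sender wins; otherwise the 'all' qualifier applies.
    """
    ip = ipaddress.ip_address(sender_ip)
    networks, all_qualifier = parse_spf(record)
    for qualifier, net in networks:
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier]


if __name__ == "__main__":
    # Constructed senders: the mail server, the web server, and a spammer's box.
    for label, sender in [("mail server", "192.0.2.10"),
                          ("web server script", "198.51.100.20"),
                          ("spammer", "203.0.113.7")]:
        print(f"{label:18} {sender:15} "
              f"old record: {check_spf(MAIL_SERVER_ONLY_RECORD, sender):8} "
              f"fixed record: {check_spf(COMPLETE_RECORD, sender)}")
```

Run as a script, the old record fails the web server's own mail alongside the spammer's, which is exactly the surprise described in point 1; the fixed record passes both legitimate senders and still fails the spammer. Real receivers compare against the connecting IP and the domain in the envelope sender (the Return-Path), not the displayed From header, and `~all` (softfail) is a gentler choice while you are still mapping every host that sends mail for you.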

Best of luck!

4 Comments

  1. Thanks for this great article! I know it’s hard to explain this stuff. As someone a little more technical than the average user, I struggle with this, too. Here’s my experience.

    I’ve had my domain since 1995 and though I’m a one-person domain with about five legitimate email addresses… spammers like to use it. I use a web host — meaning I pay a monthly fee to host my web site and tie my domain to that provider.

    Open relay: Those who host their domains with a service provider usually receive an inbound and outbound server address. Something like smtp.url.com or mail.url.com. So I entered my outbound into the open relay on spam help (where there is an IP address). I did not check the box. It confirmed it’s closed.

    SPF: This is more complicated, but I’m glad I read up on this thanks to this post. It motivated me to leave a bad DNS registrar behind for good. I didn’t like them or how they did business. Well, they don’t offer this SPF stuff — now I can’t find where I found this information. My domain doesn’t have SPF. Will have to work on this one.

    Thank you.

  2. jamiegrove says:

    @Meryl Some network admins who check in here might snicker at this next statement, but I think SPF is a tough beast to tackle alone unless you’re technical…

    The Direct Marketing Association (DMA) had a strong push for SPF last year. I sat through a number of webinars with marketers who just couldn’t get a handle on it.

    The thing is, I don’t believe that marketers need to know much more than the information I’ve provided in this article. I hope your story about switching DNS services is an inspiration to others to do the same or grab a hired gun who can help out. This is serious business and help is available.

    Thanks for the thoughtful and informative comment, Meryl. Sorry for the delay in posting it. Believe it or not, it got caught in my Akismet spam filter. LOL! :)

  3. Troy Pentico says:

    Thanks for the post. I have been looking for more information on SPF and the details and links you give here are very helpful to a non-tech like myself.

  4. Alex Oregan says:

    As a Newbie, I am always searching online for articles that can help me. Thank you