Sorry About The Spam

Tens of thousands of people have been getting spam claiming to be from Lee.org. (Update 8-4-18: HUNDREDS of thousands 🙁 ) First, I’m sorry about that! Second, it’s not actually coming from me. Third, I documented below how you too can stop spam from being spoofed from your domain.

I was alerted to this when I got 20,000 email bounces last week from a letter sent in my name to probably many many more than 20,000 people. That one started:

From: Mr-Williams <lee@lee dat org>
Subject: Re: Your Outstanding Bill Payment notification
How are you doing today? I am Pleased to inform you that we have made arrangement with bank of America to release your payment sum of $10.3 Million dollars…

Happily, I fixed it. My (geekspeak alert!) SPF record was incomplete. I had my SPF in DNS set to:
TXT v=spf1 include:netblocks.dreamhost.com
but it should have been set to:
TXT v=spf1 include:netblocks.dreamhost.com -all

Without the “-all”, SPF wasn’t working to stop spam in my name.

Here’s what one of the spam email headers looked like:

Authentication-Results: spf=neutral (sender IP is 201.162.82.32 (In Brazil, definitely not from my mail host!!!))
smtp.mailfrom=lee.org; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=none action=none header.from=lee.org;
Received-SPF: Neutral (protection.outlook.com: 201.162.82.32 is neither
permitted nor denied by domain of lee.org)

MXToolbox is what keyed me in to what was going wrong. Thanks!

Other good tools are:
http://www.openspf.org/SPF_Record_Syntax
GSuite Toolbox Check MX
mxtoolbox.com
https://mxtoolbox.com/domain/lee.org/
And the whole mxtoolbox site

And thanks to Shehz for the helpful comment!

————————————————–
Update 8-3-18
I added a DMARC record to my DNS
It’s a TXT record under lee.org that looks like so:
_dmarc TXT v=DMARC1; p=quarantine; ruf=mailto:[myDMARCemailaddress]@lee.org; rua=mailto:[myDMARCemailaddress]@lee.org; sp=n
one; ri=86400

So now email receivers know definitively what to do with spam coming to them from lee.org. And I get a report of when a bounce happens. I initially set p to “none” and got a few correct DMARC reports. Now it’s “quarantine” and in a little while I’ll set it to “reject”.

————————————————–
Update 8-3-18 #2
With DMARC enabled, I’m getting fifteen hundred reports a day telling me that spam “from” lee.org is being blocked. Ugh, sorry world! That tide is stopping now!

I got help with DMARC from these sites:
* https://dmarc.org/
* https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alee.org&run=toolpage

Leave a Comment

Do not write "http://" in your comment, it will be blocked. It may take a few days for me to manually approve your first comment.

You can edit your comment after submitting it.