Tens of thousands of people have been getting spam claiming to be from Lee.org. (Update 8-4-18: HUNDREDS of thousands 🙁 ) First, I’m sorry about that! Second, it’s not actually coming from me. Third, I documented below how you too can stop spam from being spoofed from your domain.
I was alerted to this when I got 20,000 email bounces last week from a letter sent in my name to probably many, many more than 20,000 people. That one started:
From: Mr-Williams <lee@lee dat org>
Subject: Re: Your Outstanding Bill Payment notification
How are you doing today? I am Pleased to inform you that we have made arrangement with bank of America to release your payment sum of $10.3 Million dollars…
Happily, I fixed it. My (geekspeak alert!) SPF record was incomplete. I had my SPF in DNS set to:
TXT v=spf1 include:netblocks.dreamhost.com
but it should have been set to:
TXT v=spf1 include:netblocks.dreamhost.com -all
Without the “-all”, SPF wasn’t working to stop spam in my name.
Here’s what one of the spam email headers looked like:
Authentication-Results: spf=neutral (sender IP is 22.214.171.124 (In Brazil, definitely not from my mail host!!!))
smtp.mailfrom=lee.org; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=none action=none header.from=lee.org;
Received-SPF: Neutral (protection.outlook.com: 126.96.36.199 is neither
permitted nor denied by domain of lee.org)
MXToolbox is what keyed me in to what was going wrong. Thanks!
And thanks to Shehz for the helpful comment!
I added a DMARC record to my DNS
It’s a TXT record under lee.org that looks like so:
_dmarc TXT v=DMARC1; p=quarantine; ruf=mailto:[myDMARCemailaddress]@lee.org; rua=mailto:[myDMARCemailaddress]@lee.org; sp=n
So now email receivers know definitively what to do with spam coming to them from lee.org. And I get a report of when a bounce happens. I initially set p to “none” and got a few correct DMARC reports. Now it’s “quarantine” and in a little while I’ll set it to “reject”.
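The SPF and DMARC behaviour described above, as an added example (not code from the original post): a Python lint that works on the TXT strings alone, with no DNS lookups, and reports what SPF returns for a sender that matches no mechanism. The function names and the example.org report mailbox are assumptions made for illustration.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_default_result(record):
    """SPF result for a sender IP that matches no listed mechanism (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no SPF record published
    redirect = None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = low                  # only used when no "all" is present
        elif low.lstrip("+-~?") == "all":
            return QUALIFIERS.get(low[0], "pass")   # bare "all" means "+all"
    return redirect or "neutral"            # nothing matched: same as "?all"

def parse_dmarc(record):                    # "tag=value; tag=value" -> dict
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(spf, dmarc):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    default = spf_default_result(spf)
    if default.startswith("redirect="):
        findings.append(f"SPF: default result is set by {default}; check that record")
    elif default != "fail":
        findings.append(f"SPF: unlisted senders get '{default}', not 'fail'; end with -all")
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        return findings + ["DMARC: no valid v=DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} requests no action from receivers")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# SPF strings are the ones in the post; the DMARC mailbox is a constructed placeholder.
BEFORE = "v=spf1 include:netblocks.dreamhost.com"
AFTER = "v=spf1 include:netblocks.dreamhost.com -all"
DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for spf in (BEFORE, AFTER):
        print(spf, "->", spf_default_result(spf), audit(spf, DMARC))
```

The "neutral" result for the first record is the same verdict that appears in the Authentication-Results header quoted earlier.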
Update 8-3-18 #2
With DMARC enabled, I’m getting fifteen hundred reports a day telling me that spam “from” lee.org is being blocked. Ugh, sorry world! That tide is stopping now!
I got help with DMARC from these sites: