Sorry About The Spam

TL;DNR: I was getting 50,000 spam email bounces per day. I enabled SPF, DMARC, and DKIM. I made an email filter at Dreamhost to stop the email forwarding madness from Dreamhost to my Gmail account. Problem solved! (for now)

Tens of thousands of people have been getting spam claiming to be from Lee.org. (Update 8-4-18: HUNDREDS of thousands 🙁 ) First, I’m sorry about that! Second, it’s not actually coming from me. Third, I documented below how you too can stop spam from being spoofed from your domain.

I was alerted to this when I got 20,000 email bounces last week from a letter sent in my name. That one started:

From: Mr-Williams <lee@lee dat org>
Subject: Re: Your Outstanding Bill Payment notification
How are you doing today? I am Pleased to inform you that we have made arrangement with bank of America to release your payment sum of $10.3 Million dollars…

I realized that my (geekspeak alert!) SPF record was incomplete. So bad actors were able to pretend to be me and send zillions of spams in my name. I had incorrectly set my SPF record in my DNS to:
TXT v=spf1 include:netblocks.dreamhost.com
but it should have been set to:
TXT v=spf1 include:netblocks.dreamhost.com -all

Without the “-all”, SPF wasn’t working to stop spam in my name!

Here’s what one of the spam email headers looked like:

Authentication-Results: spf=neutral (sender IP is 201.162.82.32 (In Brazil, definitely not from my mail host!!!))
smtp.mailfrom=lee.org; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=none action=none header.from=lee.org;
Received-SPF: Neutral (protection.outlook.com: 201.162.82.32 is neither
permitted nor denied by domain of lee.org)

MXToolbox is what keyed me in to what was going wrong. Thanks!

Other good tools are:
http://www.openspf.org/SPF_Record_Syntax
GSuite Toolbox Check MX
mxtoolbox.com
https://mxtoolbox.com/domain/lee.org/
And the whole mxtoolbox site

And thanks to Shehz for the helpful comment!


Update 8-3-18
I also added a DMARC record to my DNS
It’s a TXT record under lee.org that looks like so:
_dmarc TXT v=DMARC1; p=quarantine; ruf=mailto:[myDMARCemailaddress]@lee.org; rua=mailto:[myDMARCemailaddress]@lee.org; sp=n
one; ri=86400

So now email receivers know definitively what to do with spam coming to them from lee.org. And I get a report of when a bounce happens. I initially set p to “none” and got a few correct DMARC reports. Now it’s “quarantine” and in a little while I’ll set it to “reject”.


Update 8-3-18 #2
With DMARC enabled, I’m getting fifteen hundred reports a day telling me that spam “from” lee.org is being blocked. Ugh, sorry world! That tide is stopping now!

I got help with DMARC from these sites:

* https://dmarcian.com/
* https://dmarc.org/
* https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alee.org&run=toolpage


Update 8-22-18
I averaged 700 DMARC spam reports per day for the last 7 days.

Update 10-19-19 I got rid of the mailto: fields in my DMARC entry. I’m tired of getting kinda-pointless DMARC messages.


Update 10-18-18

Dreamhost shut off my email temporarily twice recently because the quantity of spams being forwarded from my Dreamhost lee.org account to my Gmail account were getting the better of them. Ugh. Here was the suggestion from Toby at Dreamhost:

SPF and DKIM records only help if the receiving server checks them. I would advise not to forward to gmail as this causes server load issues for everyone else on the server if you do run into further problems with this. You can configure your Gmail client to retrieve your email directly from Dreamhost’s server using POP3, and discontinue the use of your forwarder.

You’ll get all the benefits of Google SPAM filter as well, and this will be functionally equivalent to your current configuration. For more information on how to set up the Google side of things, please refer to the following article:

https://help.dreamhost.com/hc/en-us/articles/214870568-How-to-check-your-DreamHost-email-at-Google

Additionally you can setup filtering to filter out these spam message so
they don’t forward nor clog up your email box.

https://help.dreamhost.com/hc/en-us/articles/215030678-Custom-filters-How-to-enable-message-filters-on-an-email-address

I set up POP3 fetching and created some custom filters. I noticed that Gmail fetches about 200 emails per grab and it runs every 5 minutes or so. That means if I’m getting a lot of spam, Gmail won’t be able to keep up with fetching the mail! I just tested this and… OMG I opened the floodgates and started getting 250 email bounced PER MINUTE! It is no freaking wonder why Dreamhost turned off my email forwarding for a while!! Here’s a snapshot of Gmail and Dreamhost failing to keep up with the full force of spam with the spam floodgates wide open.

I deleted my spam folder with 1,500 emails and closed the floodgates by putting some filters in place at Dreamhost. But even 15 minutes later, old spams were still slowly trickling into the spam folder… Looking at the headers, it’s hard to tell if Dreamhost started choking/rate limiting or Gmail was choking/rate limiting.

I turned off POP3 mail fetch and left the mail filters in place. All is well now!

It was as simple as setting Dreamhost Panel | Mail | Message Filters | to “First, delete emails with [bad actor] in the body and then stop.”

4 Comments

  1. Lee Sonko says:

    If you got one of the gazillion spams sent by the spammer, you might tell your mail provider “Hey, I got a spam from a spoofed email address. The “spoofee” set up SPF, DKIM and DMARC correctly, could you please set your servers to check that stuff!”

  2. Lee says:

    My SPF is now set to
    TXT v=spf1 a mx include:netblocks.dreamhost.com -all

    Here’s another tool to test your mail:
    https://www.mail-tester.com/

    Here’s some sites to help you figure out what SPF is
    https://support.dnsimple.com/articles/spf-record/
    https://help.dreamhost.com/hc/en-us/articles/216107737

  3. Lee says:

    Canned message I send some folks:
    I noticed that many of your promotional emails fall into my gmail spam folder. Looking at the emails, I see that they fail (geekspeak alert) SPF, DKIM, and DMARC tests. You may want to fix that. For a start, you can check out how I fixed this problem on my domain, Lee.org https://www.lee.org/blog/2018/07/22/sorry-about-the-spam/

  4. Lee says:

    Another canned message I send some folks (for Mailchimp mailing lists)

    Hey, how come your emails go to my spam folder?
    Find some geek friend and have them read this….

    I have sophomore level knowledge about this stuff. Maybe it’ll help get your emails out of people’s spam folder. Your organization’s emails from Mailchimp are falling into my gmail spam folder and probably most other peoples’ too. I noticed that those emails (geekspeak alert) fail SPF checks. Well, the check comes back “neutral” which means that SPF is essentially turned off.I see that SPF is currently set on the your domain like so:”v=spf1 include:tigertech.net include:servers.mcsv.net ?all” (to do that yourself, do an nslookup set type=txt and search for your domain)

    That “?” near the end means it’s turned off. Any spammer can spoof an email “from” your organization, which sucks. Don’t change that setting without checking in with a geek and Mailchimp first or it’ll all break. I don’t know mailchimp, I see they have a page on how to set this stuff up here (https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/?_ga=2.56853354.1127601543.1597263438-801399683.1597263438)

    Happy Sailing!
    Lee

Leave a Comment

Do not write "http://" in your comment, it will be blocked. It may take a few days for me to manually approve your first comment.

You can edit your comment after submitting it.