
My email address is being spoofed, what to do about it

Solution

What is spoofing? A malicious person is sending spam or malicious content from email account(s) they control AND they are using your email address as the ‘display name’ of the sends. The ‘display name’ is nothing more than a pseudonym that is allowed to be placed on any sent email. It is unfortunate that use of the ‘display name’ is still an accepted industry practice, as misunderstanding of it presents a major security risk. Spoofing does not mean that your email account has been breached. However, if the spoofer has acquired your customer contacts (for example by monitoring a contact form on a non-SSL website, or by breaching some other unsecured database/software you have in use), their spoofing of your email carries significant risk for your customers, a risk which could spread back to you.

Here are the steps to combat spoofing:

Send this to the folks receiving the spoofed emails from you (here are our results of this as well: https://snipboard.io/JYe3w2.jpg):

Open the spoofed email, but do not click on anything in it.
Now view the message source; here are the instructions to do that for common mail clients:
If you use outlook.com to check email: click the down arrow of “more options” and choose “view message source”.
If you use Outlook (software) on a computer to check email: https://support.office.com/en-us/article/view-internet-message-headers-cd039382-dc6e-4264-ac74-c048563d212c
If you use yahoo.com to check email: https://help.yahoo.com/kb/SLN22026.html
If you use Gmail to check email: https://support.google.com/mail/answer/29436?hl=en
Once you have the message source on the screen, you’ll need to grab a screenshot of it.
Upload the screenshot by following the instructions here: https://snipboard.io/ then:
Email the snipboard URL of your screenshot back to [a good reply email for you here]

For you once they send the screenshots to you:

Note: If the ‘Return-Path’ sender is actually your email account (your account has been pirated), you will need to change the password of your email account and take appropriate actions at any services that use that account.
If your email is only being spoofed, here’s how to trace and contact the server admin of the spoof source:
From the header screenshot, find the IP address in the ‘Received: from’ section for the server that sent the email.
In a Linux terminal, type the command: host -t TXT 0.0.0.0.abuse-contacts.abusix.org
Replace the zeros in that command with the IP of the ‘Received: from’ section, but in reverse order.
So if the sending server IP was 87.106.233.149, you would enter it as 149.233.106.87 in the command.
This will yield the abuse contact email address to which you report the spoofer.
Send an email to that abuse contact from the email address of yours being spoofed, attaching the header image and spelling out in the message body the spoofed email address (yours) and the spoofing email address (from the ‘Return-Path’).
Spoofers are known to use multiple servers/return paths in a single batch of spoofed emails to various recipients, so you may have to repeat this process many times during a spoof attack before all the outlets of the attack have suspended the offending account(s).
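As an added example (not part of this article), the Python script below performs the triage described above on a pasted message source: it checks whether the ‘Return-Path’ is your own address, pulls the public sending IPs out of the ‘Received:’ headers while skipping your provider’s internal relays, and builds the reversed-octet abusix lookup command for each. The sample message source, host names and addresses are constructed; the DNS query itself is left to the host command exactly as the article gives it.

```python
import email
import ipaddress
import re

# Constructed sample source; names are made up, the sending IP is the article's own example.
SAMPLE_SOURCE = """\
Return-Path: <bounce-4471@mailer.example.net>
Received: from mx3.example-provider.com ([10.20.30.40])
        by imap.example-provider.com with LMTP; Mon, 1 Apr 2024 09:15:02 +0000
Received: from mailer.example.net (mailer.example.net [87.106.233.149])
        by mx3.example-provider.com with ESMTP; Mon, 1 Apr 2024 09:15:01 +0000
From: "Jane Owner" <jane@yourdomain.example>
Subject: Invoice attached
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def abusix_query_name(ip):
    """87.106.233.149 -> 149.233.106.87.abuse-contacts.abusix.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".abuse-contacts.abusix.org"

def sending_server_ips(source):
    """Public IPv4 addresses in Received: headers, topmost hop first;
    private/loopback hops (your provider's internal relays) are skipped."""
    msg = email.message_from_string(source)
    found = []
    for received in msg.get_all("Received", []):
        for ip in IPV4.findall(received):
            try:
                addr = ipaddress.IPv4Address(ip)
            except ValueError:  # digits that do not form a valid address
                continue
            if addr.is_global and ip not in found:
                found.append(ip)
    return found

def triage(source, your_address):
    """Return-Path equal to your own address means the account itself was used;
    otherwise it is a display-name spoof and each public sending IP gets the
    abuse-contact lookup command from the article."""
    msg = email.message_from_string(source)
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    ips = sending_server_ips(source)
    return {
        "return_path": return_path,
        "account_compromised": return_path.lower() == your_address.lower(),
        "sending_ips": ips,
        "lookups": [f"host -t TXT {abusix_query_name(ip)}" for ip in ips],
    }
```

Run triage(SAMPLE_SOURCE, "jane@yourdomain.example") and paste each returned lookup command into a Linux terminal to get the abuse contact for that hop.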

Once the spoof has been reported, you will likely receive no further notification from the server abuse contact. Your only course of action is to keep reporting to the abuse contact(s) until the spoofing ceases.

If a single recipient or single domain was targeted by a spoof attack frequently enough, with your email being the one spoofed, the recipient’s server may blacklist your email account or domain; there is a whole additional process to pursue should that turn out to be the case.

On a separate matter, you should check that your nameserver provider’s DNS table has a sufficient SPF policy in place for your outbound mail server and any other active points of send.
