Why Did I Get This Spam from Your Domain?
We get email all the time saying that someone on our domain or our network is sending spam. This page is published to help you learn how to find the culprit, and whether it really is us or not.
Here is a recent email asking us to stop this person from sending spam.
firstname.lastname@example.org is sending out fake emails from FEDEX with viruses attached. Please shut him down. Here is a copy of the email. Do not click on the DOWNLOAD POSTAL RECEIPT OR YOU WILL GET THE VIRUS. I would love to have his IP address if you can get it to me so I can get him shut down by the law.
Unfortunately this person didn’t send me the headers, so I couldn’t tell him what the IP address was. I can help someone determine who sent an email if they send me the headers, and if they read through the following they will learn how to tell for themselves. The headers carry everything we need to find out where an email originated and which mail servers it passed through.
Headers are added to every email in transit. They are a record of everything that happened to the message on its way from the sender’s system to the recipient’s mail server. Viewing them is easy in Thunderbird: click View -> Headers -> All. In Outlook it is also easy, but you will need to look up how to view the headers for your version, since the various releases of Outlook use different menus. Webmail interfaces generally make it easy as well; search for “view headers” and the name of the service. Google “Outlook view headers” and you will find instructions.
Each entity that handles an email adds its own Received: headers to the top of the header section, so the earliest entries are at the bottom and the latest at the top. Read them bottom-up. Only the headers written by your own mail server (and the servers above it that you trust) are reliable: everything below the first header your server added was supplied by the sender, and a spammer can forge Received: lines there. Walking the headers quoted below from the bottom:
1. The original email was sent by www02.enschede.dla.nl [184.108.40.206] to mailhost.dla.nl.
2. mailhost.dla.nl passed the email on to p3pismtp01-019.prod.phx3.secureserver.net.
3. p3plsmtp15-04.prod.phx3.secureserver.net accepted the email from 10.6.12.19, which introduced itself (HELO) as p3pismtp01-019.prod.phx3.secureserver.net. Notice it says “unknown”: the receiving server could not find a reverse DNS name for 10.6.12.19. Since that is a private (RFC 1918) address it never will, so this hop is an internal handoff between two secureserver.net relays rather than a forgery. The forgery is in the From: line, which names a tulsa.com address that none of these servers belongs to.
The important thing to note here is that the mail never passed through mail.tulsa.com. Mail.tulsa.com is the only server authorized to send email for anyone @tulsa.com, so we did not participate in this spam. We also give the world a way to check that for itself: we publish a Sender Policy Framework (SPF) record in DNS for tulsa.com that lists the mail servers allowed to send for the domain. A receiving server looks up that record and compares it with the address that is handing it the message; if the message did not come from our server, it can reject the email as bogus. We use the same check on any domain that publishes SPF records and happily reject everything that does not come from an authorized mail server. One caveat: SPF is evaluated against the envelope sender (the SMTP MAIL FROM) and the HELO name, not the From: line a reader sees, so a forger who uses a different envelope domain from the visible From: address will not be caught by SPF alone.
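The check described above, as an added example (not code from this site): a minimal SPF evaluator in Python. The DNS answers come from a constructed in-memory table, and the record it holds for tulsa.com (`v=spf1 mx a:mail.tulsa.com -all`), the partner.example domain and the 203.0.113.x / 198.51.100.x addresses are assumptions for illustration, not the domain’s real zone data. It implements the ip4, ip6, a, mx, include and all mechanisms with their qualifiers, which covers most records in the wild; redirect=, exists and ptr are reported as unsupported.

```python
import ipaddress

# Constructed stand-in for DNS. The tulsa.com record and every address here are
# assumed for illustration; they are not the domain's real zone data.
FAKE_DNS = {
    ("tulsa.com", "TXT"): ["v=spf1 mx a:mail.tulsa.com -all"],
    ("tulsa.com", "MX"): ["mail.tulsa.com"],
    ("mail.tulsa.com", "A"): ["203.0.113.25"],
    ("partner.example", "TXT"): ["v=spf1 include:tulsa.com ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a resolver query (swap in a real DNS library for live use)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_check(ip, domain, depth=0):
    """Evaluate SPF for a connecting IP and sender domain (subset of RFC 7208).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"                   # the domain publishes no policy at all
    if len(records) > 1:
        return "permerror"              # two spf1 records is a configuration error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                 # a mechanism with no qualifier means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a bare address is a /32 or /128; mismatched IP versions never match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            matched = spf_check(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # redirect=, exists, ptr, prefix lengths: not handled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and there was no "all" term


def accept_or_reject(ip, domain):
    """The policy this article argues for: reject on an explicit fail, let the rest through."""
    result = spf_check(ip, domain)
    return ("reject" if result == "fail" else "accept"), result


if __name__ == "__main__":
    # 220.127.116.11 is the mailhost.dla.nl address as it appears in the headers
    # quoted on this page; checked against tulsa.com it matches nothing but -all.
    for ip, dom in [("203.0.113.25", "tulsa.com"), ("220.127.116.11", "tulsa.com"),
                    ("203.0.113.25", "partner.example"), ("198.51.100.7", "partner.example"),
                    ("198.51.100.7", "nospf.example")]:
        print(ip, dom, accept_or_reject(ip, dom))
```

The record string is exactly what goes into the domain’s TXT record; a site that sends only through one host publishes something like `v=spf1 a:mail.example.com -all`. A receiving server feeds in the connecting address and the envelope sender’s domain, and a hard `-all` is what lets it reject rather than merely score the message.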
Here are the headers that someone (I changed his email address to email@example.com) sent in, thinking that someone (“Lawyer Skadden” <firstname.lastname@example.org>) at tulsa.com was spamming the world.
Received: (qmail 24093 invoked by uid 30297); 14 Nov 2012 06:03:
Received: from unknown (HELO p3pismtp01-019.prod.phx3.secureserver.net) ([10.6.12.19])
by p3plsmtp15-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <email@example.com>; 14 Nov 2012 06:03:35 -0000
Received: from mailhost.dla.nl ([220.127.116.11])
by p3pismtp01-019.prod.phx3.secureserver.net with ESMTP; 13 Nov 2012 23:03:34 -0700
Received: from www02 (www02.enschede.dla.nl [18.104.22.168])
by mailhost.dla.nl (DLA ICT Mailhost) with SMTP id YRR27129
for <firstname.lastname@example.org>; Wed, 14 Nov 2012 07:03:29 +0100
Date: Wed, 14 Nov 2012 07:03:29 +0100
Subject: PayPal Bill Me Later Current Debt 9998
From: “Lawyer Skadden” <email@example.com>
Reply-To: “Lawyer Skadden” <firstname.lastname@example.org>
This email was actually a virus-laden piece of spam telling the recipient that they could see the details of a FedEx delivery. Opening the attached file would install a virus on their computer. Sadly, the receiving servers had what they needed (the connecting address and the claimed sender domain) to check whether mailhost.dla.nl was allowed to send mail for that domain, but the message was delivered to the recipient anyway.
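Here is how to automate the bottom-up reading described in steps 1 to 3 above, as an added Python example that is not code from this site. The sample input is the header block quoted above, reproduced as a constructed string with the same anonymized addresses the page shows (the truncated first Received: line is kept as it appears); the set of servers authorized for the domain is passed in, here {"mail.tulsa.com"}, so the script can say whether any hop went through one of them.

```python
import email
import ipaddress
import re

# Constructed sample input: the Received chain reproduced from the headers
# quoted on this page. The first line is truncated on the page and kept so.
SAMPLE_HEADERS = """\
Received: (qmail 24093 invoked by uid 30297); 14 Nov 2012 06:03:
Received: from unknown (HELO p3pismtp01-019.prod.phx3.secureserver.net) ([10.6.12.19])
  by p3plsmtp15-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
  for <email@example.com>; 14 Nov 2012 06:03:35 -0000
Received: from mailhost.dla.nl ([220.127.116.11])
  by p3pismtp01-019.prod.phx3.secureserver.net with ESMTP; 13 Nov 2012 23:03:34 -0700
Received: from www02 (www02.enschede.dla.nl [18.104.22.168])
  by mailhost.dla.nl (DLA ICT Mailhost) with SMTP id YRR27129
  for <firstname.lastname@example.org>; Wed, 14 Nov 2012 07:03:29 +0100
Date: Wed, 14 Nov 2012 07:03:29 +0100
Subject: PayPal Bill Me Later Current Debt 9998
From: "Lawyer Skadden" <email@example.com>
Reply-To: "Lawyer Skadden" <firstname.lastname@example.org>

(body omitted)
"""

# "from <client> ... by <server>": the client token is whatever the receiving
# server recorded (its reverse-DNS result, or the HELO name, or "unknown").
HOP_RE = re.compile(r"\bfrom\s+(?P<client>\S+)(?P<rest>.*?)\bby\s+(?P<server>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")     # the connecting address, always in brackets
HELO_RE = re.compile(r"\(HELO\s+(\S+)\)")       # qmail-style "(HELO name)" annotation


def parse_hops(raw_headers):
    """Return Received: hops in transit order: origin first, final server last."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                             # e.g. qmail's local "invoked by uid" line
        rest = m.group("rest")
        ip_m = IP_RE.search(rest)
        helo_m = HELO_RE.search(rest)
        ip = ip_m.group(1) if ip_m else None
        hops.append({
            "client": m.group("client"),
            "helo": helo_m.group(1) if helo_m else m.group("client"),
            "ip": ip,
            "server": m.group("server"),
            "rdns_unknown": m.group("client").lower() == "unknown",
            # a private address means an internal relay, not an Internet sender
            "private_ip": bool(ip) and ipaddress.ip_address(ip).is_private,
        })
    hops.reverse()   # headers are prepended, so the bottom one is the first hop
    return hops


def sent_via(hops, authorized):
    """True if any hop was received by one of the domain's authorized servers."""
    authorized = {a.lower() for a in authorized}
    return any(h["server"].lower() in authorized for h in hops)


def report(raw_headers, authorized):
    """Human-readable trace of the path plus the verdict on the authorized set."""
    hops = parse_hops(raw_headers)
    lines = []
    for i, h in enumerate(hops, 1):
        flags = []
        if h["rdns_unknown"]:
            flags.append("no reverse DNS")
        if h["private_ip"]:
            flags.append("private address, internal relay")
        note = f"   ({'; '.join(flags)})" if flags else ""
        lines.append(f"{i}. {h['helo']} [{h['ip']}] -> {h['server']}{note}")
    lines.append(f"passed through an authorized server: {sent_via(hops, authorized)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEADERS, {"mail.tulsa.com"}))
```

The first hop the script prints is the one that matters for a complaint: the address in brackets on the lowest Received: line that a trusted server wrote is the machine that injected the message. Everything the script reads below your own server’s header should be treated as sender-supplied and therefore forgeable.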
So why doesn’t everyone use SPF and kill off some of this stuff? Honestly, I don’t know. There are a number of ways to tell whether an email is likely spam. The downside for an email administrator is that they might have to admit they have no idea how to implement SPF records or some of the other ways to eliminate spam. They may also decide that the worst thing they could do is drop valid email. That fear is not baseless: a plain SPF check fails on legitimately forwarded mail, because the forwarding server is not in the original domain’s record, which is why many domains publish a softfail (~all) rather than a hard -all.