E-Mail reputation destroyed, what to do?

Hello,
so a month ago one of our customers got hacked into (this is the second time it happens ffs), and somebody noticed we were a reseller and started sending mail faking our domain, signature and senders asking people for money and sending malicious attachments.

From that day, hell ensued. Every single mail we send to any domain gets delivered straight into the mail folder or rejected. Godaddy rejects our email (This message has been rejected due to content judged to be spam by the internet community IB212), Gmail puts them into spam (although we also use Google Mail), Hotmail silently drops them as with plenty of other smaller providers.

I checked my e-mail score using https://www.experte.com/spam-checker and https://www.mail-tester.com/ and both give me a 10/10. SPF correct, DKIM as well, just a missing DMARC (but I honestly don't know where I'd send that)

As a test I tried adding my mxroute account to the domain and sending mail from there gets delivered successfully, so it looks like the issue is only when e-mails are sent from Google servers.

But all mail deliverability checkers and spam checkers and such give me full score with both servers - mxroute and google. However, only google fails to deliver e-mails.

Has this happened to somebody else? What should I do?


Comments

  • havochavoc OGContent Writer

    Don't think you'll have any luck persuading the big G to change its mind once it considers it tainted.

    mxroute has multiple backup routes it tries when delivery fails

  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited October 2021

    To quote myself (hoping to be corrected if I'm wrong):
    Third record contains DMARC settings (Domain-based Message Authentication, Reporting & Conformance). What is this? To put it simply, DMARC can be set to tell all the email servers:
    “If an email fails either SPF, or DKIM validation, disregard it, it is probably someone pretending to be sending emails as @yourdomain.com – impersonating it.”

    So I suppose DMARC, along with SPF and DKIM can help prevent such situations. More details:
    DNS records explained (mail-related, and others)

    Thanked by (1)rthwakel

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @foxone said: I checked my e-mail score using https://www.experte.com/spam-checker and https://www.mail-tester.com/ and both give me a 10/10. SPF correct, DKIM as well, just a missing DMARC (but I honestly don't know where I'd send that)

    And you're saying that your IP address isn't on any blacklists either?

    "A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)

  • Once tarnished, it's done for. Google no longer listens to anyone.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • vyasvyas OG
    edited October 2021

    OP should fire the customer.

    First time hacked, shame on them.
    Second time hacked, shame on the provider for keeping them around.

    Thanked by (2)Daniel level6
  • Smells like a wordpress installation with shit of shabby plugins. Some people absolutely refuse to remove such plugins because they are essential to their websites.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • vyasvyas OG
    edited October 2021

    @deank said:
    Some people absolutely refuse to remove such plugins because they are essential to their websites it is free .

    Fixed that for you

    Thanked by (1)Daniel
  • johnkjohnk Hosting Provider

    Why were they able to forge your domain and send emails?

  • @angstrom said:

    @foxone said: I checked my e-mail score using https://www.experte.com/spam-checker and https://www.mail-tester.com/ and both give me a 10/10. SPF correct, DKIM as well, just a missing DMARC (but I honestly don't know where I'd send that)

    And you're saying that your IP address isn't on any blacklists either?

    Nope. My IP address is masked by Google anyway so the source IP is Google servers... I think?

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    @vyas said:
    OP should fire the customer.

    How do you "fire" customers? :P But yeah, they are retards.

  • Generally, you can add a clause in ToS that might allow you to terminate their accounts on certain events.

    But I don't think a customer being a half-wit would entitle an account termination. In Trump world, it might stand but not in the normal world.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • johnkjohnk Hosting Provider

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    Thanked by (1)quicksilver03
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @johnk said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    OP said:
    "just a missing DMARC (but i honestly don't know where i'd send that)"

    Could it be that DMARC was not set to strictly drop any emails that don't pass either SPF, or DKIM?
    That would make this kind of mess much easier, no?

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • johnkjohnk Hosting Provider

    @bikegremlin said:

    @johnk said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    OP said:
    "just a missing DMARC (but i honestly don't know where i'd send that)"

    Could it be that DMARC was not set to strictly drop any emails that don't pass either SPF, or DKIM?
    That would make this kind of mess much easier, no?

    DMARC isn't mandatory to prevent email forgery. As long as you aren't authorizing the IP via SPF, any email client should take it very cautiously. I doubt Google would blacklist your domain if the sending was forged. How did they forge your SPF? You also mentioned they forged your DKIM signature - how did that happen?

    You can't do either unless you either have full control over the server, or the domain's DNS.

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited October 2021

    @johnk said:

    @bikegremlin said:

    @johnk said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    OP said:
    "just a missing DMARC (but i honestly don't know where i'd send that)"

    Could it be that DMARC was not set to strictly drop any emails that don't pass either SPF, or DKIM?
    That would make this kind of mess much easier, no?

    DMARC isn't mandatory to prevent email forgery. As long as you aren't authorizing the IP via SPF, any email client should take it very cautiously. I doubt Google would blacklist your domain if the sending was forged. How did they forge your SPF? You also mentioned they forged your DKIM signature - how did that happen?

    You can't do either unless you either have full control over the server, or the domain's DNS.

    Does DMARC help (additionally)?

    It is my understanding that SPF + DKIM + DMARC is as good as you can get in order to prevent reduce (make more difficult) phishing/email address spoofing.

    When I hear of an organization (like a bank or similar) warning customers of phishing attacks, I check their email records and they most often don't have at least one of the three properly configured.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • johnkjohnk Hosting Provider

    @bikegremlin said:

    @johnk said:

    @bikegremlin said:

    @johnk said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    OP said:
    "just a missing DMARC (but i honestly don't know where i'd send that)"

    Could it be that DMARC was not set to strictly drop any emails that don't pass either SPF, or DKIM?
    That would make this kind of mess much easier, no?

    DMARC isn't mandatory to prevent email forgery. As long as you aren't authorizing the IP via SPF, any email client should take it very cautiously. I doubt Google would blacklist your domain if the sending was forged. How did they forge your SPF? You also mentioned they forged your DKIM signature - how did that happen?

    You can't do either unless you either have full control over the server, or the domain's DNS.

    Does DMARC help (additionally)?

    It is my understanding that SPF + DKIM + DMARC is as good as you can get in order to prevent reduce (make more difficult) phishing/email address spoofing.

    When I hear of an organization (like a bank or similar) warning customers of phishing attacks, I check their email records and they most often don't have at least one of the three properly configured.

    Yes, it can help. It does not prevent the phishing attacks you mention, as those typically do not forge the email domain, and send it from a different domain. For example, microsoft-server-example.xyz. DKIM/SPF passes, so it delivers to the inbox (if spam filtering is based on that alone). You have to depend on other signals to find phishing campaigns typically.

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @johnk said:

    @bikegremlin said:

    @johnk said:

    @bikegremlin said:

    @johnk said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    Anyone can send an email from your domain, and forge the From header. SPF/DKIM/DMARC keep the receiving client from recognizing these emails as legitimate. How did they forge those too?

    OP said:
    "just a missing DMARC (but i honestly don't know where i'd send that)"

    Could it be that DMARC was not set to strictly drop any emails that don't pass either SPF, or DKIM?
    That would make this kind of mess much easier, no?

    DMARC isn't mandatory to prevent email forgery. As long as you aren't authorizing the IP via SPF, any email client should take it very cautiously. I doubt Google would blacklist your domain if the sending was forged. How did they forge your SPF? You also mentioned they forged your DKIM signature - how did that happen?

    You can't do either unless you either have full control over the server, or the domain's DNS.

    Does DMARC help (additionally)?

    It is my understanding that SPF + DKIM + DMARC is as good as you can get in order to prevent reduce (make more difficult) phishing/email address spoofing.

    When I hear of an organization (like a bank or similar) warning customers of phishing attacks, I check their email records and they most often don't have at least one of the three properly configured.

    Yes, it can help. It does not prevent the phishing attacks you mention, as those typically do not forge the email domain, and send it from a different domain. For example, microsoft-server-example.xyz. DKIM/SPF passes, so it delivers to the inbox (if spam filtering is based on that alone). You have to depend on other signals to find phishing campaigns typically.

    Yes, that is probably the most commonly used trick that doesn't take much to implement (using a subdomain that matches the target's domain).

    I actually wrote about that "trick" - and other "popular" methods here:
    https://io.bikegremlin.com/15447/email-security/
    (any additions & corrections are welcome)

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • DanielDaniel OG
    edited October 2021

    @foxone said:

    @johnk said:
    Why were they able to forge your domain and send emails?

    They sent mails to our customers using our "From:" identity and forging our signatures. They never had access to our domain or anything.

    How though? If they set the from address to yours, it should have failed SPF and DKIM checks, and even without DMARC those emails should have still ended up being marked as spam by most mail systems.

    Do you have the full headers from one of these fake emails?

    This is something DMARC is good for. Even if you don't set it to reject invalid emails, you'll still receive logs as to which servers are sending emails from your domain, and whether they were rejected by the recipient server or not. The logs are XML files and there's a bunch of services that can receive and analyze DMARC reports - I'm using mailhardener.com's free account. The idea is that you analyze the logs, and once everything looks good (you have a good number of logs and they show that all your legit email is accepted), you can flip it to reject invalid emails.

    @vyas said:
    OP should fire the customer.

    How do you "fire" customers? :P But yeah, they are retards.

    Write something in your ToS stating that you (or either party) may end the business relationship at any time after some notice period. If a customer makes you have to get a new IP range and potentially a new domain to fix your email reputation, they may just not be worth it.
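    Reading one of those XML aggregate reports, as an added example in Python that is not from the thread or from mailhardener: the report, its IPs and its counts are constructed, and the last helper encodes the rollout Daniel describes (stay on p=none until every sender you know to be yours passes, then tighten).

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the shape receivers send; the IPs are
# documentation addresses and the counts are made up for the example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1633046400</begin><end>1633132800</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>3500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_dmarc_report(xml_text):
    """Roll an aggregate report up to one entry per sending IP.

    A row passes DMARC when the receiver found an aligned DKIM *or* SPF pass,
    which is what policy_evaluated records. Real reports arrive from third
    parties: parse those with defusedxml rather than plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary["sources"].setdefault(
            ip, {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
        entry["messages"] += count
        entry["dmarc_pass" if passed else "dmarc_fail"] += count
    return summary


def failing_sources(summary):
    """IPs that sent mail claiming the domain and failed DMARC: either
    someone forging you, or a sender you forgot to authorise."""
    return sorted(ip for ip, s in summary["sources"].items() if s["dmarc_fail"])


def known_senders_all_pass(summary, known_ips):
    """Go/no-go check before tightening p=none to quarantine or reject:
    every sender you know to be yours must pass, so the failing remainder is
    exactly the traffic the stricter policy will drop."""
    return all(summary["sources"].get(ip, {"dmarc_fail": 0})["dmarc_fail"] == 0
               for ip in known_ips)


if __name__ == "__main__":
    report = summarize_dmarc_report(SAMPLE_REPORT)
    print(report["policy"], failing_sources(report))
```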

  • vyasvyas OG
    edited October 2021

    @foxone said:

    @vyas said:
    OP should fire the customer.

    How do you "fire" customers? :pensive:

    >

    If they cost you more than you make from them, a month (or two) before renewal period ends, send a notice- "we will not continue with you yada yada." Your TOS should have included the renewal clause.

    To terminate mid-term you can update your TOS and give them advance notice as others have suggested.

    "Encourage" them to move to a different pricing tier, if they are a LE customer, they will also give you free publicity by posting a PMS thread most likely on LET.

    But yeah, they are retards.

    hmm sounds like vocabulary from another host.... @yoursunny knows what I talk about.

  • Nobody ever had access to my domain. DKIM and SPF are set correctly by me to allow E-Mails from Google Apps servers (that's what we use), and I have no DMARC policy since I didn't feel like I needed it.

    Since our customer (we are not in the hosting business, it's just people we sell machinery to) got hacked, somebody started sending mails pretending to be us, and this was the start of this nightmare...

  • johnkjohnk Hosting Provider

    @foxone said:
    Nobody ever had access to my domain. DKIM and SPF are set correctly by me to allow E-Mails from Google Apps servers (that's what we use), and I have no DMARC policy since I didn't feel like I needed it.

    Since our customer (we are not in the hosting business, it's just people we sell machinery to) got hacked, somebody started sending mails pretending to be us, and this was the start of this nightmare...

    Did these forged emails pass SPF + DKIM checks?

  • @foxone said:

    Since our customer (we are not in the hosting business, it's just people we sell machinery to) got hacked

    What type of machinery?

  • DanielDaniel OG
    edited October 2021

  • @foxone said: DKIM and SPF are set correctly by me to allow E-Mails from Google Apps servers (that's what we use),

    Is your SPF record set to softfail (~all at the end) or hardfail (-all at the end)? It should be set to hardfail once you're sure that it's accurate, in which case any email that fails the SPF check should be marked as spam by recipient servers. This is where DMARC can be useful, as it lets you tell approximately how frequently your emails fail SPF checks.

  • @Daniel said:

    @foxone said: DKIM and SPF are set correctly by me to allow E-Mails from Google Apps servers (that's what we use),

    Is your SPF record set to softfail (~all at the end) or hardfail (-all at the end)? It should be set to hardfail once you're sure that it's accurate, in which case any email that fails the SPF check should be marked as spam by recipient servers. This is where DMARC can be useful, as it lets you tell approximately how frequently your emails fail SPF checks.

    My SPF is set to "v=spf1 include:_spf.mlsend.com include:eu.zcsend.net include:_spf.google.com include:mxroute.com -all"

  • mikhomikho AdministratorOG

    @Daniel said:

    @foxone said: DKIM and SPF are set correctly by me to allow E-Mails from Google Apps servers (that's what we use),

    Is your SPF record set to softfail (~all at the end) or hardfail (-all at the end)? It should be set to hardfail once you're sure that it's accurate, in which case any email that fails the SPF check should be marked as spam by recipient servers. This is where DMARC can be useful, as it lets you tell approximately how frequently your emails fail SPF checks.

    As long as the recipient server actually checks the SPF.
    I've had clients who had these checks disabled as many of their clients had their own domains and almost never set up an SPF record for it.

    Thanked by (2)bikegremlin Falzo

    “Technology is best when it brings people together.” – Matt Mullenweg

  • @foxone said:
    My SPF is set to "v=spf1 include:_spf.mlsend.com include:eu.zcsend.net include:_spf.google.com include:mxroute.com -all"

    Might be too many includes?
    (Not sure what the limits are, but DNS can't expand too many, I think ...)

  • @flips said:

    @foxone said:
    My SPF is set to "v=spf1 include:_spf.mlsend.com include:eu.zcsend.net include:_spf.google.com include:mxroute.com -all"

    Might be too many includes?
    (Not sure what the limits are, but DNS can't expand too many, I think ...)

    One can have up to 10 DNS lookups, so this should be okay in this respect.

    Thanked by (1)flips

    "A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)

  • I think you can't do much about it directly. Anyone can go ahead and start spoofing the from address for any domain and also forging mails that look like yours. It's probably not even safe to say that this is related to that hacked client after all.

    As @mikho said, SPF and DKIM will only help depending on how the receiving server handles this information, and still these mails will be in the world and might continue to bounce or circle around and eventually hurt your domain reputation (not IP).

    I'd suggest trying to change the (transactional) mail designs where possible, avoid graphics and external links if not absolutely needed.
    Check how you handle bounces to avoid double bouncing eventually non-existing mail addresses on your domain (not sure how gmail goes about that though).
    Also ask your contacts, especially with addresses at bigger providers like Microsoft or Gmail itself, to add your regular sending mail address as a contact in their accounts, so these providers get the chance to learn about legitimate senders from your domain.

    Thanked by (2)angstrom Daniel
  • @angstrom said:

    @flips said:

    @foxone said:
    My SPF is set to "v=spf1 include:_spf.mlsend.com include:eu.zcsend.net include:_spf.google.com include:mxroute.com -all"

    Might be too many includes?
    (Not sure what the limits are, but DNS can't expand too many, I think ...)

    One can have up to 10 DNS lookups, so this should be okay in this respect.

    You're right. Unless you add MX and a couple of other arguments, this should only be 8 required queries, I think. :#

  • DanielDaniel OG
    edited October 2021

    @angstrom said: One can have up to 10 DNS lookups, so this should be okay in this respect.

    @flips said: You're right. Unless you add MX and a couple of other arguments, this should only be 8 required queries, I think.

    Yeah looks like 8 to me. _spf.google.com has include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com which adds 3 queries (all of which are just IPs), and mxroute.com has include:_s00002163.autospf.email which adds another query.

    I wouldn't recommend having so many vendors on a single domain, as any one of those vendors being breached or having a security issue that allows spoofing can impact deliverability of all emails on your domain. IMO, at least marketing emails should be split onto a separate subdomain and sent from a different IP to avoid you having issues with corporate emails being seen as spam if customers mark newsletters / mailing lists as spam. This is usually how larger companies do it - eg if you look at Costco, their marketing emails come from online.costco.com whereas transactional emails come from costco.com, and customer service emails come from a different domain that I can't quite remember right now, and all three have different SPF records.
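    An added example (not from the thread) that counts SPF lookups the way Daniel does by hand above, and reports the -all/~all choice from his earlier post. It uses a constructed table in place of real DNS: the record names are the ones quoted in the thread, the IP ranges are documentation addresses, and loose.example is a hypothetical softfail record.

```python
# Constructed stand-in for DNS TXT lookups. The record names are the ones
# quoted in the thread; the IP ranges are documentation addresses, and the
# real records differ and change over time.
FAKE_DNS_TXT = {
    "example.com": ("v=spf1 include:_spf.mlsend.com include:eu.zcsend.net "
                    "include:_spf.google.com include:mxroute.com -all"),
    "_spf.mlsend.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "eu.zcsend.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.128/25 ~all",
    "mxroute.com": "v=spf1 include:_s00002163.autospf.email -all",
    "_s00002163.autospf.email": "v=spf1 ip4:192.0.2.128/25 -all",
    # Hypothetical softfail record showing that mx and a cost lookups too.
    "loose.example": "v=spf1 mx a include:_spf.google.com ~all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208 s.4.6.4
LOOKUP_LIMIT = 10


def spf_lookups(domain, resolve=FAKE_DNS_TXT.get, _seen=None):
    """Return (lookup_count, all_qualifier) for domain's SPF record.

    lookup_count is the number of DNS-querying terms a receiver must
    evaluate, followed recursively through include: and redirect=.
    all_qualifier is the record's own 'all' prefix: '-' hardfail,
    '~' softfail, '?' neutral, '+' pass, or None if there is no 'all'.
    """
    seen = set() if _seen is None else _seen
    record = resolve(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    count, all_qualifier = 0, None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            count += 1 + _descend(term.split("=", 1)[1], resolve, seen)
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, target = term.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            count += 1
            if name == "include":
                count += _descend(target, resolve, seen)
    return count, all_qualifier


def _descend(target, resolve, seen):
    # A record referenced twice still costs the lookup counted by the caller
    # but is expanded only once; this also stops include loops.
    if target in seen:
        return 0
    seen.add(target)
    return spf_lookups(target, resolve, seen)[0]


def spf_findings(domain, resolve=FAKE_DNS_TXT.get):
    """The two points argued in the thread: lookup budget and -all vs ~all."""
    lookups, qualifier = spf_lookups(domain, resolve)
    return {"lookups": lookups,
            "within_limit": lookups <= LOOKUP_LIMIT,
            "hardfail": qualifier == "-"}


if __name__ == "__main__":
    for name in ("example.com", "loose.example"):
        print(name, spf_findings(name))
```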

  • foxonefoxone OG
    edited October 2021

    I removed some stuff from the SPF to tidy up and Mailhardener told me my DKIM weren't properly configured (for some reason Gmail wasn't using them even though they were set on the domain).

    Looks like there's plenty of people who want to send e-mails with our domain!
