How do they spoof my email address?

Twitchin Kitten

New Member
I am getting deluged with ridiculous spam emails from "myself" with zip attachments which are titled things like "FILE04508" or "document748574758" or "images" anything that they think are going to pique my interest and have me open these letting loose some kind of virus or Trojan into my system or worse, the server. I've had a few of those hosting with another company where hidden files were unleashed once I connected via FTP. I was using Windows at that time and have since switched to Apple products, but we all know they're not invincible. Better, just not invincible.

Anyway, if I look at the full headers we know they come from Indonesia or some Middle Eastern den of spammers.

What I want to know is how can they spoof my email address so it looks like I'm emailing myself with this garbage? Pretty sure they know full well that if I mark that as "SPAM" I'm also marking myself as a spammer, which is why I was told not to mark these as SPAM by the friend I have managing the server for me.

Does anyone know the process they use and is there a way to prevent this?

TKitten@twitchinkitten.com
To:TKitten@twitchinkitten.com
Content-Type: multipart/mixed; boundary=Apple-Mail-D03B505E-5FBB-7022-11C4-7572B15417EC
Mime-Version: 1.0 (1.0)
X-Spam-Level: ***
X-Spam-Status: No, score=3.285 tagged_above=1 required=4.5 tests=[BAYES_40=-0.001, HELO_MISC_IP=0.066, RCVD_IN_BL_SPAMCOP_NET=1.347, RDNS_NONE=0.793, TO_EQ_FM_DIRECT_MX=1.079, TVD_SPACE_RATIO=0.001] autolearn=no
X-Spam-Score: 3.285
Return-Path: <TKitten@twitchinkitten.com>
X-Mailer: iPhone Mail (13a50)
X-Spam-Flag: NO
Content-Transfer-Encoding: 7bit
Received: from localhost (unknown [127.0.0.1]) by vps29.xxxxx.com (Postfix) with ESMTP id B4CA7256020B for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 14:17:00 +0000 (UTC)
Received: from vps29.xxxxx.com ([127.0.0.1]) by localhost (vps29.xxxxx.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ii2YArws9-zN for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 10:17:00 -0400 (EDT)
Received: from [1.46.13.177] (unknown [1.46.13.177]) by vps29.xxxxx.com (Postfix) with ESMTP id 8A1562560208 for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 10:16:59 -0400 (EDT)
X-Virus-Scanned: amavisd-new at vps29.xxxxx.com
Delivered-To: tkitten@twitchinkitten.com
Message-Id: <D03B505E-5FBB-7022-11C4-7572B15417EC@twitchinkitten.com>
FILE04508
 
Hi,

Welcome to the Knownhost forums!

Most of those documents as of late have not been trojans/viruses, but ransomware/crypto, which Apple did a good job of not making themselves susceptible to (I haven't seen an Apple ransomware issue, personally). They primarily affect Windows users by saying 'you're late on your payment, here's your invoice', etc.; but they can still be a nuisance, nonetheless, when dealing with receiving them.

Unfortunately, you can't 'prevent' spoofing of the FROM: address. Most of these are generated via PHP mailers that don't require SMTP authentication, and they just broadcast mail based on 'whatever' they input to make it show who it is 'From'. The most you can do is have various means of email authentication set up for yourself so that when other web servers (or your own) perform checks against it they can see that it doesn't match what they're checking for and automatically deny/reject the email.

This can be done by setting up proper SPF records and utilizing DKIM-based authentication for your email, among other different things, but if the receiving mail system doesn't make use of these authentication methods to score such emails in a negative way, or reject them, then there isn't anything you can do.

You can also make sure that SpamAssassin (if your server has this) is enabled on your server to score incoming mail based on RBL checks/content/malicious attached files; this tends to help cut down on the spoofing as well.

Though, based on those headers, it looks like the email is coming from your server?

Might want to open a support ticket if you want us to take a closer look at everything.
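To make the SPF part of the reply above concrete, here is an added example (not from the thread or from Knownhost): a minimal SPF evaluator that handles only the ip4/ip6/all mechanisms, run against three constructed records for the domain in the thread. The records and the 203.0.113.10 "legitimate server" address are assumptions; the real DNS record for twitchinkitten.com is not on the page. The spam source address 1.46.13.177 is the one from the quoted headers.

```python
import ipaddress

# Constructed SPF records for the domain in the thread (assumed values, not the
# real DNS record). 203.0.113.10 stands in for the domain's own mail server.
WEAK_SPF = "v=spf1 ip4:203.0.113.10 +all"    # "+all": every sender passes, record is useless
SOFT_SPF = "v=spf1 ip4:203.0.113.10 ~all"    # "~all": softfail, receivers may only add spam score
STRICT_SPF = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"  # "-all": hard fail, receivers may reject

# SPF qualifier characters and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record for the connecting client IP.

    Toy evaluator: supports ip4, ip6 and all. Mechanisms it does not implement
    (a, mx, include, exists, redirect) are skipped, which a real checker must
    not do. Returns pass, fail, softfail, neutral, or none when nothing matched.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # "all" always matches
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "none"


def spf_verdicts(client_ip):
    """Show how the same spam source fares under the weak, soft and strict records."""
    return {
        "weak": check_spf(WEAK_SPF, client_ip),
        "soft": check_spf(SOFT_SPF, client_ip),
        "strict": check_spf(STRICT_SPF, client_ip),
    }


if __name__ == "__main__":
    for name, verdict in spf_verdicts("1.46.13.177").items():
        print(f"{name:6} record -> {verdict}")
    print("own server under strict record ->", check_spf(STRICT_SPF, "203.0.113.10"))
```

The point the script makes is the one the reply makes: a record ending in "+all" authorizes the spammer's host just as much as your own, "~all" only lets the receiver add score (the headers in this thread show SpamAssassin scoring but not rejecting), and only "-all" gives a receiving server that actually checks SPF a reason to refuse the message outright.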
 
Yeah, that's what I was concerned with. Not sure if you'll help me out since I'm not using your cPanel or any of the other ones you offer. My friend who manages the server for me uses ISPConfig. To top it off, I haven't been able to get hold of him for a while, and his answer to this kind of spoofing is "just delete them". I don't touch the 'techy' stuff on the server due to having "gremlins in my fingers".

If you guys would be able to support, let me know and I'll open a ticket. In the meantime, I'm trying to get hold of him.
 
Email headers are read from the bottom up. Here's the culprit.

Received: from [1.46.13.177] (unknown [1.46.13.177]) by vps29.xxxxx.com (Postfix) with ESMTP id 8A1562560208 for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 10:16:59 -0400 (EDT)
 
Yes, KH-JohnathanKW noted this too. They seem to be coming from our servers.

Since my server is "unmanaged" I'll be hoping to get to this over the coming weekend. I've since talked with my friend who manages the server for me.
 
The message originated from 1.46.13.177, received by vps29.xxxxx.com, passed to the local scanner (amavisd) and came back from it.
I'd say it's not from your server(s), unless 1.46.13.177 is one of yours.
 
When you set up an Outlook account, for example, you can set up whatever e-mail server you want to use and put whatever you want in the "Email Address" field, even the name of the recipient - that then looks as if you sent it to yourself. (btw, no harm trying it and sending a friend an e-mail from "Obama@whitehouse.gov" with the subject "I need you to support our country and vote for Trump!")
The spam software the criminals use is doing the same thing. When you look deeper into the properties of the e-mail, the only part that gives that away is the source server name/IP in the "Received: from" part.
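Several replies above make the same point (read the Received: headers from the bottom up; the From: field is whatever the sender typed, the first external hop is where the mail really came from). As an added example that is not part of the thread, here is a short Python script that does that walk on headers constructed from the ones quoted in the first post; the "From:" line is an assumption, since the quoted block shows only the bare address, and the vps29.xxxxx.com name is kept as redacted in the thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers quoted in the first post. The From: line is
# assumed; the quoted block shows only the address. Server name is redacted
# as in the thread.
SAMPLE_HEADERS = """\
From: TKitten@twitchinkitten.com
To: TKitten@twitchinkitten.com
Return-Path: <TKitten@twitchinkitten.com>
Received: from localhost (unknown [127.0.0.1]) by vps29.xxxxx.com (Postfix) with ESMTP id B4CA7256020B for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 14:17:00 +0000 (UTC)
Received: from vps29.xxxxx.com ([127.0.0.1]) by localhost (vps29.xxxxx.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ii2YArws9-zN for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 10:17:00 -0400 (EDT)
Received: from [1.46.13.177] (unknown [1.46.13.177]) by vps29.xxxxx.com (Postfix) with ESMTP id 8A1562560208 for <TKitten@twitchinkitten.com>; Mon, 27 Jun 2016 10:16:59 -0400 (EDT)
Message-Id: <D03B505E-5FBB-7022-11C4-7572B15417EC@twitchinkitten.com>
"""

# "from <who> by <receiver>" is the part of a Received: header that matters here.
RECEIVED_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_headers):
    """Return the Received: hops in delivery order (bottom of the header block first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # top header is the last hop
        match = RECEIVED_RE.search(value)
        if not match:
            continue                                       # hop without from/by, ignore
        ip_match = IPV4_RE.search(match.group("from"))
        hops.append({
            "from": match.group("from"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": match.group("by"),
        })
    return hops


def originating_ip(hops):
    """First hop whose client address is a public IP: loopback hops such as the
    amavisd scanner re-injecting the mail on 127.0.0.1 are skipped."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def from_domain(raw_headers):
    """Domain of the From: header, which the sender controls completely."""
    msg = message_from_string(raw_headers)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def summarize(raw_headers):
    hops = parse_hops(raw_headers)
    return {
        "claimed_from_domain": from_domain(raw_headers),
        "origin_ip": originating_ip(hops),
        "hop_count": len(hops),
        "first_receiver": hops[0]["by"] if hops else None,
    }


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(f"from {hop['from']!r:55} ip={hop['ip']}  by {hop['by']}")
    print(summarize(SAMPLE_HEADERS))
```

Run on the thread's headers the walk gives three hops: 1.46.13.177 handing the message to vps29 (Postfix), Postfix passing it to amavisd on 127.0.0.1, and amavisd handing it back. The only public address in the chain is the first one, so the From: domain matching the recipient says nothing about where the mail came from; this is the same conclusion the reply about "not from your server(s), unless 1.46.13.177 is one of yours" reaches by eye.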
 
Oh sure, no harm at all, until the Secret Service, FBI, national security, etc. find out you're sending emails posing as Obama from the White House. But, until then, no harm at all.
 