FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
5 May 2016, 01:18 AM | #31 |
Master of the @
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
|
Looking at this in more detail.
To try to mitigate the impact of my own domains being used for spam campaigns I have implemented SPF, DKIM and DMARC. Now I want to go further.
1. On SPF I still have the 'all' qualifier as ?all. I would ideally like to change this to -all but I understand that will prevent recipients of my valid emails being able to forward emails. Is this true?
2. On DMARC I have changed the P to 'p=quarantine'. Not sure if I set it to reject that will help.
3. I was going to upload to my address book all email addresses I have received emails on. But I now understand that whitelisting is no longer implemented. Not sure why (or when that was announced) but I guess I can now skip populating my address book in such a way??
4. I am also going to populate my 'aliases' with the various email addresses I have actually sent from. I will have to populate new addresses in the future (which is a pain).
5. Once I have done all that I will turn off all wildcards for both domains. Specifically the *.domain.tld in aliases and in my address books.
The hope then is that this will stop my domains being used by spam merchants (as the email From addresses they use will not exist) and the SPF and DMARC settings will mitigate most other stuff. Is this correct? Anything I'm missing? What I want to avoid is losing valid incoming emails or my valid outgoing emails being blocked.
Cheers
Ed |
5 May 2016, 02:01 AM | #32 |
Essential Contributor
Join Date: Oct 2003
Posts: 327
|
I'd happily set the SPF record to -all, but some family members use gmail while still setting the From address to be theirname@mydomain.example
How do I whitelist FM and gmail only while disabling the rest? |
5 May 2016, 06:07 AM | #33 | |
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
|
Quote:
|
|
5 May 2016, 05:22 PM | #34 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
I completely agree with BritTim's remarks. You shouldn't worry about someone spoofing your address and using it to send spam. It's a pain when you get loads of backscatter delivery failure or other rejection messages, but that shouldn't cause blacklisting for your domain.
Bill |
15 May 2016, 02:03 AM | #35 |
Member
Join Date: Aug 2008
Posts: 61
|
I've been receiving many of these "failed to deliver" backscatter messages as well in the past couple of weeks, all sent to invalid addresses at my domain.
Two things:
- Is it worth enabling the option to automatically discard these messages? Is it guaranteed that no "real" email will be wrongly discarded?
- Why are FM's users receiving these emails all of a sudden? Have FM changed a setting somewhere that now means we see these messages, or have FM's customers somehow become a target?
Thanks, |
15 May 2016, 01:01 PM | #36 | ||
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
Quote:
Quote:
The only way you can attempt to block spammers spoofing your address is to use SPF and DMARC for your domain.
Code:
header:"X-Backscatter: yes" |
15 May 2016, 08:57 PM | #37 |
Member
Join Date: Aug 2008
Posts: 61
|
Thanks very much for your detailed response Bill.
If this trend continues, I may look into enabling these options. |
17 May 2016, 09:58 PM | #38 |
Member
Join Date: Feb 2014
Posts: 56
|
I too have been getting hundreds of these over the past week using the exact same formula as everyone else. Before this, I never received any backscatter spam and nothing has changed.
I know we can't "know" what the spammers are doing, but obviously it is not a coincidence that all of a sudden everyone on FM is getting backscatter. Was there a breach in FM that allowed a third party to see what domains are using FM? |
17 May 2016, 10:42 PM | #39 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,944
|
|
18 May 2016, 10:04 AM | #40 | |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
Quote:
The only way I know of protecting the reputation of your domain and reducing backscatter is as I suggested below (SPF, DKIM, and DMARC). Without publishing SPF for your domain, a receiving email server has no way of knowing which servers send email for your domain, so they have to assume that any message which appears to be from your domain is indeed a proper message. When the message is bounced at the SMTP stage, there is usually no spam filtering at the receiving server and the only way for the server to block the message (not send you backscatter) is if SPF fails, if the sending IP is a known insecure server, or if other behavior of the server is suspicious (such as bad response to greylisting).
My guess is that these reports are the results of random behavior by spammers.
Bill |
|
19 May 2016, 12:07 AM | #41 | |
Member
Join Date: Feb 2014
Posts: 56
|
Quote:
|
|
19 May 2016, 04:32 AM | #42 |
Member
Join Date: Nov 2005
Posts: 38
|
Just adding another victim to the list. It started just over three weeks ago. I'm getting a dozen (or fewer) a day, most of which are moved to spam. FirstLastNumber addresses asking for payment or with zip attachments. This isn't the first time, but the first in many years.
It's not a huge problem and I could have them discarded but want to monitor. The main annoyance is that I get iPhone Mail alerts.
It's happening to one of my three FM hosted domains. This could be an overall trend of increasing domain hijacking, or random DNS harvesting targeting FM hosted addresses. However, this domain is the one that I use to give companies unique addresses (so I need to wildcard accept) so it could have been a leak from one of those companies. It is curious that it happened to a number of us at the same time.
I tightened SPF to -all with no apparent effect. Hopefully it helps with future attacks. Now looking into DMARC.
Cheers |
19 May 2016, 07:09 PM | #43 |
Master of the @
Join Date: Sep 2004
Posts: 1,583
|
Would it be safe to filter the following, or is it likely that some legitimate messages also contain this?
Code:
X-Backscatter: NotFound1
https://www.fastmail.com/help/techni...ckscatter.html
I think I'll filter them to spam and leave them unread so I can check them. |
20 May 2016, 03:31 AM | #44 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
The subject of this email thread concerns backscatter spam, so I'm going to assume that everyone posting in this thread is describing their experience with backscatter, which is not email directly addressed to you from a spammer.
Here is my experience in the past 60 days - that's how long I keep old spam (96 spam messages as of today):
I am checking with Fastmail staff to see if my interpretation of the empty Return-Path header causing X-Backscatter: NotFound1 is correct.
Bill
Last edited by n5bb : 20 May 2016 at 04:11 AM. Reason: Added comments about empty Return-Path header |
20 May 2016, 10:52 AM | #45 | |
Cornerstone of the Community
Join Date: Jul 2004
Location: Manila
Posts: 509
|
Quote:
I'm filtering all of the backscatter messages into the folder of the same name, which doesn't have spam learning activated. Is there an advantage to learning all of these messages as spam? As it is, I'm only moving backscatter messages to the spam folder if they make it to my inbox, which is not frequent. I'm worried that marking those messages as spam (552 in May alone) might skew the finely tuned balance currently evident in my spam filtering.
My current settings, which up to this backscatter spate, have been highly effective:
Apply a spam # to subject line: >1
Move to spam folder: >2
Discard: >7
Kevin |
|