How to catch a spammer using my domain email?

Dear Community,

I am hoping to get help here.

I am currently helping out an NGO to manage their domain name. The domain was re-registered in January 2022. Prior to that, the domain was inactive (expired for a few years).

It as come to our attention that someone used our email [email protected] to send out email without our knowledge in April 2022.

My assumption is that:

  1. someone that managed the email and domain previously might have added and verified the [email protected] to email marketing platform such as mailchimp or etc.
  2. similar to point 1 above but this time to gmail so that can use the “send as” feature.

I was thinking, does the email sender record such as IP address, email client, etc. were recorded somewhere either by DNS provider (in this case is Cloudflare) or by registrar or by any other party?

We have contacted the recipient and they refused to provide us the email details.

Is there a way to retrieve such info or any way to catch the culprit?

Thank you in advanced.

In this situation Cloudflare, as the DNS provider, can do very little, if nothing.

I’d suggest implementing SPF, DMARC and DKIM on the domain (which are set-up via DNS records).
The IP address is recorded in the e-mail headers, if you can get the full e-mail.

PS: do note that someone could have been compromised and the e-mails could come directly from an actual account (I know rules to auto-delete incoming messages on compromised accounts to prevent discovery have been added multiple times). In this case if you have a decent e-mail provider you should have logs.

Thank you Matteo for your response.

I have implemented SPF, DMARC and DKIM.
DMARC as below :
v=DMARC1; p=none; sp=none; adkim=s; rua=mailto:[email protected],mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected]; aspf=s; fo=1; pct=100

SPF as follow :
v=spf1 include:_spf.mlsend.com a mx include:spf.kirim.email include:spf.forwardemail.net -all

Do you have any improvement suggestion?

Could you please share how to identify compromised accounts and how to auto delete incoming messages on compromised account?
Could you please share how to find the logs if I have a decent e-mail provider?
I have setup the “send as” feature on my personal email. Is this info relevant ?
I have also received the DMARC report but mostly is from yahoo, gmail, outlook, hotmail etc. While the recipient is a professional domain. example domain1.com

Is there a way to identify the culprit ?

Thank you

Note that this isn’t the best place to discuss this as it’s the main focus, but…

  1. I’d consider actually enforcing DMARC (you are not, currently, p=none; sp=none;)
  2. In the SPF, are you actually gonna send e-mail via the MX records’ IPs and the A records (which are Cloudflare’s, not even possible to do so)?

These are provider specific, I’m not gonna speculate nor search endlessly. Talk to them.

Maybe, was your personal account compromised? I’d suggest to avoid this as it will mess up DMARC, etc.

99% of professional e-mail is handled by one of the big providers, with custom domains. Basically no one handles it internally. You’ll see these reports from them, especially as they are sent by the recipients’ provider.

Maybe, but it’s very hard to do so.

Thank you for your input. I have therefore made some changes.

i) updated p=none to p=reject
ii) while for sp=none , should I remove it? I followed the DMARC generator

  1. I am using forwardemail to forward all domain email, they recommended to add mx record.

  2. I have checked, my account is not compromised.

  3. I have checked one of the abnormal record in the DMARC report sent by Google. Would appreciate your input. The report as below. I have rename the domain name and IP address for privacy purposes.

11.12.3.133.69 = not real IP address , it is also the IP address of the web hosting company that host otherdomain .com
mydomain .com = the domain I manage
otherdomain .com = not related to us
myemailserver .com = this domain related to the email marketing platform I am using and I have added in my domain spf setting.

<record>
    <row>
      <source_ip>**11.12.3.133.69**</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>**mydomain .com**</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>**otherdomain .com**</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <dkim>
        <domain>**mydomain .com**</domain>
        <result>fail</result>
        <selector>ml</selector>
      </dkim>
      <dkim>
        <domain>**myemailserver .com**</domain>
        <result>fail</result>
        <selector>ml</selector>
      </dkim>
      <spf>
        <domain>**otherdomain .com**</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

My understanding is that otherdomain .com sent an email claiming it from mydomain .com
Since the IP address is the IP address of the otherdomain .com web hosting company, I assume that the sender sent email from their cpanel webmail, or could it be from their gmail but using cpanel smtp?

For this auth_results part, why is the result “pass” for dkim and spf ? The otherdomain .com is not in my domain dns setting at all.

<auth_results>
      <dkim>
        <domain>otherdomain .com</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
.
.
.
<spf>
        <domain>otherdomain .com</domain>
        <result>pass</result>
      </spf>
    </auth_results>

Is there a way to record all recipient email address whenever myself or anyone send email using my domain?

Thank you very much for your help.

Thank you for your input. I have therefore made some changes.

i) updated p=none to p=reject
ii) while for sp=none , should I remove it? I followed the DMARC generator

  1. I am using forwardemail to forward all domain email, they recommended to add mx record.

  2. I have checked, my account is not compromised.

  3. I have checked one of the abnormal record in the DMARC report sent by Google. Would appreciate your input. The report as below. I have rename the domain name and IP address for privacy purposes.

11.12.3.133.69 = not real IP address , it is also the IP address of the web hosting company that host otherdomain
mydomain = the domain I manage
otherdomain = not related to us
myemailserver = this domain related to the email marketing platform I am using and I have added in my domain spf setting.

<record>
    <row>
      <source_ip>**11.12.3.133.69**</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>**mydomain**</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>**otherdomain**</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <dkim>
        <domain>**mydomain**</domain>
        <result>fail</result>
        <selector>ml</selector>
      </dkim>
      <dkim>
        <domain>**myemailserver**</domain>
        <result>fail</result>
        <selector>ml</selector>
      </dkim>
      <spf>
        <domain>**otherdomain**</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

My understanding is that otherdomain sent an email claiming it from mydomain
Since the IP address is the IP address of the otherdomain web hosting company, I assume that the sender sent email from their cpanel webmail, or could it be from their gmail but using cpanel smtp?

For this auth_results part, why is the result “pass” for dkim and spf ? The otherdomain is not in my domain dns setting at all.

<auth_results>
      <dkim>
        <domain>otherdomain</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
.
.
.
<spf>
        <domain>otherdomain</domain>
        <result>pass</result>
      </spf>
    </auth_results>

Is there a way to record all recipient email address whenever myself or anyone send email using my domain?

Thank you very much for your help.

As @matteo pointed out, this isn’t really the best forum for discussing DMARC and email forgery as that falls pretty far outside of the services Cloudflare provides. I expect that you will find your conversation fares a little better over at the dmarcian forums, as email authentication and DMARC reporting is the primary focus there.

I’ll save further comment on this topic for that forum.

2 Likes

I am not aware of such forum.
Hope can get answer from there.
Thank you for pointing out the right forum.