EmailDiscussions.com  


FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 11 May 2016, 11:13 PM   #1
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
Spam pretending to be "from" an address of mine ending up in my inbox

Hi! I have a problem that's started happening just in the past few weeks:

I have an address, let's say misha@otherdomain.com, that forwards to my fastmail account. That address is my main email address, the one I use in most contexts. I do not own otherdomain.com.

Recently, I've been getting several spam messages a day in my inbox that are allegedly from misha@otherdomain.com.

I understand it's trivially easy for spammers to forge the from header so that it looks like the spam is "from" me.

What I'm trying to understand is:


a) Why so many of these messages suddenly started getting through, when they previously had not

b) Whether there's anything I can do to fix the problem.

When I look at the headers of the spam messages that get through, they typically trigger a lot of SpamAssassin tests, but for some reason are assigned a spam score of zero (presumably for reasons that have to do with the fact that misha@otherdomain.com is my address).

I've contacted fastmail support a few times, but the results haven't been very helpful.

I'd welcome any thoughts or advice!

(And I can post some sample headers here if that's helpful)

Thanks!!

Old 11 May 2016, 11:19 PM   #2
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
Here's the headers from a sample message. I've blanked out (I hope) any identifying info that should not be posted here...

Code:
-------- Forwarded Message --------
Return-Path: 	<misha@otherdomain.com>
X-Sieve: 	CMU Sieve 2.4
X-Spam-known-sender: 	yes
X-Spam-score: 	0.0
X-Spam-hits: 	BAYES_50 0.8, DCC_CHECK 1.1, FSL_BULK_SIG 0.001, HELO_MISC_IP 0.065, HTML_MESSAGE 0.001, ME_FROM_EQ_TO 0.01, RCVD_IN_BL_SPAMCOP_NET 2, RCVD_IN_BRBL_LASTEXT 1.449, RCVD_IN_INVALUEMENT 2, RCVD_IN_INVALUEMENT24 2, RCVD_IN_RP_RNBL 1.31, RCVD_IN_UNSUBSCOREBL 1, RCVD_IN_XBL 0.375, SPF_PASS -0.001, URIBL_INVALUEMENT 3, URI_WPADMIN 1, WPBL_RBL 2, XPRIO 1.997, LANGUAGES en, BAYES_USED user, SA_VERSION 3.3.2
X-Spam-source: 	IP='XXX.XXX.XXX.XXX', Host='noreverse', Country='IL', FromHeader='net', MailFrom='net'
X-Spam-charsets: 	plain='windows-1250', html='windows-1250'
X-Resolved-to: 	MYADDRESS@fastmail.fm
X-Delivered-to: 	MYADDRESS@fastmail.fm
X-Mail-from: 	misha@otherdomain.com
Received: 	from mx3 ([xx.xx.x.xxx]) by compute4.internal (LMTPProxy); Mon, 09 May 2016 22:18:57 -0400
Received: 	from mx3.messagingengine.com (localhost [127.0.0.1]) by mx3.nyi.internal (Postfix) with ESMTP id BE877C0099 for <MYADDRESS@fastmail.fm>; Mon, 9 May 2016 22:18:56 -0400 (EDT)
Received: 	from mx3.nyi.internal (localhost [127.0.0.1]) by mx3.messagingengine.com (Authentication Milter) with ESMTP id 5777BACC816.9451DC0085; Mon, 9 May 2016 22:18:56 -0400
Authentication-Results: 	mx3.messagingengine.com; dkim=none (no signatures found); dmarc=none (p=none) header.from=otherdomain.com; spf=pass smtp.mailfrom=misha@otherdomain.com smtp.helo=XXXX.otherdomain.com
Received-SPF: 	pass (otherdomain.com: aaa.cc.bbb.ddd is authorized to use 'misha@otherdomain.com' in 'mfrom' identity (mechanism 'ip4:aaa.cc.bbb.ddd' matched)) receiver=mx3.messagingengine.com; identity=mailfrom; envelope-from="misha@otherdomain.com"; helo=XXXX.otherdomain.com; client-ip=xxx.xxx.xxx.xx
Received: 	from XXXX.otherdomain.com (otherdomain.com [aaa.cc.bbb.ddd]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx3.messagingengine.com (Postfix) with ESMTPS id 9451DC0085 for <MYADDRESS@fastmail.fm>; Mon, 9 May 2016 22:18:56 -0400 (EDT)
Received: 	by XXXX.otherdomain.com (Postfix) id 6284B4CE9C4; Mon, 9 May 2016 22:18:55 -0400 (EDT)
X-Remote-Delivered-To: 	misha@otherdomain.com
Received: 	by XXXX.otherdomain.com (Postfix, from userid 58) id 5A9794CE93C; Mon, 9 May 2016 22:18:55 -0400 (EDT)
X-Remote-Spam-Checker-Version: 	SpamAssassin 3.4.0 (2014-02-07) on XXXX.otherdomain.com
X-Remote-Spam-Level: 	
X-Remote-Spam-Status: 	No, score=-79.3 required=5.0 tests=BAYES_50,DOS_OE_TO_MX, HELO_MISC_IP,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT, RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,RCVD_IN_XBL, RDNS_NONE,SPF_NEUTRAL,URI_WPADMIN,USER_IN_ALL_SPAM_TO,XPRIO autolearn=no autolearn_force=no version=3.4.0
Received: 	from [XXX.XXX.XXX.XXX] (unknown [XXX.XXX.XXX.XXX]) by XXXX.otherdomain.com (Postfix) with ESMTP id F13F14CE927 for <misha@otherdomain.com>; Mon, 9 May 2016 22:18:50 -0400 (EDT)
Message-ID: 	<DAD39F5316961FDAD39F5316961FDAD3@1I1ROLL1>
From: 	misha@otherdomain.com
To: 	misha@otherdomain.com
Subject: 	Hello!
Date: 	10 May 2016 06:47:51 +0200
MIME-Version: 	1.0
Content-Type: 	multipart/alternative; boundary="----=_NextPart_000_0019_01D1AA7B.03BBA7AF"
X-Priority: 	3
X-MSMail-Priority: 	Normal
X-Mailer: 	Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: 	Produced By Microsoft MimeOLE V6.00.2900.5931
Old 12 May 2016, 10:38 AM   #3
randombox
Member
 
Join Date: Mar 2003
Posts: 65
Spams started a few weeks ago

Hi, Misha,
I started getting spammed to death at my fastmail.fm account just a few weeks ago, and it has not stopped, and I don't know that it will or can.
At least fastmail.fm is tracking them and routing them to the 'Spam' folder!

In my case, the spam is simply aliasing my account.
[e.g. YourName@Website.com becomes AliasedName###@YourName.Website.com]
And there does not appear to be a way to create a rule for such aliased spam, unless you don't alias your fastmail.fm account at all.

Maybe a Moderator (or some such) would enlighten us on this topic.
Old 12 May 2016, 11:48 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Forwarding causes problems for spam filtering

Quote:
Originally Posted by Misha View Post
... a) Why so many of these messages suddenly started getting through, when they previously had not...
First, any of these spammers can decide to include you in their spam campaigns and send you a couple of dozen messages every day. The messages don't just appear completely at random, but are the result of actions controlled by individuals. They may decide that it's better to send a large number of spam messages to a small number of targets than a few messages to many more targets. The spammers may be trying different techniques, and some of these may find a way around spam filters. There's no way for an end user to know the details of these many different situations.
Quote:
Originally Posted by Misha View Post
... b) Whether there's anything I can do to fix the problem.

When I look at the headers of the spam messages that get through, they typically trigger a lot of SpamAssassin tests, but for some reason are assigned a spam score of zero (presumably for reasons that have to do with the fact that misha@otherdomain.com is my address).
Here is what I note about the specific message header you posted:
  • Forwarding causes difficulty with determining the authenticity of a message. In some cases forwarding causes ham (good messages) to appear to be spam, while in other cases (this one) forwarding can cause spam to appear to be ham.
  • Examine the following headers from your message. I shortened one line and wrapped several lines:
    Code:
    X-Remote-Spam-Status:     No, score=-79.3 required=5.0 tests=BAYES_50,DOS_OE_TO_MX, HELO_MISC_IP,HTML_MESSAGE,
       RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT, RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RCVD_IN_PSBL,
       RCVD_IN_RP_RNBL,RCVD_IN_XBL, RDNS_NONE,SPF_NEUTRAL,URI_WPADMIN,USER_IN_ALL_SPAM_TO...
    Received:     from [XXX.XXX.XXX.XXX] (unknown [XXX.XXX.XXX.XXX]) by XXXX.otherdomain.com (Postfix) with ESMTP id F13F14CE927
       for <misha@otherdomain.com>; Mon, 9 May 2016 22:18:50 -0400 (EDT)
    Message-ID:     <DAD39F5316961FDAD39F5316961FDAD3@1I1ROLL1>
    From:     misha@otherdomain.com
    To:     misha@otherdomain.com
  • New headers are usually added at the top, so you need to read these headers starting at the bottom. This message is sent To your otherdomain address From your otherdomain address. So From == To. The Message-ID appears to be forged to me. The message was Received at otherdomain addresses to you.
  • Now for the interesting header. The otherdomain.com email system uses a remote spam filter which returned a SpamAssassin score of -79.3, but you can see that there are many spam matches (RCVD_IN_BL_SPAMCOP_NET, etc.). This means that the otherdomain.com email system is whitelisting the message, probably because the From header is in your address book at otherdomain.com.
  • So the key reason that you are getting these is that the otherdomain.com email system isn't noticing that the spammer is forging your From address and setting From == To.
  • But there is more going on here. Examine these headers generated when the message arrived at Fastmail:
    Code:
    Authentication-Results:     mx3.messagingengine.com; dkim=none (no signatures found);
       dmarc=none (p=none) header.from=otherdomain.com;
       spf=pass smtp.mailfrom=misha@otherdomain.com smtp.helo=XXXX.otherdomain.com
    Received-SPF:     pass (otherdomain.com: aaa.cc.bbb.ddd is authorized to use
       'misha@otherdomain.com' in 'mfrom' identity (mechanism 'ip4:aaa.cc.bbb.ddd' matched))
       receiver=mx3.messagingengine.com; identity=mailfrom; envelope-from="misha@otherdomain.com";
       helo=XXXX.otherdomain.com; client-ip=xxx.xxx.xxx.xx
    Received:     from XXXX.otherdomain.com (otherdomain.com [aaa.cc.bbb.ddd])
       (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bit
  • These headers show that SPF (Sender Policy Framework) passed when the message was received at Fastmail. This means that the otherdomain.com domain publishes DNS records which assert that certain servers are allowed to send email for that domain, and the message received at Fastmail indeed was sent from an allowed server.
  • So Fastmail sees a valid message from otherdomain.com. The Fastmail spam filter might possibly block it, but this is prevented because it is From misha@otherdomain.com, which is whitelisted at Fastmail because your address is in your online Fastmail address book. This whitelisting creates the following header, which forces the spam score to 0.0:
    Code:
    X-Spam-known-sender:     yes
  • If the SPF test had failed (for example, if the message wasn't sent with your address in the From header), you would see the following header (from a spam email I received a few hours ago), and the message would not be whitelisted and so could be filtered by the SpamAssassin scores:
    Code:
    X-Spam-known-sender: no, "From == To and no DKIM or SPF for from domain, likely forged"
I will ask Fastmail staff if there is anything they can do about such forwarded spam messages. In this case, the otherdomain.com email system didn't block the message, and Fastmail then trusted the forwarded message to be valid (since it was sent with your otherdomain.com From address by the otherdomain.com server passing the SPF test).

Bill
Old 13 May 2016, 10:32 AM   #5
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
Thanks, Bill! That's all very helpful.

Quote:
So Fastmail sees a valid message from otherdomain.com. The Fastmail spam filter might possibly block it, but this is prevented because it is From misha@otherdomain.com, which is whitelisted at Fastmail because your address is in your online Fastmail address book. This whitelisting creates the following header, which forces the spam score to 0.0:

I wonder: Is there a way to de-whitelist misha@otherdomain.com, while still keeping it in my address book? It seems like that might be one solution, though I guess I could imagine others....
Old 13 May 2016, 10:56 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
I just received a message from Fastmail that there isn't much they can do when the forwarding system fails to block the spam message. Unfortunately, the whitelisting changes the X-Spam-known-sender and X-Spam-score headers before the Sieve rules script processes the message, so there isn't any way to easily remove the whitelisting.

But you could create some other rule to catch similar messages, such as detecting that From == To. It's unfortunate that the spam score isn't available when whitelisting is triggered.

Bill
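An added example, not Fastmail's code and not from anyone in the thread, that reproduces Bill's header analysis in post #4 and turns the From == To rule he suggests in post #6 into a runnable check. It is Python rather than Sieve so it can be run against a saved message. The sample headers are the ones Misha posted, trimmed to the relevant lines, with his placeholder values kept exactly as posted; the function names, the verdict strings and the shape of the evidence dictionary are my own choices, not anything Fastmail produces. The point it makes runnable is that an SPF pass only vouches for the host that connected to the receiving MX, so when that host is the forwarder the pass says nothing about where the message really came from; the known-sender whitelist then hides roughly 20 points of SpamAssassin hits behind a reported score of 0.0.

```python
"""Added example: reproduce the forwarded-spam analysis from this thread.
Parses Authentication-Results and the Received chain of a saved message and
reports why it scored 0.0: SPF passed for the forwarder's own server, nothing
was DKIM-signed, From == To, and the known-sender whitelist hid the hits."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers Misha posted, trimmed to the relevant lines,
# placeholders kept as posted. Newest Received header first, as in a real message.
SAMPLE = """\
Return-Path: <misha@otherdomain.com>
X-Spam-known-sender: yes
X-Spam-score: 0.0
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, FSL_BULK_SIG 0.001, HELO_MISC_IP 0.065, HTML_MESSAGE 0.001, ME_FROM_EQ_TO 0.01, RCVD_IN_BL_SPAMCOP_NET 2, RCVD_IN_BRBL_LASTEXT 1.449, RCVD_IN_INVALUEMENT 2, RCVD_IN_INVALUEMENT24 2, RCVD_IN_RP_RNBL 1.31, RCVD_IN_UNSUBSCOREBL 1, RCVD_IN_XBL 0.375, SPF_PASS -0.001, URIBL_INVALUEMENT 3, URI_WPADMIN 1, WPBL_RBL 2, XPRIO 1.997, LANGUAGES en, BAYES_USED user, SA_VERSION 3.3.2
Received: from mx3 ([xx.xx.x.xxx]) by compute4.internal (LMTPProxy); Mon, 09 May 2016 22:18:57 -0400
Authentication-Results: mx3.messagingengine.com; dkim=none (no signatures found); dmarc=none (p=none) header.from=otherdomain.com; spf=pass smtp.mailfrom=misha@otherdomain.com smtp.helo=XXXX.otherdomain.com
Received: from XXXX.otherdomain.com (otherdomain.com [aaa.cc.bbb.ddd]) by mx3.messagingengine.com (Postfix) with ESMTPS id 9451DC0085 for <MYADDRESS@fastmail.fm>; Mon, 9 May 2016 22:18:56 -0400 (EDT)
Received: from [XXX.XXX.XXX.XXX] (unknown [XXX.XXX.XXX.XXX]) by XXXX.otherdomain.com (Postfix) with ESMTP id F13F14CE927 for <misha@otherdomain.com>; Mon, 9 May 2016 22:18:50 -0400 (EDT)
From: misha@otherdomain.com
To: misha@otherdomain.com
Subject: Hello!

(body omitted)
"""

_COMMENT = re.compile(r"\([^)]*\)")
_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")
_HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")

def parse_auth_results(value):
    """Authentication-Results -> (authserv-id, {method: {"result": r, prop: val}})."""
    parts = [p.strip() for p in _COMMENT.sub("", value).split(";")]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id (the receiving MX)
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result.lower()
        results[method.lower()] = props
    return parts[0], results

def received_chain(msg):
    """Received hops as {helo, peer, by}, oldest first (headers are newest-first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = _HOP.search(value)
        if m:
            hops.append({k: (v or "").strip() for k, v in m.groupdict().items()})
    return hops

def spam_hits_total(value):
    """Sum the per-test scores listed in Fastmail's X-Spam-hits header."""
    total = 0.0
    for item in value.split(","):
        tokens = item.split()
        if len(tokens) == 2 and _NUMBER.match(tokens[1]):
            total += float(tokens[1])
    return total

def classify(raw):
    """Apply the thread's checks to a raw message; returns evidence and a verdict."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    authserv, auth = parse_auth_results(msg.get("Authentication-Results", ""))
    hops = received_chain(msg)
    # SPF only vouches for the host that connected to the authserv-id MX. If that
    # hop is not where the message entered the mail system, the pass belongs to
    # the forwarder and says nothing about the real origin.
    verified = next((h for h in hops if h["by"] == authserv), None)
    origin = hops[0] if hops else None
    spf_pass = auth.get("spf", {}).get("result") == "pass"
    spf_via_forwarder = bool(spf_pass and verified and origin and verified is not origin)
    evidence = {
        "from_eq_to": bool(sender) and sender == recipient,
        "dkim_pass": auth.get("dkim", {}).get("result") == "pass",
        "spf_pass": spf_pass,
        "spf_via_forwarder": spf_via_forwarder,
        "origin_rdns_unknown": bool(origin and origin["peer"].startswith("unknown")),
        "known_sender": msg.get("X-Spam-known-sender", "").lower().startswith("yes"),
        "reported_score": float(msg.get("X-Spam-score", "0") or 0),
        "hits_total": round(spam_hits_total(msg.get("X-Spam-hits", "")), 3),
    }
    # The rule from post #6: From == To and no DKIM signature for the From domain.
    # SPF is deliberately not consulted, because a forwarder can make it pass.
    evidence["rule_from_eq_to_unsigned"] = evidence["from_eq_to"] and not evidence["dkim_pass"]
    evidence["verdict"] = (
        "likely forged via forwarder"
        if evidence["rule_from_eq_to_unsigned"] and spf_via_forwarder
        else "no forwarder-forgery signal"
    )
    return evidence

if __name__ == "__main__":
    for key, val in classify(SAMPLE).items():
        print(f"{key:26} {val}")
```

Run it as a script to see the evidence for the posted message, or pass any saved message to classify(). On the sample it reports from_eq_to, spf_via_forwarder and known_sender all true, dkim_pass false, a reported score of 0.0 against a hits total of 20.107, and the "likely forged via forwarder" verdict; a genuine message that reaches the MX directly from its origin, or that carries a valid DKIM signature, is not flagged. The rule ignores SPF on purpose: as the thread shows, the forwarder's server is an authorised sender for the forged envelope address, so SPF will pass for every message it relays.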
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy