
Thread: Forged Email Headers

  1. #1
    carl6969

    Forged Email Headers

    I have been having a lot of problems with forged email lately: email that (based on the return address and most of the headers) appears to come from one or more of the domains on my VPS. I have SpamAssassin set up and it is catching most of the normal spam, but the forged emails are getting by. I can set up filters on my personal email program to take care of this on my end, but I do not want these emails going out in the first place. Other people are going to think they are really coming from my domains and some of them have malware / virus attachments. Not good for business.

    So, I have been wondering if there is ANY way at all to deal with this on the server side.
    I am using CentOS 5.3, BIND, Procmail filter, SpamAssassin.
    I have done some research and cannot find any obvious errors with my configurations.


  2. #2
    Mr. DOS

    Re: Forged Email Headers

    I think http://www.robsworld.org/forgery.html is probably relevant to you.

  3. #3
    lemon-tree

    Re: Forged Email Headers

    It is almost certain that the emails are not actually originating from your server, but as you said the headers are just being manipulated to tell the end user they are coming from your server. I would recommend looking at the headers of the email and looking for a mailed-by header; this may give you an impression as to the origin of the email but it will still be very difficult to stop it unless the spammer is stupid enough to be sending from a server that has web content on it too.
    Basically, as that document says, it is very difficult to stop the spammers, but you could use a few techniques to assist your users. Firstly, I would recommend sending an email to all your users describing the situation and perhaps changing your email address. I would also use an email obfuscator to hide your email address from web bots, as this is likely where they got your address from.
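
The header inspection discussed above, as an added example that is not part of the original post: it trusts only the Received line written by your own inbound server and compares the peer address logged there with the addresses your domain really sends from. The host names, addresses, sample message and the `analyse` helper are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this sketch: the hosts and addresses below are placeholders.
TRUSTED_MX = {"mx.example.com"}      # inbound servers you operate yourself
OUR_DOMAINS = {"example.com"}        # domains hosted on the VPS
OUR_OUTBOUND_IPS = {"192.0.2.10"}    # addresses your domains really send from

# Constructed sample. The top Received line was written by our own MX; the
# one below it arrived with the message and can say anything.
RAW = """\
Return-Path: <bounce@bulk.example.net>
Received: from mail.example.com (unknown [203.0.113.77])
    by mx.example.com with ESMTP id CONSTRUCTED1; Fri, 19 Mar 2010 09:00:00 -0600
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by relay.example.org with ESMTP; Fri, 19 Mar 2010 08:58:00 -0600
From: "Billing" <billing@example.com>
To: user@example.com
Subject: Invoice attached

See attachment.
"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    handoff_ip = None
    for hop in msg.get_all("Received", []):      # newest hop first
        by = BY_RE.search(str(hop))
        if by and by.group(1).lower() in TRUSTED_MX:
            ip = IP_RE.search(str(hop))          # peer address our MX logged
            handoff_ip = ip.group(1) if ip else None
            break
    from_domain = domain_of(msg["From"])
    return {
        "from_domain": from_domain,
        "envelope_domain": domain_of(msg["Return-Path"]),
        "handoff_ip": handoff_ip,
        "spoof_suspected": from_domain in OUR_DOMAINS
                           and handoff_ip not in OUR_OUTBOUND_IPS,
    }
```

Received lines differ between mail servers, so the two regular expressions need adjusting to the format your own MX writes.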

  4. #4
    carl6969

    Re: Forged Email Headers

    Originally posted by Mr. DOS:
    "I think http://www.robsworld.org/forgery.html is probably relevant to you."
    Thanks for the link. Good article.


  5. #5
    carl6969

    Re: Forged Email Headers

    @lemon-tree
    Thanks for the reply and the advice.
    Even though I receive a lot of spam with obviously forged headers, the spam that seemed to be coming from my own server was puzzling me. I started wondering if I had a vulnerability somewhere that the spammers were exploiting, or, perhaps, more experienced server operators had found a way to prevent this problem. Based on some reading, including the article referenced by Mr. DOS, the only point I may have failed at is obfuscated email addresses. Ironically, I have recently started changing all that, but I fear I am closing the barn door after the cows have already left. But perhaps this thread will be useful to new VPS users just getting started in the future.
    Thanks again.
    Last edited by carl6969; 03-19-2010 at 03:12 PM. Reason: Grammar errors due to caffeine deprivation.


  6. #6
    The Real Rebel

    Re: Forged Email Headers

    Ouch, sorry to see you have this problem, Carl. Hope everything is getting better now.

  7. #7
    carl6969

    Re: Forged Email Headers

    Originally posted by The Real Rebel:
    "Ouch, sorry to see you have this problem, Carl. Hope everything is getting better now."
    Thanks. Currently working to correct both the forged email problem and the caffeine deprivation. Mr. Coffee assisting with second one.


  8. #8
    The Real Rebel

    Re: Forged Email Headers

    Lol, I have mr coca cola to sort that :P

  9. #9
    lemon-tree

    Re: Forged Email Headers

    "Ironically, I have recently started changing all that, but I fear I am closing the barn door after the cows have already left"
    Don't worry, I did a similar thing once and my spam levels in my inbox were hundreds per week. On the same address now I get a couple a month. It seems that the spam crawlers will drop your email address after a while of not being able to find it anywhere; it's like they refresh their database of known emails once a month or so. So eventually those cows you let loose will come back eventually.

  10. #10
    masshuu

    Re: Forged Email Headers

    I set an SPF record on my domain. Any mail server worth its salt obeys SPF records.
