If you’ve found yourself in a situation where your end users are for some reason getting bounce notifications for emails they didn’t send out, don’t panic.
Sometimes it _could_ mean your server has been compromised (e.g., someone managed to guess the user’s password and is sending mail using their account). However, unless your mail queues are building up and you’re blacklisted everywhere, this usually isn’t the case.
What your user (or users) is a victim of is what’s called a “Joe Job”.
A Joe Job is the name given to this form of “attack” where a user is being impersonated when a spammer is spamming the world.
A spammer is (intentionally or unintentionally) sending out spam to the world with your user’s email address as the return address.
If the volume of spam is very high, this can turn into a Denial of Service attack where your server will be slammed with millions of bounce backs.
There are fixes for this.
The easiest is to make sure your domain has an SPF record declared for it.
SPF or “Sender Policy Framework” is a way to declare who can broadcast email on behalf of your domain.
So if someone sends an email using randomname@yourdomain.com, the recipient server at the other end will usually check to see if yourdomain.com has an SPF record and if the SENDING server is authorized to send mail on your behalf.
If the email is originating from a place you have not authorized, the message will either be soft failed (sometimes going to quarantine in the target’s spam filter) or hard failed (rejected with a 550 notice).
An SPF record is actually declared as a TXT record in your DNS for your domain.
Example: for the domain xyz.com
TXT = "v=spf1 a mx ip4:74.56.86.26 ip4:173.248.158.0/24 -all"
What the SPF record is saying for xyz.com is that email must come from the IP the domain is associated with (a), the MX servers declared for this domain (mx), the specific IP 74.56.86.26, or the 173.248.158.0/24 range. ‘-all’ indicates a hard fail, and ‘~all’ would indicate a soft fail. Don’t leave the qualifier off: a bare ‘all’ is read as ‘+all’, which passes mail from any server.
In essence, you’re basically telling the internet who can send mail on your behalf.
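To see how a receiving server reads such a record, here is an added example (not part of the original post) that evaluates a sender IP against the xyz.com mechanisms above with `-all`, `~all` and an unqualified `all`. The `a` and `mx` addresses and the spoofing host 203.0.113.50 are constructed values standing in for DNS lookups, and `check_spf` is a hypothetical helper that handles only `a`, `mx`, `ip4` and `all`.

```python
import ipaddress

# SPF qualifiers (RFC 7208). A mechanism with no prefix defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms from the xyz.com example; the "all" ending is appended per test.
BASE = "v=spf1 a mx ip4:74.56.86.26 ip4:173.248.158.0/24 "
A_IPS = ("192.0.2.10",)      # constructed: what "a" would resolve to
MX_IPS = ("198.51.100.25",)  # constructed: what "mx" would resolve to


def check_spf(record, sender_ip, a_ips=(), mx_ips=()):
    """Evaluate sender_ip against an SPF record; the first matching term wins.

    a_ips / mx_ips replace the DNS lookups the "a" and "mx" mechanisms
    would trigger, so the evaluation runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in a_ips
        elif name == "mx":
            matched = sender_ip in mx_ips
        else:
            return "permerror"  # term not handled by this helper
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for ending in ("-all", "~all", "all"):
        for host in ("74.56.86.26", "173.248.158.77", "203.0.113.50"):
            print(ending, host, check_spf(BASE + ending, host, A_IPS, MX_IPS))
```

The unauthorized host is rejected under `-all`, soft failed under `~all`, and passes under a bare `all`, which is why the qualifier in front of `all` matters.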
Try this SPF record builder at www.spfwizard.net.
Will it fix it?
Most mail servers do check SPF records nowadays, so yes, it’ll definitely help. It might not get rid of the problem completely, but it should greatly reduce cases of impersonation. The big-name mail providers do check SPF.