I am facing a problem of email spoofing with my webmail (running on roundcube).
Some unscrupulous person(s) using my webmail has set their reply-to address as info@mydomain.com and/or administrator@mydomain.com in their identity and is/are using that identity to send email to other people on their webmail account at mydomain.com. Now the recipient gets fooled by this spoofed mail as roundcube (and maybe other web-based email) displays the sender as the spoofed email id (i.e. info@mydomain.com or administrator@mydomain.com) and not the actual email id used to send the email. I myself have received a couple of such mails and was perplexed to get an email from administrator@mydomain.com as I am the admin, and my email is admin@mydomain.com (administrator@mydomain.com does not exist). I tried to figure out the actual email id by reading the email headers but it didn't show the actual email id, only the spoofed email id administrator@mydomain.com (or info@mydomain.com).
Now is this supposed to work this way? I mean, does setting the reply-to field to any email address in roundcube enable one to spoof the sender's email id? Is there any way to disable the "Reply To" field in roundcube so that users are unable to send spoofed mails?
Is the "unscrupulous user" on your machine, or is it a guy from some other system?
On Wed, 5 Apr 2006, Nipun Jain wrote:
Jon Daley http://jon.limedaley.com/
Needs are a function of what other people have. -- Jone's Principle
No, my domain is not blacklisted. I could not check for an open mail relay at checkor.com as it's not working right now. But I tried some other sites which said that my server was not an open relay. Maybe you can try to check it out yourself; my domain is www.ccet.in. Also I am the sole user of my machine, so the unscrupulous user is remote. If it helps, the webserver is not on my machine, it's a remote shared webhosting (cPanel). Can anyone check whether they can spoof an email by setting up their reply-to address as something else? Do they face the same problem?
On 4/5/06, Nipun Jain jain.nipun@gmail.com wrote:
I did check the email headers and could not find your original email address randy at sermo.net anywhere except in the body of the message.
Anyway, the problem is that the person who is spoofing the email is most probably using roundcube (the webmail that my domain uses), as my domain ccet.in is not an open relay and the only way I can think of spoofing it is using the Reply To field of roundcube.
Another reason that reinforces the belief that my webmail running roundcube is being used is that my webhost has complained that my webmail is being used to send virus-ridden emails (he has gone to such great lengths as to suspend my hosting, hopefully temporarily). Now the recipient of these particular emails is me, but I again could not figure out the actual sender from the headers, which showed the sender as administrator@mydomain.com, an email id which doesn't exist at my domain. And without knowing the actual email account used to send these mails, I cannot suspend that account.
So the only possible solution I could think of now is to disable the Reply To field from roundcube so that that person is unable to spoof the email (at least using roundcube), and if he sends virus-ridden emails again, his actual email id can be traced and then suspended.
Someone please come up with a solution as my webhost won't re-enable my account until I find a solution to this problem.
On 4/5/06, Nipun Jain jain.nipun@gmail.com wrote:
Then why did my webhost suspend my webhosting on the account that it was used to send virus-ridden emails?
On 4/5/06, Nipun Jain jain.nipun@gmail.com wrote:
If you have logging turned on, you can see (in the logs/sendmail file) which user was sending mails. Do you have access to all of the headers? Presumably, since your host shut down your account, they verified the headers were coming from your own machine. If you gave an account to a spammer, you shouldn't do that. It doesn't matter what the reply-to or anything is set to. Maybe someone guessed a password?
On Wed, 5 Apr 2006, Nipun Jain wrote:
Jon Daley http://jon.limedaley.com/
Complex problems have simple, easy to understand, wrong answers. -- Grossman's Misquote
as this is no longer a roundcube issue, let's move it off list. if you'll send me a copy of the email with all the headers, i'll take a look. in gmail, click on "more options" then "show original", copy and paste everything to me in an email.
again, if someone has access to ANY open relay, they can arbitrarily set ALL the email headers to be anything they want, including yours. this has absolutely nothing to do with your mailserver, roundcube or anything else. it can be impossible to track down people who fake that stuff.
i just sent this email from your address. disabling the reply-to won't help and won't affect anything, email is very unreliable in terms of authentication.
Nipun Jain wrote:
in general, ALL email headers can be faked. with an open relay of any kind, someone can send email to anyone looking like it came from anyone. it's not just the reply to, ALL email headers can be spoofed. for example, i just sent this from microsoft without any server configurations.
dumb email clients (i.e. those that don't do anything except display what they're given) won't complain, though if you check the headers, you can see where it really came from (randy at sermo.net). hence the idea behind SPF. http://www.openspf.org/howworks.html
randy
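The two points made above (every displayed address header is chosen by whoever submitted the message; only the Received line your own server wrote is trustworthy; SPF ties the connecting IP to the domain) as an added example. This is not code from the list, from randy, or from Roundcube. The message, the 203.0.113.9 client address, and the SPF record for mydomain.com are all constructed for the example, and the SPF evaluator is deliberately minimal (ip4 mechanisms and all only, no DNS lookups).

```python
"""Added example for this thread (not code from the list or from Roundcube):
shows why the addresses a webmail client displays prove nothing, which
Received header a defender can actually rely on, and how an SPF record ties
the sending IP to the domain. The message and SPF record are constructed."""
import email
import ipaddress
import re
from email import policy

# Constructed sample. The topmost Received line was written by our own MX
# (mail.mydomain.com) when 203.0.113.9 connected to it; the line below it
# arrived inside the message and claims a local webmail origin that the
# sender could have typed in themselves.
RAW_MESSAGE = b"""\
Received: from somehost (unknown [203.0.113.9])
\tby mail.mydomain.com (Postfix) with ESMTP id 4F2A1; Wed, 5 Apr 2006 10:00:00 +0000
Received: from roundcube.mydomain.com (localhost [127.0.0.1])
\tby localhost with SMTP; Wed, 5 Apr 2006 09:59:00 +0000
From: administrator@mydomain.com
Reply-To: info@mydomain.com
To: admin@mydomain.com
Subject: constructed sample

body text
"""

# Constructed SPF record for mydomain.com: only 192.0.2.0/24 may send for it.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

IP_IN_RECEIVED = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def displayed_addresses(raw: bytes) -> dict:
    """Headers a naive client shows as 'the sender'. None of them is
    verified by anyone; the submitting user chose all of them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {h: str(msg[h]) for h in ("From", "Reply-To", "Sender") if msg[h]}


def border_hop_ip(raw: bytes) -> str:
    """IP of the client that connected to our own MX. Only the Received
    header our server added (the topmost one) is trustworthy; everything
    beneath it travelled inside the message and may be fabricated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    match = IP_IN_RECEIVED.search(str(received[0])) if received else None
    if not match:
        raise ValueError("no client IP in the border Received header")
    return match.group(1)


def spf_check(record: str, client_ip: str) -> str:
    """Minimal SPF evaluator: ip4 mechanisms with +/-/~/? qualifiers and
    'all'. Real SPF also handles a, mx, include and redirect via DNS."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term.lower() == "all":
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    print("displayed:", displayed_addresses(RAW_MESSAGE))
    ip = border_hop_ip(RAW_MESSAGE)
    print("connected from:", ip, "-> SPF", spf_check(SPF_RECORD, ip))
```

Run against the constructed message, the displayed From and Reply-To both say mydomain.com while the border hop is 203.0.113.9, which the SPF record rejects. When mail really is submitted through a webmail installation, the border hop is the webhost's own server, which is exactly why the server-side sendmail log mentioned earlier in the thread, not the headers, is what identifies the account that sent it.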
Nipun Jain wrote:
Since my hosting account is currently shut, I cannot access any logs. No, my machine has not been verified to send the virus-ridden emails. They have suspended the hosting to take their time to analyze the headers and see if it was my fault or someone outside the domain is sending these spoofed mails. And I haven't given any email account to a spammer. And all my passwords are alphanumeric and of good length so are not easy to guess.
I am assuming that it's someone using my webmail, because only then could my webhost make the complaint of my domain being used to send these emails.
On 4/5/06, Nipun Jain jain.nipun@gmail.com wrote:
Basically, one can only send mails from a RoundCube installation when he or she passes an IMAP login. Otherwise you won't get a valid session in RC. Depending on your RoundCube configuration, logins can be done on any IMAP host (if no default_host is configured) or only on your mailserver. If you don't have a default_host configured and autocreate_user is enabled, then anybody can use your RoundCube installation to send mails using the PHP mail function or the SMTP server you configured.
If your installation is configured properly and only registered users are allowed to login, I don't see anything to improve with RoundCube. All the properties that you can set in RoundCube (From-address, Reply-to, etc.) can also be configured the same way in any common mail client.
I regret that documentation on RoundCube's installation and configuration is not very detailed but please remember that you are using a new webmail solution which is still under development. Before setting it up in a public environment you should test your configuration carefully and keep an eye on the logs.
Regards Thomas
Nipun Jain schrieb:
My default_host is set to localhost and only registered users can login to the webmail, although autocreate_user is set to true, as new accounts are being created every day (on a Gmail-like invitation basis). I know that the reply-to address can be configured through email clients also, but if I am able to disable it through roundcube, that's one less way for the users to spoof. If it's possible, please reply. Also, is anyone else able to spoof emails using the reply-to address in roundcube? I can't test as my hosting is suspended.
On 4/6/06, Thomas Bruederli roundcube@gmail.com wrote:
A little off topic, but check your domain settings at http://www.dnsreport.com/ It gives out a comprehensive report; it may help you.
-Nitin
Nipun Jain wrote: