How do you stop domain impersonation?

« Other questions
1
0

Someone recently started using my domain name to send out spam messages. They are not actually using my smtp server, rather they are spoofing the name. Not much I can do there (email wasn’t designed with security in mind).

I do have DKIM and SPF setup for my email.

However, recently I saw an email they sent out with an unsubscribe link. I was curious what happened when you attempted the link (it had my actual domain name in it). So I jumped on a sandboxed browser on TailsOS and tried the link. The URL worked. The link is something like https://mydomain.com/app/optOut/noConfirm/1276176826/1762726. When trying the link, Firefox warns you that someone may be impersonating another site. I checked the certificate and it is a Komodo cert with my hosting company in the cert (*hostingcompany.com). I do not have https setup for my site because it currently is setup for a landing page only.

So my real question is this; how can someone use my domain name for a URL that does not exist on my server and it actually work? Are they able to execute some kind of DNS trickery or am I missing something here?

  • You must to post comments
0
0

For future reference if you’re not going to use your domain you should instead use the for documentation purposes domains – example.com (or .org or .net). But as for your problem it’s hard to say especially without more information.

The following thoughts come to mind:

1. Is the name of the link (in the email) the same as the actual link ? That is to say are you sure it’s not hiding the real destination?
2. If they have done something like 1 they could for example have their web server change the actual link in the browser; so for instance even if it wasn’t whatever it can be changed to show something else.
3. The warning you refer to in Firefox is too ambiguous to really say what it is. Are they having a certificate that has your domain name but it really isn’t them (as you suggest)? Seems odd that if it’s really Comodo that they would have this but you don’t give the exact warning in full.

You say you aren’t https enabled but this website is so unless your DNS servers were compromised (and/or your domain registrar account compromised) then it probably looks like it but isn’t necessarily it. (There are other possible things including with DNS but same idea). You’ll need to check all these things and that includes what Firefox really declares.

As for email: that is indeed a problem. If you have SPF configured do you use softfail (fail but allow)? Are you sure it’s configured correctly? (There are tests out there). But even if it is all okay not every MTA is going to check SPF and how they react to the results you also can’t know. For that matter the attackers might have their own DNS server, MTA etc., or have control of something else that makes spoofing easier. In the end it very often comes down to the recipient knowing how to read the mail headers (if they even know what email headers are) – and there are many more headers these days.

Lastly, if you really want more information on the website you end up connecting to, then do a query on the actual domain (remove any http:// or https:// and anything including and past the first / ) and see what it resolves to. Do a whois on that (you could also do a whois on the domain but keep in mind that if it’s a.example.org then you won’t get a whois on a.example.org but instead example.org ).

  • You must to post comments
Showing 1 result
Your Answer

Please first to submit.