Stop Spoof Email in a Poof!

How do we keep this site running? This post may contain affiliate links — the cost is the same to you, but we get a referral fee. Compensation does not affect rankings. Thanks!

AttachmentWe recently had a problem where the root email address associated with a few domains was being spoofed to death. This was on domains that were merely setup to forward to another domain. That is, they had no user email accounts setup (with exception of the root account, which cannot be deleted), no forwarders setup, no catch-all (a catch-all address “catches” emails that arrive at the server but cannot find a matching user or email address), and no auto-responders (auto-responders are setup to automatically respond with a pre-written message to messages that target a specific email address. An out of office message is a type of auto-responder). Nevertheless, emails continued to pour in. These emails were all the result of spoofing attempts.

What is spoofing?

Spoofing refers to fraudulent e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.

How to stop spoof email, ie. spoofing?

There is no real way to stop spoofing except to delete the messages as they arrive. To accomplish this, you can simply define a filter that will delete messages based on specific values in the email message header. In our case, we set the header to delete messages sent from the MAILER-DAEMON address.

What is a mailer-daemon address?

A mailer-daemon address is used to process bounce messages. In other words, messages that have not reached a recipient. A bounce message (or failed Delivery Status Notification (DSN) message) is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. The original message is said to have bounced. By filtering out and deleting all messages from the mailer-daemon on your server that processes these messages as they arrive, you should prevent your mailbox from filling up and potentially having your account suspended for going over your disk space quota.

We’re going to show you how to filter spoof messages in Horde, a common webmail utility used in the Cpanel interface. A similar approach should be available to set filters in any server/ webmail environment.

How to filter and stop spoof emails in Horde (Cpanel)

  • Log into webmail for your root account (ie. log into Cpanel and click on the Webmail icon)
  • Click on the filters icon towards the top of the screen.
  • Select “New Rule”
  • Name your rule something like “Stop Spoofs”
  • Under For an incoming message that matches: select “All of the following”
  • Under the “Select a field” drop-down, select “From”
  • The next drop-down should have “Contains”
  • In the field type your mailer-daemon email address (you can find this by examining the full message headers of one of your spoof emails – look for the value next to the “From” field).
  • Under “Do this” select “Delete message completely”
  • You can select “Stop checking if this rule matches”
  • Click the “Save” button
  • You can move the filter to the top of the filter list so that it is executed first (before any other filters).
  • Select “Apply Filters” to run the filter on your current inbox.

Voila 🙂 You should have gotten rid of your spoofed email messages. Any new spoof email messages that arrive will be promptly deleted.

Alex bring a series of in-depth articles on search marketing and content management systems as well as troubleshooting tips to We Rock Your Web's collection. He is an avid tennis player, nature enthusiast, and hiker, and enjoys spending time with his wife, friends, and dogs, Bella and Lily.

Leave a Reply

9 Comments on "Stop Spoof Email in a Poof!"

Sort by:   newest | oldest | most voted

This doesn’t help those of us who have had our own email addresses spoofed…

Skip Horni
Skip Horni
And for the record, I set my filter to “Body” then “Contains” 90% of my failures were because I had exceeded a 500 email a day limit. I was able to delete these with impunity. I can still get emails if I miss-type an address. The other is a “550 5.1.1” error. This is more problematic but, as a home user, should hardly ever affect me. I did the same thing. Created a new rule “Spoof2” “Body” then “contains” and then the 550 string. I hope this helps others. I had been getting these for days. Setting a generic rule… Read more »
Skip Horni
Skip Horni

You saved my cojacks!! Thanks!!!
I know that they (delivery failures from my spoofed email) are still coming in but there isn’t thing one I can do about it. I have an SPF and, as soon as I figure out how, set up a DMARC record.

I cannot stop this email source. Any suggestions? I have tried to block using the words in the source, which is consistent in each email. There is ALWAYS the word snapchat in every email. So, I tried a RULE that would move any email that I receive with the Word snapchat in the header. THAT DOES NOT WORK. Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.8 via Mailbox Transport; Sun, 27 Nov 2016 09:40:44 +0000 Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.8 via Frontend Transport;… Read more »

This is a pretty bad solution, MAILER-DAEMON email is for error reporting.

If a user puts this into place, if they accidently send an email to say a friend, and misspell the email address, they will never see the legitimate
email from mailer-daemon to notify them that they made a mistake.
Similarly, if the recipient has another error with their account, stopping delivery, the user sending the mail will never know their mail didn’t get thru …

True, if you have mailboxes setup. But note in our example that the domain has no user boxes setup, and the mail received at the root domain is simply taking up disk space. But let’s say user mailboxes are in place. In that case you’ll want to install and configure spam filter software. If you’re in an open source Cpanel environment, you should have spam assassin at your disposal. Out of the box, it may not stop a lot of spam, but if you let it learn over time, or jump start it by importing a ruleset, it’s not a… Read more »

Rather than having to deal with all this issues I prefer to use the Mail App from Google. I love Gmail and using this app for my domains is very hassle free. Even the spam filter is really good, and if it fails to detect spam I usually get saved by some random software that I find just by googleing “antivirus download free”…so Google helps me in this matter too 🙂

Spoof emails have become a big headache nowadays and can be a serious problem. In my personal email account alone, I receive all sorts of spoofs, that claim they are sent from legitimate companies such as, Ebay, Amazon, or Paypal. My spam filters are now working quite well, but even so, I recently received a very realistic-looking email from ‘Facebook’. In fact, the only reason I could tell this email was fake is that I originally signed up for Facebook with my university email address, and have since then changed my account to my work email (and not my… Read more »

Send this to a friend