• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Spam sent to domain by domain

Xavier12

Regular Pleskian
Hi guys,

Having an issue where we are getting constant spam on several domains within the same domain with a non-existent email. For example, [email protected] exists, but we are receiving emails to [email protected] by [email protected] or a random email (ie: [email protected])

The spam is non-stop. Also, checked the header and it matches with @domain.com. In the header will show in message id: <[email protected]>. It seems like its coming as a legit header.

How can we narrow down the source or solve this? Not sure if they are also spoofing emails to other email addresses outside of our domain.

Specs below. Please advise, thanks guys.

cloudlinux 6.8
email: postfix and dovecot
Latest Plesk 12.5
 
Hi Xavier12,

actually, you are a regulary user of this forum... you should know, that missing facts only lead to guessings... nothing more. Consider to post the depending log - file entries from you maillog, as well as the complete header for investigations, pls.
In addition, you know, that configuration files help as well to investigate issues/failures/problems with your mail - server.;)
 
Sorry guys, below is a mail log file of a specific mail. Not sure where exactly to start the copy and paste:

Code:
Aug 30 12:04:05 host postfix/smtpd[552606]: connect from unknown[UKNOWNIP]
Aug 30 12:04:10 host postfix/smtpd[552606]: 9CFE5540286: client=unknown[UNKNOWNIP]
Aug 30 12:04:11 host postfix/cleanup[553506]: 9CFE5540286: message-id=<[email protected]>
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: SKIP
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: SKIP during call 'limit-out' handler
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: SKIP
Aug 30 12:04:11 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: SKIP during call 'check-quota' handler
Aug 30 12:04:11 host spf filter[553827]: Starting spf filter...
Aug 30 12:04:12 host spf filter[553827]: SPF result: softfail
Aug 30 12:04:12 host spf filter[553827]: SPF status: PASS
Aug 30 12:04:12 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: handlers_stderr: PASS
Aug 30 12:04:12 host /usr/lib64/plesk-9.0/psa-pc-remote[588691]: PASS during call 'spf' handler
Aug 30 12:04:12 host postfix/qmgr[736122]: 9CFE5540286: from=<[email protected]>, size=12489, nrcpt=1 (queue active)
Aug 30 12:04:12 host postfix-local[553828]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Aug 30 12:04:12 host dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Aug 30 12:04:12 host postfix/pipe[553788]: 9CFE5540286: to=<[email protected]>, relay=plesk_virtual, delay=6.8, delays=6.7/0/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Aug 30 12:04:12 host postfix/qmgr[736122]: 9CFE5540286: removed
Aug 30 12:04:12 host postfix/smtpd[552606]: disconnect from unknown[UNKNOWNIP]
Aug 30 12:04:21 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=MYIP, lip=SERVERIP, mpid=553833, TLS, session=<12g4Ikw75gBDVS0z>
Aug 30 12:04:22 host dovecot: service=imap, [email protected], ip=[MYIP]. Connection closed rcvd=502, sent=15287
Aug 30 12:04:22 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=MYIP, lip=SERVERIP, mpid=553836, TLS, session=<Q99IIkw7wwBDVS0z>
Aug 30 12:04:22 host dovecot: service=imap, [email protected], ip=[MYIP]. Connection closed rcvd=67, sent=757


[email protected] is my actual domain name.. [email protected] does not exist but successfully sends to my [email protected]. MYIP is my actual ip address where thunderbird retrieves my email on my computer. SERVERIP is the actual server IP. UNKNOWNIP is the ip address that seems like the offending IP address.


Here is the email header:

FROM: [email protected]
Subject: PHOTOS
TO: [email protected]
Tue, 30 Aug 2016 11:04:03 -0500
MESSAGE ID: <[email protected]>
RETURN-PATH: <[email protected]>
X-ORIGINAL-TO: [email protected]

Also note, we are using SENDGRID as mail service connected with Postfix
 
Postfix main.cf

http://snippi.com/s/l3xk3eh

Note: "Myserverdomain" is different from the MYDOMAIN.com. MYDOMAIN.com is a domain hosted on the plesk server for Myserverdomain.com. Not sure if you need dovecot configuration, its default with a custom SSL modification.

Sorry for the long post. Looking forward to hearing back.
 
Hi Xavier12,

first, some suggestions for your main.cf:

Pls. use:

smtp_sasl_security_options=noanonymous
smtp_sasl_tls_security_options=noanonymous

and

smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=noanonymous
instead of only "smtp_sasl_security_options = noanonymous"​


Is there a reason, why you left out
  1. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
  2. smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch
  3. smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
  4. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender
( red marked configurations are all missing )




Next, some thoughts to your provided depending - log - entries and header informations:

Sorry, but with your complete "anonymization", these informations just lead to the fact, that you are missing domainkeys/DKIM - checks. If you want some help here, consider to provide informations, which can be investigated. ;)


[email protected] does not exist but successfully sends to my [email protected].
Well, you don't restrict very good in your postfix configuration, as already suggested above. In addition, I would use "reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org" instead of only "reject_rbl_client zen.spamhaus.org".
 
Hi UFHH01

Thanks for the update. Set these settings so far, but now I am receiving email errors when sending emails to certain email address, mostly gmail. Here is the email:


This is the mail system at host host.MYDOMAIN.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[email protected]>: unknown mail transport error
Reporting-MTA: dns; host.MYDOMAIN.com
X-Postfix-Queue-ID: 25FEA540EBD
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Thu, 1 Sep 2016 16:13:43 -0400 (EDT)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 4.3.0
Diagnostic-Code: X-Postfix; unknown mail transport error
 
Hi Xavier12,

Set these settings so far, but now I am receiving email errors when sending emails to certain email address, mostly gmail.
Did you consider to REMOVE suggested additions ( one-by-one ), to see, which suggested restriction might be incompatible to your complete ( main AND master.cf ) postfix - configuration?
 
Have you considered that these spam emails that seem to be coming from your own server are actually spoofed and not actually coming from your server at all?

You could examine the source of one of these emails and examine the first header beginning with"Received: from" and note the IP address listed.
If it isn't one of your server's IP addresses, then these emails are most likely spoofed, which means they didn't originate from your server and there is nothing you can do to prevent them except attempt to spam-filter them out when they come in.

Just something to check.
 
Have you considered that these spam emails that seem to be coming from your own server are actually spoofed and not actually coming from your server at all?

You could examine the source of one of these emails and examine the first header beginning with"Received: from" and note the IP address listed.
If it isn't one of your server's IP addresses, then these emails are most likely spoofed, which means they didn't originate from your server and there is nothing you can do to prevent them except attempt to spam-filter them out when they come in.

Just something to check.

Hi, thanks for chiming in! Yes, it shows a different IP address other than the server, which means that they are spoofing. But, the weird thing is that the message header still shows @mydomain.com. So I am confuse as to how they are able to spoof it from another server but still have a valid message header. Normally the message header email would be different if they are simply spoofing it by making it display as a "reply to" email. Not sure if they are somehow making their way by entering via an open relay.

Please advise, thanks guys
 
Back
Top