• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Block Spam Mails send from own Domain

Sally1

Regular Pleskian
Hello,


Have the problem, that I get send from my own mail address [email protected] Fishing emails since some weeks now! How can I block these emails send from my own Domain with Plesk???


OS ‪CentOS Linux 7.6.1810 (Core)

Product Plesk Onyx

Version 17.8.11 Update #48, last updated on April 6, 2019 10:14 PM




Mail Server Settings:



SPF_DKIM_DMARC_settings.JPG 1.JPG

2.JPG

3.JPG
4.JPG

5_Spam_Filter_Protection.JPG

Mail Header Information

Mail_header_1.JPG

Mail_header_2.JPG
 
It does not look as if the mail is sent from your own domain unless your domain is @anonymoushackers.rocks.

You can try to lower the spam filter threshold to 2.0 instead of 7.0. This will catch a lot more spam.
 
Hi Peter,

I get an other one, please see here the header information. mydomain and myservername.cloud are both correct in the send emails...., that's why its scary





Return-Path: <[email protected]>

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on

myservername.cloud

X-Spam-Level:

X-Spam-Status: No, score=-89.3 required=7.0 tests=BITCOIN_EXTORT_01,

BITCOIN_SPAM_02,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,KHOP_DYNAMIC,RCVD_IN_PBL,

RCVD_IN_XBL,USER_IN_WHITELIST autolearn=no autolearn_force=no version=3.4.0

X-Original-To: [email protected]

Delivered-To: [email protected]

Received: by myservername.cloud (Postfix, from userid 30)

id A1F481050424; Mon, 8 Apr 2019 21:37:17 +0200 (CEST)

X-Original-To: [email protected]

Delivered-To: [email protected]

Received: from 97e5620e.skybroadband.com (97e5620e.skybroadband.com [151.229.98.14])

by myservername.cloud (Postfix) with ESMTP id 1BC78104F4C4

for <[email protected]>; Mon, 8 Apr 2019 21:37:16 +0200 (CEST)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;

s=default; t=1554752236;

bh=xezQ7rJOVzmH7t03uUtXbHYURTC7yJ5hsFflJa1HcTg=; l=1797;

h=From:To:Subject;

b=KNtEFGngha1maV+awAO6VZOfNQYFRiNFtVjvfl3uLeJI88vKlCAeIASqo5UBX2AYC

Zrej0m+zXs1LQkejETGPf9XiOajd+RTWTbhX4+lNuxitoVsiovekhEbvd2pmgM13sF

av0MHT8kX9CFavWYljvTKpljNUhHI0rbV7x+eKQM=

Authentication-Results: myservername.cloud;

dmarc=pass (p=NONE sp=NONE) d=mydomain.com; header.from=mydomain.com;

dkim=pass [email protected];

dmarc=pass (p=NONE sp=NONE) d=mydomain.com; header.from=mydomain.com;

dkim=pass [email protected];

spf=fail (sender IP is 151.229.98.14) [email protected] smtp.helo=97e5620e.skybroadband.com

Received-SPF: fail (myservername.cloud: domain of mydomain.com does not designate 151.229.98.14 as permitted sender) client-ip=151.229.98.14; [email protected]; helo=97e5620e.skybroadband.com;

Message-ID: <[email protected]>

Date: Mon, 08 Apr 2019 20:37:16 +0000

From: <[email protected]>

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10

MIME-Version: 1.0

To: <[email protected]>
 
"Received-SPF: fail (myservername.cloud: domain of mydomain.com does not designate 151.229.98.14 as permitted sender) client-ip=151.229.98.14; [email protected]; helo=97e5620e.skybroadband.com;"

This says it all.

The problem is that you can put anything you like into E-Mail "From" fields. You could for example sent from "[email protected]" although you are not that sender. That's what spammers do. However, the sender IP is more difficult to forge, and in this case you can see that the sender IP fails the SPF record of the domain, so very likely the sender address has been forged.
 
Thanks Peter, will then lower the threshold to see if the Spam get filtered out

Best regards
Sally
 
Lowering general Spamassassin threshold to 2.0 might cause quite a bit more false positives, depending on the common daily mail contents for the server or mailbox in question, of course. I find 5.0 to be a soft spot for general use and prefer to adjust specific Spamassassin checks to produce higher values when needed.

In cases like this, blocking messages which fail SPF checks is a better approach.

There are two causes of action one can choose from, the first is to block failed messages before they even reach Spamassassin:

Tools & Settings -> Mail Server Settings -> SPF spam protection, SPF checking mode, switch to "Reject mail when SPF resolves to "fail" (deny)"

The other is to adjust how Spamassassin values failed SPF records, which can be done for the entire server in /etc/spamassassin/local.cf:

Code:
# adjust SPF_FAIL score from 0 0.919 0 0.001 to something more substantive
score SPF_FAIL 10.0
# adjust SPF_HELO_FAIL score from 0 0.001 0 0.001 to something more substantive
score SPF_HELO_FAIL 10.0
# adjust SPF__NONE and SPF_HELO_NONE from 0 to something more  substantive
score SPF_NONE 1.0
score SPF_HELO_NONE 1.0

Check your Spamassassin configuration before restarting spamassassin:
Code:
spamassassin --lint
systemctl restart spamassassin.service
 
Hello Ales,

thanks for the Update. I reduced the Level to 5, but still getting the Spam. I setup now SPF Fail as you recommend and see what happens

Thx
Best regards
Sally
 
Back
Top