
Question Email Domain abuse with forwarding

Erwin Fiten

Basic Pleskian
I noticed some strange behaviour lately.

This is the email delivery log for one of those mails :
Sep 11 11:10:50 6B8711803EE: client=xn--h1ard.046.xn--p1acf[77.87.212.94]
Sep 11 11:10:50 6B8711803EE: from=<[email protected]> to=<[email protected]>
Sep 11 11:10:50 6B8711803EE: message-id=<[email protected]>
Sep 11 11:10:50 6B8711803EE: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Sep 11 11:10:50 6B8711803EE: py-limit-out: stderr: SKIP
Sep 11 11:10:50 6B8711803EE: check-quota: stderr: SKIP
Sep 11 11:10:50 6B8711803EE: spf: stderr: PASS
Sep 11 11:10:50 6B8711803EE: from=<[email protected]>, size=92908, nrcpt=1 (queue active)
Sep 11 11:10:50 6B8711803EE: from=<[email protected]>, to=<[email protected]>, dirname=/var/qmail/mailnames
Sep 11 11:10:50 6B8711803EE: DKIM Feed: No signature
Sep 11 11:10:50 6B8711803EE: dk_check: stderr: PASS
Sep 11 11:10:50 6B8711803EE: dmarc: stderr: PASS
Sep 11 11:10:50 6B8711803EE: send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=[email protected]> to=<[email protected]>
Sep 11 11:10:51 6B8711803EE: to=<[email protected]>, relay=plesk_virtual, delay=0.68, delays=0.4/0/0/0.28, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Sep 11 11:10:51 6B8711803EE: removed

This line worries me : "send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=[email protected]> to=<[email protected]>"
My domain is in this example : "testdomain.be"

And something is using SRS to fake an address in my domain and tries to send mails to "[email protected]"

How can I avoid this? Asking AI (clause), this is the SRS service that needs to be disabled, but this looks like it's used by PLESK?

Erwin
 
How can I avoid this.
Short answer: Disable mail forwarding on your mailbox.

Long answer: SRS (sender rewrite scheme) is used when emails are automatically forwarded to make sure the message still passes SPF validation. It's nothing to be alarmed about and it's also not something you can enable or disable (at least not easily).

In your case your mail log shows that your mailbox first received the email from fastaresi.de and then forwarded it to [email protected].
Sep 11 11:10:50 6B8711803EE: from=<[email protected]>, to=<[email protected]>, dirname=/var/qmail/mailnames
[...]
Sep 11 11:10:50 6B8711803EE: send message: id=S3339307 from=<SRS0=pSL6=3W=fastaresi.de=[email protected]> to=<[email protected]>

So I assume you've set up mail forwarding for the [email protected] mailbox, either in Plesk or as some sort of filter rule in webmail. If you don't like mails to be forwarded to [email protected] simply remove/disable the forward.
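An added example, not part of the original posts and not Plesk code: a small log audit that pairs each SRS-rewritten "send message" line with the local mailbox that received the mail, so every active forward and its external target can be listed. The line patterns follow the log excerpt above; the SRS0 field order (hash, timestamp, original domain, original local part) is assumed to be the usual one, and all addresses in the sample are constructed placeholders.

```python
import re

# SRS0 layout: SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder domain>
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.I)
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
LOCAL_RE = re.compile(r"from=<[^>]*>, to=<(?P<to>[^>]*)>, dirname=")
SEND_RE = re.compile(r"send message: id=\S+ from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>")

def decode_srs0(addr):
    """Return the original sender and the rewriting domain, or None if not SRS0."""
    m = SRS0_RE.match(addr)
    if not m:
        return None
    _hash, _ts, domain, local, forwarder = m.groups()
    return {"original_sender": f"{local}@{domain}", "rewritten_by": forwarder}

def find_forwards(lines):
    """Pair each SRS-rewritten 'send message' with the local mailbox that received it."""
    mailbox_by_qid, forwards = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        local = LOCAL_RE.search(m["rest"])
        if local:
            mailbox_by_qid[m["qid"]] = local["to"]
            continue
        sent = SEND_RE.search(m["rest"])
        srs = decode_srs0(sent["frm"]) if sent else None
        if srs:
            forwards.append({"queue_id": m["qid"], "mailbox": mailbox_by_qid.get(m["qid"]),
                             "forwarded_to": sent["to"], **srs})
    return forwards

# Constructed sample in the format of the log above; all addresses are placeholders.
SAMPLE_LOG = [
    "Sep 11 11:10:50 AAAA0000001: from=<alice@sender.example>, to=<info@hosted.example>, dirname=/var/qmail/mailnames",
    "Sep 11 11:10:50 AAAA0000001: send message: id=S0000001 from=<SRS0=pSL6=3W=sender.example=alice@hosted.example> to=<someone@external.example>",
    "Sep 11 11:12:03 BBBB0000002: from=<bob@sender.example>, to=<sales@hosted.example>, dirname=/var/qmail/mailnames",
    "Sep 11 11:12:03 BBBB0000002: send message: id=S0000002 from=<bob@sender.example> to=<sales@hosted.example>",
]

if __name__ == "__main__":
    for fwd in find_forwards(SAMPLE_LOG):
        print(fwd)
```

A forward target that the mailbox owner does not recognise is the thing to follow up on, since it points at a forwarding rule nobody remembers creating.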
 