• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Email Spoofing

D

dEbo1

New Pleskian
Hi,
we are facing a serious issue with email spoofing on all our nodes.

Lets say we are using domain.com as our primary domain.

The problem is we are receiving spam and emails from our own email addresses or even from addresses that doesnt even exist.
For example:
[email protected]
[email protected]
[email protected]
etc


The emails are originating from various sources and unknown IP's, which are not being whitelisted in Mail Server Settings and our own domain.com is not in the Spam Filter whitelist.

Our domain.com has proper SPF records set, allowing only certain IP's and hosts.
We do have SPF spam protection enabled with settings: Reject mail when SPF resolves to "fail" (deny)

I just tested sending email from simple php script hosted outside.
TO: was some random users on our domains in various plesk installations
FROM: was something madeup, or the same as recipient.

All these messages are being delivered!

Related maillog records:
Jan 25 05:24:30 srv spf filter[26952]: Starting spf filter...
Jan 25 05:24:30 srv spf filter[26952]: SPF result: pass
Jan 25 05:24:30 srv spf filter[26952]: SPF status: PASS
Jan 25 05:24:30 srv /usr/lib64/plesk-9.0/psa-pc-remote[1993]: handlers_stderr: PASS
Jan 25 05:24:30 srv /usr/lib64/plesk-9.0/psa-pc-remote[1993]: PASS during call 'spf' handler

Can somebody help investigate and find a fix to this serious issue?

# Plesk Onyx Version 17.0.17 Update #13
 
1. Double check that your domains DNS SPF record is valid. Use https://dmarcian.com/spf-survey/
2. Enable DKIM signing for your domain under Mail Settings -> "Use DKIM spam protection system to sign outgoing email messages".
3. Set a proper DMARC policy for your domain. I suggest you start with the wizard : https://dmarcian.com/dmarc-inspector/

Setting a DMARC policy will tell email providers to reject any email that fails BOTH SPF and DKIM checks.
 
Unfortunately, all of the above is properly set and checked.

Domain has proper SPF, DKIM is set to sign and DMARC configured.
 
I'm recieving standard DMARC reports from google and other ISP's.
Nothing that indicated any issues.

The problem is, i can mail from any simple php script outside our domain to my own domain hosted on Plesk and the email si recivied.
Thats a huge spoofing issue.
 
Iam sure that the email is being sent from IP outside our SPF DNS settings.
I have even just bought webhosting packaged from some unknown company, run php script to mail myself from myself and it went through.

In received mail source i see envelope-from and HELO to be some random stuff, but SENDER is ME.

From my maillog i see that the SPF result is PASS:
Jan 27 17:04:31 srv01 spf filter[21299]: Starting spf filter...
Jan 27 17:04:31 srv01 spf filter[21299]: SPF result: pass
Jan 27 17:04:31 srv01 spf filter[21299]: SPF status: PASS


It's like my Plesk is not checking SPF at all, i can just mail myself from whatever domain i want.
This is not good
 
# /usr/local/psa/bin/mailserver -i spf
SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules:
SPF guess:
SPF explanation text:
 
I was waiting for someone from Plesk more knowledgeable to respond. For kicks I logged into 6 different Plesk servers to check for SPF fails. I couldn't find any with "SPF result: fail"

Code: 
zgrep spf /var/log/maillog* | grep fail

My SPF settings
Code: 
/usr/local/psa/bin/mailserver -i spf
SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: include:spf.trusted-forwarder.org
SPF guess: v=spf1 a/24 mx/24 ptr
SPF explanation text:

I'm not sure if its a bug or if I have some type of misconfiguration?
 
can you please try to send mail from source outside your SPF rules to yourself, ideally trying to spoof your own mail address?
somehow iam sure it will go through...
 
Just wondering - Your SPF setting is set to reject only when you get a hard failure which is -a iirc ? I know ours is just a ~ atm for some migration / dmarc work.... when combined with the default policy of reject only on fail and not a softfail - No local rules set I see in your SPF settings?



Screen Shot 2017-02-01 at 4.38.33 PM.png


Screen Shot 2017-02-01 at 4.38.38 PM.png

Settings above:

SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr ?all
SPF guess: v=spf1 +a/24 +mx/24 +ptr ?all


I quickly adjusted my local guess rules to test if plesk actually checks the records

SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr -all
SPF guess: v=spf1 +a/24 +mx/24 +ptr -all

And after adjusting my local rules


Screen Shot 2017-02-01 at 4.56.00 PM.png

*sigh* edit yeah it most defiantly is applying the SPF guess rules to local domains instead of querying DNS or using the local rule


SPF checking mode: Reject mails when SPF resolves to "fail" (deny) (-a published in SPF DNS)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr -all (Would assume this is the local rule ?)
SPF guess: v=spf1 a/24 mx/24 ptr ?all (This is the best guess rule for when we dont have an SPF published) ..... anyone know if its checking for the older SPF record type instead of txt?


Double Edit: Not asking for help or trying to steal a threat just trying to contribute that you dont seem to be losing you mind ;)


Triple Edit: Removing local rule + guess rule and leaving preform dns check and on fail reject appears to actually generate failures - not 100% sure what plesk was using the local record for - but it seems to be favouring it over the dns lookup results. OpenSPF says guess records are deprecated - can anyone chime in on the purpose of the local record? if i understood the panels help tip it was only to be used when DNS lookup of the text spf record fails ? and then guess was applied to domains with know published spf?
 

Attachments

  • Screen Shot 2017-02-01 at 4.36.11 PM.png
    Screen Shot 2017-02-01 at 4.36.11 PM.png
    34.4 KB · Views: 14
Last edited:
You must log in or register to reply here.

Similar threads

D
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?
Replies
2
Views
615
drdna
D
C
Resolved Why is one email of a domain not working, if others are?
Replies
2
Views
379
Change Maker
C
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
510
Change Maker
C
A
Resolved Some emails don't go through
Replies
5
Views
779
andrecab93
A
danami
Resolved Arc errors in maillog
2
Replies
22
Views
4K
AlexMuc81
A
Back
Top