Issue Email Spoofing

[dEbo1]

Hi,
we are facing a serious issue with email spoofing on all our nodes.

Lets say we are using domain.com as our primary domain.

The problem is we are receiving spam and emails from our own email addresses or even from addresses that doesnt even exist.
For example:
[email protected]
[email protected]
[email protected]
etc


The emails are originating from various sources and unknown IP's, which are not being whitelisted in Mail Server Settings and our own domain.com is not in the Spam Filter whitelist.

Our domain.com has proper SPF records set, allowing only certain IP's and hosts.
We do have SPF spam protection enabled with settings: Reject mail when SPF resolves to "fail" (deny)

I just tested sending email from simple php script hosted outside.
TO: was some random users on our domains in various plesk installations
FROM: was something madeup, or the same as recipient.

All these messages are being delivered!

Related maillog records:
Jan 25 05:24:30 srv spf filter[26952]: Starting spf filter...
Jan 25 05:24:30 srv spf filter[26952]: SPF result: pass
Jan 25 05:24:30 srv spf filter[26952]: SPF status: PASS
Jan 25 05:24:30 srv /usr/lib64/plesk-9.0/psa-pc-remote[1993]: handlers_stderr: PASS
Jan 25 05:24:30 srv /usr/lib64/plesk-9.0/psa-pc-remote[1993]: PASS during call 'spf' handler

Can somebody help investigate and find a fix to this serious issue?

# Plesk Onyx Version 17.0.17 Update #13

 

[danami]

1. Double check that your domains DNS SPF record is valid. Use https://dmarcian.com/spf-survey/
2. Enable DKIM signing for your domain under Mail Settings -> "Use DKIM spam protection system to sign outgoing email messages".
3. Set a proper DMARC policy for your domain. I suggest you start with the wizard : https://dmarcian.com/dmarc-inspector/

Setting a DMARC policy will tell email providers to reject any email that fails BOTH SPF and DKIM checks.

 

[dEbo1]

Unfortunately, all of the above is properly set and checked.

Domain has proper SPF, DKIM is set to sign and DMARC configured.

 

[danami]

What do your DMARC reports say?

 

[dEbo1]

I'm recieving standard DMARC reports from google and other ISP's.
Nothing that indicated any issues.

The problem is, i can mail from any simple php script outside our domain to my own domain hosted on Plesk and the email si recivied.
Thats a huge spoofing issue.

 

[danami]

Are you sure that you are sending the mail from a server IP outside of what you have in your SPF records? Make sure that your domains SPF record doesn't have any include statements that include the other network. I would also review:
https://support.plesk.com/hc/en-us/articles/213365509-What-do-notifications-from-SPF-filter-mean-

 

[dEbo1]

Iam sure that the email is being sent from IP outside our SPF DNS settings.
I have even just bought webhosting packaged from some unknown company, run php script to mail myself from myself and it went through.

In received mail source i see envelope-from and HELO to be some random stuff, but SENDER is ME.

From my maillog i see that the SPF result is PASS:
Jan 27 17:04:31 srv01 spf filter[21299]: Starting spf filter...
Jan 27 17:04:31 srv01 spf filter[21299]: SPF result: pass
Jan 27 17:04:31 srv01 spf filter[21299]: SPF status: PASS


It's like my Plesk is not checking SPF at all, i can just mail myself from whatever domain i want.
This is not good

 

[danami]

What is the result of ?:

/usr/local/psa/bin/mailserver -i spf

 

[dEbo1]

# /usr/local/psa/bin/mailserver -i spf
SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules:
SPF guess:
SPF explanation text:

 

[dEbo1]

Seriously i am the only one with this issue?

 

[danami]

I was waiting for someone from Plesk more knowledgeable to respond. For kicks I logged into 6 different Plesk servers to check for SPF fails. I couldn't find any with "SPF result: fail"

zgrep spf /var/log/maillog* | grep fail

My SPF settings

/usr/local/psa/bin/mailserver -i spf
SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: include:spf.trusted-forwarder.org
SPF guess: v=spf1 a/24 mx/24 ptr
SPF explanation text:

I'm not sure if its a bug or if I have some type of misconfiguration?

 

[dEbo1]

can you please try to send mail from source outside your SPF rules to yourself, ideally trying to spoof your own mail address?
somehow iam sure it will go through...

 

[Zach]

Just wondering - Your SPF setting is set to reject only when you get a hard failure which is -a iirc ? I know ours is just a ~ atm for some migration / dmarc work.... when combined with the default policy of reject only on fail and not a softfail - No local rules set I see in your SPF settings?








Settings above:

SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr ?all
SPF guess: v=spf1 +a/24 +mx/24 +ptr ?all


I quickly adjusted my local guess rules to test if plesk actually checks the records

SPF spam protection: on
SPF checking mode: Reject mails when SPF resolves to "fail" (deny)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr -all
SPF guess: v=spf1 +a/24 +mx/24 +ptr -all

And after adjusting my local rules




*sigh* edit yeah it most defiantly is applying the SPF guess rules to local domains instead of querying DNS or using the local rule


SPF checking mode: Reject mails when SPF resolves to "fail" (deny) (-a published in SPF DNS)
SPF local rules: v=spf1 +a/24 +mx/24 +ptr -all (Would assume this is the local rule ?)
SPF guess: v=spf1 a/24 mx/24 ptr ?all (This is the best guess rule for when we dont have an SPF published) ..... anyone know if its checking for the older SPF record type instead of txt?


Double Edit: Not asking for help or trying to steal a threat just trying to contribute that you dont seem to be losing you mind


Triple Edit: Removing local rule + guess rule and leaving preform dns check and on fail reject appears to actually generate failures - not 100% sure what plesk was using the local record for - but it seems to be favouring it over the dns lookup results. OpenSPF says guess records are deprecated - can anyone chime in on the purpose of the local record? if i understood the panels help tip it was only to be used when DNS lookup of the text spf record fails ? and then guess was applied to domains with know published spf?

 

[dEbo1]

Well, apparently this is perfectly normal and it doesnt bother anyone.
Seriously Plesk?

 

[IgorG]

Please fill this template with all necessary details if you really think that found a bug - https://talk.plesk.com/threads/please-follow-this-template-if-you-believe-that-found-a-bug.339636/

 

[dEbo1]

I already filled https://www.plesk.com/bug-report/

 

[IgorG]

I already filled https://www.plesk.com/bug-report/

Anyway, we need more detailed report. Please submit it with help of mentioned template with STEPS TO REPRODUCE, ACTUAL RESULT, EXPECTED RESULT, ANY ADDITIONAL INFORMATION