
Resolved Receiving spam from localhost

petrosvw

New Pleskian
Hello everyone,

Recently I received an email from an external address, but it was sent from localhost.
I don't really know where it comes from and hope you guys know more about my problem.
I'm pretty new to self-hosting my email. My previous host did it for me.

Some extra information
  • I host the DNS with Plesk (using 2 IP addresses).
  • I only received it from 1 specific domain I host.
  • The mail address is non-existent.
The email header information
  • <DOMAIN.EXT> => The domain that is sending the spam (it's received on the same address, marked with mymail@<DOMAIN.EXT>)
Return-Path: <SRS0=sATn=S3=www140.onamae.ne.jp=r0408324@<DOMAIN.EXT>>
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
<rDNS domain/ pesk domain>
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=3.5 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.4
X-Original-To: mymail@<DOMAIN.EXT>
Delivered-To: mymail@<DOMAIN.EXT>
Received: by <rDNS domain/ pesk domain> (Postfix, from userid 30)
id 771CE14017E; Sat, 12 Feb 2022 18:14:20 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=<DOMAIN.EXT>; s=default;
t=1644686060; bh=jXh5b4Zg4vbAdNldtQ1IXjEvpstvfxbVRZVZDm6spso=;
h=Received:Received:Received:To:Subject:From;
b=r07mC0WlDxCN0ds91cNOwn0Tm8XlrNvwt5xpfoZYNJOZ0rGo5NmYl9kgnJBr4MutA
D/rhCnykBWUzpA/iiVV7853YkL/37zsNEXYCc3Akk5D25y/azowLR3vsJyWYtFJYFZ
Z3syv1f7yMiEpy8LOyH0Ya95fiT1Fv+JMkUWl6wY=
Authentication-Results: <rDNS domain/ pesk domain>;
dmarc=none (p=NONE sp=NONE) smtp.from=www140.onamae.ne.jp header.from=gokuu.jp;
dkim=pass header.d=<DOMAIN.EXT>;
spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=satn=s3=www140.onamae.ne.jp=r0408324@<DOMAIN.EXT> smtp.helo=localhost
Received-SPF: pass (<rDNS domain/ pesk domain>: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=srs0=satn=s3=www140.onamae.ne.jp=r0408324@<DOMAIN.EXT>; helo=localhost;
X-Original-To: website@<DOMAIN.EXT>
Delivered-To: website@<DOMAIN.EXT>
Received: from mailgw30.onamae.ne.jp (mailgw30-251.onamae.ne.jp [118.27.99.251])
by <rDNS domain/ pesk domain> (Postfix) with ESMTPS id 08BCC14017C
for <website@<DOMAIN.EXT>>; Sat, 12 Feb 2022 18:14:16 +0100 (CET)
Received-SPF: none (<rDNS domain/ pesk domain>: no valid SPF record)
Received: from www140.onamae.ne.jp (unknown [172.16.43.32])
by mailgw30.onamae.ne.jp (Postfix) with ESMTP id 88660180049668
for <website@<DOMAIN.EXT>>; Sun, 13 Feb 2022 02:14:13 +0900 (JST)
Received: by www140.onamae.ne.jp (Postfix, from userid 10344)
id 87A462064782B; Sun, 13 Feb 2022 02:14:13 +0900 (JST)
To: website@<DOMAIN.EXT>
Subject: =?UTF-8?B?44CQ6Ieq5YuV6L+U5L+h44CR44GK5ZWP44GE5ZCI44KP44Gb44KS5Y+X44GR?= =?UTF-8?B?5LuY44GR44G+44GX44Gf?=
X-PHP-Script: anshinkazoku.com/index.php for 199.249.230.71
X-PHP-Filename: /home/r0408324/public_html/anshinkazoku.com/index.php REMOTE_ADDR: 199.249.230.71
Date: Sat, 12 Feb 2022 17:14:13 +0000
From: =?UTF-8?B?5L2P44G+44GE44KL5a6J5b+D5a625peP?= <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 6.1.6 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
 
Doesn't

X-PHP-Script: anshinkazoku.com/index.php for 199.249.230.71
X-PHP-Filename: /home/r0408324/public_html/anshinkazoku.com/index.php REMOTE_ADDR: 199.249.230.71

show where the mail originates?
 
Thank you for your reply.
I did see that part too. But when looking at this line:
spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=satn=s3=www140.onamae.ne.jp=r0408324@<DOMAIN.EXT> smtp.helo=localhost
it's telling me it's from localhost. This email did pass the SpamAssassin check (not held back). Normally I only see this when the SpamAssassin check thinks it's spam.
(For example, when I send an email from hotmail.com I see this:
Received-SPF: pass (<rDNS domain/ pesk domain>: domain of hotmail.com designates 40.92.73.76 as permitted sender) client-ip=40.92.73.76; envelope-from=[email protected]; helo=EUR04-HE1-obe.outbound.protection.outlook.com;)



I didn't receive another mail from the specific sender, nor any other spam mail from localhost.

But can I conclude from your message that there is nothing wrong?
The SPF line and the X-PHP-Script part confuse me.

Thanks in advance
 
Before it is processed by localhost it has been handled by other hosts or services. So probably there is nothing wrong with this. I think it may have been forwarded by a setting in your domain to another internal mail address. At least this does not look as if it comes from your own host in the first place.
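To make the reasoning in that reply mechanical, here is an added example (not code from the thread or from Plesk) that walks a header block the way a practitioner would: it unfolds the headers, parses the Received chain bottom-up to find the originating host, picks the first hop that entered the local MTA from an outside IP, flags a final "by <host> (Postfix, from userid N)" hop as a local resubmission (which is what produces the spf=pass / 127.0.0.1 / helo=localhost line when a forward re-injects the mail), decodes the SRS0 Return-Path back to the original envelope sender, and surfaces the X-PHP-Script header. The sample headers are constructed from the ones posted above; the placeholder <DOMAIN.EXT> is replaced by the assumed domain example.test and the Plesk host by the assumed name mail.example.test. The Received regex is written for the Postfix formats seen in this thread; other MTAs format the line differently.

```python
"""Trace where a mail really entered, from its Received chain (added example)."""
import re

# Constructed sample modelled on the headers posted in the thread.
# Assumed names: example.test stands in for <DOMAIN.EXT>, mail.example.test for the Plesk host.
SAMPLE_HEADERS = """\
Return-Path: <SRS0=sATn=S3=www140.onamae.ne.jp=r0408324@example.test>
Received: by mail.example.test (Postfix, from userid 30)
    id 771CE14017E; Sat, 12 Feb 2022 18:14:20 +0100 (CET)
Authentication-Results: mail.example.test;
    spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=satn=s3=www140.onamae.ne.jp=r0408324@example.test smtp.helo=localhost
X-Original-To: website@example.test
Received: from mailgw30.onamae.ne.jp (mailgw30-251.onamae.ne.jp [118.27.99.251])
    by mail.example.test (Postfix) with ESMTPS id 08BCC14017C
    for <website@example.test>; Sat, 12 Feb 2022 18:14:16 +0100 (CET)
Received: from www140.onamae.ne.jp (unknown [172.16.43.32])
    by mailgw30.onamae.ne.jp (Postfix) with ESMTP id 88660180049668
    for <website@example.test>; Sun, 13 Feb 2022 02:14:13 +0900 (JST)
Received: by www140.onamae.ne.jp (Postfix, from userid 10344)
    id 87A462064782B; Sun, 13 Feb 2022 02:14:13 +0900 (JST)
X-PHP-Script: anshinkazoku.com/index.php for 199.249.230.71
"""

# Postfix "Received:" shapes seen in the thread: optional "from helo (rdns [ip])",
# then "by host", optionally "(Postfix, from userid N)" for a local submission.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?\s*)?"
    r"by\s+(?P<by>\S+)"
    r"(?:\s*\(Postfix,\s*from\s+userid\s+(?P<uid>\d+)\))?",
    re.I,
)

# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
SRS0_RE = re.compile(r"^srs0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>[^@]+)@", re.I)


def unfold(raw):
    """Join folded continuation lines; return [(name, value), ...] in file order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_chain(fields):
    """Parse every Received header and return the hops in chronological order (origin first)."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if not m:
            continue  # unknown MTA format; skip rather than guess
        hops.append({
            "from": m.group("helo"),
            "ip": m.group("ip"),
            "by": m.group("by"),
            "uid": m.group("uid"),
            "local_submission": m.group("uid") is not None,
        })
    hops.reverse()  # headers are prepended, so file order is newest first
    return hops


def decode_srs(address):
    """Undo SRS0 rewriting to recover the original envelope sender; pass other addresses through."""
    address = address.strip().strip("<>")
    m = SRS0_RE.match(address)
    if not m:
        return address
    return f"{m.group('local')}@{m.group('domain')}"


def analyze(raw, my_hosts):
    """Summarise origin, external entry point, local resubmission and sender for one message."""
    fields = unfold(raw)
    hdr = {n.lower(): v for n, v in fields}  # last occurrence wins; fine for single-valued headers
    hops = received_chain(fields)
    entry = next((h for h in hops if h["by"] in my_hosts and h["ip"]), None)
    last = hops[-1] if hops else None
    return {
        "origin_host": hops[0]["by"] if hops else None,
        "origin_uid": hops[0]["uid"] if hops else None,
        "entry_ip": entry["ip"] if entry else None,
        "entry_helo": entry["from"] if entry else None,
        # True when our own MTA re-injected the mail (e.g. a forward/alias), which is what
        # yields the "spf=pass (sender IP is 127.0.0.1) ... helo=localhost" line.
        "locally_resubmitted": bool(last and last["by"] in my_hosts and last["local_submission"]),
        "original_envelope_sender": decode_srs(hdr.get("return-path", "")),
        "php_script": hdr.get("x-php-script"),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS, {"mail.example.test"}).items():
        print(f"{key}: {val}")
```

Run it and the summary shows the message was created by userid 10344 on www140.onamae.ne.jp (the PHP script host), entered the Plesk server from 118.27.99.251, and was then resubmitted locally by userid 30, which is the forward; the SRS0 Return-Path decodes to r0408324@www140.onamae.ne.jp. A message actually generated on the Plesk host itself would show that host as the first hop instead, with no external entry IP.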
 
Oh. Thanks. Yes! That's the problem. The email address "website" is just a forward address, not an existing mailbox.

Thank you for your help. This makes sense!

(It can be so confusing sometimes. I've got to learn how it all works. But I like learning ;-))

(sorry for the maybe dumb topic)
 