
SPAM from internal e-mail

FirstPoint

Basic Pleskian
Hello.

We have the following problem:
Domain abc.com is hosted on our server, it has a hosted e-mail [email protected]. This e-mail address keeps getting SPAM messages from an address [email protected] (where srv2.xyz.com is our server FQDN).
What we understood by reading the headers (posted below) is that someone is sending an e-mail to [email protected]. This e-mail address, as configured in Plesk, redirects e-mails to [email protected]. But we don't understand how someone managed to send an e-mail from a nonexistent [email protected] to it. Can you help us?

Here are the headers:

DomainKey-Status: no signature
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by srv2.xyz.com (Postfix, from userid 30)
id CD4A2430017F; Tue, 14 Apr 2015 23:50:58 +0200 (CEST)
DomainKey-Status: bad format
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from 188.165.248.5 (unknown [60.169.75.45])
by srv2.xyz.com (Postfix) with SMTP id 7AA5D430017B
for <support@âbc.com>; Tue, 14 Apr 2015 23:50:55 +0200 (CEST)
X-Message-Info: 7wPTdI64Kxmhkf8yMbP7QD3jIkfijS63
Received: from dns5scapular.com ([151.84.110.111]) by nd1-w7.hotmail.com with
Microsoft SMTPSVC(5.0.2195.6824); Wed, 15 Apr 2015 02:42:58 +0400
Received: from archbishopcrinkle.com [127.0.0.1] by dns4exquisite.com
(SMTPD32-7.12 ) id PB071861W2; Tue, 14 Apr 2015 16:49:58 -0600
Subject: I love that I can now fit in to my old clothes!
From: Anibal@srv2.xyz.com, [email protected]yz.com
To: support@abc.com
Message-Id: <[email protected]>
Content-Type: multipart/alternative;
boundary="--26043614405046902846"
X-PPP-Message-ID: <[email protected]>
X-PPP-Vhost: abc.com
Date: Tue, 14 Apr 2015 23:50:58 +0200 (CEST)
X-Antivirus: avast! (VPS 150414-0, 14.04.2015), Inbound message
X-Antivirus-Status: Clean
----26043614405046902846
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
This is the most effective weight loss treatment! You may need the information!
This is the new way to shape your body.
We are the biggest shop in the net!
http://x.co/8rnAW
----26043614405046902846--
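The headers quoted above already contain the answer to "how could anyone send from a nonexistent address on our own server": SMTP does not verify the From: or MAIL FROM address, so the remote client simply claimed to be Anibal@srv2.xyz.com, and the Received: line written by srv2.xyz.com itself records the real origin (an external IP with no reverse DNS, plain SMTP, no authentication). The script below is an added example, not code from the thread or from Plesk, that walks the Received: chain and reports those indicators. The sample message is reconstructed from the quoted headers (trimmed, with the redacted sender filled in as shown in the From: line), and LOCAL_IPS is an assumption about which address the server itself would connect from.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# The server FQDN is taken from the post; the IP is an assumption (the HELO string
# in the quoted headers suggests the spammer copied the server's own address).
LOCAL_HOST = "srv2.xyz.com"
LOCAL_IPS = {"188.165.248.5"}

# Constructed sample, trimmed from the headers quoted in the post above.
SAMPLE = """\
Return-Path: <Anibal@srv2.xyz.com>
Received: by srv2.xyz.com (Postfix, from userid 30)
\tid CD4A2430017F; Tue, 14 Apr 2015 23:50:58 +0200 (CEST)
Received: from 188.165.248.5 (unknown [60.169.75.45])
\tby srv2.xyz.com (Postfix) with SMTP id 7AA5D430017B
\tfor <support@abc.com>; Tue, 14 Apr 2015 23:50:55 +0200 (CEST)
Received: from dns5scapular.com ([151.84.110.111]) by nd1-w7.hotmail.com with
\tMicrosoft SMTPSVC(5.0.2195.6824); Wed, 15 Apr 2015 02:42:58 +0400
From: Anibal@srv2.xyz.com
To: support@abc.com
Subject: I love that I can now fit in to my old clothes!

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"             # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^)]*)\))?"       # Postfix adds "(rdns [ip])" or "(unknown [ip])"
    r".*?\bby\s+(?P<by>\S+)"             # the host that wrote this Received: line
    r"(?:.*?\bwith\s+(?P<proto>\S+))?",  # SMTP / ESMTP / ESMTPS / ESMTPA / ESMTPSA ...
    re.DOTALL | re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one unfolded Received: value into helo / rdns / ip / by / proto.

    Returns None for lines that name no remote client, e.g. Postfix's local
    re-injection "by host (Postfix, from userid 30)" that a mail forward creates.
    """
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    rdns = m.group("rdns") or ""
    ip_m = IP_RE.search(rdns)
    return {
        "helo": m.group("helo"),
        "rdns": rdns,
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by"),
        "proto": m.group("proto") or "",
    }


def analyze(raw_message, local_host=LOCAL_HOST, local_ips=LOCAL_IPS):
    """Return a list of findings that explain where the mail really came from."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # Each relay prepends its own Received: line, so the first line written "by"
    # our host that names a remote client is the point where the mail entered.
    hops = [parse_received(" ".join(str(h).split())) for h in msg.get_all("Received", [])]
    entry = next((h for h in hops if h and h["by"].lower() == local_host.lower()), None)
    if entry is None:
        return ["no Received: line shows a remote client handing this mail to %s" % local_host]

    ip, helo, proto = entry["ip"], entry["helo"], entry["proto"].upper()
    external = ip not in local_ips
    if external and from_domain == local_host.lower():
        findings.append(
            "From: uses our own host %s, but the mail entered from external IP %s; "
            "SMTP lets the client put any address in From:/MAIL FROM" % (local_host, ip))
    if external and (helo.lower() == local_host.lower() or helo in local_ips):
        findings.append("client introduced itself (HELO) as %s although it connected from %s" % (helo, ip))
    if proto in ("SMTP", "ESMTP"):
        findings.append(
            "hand-off to %s used plain %s, i.e. no SASL authentication "
            "(Postfix logs ESMTPA/ESMTPSA for an authenticated submission)" % (local_host, proto))
    if entry["rdns"].lower().startswith("unknown"):
        findings.append("connecting IP %s has no reverse DNS entry" % ip)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Run against the sample it reports four findings: the forged local From:, the HELO name copied from the server's own address, the unauthenticated plain-SMTP hand-off, and the missing reverse DNS. The same check applied to a genuine submission from one of the server's own addresses with ESMTPSA returns nothing, which is what makes it usable as a quick triage filter on a mail log dump.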
Hi FirstPoint,

I suppose that your public key is used to authenticate the SMTP user (Anonymous) over TLS and you didn't restrict this in Postfix (main.cf). Basically, you allow TLS and/or SASL authentication for the user "anonymous" if authentication over the standard public key is used, without using "username" and "password". Please have a look at your e-mail logs and watch out for the user "Anonymous".