
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?

drdna

New Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
Plesk Obsidian 18.0.62 Update 2
Hi everyone,

I'm having an issue with my mail server, and I'm hoping someone can help me out. Despite having correct SPF, DKIM, and DMARC configurations, my server seems to be allowing emails from spoofed senders. These emails are suddenly appearing as if they are sent from my own server.
Here are the anonymized headers of the problematic email:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from myserver.com (localhost.localdomain [127.0.0.1])
    by myserver.com (Postfix) with ESMTP id 842DA189
    for <[email protected]>; Wed, 31 Jul 2024 15:05:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mycustomer.com;
    s=default; t=1722431138;
    bh=hidSf2f+jKzpSIGY5FOQ0bATgnoGCnNpOReMXW01eho=;
    h=Received:Received:Received:Received:Received:Received:From:To:
    Subject;
    b=rOq7JCyjRZWsmRKs9bRBl3MOEJpsZ/V+AR2c208dGNaCaqo2qsrWWoMo2Kgz8sMXw
    Ei/1M9DCbs4J1C8utZzhZ6MPO6cSg5KFQTf0aex/1TJJbhqQZ3gQkR4eXse2HrLNNY
    xKl3Hbw+RqYBd4QU0027yKII4LZ5aGUJunng4rb0=
Authentication-Results: myserver.com;
    dmarc=pass (p=QUARANTINE sp=NONE) smtp.from=caucasus-lat.com header.from=caucasus-lat.com;
    dkim=pass header.d=mycustomer.com;
    spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=n9ay=o7=caucasus-lat.com=contact@mycustomer.com smtp.helo=myserver.com
Received-SPF: pass (myserver.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=srs0=n9ay=o7=caucasus-lat.com=contact@mycustomer.com; helo=myserver.com;
X-Virus-Scanned: Debian amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.803
X-Spam-Level:
X-Spam-Status: No, score=-0.803 tagged_above=-9999 required=1
    tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
    RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: myserver.com (amavisd-new);
    dkim=fail (1024-bit key) reason="fail (message has been altered)"
    header.d=mycustomer.com
Received: from myserver.com ([92.xxx.xxx.xx])
    by myserver.com (myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id dBLsnUPdynOI for <[email protected]>;
    Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
Received: by myserver.com (Postfix, from userid 30)
    id 4DEBE2A9; Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from myserver.com (localhost.localdomain [127.0.0.1])
    by myserver.com (Postfix) with ESMTP id B6BFE1E3
    for <[email protected]>; Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received-SPF: pass (myserver.com: localhost is always allowed.)
    client-ip=127.0.0.1; [email protected];
    helo=myserver.com;
X-Virus-Scanned: Debian amavisd-new at
Received: from myserver.com ([92.xxx.xxx.xx])
    by myserver.com (myserver.com [127.0.0.1]) (amavisd-new,
    port 10024)
    with ESMTP id 2wzK1awemtZ0 for <[email protected]>;
    Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received: from otherserver.example.com (otherserver.example.com
    [116.202.190.239])
    by myserver.com (Postfix) with ESMTPS id 5526A189
    for <[email protected]>; Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received-SPF: pass (myserver.com: domain of caucasus-lat.com designates
    116.202.190.239 as permitted sender) client-ip=116.202.190.239;
    [email protected]; helo=otherserver.example.com;
Received: from ip213-165-86-42.pbiaas.com ([213.165.86.42]
    helo=ip87-106-141-219.pbiaas.com)
    by otherserver.example.com with esmtpsa (TLS1.3) tls
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.93)
    (envelope-from <[email protected]>)
    id 1sZ91G-002HoE-Rv
    for [email protected]; Wed, 31 Jul 2024 13:05:30 +0000
From: [email protected], [email protected]
To: [email protected]
Subject: Update your phone number on your bank account
Date: 31 Jul 2024 13:05:30 +0000
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-PPP-Message-ID:
    <[email protected]>
X-PPP-Vhost: mycustomer.com

Can anyone point out what might be misconfigured on my server or suggest further checks I should perform? Thanks in advance for your help!

Best regards,
Andreas
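As an added illustration (not code from the thread, the poster or Plesk), the script below walks a Received chain like the one above from the top to find the hop at which the message actually entered myserver.com, and lists every mailbox in the From header next to the domain the DMARC verdict in Authentication-Results was recorded against. The embedded headers are a constructed, condensed copy of the posted ones: the local parts user@ and info@, the address 192.0.2.10 standing in for the masked 92.xxx.xxx.xx, and the OWN_HOSTS/OWN_IPS values are assumptions.

```python
# Added example: trace where a message entered the server and compare the
# From header with the domain DMARC was evaluated for. Not the thread's code.
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import getaddresses

# Constructed, condensed copy of the posted headers (placeholders: user@,
# info@, 192.0.2.10 for the masked relay address).
SAMPLE_HEADERS = """\
Return-Path: <SRS0=n9aY=O7=caucasus-lat.com=contact@mycustomer.com>
Received: from myserver.com (localhost.localdomain [127.0.0.1])
    by myserver.com (Postfix) with ESMTP id 842DA189
    for <user@mycustomer.com>; Wed, 31 Jul 2024 15:05:38 +0200 (CEST)
Authentication-Results: myserver.com;
    dmarc=pass (p=QUARANTINE sp=NONE) smtp.from=caucasus-lat.com header.from=caucasus-lat.com;
    dkim=pass header.d=mycustomer.com;
    spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=n9ay=o7=caucasus-lat.com=contact@mycustomer.com smtp.helo=myserver.com
Received: from myserver.com ([192.0.2.10])
    by myserver.com (myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id dBLsnUPdynOI for <user@mycustomer.com>;
    Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
Received: by myserver.com (Postfix, from userid 30)
    id 4DEBE2A9; Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
Received: from otherserver.example.com (otherserver.example.com
    [116.202.190.239])
    by myserver.com (Postfix) with ESMTPS id 5526A189
    for <contact@mycustomer.com>; Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received: from ip213-165-86-42.pbiaas.com ([213.165.86.42]
    helo=ip87-106-141-219.pbiaas.com)
    by otherserver.example.com with esmtpsa (TLS1.3) (Exim 4.93)
    (envelope-from <info@caucasus-lat.com>)
    id 1sZ91G-002HoE-Rv
    for contact@mycustomer.com; Wed, 31 Jul 2024 13:05:30 +0000
From: contact@mycustomer.com, info@caucasus-lat.com
To: contact@mycustomer.com
Subject: Update your phone number on your bank account
"""

# Assumed identity of the receiving host; adjust to your own names/addresses.
OWN_HOSTS = {"myserver.com"}
OWN_IPS = {"192.0.2.10"}

RECEIVED_RE = re.compile(r"(?:from (?P<from>.*?) )?by (?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers):
    """One dict per Received header, newest (topmost) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = RECEIVED_RE.match(flat)
        if not m:
            hops.append({"from": None, "ip": None, "by": None})
            continue
        from_part = m.group("from") or ""
        ip = IP_RE.search(from_part)                 # address the MTA actually saw
        hops.append({
            "from": from_part.split(" ")[0] if from_part else None,  # HELO name
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    return hops


def entry_hop(hops, own_hosts=OWN_HOSTS, own_ips=OWN_IPS):
    """First hop where one of our hosts accepted the message from an address
    that is not ours. Loopback and own-IP hops are internal re-injections
    (content filter, local submission) and are skipped."""
    for hop in hops:
        ip = hop["ip"]
        if hop["by"] not in own_hosts or ip is None:
            continue
        if ip in own_ips or ipaddress.ip_address(ip).is_loopback:
            continue
        return hop
    return None


def from_domains(raw_headers):
    """Domain of every mailbox in From:, in header order (RFC 5322 allows
    more than one; the client in the thread displays only the first)."""
    msg = HeaderParser().parsestr(raw_headers)
    return [addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(msg.get_all("From", []))]


def dmarc_checked_domain(raw_headers):
    """Domain the receiver's DMARC result was recorded against."""
    msg = HeaderParser().parsestr(raw_headers)
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"header\.from=([^\s;]+)", value)
        if m:
            return m.group(1).lower()
    return None


def analyze(raw_headers):
    hops = received_chain(raw_headers)
    entry = entry_hop(hops)
    origin = hops[-1] if hops else None              # oldest hop: first submission
    domains = from_domains(raw_headers)
    return {
        "entry_from": entry and entry["from"],
        "entry_ip": entry and entry["ip"],
        "origin_ip": origin and origin["ip"],
        "origin_relay": origin and origin["by"],
        "from_domains": domains,
        "displayed_from_domain": domains[0] if domains else None,
        "dmarc_checked_domain": dmarc_checked_domain(raw_headers),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f"{key:22} {val}")
```

On the posted headers this reports the entry point as otherserver.example.com [116.202.190.239], the origin as 213.165.86.42 submitting through otherserver.example.com, From domains mycustomer.com followed by caucasus-lat.com, and a DMARC result recorded for caucasus-lat.com. The address a mail client displays and the domain the DMARC verdict applies to are therefore not the same thing, which is why a passing Authentication-Results line and a suspicious displayed sender can coexist. For a real case, feed the raw message saved from the mailbox (the full .eml) instead of SAMPLE_HEADERS and set OWN_HOSTS/OWN_IPS to the server's actual names and addresses.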
 
Hi everyone,

I'm having an issue with my mail server, and I'm hoping someone can help me out. Despite having correct SPF, DKIM, and DMARC configurations, my server seems to be allowing emails from spoofed senders. These emails are suddenly appearing as if they are sent from my own server.
Here are the anonymized headers of the problematic email:

What makes you think that this mail appears to have been sent from your server? The "From: [email protected]" part? This is free text that can contain anything, but has absolutely no meaning. It is especially not an indication of the real sender.

Return-Path: <SRS0=n9aY=O7=caucasus-lat.com=[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from myserver.com (localhost.localdomain [127.0.0.1])
by myserver.com (Postfix) with ESMTP id 842DA189
for <[email protected]>; Wed, 31 Jul 2024 15:05:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mycustomer.com;
s=default; t=1722431138;
bh=hidSf2f+jKzpSIGY5FOQ0bATgnoGCnNpOReMXW01eho=;
h=Received:Received:Received:Received:Received:Received:From:To:
Subject;
b=rOq7JCyjRZWsmRKs9bRBl3MOEJpsZ/V+AR2c208dGNaCaqo2qsrWWoMo2Kgz8sMXw
Ei/1M9DCbs4J1C8utZzhZ6MPO6cSg5KFQTf0aex/1TJJbhqQZ3gQkR4eXse2HrLNNY
xKl3Hbw+RqYBd4QU0027yKII4LZ5aGUJunng4rb0=
Authentication-Results: myserver.com;
dmarc=pass (p=QUARANTINE sp=NONE) smtp.from=caucasus-lat.com header.from=caucasus-lat.com;
dkim=pass header.d=mycustomer.com;
spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=srs0=n9ay=o7=caucasus-lat.com=[email protected] smtp.helo=myserver.com
Received-SPF: pass (myserver.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=srs0=n9ay=o7=caucasus-lat.com=[email protected]; helo=myserver.com;
X-Virus-Scanned: Debian amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.803
X-Spam-Level:
X-Spam-Status: No, score=-0.803 tagged_above=-9999 required=1
tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: myserver.com (amavisd-new);
dkim=fail (1024-bit key) reason="fail (message has been altered)"
header.d=mycustomer.com
Received: from myserver.com ([92.xxx.xxx.xx])
by myserver.com (myserver.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dBLsnUPdynOI for <[email protected]>;
Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
Received: by myserver.com (Postfix, from userid 30)
id 4DEBE2A9; Wed, 31 Jul 2024 15:05:32 +0200 (CEST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from myserver.com (localhost.localdomain [127.0.0.1])
by myserver.com (Postfix) with ESMTP id B6BFE1E3
for <[email protected]>; Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received-SPF: pass (myserver.com: localhost is always allowed.)
client-ip=127.0.0.1; envelope-from=[email protected];
helo=myserver.com;
X-Virus-Scanned: Debian amavisd-new at
Received: from myserver.com ([92.xxx.xxx.xx])
by myserver.com (myserver.com [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id 2wzK1awemtZ0 for <[email protected]>;
Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received: from otherserver.example.com (otherserver.example.com
[116.202.190.239])
by myserver.com (Postfix) with ESMTPS id 5526A189
for <[email protected]>; Wed, 31 Jul 2024 15:05:31 +0200 (CEST)
Received-SPF: pass (myserver.com: domain of caucasus-lat.com designates
116.202.190.239 as permitted sender) client-ip=116.202.190.239;
envelope-from=[email protected]; helo=otherserver.example.com;

The following is the interesting part and as long as none of the here mentioned systems is your server, there is nothing to worry about.

Received: from ip213-165-86-42.pbiaas.com ([213.165.86.42]
helo=ip87-106-141-219.pbiaas.com)
by otherserver.example.com with esmtpsa (TLS1.3) tls
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.93)
(envelope-from <[email protected]>)
id 1sZ91G-002HoE-Rv
for [email protected]; Wed, 31 Jul 2024 13:05:30 +0000

This looks just like a simple SPAM/SCAM/Phishing mail.

From: [email protected], [email protected]
To: [email protected]
Subject: Update your phone number on your bank account
Date: 31 Jul 2024 13:05:30 +0000
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-PPP-Message-ID:
<[email protected]>
X-PPP-Vhost: mycustomer.com

Can anyone point out what might be misconfigured on my server or suggest further checks I should perform? Thanks in advance for your help!

Best regards,
Andreas

It's almost impossible to suggest anything reasonable without knowing (more about) the actual configuration, but if you haven't already implemented some DNSBL checks within Postfix, it might be a good idea to consider it. This way you can make sure that known malicious senders are rejected before they can even send something to your (mail) server. Among hundreds of possible RBLs/DNSBLs you might want to consider zen.spamhaus.org and/or bl.spamcop.net, for example. See spamhaus.org or spamcop.net for further information about their services.
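To make the DNSBL suggestion concrete, here is an added example (not from the thread and not Postfix's own implementation) of what a `reject_rbl_client zone` lookup does: reverse the client address, append the zone, query it, and interpret the 127.x answer. The resolver is injectable so the logic runs offline against a constructed answer table; the listings in that table are invented for the demo and the TEST-NET addresses are placeholders, not real lookup results.

```python
# Added example (not the thread's or Postfix's code): a DNSBL client-IP check
# of the kind Postfix's reject_rbl_client performs, testable offline.
import ipaddress
import socket

# Return codes as published by the list operators; verify against
# spamhaus.org and spamcop.net before relying on them.
ZONE_CODES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
        "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    },
    "bl.spamcop.net": {"127.0.0.2": "listed"},
}
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Ranges a DNSBL cannot say anything useful about; in Postfix,
# permit_mynetworks normally short-circuits these before reject_rbl_client.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def dnsbl_name(ip, zone):
    """Name to query: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:  # IPv6: one nibble per label, as the lists expect
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def query_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """None if not listed; otherwise a dict whose 'listed' is True (hit) or
    None (the list answered with an error code: treat as unknown)."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:          # NXDOMAIN: not listed
        return None
    if answer.startswith("127.255.255."):
        # Spamhaus signals query problems (public/open resolver, query
        # limit exceeded) in 127.255.255.0/24; never treat those as a listing.
        return {"zone": zone, "listed": None, "reason": f"query error {answer}"}
    if not answer.startswith("127."):
        # Anything outside 127/8 is a hijacked or wildcarded answer.
        return {"zone": zone, "listed": None, "reason": f"unexpected answer {answer}"}
    reason = ZONE_CODES.get(zone, {}).get(answer, answer)
    return {"zone": zone, "listed": True, "reason": reason}


def check_sender(ip, zones=DEFAULT_ZONES, resolve=socket.gethostbyname):
    """Decision for one SMTP client address: skip / accept / reject."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETS):
        return {"ip": ip, "action": "skip", "hits": []}
    hits = []
    for zone in zones:
        result = query_dnsbl(ip, zone, resolve)
        if result and result["listed"]:
            hits.append(result)
    return {"ip": ip, "action": "reject" if hits else "accept", "hits": hits}


# Constructed answers for the offline demo: invented listings on placeholder
# TEST-NET addresses, not real lookup results.
CONSTRUCTED_ANSWERS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.4",          # XBL hit
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",            # listed
    "7.100.51.198.zen.spamhaus.org": "127.255.255.254",   # public resolver refused
}


def demo_resolver(name):
    """Stand-in for socket.gethostbyname backed by CONSTRUCTED_ANSWERS."""
    if name in CONSTRUCTED_ANSWERS:
        return CONSTRUCTED_ANSWERS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for client in ("203.0.113.5", "198.51.100.7", "192.0.2.9", "10.0.0.4"):
        print(check_sender(client, resolve=demo_resolver))
```

In Postfix the same check is `reject_rbl_client zen.spamhaus.org` and `reject_rbl_client bl.spamcop.net` in `smtpd_recipient_restrictions`, placed after `permit_mynetworks` and `permit_sasl_authenticated` so your own relays and authenticated users are never rejected; Plesk manages main.cf itself and exposes the DNSBL zones in its mail server settings, so set them there rather than editing the file by hand. Two caveats: Spamhaus answers queries that arrive through large public resolvers, or above the free-use limit, with 127.255.255.x error codes, so the server needs its own recursive resolver or a Spamhaus DQS key, and the code above deliberately does not count those as listings; and an SMTP-time reject only acts on the connecting relay, which in the headers above was otherserver.example.com, not the domain shown in the message's From line.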
 
Thank you, @La Linea.

I don't believe these emails are sent by my server, but to the customer, it appears that way.

Because of the 'From' part:

From: [email protected], [email protected]

In the actual email client, for example, Outlook, it only shows:

From: [email protected]

This makes me think that something is abnormal or misconfigured.
I didn't think the email could get through with all options enabled SPF, DKIM, and DMARC.

I have now implemented some additional DNSBL lists to see if that brings any improvement.

Thank you.


 